diff --git a/exploits/aspx/webapps/46987.txt b/exploits/aspx/webapps/46987.txt new file mode 100644 index 000000000..4fba337ad --- /dev/null +++ b/exploits/aspx/webapps/46987.txt @@ -0,0 +1,14 @@ +# Exploit Title: Sitecore v 8.x Deserialization RCE +# Date: Reported to vendor October 2018, fix released April 2019. +# Exploit Author: Jarad Kopf +# Vendor Homepage: https://www.sitecore.com/ +# Software Link: Sitecore downloads: https://dev.sitecore.net/Downloads.aspx +# Version: Sitecore 8.0 Revision 150802 +# Tested on: Windows +# CVE : CVE-2019-11080 + +Exploit: + +Authentication is needed for this exploit. An attacker needs to login to Sitecore 8.0 revision 150802's Admin section. +When choosing to Serializeusers or domains in the admin UI, calls to /sitecore/shell/~/xaml/Sitecore.Shell.Applications.Dialogs.Progress.aspx will include a CSRFTOKEN parameter. +By replacing this parameter with a URL-encoded, base64-encoded crafted payload from ysoserial.net, an RCE is successful. \ No newline at end of file diff --git a/exploits/windows/local/46988.txt b/exploits/windows/local/46988.txt new file mode 100644 index 000000000..77c48403e --- /dev/null +++ b/exploits/windows/local/46988.txt 
@@ -0,0 +1,60 @@ +[Summary] +The Pronestor service "PNHM" (aka Health Monitoring or HealthMonitor) +before 8.1.12.0 has "BUILTIN\Users:(I)(F)" permissions for +the "%PROGRAMFILES(X86)%\proNestor\Outlook add-in for Pronestor\PronestorHealthMonitor.exe" file, +which allows local users to gain privileges via a Trojan horse PronestorHealthMonitor.exe file. + +During the installation of Pronestors Outlook-Add-In (version 8.1.11.0 +and older) the installer creates a service named PNHM (Pronester +Health Monitoring) with weak file permission running as SYSTEM. +The vulnerability allows all "Authenticated Users" to potentially +execute arbitrary code as SYSTEM on the local system. + +[Additional Information] +Tested on Windows 7. +Version: Outlook Add-In 8.1.11.0 and older +Also tested on version 5.1.6.0 with same result. +Discovered: 06-nov-2018 +Reported: 07-nov-2018 + +Vendor: https://www.pronestor.com/ +Vendor confirmed: True +Fixed: Version 8.1.12.0 +Attack Type: Local Privilege Escalation +Vulnerability due to: Insecure Permissions +Discoverer: PovlTekstTV +CVE: 2018-19113 +Original link: https://gist.github.com/povlteksttv/8f990e11576e1e90e8fb61acf8646d28 + +[Proof] +C:\Users\povltekst>sc qc PNHM + +SERVICE_NAME: PNHM + TYPE : 10 WIN32_OWN_PROCESS + START_TYPE : 2 AUTO_START + ERROR_CONTROL : 1 NORMAL + BINARY_PATH_NAME : "C:\Program Files (x86)\proNestor\Outlook add-in for Pronestor\PronestorHealthMonitor.exe" + LOAD_ORDER_GROUP : + TAG : 0 + DISPLAY_NAME : Pronestor HealthMonitor + DEPENDENCIES : + SERVICE_START_NAME : LocalSystem + +C:\Users\povltekst>icacls 'C:\Program Files (x86)\proNestor\Outlook add-in for Pronestor\PronestorHealthMonitor.exe' +C:\Program Files (x86)\proNestor\Outlook add-in for Pronestor\PronestorHealthMonitor.exe + BUILTIN\Users:(I)(F) + NT AUTHORITY\SYSTEM:(I)(F) + BUILTIN\Administrators:(I)(F) + +Notice: "BUILIN\Users:(I)(F)". (F) = Full access! 
+This means that an authenticated user can change the file + +[Attack Vectors] +Replace the file "PronestorHealthMonitor.exe" with a malicious file +also called "PronesterHealthMonitor.exe". Next time the service (PNHM) +starts, the malicious file will get executed as SYSTEM. The service +starts on every reboot. + +[Affected Component] +PronestorHealthMonitor.exe +This exe will be executed on every reboot by a service named PNHM running as SYSTEM. \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index de18af0ac..adcf439a5 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -10544,6 +10544,7 @@ id,file,description,date,author,type,platform,port 46973,exploits/linux/local/46973.md,"Vim < 8.1.1365 / Neovim < 0.3.6 - Arbitrary Code Execution",2019-06-04,Arminius,local,linux, 46976,exploits/windows/local/46976.txt,"Microsoft Windows - AppX Deployment Service Local Privilege Escalation (3)",2019-06-07,SandboxEscaper,local,windows, 46978,exploits/linux/local/46978.sh,"Ubuntu 18.04 - 'lxd' Privilege Escalation",2019-06-10,s4vitar,local,linux, +46988,exploits/windows/local/46988.txt,"Pronestor Health Monitoring < 8.1.11.0 - Privilege Escalation",2019-06-13,PovlTekstTV,local,windows, 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139 
@@ -41392,3 +41393,4 @@ id,file,description,date,author,type,platform,port 46982,exploits/php/webapps/46982.txt,"phpMyAdmin 4.8 - Cross-Site Request Forgery",2019-06-11,Riemann,webapps,php, 46983,exploits/jsp/webapps/46983.txt,"Liferay Portal 7.1 CE GA=3 / SimpleCaptcha API - Cross-Site Scripting",2019-06-11,"Valerio Brussani",webapps,jsp, 46985,exploits/php/webapps/46985.py,"FusionPBX 4.4.3 - Remote Command Execution",2019-06-12,"Dustin Cobb",webapps,php, +46987,exploits/aspx/webapps/46987.txt,"Sitecore 8.x - Deserialization Remote Code Execution",2019-06-13,"Jarad Kopf",webapps,aspx,
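Review bot: In the 46987.txt hunk, the header block omits the fixed version and any vendor advisory reference even though the "# Date:" line says a fix shipped in April 2019; defenders triaging CVE-2019-11080 need that to check whether an instance is patched, so add a "# Fixed in:" or advisory URL line and keep "# Date:" as a single date per the template. Also, the body is internally inconsistent on scope: the title says "Sitecore v 8.x" but "# Version:" and the prose name only "Sitecore 8.0 Revision 150802", and "Serializeusers" should read "Serialize users".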
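Review bot: In the 46988.txt hunk, the [Proof] section shows a cmd.exe prompt (C:\Users\povltekst>) but the icacls command wraps its path in single quotes, which cmd.exe does not treat as quoting, so the path containing spaces would be split; either show the command as run in PowerShell or use double quotes: icacls "C:\Program Files (x86)\proNestor\Outlook add-in for Pronestor\PronestorHealthMonitor.exe". The same hunk misspells names in several places ("Pronester Health Monitoring", "PronesterHealthMonitor.exe", "BUILIN\Users"), and "CVE: 2018-19113" lacks the CVE- prefix; a grep for the identifier would miss it.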
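Review bot: In the first files_exploits.csv hunk, the version range in the 46988 description ("Pronestor Health Monitoring < 8.1.11.0") contradicts the advisory text, which states 8.1.11.0 and older are affected and 8.1.12.0 is the fixed version; the description should read "< 8.1.12.0" (or "<= 8.1.11.0") so the index does not mark the last vulnerable build as safe.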
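Review bot: In the second files_exploits.csv hunk, the 46987 description "Sitecore 8.x - Deserialization Remote Code Execution" overstates what the entry supports: the write-up names only 8.0 Revision 150802 as tested and states that authentication to the Admin section is required, so the index line should carry an "(Authenticated)" qualifier and a version claim matching the header, e.g. "Sitecore 8.0 Revision 150802 - Deserialization Remote Code Execution (Authenticated)".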