Tuesday, April 13, 2021

CVE-2020-29592 and CVE-2020-29593 - Orchard CMS Unrestricted File Upload and XSS

 

Note: This is fixed in Orchard 1.10, this post is about Orchard 1.8.1.0.


CVE-2020-29592 - Unrestricted File Upload via Media Folder and TinyMCE HTML Editor:

https://user-images.githubusercontent.com/68610637/101294502-afb75c00-37e5-11eb-8bc4-9745a66e15f5.png

Not allowed because these are the allowed file types:

https://user-images.githubusercontent.com/68610637/101294729-741d9180-37e7-11eb-84e8-fee3143f34b1.png

But we can...

https://user-images.githubusercontent.com/68610637/101294742-88fa2500-37e7-11eb-8141-6092d7de5e6a.png

https://user-images.githubusercontent.com/68610637/101294750-91eaf680-37e7-11eb-9fd8-2b83ebb2a1c2.png

Success!

https://user-images.githubusercontent.com/68610637/101294764-a4653000-37e7-11eb-9ffb-9cc44fbb9589.png
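The bug class in the screenshots above is an unrestricted file upload: a type check on the server that something other than a genuinely allowed file can get past. As an added example (not Orchard's code and not taken from this post), the Python below shows the checks a hardened upload handler makes before it stores anything: reduce the client-supplied name to a plain basename, test only the final extension against an allowlist, compare the content's leading bytes against the magic for that type, and store under a random name. The allowlist, the size cap and the sample PNG bytes are assumptions made up for illustration.

```python
import os
import re
import secrets

# Assumed allowlist for illustration (not Orchard's own list):
# final extension -> byte prefixes ("magic") the content must start with.
ALLOWED_TYPES = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".gif": [b"GIF87a", b"GIF89a"],
    ".pdf": [b"%PDF-"],
}
MAX_BYTES = 5 * 1024 * 1024  # assumed size cap

# Constructed sample content: a PNG signature followed by padding.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16


class UploadRejected(ValueError):
    """Raised when an upload fails any check; the caller answers with a 4xx."""


def normalize_filename(name: str) -> str:
    """Reduce a client-supplied name to a plain basename.

    Path separators, NUL bytes and trailing dots/spaces go first, because the
    filesystem reads those differently from a naive string comparison; then
    anything outside a conservative character set is replaced.
    """
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    name = name.split("\x00", 1)[0]
    name = name.rstrip(". ")
    return re.sub(r"[^A-Za-z0-9._-]", "_", name)


def validate_upload(filename: str, content: bytes) -> str:
    """Return a random storage name for an acceptable upload, else raise.

    Order: size first (cheap), then the *final* extension against the
    allowlist, then the leading bytes against that extension's magic, so a
    script renamed to .png fails on content even though the name passes.
    """
    if len(content) > MAX_BYTES:
        raise UploadRejected("too large")
    clean = normalize_filename(filename)
    ext = os.path.splitext(clean)[1].lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension not allowed: {ext or '(none)'}")
    if not any(content.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match extension")
    # Never reuse the client's name on disk: random name + allowlisted extension.
    return secrets.token_hex(16) + ext


def is_accepted(filename: str, content: bytes) -> bool:
    """Convenience wrapper: True if validate_upload would store the file."""
    try:
        validate_upload(filename, content)
        return True
    except UploadRejected:
        return False


if __name__ == "__main__":
    # Constructed cases: a real PNG, a server-side script, the same script
    # renamed to .png, and a name with a trailing dot.
    for name, data in [("photo.png", PNG_SAMPLE),
                       ("shell.aspx", b"<% %>"),
                       ("shell.png", b"<% %>"),
                       ("shell.aspx.", PNG_SAMPLE)]:
        verdict = "accepted" if is_accepted(name, data) else "rejected"
        print(f"{name!r:>16} -> {verdict}")
```

The magic check is deliberately in addition to the extension check, not instead of it: the extension decides how the web server will later treat the file, while the magic decides whether the bytes are what the extension claims. Storing under a random name in a directory the web server does not execute from closes the remaining gap.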

 

CVE-2020-29593 - XSS via Media Types Settings



 



https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29592

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29593


RCE Using Recaf: an Awesome Java Decompiler/Recompiler

Recaf is super slick for reverse engineering and editing Java; I used it for arbitrary command injection (for RCE running as root!) last week (see the previous post about the file handle lock).

 

Anyway, about Recaf... I love that it auto-guesses the Java version. I used both the decompiler and hex editor, both excellent. Check it out:


https://www.coley.software/Recaf/

https://github.com/Col-E/Recaf

Hash Cracking with Rental AI GPUs

I've been doing a lot with fast.ai lately and really enjoying it. The worst part about AI is how long it takes to train a model, realize you messed up, change it, then do it again. A fast machine makes all the difference.

So when this guy was looking to do some hash cracking, and would otherwise have needed to borrow a bunch of physical graphics cards, I thought it would be a great time to suggest trying AI rental GPUs to do it. I think the implementation turned out great; check out his blog for details:

https://www.scrawledsecurityblog.com/2020/11/cracking-password-hashes-on-cheap-how.html

Note: we couldn't really use fast.ai Gradient/Paperspace, since those free tiers are public by default. Obviously that wouldn't be great for security. So the article describes vast.ai (I know, I thought it was a typo at first!).

CVE-2020-26885 - XSS in 2SXC

Reflected XSS via the sxcver parameter on the /DesktopModules/tosic_sexycontent/dist/dnn/ui.html page, using the payload:

 

"><IMG%20SRC=%23%20onerror="alert('xss')">


2SIC was very fast to respond and super great to work with! This has been remediated with this update: https://github.com/2sic/eav-item-dialog-angular/blob/develop/projects/ng-dialogs/src/index.html#L33-L42 and they published a helpful notice on their blog: https://2SXC.org/en/blog/post/2sxc-security-notification-2021-001

 

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26885

Monday, April 12, 2021

CVE-2021-3163 - Stored XSS Slab Quill JS

XSS in the WYSIWYG HTML editor by abusing the image tag.

 

For example, in the POST request that adds a comment, put this payload in the comment-text field using an interception proxy like Burp Suite:

 

<div><image src=validateNonExistantImage.png onloadstart=alert(1337)> hey girl hey </div>


Now the payload is stored on the page. When the next user visits, the XSS will execute.


This is a good example of why client-side validation does not stop attackers, who routinely bypass it by interacting with APIs and server-side endpoints directly.


https://github.com/quilljs/quill/issues/3273


I reported this to LinkedIn since they are using QuillJS, but they only have a private bug bounty program.


https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3163


NOTE: Though the CVE is marked as "disputed", it is a very basic stored XSS and has been easily reproducible. They seemed to accept this explanation and remediation note in issue #3558, but as of September 2022 the issue is still open and there doesn't seem to be a security patch in place, so it's still exploitable. As explained here, in order to fix it, there needs to be server-side sanitization in addition to the client-side validation that they're already using:

https://github.com/quilljs/quill/issues/3558

More discussion here, where I comment as "burninatorsec2":

https://github.com/quilljs/quill/issues/3364
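Two XSS contexts appear in these posts: the 2SXC bug is a request parameter reflected inside an HTML attribute, while the Quill bug is stored rich text that the application has to keep as HTML. The fixes differ, so as an added example (not code from this post, and not Quill's, 2SXC's or LinkedIn's) the Python below handles both: attribute-context encoding for the reflected case, and a server-side allowlist sanitizer for stored HTML that drops every element and attribute not explicitly permitted, which is what "server-side sanitization" in the note above amounts to. The allowlist, the surrounding markup in render_attr_value, and the sample fragments are assumptions made up for illustration; the two payload shapes are the ones quoted in the posts.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# ---- Context 1: a request parameter reflected inside an HTML attribute ------

def render_attr_value(param: str) -> str:
    """Reflect `param` into a value="..." attribute safely.

    html.escape(quote=True) rewrites & < > " and ' so the value can neither
    close the attribute nor start a tag. The surrounding markup is assumed.
    """
    return '<input name="sxcver" value="%s">' % html.escape(param, quote=True)


# ---- Context 2: stored rich text that must stay HTML ------------------------

# Assumed allowlist: tag -> attributes kept on that tag. Nothing else survives,
# so on* handlers, style and unknown elements never reach the output.
ALLOWED = {
    "p": set(), "div": set(), "br": set(), "b": set(), "strong": set(),
    "i": set(), "em": set(), "ul": set(), "ol": set(), "li": set(),
    "a": {"href"}, "img": {"src", "alt"},
}
VOID = {"br", "img"}                  # elements that take no closing tag
SAFE_SCHEMES = {"", "http", "https"}  # relative URLs, http and https only


def safe_url(value: str) -> bool:
    # Browsers ignore ASCII controls and whitespace while parsing the scheme,
    # so strip them before asking what scheme this really is.
    probe = re.sub(r"[\x00-\x20\x7f]", "", value)
    return urlsplit(probe).scheme.lower() in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Re-serialize input, keeping only allowlisted tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # e.g. <image> or <script>: element dropped, its text still escaped
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag]:
                continue  # onloadstart, onerror, style, ... are never listed
            if name in ("href", "src") and not safe_url(value or ""):
                continue  # blocks javascript: and data: URLs
            kept.append(' %s="%s"' % (name, html.escape(value or "", quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag not in self.open_tags:
            return
        while self.open_tags:  # close down to the matching tag to keep output balanced
            closed = self.open_tags.pop()
            self.out.append("</%s>" % closed)
            if closed == tag:
                break

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

    def result(self) -> str:
        while self.open_tags:  # close anything the input left open
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize_html(fragment: str) -> str:
    """Server-side sanitization of a stored comment body."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # Constructed inputs: the two payload shapes quoted in the posts above.
    print(render_attr_value('"><IMG SRC=# onerror="alert(\'xss\')">'))
    print(sanitize_html('<div><image src=validateNonExistantImage.png '
                        'onloadstart=alert(1337)> hey girl hey </div>'))
```

The sanitizer runs where the comment is stored, on the server, so it does not matter whether the request came from the editor or straight from a proxy. Note the design choice: it rebuilds output from an allowlist rather than stripping known-bad strings, so an element the author never thought of (here, image rather than img) is dropped by default instead of slipping through.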


Tuesday, April 6, 2021

Bamboozle D 3 f en d e r Effortlessly (BDE) - File Lock on Shell Code

Still confirming this is working the way I intend it, updates and detailed POC to follow...


I found RCE in a web application and placed a web shell file in a publicly facing directory on the server. However, AV keeps deleting it, so as part of my command injection I spin up a process to put a file handle on the shell. Even though Defender is detecting it, it's not deleting it. (I know it's detecting it because I've also gained remote desktop access and can see the alerts.)


In the past I have focused mainly on detection evasion but deletion evasion is looking a lot easier right now.


UPDATE: Well, it turns out my webshell was running as a low-priv account, but the process I was doing command injection through was running as NT AUTHORITY\SYSTEM, so woot! No wonder I can successfully lock the webshell file using a process that starts on startup. This doesn't work for Meterpreter payloads that spin off their own processes, which then get detected. So maybe it works, but it's limited.

Sidenote:

A bit about how difficult it was to figure out I was root when my RCE was Java arbitrary code execution...


The webshell was written to C:\inetpub\wwwroot by my Java process. It executed commands as a low-privilege AppPool-type IIS user. Running whoami through the shell will tell you this.


Asking the Java Virtual Machine was a little useless. Calling System.getProperty("user.name") just returns the USERNAME environment variable from (I believe) when the JVM was started. This gave me PC-NAME$, where PC was the domain name of another user I got access to another way, i.e. PC-NAME\otheruser.


FINALLY I got the idea to run "cmd.exe /c whoami" directly through the Java injection, write the results to a publicly served directory, and check out the results. NT AUTHORITY\SYSTEM! Whew! At this point I guess I don't need evasion; I could just turn off the AV!