Uncategorized

HP Device Manager – CVE-2020-6925, CVE-2020-6926, CVE-2020-6927

Ever come across a system that did so many little things wrong that you were certain you could “get r00t”? You chip away, gradually uncovering the links in the chain, but then you run out of time…

This was almost one of those. Almost.

tl;dr;

The tl;dr; of this one is that HP Device Manager versions 5.0.3 and below, and 4.7 before service pack 13 (pending release at the time of writing) are affected by a bunch of vulnerabilities that, in the worst case, lead to unauthenticated remote command execution with SYSTEM privileges. The official advisory and mitigation advice from HP can be found here.

Update 16th Oct 2020: PoC exploit can be found here.

Published on: 5th Oct 202016th Oct 2020Author: NickstaDB

Exploitation

X-Cart 5 <= 5.4.0.12/5.4.1.7 Unauthenticated RCE via File Write

This one was a fun little hack. Versions 5.4.1.7 and below, and 5.4.0.12 and below of the X-Cart PHP ecommerce platform are affected by an unauthenticated vulnerability that allows an attacker to control the path and partial contents of a file write operation. The vulnerability was fixed in versions 5.4.1.8 and 5.4.0.13, but read on for the details.

Update: Links to the vendor’s changelog for the updated versions:

X-Cart Changelog v5.4.1.8: https://devs.x-cart.com/changelog/5.4.1.8_-_21_july_2020.html
X-Cart Changelog v5.4.0.13: https://devs.x-cart.com/changelog/5.4.0.13_-_21_july_2020.html

Published on: 21st Aug 202021st Aug 2020Author: NickstaDB

Tools

Patching Android Split APKs

I recently came up against my first split APK during an Android app security assessment. My usual toolkit doesn’t support split APKs, so I hacked together a solution to allow me to instrument and analyse an Android app that was split over multiple APKs. I’ve published patch-apk.py to Github, but read on for the gory details!

Published on: 29th Mar 202029th Mar 2020Author: NickstaDB

Exploitation

Reversing JNBridge to Build an n-day Exploit for CVE-2019-7839

I was chatting to @Random_Robbie at the inaugural BSides Liverpool (@BSidesLivrpool), when he mentioned a new Adobe ColdFusion RCE and then said…

“There’s no public exploit.”

I’ve dabbled a bit with ColdFusion exploitation in the past and expected this to be another Java deserialization vulnerability. Instead I ended up spending the next day or so reversing a bizarre network protocol.

Published on: 12th Oct 201929th Mar 2020Author: NickstaDB

Exploitation

Drupal Coder Module – Unauth RCE – SA-CONTRIB-2016-039

Note: This is an old write-up from 2016 but I was prompted to resurrect it after my tweet about it was recently retweeted. I do think it’s a good example of the process of identifying an exploitable vulnerability too.

The Drupal Security Advisory SA-CONTRIB-2016-039 was issued for an unauthenticated remote code execution vulnerability that I found whilst doing a code review of the third-party Coder module. The vulnerability affects all versions of the Drupal coder module for Drupal 7.x below version 7.x-1.3 and 7.x-2.6, and the module does not need to be enabled to be vulnerable. When I discovered this vulnerability there were around 4,000 websites reportedly using the module.

The module included a PHP script which was inherently dangerous and could be accessed without authentication. The script’s purpose was to patch PHP code. The module developer (who also wrote a “Secure Code Review” module) didn’t make any attempt to restrict access to this inherently dangerous script and when I reported the issue he repeatedly closed the report saying that the script was working as designed…

Published on: 19th Jul 20182nd Oct 2020Author: NickstaDB

Exploitation

Another ColdFusion RCE – CVE-2018-4939

In October 2017 I published an overview and video proof-of-concept of a Java RMI/deserialization vulnerability affecting the Flex Integration service of Adobe ColdFusion. I held off on publishing all of the details and exploit code at the time because I spotted an additional exploit payload that could be used against a patched server.

A further security update has now been released by Adobe, so read on for more details.

Published on: 18th Jun 201818th Jun 2018Author: NickstaDB

Exploitation

POPping WordPress

Fun with PHP deserialization and some accidental WordPress bugs.

A few months ago I was putting together a blog post on PHP deserialization vulnerabilities. I decided to look for a real target that would allow me to supply data to the PHP unserialize() function to use for demonstration purposes. I downloaded a load of WordPress plugins and started grepping through the code for calls to unserialize() to find the following example:

$url = 'http://api.wordpress.org/plugins/info/1.0/';
$response = wp_remote_post ($url, array ('body' => $request));
$plugin_info = @unserialize ($response ['body']);
if (isset ($plugin_info->ratings)) {

$url = 'http://api.wordpress.org/plugins/info/1.0/';

$response = wp_remote_post ($url, array ('body' => $request));

$plugin_info = @unserialize ($response ['body']);

if (isset ($plugin_info->ratings)) {

The plugin in question made a clear text HTTP request and passed the response to unserialize(). In terms of a real attack it wasn’t the greatest entry point but if I could trigger this code it would be trivial to supply input to unserialize() this way so it was good enough!

Published on: 28th Feb 20188th Mar 2019Author: NickstaDB

Exploitation

Popping Password-“Protected” JMX

The name gives it away, Java Management Extensions (JMX) is a potentially juicy target for attack. One of the ways that a JMX service may be exposed is using Java Remote Method Invocation (RMI), which we can detect using nmap or my tool BaRMIe by looking for RMI registry services (by default on TCP port 1099) which expose an object named jmxrmi, or an object using the class javax.management.remote.rmi.RMIServer or javax.management.remote.rmi.RMIServerImpl_Stub.

Ignoring horrifically outdated/configured versions of Java where RMI is trivially exploitable with Metasploit, Braden Thomas (@drspringfield) did some research into exploiting the JMX RMI service back in 2013 and came up with a way to achieve remote code execution by instructing the service to load and execute code from a remote server that is under the attacker’s control. One of the recommended mitigations was to ensure that the JMX service is password protected.

Published on: 26th Jan 20188th Mar 2019Author: NickstaDB

Exploitation

Improving the BMC RSCD RCE Exploit

Last week I wrote about how I semi-blindly produced an RCE exploit for the BMC Server Automation RSCD service without access to a test environment. Since then I’ve got my hands on a test environment where I’ve been able to improve the exploit in several ways through further analysis and fuzzing.

The tl;dr; is that I’ve fixed a few bugs through further analysis, debugging, and a little fuzzing/bruteforcing. The exploit can be found over on Github.

Published on: 8th Jan 20188th Mar 2019Author: NickstaDB

Exploitation

RCE with BMC Server Automation

If you’ve ever come across BMC Server Automation during network scanning then you may have seen Nessus flag up a Critical vulnerability titled “BMC Server Automation RSCD Agent Weak ACL NSH Arbitrary Command Execution” (Nessus plugin ID 91947).

Published on: 1st Jan 20188th Mar 2019Author: NickstaDB