PT SWARM

2021-10-26 10:12:48 PHP-FPM Local Root Vulnerability

by Charles Fol

PHP-FPM (FastCGI Process Manager) is the official PHP FastCGI server. It is used in conjunction with an HTTP server such as Apache or NGINX to handle the processing of PHP files. It generally listens for connections over either a UNIX socket or on TCP port 9000. When the HTTP server needs to run a PHP file, it will forward parameters, such as the file path, PHP variables, and configuration to PHP-FPM, which will send back a response.

A low-privilege process can read and write an array of pointers used by the main process, running as root, through shared memory. An attacker can leverage this problem to change a 32-bit integer from zero to one in the main process's memory, or clear a memory region. By leveraging the primitive multiple times, it is possible to reach another bug, make the main process execute code, and thus escalate privileges.

Due to the growing adoption of NGINX instead of Apache, a good look at PHP-FPM was in order. An oversight in the design of the shared memory region lead to half-decent exploitation primitives, which in turn lead to a root privilege escalation.

Contents:
• Introduction
• Overview of the bug
• Overview of PHP-FPM
• Main process and workers
• Scoreboards
• IPC through SHM
• Proecss scoreboard management and the bad primitive
• An example
• Exploitation
• Tailoring the primitive
• Reaching the heap: setting catch_workers_output
• Good enough ?
• All your bases
• Persistent worker control
• Capping the number of workers
• Closed FD
• Error-free PHP
• Problem-free exploitation tactics
• Managing streams: zlog_stream
• Unreachable heap overflow
• Faking the streams, getting root
• Heap overflow
• Arbitrary write
• Demo
• Vulnerable versions
• Conclusion and Remarks

https://ambionics.io/blog/php-fpm-local-root Open / Comment

2021-10-20 17:06:03 New article: "WinRAR’s vulnerable trialware: when free software isn’t free" by our researcher Igor Sak-Sakovskiy.

In this article, we show how vulnerabilities in trialware could beсome a gate for hackers.

https://swarm.ptsecurity.com/winrars-vulnerable-trialware-when-free-software-isnt-free/ Open / Comment

2021-10-15 16:15:16 Building a POC for CVE-2021-40438

by Firzen

A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier. The author of the article found a way to exploit it

Contents:
• The Patch
• How to exploit?
• How uds_path is being set?
• Success
• Conclusion and Remarks

https://firzen.de/building-a-poc-for-cve-2021-40438 Open / Comment

2021-10-11 16:54:45 We are pleased to present the utility developed by our researcher Philip Nikiforov for Flutter apps traffic monitoring.

Just make app trust installed certificates by repacking it with reFlutter and hunt bugs using Burp Suite. No root, no VPN, no more hassle!

https://github.com/ptswarm/reFlutter Open / Comment

2021-10-07 11:32:39 CVE-2021-26420: Remote Code Execution in Sharepoint via workflow compilation
by The ZDI Research Team

In June of 2021, Microsoft released a patch to correct CVE-2021-26420 – a remote code execution bug in the supported versions of Microsoft SharePoint Server. This bug was reported to the ZDI program by an anonymous researcher and is also known as ZDI-21-755. This blog takes a deeper look at the root cause of this vulnerability.
This vulnerability could be used by an authenticated user to execute arbitrary .NET code on the server in the context and permissions of the service account of a SharePoint web application. For a successful attack, the attacker should have “Manage Lists” permissions on any SharePoint site. By default, any authenticated user can create their own site where they have the necessary permissions.

Contents:
• The Vulnerability
• Proof of Concept
• Achieving Remote Code Execution
• Conclusion

https://www.zerodayinitiative.com/blog/2021/10/5/cve-2021-26420-remote-code-execution-in-sharepoint-via-workflow-compilation Open / Comment

2021-10-05 18:14:23 We have reproduced the fresh CVE-2021-41773 Path Traversal vulnerability in Apache 2.4.49.

If files outside of the document root are not protected by "require all denied" these requests can succeed.

Patch ASAP!

https://httpd.apache.org/security/vulnerabilities_24.html Open / Comment

2021-10-01 11:34:30 Chasing a Dream :: Pre-authenticated Remote Code Execution in Dedecms
by Steven Seeley

Technical review of Chinese CMS “Dedecms” including its attack surface and how it differs from other applications. In the end, the author ends up with a pre-authenticated remote code execution vulnerability impacting the v5.8.1 pre-release.

Contents:
• Threat Modeling
• Defense in Depth
• Finding a pre-authenticated endpoint
• ShowMsg Remote Code Execution Vulnerability
• Summary
• Vulnerability Analysis
• Proof of Concept
• Reporting
• Conclusion
• References

https://srcincite.io/blog/2021/09/30/chasing-a-dream-pwning-the-biggest-cms-in-china.html Open / Comment

2021-09-29 17:00:46 New article: "Cisco Hyperflex: How We Got RCE Through Login Form and Other Findings"

Read more about critical vulnerabilities (CVSS 9.8, 7.3 and 5.3) found by our researchers
Nikita Abramov & Mikhail Klyuchnikov:

https://swarm.ptsecurity.com/cisco-hyperflex-how-we-got-rce-through-login-form-and-other-findings/ Open / Comment

2021-09-28 12:06:17 "A tale of making internet pollution free" - Exploiting Client-Side Prototype Pollution in the wild
by Mohan Sri Rama Krishna P, Sergey Bobrov, Terjanq, Beomjin Lee, Masato Kinugawa, Nikita Stupin, Rahul Maini, Harsh Jaiswal, Mikhail Egorov, Melar Dev, Michał Bentkowski, Filedescriptor, Olivier, William Bowling, Ian Bouchard

In JavaScript, an object inherits methods and properties from its prototype. Prototype Pollution it’s the situation when extra properties are added to a prototype of base
objects. Based on the application logic, prototype pollution leads to other vulnerabilities from RCE to SQL. This technical write-up touch the tools researchers are created, challenges they faced, and case studies during the whole process.

Contents:
• Introduction
• Methodology
• Detection
• Case 1
• Selenium Bot
• Browser Extension
• Case 2
• Identifying the vulnerable library
• Blocking the JS resource request in Firefox
• Debugger Breakpoint on setter
• Finding Script Gadgets
• What is a script gadget?
• Keyword search and Source Code Review
• Filedescriptor’s untrusted-types extension
• Report
• Store vulnerable libraries and gadgets in database
• Case Studies
• Case Study 1: CodeQL for fun and profit
• Case Study 2: Prototype Pollution on Jira Service Management 4.16.0, <4.18.0(fix bypass)
• Case Study 3: XSS on apple.com found using chrome extension by Rahul and Harsh
• Case Study 4: HubSpot Analytics
• Case Study 5: Segment Analytics Pollution by Masato Kinugawa
• Mitigations

https://blog.s1r1us.ninja/research/PP Open / Comment

2021-09-23 11:08:49 Autodiscovering the Great Leak
by Amit Serper

The design flaw within the Autodiscover protocol that makes it possible for an attacker who controls top-level Autodiscover domains (or has the ability to conduct a DNS-poisoning attack using these domains), to get valid domain credentials from leaky Autodiscover requests.

Contents:
• Executive summary
• Introduction
• What is Autodiscover?
• Abusing the Leak
• The ol’ switcheroo
• Mitigation
• Conclusion

https://www.guardicore.com/labs/autodiscovering-the-great-leak/ Open / Comment