Posts

Enjay CRM 1.0 - Multiple code executions via Unrestricted Terminal

Enjay CRM is a collection which contains the CRM software along with Linux Ubuntu; however, normal users don't have access to the underlying OS. Once the OS boots, it runs the Enjay CRM software, which has multiple read-only options. However, some of these options open a terminal to perform a specific activity. This terminal is unrestricted, and the user can access the underlying OS as root and run any command on the OS. The underlying OS can be accessed using two methods; CVEs are also assigned to these findings.

1. Using Ping menu (CVE-2024-41308): it will open a terminal and the user can click on File menu -> New Tab/New window, and a root-level terminal will open.
2. Using Hardware info (CVE-2024-41309): once the Hardware info page opens, click on the Help menu and select either "Open HardInfo Website" or "Report bug". It will open an unrestricted terminal where the user can click on File menu -> New Tab/New window, and a root-level terminal will open.

Both the vulner

GRANDING UTime Master - CSV Injection

Hi All, I was able to identify a CSV Injection vulnerability in one online attendance system, i.e. GRANDING UTime Master (v UTime Master_9.0.7-Build:Apr 4,2023). UTime Master is a powerful web-based time and attendance management software that provides a stable connection to GRANDING’s standalone push communication devices by Ethernet/Wi-Fi/GPRS/3G and works as a private cloud to offer employee self-service by mobile application and web browser.

- Log in to UTime Master using an admin account.
- Click on Personnel > Employee Management > Employee.
- Select any employee or create a new employee.
- In the First Name section, embed your payload. For the test case I used " =cmd|' /C notepad'!'A1' ".

CSV payload embedded in EMP NAME field.

- Once submitted, the CSV payload will be visible in the First Name field.
- Click on the export button and click on CSV Export.

CSV payload embedded in EMP NAME field.

- Open the exported file and the payload will be executed successfully.

I have also observed mul

GRANDING UTime Master - IDOR (CVE-2023-45393)

Hi All, I was able to identify an IDOR vulnerability in one online attendance system, i.e. GRANDING UTime Master (v UTime Master_9.0.7-Build:Apr 4,2023).

CVE ID: CVE-2023-45393

UTime Master is a powerful web-based time and attendance management software that provides a stable connection to GRANDING’s standalone push communication devices by Ethernet/Wi-Fi/GPRS/3G and works as a private cloud to offer employee self-service by mobile application and web browser.

Using the IDOR, any user of the application can fetch logs which are meant to be accessible to administrators only. These logs also contain sensitive information like the user password which is used by employees to do the attendance.

- Log in to UTime Master using any account.
- Capture the request in Burp Suite with the valid cookies.
- Modify the URL to "/base/adminlog/table/?page=1&limit=200".
- Forward the request and it will fetch all the admin logs.

IDOR has been fixed in latest versions after 9.0.7-Build:Apr 4,2023.

GRANDING UTime Master - Stored XSS (CVE-2023-45391)

Hi All, I was able to identify stored XSS in one online attendance system, i.e. GRANDING UTime Master (v UTime Master_9.0.7-Build:Apr 4,2023).

CVE ID: CVE-2023-45391

UTime Master is a powerful web-based time and attendance management software that provides a stable connection to GRANDING’s standalone push communication devices by Ethernet/Wi-Fi/GPRS/3G and works as a private cloud to offer employee self-service by mobile application and web browser.

- Log in to UTime Master using an admin account.
- Click on Personnel > Employee Management > Employee.
- Select any employee or create a new employee.
- In the First Name section, embed your payload. For the test case I used "/><img src=a onerror=alert(22)>

XSS payload embedded in EMP NAME field.

- Save the employee details. Once the page has refreshed, it will execute your payload.

Our payload executed successfully.

I have also observed that multiple other fields are also vulnerable to XSS, e.g. Device Name, Department etc. XSS has been fixed in la

CSV injection in Avaya Call Management System (CMS). CVE-2023-3527

Hi All, I was able to identify a CSV injection vulnerability in Avaya Call Management System (CMS). Avaya Call Management System (CMS) is an integrated analysis and reporting solution that keeps you in touch with virtually everything that’s going on in your contact center, from evaluating the performance of a single agent or group of agents to managing a contact center with multiple locations worldwide.

During the security assessment of the CMS Supervisor Web application, I noted that the whole "Administration" section has a feature to download the content in CSV format. Any malicious user can inject a malicious CSV payload, which will be executed if the admin downloads the CSV report and opens it. Excel will ask the admin to enable the content; since the report is downloaded from a trusted source, he will click on enable, which will execute the content.

Vulnerability and Fixed:
Vulnerability Name: CMS is vulnerable to CSV Injection
Assigned CVE: CVE-2023-3527
ASA Number:  ASA

ZKT Eco ADMS - Stored XSS (CVE-2022-44213)

Hi All, I was able to identify stored XSS in one online attendance system, i.e. ZKT Eco ADMS (v 3.1-164). ADMS (Automatic Data Master Server) is a powerful web-based time and attendance management software which is used to configure the attendance devices and manage their users.

CVE ID assigned: CVE-2022-44213: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44213

Technical details

- Log in to ZKT Eco ADMS (default admin/admin).
- Click on System and click on Employee.
- Click on the Append button to add a new employee.
- In the Emp Name field, add your XSS payload. For testing I have used a non-malicious code "/><img src=a onerror=alert('stored-XSS');>
- Click on the Submit button; it will redirect you to the employee list, and our payload will be executed.

XSS payload embedded in EMP NAME field.

Our payload executed successfully.

XSS has been fixed in latest versions after 3.1-164.

NXLog Convert windows Hostname to Host-IP in the logs

Hi all, Recently I faced an issue where I was sending Windows logs to my logs collector, however the logs were sent in the below format:

Timestamp, System Hostname, Event-ID, etc etc

To resolve the hostname to an IP address, the collector needed access to a local DNS server, but there is no local DNS :-P So there are 2 solutions.

- Create a local DNS server, add all the entries of all the hosts, and point the logs collector to this local DNS.
- Find some workaround to be implemented on all the servers so it can convert the hostname to its local IP before forwarding it to the logs collector.

After googling for around 4-5 hrs, I wasn't able to find any proper solution; every solution which I was reading was converting IP to hostname. So I started reading the documentation of NXLOG and found a core function which can be used to convert the hostname to the host IP.

Let's assume you have already configured the INPUT entity in the NXLOG config file and you know which logs are to be collected. N

ZKBio Time - CSV Injection (CVE-2022-40472)

Hi all, I am here with a new post. Recently I identified a CSV injection vulnerability in one of the web-based time and attendance management software products. Below are the details:

Software Description: ZKBio Time is a powerful web-based time and attendance management software. With a powerful data handling capacity, the system can manage the attendance data of 10,000 employees. It can easily handle hundreds of devices and thousands of employees and their transactions. ZKBio Time comes with an intuitive user interface, is able to manage timetable, shift and schedule, and can easily generate attendance reports.

Impacted Version: 8.0.7 (Build: 20220721.14829) and before.

CVE ID: CVE-2022-40472

Vulnerability details:

- Log in to the ZKBio Time application.
- In the left menu click on Messages -> Public.
- Click on the ADD new message button.
- Write your Device Serial Number.
- Mention any date/time and duration.
- In the Content field, add your CSV injection payload, as shown below.

Any user who extract the report in CS

Python Not Showing Colors in Windows 10

Hi All, So today I was testing one exploit, but on Windows it was not showing the colors, which was very annoying. I tried to install colorama and termcolor, however nothing worked; the exploit was still showing ASCII instead of colors, as shown below.

After a lot of searching I was able to fix it; it requires a little modification of the exploit.

First, make sure to install colorama and termcolor.

For Python 2.7.x:

    pip install colorama
    pip install termcolor

For Python 3.x:

    pip3 install colorama
    pip3 install termcolor

Next, open the file in Notepad or any other editor and add the below lines at the start of the script:

    import os
    os.system("")

Save the script and re-run it; it will start showing the color codings.

Thanks

CSV Injection in Acunetix version 13.0.201217092 (CVE-2022-29315)

Hi all, I was using Acunetix version 13.0.201217092 for scanning purposes back in Jan 2021, and I was able to identify a CSV Injection vulnerability in the web scanner. Any user who is not the administrator can perform these actions, which can lead to admin system compromise. For testing I used the Admin account. Let's get to the technical details.

CVE ID Assigned: CVE-2022-29315
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29315
https://www.cve.org/CVERecord?id=CVE-2022-29315

Vulnerable Version: Before version 14
Fixed Version: 14 and 14+

# Software description:
Acunetix by Invicti Security is an application security testing tool built to help small & mid-size organizations around the world take control of their web security.

# Technical Details & Impact:
It was observed that the Target page is vulnerable to CSV Injection. Using CSV injection, maliciously crafted formulas can be used for three key attacks: Hijacking the user's computer by exploiting vulnerabilitie

SSL Pinning Bypass trick PT2 (Forcing APK Accept CA Certificate)

So as discussed in Part 1, the 1APP has implemented another trick to avoid bypassing SSL pinning. Before, they were focusing on CA certificates present in the device, which we were able to bypass by putting our Burp Suite certificate in the CA directory. Now, after the update, the old trick was not working.

To understand the implemented fix, I decompiled the APK again, and in the "resources\res\xml" directory I checked for "network_security_config.xml". After reviewing the XML file I saw a new entry like:

    <trust-anchors>
        <certificates src="@raw/myAPP"/>
    </trust-anchors>

This means that they have embedded their own certificate in the "\resources\res\raw" directory with the name "myAPP", which means that the application will not accept any certificate (CA/system or user) from the device; it will only use the myAPP certificate which is embedded in the APK.

I have tried multiple attempts to bypass it however every time I manipulate the APK file and tri

SSL Pinning Bypass Trick PT1 (Copying Burp certificate to CA Directory)

Hi everyone, as you are aware, I update this blog when I get stuck in some situation, and after multiple attempts, if I bypass that situation, I write a blog about it. So today we will be discussing multiple issues which I faced while bypassing SSL pinning in one application. Let's call it 1APP.

So 1APP is configured in a way that normally installing the Burp Suite certificate in Android was not working. Running the application with the normal Burp certificate, it was giving errors like "java.security.cert.certpathvalidatorexception" webhook etc.

After decompiling the app using online tools (or you can use APKTOOL), in the "resources\res\xml" directory I checked for "network_security_config.xml". After reviewing the XML file it was clear the application is only trusting those certificates which are installed in the CA directory of the device. So it was clear that we have to copy our certificate to the Android CA directory.

After alot of searching I came across an awesome article where he explaine

Ericsson ECM (Enterprise Content Management) solution Vulnerable to CSV Injection (CVE-2021-41390)

Dear Reader, I was able to identify CSV Injection in Ericsson ECM (Enterprise Content Management) solution Version: 18.0 (0331) R1E

CVE ID: CVE-2021-41390

Below are its details:

# Software description:
Ericsson Catalog Manager allows customers to rapidly launch and enable new innovative offerings with simple user experience and enterprise product, service & resource catalog capabilities.

# Technical Details & Impact:
It was observed that the Security Provider Endpoint in the User Profile Management Section is vulnerable to CSV Injection. Using CSV injection, maliciously crafted formulas can be used for three key attacks:

- Hijacking the user's computer by exploiting vulnerabilities in the spreadsheet software, such as CVE-2014-3524.
- Hijacking the user's computer by exploiting the user's tendency to ignore security warnings in spreadsheets that they downloaded from their own website.
- Exfiltrating contents from the spreadsheet, or other open spreadsheets.

# POC
Login as

Ericsson ECM (Enterprise Content Management) solution Vulnerable to Stored XSS (CVE-2021-41391)

Dear Reader, I was able to identify stored XSS in Ericsson ECM (Enterprise Content Management) solution Version: 18.0 (0331) R1E

CVE ID: CVE-2021-41391

Below are its details:

# Software description:
Ericsson Catalog Manager allows customers to rapidly launch and enable new innovative offerings with simple user experience and enterprise product, service & resource catalog capabilities.

# Technical Details & Impact:
It was observed that the Security Management Endpoint in the User Profile Management Section is vulnerable to stored XSS. In most test cases session hijacking was also possible by utilizing the XSS vulnerability. This potentially allows for full account takeover, or exploiting admins' browsers using the BeEF framework.

# POC
- Log in as a normal user in ECM.
- Click on User Profile Management and click on Preference Definition, or just visit this URL "https://host:port/ecm/securityManagement " and change the host/port to your ECM host/port.
- Edit or create new Preference

Microsoft Teams Webinar Vulnerable to CSV Injection Vulnerability

Dear reader, While testing different features of TEAMS, I found a CSV injection vulnerability in the TEAMS Webinar feature, where any external user or attacker can register himself for attending a public webinar, and in the webinar registration page he can inject a malicious payload which will be executed once the admin downloads the attendees list.

As per Microsoft, they are not accepting it as a high/medium security bug (which I totally disagree with) and it is not eligible for bounty or hall of fame; they also provided the permission to disclose this publicly.

As per Microsoft, the admin has to click the Enable button once he opens the report. For which I mentioned to them multiple times that the admin will always trust the report as it's coming from a trusted source, which in this case is Microsoft, and 95% of times he will click on the Enable button and the payload will be executed.

Anyways, let's start with the vulnerability details. At the end of this document I will give a bonus trick on how to find publicly available webinars

Windows Update / Defender update issue

Today while updating my Windows Defender to the latest version, I was facing the below issue: it was not updating to the latest version and was showing error code 0x80070643. Multiple retries and troubleshooting were performed but nothing helped. Later I found the below commands, which help to update Defender using the command prompt:

    cd %ProgramFiles%\Windows Defender
    MpCmdRun.exe -removedefinitions -dynamicsignatures
    MpCmdRun.exe -SignatureUpdate

and it fixed the issue.

Joplin App Desktop Version Vulnerable to XSS

Dear Reader, Jubair Rehman Yousafzai here.

Update Sept 2022: CVE assigned CVE-2021-33295 https://www.cvedetails.com/cve/CVE-2021-33295/

During the testing of Joplin App Desktop Version before 1.8.5 I was able to execute the malicious XSS when entered in the main body of Joplin App Desktop. Once I clicked on the Toggle button twice, the payload was executed successfully. The payload which I have used for this testing is as below:

<noscript><p title="</noscript><img src=x onerror=alert('testing')>">

Below is the POC for this exploit.

After reporting to the Joplin team, they fixed the issue directly and released the fix in version 1.8.5. Below are their release notes and details:

https://github.com/laurent22/joplin/releases/tag/v1.8.5

Thanks
Jubair Rehman: https://twitter.com/jubairfolder

Win10 WIFI keeps on disconnecting

Dear Reader, For the last two days I was extremely annoyed by Windows 10 and my Lenovo L490. The issue was that my WIFI started disconnecting after every few minutes or sometimes after an hour. I have tried every method which was suggested over the internet; below are the methods I have performed.

1. Uninstalling the WIFI driver from Device Manager and restarting the system. The driver got installed automatically after restart, but it solved the issue only temporarily and the WIFI started disconnecting after an hour.
2. My laptop was connected to 5GHz WIFI, so I tried to connect to 2.4GHz. Still the same issue.
3. Downloading the new WIFI driver from the Lenovo website and installing it. Still the same issue.
4. Turning off the option "Allow computer to turn off this device for power saving"; details on how to turn it off are mentioned below.
5. Resetting the netsh winsock by entering the below two commands in CMD (Run As Administrator), but same issue.
   -> netsh winsock reset
   -> netsh int ip reset
6. Performin