This module uses an authenticated OS command injection vulnerability to deploy an agent in the target system that will run with NT AUTHORITY\\SYSTEM user privileges. The vulnerability is present in the saveSvcConfig method of the com.progress.ubroker.tools.AbstractGuiPluginRemObj java class. The vulnerable class can be reached by creating an instance of the com.progress.chimera.adminserver.AdminContext class via the com.progress.chimera.adminserver.IAdminServer interface. This module may also abuse CVE-2024-1403: an authentication bypass vulnerability that allow access to the adminServer classes. This module will perform the following steps: If no username and password are provided, the module will use the CVE-2024-1403 vulnerability to authenticate against the target application as the NT AUTHORITY/SYSTEM user. If a username and password are provided, then those credentials will be used for authentication. Once authenticated, it will create an instance of the com.progress.chimera.adminserver.AdminContext class via the com.progress.chimera.adminserver.IAdminServer interface. Then, it will use the getPlugins method of the previous class to obtain a list of the interfaces exposed by the com.progress.ubroker.tools.NSRemoteObject plugin. Then, use the getRemoteManageObject method of the com.progress.ubroker.tools.NSRemoteObject class via the com.progress.ubroker.tools.IYodaSharedResources interface to create an instance of an object compatible with the com.progress.ubroker.tools.IYodaRMI interface. Then, use the doRemoteToolCmd method via the com.progress.ubroker.tools.IYodaRMI interface to add a payload to deploy an agent inside the Progress\\OpenEdge\\properties\\ubroker.properties file. An entry to an application *service* will be added. Finally, it will use again the doRemoteToolCmd method to start a process that will use the parameters added in the previous step. All requests to target will be made using Java RMI requests
This module uses a XML External Entity vulnerability in combination with an authenticated OS command injection to deploy an agent in SysAid on-prem that will run with the sysaidinternal user privileges. The module will use the XML External Entity vulnerability located in the com.ilient.mdm.GetMdmMessage java class and accessed via the /mdm/serverurl endpoint to download the InitAccount.cmd file located in the C:\Program Files\SysAidServer\logs folder. The InitAccount.cmd contains the username and password of the main administrator in plain text in its first line. The module will create a new identity with these credentials. Then, with the main administrator credentials, the module will login in the application and then use the authenticated OS command injection via the /API.jsp endpoint to execute system commands to deploy the agent.
This module uses a XML External Entity vulnerability in combination with an authenticated OS command injection to deploy an agent in SysAid on-prem that will run with the sysaidinternal user privileges. The module will use the XML External Entity vulnerability located in the com.ilient.mdm.GetMdmMessage java class and accessed via the /mdm/serverurl endpoint to download the InitAccount.cmd file located in the C:\Program Files\SysAidServer\logs folder. The InitAccount.cmd contains the username and password of the main administrator in plain text in its first line. The module will create a new identity with these credentials. Then, with the main administrator credentials, the module will login in the application and then use the authenticated OS command injection via the /API.jsp endpoint to execute system commands to deploy the agent.
This module uses a message header injection vulnerability to deploy an agent in Apache Camel that will run with the same privileges as the webapp. First, this module will use the vulnerability to determine the underlying OS system and check if the target is vulnerable. If the underlying OS can be determined, then the target is assumed to be vulnerable and the vulnerability will be used again to deploy an agent.
This issue allows unauthenticated users to execute arbitrary commands on the server due to a command injection vulnerability in the `cmd_realtime.php` file. The vulnerability arises when the `register_argc_argv` option of PHP is enabled, which is the default setting in many environments. The `$poller_id` used in command execution is sourced from `$_SERVER['argv']`, which can be manipulated through URLs when this option is enabled. This module exploits this vulnerability sending a special request to 'cmd_realtime.php' that sets $_SERVER['argv'] into an os command.
This issue allows unauthenticated users to execute arbitrary commands on the server due to a command injection vulnerability in the `cmd_realtime.php` file. The vulnerability arises when the `register_argc_argv` option of PHP is enabled, which is the default setting in many environments. The `$poller_id` used in command execution is sourced from `$_SERVER['argv']`, which can be manipulated through URLs when this option is enabled. This module exploits this vulnerability sending a special request to 'cmd_realtime.php' that sets $_SERVER['argv'] into an os command.
An authentication bypass in Palo Alto Networks PAN-OS software(CVE-2024-0012) enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges to perform administrative actions. A privilege escalation vulnerability in Palo Alto Networks PAN-OS software(CVE-2024-9474) allows a PAN-OS administrator with access to the management web interface to perform actions on the firewall with root privileges. This module exploits these two vulnerabilities CVE-2024-0012 and CVE-2024-9474 in order to deploy an agent. The exploit does the following steps: Sends a request containing a header parameter for authentication bypass(CVE-2024-0012) to inject a command within a "user" request body parameter(CVE-2024-9474) and receive an elevated PHP user session ID(PHPSESSID) in the response, whereby the injected command is written to a local session cache file. Sends a request with the elevated PHPSESSID to trigger evaluation of the injected local session cache file. Repeats the process with all the necessary commands to deploy an agent.
An authentication bypass in Palo Alto Networks PAN-OS software(CVE-2024-0012) enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges to perform administrative actions. A privilege escalation vulnerability in Palo Alto Networks PAN-OS software(CVE-2024-9474) allows a PAN-OS administrator with access to the management web interface to perform actions on the firewall with root privileges. This module exploits these two vulnerabilities CVE-2024-0012 and CVE-2024-9474 in order to deploy an agent. The exploit does the following steps: Sends a request containing a header parameter for authentication bypass(CVE-2024-0012) to inject a command within a "user" request body parameter(CVE-2024-9474) and receive an elevated PHP user session ID(PHPSESSID) in the response, whereby the injected command is written to a local session cache file. Sends a request with the elevated PHPSESSID to trigger evaluation of the injected local session cache file. Repeats the process with all the necessary commands to deploy an agent.
This module exploits CVE-2024-5910 to reset the password of the admin. For doing this, it will craft a special request to the endpoint /OS/startup/restore/restoreAdmin.php. After getting the admin password, it will authenticate with the admin credentials and it will exploit CVE-2024-9464 in order to deploy an agent. The exploitation of CVE-2024-9464 consists in crafting a special request to the endpoint /bin/CronJobs.php. As an authenticated user we can abuse this endpoint for inserting commands in the table cronjobs from pandb. After inserting the command into this table, the target will execute it.