This exploit leverages the CVE-2024-24401 and CVE-2024-24402 vulnerabilities in Nagios XI to fully compromise the system and gain total remote control. The monitoringwizard.php component of Nagios XI version 2024R1.01 is vulnerable to a critical SQL Injection, identified as CVE-2024-24401. Initially, the exploit targets this component, performing an SQL Injection to extract the administrator key (admin key). Before proceeding, it authenticates using an existing user, regardless of their privilege level, ensuring access to the system for subsequent stages. With the administrator key obtained, a new administrator user is created, along with an identity associated with this user, using the newly generated credentials. This identity enables reauthentication and the ability to perform elevated actions. Subsequently, the exploit executes arbitrary commands on the system using the privileges of the newly created administrator. Next, it installs an agent and escalates its privileges to root, exploiting the CVE-2024-24402 vulnerability. During this process, the exploit manages the npcd service binary: first, the original service is stopped, and a backup of the npcd binary is created in the /usr/local/nagios/bin/ directory as npcd.backup. Then, the agent binary is copied to the same directory under the name npcd, replacing the original binary. Finally, the npcd service is restarted to execute the agent. These steps result in a full system compromise, granting the attacker total remote control and the ability to execute arbitrary actions with root privileges.
The Kernel Streaming WOW Thunk Service module (ksthunk.sys) present in Microsoft Windows is vulnerable to a double-fetch, which can result in an arbitrary memory decrement. This module allows a local unprivileged user to execute arbitrary code with SYSTEM privileges. The steps performed by the exploit are:
1. Get the kernel address of nt!SeDebugPrivilege.
2. Create a new thread to win the race condition.
3. Trigger the double-fetch three times and overwrite nt!SeDebugPrivilege.
4. Create a new process running the agent as SYSTEM.
An authentication bypass in Palo Alto Networks PAN-OS software (CVE-2024-0012) enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges and perform administrative actions. A privilege escalation vulnerability in Palo Alto Networks PAN-OS software (CVE-2024-9474) allows a PAN-OS administrator with access to the management web interface to perform actions on the firewall with root privileges. This module exploits these two vulnerabilities, CVE-2024-0012 and CVE-2024-9474, in order to deploy an agent. The exploit performs the following steps:
1. Sends a request containing a header parameter for the authentication bypass (CVE-2024-0012) to inject a command within a "user" request body parameter (CVE-2024-9474) and receives an elevated PHP user session ID (PHPSESSID) in the response, whereby the injected command is written to a local session cache file.
2. Sends a request with the elevated PHPSESSID to trigger evaluation of the injected local session cache file.
3. Repeats the process with all the commands necessary to deploy an agent.
This module exploits CVE-2024-5910 to reset the admin password. To do this, it crafts a special request to the endpoint /OS/startup/restore/restoreAdmin.php. After obtaining the admin password, it authenticates with the admin credentials and exploits CVE-2024-9464 in order to deploy an agent. The exploitation of CVE-2024-9464 consists of crafting a special request to the endpoint /bin/CronJobs.php. As an authenticated user, we can abuse this endpoint to insert commands into the cronjobs table in pandb. After the command is inserted into this table, the target executes it.
The Windows streaming driver (ks.sys) has a design vulnerability which can result in an arbitrary memory write. This module allows a local unprivileged user to execute arbitrary code with SYSTEM privileges. The steps performed by the exploit are:
1. Opens an audio device with read/write access.
2. Gets the memory address of a kernel object associated with a process, to access its details in kernel space.
3. Allocates memory to create a fake RTL_BITMAP structure in user space, which will allow arbitrary memory read/write operations.
4. Gets the base address of a kernel module (ntoskrnl.exe), necessary for locating functions within kernel space.
5. Computes the address of a gadget in the kernel for use in memory manipulation operations.
6. Writes data to a specific memory address, allowing the system's memory space to be modified.
7. Changes the current process token to gain system privileges.
8. Restores the thread mode to avoid a BSOD.
This module chains two vulnerabilities to deploy an agent on the target system that will run with NT AUTHORITY\SYSTEM user privileges. The first vulnerability is an authentication bypass present in the doLogin function of the com.ca.arcserve.edge.app.base.ui.server.EdgeLoginServiceImpl class. The second vulnerability is an authenticated path traversal file upload present in the doPost method of the com.ca.arcserve.edge.app.base.ui.server.servlet.ImportNodeServlet class. This module uses the first vulnerability to authenticate against the target application with a POST HTTP request to the /management/wizardLogin endpoint, providing a random username and no password parameter. Then, it uses the second vulnerability to upload a JSP file to the Program Files/Arcserve/Unified Data Protection/Management/TOMCAT/webapps/management directory. Finally, it deploys an agent with a GET HTTP request to the uploaded JSP file under the /management endpoint.