Post Syndicated from The History Guy: History Deserves to Be Remembered original https://www.youtube.com/watch?v=KoxytC6FoiE
Yearly Archives: 2024
SQL Injection Attack on Airport Security
Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2024/09/sql-injection-attack-on-airport-security.html
Interesting vulnerability:
…a special lane at airport security called Known Crewmember (KCM). KCM is a TSA program that allows pilots and flight attendants to bypass security screening, even when flying on domestic personal trips.
The KCM process is fairly simple: the employee uses the dedicated lane and presents their KCM barcode or provides the TSA agent their employee number and airline. Various forms of ID need to be presented while the TSA agent’s laptop verifies the employment status with the airline. If successful, the employee can access the sterile area without any screening at all.
A similar system also exists for cockpit access, called the Cockpit Access Security System (CASS). Most aircraft have at least one jumpseat inside the cockpit sitting behind the flying pilots. When pilots need to commute or travel, it is not always possible for them to occupy a revenue seat, so a jumpseat can be used instead. CASS allows the gate agent of a flight to verify that the jumpseater is an authorized pilot. The gate agent can then inform the crew of the flight that the jumpseater was authenticated by CASS.
[attack details omitted]
At this point, we realized we had discovered a very serious problem. Anyone with basic knowledge of SQL injection could log in to this site and add anyone they wanted to KCM and CASS, allowing themselves to both skip security screening and then access the cockpits of commercial airliners.
We ended up finding several more serious issues but began the disclosure process immediately after finding the first issue.
Comic for 2024.09.02
Post Syndicated from Explosm.net original https://explosm.net/comics/32314
New Cyanide and Happiness Comic
Wool Built London
Post Syndicated from The History Guy: History Deserves to Be Remembered original https://www.youtube.com/watch?v=MAFWP7ZbYSA
Lava Lakes
Post Syndicated from xkcd.com original https://xkcd.com/2980/

STH Weekly Newsletters You Want to Subscribe in Q3 2024
Post Syndicated from Patrick Kennedy original https://www.servethehome.com/sth-weekly-newsletters-you-want-to-subscribe-in-q3-2024/
Subscribe to our newsletters to stay up to date on the latest reviews and coverage from STH and more delivered to your inbox
The post STH Weekly Newsletters You Want to Subscribe in Q3 2024 appeared first on ServeTheHome.
The Loss of HMS Blenheim
Post Syndicated from The History Guy: History Deserves to Be Remembered original https://www.youtube.com/watch?v=imsdk524CuI
Kernel prepatch 6.11-rc6
Post Syndicated from corbet original https://lwn.net/Articles/988184/
Linus has released 6.11-rc6 for testing.
“Things look pretty normal, although we have perhaps unusually many filesystem fixes here, spread out over smb, xfs, bcachefs and netfs.”
Comic for 2024.09.01 – Tomato Comedy
Post Syndicated from Explosm.net original https://explosm.net/comics/tomato-comedy
New Cyanide and Happiness Comic
Belltower
Post Syndicated from Oglaf! -- Comics. Often dirty. original https://www.oglaf.com/belltower/
Yuanley YS25-0801P Switch Review 2.5GbE and PoE
Post Syndicated from Rohit Kumar original https://www.servethehome.com/yuanley-ys25-0801p-switch-review-2-5gbe-and-poe/
The YuanLey YS25-0801P is an 8-port 2.5GbE and 1-port SFP+ 10G switch that offers PoE/PoE+ capabilities at a low cost.
The post Yuanley YS25-0801P Switch Review 2.5GbE and PoE appeared first on ServeTheHome.
A Lot of Concrete
Post Syndicated from The History Guy: History Deserves to Be Remembered original https://www.youtube.com/watch?v=c45d-OLB6SE
2024-08-31 Lecture by Grace Hopper
Post Syndicated from Vasil Kolev original https://vasil.ludost.net/blog/?p=3484
In general, video is one of the slowest and most inconvenient ways for me to take in information (this despite all the time I have spent recording and streaming conferences). So I rarely watch such things, and very often I prefer to read about something instead of sitting and listening.
These days, however, I came across a recording of a lecture by Grace Hopper at the NSA, which was recently declassified (and in which there is nothing particularly secret or classified). For a lecture given 30-40 years ago, the content is quite interesting and on point; many of the problems from back then still exist today, and the story itself and the way it is told are among the best I have seen.
So, I recommend it.
Comic for 2024.08.31 – Monitors
Post Syndicated from Explosm.net original https://explosm.net/comics/monitors
New Cyanide and Happiness Comic
Bose Wave good buy?
Post Syndicated from Techmoan original https://www.youtube.com/watch?v=7hQWYaGEx_E
PT Barnum’s White Elephant
Post Syndicated from The History Guy: History Deserves to Be Remembered original https://www.youtube.com/watch?v=lG5TMoBiV5M
DARPA’s Little Secrets That Changed The World
Post Syndicated from Curious Droid original https://www.youtube.com/watch?v=feDk6oaeVAY
Friday Squid Blogging: Economic Fallout from Falklands Halting Squid Fishing
Home Assistant 2024.9 Release Party
Post Syndicated from Home Assistant original https://www.youtube.com/watch?v=dSbCzRhbOVA
Metasploit Weekly Wrap-Up 08/30/2024
Post Syndicated from Simon Janusz original https://blog.rapid7.com/2024/08/30/metasploit-weekly-wrap-up-08-30-2024/
A New Way to Encode PHP Payloads

A new PHP encoder has been released by a community contributor, jvoisin, allowing a PHP payload to be encoded as an ASCII-Hex string. This can then be decoded on the receiver to prevent issues with unescaped or bad characters.
Ray Vulnerabilities
This release of Metasploit Framework also features 3 new modules targeting ray.io, a framework for distributing AI-related workloads across multiple machines, which makes it an excellent exploitation target. These modules can perform arbitrary file reads, remote code execution, and command injection, making them a great all-round addition to a penetration testing workflow.
The vulnerabilities for which modules are provided are:
New module content (9)
Control iD iDSecure Authentication Bypass (CVE-2023-6329)
Authors: Michael Heinzl and Tenable
Type: Auxiliary
Pull request: #19380 contributed by h4x-x0r
Path: admin/http/idsecure_auth_bypass
AttackerKB reference: CVE-2023-6329
Description: Adds an auxiliary module targeting CVE-2023-6329, an improper access control vulnerability, which allows an unauthenticated user to compute valid credentials and to add a new administrative user to the web interface of Control iD iDSecure <= v4.7.43.0.
Ivanti Virtual Traffic Manager Authentication Bypass (CVE-2024-7593)
Authors: Michael Heinzl, mxalias, and ohnoisploited
Type: Auxiliary
Pull request: #19386 contributed by h4x-x0r
Path: admin/http/ivanti_vtm_admin
AttackerKB reference: CVE-2024-7593
Description: Adds an exploit targeting CVE-2024-7593, which is an improper access control vulnerability in Ivanti Virtual Traffic Manager (vTM). It allows an unauthenticated remote attacker to add a new administrative user to the web interface of the product before 22.7R2.
Ray static arbitrary file read
Authors: Takahiro Yokoyama, byt3bl33d3r, and danmcinerney
Type: Auxiliary
Pull request: #19363 contributed by Takahiro-Yoko
Path: gather/ray_lfi_cve_2023_6020
AttackerKB reference: CVE-2023-6020
Description: The auxiliary module allows reading files on the remote system through a local file inclusion vulnerability.
PHP Hex Encoder
Author: Julien Voisin
Type: Encoder
Pull request: #19420 contributed by jvoisin
Path: php/hex
Description: This adds an ascii-hex encoder for PHP with optional compression.
Ray Agent Job RCE
Authors: Takahiro Yokoyama, byt3bl33d3r, and sierrabearchell
Type: Exploit
Pull request: #19363 contributed by Takahiro-Yoko
Path: linux/http/ray_agent_job_rce
AttackerKB reference: CVE-2023-48022
Description: This exploit module allows for arbitrary code execution on the target.
Ray cpu_profile command injection
Authors: Takahiro Yokoyama, byt3bl33d3r, and sierrabearchell
Type: Exploit
Pull request: #19363 contributed by Takahiro-Yoko
Path: linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019
AttackerKB reference: CVE-2023-6019
Description: This exploit module allows for command injection to be performed on the target.
GiveWP Unauthenticated Donation Process Exploit
Authors: EQSTSeminar, Julien Ahrens, Valentin Lobstein, and Villu Orav
Type: Exploit
Pull request: #19424 contributed by Chocapikk
Path: multi/http/wp_givewp_rce
AttackerKB reference: CVE-2024-5932
Description: Adds a new module exploits/multi/http/wp_givewp_rce which targets CVE-2024-5932 – a critical RCE vulnerability in the WordPress GiveWP plugin (up to version 3.14.1).
pgAdmin Binary Path API RCE
Authors: Ayoub Mokhtar, M.Selim Karahan, and Mustafa Mutlu
Type: Exploit
Pull request: #19422 contributed by igomeow
Path: windows/http/pgadmin_binary_path_api
AttackerKB reference: CVE-2024-3116
Description: Adds a new module targeting all versions of PgAdmin up to 8.4 which leverages a Remote Code Execution (RCE) CVE-2024-3116 flaw through the validate binary path API.
Gather electerm Passwords
Author: Kali-Team
Type: Post
Pull request: #19395 contributed by cn-kali-team
Path: multi/gather/electerm
Description: Adds a post module to gather passwords and saved session information stored in the Electerm program.
Enhanced Modules (2)
Modules which have either been enhanced, or renamed:
- #19393 from jheysel-r7 – Adds a patch bypass for CVE-2024-32113 (the original vulnerability this module exploited). The patch released in 18.12.14 prevents the Path Traversal vulnerability from being exploited; however, it was later disclosed that the vulnerable endpoint was accessible all along, without the need for the Path Traversal. CVE-2024-38856 was therefore issued as an Incorrect Authorization, which was patched in version 18.12.15.
- #19417 from Chocapikk – The new PHP filter chain evaluates a POST parameter, which simplifies the process and reduces the payload size enabling the module to send the entire payload in one POST request instead of writing the payload to a file character by character over many POST requests. Support for both Windows and Linux Meterpreter payloads, not just PHP Meterpreter, has also been added.
Enhancements and features (3)
- #19377 from jvoisin – Not written.
- #19409 from jvoisin – This adds additional fingerprinting checks to the existing post/linux/gather/checkvm module to more accurately identify VMs.
- #19415 from zeroSteiner – Changes the output of the ldap_esc_vulnerable_cert_finder module to be more useful, including display changes favoring useful templates and including an explanation of why a template may be vulnerable.
Bugs fixed (4)
- #19241 from zgoldman-r7 – Replaced the usage of a deprecated Ruby method to fix crashing modules.
- #19376 from jvoisin – This fixes the php/base64 encoder, which was previously generating PHP payloads that failed when run due to the way single quotes were being inserted into the payload.
- #19411 from dledda-r7 – Fixes a crash in Metasploit’s RPC layer when calling module.results when a nil module result was present.
- #19421 from zeroSteiner – This updates the windows/fileformat/adobe_pdf_embedded_exe exploit to declare that it is compatible with both ARCH_X86 and ARCH_X64 payloads, since it just generates an EXE.
Documentation
You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.