This PR adds a module for a buffer overflow at the administration
interface of WatchGuard Firebox and XTM appliances. The appliances are
built from a cherrypy python backend sending XML-RPC requests to a C
binary called wgagent using pre-authentication endpoint /agent/login.
This vulnerability impacts Fireware OS before 12.7.2_U2, 12.x before
12.1.3_U8, and 12.2.x through 12.5.x before 12.5.9_U2. Successful
exploitation results in remote code execution as user nobody.
This module exploits built-in functionality in OpenNMS Horizon in order
to execute arbitrary commands as the opennms user. For versions 32.0.2
and higher, this module requires valid credentials for a user with
ROLE_FILESYSTEM_EDITOR privileges and either ROLE_ADMIN or ROLE_REST.
For versions 32.0.1 and lower, credentials are required for a user with
ROLE_FILESYSTEM_EDITOR, ROLE_REST, and/or ROLE_ADMIN privileges.
This PR adds support for Debian and number of fixes and improvements for
the runc_cwd_priv_esc. Proir to this fix the module would report
vulnerable for a number of versions that the patch had been back ported
to.
This PR updates the pre-existing apache_ofbiz_deserialization
module to include functionality that will bypass authentication by
using the newly discovered CVE-2023-51467.
Now uses the Rex::Version system to check the user's version of runC.
The old system used to allow runC version 1.1.12 (which is patched).
Now it allows from 1.0.0-rc93->1.1.11 (and I tested that it works as expected).
Support added for Debian as this was tested with both Debian and Ubuntu.
Newer versions of Docker wouldn't delete the built container due to the message format.
I added a new regex to check for the message format which now deletes containers.
Fixed error reporting bug, runC version sanitising
Some runC versions contain the `+` and `~` token. These break
Rex::Version objects. A simple check was added against these symbols
and anything following them is cut off. Another solution may be
to replace these tokens with the `-` symbol to maintain information.
One of the failure cases was unreachable and this was fixed.
Fix runC and docker presence checks
The old runC and docker presence checks wer using `if` instead of `unless`.
executable? also requires a full path to work correctly. Since only the command
names themselves were being passed in, the check was silently failing.
The chosen fix was to instead use the command_exists? function,
which has the added benefit of working on both Windows and Linux.
Noam Rathaus