The 3CX product installs a Windows service called “Abyss Web Server” (abyssws.exe) which listens on default public ports 5000 (tcp/http) and 5001 (tcp/https) for incoming requests to the web panel and runs with NT AUTHORITY\SYSTEM privileges.
Without requiring authentication/authorization it is possible to upload arbitrary scripts into an accessible web path through the VAD_Deploy.aspx script.
Given this, it is possible to run arbitrary code/commands with the privileges of the target server.
Continue reading SSD Advisory – 3CX VoIP Phone System Manager Server Remote Code Execution Vulnerability (with SYSTEM privileges)
A remote authenticated user (student) could place malicious PHP files inside a public web path and execute arbitrary code/commands (note that self-registration will be probably enabled on most implementations).
This is because the insitem() function inside /appLms/modules/scorm/scorm.php which subsequently calls into /addons/pclzip/pclzip.lib.php to extract uploaded zip files.
If the zip file contains a malicious file entry with directory traversal specifiers (like ex. ./../../../../plugins/index.php) the application will not strip them and will cause the file to be written outside the temporary newly created folder.
As attachment, proof of concept code. Configure it. Finally launch from the command line.
Continue reading SSD Advisory – Forma LMS scorm.php Directory Traversal Vulnerability and Remote Code Execution
A vulnerability in the way wget handles redirects allows attackers that are able to hijack a connection initiated by wget or compromise a server from which wget is downloading files from, would allow them to cause the user running wget to execute arbitrary commands. The commands are executed with the privileges with which wget is running. This could prove to be quite severe when wget is launched as ‘root’.
Continue reading SSD Advisory – Wget Arbitrary Commands Execution
UPDATE: I got word that rileykidd has posted his own write-up, if you would like to see another solution go to: http://rileykidd.com/2016/06/09/hack-in-the-box-2016-misc400-writeup-part-1/
The following is a write-up on our Hack in the Box 2016 PHP Challenge that was part of the CTF. The CTF’s goal was to give researchers and security researcher (as CTF was with security orientation) with a challenge that is more than “just” an SQL injection or “just” code execution.
If you would like the CTF challenge files, send us an email to ssdbeyondsecurity.com.
Continue reading HITB 2016 PHP Challenge Write Up