Unveiling CVE-2024-44777, CVE-2024-44778, and CVE-2024-44779


How Curiosity and Boredom Can Lead to Discovering Unknown Vulnerabilities

In this discussion, I will focus on vTiger CRM 7.4.0, an older version of the CRM platform that, despite its age, remains an important research target. 

I discovered a Reflected XSS vulnerability in this version, which is especially concerning since there is no public CVE associated with it, so many users are likely unaware of this security risk.

CVE-2024-44777

First Reflected Cross-Site Scripting (XSS) vulnerability confirmed by the vendor.

The first XSS vulnerability I discovered is in the `parent` parameter, which I exploited using a well-known XSS payload designed for injection points within a script section.

Brief Explanation:

Before diving into the first XSS, it's important to understand a quirk of JavaScript. Due to the nature of the language, you can apply arithmetic operators to different data types, including the return value of a function and a string, which makes the snippet "-alert()-" valid code: the function call is evaluated during the subtraction.

While searching for XSS vulnerabilities in vTiger CRM, I noticed that my placeholder was injected into a script block, specifically within a string literal. Because the injected double quotes close that literal, and JavaScript happily subtracts a function call from a string, the "-alert()-" payload successfully executed, taking advantage of this behavior.
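To show the defensive side of this script-context injection, here is an added example (not code from vTiger CRM or from the original post) that contrasts a vulnerable template, which concatenates the raw `parent` value into a JavaScript string literal, with a hardened one that JSON-encodes the value and escapes the characters that could still terminate the surrounding script element. The function names and the rendering shape are assumptions for illustration.

```javascript
// Vulnerable rendering (assumed shape): the raw query parameter is concatenated
// into a JS string literal, so a value containing a double quote closes the
// literal and the rest of the value is parsed as code.
function renderUnsafe(parent) {
  return 'var parent = "' + parent + '";';
}

// Hardened rendering: JSON.stringify escapes quotes and backslashes, and the
// extra replacements keep '<', '>' and the JS line terminators U+2028/U+2029
// from being interpreted by the HTML parser or breaking the literal.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderSafe(parent) {
  return 'var parent = ' + jsStringLiteral(parent) + ';';
}

// Runs the generated script in an isolated function with a stubbed alert so we
// can observe whether the injected call executed and what 'parent' ended up as.
function evaluate(script) {
  let alertCalls = 0;
  const stubAlert = () => { alertCalls += 1; };
  const fn = new Function('alert', script + ' return parent;');
  const parent = fn(stubAlert);
  return { parent, alertCalls };
}

// The page's payload: with the unsafe template it becomes  ""-alert()-""  and
// alert runs; with the safe template 'parent' is just the literal string.
const payload = '"-alert()-"';
const unsafeResult = evaluate(renderUnsafe(payload)); // alertCalls 1, parent NaN
const safeResult = evaluate(renderSafe(payload));     // alertCalls 0, parent unchanged
```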

The payload:

"-alert()-"

The Proof of Concept (PoC): 

https://demo7.vtexperts.com/vtigercrm7demo/index.php?module=Invoice&view=List&app=INVENTORY&parent=%22-alert()-%22

The screen:

CVE-2024-44778

Second Reflected Cross-Site Scripting (XSS) vulnerability confirmed by the vendor.

The second XSS vulnerability I discovered is in the tag parameter, and I find it the most interesting because it required some creativity.

Brief Explanation:

This XSS was particularly unique. The tag parameter in the GET request was passed directly into a JavaScript function call. With some knowledge of JavaScript, I realized I could exploit this by closing the call with the first part of my payload, `);`. I then called the alert() function as a proof of concept (PoC). To ensure the exploit was clean and functional, I used the alt attribute as a "black hole" to absorb the remaining code that followed the injection point, making the attack seamless.

The payload:

);alert();%22+alt=%22

The Proof of Concept (PoC):

https://demo7.vtexperts.com/vtigercrm7demo/index.php?module=Invoice&view=List&app=INVENTORY&tag=);alert();%22+alt=%22

The screen:

CVE-2024-44779

Third Reflected Cross-Site Scripting (XSS) vulnerability confirmed by the vendor.

The third XSS vulnerability I discovered is in the viewname parameter. It serves as a clear demonstration of why relying on blacklists is ineffective: you'll almost always overlook a valid entry.

Brief Explanation:

This XSS highlights the inherent weaknesses of using blacklists as a security measure. While crafting a payload to exploit this vulnerability, I noticed that the most common event handlers were filtered out. However, I discovered that custom or less common event handler names, such as onabc or onxxx, were not stripped, which shows the filter was matching a fixed list of names rather than rejecting any `on*` attribute.

To identify which event handlers bypassed the blacklist, I used Burp Suite Professional's Intruder tool to test all known event handlers. I found that several less common ones were not blocked, allowing me to choose the most convenient one to exploit this XSS.

The payload:

ddd'+onpointerdown=alert()+alt=

The Proof of Concept (PoC):

https://demo7.vtexperts.com/vtigercrm7demo/index.php?module=Accounts&view=List&viewname=95ddd'+onpointerdown=alert()+alt=

The screen:


**This Article is only for Informational/Educational purposes**
