Unveiling CVE-2024-44777, CVE-2024-44778, and CVE-2024-44779
How Curiosity and Boredom Can Lead to Discovering Unknown Vulnerabilities
In this discussion, I will focus on vTiger CRM 7.4.0, an older version of the CRM platform that, despite its age, remains an important research target.
I discovered a Reflected XSS vulnerability in this version, which is especially concerning since there is no public CVE associated with it, so many users are likely unaware of this security risk.
CVE-2024-44777
First Reflected Cross-Site Scripting (XSS) vulnerability confirmed by the vendor;
The first XSS vulnerability I discovered is in the `parent` parameter, which I exploited using a well-known XSS payload designed for injection points within a script section.
Brief Explanation:
Before diving into the first XSS, it's important to understand a quirk of JavaScript. Due to the nature of the language, you can concatenate different data types, including functions with strings, which makes the snippet `"-alert()-"` valid code.
While searching for XSS vulnerabilities in vTiger CRM, I noticed that my placeholder was injected into a script block, specifically within a string. Because of JavaScript's flexibility in concatenating functions with strings, the `"-alert()-"` payload successfully executed, taking advantage of this behavior.
The payload:
"-alert()-"
The Proof of Concept (PoC):
https://demo7.vtexperts.com/vtigercrm7demo/index.php?module=Invoice&view=List&app=INVENTORY&parent=%22-alert()-%22
The screen:
CVE-2024-44778
Second Reflected Cross-Site Scripting (XSS) vulnerability confirmed by the vendor;
The second XSS vulnerability I discovered is in the `tag` parameter, and I find it the most interesting because it required some creativity.
Brief Explanation:
The `tag` parameter in the GET request was passed directly to a JavaScript function. With some knowledge of JavaScript, I realized I could exploit this by closing the function call with the first part of my payload, `);`. I then called the `alert()` function as a proof of concept (PoC). To ensure the exploit was clean and functional, I used the `alt` attribute as a "black hole" to absorb any remaining code, making the attack seamless.
The payload:
);alert();%22+alt=%22
The Proof of Concept (PoC):
The screen:
CVE-2024-44779
Third Reflected Cross-Site Scripting (XSS) vulnerability confirmed by the vendor;
The third XSS vulnerability I discovered is in the `viewname` parameter. It serves as a clear demonstration of why relying on blacklists is ineffective: you'll almost always overlook a valid entry.
Brief Explanation:
This XSS highlights the inherent weaknesses of using blacklists as a security measure. While crafting a payload to exploit this vulnerability, I noticed that the most common event handlers were filtered out. However, I discovered that custom or less common event handlers, such as `onabc` or `onxxx`, were not stripped.
To identify which event handlers bypassed the blacklist, I used Burp Suite Professional's Intruder tool to test all known event handlers. I found that several less common ones were not blocked, allowing me to choose the most convenient one to exploit this XSS.
The payload:
ddd'+onpointerdown=alert()+alt=
The Proof of Concept (PoC):
The screen:
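An added example, not code from this post or from vTiger CRM: a blacklist of common event handlers (the approach the third finding shows failing) beside context-aware output encoding, applied to the three payloads above. The injection contexts (a JavaScript string literal, a JavaScript call inside an HTML attribute, and a plain HTML attribute) are assumptions inferred from the shape of each payload.

```javascript
// Constructed payloads matching the three described in the post.
const PAYLOADS = {
  parent: '"-alert()-"',                       // assumed: inside a JS string literal
  tag: ');alert();" alt="',                    // assumed: JS call inside an attribute
  viewname: "ddd'+onpointerdown=alert()+alt=", // assumed: inside an HTML attribute
};

// A blacklist of well-known event handlers: rare ones like onpointerdown pass.
const COMMON_HANDLERS = /\bon(click|load|error|mouseover|focus|keydown)\s*=/gi;
function blacklistFilter(value) {
  return value.replace(COMMON_HANDLERS, "");
}

// HTML attribute context: every metacharacter becomes a numeric entity, so the
// value can neither close the attribute nor start a new one.
function encodeHtmlAttr(value) {
  return value.replace(/[&<>"'`=]/g, (c) => `&#${c.charCodeAt(0)};`);
}

// JavaScript string-literal context: every non-alphanumeric becomes \xHH, so the
// value cannot end the string, add operators, or inject </script>.
function encodeJsString(value) {
  return value.replace(/[^A-Za-z0-9]/g, (c) =>
    "\\x" + c.charCodeAt(0).toString(16).padStart(2, "0"));
}

// A value is inert in a context when it contains nothing that terminates it.
const BREAKERS = { js: /["'<\n\r]/, attr: /["'<>]/ };
function canBreakOut(value, context) {
  return BREAKERS[context].test(value);
}

// The blacklist leaves both the rare handler and the quote intact.
function blacklistResult() {
  const v = blacklistFilter(PAYLOADS.viewname);
  return { keepsHandler: /onpointerdown=/.test(v), breaksAttr: canBreakOut(v, "attr") };
}

// With encoding chosen per context, none of the three values can leave it.
function encodedResult() {
  return {
    parent: canBreakOut(encodeJsString(PAYLOADS.parent), "js"),
    // JS inside an attribute: JS-encode first, then attribute-encode the result.
    tag: canBreakOut(encodeHtmlAttr(encodeJsString(PAYLOADS.tag)), "attr"),
    viewname: canBreakOut(encodeHtmlAttr(PAYLOADS.viewname), "attr"),
  };
}
```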
**This Article is only for Informational/Educational purposes**