An issue was discovered in TSplus Remote Access through 16.0.2.14. There are Full Control permissions for Everyone on some directories under %PROGRAMFILES(X86)%\TSplus\UserDesktop\themes.

    # Exploit Title: TSplus 16.0.0.0 - Remote Work Insecure Files and Folders Permissions
    # Date: 2023-08-09
    # Exploit Author: Carlo Di Dato for Deloitte Risk Advisory Italia
    # Vendor Homepage: https://tsplus.net/
    # Version: Up to 16.0.0.0
    # Tested on: Windows
    # CVE : CVE-2023-31068
    
    With TSPlus Remote Work (v. 16.0.0.0) you can create a secure single 
    sign-on web portal and remote desktop gateway that enables users to 
    remotely access the console session of their office PC.
    The solution comes with an embedded web server to allow remote users to 
    easely connect remotely.
    However, insecure file and folder permissions are set, and this could 
    allow a malicious user to manipulate file content (e.g.: changing the 
    code of html pages or js scripts) or change legitimate files (e.g. 
    Setup-RemoteWork-Client.exe) in order to compromise a system or to gain 
    elevated privileges.
    
    This is the list of insecure files and folders with their respective 
    permissions:
    
    Permission: Everyone:(OI)(CI)(F)
    
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\cgi-bin
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\download
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\downloads
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\prints
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\var
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\cgi-bin\remoteapp
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\downloads\shared
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\js
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5\imgs
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\html5\jwres
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\html5\locales
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5\own
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\html5\imgs\des
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\html5\imgs\key
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\html5\imgs\topmenu
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\html5\imgs\key\parts
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\img
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\third
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\java\img\cp
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\java\img\srv
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\java\third\images
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\java\third\js
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\java\third\images\bramus
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\java\third\js\prototype
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\var\log
    
    -------------------------------------------------------------------------------------------
    
    Permission: Everyone:(F)
    
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\robots.txt
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\cgi-bin\hb.exe.config
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\cgi-bin\SessionPrelaunch.Common.dll.config
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\cgi-bin\remoteapp\index.html
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\download\common.js
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\download\lang.js
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\download\Setup-RemoteWork-Client.exe
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\html5\jwres\jwwebsockify.jar
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\html5\jwres\web.jar
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\html5\own\exitlist.html
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\html5\own\exitupload.html
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\java\index.html
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\java\img\index.html
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\java\img\port.bin
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\java\third\jws.js
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\java\third\sha256.js
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\java\third\js\prototype\prototype.js
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\js\jquery.min.js

CVE-2023-31068: OffSec’s Exploit Database Archive

Varient News Magazine Script version 1.3.0 suffers from an ignored default credential vulnerability.

    ======================================================================================================================================| # Title     : Varient News Magazine Script V1.3.0 Insecure Settings Vulnerability                                                  || # Author    : indoushka                                                                                                            || # Tested on : windows 10 Français V.(Pro)                                                                                          || # Vendor    : https://varient.codingest.com/                                                                                       |  | # Dork      : "Varient - News Magazine - Varient"                                                                                  |======================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine .[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] Use Admin : admin@gmail.com & Pass : 1234[+] http://127.0.0.1/wwwmafrxyz/adminGreetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

Varient News Magazine Script 1.3.0 Insecure Settings

IWT Imagine CMS version 1.0 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : IWT Imagineِ CMS v1.0 XSS Vulnerability                                                                             || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(32-bit)                                             | | # Vendor    : http://imaginewebtech.com                                                                                          |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : /photo-gallery.html?id=1'<marquee><font color=lime size=32>Hacked by indoushka</font></marquee>[+] https://127.0.0.1wwsanklechain/photo-gallery.html?id=1%27%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20indoushka%3C/font%3E%3C/marquee%3EGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

IWT Imagine CMS 1.0 Cross Site Scripting

An issue was discovered in MmMapIoSpace routine in Foxconn Live Update Utility 2.1.6.26, allows local attackers to escalate privileges.

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

CVE-2020-24088: GitHub - rjt-gupta/CVE-2020-24088: Windows Privilege Escalation: Foxconn Live Update Utility v2.1.6.26

Adobe Acrobat Reader versions 2019.021.20056 and earlier are affected by a Stack-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Security update available for Adobe Acrobat and Reader | APSB19-55

**Bulletin ID**

**Date Published**

**Priority**

APSB19-55

December 10, 2019

2

Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address critical and  important vulnerabilities.  Successful exploitation could lead to arbitrary code execution in the context of the current user.    

Adobe recommends users update their software installations to the latest versions by following the instructions below.    

The latest product versions are available to end users via one of the following methods:    

*   Users can update their product installations manually by choosing Help > Check for Updates.     
    
*   The products will update automatically, without requiring user intervention, when updates are detected.      
    
*   The full Acrobat Reader installer can be downloaded from the Acrobat Reader Download Center.     
    

For IT administrators (managed environments):     

*   Download the enterprise installers from ftp://ftp.adobe.com/pub/adobe/, or refer to the specific release note version for links to installers.     
    
*   Install updates via your preferred methodology, such as AIP-GPO, bootstrapper, SCUP/SCCM (Windows), or on macOS, Apple Remote Desktop and SSH.     
    

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:    

**Vulnerability Category**

**Vulnerability Impact**

**Severity**

**CVE Number**

Out-of-Bounds Read  

Information Disclosure  

Important   

CVE-2019-16449  

CVE-2019-16456

CVE-2019-16457

CVE-2019-16458

CVE-2019-16461

CVE-2019-16465

Out-of-Bounds Write 

Arbitrary Code Execution   

Critical

CVE-2019-16450

CVE-2019-16454

Use After Free   

Arbitrary Code Execution     

Critical

CVE-2019-16445

CVE-2019-16448

CVE-2019-16452

CVE-2019-16459

CVE-2019-16464

CVE-2019-16471  

Heap Overflow 

Arbitrary Code Execution     

Critical

CVE-2019-16451

Buffer Error

Arbitrary Code Execution     

Critical

CVE-2019-16462

CVE-2019-16470  

Untrusted Pointer Dereference

Arbitrary Code Execution 

Critical

CVE-2019-16446

CVE-2019-16455

CVE-2019-16460

CVE-2019-16463

Binary Planting (default folder privilege escalation) 

Privilege Escalation

Important 

CVE-2019-16444

Security Bypass

Arbitrary Code Execution

Critical

CVE-2019-16453

Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers:    

*   Mateusz Jurczyk of Google Project Zero & Anonymous working with Trend Micro Zero Day Initiative (CVE-2019-16451)
*   Honc (章哲瑜) (CVE-2019-16444) 
*   Ke Liu of Tencent Security Xuanwu Lab. (CVE-2019-16445, CVE-2019-16449, CVE-2019-16450, CVE-2019-16454, CVE-2019-16471)
*   Sung Ta (@Mipu94) of SEFCOM Lab, Arizona State University (CVE-2019-16446, CVE-2019-16448) 
*   Aleksandar Nikolic of Cisco Talos (CVE-2019-16463)
*   Technical support team of HTBLA Leonding (CVE-2019-16453) 
*   Haikuo Xie of Baidu Security Lab (CVE-2019-16461)
*   Bit of STAR Labs (CVE-2019-16452) 
*   Xinyu Wan and Yiwei Zhang from Renmin University of China (CVE-2019-16455, CVE-2019-16460, CVE-2019-16462)
*   Bo Qu of Palo Alto Networks and Heige of Knownsec 404 Security Team (CVE-2019-16456) 
*   Zhibin Zhang of Palo Alto Networks (CVE-2019-16457)
*   Qi Deng, Ken Hsu of Palo Alto Networks (CVE-2019-16458) 
*   Lexuan Sun, Hao Cai of Palo Alto Networks (CVE-2019-16459)
*   Yue Guan, Haozhe Zhang of Palo Alto Networks (CVE-2019-16464) 
*   Hui Gao of Palo Alto networks (CVE-2019-16465)
*   Zhibin Zhang, Yue Guan of Palo Alto Networks (CVE-2019-16465)
*   Zhangqing and Zhiyuan Wang from cdsrc of Qihoo 360 (CVE-2019-16470)

March 26, 2020: Added acknowledgement for CVE-2019-16471, CVE-2019-16470

.

CVE-2019-16470: Adobe Security Bulletin

Adobe InDesign versions 17.1 (and earlier) and 16.4.1 (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Security Update Available for Adobe InDesign | APSB22-23

**Bulletin ID**

**Date Published**

**Priority**

APSB22-23  

May 10, 2022   

3

**Summary**

Adobe has released a security update for Adobe InDesign.  This update addresses critical vulnerabilities. Successful exploitation could lead to arbitrary code execution.  

**Affected versions**

17.1 and earlier versions  

16.4.1 and earlier versions  

**Solution**

Adobe categorizes these updates with the following priority rating and recommends users update their software installations via the Creative Cloud desktop app updater, or by navigating to the InDesign Help menu and clicking "Updates." For more information, please reference this help page.

**Product**

**Updated version**

**Platform**

**Priority rating**

Adobe InDesign

17.2  

Windows and macOS

3

Adobe InDesign

16.4.2  

Windows and macOS

3

For managed environments, IT administrators can use the Creative Cloud Packager to create deployment packages. Refer to this help page for more information.

**Vulnerability Details**

**Vulnerability Category**

**Vulnerability Impact**

**Severity**

**CVSS base score**    

**CVSS vector**   

**CVE Number**

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-28831  

Out-of-bounds Read (CWE-125)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-28832  

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-28833  

**Acknowledgments**

Adobe would like to thank the following researcher for reporting this issue and for working with Adobe to help protect our customers:   

*   Mat Powell of Trend Micro Zero Day Initiative (CVE-2022-28831; CVE-2022-28832; CVE-2022-28833)

CVE-2022-28831: Adobe Security Bulletin

Adobe InCopy versions 17.1 (and earlier) and 16.4.1 (and earlier)  are affected by an Use-After-Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Security Update Available for Adobe InCopy | APSB22-28

**Bulletin ID**

**Date Published**

**Priority**

APSB22-28

May 10, 2022

3

**Summary**

Adobe has released a security update for Adobe InCopy.  This update addresses  critical vulnerabilities. Successful exploitation could lead to arbitrary code execution.                      

**Affected versions**

16.4.1 and earlier version  

**Solution**

Adobe categorizes these updates with the following priority rating and recommends users update their software installations via the Creative Cloud desktop app updater, or by navigating to the InCopy Help menu and clicking "Updates." For more information, please reference this help page.

**Product**

**Updated version**

**Platform**

**Priority rating**

Adobe InCopy   

17.2  

Windows  and macOS    

3

Adobe InCopy   

16.4.2  

Windows  and macOS    

3

For managed environments, IT administrators can use the Creative Cloud Packager to create deployment packages. Refer to this help page for more information.

**Vulnerability Details**

**Vulnerability Category**

**Vulnerability Impact**

**Severity**

**CVSS base score**    

**CVSS vector**   

**CVE Number**

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical 

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-28834  

Use After Free (CWE-416)  

Arbitrary code execution  

Critical 

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-28835  

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-28836  

**Acknowledgments**

Adobe would like to thank the following researchers for reporting this issue and for working with Adobe to help protect our customers.  

*   Mat Powell of Trend Micro Zero Day Initiative (CVE-2022-28834; CVE-2022-28835; CVE-2022-28836)

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_

For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.

CVE-2022-28835: Adobe Security Bulletin

Anaconda 3 2023.03-1-Linux allows local users to disrupt TLS certificate validation by modifying the cacert.pem file used by the installed pip program. This occurs because many files are installed as world-writable on Linux, ignoring umask, even when these files are installed as root. Miniconda is also affected.

**Background**

Well over a year ago I installed Anaconda3 on my laptop for some work.  When the installation completed I noticed that numerous files had been installed world-writable.  This is less then ideal obviously but it was my laptop so I fixed the issue and moved on.  Fast-forward to September 2022 and I'm left cleaning up these issues after every upgrade or install at a customer site.  This is where I become annoyed that this issue still hasn't been resolved so I figured I better report it.

After an unacceptably long delay to try to get resolution of this issue I am publishing the details.

**Technical Details  
**

Installing any version of the Anaconda or Miniconda on Linux results in numerous world-writable files.  For example, below I took the latest version from the website and performed the batch (no prompt) install to $HOME/anaconda3:  

\[jeremy@test1 ~\]$ **bash Anaconda3-2023.03-1-Linux-x86\_64.sh -b -p $HOME/anaconda3**  
PREFIX=/home/jeremy/anaconda3  
Unpacking payload ...

Installing base environment...

Downloading and Extracting Packages

Downloading and Extracting Packages

Preparing transaction: done  
Executing transaction: |

    Installed package of scikit-learn can be accelerated using scikit-learn-intelex.  
    More details are available here: https://intel.github.io/scikit-learn-intelex

    For example:

        $ conda install scikit-learn-intelex  
        $ python -m sklearnex my\_application.py

done  
installation finished.

With the installation finished I ran a quick check of the permissions for files and directories with the other writable bit set.  As you can see from the two commands below they are all files.   Previously I have found directories as well.  

\[jeremy@test1 ~\]$ **find /home/jeremy/anaconda3 -perm /0002 \$ -type f -o -type d \$ | wc**  
    606     606   58235  
\[jeremy@test1 ~\]$ **find /home/jeremy/anaconda3 -perm /0002 -type f | wc**  
    606     606   58235 

To see what those files look like permission wise you can run a find command filtering for files that are world-writable with the "-perm /0002" option:  

\[jeremy@test1 ~\]$ **find /home/jeremy/anaconda3 -perm /0002 -type f -ls**  
  3773199     92 -rwxrwxrwx   2  jeremy   jeremy      91648 Nov  5  2022 /home/jeremy/anaconda3/lib/python3.10/site-packages/pip/\_vendor/distlib/w32.exe  
  3773231    108 -rwxrwxrwx   2  jeremy   jeremy     108032 Nov  5  2022 /home/jeremy/anaconda3/lib/python3.10/site-packages/pip/\_vendor/distlib/t64.exe  
  3773242    168 -rwxrwxrwx   2  jeremy   jeremy     168448 Nov  5  2022 /home/jeremy/anaconda3/lib/python3.10/site-packages/pip/\_vendor/distlib/w64-arm.exe  
  3773208     96 -rwxrwxrwx   2  jeremy   jeremy      97792 Nov  5  2022 /home/jeremy/anaconda3/lib/python3.10/site-packages/pip/\_vendor/distlib/t32.exe  
  3773215    100 -rwxrwxrwx   2  jeremy   jeremy     101888 Nov  5  2022 /home/jeremy/anaconda3/lib/python3.10/site-packages/pip/\_vendor/distlib/w64.exe  
  3773253    180 -rwxrwxrwx   2  jeremy   jeremy     182784 Nov  5  2022 /home/jeremy/anaconda3/lib/python3.10/site-packages/pip/\_vendor/distlib/t64-arm.exe  
  3773149      4 -rw-rw-rw-   2  jeremy   jeremy        469 Nov  5  2022 /home/jeremy/anaconda3/lib/python3.10/site-packages/pip/\_vendor/vendor.txt  
  3773176    280 -rw-rw-rw-   2  jeremy   jeremy     286370 Nov  5  2022 /home/jeremy/anaconda3/lib/python3.10/site-packages/pip/\_vendor/certifi/cacert.pem  
  3773161      4 -rw-rw-rw-   2  jeremy   jeremy        286 Nov  5  2022 /home/jeremy/anaconda3/lib/python3.10/site-packages/pip/py.typed  
  3773169      4 -rw-rw-rw-   2  jeremy   jeremy       4072 Dec  9  2022 /home/jeremy/anaconda3/lib/python3.10/site-packages/pip-22.3.1-py3.10.egg-info/PKG-INFO  
...  
  3713940      4 -rwxrwxrwx   1  jeremy   jeremy        740 Aug 31  2020 /home/jeremy/anaconda3/pkgs/libllvm10-10.0.1-hbcb73fb\_5/info/recipe/parent/install\_llvm.bat  
  3714015      4 -rwxrwxrwx   1  jeremy   jeremy       1387 Aug 31  2020 /home/jeremy/anaconda3/pkgs/libllvm10-10.0.1-hbcb73fb\_5/info/recipe/parent/install\_llvm.sh  
  3713958      4 -rwxrwxrwx   1  jeremy   jeremy        726 Sep  4  2020 /home/jeremy/anaconda3/pkgs/libllvm10-10.0.1-hbcb73fb\_5/info/recipe/parent/xcode-select  
  3714009      4 -rwxrwxrwx   1  jeremy   jeremy       1387 Aug 31  2020 /home/jeremy/anaconda3/pkgs/libllvm10-10.0.1-hbcb73fb\_5/info/recipe/install\_llvm.sh  
  3657118      4 -rwxrwxrwx   1  jeremy   jeremy       3364 Jan  5  2021 /home/jeremy/anaconda3/pkgs/jupyterlab\_widgets-1.0.0-pyhd3eb1b0\_1/info/recipe/recipe\_log.txt  
  3657112      4 -rwxrwxrwx   1  jeremy   jeremy        828 Jan  5  2021 /home/jeremy/anaconda3/pkgs/jupyterlab\_widgets-1.0.0-pyhd3eb1b0\_1/info/recipe/meta.yaml.template  
  3279942      4 -rwxrwxrwx   1  jeremy   jeremy       1923 Jun 13  2019 /home/jeremy/anaconda3/pkgs/backports.weakref-1.0.post1-py\_1/info/recipe/recipe\_log.txt  
  3279943      4 -rwxrwxrwx   1  jeremy   jeremy       1091 Jun 12  2019 /home/jeremy/anaconda3/pkgs/backports.weakref-1.0.post1-py\_1/info/recipe/meta.yaml.template  
  3709519      8 -rwxrwxrwx   1  jeremy   jeremy       4402 May  4  2020 /home/jeremy/anaconda3/pkgs/atomicwrites-1.4.0-py\_0/info/recipe/recipe\_log.txt  
  3709528      4 -rwxrwxrwx   1  jeremy   jeremy        774 May  4  2020 /home/jeremy/anaconda3/pkgs/atomicwrites-1.4.0-py\_0/info/recipe/meta.yaml.template 

I'm not sure how frequently if ever these files are used but one file stuck out to me when I reviewed the list.  The cacert.pem file used by the python certify module under their pip installation.  Since certify provides the trusted root certificate authorities, any manipulation of these could allow untrusted content to pass through SSL connections via Man-in-the-middle attack.  You can see below there are two files found but since they are the same inode number we know they are actually a hardlink:  

\[jeremy@test1 ~\]$ find /home/jeremy/anaconda3 -type f -perm /0002 -name cacert.pem -ls  
  1986492    280 -rw-rw-rw-   2  jeremy   jeremy     286370 Nov  5  2022 /home/jeremy/anaconda3/lib/python3.10/site-packages/pip/\_vendor/certifi/cacert.pem  
  1986492    280 -rw-rw-rw-   2  jeremy   jeremy     286370 Nov  5  2022 /home/jeremy/anaconda3/pkgs/pip-22.3.1-py310h06a4308\_0/lib/python3.10/site-packages/pip/\_vendor/certifi/cacert.pem  

For illustrations purposes here I created and used a different account (test) to truncate the cacert.pem files and show they have been truncated to 0 bytes.  

  
\[test@test1 ~\]$ **find /home/jeremy/anaconda3/ -type f -perm /0002 -name cacert.pem -ls**  
  1986492    280 -rw-rw-rw-   2  jeremy   jeremy     286370 Nov  5  2022 /home/jeremy/anaconda3/lib/python3.10/site-packages/pip/\_vendor/certifi/cacert.pem  
  1986492    280 -rw-rw-rw-   2  jeremy   jeremy     286370 Nov  5  2022 /home/jeremy/anaconda3/pkgs/pip-22.3.1-py310h06a4308\_0/lib/python3.10/site-packages/pip/\_vendor/certifi/cacert.pem  
\[test@test1 ~\]$ **truncate --size=0 /home/jeremy/anaconda3/lib/python3.10/site-packages/pip/\_vendor/certifi/cacert.pem**  
\[test@test1 ~\]$ **find /home/jeremy/anaconda3/ -type f -perm /0002 -name cacert.pem -ls**  
  1986492      0 -rw-rw-rw-   2  jeremy   jeremy          0 Jun  5 17:28 /home/jeremy/anaconda3/lib/python3.10/site-packages/pip/\_vendor/certifi/cacert.pem  
  1986492      0 -rw-rw-rw-   2  jeremy   jeremy          0 Jun  5 17:28 /home/jeremy/anaconda3/pkgs/pip-22.3.1-py310h06a4308\_0/lib/python3.10/site-packages/pip/\_vendor/certifi/cacert.pem

Moving back to my normal user,  if these files are used by the Anaconda3 packaged version of pip this should result in SSL error:

  
\[jeremy@test1 ~\]$ **/home/jeremy/anaconda3/bin/pip install tensorflow==**  
WARNING: Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(136, '\[X509: NO\_CERTIFICATE\_OR\_CRL\_FOUND\] no certificate or crl found (\_ssl.c:4123)'))': /simple/tensorflow/  
WARNING: Retrying (Retry(total=3, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(136, '\[X509: NO\_CERTIFICATE\_OR\_CRL\_FOUND\] no certificate or crl found (\_ssl.c:4123)'))': /simple/tensorflow/  
WARNING: Retrying (Retry(total=2, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(136, '\[X509: NO\_CERTIFICATE\_OR\_CRL\_FOUND\] no certificate or crl found (\_ssl.c:4123)'))': /simple/tensorflow/  
WARNING: Retrying (Retry(total=1, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(136, '\[X509: NO\_CERTIFICATE\_OR\_CRL\_FOUND\] no certificate or crl found (\_ssl.c:4123)'))': /simple/tensorflow/  
WARNING: Retrying (Retry(total=0, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(136, '\[X509: NO\_CERTIFICATE\_OR\_CRL\_FOUND\] no certificate or crl found (\_ssl.c:4123)'))': /simple/tensorflow/  
Could not fetch URL https://pypi.org/simple/tensorflow/: There was a problem confirming the ssl certificate: HTTPSConnectionPool(host='pypi.org', port=443): Max retries exceeded with url: /simple/tensorflow/ (Caused by SSLError(SSLError(136, '\[X509: NO\_CERTIFICATE\_OR\_CRL\_FOUND\] no certificate or crl found (\_ssl.c:4123)'))) - skipping  
ERROR: Could not find a version that satisfies the requirement tensorflow== (from versions: none)  
ERROR: No matching distribution found for tensorflow==

As you can see we do in fact get an error that no valid cert is found.  This is due to the truncated root CA certs file.  Clearly there are significant risks besides a Denial of Service (DoS) from Anaconda's creation of these world-writable files. 

**Disclosure Timeline:**

*   Sep 22, 2022 - Reported world-writable vulnerability including list of files  
    
*   Sep 22, 2022 - Confirmation from Anaconda
*   Sep 23, 2022 - Provided an easy way to reproduce to Anaconda
*   Sep 23, 2022 - Anaconda confirms reproducer and says "We are working on a fix for this issue and will notify you. once a fix is available"
*   Nov 16, 2022 - I request status update
*   Nov 16, 2022 - Anaconda responds "Our security team is taking a look at this issue this week and we can give you a better time frame estimation once this has been completed. "
*   Nov 23, 2022 - Anaconda updates "Our security group has reviewed this issue, and are prioritizing it for a future sprint cycle"
*   Jan 31, 2023 - With no response from Anaconda I test and the issue still exists.  At this point I research if a CVE is filed and find similar (though not the sames) issues in Windows reported as: CVE\-2022-26526.
*   Feb 20, 2023 - Anaconda responds that CVE\-2022-26526 is fixed but the issue I reported "is unfortunately not a straightforward fix".
*   Feb 28, 2023 - I respond that any proper fix should take into account the user's umask during installation.
*   Feb 28, 2023 - Anaconda acknowledges my umask email
*   Jun 1, 2023 - I inquire again for the status of a fix
*   Jun 1, 2023 - Anaconda erroneously believes "fixes for this implemented in Anaconda 2022.05 and Miniconda3 4.12.0 and beyond"
*   Jun 2, 2023 - I verify Linux is still vulnerable and email them to let them know
*   Jun 2, 2023 - I finally file for a CVE with MITRE as the CNA-LR
*   Jun 18, 2023 - MITRE rerves CVE\-2023-35845 for this issue
*   Jun 22, 2023 - I provide one more email to Anaconda notifying them of the impending CVE and receive no response as of this writing on Jun 27.  
    

**Solutions**

Given this information it's clear that there are risks and possibly significant risks besides a Denial of Service (DoS) from Anaconda's creation of these world-writable files.  Luckily if you already  upgraded the pip packaged with Anaconda it appears to fix this world-writable cacert.pem file limiting the one illustrated path to exploitation here:  

\[jeremy@test1 ~\]$ **$HOME/anaconda3/bin/pip install --upgrade pip**  
Requirement already satisfied: pip in ./anaconda3/lib/python3.10/site-packages (22.3.1)  
Collecting pip  
  Using cached pip-23.1.2-py3-none-any.whl (2.1 MB)  
Installing collected packages: pip  
  Attempting uninstall: pip  
    Found existing installation: pip 22.3.1  
    Uninstalling pip-22.3.1:  
      Successfully uninstalled pip-22.3.1  
Successfully installed pip-23.1.2  

You can see there does exist one of the cacert.pem file but this is not the one used by the Anaconda3 pip (a utility detailed below confirmed that for me):

\[jeremy@test1 ~\]$ **find $HOME/anaconda3 -type f -perm /0002 -name cacert.pem -ls**  
  3773176    280 -rw-rw-rw-   1  jeremy   jeremy     286370 Nov  5  2022 /home/jeremy/anaconda3/pkgs/pip-22.3.1-py310h06a4308\_0/lib/python3.10/site-packages/pip/\_vendor/certifi/cacert.pem 

Regardless of the pip solution the best strategy for now appears to be to strip all "other" write permissions from your Anaconda3 installation directory any time you install or update software:

\[jeremy@test1 ~\]$ **find $HOME/anaconda3 -type f -perm /0002 -exec chmod o-w {} \\;**  
  

**Detection of Similar Problems  
**

Finally, if your interested in a utility to capture information about what opens, executes, or changes permissions to create world-writable I've create an eBPF program to help identify that and stored in my github repo here:

https://github.com/jfilizetti/ebpf-security-tools

Here is an example capture of the cacert.pem described above:

\[root@test1 jeremy\]# **./world\_writable\_monitor.py -f regular,directory | grep** cacert.pem  
chmod      666     1000:1000    93877     conda.exe             0                                    -100       /home/jeremy/anaconda3/pkgs/pip-22.3.1-py310h06a4308\_0/lib/python3.10/site-packages/pip/\_vendor/certifi/cacert.pem  
open       666     1000:1000    93910     pip                   0                                    -100       /home/jeremy/anaconda3/lib/python3.10/site-packages/pip/\_vendor/certifi/cacert.pem

CVE-2023-35845: CVE-2023-35845:  Anaconda3 creates numerous world-writable files on install

When receiving rendering data over IPC `mStream` could have been destroyed when initialized, which could have led to a use-after-free causing a potentially exploitable crash. This vulnerability affects Firefox < 117, Firefox ESR < 102.15, Firefox ESR < 115.2, and Thunderbird < 115.2.

**Mozilla Foundation Security Advisory 2023-34**

Announced

August 29, 2023

Impact

high

Products

Firefox

Fixed in

*   Firefox 117

**#CVE-2023-4573: Memory corruption in IPC CanvasTranslator**

Reporter

sonakkbi

Impact

high

**Description**

When receiving rendering data over IPC mStream could have been destroyed when initialized, which could have led to a use-after-free causing a potentially exploitable crash.

**References**

*   Bug 1846687

**#CVE-2023-4574: Memory corruption in IPC ColorPickerShownCallback**

Reporter

sonakkbi

Impact

high

**Description**

When creating a callback over IPC for showing the Color Picker window, multiple of the same callbacks could have been created at a time and eventually all simultaneously destroyed as soon as one of the callbacks finished. This could have led to a use-after-free causing a potentially exploitable crash.

**References**

*   Bug 1846688

**#CVE-2023-4575: Memory corruption in IPC FilePickerShownCallback**

Reporter

sonakkbi

Impact

high

**Description**

When creating a callback over IPC for showing the File Picker window, multiple of the same callbacks could have been created at a time and eventually all simultaneously destroyed as soon as one of the callbacks finished. This could have led to a use-after-free causing a potentially exploitable crash.

**References**

*   Bug 1846689

**#CVE-2023-4576: Integer Overflow in RecordedSourceSurfaceCreation**

Reporter

fffvr

Impact

high

**Description**

On Windows, an integer overflow could occur in RecordedSourceSurfaceCreation which resulted in a heap buffer overflow potentially leaking sensitive data that could have led to a sandbox escape.  
_This bug only affects Firefox on Windows. Other operating systems are unaffected._

**References**

*   Bug 1846694

**#CVE-2023-4577: Memory corruption in JIT UpdateRegExpStatics**

Reporter

Lukas Bernhard

Impact

high

**Description**

When UpdateRegExpStatics attempted to access initialStringHeap it could already have been garbage collected prior to entering the function, which could potentially have led to an exploitable crash.

**References**

*   Bug 1847397

**#CVE-2023-4578: Error reporting methods in SpiderMonkey could have triggered an Out of Memory Exception**

Reporter

Irvan Kurniawan (@sourc7)

Impact

moderate

**Description**

When calling JS::CheckRegExpSyntax a Syntax Error could have been set which would end in calling convertToRuntimeErrorAndClear. A path in the function could attempt to allocate memory when none is available which would have caused a newly created Out of Memory exception to be mishandled as a Syntax Error.

**References**

*   Bug 1839007

**#CVE-2023-4579: Persisted search terms were formatted as URLs**

Reporter

Malte Jürgens

Impact

moderate

**Description**

Search queries in the default search engine could appear to have been the currently navigated URL if the search query itself was a well formed URL. This could have led to a site spoofing another if it had been maliciously set as the default search engine.

**References**

*   Bug 1842766

**#CVE-2023-4580: Push notifications saved to disk unencrypted**

Reporter

Harveer Singh

Impact

moderate

**Description**

Push notifications stored on disk in private browsing mode were not being encrypted potentially allowing the leak of sensitive information.

**References**

*   Bug 1843046

**#CVE-2023-4581: XLL file extensions were downloadable without warnings**

Reporter

Umar Farooq (@Puf)

Impact

moderate

**Description**

Excel .xll add-in files did not have a blocklist entry in Firefox's executable blocklist which allowed them to be downloaded without any warning of their potential harm.

**References**

*   Bug 1843758

**#CVE-2023-4582: Buffer Overflow in WebGL glGetProgramiv**

Reporter

Dohyun Lee (@l33d0hyun) of SSD-Disclosure Labs & DNSLab, Korea Univ.

Impact

low

**Description**

Due to large allocation checks in Angle for glsl shaders being too lenient a buffer overflow could have occured when allocating too much private shader memory on mac OS.  
_This bug only affects Firefox on macOS. Other operating systems are unaffected._

**References**

*   Bug 1773874

**#CVE-2023-4583: Browsing Context potentially not cleared when closing Private Window**

Reporter

Thejaka Maldeniya

Impact

low

**Description**

When checking if the Browsing Context had been discarded in HttpBaseChannel, if the load group was not available then it was assumed to have already been discarded which was not always the case for private channels after the private session had ended.

**References**

*   Bug 1842030

**#CVE-2023-4584: Memory safety bugs fixed in Firefox 117, Firefox ESR 102.15, Firefox ESR 115.2, Thunderbird 102.15, and Thunderbird 115.2**

Reporter

Randell Jesup, Andrew McCreight, the Mozilla Fuzzing Team

Impact

high

**Description**

Memory safety bugs present in Firefox 116, Firefox ESR 102.14, Firefox ESR 115.1, Thunderbird 102.14, and Thunderbird 115.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 117, Firefox ESR 102.15, Firefox ESR 115.2, Thunderbird 102.15, and Thunderbird 115.2

**#CVE-2023-4585: Memory safety bugs fixed in Firefox 117, Firefox ESR 115.2, and Thunderbird 115.2**

Reporter

Donal Meehan, Sebastian Hengst, and the Mozilla Fuzzing Team

Impact

high

**Description**

Memory safety bugs present in Firefox 116, Firefox ESR 115.1, and Thunderbird 115.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 117, Firefox ESR 115.2, and Thunderbird 115.2

CVE-2023-4573: Security Vulnerabilities fixed in Firefox 117

A new cyber attack campaign is leveraging the PowerShell script associated with a legitimate red teaming tool to plunder NTLMv2 hashes from compromised Windows systems primarily located in Australia, Poland, and Belgium.
The activity has been codenamed Steal-It by Zscaler ThreatLabz.
"In this campaign, the threat actors steal and exfiltrate NTLMv2 hashes using customized versions of Nishang's

Endpoint Security / Malware

A new cyber attack campaign is leveraging the PowerShell script associated with a legitimate red teaming tool to plunder NTLMv2 hashes from compromised Windows systems primarily located in Australia, Poland, and Belgium.

The activity has been codenamed Steal-It by Zscaler ThreatLabz.

"In this campaign, the threat actors steal and exfiltrate NTLMv2 hashes using customized versions of Nishang's Start-CaptureServer PowerShell script, executing various system commands, and exfiltrating the retrieved data via Mockbin APIs," security researchers Niraj Shivtarkar and Avinash Kumar said.

Nishang is a framework and collection of PowerShell scripts and payloads for offensive security, penetration testing, and red teaming.

The attacks leverage as many as five different infection chains, although they all leverage phishing emails containing ZIP archives as the starting point to infiltrate specific targets using geofencing techniques -

*   **NTLMv2 hash stealing infection chain**, which employs a custom version of the aforementioned Start-CaptureServer PowerShell script to harvest NTLMv2 hashes
*   **System info stealing infection chain**, which OnlyFans lures to target Australian users into downloading a CMD file that pilfers system information
*   **Fansly whoami infection chain**, which uses explicit images of Ukrainian and Russian Fansly models to entice Polish users into downloading a CMD file that exfiltrates the results of the whoami command
*   **Windows update infection chain**, which targets Belgium users with fake Windows update scripts designed to run commands like tasklist and systeminfo

It's worth noting that the last attack sequence was highlighted by the Computer Emergency Response Team of Ukraine (CERT-UA) in May 2023 as part of an APT28 campaign directed against government institutions in the country.

UPCOMING WEBINAR

Way Too Vulnerable: Uncovering the State of the Identity Attack Surface

Achieved MFA? PAM? Service account protection? Find out how well-equipped your organization truly is against identity threats

Supercharge Your Skills

This raises the possibility that the Steal-It campaign could also be the work of the Russian state-sponsored threat actor.

"The threat actors' custom PowerShell scripts and strategic use of LNK files within ZIP archives highlights their technical expertise," the researchers said. "The persistence maintained by moving files from the Downloads to Startup folder and renaming them underscores the threat actors' dedication to prolonged access."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#windows