An issue has been discovered in GitLab EE affecting all versions starting from 16.2 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for an attacker to abuse the policy bot to gain access to internal projects.

CVE-2023-5995

An issue has been discovered in GitLab affecting all versions starting from 12.1 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for a Guest user to add an emoji on confidential work items.

CVE-2023-3443

An issue was discovered in Huddly HuddlyCameraService before version 8.0.7, not including version 7.99, allows attackers to manipulate files and escalate privileges via RollingFileAppender.DeleteFile method performed by the log4net library.

2023-11-20

This article provides technical descriptions of two vulnerabilities that allowed for local privilege escalation in HuddlyCameraService. During a previous assessment, these vulnerabilities helped to escalate privileges from regular user to SYSTEM, establish command and control (C2), evade the installed EDR by DLL sideloading a non-Microsoft binary, and install persistence on the host since the service started on system boot.  

The first vulnerability, CVE-2023-45252, enabled privilege escalation due to the service being installed in a directory that grants write privileges to regular users. The second vulnerability, which was identified as CVE-2023-45253, enabled local privilege escalation through a privileged file operation executed by the service under the SYSTEM user context. 

The vulnerabilities were reported on August 10, 2023, and Huddly promptly addressed them by releasing a fix on September 21, 2023. The solution to resolve these vulnerabilities involves upgrading to version 8.0.7 of the program, officially released on September 21, 2023. Our team has thoroughly tested this patch, and it has effectively rectified the issues.

Official release notes and security advisory can be found at this Huddly support page.

**Privilege Escalation via Insecure Installation Directory (CVE-2023-45252) **

The first vulnerability, identified as CVE-2023-45252, enabled privilege escalation due to the service being installed in a directory that grants write privileges to regular users, affecting version <8.0.7 of Huddly’s Camera Windows software. 

**Identification and Exploitation **

By using Microsoft's Process Monitor (ProcMon), which can be used to analyze and monitor file operations on a Windows system, it was found that the HuddlyCameraService.exe file was executed as NT AUTHORITY\\SYSTEM from the C:\\Windows\\Temp\\.net\\HuddlyCameraService folder, as highlighted in Figure 1. Additionally, the process attempted to load missing dynamic-link library (DLL) files from the same folder. 

_Figure 1 - Process attempting to load missing DLLs._

Due to regular users having write permissions in C:\\Windows\\Temp\\.net\\HuddlyCameraService, which contains permissions inherited from C:\\Windows\\Temp, the service was susceptible to a local privilege escalation attack that could be exploited through a DLL hijacking attack. The permission inheritance is demonstrated in Figure 2 and Figure 3.

Figure 2 - Permissions for C:\\Windows\\Temp.

Figure 3 - Permissions for C:\\Windows\\Temp\\.net\\HuddlyCameraService.

To exploit the vulnerability, an adversary could drop a payload as one of the missing DLLs into C:\\Windows\\Temp\\.net\\HuddlyCameraService\\IQQF1G9DDW8qNL0XgxzvxAVCQLDvvYE=, and then reboot the machine. This often works because Windows uses a pre-defined search path to find DLL, which searches in a specific order.

****Arbitrary File Write Leading to Privilege Escalation (CVE-2023-45253)****

The second vulnerability, identified as CVE-2023-45253, enabled local privilege escalation through a privileged file operation executed by the service under the SYSTEM user context

This vulnerability affects version <8.0.7 of Huddly’s Camera Windows software. 

**Identification**

When the log4net library performs a rollover via the RollingFileAppender class (an Appender that rolls log files based on size or date or both), and if the maximum number of size backups is reached (set with maxSizeRollBackups), then the oldest file is deleted, as can be seen in Figure 4.

Figure 4 - DeleteFile when maxSizeRollBackups is reached.

The DeleteFile method will delete a file if it exists. Figure 5 shows that a new filename is generated, containing a tick count, which is the number of milliseconds elapsed since the system started. Then, the file is first moved to a new filename and then deleted. This allows the file to be removed even when it cannot be deleted, but it still can be moved.

_Figure 5 - DeleteFile generates a new name and moves/renames the file._

By following the call chain for System.IO.File.Move, it ends up calling Kernel32$MoveFileEx. This is where the flaw is - the service does never attempt to impersonate the user but performs all actions in the context of NT AUTHORITY\\SYSTEM. Therefore, the file move operation is done on a file that unprivileged users can manipulate in the context of NT AUTHORITY\\SYSTEM. If files are moved from C:\\ProgramData\\Huddly\\Logs\\ to, for example, C:\\Program Files\\Huddly, then the file moved to the new location will have access rights inherited from the old location, as demonstrated in Figure 6.

_Figure 6 - Inherited access rights on FakeDll.dll after successful exploitation._

By using Microsoft's Process Monitor (ProcMon), the file operations performed by the HuddlyCameraService can be seen, as shown in Figure 7.

_Figure 7 - ProcMon shows the file operations performed by the Huddly service._

The SetRenameInformationFile call originates from the Win32 MoveFileEx() function. Further inspecting the operation showed that it did not impersonate the user but was executed as NT AUTHORITY\\SYSTEM, as demonstrated in Figure 8. If the application did impersonate the user, it would have included Impersonating: <domain>\\<username> in the Event Properties.

_Figure 8 - No impersonation is being performed by the service._

The arbitrary file move as SYSTEM results in a Local Privilege Escalation. To exploit the vulnerability, an adversary could drop a payload as one of the missing DLLs into C:\\Windows\\Temp\\.net\\HuddlyCameraService\\IQQF1G9DDW8qNL0XgxzvxAVCQLDvvYE=,  as shown in Figure 9. After rebooting the machine, the malicious code would be executed as SYSTEM. There are also multiple other ways to escalate privileges with the ability to move files as SYSTEM.

_Figure 9 - Paths that resulted in NAME NOT FOUND._

**Exploitation**

When the service creates test.5.log, the service will soon open the file again to be moved/renamed. There is a short time between the file creation and the file move operation, where the attacker can modify the behavior of the file move. The exploit code will place an Opportunistic Lock (Oplock) on the test.5.log after the service creates it because this will allow the attacker to block file operations on a given file for as long as they choose to hold the lock, making it easier to win the race. The attacker cannot perform any operations on the file while the Oplock is there. However, the attacker can achieve what they want by creating Object Manager symbolic links.

Therefore, the strategy to exploit this flaw is configuring the logging with a maximum file size of 0 and setting the log folder to a folder initially used as a junction point to another "physical" directory. Then, when the service is started, it will write the logs into the junction and store them inside the other physical folder. When this is done, we can continue to phase 2 of the exploit.

Phase 2 of the exploit will attempt to open test.log.5. When it successfully opens the file, it will place an Oplock on the file. When the Oplock is triggered, the exploit code generates a new filename with the tick count, switches the mountpoint to an Object Directory, and creates two symbolic links. The test.log.5 file will point to a file owned by the attacker, and the test.log.5.TickCount.DeletePending file will point to where the attacker wants to write, for example, C:\\Program Files\\Huddly\\FakeDll.dll. After releasing the Oplock, the service will perform the final move operation through the two symbolic links. These steps are described in more detail below.

**Prepare the workspace and log4net configuration**

Create the workspace directory with the following structure:

C:\\ProgramData\\Huddly\\Logs\\workspace

|\_\_ <DIR> bait

|\_\_ <DIR> mountpoint

|\_\_ FakeDll.dll

The mountpoint directory will first be a junction to the bait directory, then switched to a junction to the RPC Control Object Directory. The DLL file is the file to be moved to a secure location such as C:\\Program Files\\Huddly\\.

Additionally, as shown in Figure 10, the log4net configuration file will be updated to write into the mountpoint directory, and the maximumFileSize will be set to 0. The maxSizeRollBackups decide how many backup files there will be. The default was five, which is why we will be looking for test.log.5.

_Figure 10 - log4net configured for exploitation._

**Create the mountpoint from mountpoint to bait**

C:\\ProgramData\\Huddly\\Logs\\workspace\\mountpoint -> C:\\ProgramData\\Huddly\\Logs\\workspace\\bait

**Start the service / reboot the machine**

The logs will be written to C:\\ProgramData\\Huddly\\Logs\\workspace\\bait\\test.log because of the junction created.

**Start phase 2 – Find the test.log.5 file and set an Oplock**

This phase will attempt to race the log4net rollover function. The exploit code enters a loop that will attempt to open the test.log.5 file. When the file open is successful, an Oplock will be placed on it, which helps win the race by allowing us to pause the operation.

**Wait for the Oplock**

The Oplock will be triggered when log4net in the service opens the test.log.5. When the Oplock is triggered, the exploit generates the new file name, switches the mountpoint, and creates two symbolic links.

Before the switch:

C:\\ProgramData\\Huddly\\Logs\\workspace\\mountpoint -> bait

test.5.log = C:\\ProgramData\\Huddly\\Logs\\workspace\\mountpoint\\test.5.log -> C:\\ProgramData\\Huddly\\Logs\\workspace\\bait\\test.5.log

After the switch:

C:\\ProgramData\\Huddly\\Logs\\workspace\\mountpoint -> \\RPC Control

test.5.log = C:\\ProgramData\\Huddly\\Logs\\workspace\\mountpoint\\test.5.log -> C:\\ProgramData\\Huddly\\Logs\\workspace\\FakeDll.dll

C:\\ProgramData\\Huddly\\Logs\\workspace\\test.5.log.<TickCount>.DeletePending = C:\\Program Files\\Huddly\\FakeDll.dll

**Release the Oplock**

Upon Oplock release, the final MoveFileEx() call redirection will occur due to the symbolic links. Consequently, the DLL will be moved to the C:\\Program Files\\Huddly folder.

Figure 11 shows the important parts of the Proof of Concept code used to exploit the vulnerability.

 

_Figure 11 - Proof of concept code to exploit the vulnerability._

After a short time, the race is won, and the FakeDll.dll was placed inside C:\\Program Files\\Huddly with inherited access rights from C:\\ProgramData\\Huddly\\Logs, as was demonstrated in Figure 6 earlier. 

**Disclosure Timeline**

*   2023-08-07 – Identified the vulnerabilities
*   2023-08-10 – Vulnerabilities reported to Huddly
*   2023-08-28 – Huddly verified vulnerabilities
*   2023-09-21 –Patch available
*   2023-10-23 - Verified the effectiveness of the patch
*   2023-11-20 - Released the full disclosure of the vulnerabilities

**Acknowledgment**

I want to thank Huddly and everyone involved with the patch for these vulnerabilities. They were kind and demonstrated a collaborative spirit, making them easy to work with.

Article written by: Henrik Pedersen, XLENT Cyber Security Norway

**References**

1.  https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dll-hijacking
2.  https://learn.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order#factors-that-affect-searching
3.  https://learn.microsoft.com/en-us/sysinternals/downloads/procmon
4.  https://logging.apache.org/log4net/release/sdk/html/M\_log4net\_Appender\_RollingFileAppender\_DeleteFile.htm
5.  https://logging.apache.org/log4net/log4net-1.2.12/release/sdk/log4net.Appender.RollingFileAppender.RollOverRenameFiles.html
6.  https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools/tree/main
7.  https://itm4n.github.io/cve-2020-0787-windows-bits-eop/

CVE-2023-45253: Security Disclosure of Vulnerabilities: CVE-2023-45252 and CVE-2023-45253

Restaurant Table Booking System V1.0 is vulnerable to SQL Injection in rtbs/admin/index.php via the username parameter.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-48016: cves/CVE-2023-48016-restaurant-table-booking-system-SQLInjection.md at main · Serhatcck/cves


Dell Rugged Control Center, version prior to 4.7, contains insufficient protection for the Policy folder. A local malicious standard user could potentially exploit this vulnerability to modify the content of the policy file, leading to unauthorized access to resources.



**Impact**

Medium

**Details**

Proprietary Code CVE(s)

Description

CVSS Base Score

CVSS Vector String

CVE-2023-43089

Dell Rugged Control Center, version prior to 4.7, contains insufficient protection for the Policy folder. A local malicious standard user could potentially exploit this vulnerability to modify the content of the policy file, leading to unauthorized access to resources.

4.4

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Proprietary Code CVE(s)

Description

CVSS Base Score

CVSS Vector String

CVE-2023-43089

Dell Rugged Control Center, version prior to 4.7, contains insufficient protection for the Policy folder. A local malicious standard user could potentially exploit this vulnerability to modify the content of the policy file, leading to unauthorized access to resources.

4.4

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.

**Affected Products and Remediation**

CVE(s) Addressed

Product

Affected Version(s)

Updated Version(s)

Link to Update

CVE-2023-43089

Dell Rugged Control Center

Versions prior to 4.7

Version 4.7

https://www.dell.com/support/home/drivers/driversdetails?driverid=4M3T2

CVE(s) Addressed

Product

Affected Version(s)

Updated Version(s)

Link to Update

CVE-2023-43089

Dell Rugged Control Center

Versions prior to 4.7

Version 4.7

https://www.dell.com/support/home/drivers/driversdetails?driverid=4M3T2

**Workarounds and Mitigations**

Dell Rugged Control Center UI would provide an SHA-256 hash of the Policy File to the administrator, which can be used to cross-verify the legitimacy of the policy file after transfer.  

**Revision History**

Revision

Date

Description

1.0

2023-11-30

Initial Release

**Related Information**

Dell Security Advisories and Notices  
Dell Vulnerability Response Policy  
CVSS Scoring Guide

CVE-2023-43089: DSA-2023-371: Dell Rugged Control Center Security Update for an Improper Access Control Vulnerability

An issue in TOTOLINK X6000R V9.4.0cu.652_B20230116 and V9.4.0cu.852_B20230719 allows a remote attacker to execute arbitrary code via the hostName parameter of the switchOpMode component.

CVE-2023-43454: vuln/TOTOLINK/X6000R/1.md at main · tharsis1024/vuln

An issue in TOTOLINK X6000R V9.4.0cu.652_B20230116 and V9.4.0cu.852_B20230719 allows a remote attacker to execute arbitrary code via the IP parameter of the setDiagnosisCfg component.

CVE-2023-43453: vuln/TOTOLINK/X6000R/2.md at main · tharsis1024/vuln

An issue in TOTOLINK X6000R V9.4.0cu.652_B20230116 and V9.4.0cu.852_B20230719 allows a remote attacker to execute arbitrary code via the command parameter of the setting/setTracerouteCfg component.

CVE-2023-43455: vuln/TOTOLINK/X6000R/3.md at main · tharsis1024/vuln

A memory corruption vulnerability was addressed with improved locking. This issue is fixed in iOS 17.1.2 and iPadOS 17.1.2, macOS Sonoma 14.1.2, Safari 17.1.2. Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1.

This document describes the security content of Safari 17.1.2.

**About Apple security updates**

For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security releases page.

Apple security documents reference vulnerabilities by CVE-ID when possible.

For more information about security, see the Apple Product Security page.

**Safari 17.1.2**

Released November 30, 2023

**WebKit**

Available for: macOS Monterey and macOS Ventura

Impact: Processing web content may disclose sensitive information. Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1.

Description: An out-of-bounds read was addressed with improved input validation.

WebKit Bugzilla: 265041  
CVE-2023-42916: Clément Lecigne of Google's Threat Analysis Group

**WebKit**

Available for: macOS Monterey and macOS Ventura

Impact: Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1.

Description: A memory corruption vulnerability was addressed with improved locking.

WebKit Bugzilla: 265067  
CVE-2023-42917: Clément Lecigne of Google's Threat Analysis Group

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.

Published Date: November 30, 2023

CVE-2023-42917: About the security content of Safari 17.1.2

LOYTEC electronics GmbH LINX Configurator 7.4.10 is vulnerable to Insecure Permissions. An admin credential is passed as a value of URL parameters without encryption, so it allows remote attackers to steal the password and gain full control of Loytec device configuration.

**Full Disclosure mailing list archives**

_From_: Chizuru Toyama <chizuru\_toyama () txone com>  
_Date_: Thu, 23 Nov 2023 02:54:46 +0000  

\[+\] CVE                                 : CVE-2023-46383, CVE-2023-46384, CVE-2023-46385 
\[+\] Title                                : Multiple vulnerabilities in Loytec LINX Configurator 
\[+\] Vendor                           : LOYTEC electronics GmbH
\[+\] Affected Product(s)     : LINX Configurator 7.4.10
\[+\] Affected Components : LINX Configurator
\[+\] Discovery Date             : 01-Sep-2021
\[+\] Publication date           : 03-Nov-2023
\[+\] Discovered by               : Chizuru Toyama of TXOne networks


\[Vulnerability Description\]

 CVE-2023-46383 : Insecure Permissions
 Loytec LINX Configurator could be connected to Loytec devices with
 an administrator credential, and it could configure device settings. 
 Since it uses HTTP Basic Authentication, which transmits usernames 
 and passwords in base64-encoded cleartext, so anyone could easily
 steal credentials if they sniff network traffics. Once obtaining the
 admin password, attackers could connect and control Loytec devices 
 via LINX configurator.
 
 CVE-2023-46384 :  Insecure Permissions 
 Following registry key contains hard-coded clear text admin password 
 for recently connected Loytec device. (password cache) If an attacker 
 succeeds in getting this registry key value, attackers could connect 
 and control Loytec devices via LINX configurator.

  Key: Computer\\HKEY\_CURRENT\_USER\\SOFTWARE\\LOYTEC\\LOYTEC LINX Configurator\\OhioIni
  Value name: ftp\_pass
  Value dada: <admin password>

 CVE-2023-46385 : Insecure Permissions
 When Loytec LINX Configurator connects to a device, it sends HTTP GET 
 request to login. Since cleartext password is passed as an URL parameter, 
 "password" without sufficient protection, anyone could easily steal 
 credentials if they sniff network traffics. Once obtaining the admin 
 password, attackers could connect and control Loytec devices via LINX 
 configurator.
 http://<IP>:<port>/webui/config/system?username=admin&password=<admin password>&login=Login


\[Timeline\]

 01-Sep-2021 : Vulnerabilities discovered
 13-Oct-2021 : Trend Micro ZDI (Zero Day Initiative) reported to vendor (no response)
 07-Oct-2022 : ICS CERT reported to vendor (no response)
 03-Nov-2023 : Public Disclosure

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

**Current thread:**

*   **\[CVE-2023-46383, CVE-2023-46384, CVE-2023-46385\] Multiple vulnerabilities in Loytec products (2)** _Chizuru Toyama (Nov 27)_

Source

CVE