Apache CloudStack version 4.5.0 and later has a SAML 2.0 authentication Service Provider plugin which is found to be vulnerable to XML external entity (XXE) injection. This plugin is not enabled by default and the attacker would require that this plugin be enabled to exploit the vulnerability. When the SAML 2.0 plugin is enabled in affected versions of Apache CloudStack could potentially allow the exploitation of XXE vulnerabilities. The SAML 2.0 messages constructed during the authentication flow in Apache CloudStack are XML-based and the XML data is parsed by various standard libraries that are now understood to be vulnerable to XXE injection attacks such as arbitrary file reading, possible denial of service, server-side request forgery (SSRF) on the CloudStack management server.

**Email display mode:**

Modern rendering  
Legacy rendering

CVE-2022-35741

AnyDesk 7.0.9 allows a local user to gain SYSTEM privileges via a symbolic link because the user can write to their own %APPDATA% folder (used for ad.trace and chat) but the product runs as SYSTEM when writing chat-room data there.

Nmap Announce Nmap Dev Full Disclosure Security Lists Internet Issues Open Source Dev

**Full Disclosure mailing list archives****AnyDesk Public Exploit Disclosure - Arbitrary file write by symbolic link attack lead to denial-of-service attack on local machine**

_From_: chan chan <siuchunc.03 () gmail com>  
_Date_: Wed, 22 Jun 2022 17:42:49 +0800  

Hi FullDisclosure,

I would like to publish an exploit that I found on AnyDesk as follows.

# Exploit Title: AnyDesk allow arbitrary file write by symbolic link
attack lead to denial-of-service attack on local machine
# Google Dork: \[if applicable\]
# Date: 24/5/2022
# Exploit Author: Erwin Chan
# Vendor Homepage: https://anydesk.com/en
# Software Link: https://anydesk.com/en
# Version: 7.0.9
# Tested on: Windows 11



It was found that AnyDesk (version 7.0.9) was vulnerable to arbitrary file
write by symbolic link attack leading to denial-of-service attack on local
machine. It was noted that two functions were affected.
\*Affected function A\*
When there was a remote connection come in, a directory under AppData of
current user (without admin privilege) and a "ad.trace" file (i.e.,
"C:\\Users\\<user>\\AppData\\Roaming\\AnyDesk") will be created by "AnyDesk.exe"
with "NT Authority\\SYSTEM" privilege.
\[image: image.png\]
\[image: image.png\]
\*Affected function B\*
After a connection was made, local or remote user could use the chat room.
The chat log was written to folder
"C:\\Users\\<user>\\AppData\\Roaming\\AnyDesk\\chat\\" by "AnyDesk.exe" with "NT
Authority\\SYSTEM" privilege. Or the local user (without admin privilege)
could change the location of the chat log to anywhere that he/she has
"Modify" privilege.
\[image: image.png\]
\[image: image.png\]
\*Vulnerability Summary\*
Since the directories (i.e., "C:\\Users\\<user>\\AppData\\Roaming\\AnyDesk\\",
"C:\\Users\\<user>\\AppData\\Roaming\\AnyDesk\\chat\\") were assigned with
"Modify" privilege for current user, current user could modify the entire
directory. With this setup, an unprivileged user is able to achieve
arbitrary file write by creating a symbolic link to a privileged location
(e.g., C:\\Windows\\System32). As a result, a malicious user could
potentially deny any service by overwriting the configuration or system
file of applications such as Anti Virus solutions. It was noted that the
file content could be manipulated in affected function B such that a low
privileged user could write an arbitrary file to an arbitrary location.
\[image: d98609c1-7ec9-4a1d-9a6c-f4ef670e5d23.png\]
\*Affected function A: Exploit steps by local user (without admin privilege)\*

   1. Remove the directory "C:\\Users\\<user>\\AppData\\Roaming\\AnyDesk"
   2. Create symbolic link of "ad.trace" file to a privileged location
   (e.g., C:\\Windows\\System32\\test.file) (PoC binary could be found here:
   https://github.com/googleprojectzero/symboliclink-testing-tools/blob/main/CreateSymlink/CreateSymlink\_readme.txt
   )

\[image: image.png\]

   1. Connect to local machine (target machine) from a remote machine.
   After the connection was initiated, the content of "ad.trace" file would be
   written to target file (e.g., C:\\Windows\\System32\\test.file)

\[image: image.png\]
\*Affected function B: Exploit steps by local user (without admin privilege)\*

   1. edit username of remote connector

\[image: image.png\]

   1. Establish a AnyDesk connection from remote. Enter arbitrary text into
   the chat box. Mark down the filename of chat log

\[image: image.png\]

   1. Remove the directory "C:\\Users\\<user>\\AppData\\Roaming\\AnyDesk\\chat"
   2. Create symbolic link of chat log file (e.g., 657584961.txt) to a
   privileged location (e.g., C:\\Windows\\test.conf) (PoC binary could be found
   here:
   https://github.com/googleprojectzero/symboliclink-testing-tools/blob/main/CreateSymlink/CreateSymlink\_readme.txt
   )

\[image: image.png\]

   1. Open the chat room and enter arbitrary content into it. After that,
   the content of chat room would be written to target file (e.g.,
   C:\\Windows\\test.conf)

\[image: image.png\]
\[image: image.png\]

Please let me know if any detail need further. Thanks

Regards,
Erwin

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

**Current thread:**

*   **AnyDesk Public Exploit Disclosure - Arbitrary file write by symbolic link attack lead to denial-of-service attack on local machine** _chan chan (Jun 27)_

CVE-2022-32450: Full Disclosure: AnyDesk Public Exploit Disclosure

An issue was discovered in Poly EagleEye Director II before 2.2.2.1. os.system command injection can be achieved by an admin.

DATE

ID#

TITLE

03-07-22

PLYTV21-09

Studio X50 – Improper Neutralization of Special Elements used in an OS Command

03-07-22

PLYPL21-12

EEDII – Multiple Security Vulnerabilities

02-23-22

PLYGN21-08

Poly Systems – Apache Log4j

09-29-21

Security Advisory Version 1.0

Plantronics Hub – Local Privilege Escalation

09-07-21

Security Bulletin Version 1.0

CX5100/CX5500 Authenticated Command Injection

04-30-21

Security Advisory Version 1.0

Information Disclosure Vulnerability Poly VOIP Phones

02-24-21

Security Advisory Version 1.0

Information Disclosure Vulnerability Poly VOIP Phones

02-24-21

Security Bulletin Version 1.1

Increased SIP Provisioning Attacks

02-22-21

Security Advisory Version 1.0

Information Disclosure Vulnerability Poly ZTP Service

01-20-21

Security Bulletin Version 1.0

Cybersecurity and Infrastructure Security Agency (CISA) Alert AA20-352A

04-24-20

Security Bulletin Version 1.0

Poly Recommended Best Security Practices for Unified Communications

04-01-20

Security Advisory Version 1.0

Poly Voice Endpoints – XSS and CSRF Vulnerabilities

02-07-20

Security Bulletin Version 1.0

CCX500 - UI Vulnerability Allows Access to Android Settings

01-15-20

Security Bulletin Version 1.6

Worldwide H.323 and SIP Botnet Calling Video Systems

01-10-20

Security Advisory Version 1.2.0

Remote Code Execution Vulnerability in UCS Software

01-10-20

Security Advisory Version 1.0.0

Vulnerabilities in VxWorks Operating System and Poly Products

09-04-19

Security Advisory Version 1.0.0

Plantronics Hub - Local Privilege Escalation Vulnerability

08-06-19

Security Advisory Version 1.0

Remote Code Execution Vulnerability in Obihai OBi1022

06-19-19

Security Advisory Version 1.1

Insufficient Authentication Resulting in Information Leakage on VVX Products

06-14-19

Security Advisory Version 1.1

Hard Coded Credentials Vulnerability in VVX Products

04-26-19

Security Advisory Version 1.0

Multiple Vulnerabilities in HDX Products Older than 3.1.14

02-20-19

Security Bulletin Version 1.0

HDX (versions older than 3.1.13) can be affected by multiple Botnets

01-24-19

Security Advisory Version 1.1

Cyber Threats Targeting Default Passwords

11-30-18

Security Bulletin Version 1.1

TLS 1.2 and Microsoft O365 Impacts to Polycom Products

11-05-18

Security Bulletin Version 1.0

Bluetooth Authentication Weakness Found in Trio

11-05-18

Security Bulletin Version 1.0

Stored Cross-Site Scripting Found in Trio

11-01-18

Security Bulletin Version 1.0

Remote Code Execution Vulnerability Found in Group Series

08-10-18

Security Bulletin Version 1.1

HDX SoftwareVersions Older than 3.1.12 and Omni Botnet

07-12-18

Security Advisory Version 1.9

Processor Based "Speculative Execution" Vulnerabilities AKA "Spectre" and "Meltdown" on Polycom Products

07-11-18

Security Advisory Version 1.2

Vulnerabilities in Polycom VVX Phones and UC Software

07-03-18

Security Advisory Version 1.0

Polycom UCS Software Vulnerabilities

06-26-18

Security Advisory Version 1.1

RealPresence Web Suite Vulnerability

05-10-18

Security Advisory Version 1.0

RealPresence Debut Vulnerabilities

03-05-18

Security Advisory Version 1.0

QDX 6000 Vulnerabilities

12-20-17

Security Advisory Version 1.2

"Krack" Vulnerability with Polycom Products

11-24-17

Security Advisory Version 1.2

Remote Code Execution on HDX Endpoints

10-18-17

Security Advisory Version 1.1

BlueBorne Bluetooth Vulnerabilities

08-28-17

Security Advisory Version 1.0

Information Disclosure on Multiple Polycom Products

08-11-17

Security Bulletin Version 1.1

WannaCry Vulnerability and Polycom Products

06-14-17

Security Bulletin Version 1.0

Relating to CVE-2017-7494 "SambaCry" Vulnerability and Polycom Products

03-22-17

Security Bulletin Version 1.0

Relating to CVE-2017-5638 "Apache Struts" Vulnerability and Polycom Products

10-26-16

Security Advisory Version 1.1

Relating to CVE-2016-5195 "Dirty COW" Vulnerability

09-20-16

Security Advisory Version 2.0

Relating to a Cross-site Scripting (XSS) Vulnerability in Polycom HDX Video Endpoints

09-13-16

Security Advisory Version 1.0

Relating to an XML External Entity (XXE) Vulnerability in Polycom HDX Video Endpoints)

04-06-16

Security Advisory Version 1.2

Relating to a GNU glibc DNS Vulnerability (CVE-2015-7547)

03-08-16

Security Bulletin Version 1.0

Relating to CVE-2016-0800 “DROWN” Vulnerability and Polycom Products

02-09-16

Security Office Update 2.0

Security Update Relating to H.323 and SIP AES Media Encryption on Polycom Products

12-16-15

Security Advisory Version 1.0

Relating to RealPresence Capture Server and RealPresence Media Suite Appliance Editions

12-09-15

Security Advisory Version 1.0

Relating to Path Traversal Vulnerabilities in Polycom VVX Business Media Phones

10-23-15

Security Advisory Version 2.0

Relating to GHOST glibc Vulnerability

10-23-15

Security Advisory Version 1.6.1

Relating to Logjam Vulnerability

06-29-15

Security Bulletin Version 1.0

RealPresence Resource Manager 8.4 security fixes summary

06-23-15

Security Advisory Version 1.0

Relating to Command Shell Vulnerability in Polycom Group Series Video Endpoints

06-23-15

Security Advisory Version 1.0

Relating to Inadequate SSH Restrictions Vulnerability in Polycom Group Series Video Endpoints

06-23-15

Security Advisory Version 1.0

Relating to Software Update Vulnerability in Polycom Group Series Video Endpoints

06-23-15

Security Advisory Version 1.0

Relating to Weak Entropy Vulnerability in Polycom Group Series Video Endpoints Web Cookies

06-17-15

Security Bulletin Version 1.0

Relating to "Tomcat Denial of Service"

06-15-15

Security Bulletin Version 1.0

Relating to Leap Second Insertion

04-20-15

Security Bulletin Version 1.6

Relating to SSLv3 "POODLE" Vulnerability and Polycom Products

10-24-14

Security Advisory Version 1.7

Relating to Bash shell arbitrary code execution on Various Polycom Products

10-06-14

Security Bulletin Version 1.2

Relating to Multiple OpenSSL Vulnerabilities on Various Polycom Products

06-05-14

Security Advisory Version 1.12

Relating to OpenSSL Vulnerability “Heartbleed” on Various Polycom Products

12-20-13

Security Bulletin 5471

Relating to JBoss Application Server on RealPresence Resource Manager

03-14-13

Security Bulletin 102404

Security Advisory relating to telnet shell authorization bypass on Polycom HDX Video Endpoints

03-14-13

Security Bulletin 107522

Security Advisory Relating to the Firmware Update Command Injection Vulnerability on Polycom HDX Video Endpoints

03-14-13

Security Bulletin 107523

Security Advisory Relating to the Command Shell Vulnerability on Polycom HDX Video Endpoints

03-14-13

Security Bulletin 107524

Security Advisory Relating to the H.323 Format String Vulnerability on Polycom HDX Video Endpoints

03-14-13

Security Bulletin 107525

Security Advisory Relating to the H.323 CDR Database SQL Injection on Polycom HDX Video Endpoints

03-14-13

Security Bulletin 107526

Security Advisory Relating to the PUP File Header MAC Signature Bypass on Polycom HDX Video Endpoints

CVE-2022-26482: Security Center

Tor 0.4.7.x before 0.4.7.8 allows a denial of service via the wedging of RTT estimation.

**Name**

CVE-2022-33903

**Source**

CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)

**Vulnerable and fixed packages**

The table below lists information on source packages.

Source Package

Release

Version

Status

tor (PTS)

buster, buster (security)

0.3.5.16-1

fixed

bullseye (security), bullseye

0.4.5.10-1~deb11u1

fixed

bookworm, sid

0.4.7.8-1

fixed

The information below is based on the following data on fixed versions.

Package

Type

Release

Fixed Version

Urgency

Origin

Debian Bugs

tor

source

stretch

(not affected)

tor

source

buster

(not affected)

tor

source

bullseye

(not affected)

tor

source

(unstable)

0.4.7.8-1

**Notes**

\[bullseye\] - tor <not-affected> (Only affects 0.4.7.x)  
\[buster\] - tor <not-affected> (Only affects 0.4.7.x)  
\[stretch\] - tor <not-affected> (Only affects 0.4.7.x)  
https://bugzilla.redhat.com/show\_bug.cgi?id=2099227  
https://gitlab.torproject.org/tpo/core/tor/-/issues/40626  
https://lists.torproject.org/pipermail/tor-announce/2022-June/000242.html  
https://github.com/torproject/tor/commit/b0496d40197dd5b4fb7b694c1410082d4e34dda6 (tor-0.4.7.8)

CVE-2022-33903: CVE-2022-33903

An issue was discovered in Open Design Alliance Drawings SDK before 2023.3. An Out-of-Bounds Read vulnerability exists when reading a DWG file with an invalid vertex number in a recovery mode. An attacker can leverage this vulnerability to execute code in the context of the current process.

CVE-2022-28809: ODA Security Advisories | Open Design Alliance

Pexip Infinity before 28.1 allows remote attackers to trigger a software abort via G.719.

CVE-2022-32263: Pexip security bulletins | Pexip Infinity Docs

Pexip Infinity 27 before 28.0 allows remote attackers to trigger excessive resource consumption and termination because of registrar resource mishandling.

CVE-2022-29286: Pexip security bulletins | Pexip Infinity Docs

In Squid 3.x through 3.5.28, 4.x through 4.17, and 5.x before 5.6, due to improper buffer management, a Denial of Service can occur when processing long Gopher server responses.

Date: 2022-04-18 13:42:36 +0000 Improve handling of Gopher responses (#1022) diff --git a/src/gopher.cc b/src/gopher.cc index c4d1aeaad..6a77d9aaf 100644 --- a/src/gopher.cc +++ b/src/gopher.cc @@ -365,7 +365,6 @@ gopherToHTML(GopherStateData \* gopherState, char \*inbuf, int len) char \*lpos = NULL; char \*tline = NULL; LOCAL\_ARRAY(char, line, TEMP\_BUF\_SIZE); - LOCAL\_ARRAY(char, tmpbuf, TEMP\_BUF\_SIZE); char \*name = NULL; char \*selector = NULL; char \*host = NULL; @@ -375,7 +374,6 @@ gopherToHTML(GopherStateData \* gopherState, char \*inbuf, int len) char gtype; StoreEntry \*entry = NULL; - memset(tmpbuf, '\\0', TEMP\_BUF\_SIZE); memset(line, '\\0', TEMP\_BUF\_SIZE); entry = gopherState->entry; @@ -410,7 +408,7 @@ gopherToHTML(GopherStateData \* gopherState, char \*inbuf, int len) return; } - String outbuf; + SBuf outbuf; if (!gopherState->HTML\_header\_added) { if (gopherState->conversion == GopherStateData::HTML\_CSO\_RESULT) @@ -582,37 +580,34 @@ gopherToHTML(GopherStateData \* gopherState, char \*inbuf, int len) break; } - memset(tmpbuf, '\\0', TEMP\_BUF\_SIZE); - if ((gtype == GOPHER\_TELNET) || (gtype == GOPHER\_3270)) { if (strlen(escaped\_selector) != 0) - snprintf(tmpbuf, TEMP\_BUF\_SIZE, " %s\\n", - icon\_url, escaped\_selector, rfc1738\_escape\_part(host), - \*port ? ":" : "", port, html\_quote(name)); + outbuf.appendf(" %s\\n", + icon\_url, escaped\_selector, rfc1738\_escape\_part(host), + \*port ? ":" : "", port, html\_quote(name)); else - snprintf(tmpbuf, TEMP\_BUF\_SIZE, " %s\\n", - icon\_url, rfc1738\_escape\_part(host), \*port ? ":" : "", - port, html\_quote(name)); + outbuf.appendf(" %s\\n", + icon\_url, rfc1738\_escape\_part(host), \*port ? ":" : "", + port, html\_quote(name)); } else if (gtype == GOPHER\_INFO) { - snprintf(tmpbuf, TEMP\_BUF\_SIZE, "\\t%s\\n", html\_quote(name)); + outbuf.appendf("\\t%s\\n", html\_quote(name)); } else { if (strncmp(selector, "GET /", 5) == 0) { /\* WWW link \*/ - snprintf(tmpbuf, TEMP\_BUF\_SIZE, " %s\\n", - icon\_url, host, rfc1738\_escape\_unescaped(selector + 5), html\_quote(name)); + outbuf.appendf(" %s\\n", + icon\_url, host, rfc1738\_escape\_unescaped(selector + 5), html\_quote(name)); } else if (gtype == GOPHER\_WWW) { - snprintf(tmpbuf, TEMP\_BUF\_SIZE, " %s\\n", - icon\_url, rfc1738\_escape\_unescaped(selector), html\_quote(name)); + outbuf.appendf(" %s\\n", + icon\_url, rfc1738\_escape\_unescaped(selector), html\_quote(name)); } else { /\* Standard link \*/ - snprintf(tmpbuf, TEMP\_BUF\_SIZE, " %s\\n", - icon\_url, host, gtype, escaped\_selector, html\_quote(name)); + outbuf.appendf(" %s\\n", + icon\_url, host, gtype, escaped\_selector, html\_quote(name)); } } safe\_free(escaped\_selector); - outbuf.append(tmpbuf); } else { memset(line, '\\0', TEMP\_BUF\_SIZE); continue; @@ -645,13 +640,12 @@ gopherToHTML(GopherStateData \* gopherState, char \*inbuf, int len) break; if (gopherState->cso\_recno != recno) { - snprintf(tmpbuf, TEMP\_BUF\_SIZE, "

**Record# %d  
_%s_**\\n

", recno, html\_quote(result));
+                    outbuf.appendf("

**Record# %d  
_%s_**\\n

", recno, html\_quote(result));
                     gopherState->cso\_recno = recno;
                 } else {
-                    snprintf(tmpbuf, TEMP\_BUF\_SIZE, "%s\\n", html\_quote(result));
+                    outbuf.appendf("%s\\n", html\_quote(result));
                 }
 
-                outbuf.append(tmpbuf);
                 break;
             } else {
                 int code;
@@ -679,8 +673,7 @@ gopherToHTML(GopherStateData \* gopherState, char \*inbuf, int len)
 
                 case 502: { /\* Too Many Matches \*/
                     /\* Print the message the server returns \*/
-                    snprintf(tmpbuf, TEMP\_BUF\_SIZE, "

**%s**\\n

", html\_quote(result));
-                    outbuf.append(tmpbuf);
+                    outbuf.appendf("

**%s**\\n

", html\_quote(result));
                     break;
                 }
 
@@ -696,13 +689,12 @@ gopherToHTML(GopherStateData \* gopherState, char \*inbuf, int len)
 
     }               /\* while loop \*/
 
-    if (outbuf.size() > 0) {
-        entry->append(outbuf.rawBuf(), outbuf.size());
+    if (outbuf.length() > 0) {
+        entry->append(outbuf.rawContent(), outbuf.length());
         /\* now let start sending stuff to client \*/
         entry->flush();
     }
 
-    outbuf.clean();
     return;
 }

CVE-2021-46784

Pexip Infinity 27.x before 27.3 allows remote attackers to trigger a software abort via the Session Initiation Protocol.

CVE-2022-27928: Pexip security bulletins | Pexip Infinity Docs

Pexip Infinity 27.x before 27.2 has Improper Access Control. An attacker can sometimes join a conference (call join) if it has a lock but not a PIN.

Tag

#dos