Re: OpenBSD kernel relinking is not transactional and a local exploit exists

Posted by pesco on Jun 21

C. W. Schech on Sat, Jun 17 2023:

By who? Which user ID specifically?

And clearly such checksums could not be tampered with?

PoC or GTFO.

rolling on the floor laughing

Re: OpenBSD kernel relinking is not transactional and a local exploit exists

Posted by jvoisin via Fulldisclosure on Jun 21

I'm unsure I understand the threat model here: an attacker with root
privileges is able to modify the kernel data about to be relinked?

You're also mentioning SLSA, but as you also said, OpenBSD doesn't have
reproducible builds and all the cool build hardening things(tm). So
having a cryptographic path to the resulting relinked kernel won't
really improve anything, given the current state of affairs.

OXAS-ADV-2023-0002: OX App Suite Security Advisory

Posted by Martin Heiland via Fulldisclosure on Jun 21

Dear subscribers,

We're sharing our latest advisory with you and like to thank everyone who contributed in finding and solving those
vulnerabilities. Feel free to join our bug bounty programs for OX AppSuite, Dovecot and PowerDNS at YesWeHack.

This advisory has also been published at https://documentation.open-xchange.com/security/advisories/.

Yours sincerely,
Martin Heiland, Open-Xchange GmbH

Internal reference: MWB-1994
Type:...

OpenBSD kernel relinking is not transactional and a local exploit exists

Posted by Schech, C. W. ("Connor") on Jun 19

The automatic and mandatory-by-default reordering of OpenBSD kernels
is NOT transactional and as a result, a local unpatched exploit exists
which allows tampering or replacement of the kernel. Arbitrary build
artifacts are cyclically relinked with no data integrity or provenance
being maintained or verified for the objects being consumed with
respect to the running kernel before and during the execution of the
mandatory kernel_reorder process in...

Polycom BToE Connector 4.4.0.0 Multiple Vulnerabilities

Posted by BUG on Jun 19

Microsoft® Lync™ Better Together over Ethernet (BToE) feature on
Polycom® VVX® business media. phones enables you to control phone
activity from your computer using your Lync client.
The BToE feature enables you to place, answer, and hold audio and video
calls from your Polycom VVX phone and your Lync client on your computer.

#### Title: Polycom BToE Connector 4.4.0.0 Multiple Vulnerabilities
#### Affected versions: 4.4.0.0
#### Tested...

Windows PowerShell / Trojan File RCE revisited

Posted by hyp3rlinx on Jun 09

Hi,

Windows PowerShell Filename Code Execution POC

Discovery: 2019 and revisited 2023

Since it still works, I dusted off and made minor improvements:

Execute a remote DLL using rundll32
Execute an unintended secondary PS1 script or local text-file (can be
hidden)
Updated the PS1 Trojan Filename Creator Python3 Script
First reported to Microsoft back in 2019 yet remains unfixed as of the time
of this writing.

Remote code execution via a...

Defense in depth -- the Microsoft way (part 85): escalation of privilege plus remote code execution with HVCISCAN.exe

Posted by Stefan Kanthak on Jun 07

Hi @ll,

about a month ago Microsoft published HVCIScan-{amd,arm}64.exe, a
"Tool to check devices for compatibility with memory integrity (HVCI)"

The "Install instructions" on the download page
<https://www.microsoft.com/en-us/download/105217> tell:

| Download the hvciscan.exe for your system architecture (AMD64 or ARM64).
| From an elevated command window or PowerShell, run hvciscan.exe

"ELEVATED" sounds...

LPE and RCE in RenderDoc: CVE-2023-33865, CVE-2023-33864, CVE-2023-33863

Posted by Qualys Security Advisory via Fulldisclosure on Jun 07

Qualys Security Advisory

LPE and RCE in RenderDoc: CVE-2023-33865, CVE-2023-33864, CVE-2023-33863

========================================================================
Contents
========================================================================

Summary
CVE-2023-33865, a symlink vulnerability in /tmp/RenderDoc
- Analysis
- Exploitation
CVE-2023-33864, an integer underflow to heap-based buffer overflow
- Analysis
- Exploitation...

[CVE-2023-29459] FC Red Bull Salzburg App "at.redbullsalzburg.android.AppMode.Default.Splash.SplashActivity" Arbitrary URL Loading

Posted by Julien Ahrens (RCE Security) on Jun 02

RCE Security Advisory
https://www.rcesecurity.com

1. ADVISORY INFORMATION
=======================
Product: FC Red Bull Salzburg App
Vendor URL: https://play.google.com/store/apps/details?id=laola.redbull
Type: Improper Authorization in Handler for Custom URL Scheme [CWE-939]
Date found: 2023-04-06
Date published: 2023-06-01
CVSSv3 Score: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
CVE: CVE-2023-29459...

[RT-SA-2022-004] STARFACE: Authentication with Password Hash Possible

Posted by RedTeam Pentesting GmbH on Jun 01

Advisory: STARFACE: Authentication with Password Hash Possible

RedTeam Pentesting discovered that the web interface of STARFACE as well
as its REST API allows authentication using the SHA512 hash of the
password instead of the cleartext password. While storing password
hashes instead of cleartext passwords in an application's database
generally has become best practice to protect users' passwords in case
of a database compromise, this...

CVE-2022-48331 - Buffer Overflow in Widevine Trustlet (drm_save_keys @ 0x69b0)

Posted by Cyber Intel Security on May 30

1. INFORMATION
--------------
[+] CVE : CVE-2022-48331
[+] Title : Buffer Overflow in Widevine Trustlet
(drm_save_keys @ 0x69b0)
[+] Vendor : Google
[+] Device : Nexus 6
[+] Affected component : Widevine
[+] Publication date : March 2023
[+] Credits : CyberIntel Team

2. AFFECTED VERSIONS
--------------------

5.0.0 (LRX21O), 5.0.1 (LRX22C), 5.1.0 (LMY47D), 5.1.0 (LMY47E), 5.1.0...

CVE-2022-48334 - Buffer Overflow in Widevine Trustlet (drm_verify_keys @ 0x7370)

Posted by Cyber Intel Security on May 30

1. INFORMATION
--------------
[+] CVE : CVE-2022-48334
[+] Title : Buffer Overflow in Widevine Trustlet
(drm_verify_keys @ 0x7370)
[+] Vendor : Google
[+] Device : Nexus 6
[+] Affected component : Widevine
[+] Publication date : March 2023
[+] Credits : CyberIntel Team

2. AFFECTED VERSIONS
--------------------
5.0.0 (LRX21O), 5.0.1 (LRX22C), 5.1.0 (LMY47D), 5.1.0 (LMY47E), 5.1.0...

CVE-2022-48333 - Buffer Overflow in Widevine Trustlet (drm_verify_keys @ 0x730c)

Posted by Cyber Intel Security on May 30

1. INFORMATION
--------------
[+] CVE : CVE-2022-48333
[+] Title : Buffer Overflow in Widevine Trustlet
(drm_verify_keys @ 0x730c)
[+] Vendor : Google
[+] Device : Nexus 6
[+] Affected component : Widevine
[+] Publication date : March 2023
[+] Credits : CyberIntel Team

2. AFFECTED VERSIONS
--------------------
5.0.0 (LRX21O), 5.0.1 (LRX22C), 5.1.0 (LMY47D), 5.1.0 (LMY47E), 5.1.0...

CVE-2022-48332 - Buffer Overflow in Widevine Trustlet (drm_save_keys @ 0x6a18)

Posted by Cyber Intel Security on May 30

1. INFORMATION
--------------
[+] CVE : CVE-2022-48332
[+] Title : Buffer Overflow in Widevine Trustlet
(drm_save_keys @ 0x6a18)
[+] Vendor : Google
[+] Device : Nexus 6
[+] Affected component : Widevine
[+] Publication date : March 2023
[+] Credits : CyberIntel Team

2. AFFECTED VERSIONS
--------------------
5.0.0 (LRX21O), 5.0.1 (LRX22C), 5.1.0 (LMY47D), 5.1.0 (LMY47E), 5.1.0...

CVE-2022-48336 - Buffer Overflow in Widevine Trustlet (PRDiagParseAndStoreData @ 0x5cc8)

Posted by Cyber Intel Security on May 30

1. INFORMATION
--------------
[+] CVE : CVE-2022-48336
[+] Title : Buffer Overflow in Widevine Trustlet
(PRDiagParseAndStoreData @ 0x5cc8)
[+] Vendor : Google
[+] Device : Nexus 6
[+] Affected component : Widevine
[+] Publication date : March 2023
[+] Credits : CyberIntel Team

2. AFFECTED VERSIONS
--------------------
5.0.0 (LRX21O), 5.0.1 (LRX22C), 5.1.0 (LMY47D), 5.1.0 (LMY47E),...

CVE-2022-48335 - Buffer Overflow in Widevine Trustlet (PRDiagVerifyProvisioning @ 0x5f90)

Posted by Cyber Intel Security on May 30

1. INFORMATION
--------------
[+] CVE : CVE-2022-48335
[+] Title : Buffer Overflow in Widevine Trustlet
(PRDiagVerifyProvisioning @ 0x5f90)
[+] Vendor : Google
[+] Device : Nexus 6
[+] Affected component : Widevine
[+] Publication date : March 2023
[+] Credits : CyberIntel Team

2. AFFECTED VERSIONS
--------------------
5.0.0 (LRX21O), 5.0.1 (LRX22C), 5.1.0 (LMY47D), 5.1.0...

SCHUTZWERK-SA-2022-001: Cross-Site-Scripting in Papaya Medical Viewer

Posted by Lennert Preuth via Fulldisclosure on May 30

Title
=====

SCHUTZWERK-SA-2022-001: Cross-Site-Scripting in Papaya Medical Viewer

Status
======

PUBLISHED

Version
=======

1.0

CVE reference
=============

CVE-2023-33255

Link
====

https://www.schutzwerk.com/advisories/SCHUTZWERK-SA-2022-001/

Text-only version:
https://www.schutzwerk.com/advisories/SCHUTZWERK-SA-2022-001.txt

Further SCHUTZWERK advisories:
https://www.schutzwerk.com/blog/tags/advisories/

Affected products/vendor...

[RT-SA-2023-005] Pydio Cells: Server-Side Request Forgery

Posted by RedTeam Pentesting GmbH on May 30

For longer running processes, Pydio Cells allows for the creation of
jobs, which are run in the background. The job "remote-download" can be
used to cause the backend to send a HTTP GET request to a specified URL
and save the response to a new file. The response file is then available
in a user-specified folder in Pydio Cells.

Details
=======

Product: Pydio Cells
Affected Versions: 4.1.2 and earlier versions
Fixed Versions: 4.2.0,...

[RT-SA-2023-004] Pydio Cells: Cross-Site Scripting via File Download

Posted by RedTeam Pentesting GmbH on May 30

Advisory: Pydio Cells: Cross-Site Scripting via File Download

Pydio Cells implements the download of files using presigned URLs which
are generated using the Amazon AWS SDK for JavaScript [1]. The secrets
used to sign these URLs are hardcoded and exposed through the JavaScript
files of the web application. Therefore, it is possible to generate
valid signatures for arbitrary download URLs. By uploading an HTML file
and modifying the download URL...

[RT-SA-2023-003] Pydio Cells: Unauthorised Role Assignments

Posted by RedTeam Pentesting GmbH on May 30

Advisory: Pydio Cells: Unauthorised Role Assignments

Pydio Cells allows users by default to create so-called external users
in order to share files with them. By modifying the HTTP request sent
when creating such an external user, it is possible to assign the new
user arbitrary roles. By assigning all roles to a newly created user, access to
all cells and non-personal workspaces is granted.

Details
=======

Product: Pydio Cells
Affected...

Printerlogic multiple vulnerabilities

Posted by Eldar Marcussen on May 29

PrinterLogic SaaS, multiple vulnerabilities
===========================================================
PrinterLogic's Enterprise Print Management software allows IT
professionals to simplify printer driver management and empower end
users.
-- https://www.printerlogic.com/

Background
----------------------------------
The following findings were identified by performing both dynamic
testing of the PrinterLogic SaaS platform and code...

SEC Consult SA-20230517-0 :: Stored XSS vulnerability in rename functionality in Wekan (Open-Source kanban)

Posted by SEC Consult Vulnerability Lab, Research via Fulldisclosure on May 29

SEC Consult Vulnerability Lab Security Advisory < 20230517-0 >
=======================================================================
title: Stored XSS vulnerability in rename functionality
product: Wekan (Open-Source kanban)
vulnerable version: <=6.74
fixed version: 6.75 or higher
CVE number: CVE-2023-28485
impact: Medium
homepage: https://wekan.github.io...

SEC Consult SA-20230516-0 :: Multiple Vulnerabilities in Serenity and StartSharp Software

Posted by SEC Consult Vulnerability Lab, Research via Fulldisclosure on May 29

SEC Consult Vulnerability Lab Security Advisory < 20230516-0 >
=======================================================================
title: Multiple Vulnerabilities
product: Serenity and StartSharp Software
vulnerable version: < 6.7.1
fixed version: 6.7.1 or higher
CVE number: CVE-2023-31285, CVE-2023-31286, CVE-2023-31287
impact: high
homepage:...

APPLE-SA-2023-05-18-7 watchOS 9.5

Posted by Apple Product Security via Fulldisclosure on May 29

APPLE-SA-2023-05-18-7 watchOS 9.5

watchOS 9.5 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT213764.

Apple maintains a Security Updates page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.

Accessibility
Available for: Apple Watch Series 4 and later
Impact: An app may be able to bypass Privacy preferences
Description: A...

APPLE-SA-2023-05-18-2 iOS 15.7.6 and iPadOS 15.7.6

Posted by Apple Product Security via Fulldisclosure on May 29

APPLE-SA-2023-05-18-2 iOS 15.7.6 and iPadOS 15.7.6

iOS 15.7.6 and iPadOS 15.7.6 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT213765.

Apple maintains a Security Updates page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.

Accessibility
Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE
(1st...

SEC Consult SA-20230515-0 :: Multiple Vulnerabilities in Kiddoware Kids Place Parental Control Android App

Posted by SEC Consult Vulnerability Lab, Research via Fulldisclosure on May 15

SEC Consult Vulnerability Lab Security Advisory < 20230515-0 >
=======================================================================
title: Multiple Vulnerabilities
product: Kiddoware Kids Place Parental Control Android App
vulnerable version: <=3.8.49
fixed version: 3.8.50 or higher
CVE number: CVE-2023-28153, CVE-2023-29078, CVE-2023-29079
impact: High
homepage:...

CyberDanube Security Research 20230511-0 | Multiple Vulnerabilities in Advantech EKI-15XX Series

Posted by Thomas Weber on May 11

CyberDanube Security Research 20230511-0
-------------------------------------------------------------------------------
title| Multiple Vulnerabilities
product| EKI-1524-CE series, EKI-1522 series, EKI-1521 series
vulnerable version| 1.21
fixed version| 1.24
CVE number| CVE-2023-2573, CVE-2023-2574, CVE-2023-2575
impact| High
homepage| https://advantech.com...

OXAS-ADV-2023-0001: OX App Suite Security Advisory

Posted by Martin Heiland via Fulldisclosure on May 08

Dear subscribers,

We're sharing our latest advisory with you and like to thank everyone who contributed in finding and solving those
vulnerabilities. Feel free to join our bug bounty programs for OX AppSuite, Dovecot and PowerDNS at YesWeHack.

This advisory has also been published at https://documentation.open-xchange.com/security/advisories/.

Yours sincerely,
Martin Heiland, Open-Xchange GmbH

Internal reference: OXUIB-2130
Type:...

SCHUTZWERK-SA-2023-001: SQL Injection in Spryker Commerce OS

Posted by Lennert Preuth via Fulldisclosure on May 08

Title
=====

SCHUTZWERK-SA-2023-001: SQL Injection in Spryker Commerce OS

Status
======

PUBLISHED

Version
=======

1.0

CVE reference
=============

CVE-2023-27568

Link
====

https://www.schutzwerk.com/advisories/schutzwerk-sa-2023-001/

Text-only version:
https://www.schutzwerk.com/advisories/SCHUTZWERK-SA-2023-001.txt

Affected products/vendor
========================

Spryker Commerce OS by Spryker Systems GmbH, with spryker/sales:...

APPLE-SA-2023-05-03-1 AirPods Firmware Update 5E133 and Beats Firmware Update 5B66

Posted by Apple Product Security via Fulldisclosure on May 04

APPLE-SA-2023-05-03-1 AirPods Firmware Update 5E133 and
Beats Firmware Update 5B66

AirPods Firmware Update 5E133 and Beats Firmware Update 5B66
address the following issues. Information about the security content
is also available at https://support.apple.com/HT213752.

AirPods Firmware Update 5E133

Released April 11, 2023

Bluetooth

Available for: AirPods (2nd generation and later), AirPod Pro (all models),
AirPods Max
Impact: When your...

SEC Consult SA-20230502-0 :: Bypassing cluster isolation through insecure defaults and shared storage in Databricks Platform

Posted by SEC Consult Vulnerability Lab, Research via Fulldisclosure on May 02

SEC Consult Vulnerability Lab Security Advisory < 20230502-0 >
=======================================================================
title: Bypassing cluster isolation through insecure defaults and
shared storage
product: Databricks Platform
vulnerable version: PaaS version as of 2023-01-26
fixed version: Current PaaS version
CVE number: -
impact: critical...

Piwigo - CVE-2023-26876

Posted by Rodolfo Tavares via Fulldisclosure on Apr 28

=====[ Tempest Security Intelligence - ADV-03/2023
]==========================

Piwigo - Version 13.5.0

Author: Rodolfo Tavares

Tempest Security Intelligence - Recife, Pernambuco - Brazil

=====[ Table of Contents]==================================================
* Overview
* Detailed description
* Timeline of disclosure
* Thanks & Acknowledgments
* References

=====[ Vulnerability...

Re: Checking existence of firewalled URLs via javascript's script.onload

Posted by Jonathan Gregson via Fulldisclosure on Apr 28

Hi Georgi,

As you suggested, this is a CSRF attack. Using such techniques to attack or enumerate local applications has been known
for some time and is a very difficult issue to address. Browsers have done well in preventing malicious _authenticated_
cross-site requests, but as you've found, attackers can still use such techniques for enumeration and information
gathering.

Fortunately, it's not very practical except in targeted...

Security vulnerabilities in Telit Cinterion IoT (formerly Thales) devices

Posted by Security Explorations on Apr 24

Hello,

In 2020, a vulnerability (CVE-2020-15858) in multiple Cinterion IoT
devices was discovered by Adam Laurie and Grzegorz Wypych of IBM
X-Force Red [1].

The issue was described as allowing for organizational secrets theft
and Java application code access. The use of Java VM / apps by
wireless (connected) devices triggered my attention in particular.

Historically, Java flaws could be successfully exploited for a more
in-depth investigation...

Checking existence of firewalled web servers in Firefox via iframe.onload

Posted by Georgi Guninski on Apr 21

In short in Firefox 112, it is possible to check existence
of firewalled web servers. This doesn't work in Chrome and Chromium 112
for me.

If user A has tcp connection to web server B, then in the
following html:

<iframe src="http://B&quot; onload="load()" onerror="alert('error')" id="i1" />

the javascript function load() will get executed if B serves
valid document to A's browser...

Checking existence of firewalled URLs via javascript's script.onload

Posted by Georgi Guninski on Apr 21

There is minor information disclosure vulnerability similar
to nmap in browser.

It is possible to check the existence of firewalled URL U via
the following javascript in a browser:

<script src="U"
onload="alert('Exists')"
onerror="alert('Does not exist')">

This might have privacy implication on potentially
"semi-blind CSRF" (XXX does this makes sense?).

Works for me in...

[CVE-2023-22620] SecurePoint UTM <= 12.2.5 “spcgi.cgi” sessionId Information Disclosure Allowing Device Takeover

Posted by Julien Ahrens (RCE Security) on Apr 18

RCE Security Advisory
https://www.rcesecurity.com

1. ADVISORY INFORMATION
=======================
Product: SecurePoint UTM
Vendor URL: https://www.securepoint.de/en/for-companies/firewall-vpn
Type: Exposure of Sensitive Information to an Unauthorized Actor [CWE-200]
Date found: 2023-01-05
Date published: 2023-04-11
CVSSv3 Score: 9.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
CVE: CVE-2023-22620

2....

[CVE-2023-22897] SecurePoint UTM <= 12.2.5 “spcgi.cgi” Remote Memory Contents Information Disclosure

Posted by Julien Ahrens (RCE Security) on Apr 18

RCE Security Advisory
https://www.rcesecurity.com

1. ADVISORY INFORMATION
=======================
Product: SecurePoint UTM
Vendor URL: https://www.securepoint.de/en/for-companies/firewall-vpn
Type: Use of Uninitialized Variable [CWE-457]
Date found: 2023-01-05
Date published: 2023-04-12
CVSSv3 Score: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
CVE: CVE-2023-22897

2. CREDITS
==========
This...

APPLE-SA-2023-04-07-3 Safari 16.4.1

Posted by Apple Product Security via Fulldisclosure on Apr 10

APPLE-SA-2023-04-07-3 Safari 16.4.1

Safari 16.4.1 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT213722.

WebKit
Available for: macOS Big Sur and macOS Monterey
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution. Apple is aware of a report that this issue
may have been actively exploited.
Description: A use after free issue was addressed...

APPLE-SA-2023-04-07-1 iOS 16.4.1 and iPadOS 16.4.1

Posted by Apple Product Security via Fulldisclosure on Apr 10

APPLE-SA-2023-04-07-1 iOS 16.4.1 and iPadOS 16.4.1

iOS 16.4.1 and iPadOS 16.4.1 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT213720.

IOSurfaceAccelerator
Available for: iPhone 8 and later, iPad Pro (all models), iPad Air
3rd generation and later, iPad 5th generation and later, and iPad
mini 5th generation and later
Impact: An app may be able to execute arbitrary code...

APPLE-SA-2023-04-07-2 macOS Ventura 13.3.1

Posted by Apple Product Security via Fulldisclosure on Apr 10

APPLE-SA-2023-04-07-2 macOS Ventura 13.3.1

macOS Ventura 13.3.1 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT213721.

IOSurfaceAccelerator
Available for: macOS Ventura
Impact: An app may be able to execute arbitrary code with kernel
privileges. Apple is aware of a report that this issue may have been
actively exploited.
Description: An out-of-bounds write issue was...

APPLE-SA-2023-04-10-3 macOS Big Sur 11.7.6

Posted by Apple Product Security via Fulldisclosure on Apr 10

APPLE-SA-2023-04-10-3 macOS Big Sur 11.7.6

macOS Big Sur 11.7.6 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT213725.

IOSurfaceAccelerator
Available for: macOS Big Sur
Impact: An app may be able to execute arbitrary code with kernel
privileges. Apple is aware of a report that this issue may have been
actively exploited.
Description: An out-of-bounds write issue was...

APPLE-SA-2023-04-10-1 iOS 15.7.5 and iPadOS 15.7.5

Posted by Apple Product Security via Fulldisclosure on Apr 10

APPLE-SA-2023-04-10-1 iOS 15.7.5 and iPadOS 15.7.5

iOS 15.7.5 and iPadOS 15.7.5 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT213723.

IOSurfaceAccelerator
Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone
SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod
touch (7th generation)
Impact: An app may be able to execute arbitrary code with...

APPLE-SA-2023-04-10-2 macOS Monterey 12.6.5

Posted by Apple Product Security via Fulldisclosure on Apr 10

APPLE-SA-2023-04-10-2 macOS Monterey 12.6.5

macOS Monterey 12.6.5 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT213724.

IOSurfaceAccelerator
Available for: macOS Monterey
Impact: An app may be able to execute arbitrary code with kernel
privileges. Apple is aware of a report that this issue may have been
actively exploited.
Description: An out-of-bounds write issue was...

FedEx Ship Manager (FSM) v3704 Insecure Use of .NET Remoting

Posted by Harrison Neal on Apr 04

Vulnerable Software Download URL:
https://www.fedex.com/en-us/shipping/ship-manager/software.html#tab-4

FSM 3704 (and some earlier versions) use .NET Remoting in a way that can
lead to unauthenticated remote code execution attacks as SYSTEM. Tools that
can successfully attack affected services are freely available.
Administrators should block or otherwise limit access to TCP ports opened
by services installed by this software wherever possible.

RSA NetWitness EDR Agent / Incorrect Access Control - Code Execution / CVE-2022-47529

Posted by hyp3rlinx on Mar 30

[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/RSA_NETWITNESS_EDR_AGENT_INCORRECT_ACCESS_CONTROL_CVE-2022-47529.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec

[Vendor]
RSA Securitywww.netwitness.com

[Product]
NetWitness Endpoint EDR Agent

The RSA NetWitness detection and response (EDR) endpoint monitors
activity across all your...

RSA NetWitness Platform EDR / Incorrect Access Control - Code Execution

Posted by hyp3rlinx on Mar 27

[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/RSA_NETWITNESS_EDR_AGENT_INCORRECT_ACCESS_CONTROL_CVE-2022-47529.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec

[Vendor]
RSA Security
www.netwitness.com

[Product]
NetWitness Endpoint EDR Agent

The RSA NetWitness detection and response (EDR) endpoint monitors activity across all your...

APPLE-SA-2023-03-27-7 watchOS 9.4

Posted by Apple Product Security via Fulldisclosure on Mar 27

APPLE-SA-2023-03-27-7 watchOS 9.4

watchOS 9.4 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT213678.

AppleMobileFileIntegrity
Available for: Apple Watch Series 4 and later
Impact: A user may gain access to protected parts of the file system
Description: The issue was addressed with improved checks.
CVE-2023-23527: Mickey Jin (@patch1t)

Calendar
Available for: Apple Watch...

APPLE-SA-2023-03-27-4 macOS Monterey 12.6.4

Posted by Apple Product Security via Fulldisclosure on Mar 27

APPLE-SA-2023-03-27-4 macOS Monterey 12.6.4

macOS Monterey 12.6.4 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT213677.

Apple Neural Engine
Available for: macOS Monterey
Impact: An app may be able to execute arbitrary code with kernel
privileges
Description: The issue was addressed with improved memory handling.
CVE-2023-23540: Mohamed GHANNAM (@_simo36)...

APPLE-SA-2023-03-27-3 macOS Ventura 13.3

Posted by Apple Product Security via Fulldisclosure on Mar 27

APPLE-SA-2023-03-27-3 macOS Ventura 13.3

macOS Ventura 13.3 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT213670.

AMD
Available for: macOS Ventura
Impact: An app may be able to cause unexpected system termination or
write kernel memory
Description: A buffer overflow issue was addressed with improved
memory handling.
CVE-2023-27968: ABC Research s.r.o.

Apple Neural Engine...

APPLE-SA-2023-03-27-1 iOS 16.4 and iPadOS 16.4

Posted by Apple Product Security via Fulldisclosure on Mar 27

APPLE-SA-2023-03-27-1 iOS 16.4 and iPadOS 16.4

iOS 16.4 and iPadOS 16.4 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT213676.

Accessibility
Available for: iPhone 8 and later, iPad Pro (all models), iPad Air
3rd generation and later, iPad 5th generation and later, and iPad
mini 5th generation and later
Impact: An app may be able to access information about a user’s...

APPLE-SA-2023-03-27-6 tvOS 16.4

Posted by Apple Product Security via Fulldisclosure on Mar 27

APPLE-SA-2023-03-27-6 tvOS 16.4

tvOS 16.4 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT213674.

AppleMobileFileIntegrity
Available for: Apple TV 4K (all models) and Apple TV HD
Impact: A user may gain access to protected parts of the file system
Description: The issue was addressed with improved checks.
CVE-2023-23527: Mickey Jin (@patch1t)

Core Bluetooth
Available for:...

APPLE-SA-2023-03-27-2 iOS 15.7.4 and iPadOS 15.7.4

Posted by Apple Product Security via Fulldisclosure on Mar 27

APPLE-SA-2023-03-27-2 iOS 15.7.4 and iPadOS 15.7.4

iOS 15.7.4 and iPadOS 15.7.4 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT213673.

Accessibility
Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone
SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod
touch (7th generation)
Impact: An app may be able to access information about a...

APPLE-SA-2023-03-27-8 Safari 16.4

Posted by Apple Product Security via Fulldisclosure on Mar 27

APPLE-SA-2023-03-27-8 Safari 16.4

Safari 16.4 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT213671.

WebKit
Available for: macOS Big Sur and macOS Monterey
Impact: Processing maliciously crafted web content may bypass Same
Origin Policy
Description: This issue was addressed with improved state management.
WebKit Bugzilla: 248615
CVE-2023-27932: an anonymous researcher...

APPLE-SA-2023-03-27-9 Studio Display Firmware Update 16.4

Posted by Apple Product Security via Fulldisclosure on Mar 27

APPLE-SA-2023-03-27-9 Studio Display Firmware Update 16.4

Studio Display Firmware Update 16.4 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT213672.

Display
Available for: macOS Ventura 13.3 and later
Impact: An app may be able to execute arbitrary code with kernel
privileges
Description: A memory corruption issue was addressed with improved
state management....

APPLE-SA-2023-03-27-5 macOS Big Sur 11.7.5

Posted by Apple Product Security via Fulldisclosure on Mar 27

APPLE-SA-2023-03-27-5 macOS Big Sur 11.7.5

macOS Big Sur 11.7.5 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT213675.

Apple Neural Engine
Available for: macOS Big Sur
Impact: An app may be able to execute arbitrary code with kernel
privileges
Description: The issue was addressed with improved memory handling.
CVE-2023-23540: Mohamed GHANNAM (@_simo36)

AppleAVD
Available...

Defense in depth -- the Microsoft way (part 84): (no) fun with %COMSPEC%

Posted by Stefan Kanthak on Mar 24

Hi @ll,

the documentation of the builtin START command
<https://technet.microsoft.com/en-us/library/cc770297.aspx>
of Windows NT's command processor CMD.EXE states:

| When you run a command that contains the string "CMD" as the first
| token without an extension or path qualifier, "CMD" is replaced
| with the value of the COMSPEC variable.
| This prevents users from picking up cmd from the current directory....

Invitation to the World Cryptologic Competition 2023

Posted by Competition Administrator on Mar 21

The WCC 2023 is a fully-online and open competition using GitHub.
The language of the competition is English.

The WCC 2023 has a total duration of 295 days, from Sunday January 1st 2023
to Monday October 23rd 2023.
Teams and Judges must complete registration before Wednesday June 1st.

The WCC 2023 has three entry categories:
Category A: Block Ciphers with a 512-bit block, 512-bit key, and 192-bit
nonce
Category B: Digest Functions with a...

Re: Microsoft PlayReady security research

Posted by Adam Gowdiak on Mar 21

Hello,

I feel obliged to provide additional comments to this paragraph as I
start to believe that CANAL+ might not deserve sole blame here...

While Microsoft claims there is absolutely no bug at its end, I
personally start to perceive the company as the one that should be
also blamed to some extent.

Below, I am providing you with the reasons that has lead me to such a
conclusion.

For many months, no response from CANAL+ was taken at my end as...

Insecure python cgi documentation and tutorials are vulnerable to XSS.

Posted by Georgi Guninski on Mar 21

Is there low hanging fruit for the following observation?

The documentation of the python cgi module is vulnerable to XSS
(cross site scripting)

https://docs.python.org/3/library/cgi.html

```
form = cgi.FieldStorage()
print("<p>name:", form["name"].value)
print("<p>addr:", form["addr"].value)
```

First result on google for "tutorial python cgi"
is...