Full Disclosure

RansomLord v1 / Anti-Ransomware Exploit Tool

Posted by malvuln on Aug 02

RansomLord is a proof-of-concept tool that automates the creation of PE
files, used to compromise Ransomware pre-encryption.

Lang: C

SHA256: b0dfa2377d7100949de276660118bbf21fa4e56a4a196db15f5fb344a5da33ee

Video PoC:
https://www.youtube.com/watch?v=_Ho0bpeJWqI

Download: https://github.com/malvuln/RansomLord

RansomLord generated PE files are saved to disk in the x32 or x64
directories where the program is run from.

Goal is to exploit code...
  • August 2nd 2023 at 17:49

Savant Web Server 3.1 - Remote Buffer Overflow (Egghunter)

Posted by Mahmoud Noureldin on Aug 02

This is an old app, but exploited in an easy way which is not the same as the one in public.

Exploit Title: Savant Web Server 3.1 - Remote Buffer Overflow (Egghunter)

# Date: [30/07/2023]
# Exploit Author: [0xBOF90]
# Vendor Homepage: [link]
# Version: [app version] (3.1)
# Tested on: [Windows 10]

import socket
import sys

try:
    server = b"192.168.56.102"
    #\x00\x0a\x0d\x25
    port = 80
    size = 253
    # msfvenom -p windows/shell_reverse_tcp...
  • August 2nd 2023 at 17:48

Stored XSS - Perch

Posted by Andrey Stoykov on Aug 01

# Exploit Title:
# Date: 07/2023
# Exploit Author: Andrey Stoykov
# Version: 3.2
# Tested on: Windows Server 2022
# Blog: http://msecureltd.blogspot.com

XSS #1:

File: roles.edit.post.php

Line #57:

[...]
<div class="field-wrap <?php echo $Form->error('roleTitle', false);?>">
<?php echo $Form->label('roleTitle', 'Title'); ?>
<div class="form-entry">...
  • August 1st 2023 at 18:38

Pentest Paper - Introduction to Web Pentest

Posted by Andrey Stoykov on Aug 01

Just putting this for the new starters.

It is in two languages, Bulgarian and English.

https://drive.google.com/file/d/1mzYeratoSV82Oxaj_dYvu4fg7vSBuhE1/view
https://drive.google.com/file/d/1b8obLloMnmQGI1gqAablzuTyKOFBRZjb/view

Has basic configuration for Burpsuite Proxy, including basic exploitation
of XSS, SQLi, CSRF and Open redirect.

Has brief theory explanation prior to showing how to exploit each flaw.

Kind Regards,
Andrey Stoykov
  • August 1st 2023 at 18:38

Unauthorized MFA Code Delivery in EmpowerID

Posted by Patel, Nirav on Aug 01

Severity: High

Description:

An identified security flaw is present in EmpowerID versions V7.205.0.0 and prior versions, causing the system to
mistakenly send Multi-Factor Authentication (MFA) codes to unintended email addresses. To exploit this vulnerability,
an attacker would need to have access to valid and breached login details, including a username and password.

This vulnerability's root cause lies in insufficient verification of...
  • August 1st 2023 at 18:38

CVE-2023-28130 - Hostname injection leads to Remote Code Execution RCE (Authenticated)

Posted by Rick Verdoes via Fulldisclosure on Aug 01

=========================
Exploit Title: Hostname injection leads to Remote Code Execution RCE (Authenticated)
Product: Gaia Portal
Vendor: Checkpoint
Vulnerable Versions: R81.20 < Take 14, R81.10 < Take 95, R81 < Take 82 and R80.40 < Take 198
Tested Version: R81.10 (take 335)
Advisory Publication: July 27, 2023
Latest Update: July 72, 2023
Vulnerability Type: Improper Control of Generation of Code (Code Injection) [CWE-94]
CVE...
  • August 1st 2023 at 18:38

Trovent Security Advisory 2303-01 / CVE-2023-36255 / Authenticated remote code execution in Eramba

Posted by Stefan Pietsch on Aug 01

# Trovent Security Advisory 2303-01 #
#####################################

Authenticated remote code execution in Eramba
#############################################

Overview
########

Advisory ID: TRSA-2303-01
Advisory version: 1.0
Advisory status: Public
Advisory URL: https://trovent.io/security-advisory-2303-01
Affected product: Eramba
Affected version: 3.19.1 (Enterprise and Community edition)
Vendor: Eramba Limited,...
  • August 1st 2023 at 18:38

ETSI WEBstore 2023 - Persistent Cross Site Scripting Web Vulnerability

Posted by info () vulnerability-lab com on Aug 01

Document Title:
===============
ETSI WEBstore 2023 - Persistent Cross Site Scripting Web Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2327

Release Date:
=============
2023-07-26

Vulnerability Laboratory ID (VL-ID):
====================================
2327

Common Vulnerability Scoring System:
====================================
4.6

Vulnerability Class:
====================...
  • August 1st 2023 at 18:35

APPLE-SA-2023-07-24-5 macOS Monterey 12.6.8

Posted by Apple Product Security via Fulldisclosure on Jul 25

APPLE-SA-2023-07-24-5 macOS Monterey 12.6.8

macOS Monterey 12.6.8 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/kb/HT213844.

Apple maintains a Security Updates page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.

Assets
Available for: macOS Monterey
Impact: An app may be able to modify protected parts of the file system...
  • July 25th 2023 at 13:46

APPLE-SA-2023-07-24-6 macOS Big Sur 11.7.9

Posted by Apple Product Security via Fulldisclosure on Jul 25

APPLE-SA-2023-07-24-6 macOS Big Sur 11.7.9

macOS Big Sur 11.7.9 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/kb/HT213845.

Apple maintains a Security Updates page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.

Assets
Available for: macOS Big Sur
Impact: An app may be able to modify protected parts of the file system...
  • July 25th 2023 at 13:46

APPLE-SA-2023-07-24-7 tvOS 16.6

Posted by Apple Product Security via Fulldisclosure on Jul 25

APPLE-SA-2023-07-24-7 tvOS 16.6

tvOS 16.6 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/kb/HT213846.

Apple maintains a Security Updates page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.

Kernel
Available for: Apple TV 4K (all models) and Apple TV HD
Impact: An app may be able to execute arbitrary code with kernel...
  • July 25th 2023 at 13:46

APPLE-SA-2023-07-24-8 watchOS 9.6

Posted by Apple Product Security via Fulldisclosure on Jul 25

APPLE-SA-2023-07-24-8 watchOS 9.6

watchOS 9.6 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/kb/HT213848.

Apple maintains a Security Updates page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.

Apple Neural Engine
Available for: Apple Watch Series 4 and later
Impact: An app may be able to execute arbitrary code with kernel...
  • July 25th 2023 at 13:46

APPLE-SA-2023-07-24-4 macOS Ventura 13.5

Posted by Apple Product Security via Fulldisclosure on Jul 25

APPLE-SA-2023-07-24-4 macOS Ventura 13.5

macOS Ventura 13.5 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/kb/HT213843.

Apple maintains a Security Updates page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.

Apple Neural Engine
Available for: macOS Ventura
Impact: An app may be able to execute arbitrary code with kernel...
  • July 25th 2023 at 13:46

Availability Booking Calendar PHP - Stored XSS and Unrestricted File Upload

Posted by Andrey Stoykov on Jul 25

# Exploit Title: Availability Booking Calendar PHP - Multiple Issues
# Date: 07/2023
# Exploit Author: Andrey Stoykov
# Tested on: Ubuntu 20.04
# Blog: http://msecureltd.blogspot.com

XSS #1:

Steps to Reproduce:

1. Browse to Bookings
2. Select All Bookings
3. Edit booking and select Promo Code
4. Enter payload TEST"><script>alert(`XSS`)</script>

// HTTP POST request

POST...
  • July 25th 2023 at 13:46

APPLE-SA-2023-07-24-1 Safari 16.6

Posted by Apple Product Security via Fulldisclosure on Jul 25

APPLE-SA-2023-07-24-1 Safari 16.6

Safari 16.6 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/kb/HT213847.

Apple maintains a Security Updates page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.

WebKit
Available for: macOS Big Sur and macOS Monterey
Impact: A website may be able to bypass Same Origin Policy
Description: The...
  • July 25th 2023 at 13:45

APPLE-SA-2023-07-24-3 iOS 15.7.8 and iPadOS 15.7.8

Posted by Apple Product Security via Fulldisclosure on Jul 25

APPLE-SA-2023-07-24-3 iOS 15.7.8 and iPadOS 15.7.8

iOS 15.7.8 and iPadOS 15.7.8 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/kb/HT213842.

Apple maintains a Security Updates page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.

Apple Neural Engine
Available for devices with Apple Neural Engine: iPhone 8 and later, iPad
Pro...
  • July 25th 2023 at 13:45

APPLE-SA-2023-07-24-2 iOS 16.6 and iPadOS 16.6

Posted by Apple Product Security via Fulldisclosure on Jul 25

APPLE-SA-2023-07-24-2 iOS 16.6 and iPadOS 16.6

iOS 16.6 and iPadOS 16.6 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/kb/HT213841.

Apple maintains a Security Updates page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.

Apple Neural Engine
Available for devices with Apple Neural Engine: iPhone 8 and later, iPad
Pro (3rd...
  • July 25th 2023 at 13:45

APPLE-SA-2023-07-24-1 Safari 16.6

Posted by Deven Kishore via Fulldisclosure on Jul 24

APPLE-SA-2023-07-24-1 Safari 16.6

Safari 16.6 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/kb/HT213847.

Apple maintains a Security Updates page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.

WebKit
Available for: macOS Big Sur and macOS Monterey
Impact: A website may be able to bypass Same Origin Policy
Description: The...
  • July 25th 2023 at 04:22

[SYSS-2023-006]: Omnis Studio - Expected Behavior Violation (CWE-440) (CVE-2023-38334)

Posted by Matthias Deeg via Fulldisclosure on Jul 21

Advisory ID: SYSS-2023-006
Product: Omnis Studio
Manufacturer: Omnis Software Ltd.
Affected Version(s): 10.22.00
Tested Version(s): 10.22.00
Vulnerability Type: Expected Behavior Violation (CWE-440)
Risk Level: Low
Solution Status: Open
Manufacturer Notification: 2023-03-30
Solution Date: -
Public Disclosure: 2023-07-20
CVE Reference:...
  • July 21st 2023 at 15:15

[SYSS-2023-005]: Omnis Studio - Expected Behavior Violation (CWE-440) (CVE-2023-38335)

Posted by Matthias Deeg via Fulldisclosure on Jul 21

Advisory ID: SYSS-2023-005
Product: Omnis Studio
Manufacturer: Omnis Software Ltd.
Affected Version(s): 10.22.00
Tested Version(s): 10.22.00
Vulnerability Type: Expected Behavior Violation (CWE-440)
Risk Level: Low
Solution Status: Open
Manufacturer Notification: 2023-03-30
Solution Date: -
Public Disclosure: 2023-07-20
CVE Reference:...
  • July 21st 2023 at 15:15

Active Super Shop CMS v2.5 - HTML Injection Vulnerabilities

Posted by info () vulnerability-lab com on Jul 19

Document Title:
===============
Active Super Shop CMS v2.5 - HTML Injection Vulnerabilities

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2278

Release Date:
=============
2023-07-04

Vulnerability Laboratory ID (VL-ID):
====================================
2278

Common Vulnerability Scoring System:
====================================
5.4

Vulnerability Class:
====================
Script Code...
  • July 19th 2023 at 17:48

Boom CMS v8.0.7 - Cross Site Scripting Vulnerability

Posted by info () vulnerability-lab com on Jul 19

Document Title:
===============
Boom CMS v8.0.7 - Cross Site Scripting Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2274

Release Date:
=============
2023-07-03

Vulnerability Laboratory ID (VL-ID):
====================================
2274

Common Vulnerability Scoring System:
====================================
5.3

Vulnerability Class:
====================
Cross Site Scripting -...
  • July 19th 2023 at 17:48

Tiva Events Calender v1.4 - Cross Site Scripting Vulnerability

Posted by info () vulnerability-lab com on Jul 19

Document Title:
===============
Tiva Events Calender v1.4 - Cross Site Scripting Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2276

Release Date:
=============
2023-07-05

Vulnerability Laboratory ID (VL-ID):
====================================
2276

Common Vulnerability Scoring System:
====================================
5

Vulnerability Class:
====================
Cross Site...
  • July 19th 2023 at 17:48

Dooblou WiFi File Explorer 1.13.3 - Multiple Vulnerabilities

Posted by info () vulnerability-lab com on Jul 19

Document Title:
===============
Dooblou WiFi File Explorer 1.13.3 - Multiple Vulnerabilities

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2317

Release Date:
=============
2023-07-04

Vulnerability Laboratory ID (VL-ID):
====================================
2317

Common Vulnerability Scoring System:
====================================
5.1

Vulnerability Class:
====================
Multiple...
  • July 19th 2023 at 17:48

PaulPrinting CMS - (Search Delivery) Cross Site Scripting Vulnerability

Posted by info () vulnerability-lab com on Jul 19

Document Title:
===============
PaulPrinting CMS - (Search Delivery) Cross Site Scripting Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2286

Release Date:
=============
2023-07-17

Vulnerability Laboratory ID (VL-ID):
====================================
2286

Common Vulnerability Scoring System:
====================================
5.2

Vulnerability Class:
====================...
  • July 19th 2023 at 17:48

Webile v1.0.1 - Multiple Cross Site Web Vulnerabilities

Posted by info () vulnerability-lab com on Jul 19

Document Title:
===============
Webile v1.0.1 - Multiple Cross Site Web Vulnerabilities

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2321

Release Date:
=============
2023-07-03

Vulnerability Laboratory ID (VL-ID):
====================================
2321

Common Vulnerability Scoring System:
====================================
5.5

Vulnerability Class:
====================
Cross Site...
  • July 19th 2023 at 17:48

Aures Booking & POS Terminal - Local Privilege Escalation Vulnerability

Posted by info () vulnerability-lab com on Jul 19

Document Title:
===============
Aures Booking & POS Terminal - Local Privilege Escalation Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2323

Release Date:
=============
2023-07-17

Vulnerability Laboratory ID (VL-ID):
====================================
2323

Common Vulnerability Scoring System:
====================================
7.2

Vulnerability Class:
====================...
  • July 19th 2023 at 17:48

PaulPrinting CMS - Multiple Cross Site Web Vulnerabilities

Posted by info () vulnerability-lab com on Jul 19

Document Title:
===============
PaulPrinting CMS - Multiple Cross Site Web Vulnerabilities

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2285

Release Date:
=============
2023-07-19

Vulnerability Laboratory ID (VL-ID):
====================================
2285

Common Vulnerability Scoring System:
====================================
5.8

Vulnerability Class:
====================
Cross Site...
  • July 19th 2023 at 17:48

CVE-2023-38408: Remote Code Execution in OpenSSH's forwarded ssh-agent

Posted by Qualys Security Advisory via Fulldisclosure on Jul 19

Qualys Security Advisory

CVE-2023-38408: Remote Code Execution in OpenSSH's forwarded ssh-agent

========================================================================
Contents
========================================================================

Summary
Background
Experiments
Results
Discussion
Acknowledgments
Timeline

========================================================================
Summary...
  • July 19th 2023 at 17:47

Re: Citrix Gateway & Cloud MFA - Insufficient Session Validation Vulnerability

Posted by Jeffrey Walton on Jul 19

There's also https://en.wikipedia.org/wiki/Session_hijacking#Prevention

One thing Jim Manico of OWASP recommends is to (re)prompt the user for
their password on occasion, like when performing a high value
operation. That will effectively re-authenticate a user before a high
value operation. Attackers with a cookie but without the user's
password should fail the re-authentication challenge.

Jeff
  • July 19th 2023 at 17:47

[RT-SA-2023-001] Session Token Enumeration in RWS WorldServer

Posted by RedTeam Pentesting GmbH on Jul 19

Advisory: Session Token Enumeration in RWS WorldServer

Session tokens in RWS WorldServer have a low entropy and can be
enumerated, leading to unauthorised access to user sessions.

Details
=======

Product: WorldServer
Affected Versions: 11.7.3 and earlier versions
Fixed Version: 11.8.0
Vulnerability Type: Session Token Enumeration
Security Risk: high
Vendor URL: https://www.rws.com/localization/products/additional-solutions/
Vendor Status:...
  • July 19th 2023 at 07:53

WBCE - Stored XSS

Posted by Andrey Stoykov on Jul 16

# Exploit Title: WBCE - Stored XSS
# Date: 07/2023
# Exploit Author: Andrey Stoykov
# Version: 1.6.1
# Tested on: Windows Server 2022
# Blog: http://msecureltd.blogspot.com

Steps to Exploit:

1. Login to application
2. Browse to following URI "http://host/wbce/admin/pages/intro.php"
3. Paste XSS payload "TEST"><img src=x onerror=alert(1)>"
4. Then browse to settings "Settings->General Settings->Enable...
  • July 16th 2023 at 23:37

Re: Citrix Gateway & Cloud MFA - Insufficient Session Validation Vulnerability

Posted by Jens Timmerman on Jul 16

Hi,

I've been working with a lot of products I believe that are vulnerable
to a very similar exploit, and I was wondering how one should fix
this/protect against this attack?

I looked at
https://owasp.org/www-community/attacks/Session_hijacking_attack but
the page linking to the related controls doesn't seem to exist.
  • July 16th 2023 at 23:37

Unquoted Path - XAMPP 8.2.4

Posted by Andrey Stoykov on Jul 11

# Exploit Title: XAMPP 8.2.4 - Unquoted Path
# Date: 07/2023
# Exploit Author: Andrey Stoykov
# Version: 8.2.4
# Software Link:
https://sourceforge.net/projects/xampp/files/XAMPP%20Windows/8.2.4/xampp-windows-x64-8.2.4-0-VS16-installer.exe
# Tested on: Windows Server 2022
# Blog: http://msecureltd.blogspot.com/

Steps to Exploit:

1. Search for unquoted paths
2. Generate meterpreter shell
3. Copy shell to XAMPP directory replacing...
  • July 11th 2023 at 22:41

APPLE-SA-2023-07-10-1 Safari 16.5.2

Posted by Apple Product Security via Fulldisclosure on Jul 11

APPLE-SA-2023-07-10-1 Safari 16.5.2

Safari 16.5.2 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/kb/HT213826.

Apple maintains a Security Updates page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.

WebKit
Available for: macOS Big Sur and macOS Monterey
Impact: Processing web content may lead to arbitrary code execution....
  • July 11th 2023 at 22:41

APPLE-SA-2023-07-10-2 Rapid Security Responses for iOS 16.5.1 and iPadOS 16.5.1

Posted by Apple Product Security via Fulldisclosure on Jul 11

APPLE-SA-2023-07-10-2 Rapid Security Responses for iOS 16.5.1 and iPadOS 16.5.1

Rapid Security Responses for iOS 16.5.1 and iPadOS 16.5.1 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/kb/HT213823.

Apple maintains a Security Updates page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.

This document describes the content of...
  • July 11th 2023 at 22:41

APPLE-SA-2023-07-10-3 Rapid Security Responses for macOS Ventura 13.4.1

Posted by Apple Product Security via Fulldisclosure on Jul 11

APPLE-SA-2023-07-10-3 Rapid Security Responses for macOS Ventura 13.4.1

Rapid Security Responses for macOS Ventura 13.4.1 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/kb/HT213825.

Apple maintains a Security Updates page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.

This document describes the content of Rapid Security...
  • July 11th 2023 at 22:41

Re: [tool] tc - anonymous and cyphered chat over Tor circuits in PGP

Posted by bo0od via Fulldisclosure on Jul 11

I didn't see worse than this app to use for anonymity like this one:

- PGP is old bad stuff:

https://www.kicksecure.com/wiki/OpenPGP#Issues_with_PGP

- RSA/DSA old as well and has tons of security issues like side channel
and timing attacks..etc (the researches about them everywhere)

use Post-Quantum cryptography or at least ECC.

- C code is again old and insecure (memory issues..etc), should be
replaced with Rust

so yeah nice idea but...
  • July 11th 2023 at 22:41

Asterisk Release 16.30.1

Posted by Asterisk Development Team via Fulldisclosure on Jul 11

The Asterisk Development Team would like to announce security release
Asterisk 16.30.1.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/16.30.1
and
https://downloads.asterisk.org/pub/telephony/asterisk

The following security advisories were resolved in this release:
https://github.com/asterisk/asterisk/security/advisories/GHSA-4xjp-22g4-9fxm

Change Log for Release 16.30.1...
  • July 11th 2023 at 22:41

Asterisk Release 18.18.1

Posted by Asterisk Development Team via Fulldisclosure on Jul 11

The Asterisk Development Team would like to announce security release
Asterisk 18.18.1.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/18.18.1
and
https://downloads.asterisk.org/pub/telephony/asterisk

The following security advisories were resolved in this release:
https://github.com/asterisk/asterisk/security/advisories/GHSA-4xjp-22g4-9fxm

Change Log for Release 18.18.1...
  • July 11th 2023 at 22:41

Re: Ransom.Haron / Code Execution

Posted by malvuln on Jul 11

*** Correction: should have been CRYPTSP.dll ***

Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022
Original source:
https://malvuln.com/advisory/dedad693898bba0e4964e6c9a749d380.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln

Threat: Ransom.Haron
Vulnerability: Code Execution
Description: Haron looks for and executes DLLs in its current directory.
Therefore, we can potentially hijack a vuln DLL execute our own code,...
  • July 11th 2023 at 22:41

Asterisk Release 19.8.1

Posted by Asterisk Development Team via Fulldisclosure on Jul 11

The Asterisk Development Team would like to announce security release
Asterisk 19.8.1.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/19.8.1
and
https://downloads.asterisk.org/pub/telephony/asterisk

The following security advisories were resolved in this release:
https://github.com/asterisk/asterisk/security/advisories/GHSA-4xjp-22g4-9fxm

Change Log for Release 19.8.1...
  • July 11th 2023 at 22:41

Asterisk Release 20.3.1

Posted by Asterisk Development Team via Fulldisclosure on Jul 11

The Asterisk Development Team would like to announce security release
Asterisk 20.3.1.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/20.3.1
and
https://downloads.asterisk.org/pub/telephony/asterisk

The following security advisories were resolved in this release:
https://github.com/asterisk/asterisk/security/advisories/GHSA-4xjp-22g4-9fxm

Change Log for Release 20.3.1...
  • July 11th 2023 at 22:41

Asterisk Release certified-18.9-cert5

Posted by Asterisk Development Team via Fulldisclosure on Jul 11

The Asterisk Development Team would like to announce security release
Certified Asterisk 18.9-cert5.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/certified-18.9-cert5
and
https://downloads.asterisk.org/pub/telephony/certified-asterisk

The following security advisories were resolved in this release:
https://github.com/asterisk/asterisk/security/advisories/GHSA-4xjp-22g4-9fxm...
  • July 11th 2023 at 22:41

SEC Consult SA-20230628-0 :: Stored XSS & Privilege Escalation in Boomerang Parental Control App

Posted by SEC Consult Vulnerability Lab, Research via Fulldisclosure on Jul 07

SEC Consult Vulnerability Lab Security Advisory < 20230628-0 >
=======================================================================
title: Stored XSS & Privilege Escalation
product: Boomerang Parental Control App
vulnerable version: <13.83
fixed version: >=13.83 (only issue 1), rest not fixed
CVE number: CVE-2023-36620, CVE-2023-36621
impact: High...
  • July 7th 2023 at 17:30

SEC Consult SA-20230705-0 :: Path traversal bypass & Denial of service in Kyocera TASKalfa 4053ci printer

Posted by SEC Consult Vulnerability Lab, Research via Fulldisclosure on Jul 07

SEC Consult Vulnerability Lab Security Advisory < 20230705-0 >
=======================================================================
title: Path traversal bypass & Denial of service
product: Kyocera TASKalfa 4053ci printer
vulnerable version: TASKalfa 4053ci Version <= 2VG_S000.002.561
fixed version: 2VG_S000.002.574
CVE numbers: CVE-2023-34259, CVE-2023-34260, CVE-2023-34261...
  • July 7th 2023 at 17:30

SEC Consult SA-20230703-0 :: Multiple Vulnerabilities including Unauthenticated RCE in Siemens A8000

Posted by SEC Consult Vulnerability Lab, Research via Fulldisclosure on Jul 07

SEC Consult Vulnerability Lab Security Advisory < 20230703-0 >
=======================================================================
title: Multiple Vulnerabilities including Unauthenticated RCE
product: Siemens A8000 CP-8050 MASTER MODULE (6MF2805-0AA00)
Siemens A8000 CP-8031 MASTER MODULE (6MF2803-1AA00)
vulnerable version: <= V04.92
fixed version: CPCI85 V05
CVE...
  • July 7th 2023 at 17:30

SEC Consult Vulnerability Lab Whitepaper: Everyone Knows SAP®, Everyone Uses SAP, Everyone Uses RFC, No One Knows RFC: From RFC to RCE 16 Years Later

Posted by SEC Consult Vulnerability Lab, Research via Fulldisclosure on Jul 07

SEC Consult Vulnerability Lab Whitepaper < 20230629-0 >
=======================================================================
Title: Everyone Knows SAP®, Everyone Uses SAP,
Everyone Uses RFC, No One Knows RFC:
From RFC to RCE 16 Years Later
Researcher: Fabian Hagg (Office Vienna)
SEC Consult Vulnerability Lab...
  • July 7th 2023 at 17:30

Re: OpenBSD kernel relinking is not transactional and a local exploit exists

Posted by pesco on Jun 21

C. W. Schech on Sat, Jun 17 2023:

By who? Which user ID specifically?

And clearly such checksums could not be tampered with?

PoC or GTFO.

rolling on the floor laughing
  • June 21st 2023 at 22:26

Re: OpenBSD kernel relinking is not transactional and a local exploit exists

Posted by jvoisin via Fulldisclosure on Jun 21

I'm unsure I understand the threat model here: an attacker with root
privileges is able to modify the kernel data about to be relinked?

You're also mentioning SLSA, but as you also said, OpenBSD doesn't have
reproducible builds and all the cool build hardening things(tm). So
having a cryptographic path to the resulting relinked kernel won't
really improve anything, given the current state of affairs.
  • June 21st 2023 at 22:25

OXAS-ADV-2023-0002: OX App Suite Security Advisory

Posted by Martin Heiland via Fulldisclosure on Jun 21

Dear subscribers,

We're sharing our latest advisory with you and like to thank everyone who contributed in finding and solving those
vulnerabilities. Feel free to join our bug bounty programs for OX AppSuite, Dovecot and PowerDNS at YesWeHack.

This advisory has also been published at https://documentation.open-xchange.com/security/advisories/.

Yours sincerely,
Martin Heiland, Open-Xchange GmbH

Internal reference: MWB-1994
Type:...
  • June 21st 2023 at 22:25

OpenBSD kernel relinking is not transactional and a local exploit exists

Posted by Schech, C. W. ("Connor") on Jun 19

The automatic and mandatory-by-default reordering of OpenBSD kernels
is NOT transactional and as a result, a local unpatched exploit exists
which allows tampering or replacement of the kernel. Arbitrary build
artifacts are cyclically relinked with no data integrity or provenance
being maintained or verified for the objects being consumed with
respect to the running kernel before and during the execution of the
mandatory kernel_reorder process in...
  • June 19th 2023 at 13:24

Polycom BToE Connector 4.4.0.0 Multiple Vulnerabilities

Posted by BUG on Jun 19

Microsoft® Lync™ Better Together over Ethernet (BToE) feature on
Polycom® VVX® business media phones enables you to control phone
activity from your computer using your Lync client.
The BToE feature enables you to place, answer, and hold audio and video
calls from your Polycom VVX phone and your Lync client on your computer.

#### Title: Polycom BToE Connector 4.4.0.0 Multiple Vulnerabilities
#### Affected versions: 4.4.0.0
#### Tested...
  • June 19th 2023 at 13:24

Windows PowerShell / Trojan File RCE revisited

Posted by hyp3rlinx on Jun 09

Hi,

Windows PowerShell Filename Code Execution POC

Discovery: 2019 and revisited 2023

Since it still works, I dusted off and made minor improvements:

Execute a remote DLL using rundll32
Execute an unintended secondary PS1 script or local text-file (can be
hidden)
Updated the PS1 Trojan Filename Creator Python3 Script
First reported to Microsoft back in 2019 yet remains unfixed as of the time
of this writing.

Remote code execution via a...
  • June 9th 2023 at 16:53

Defense in depth -- the Microsoft way (part 85): escalation of privilege plus remote code execution with HVCISCAN.exe

Posted by Stefan Kanthak on Jun 07

Hi @ll,

about a month ago Microsoft published HVCIScan-{amd,arm}64.exe, a
"Tool to check devices for compatibility with memory integrity (HVCI)"

The "Install instructions" on the download page
<https://www.microsoft.com/en-us/download/105217> tell:

| Download the hvciscan.exe for your system architecture (AMD64 or ARM64).
| From an elevated command window or PowerShell, run hvciscan.exe

"ELEVATED" sounds...
  • June 7th 2023 at 21:15

LPE and RCE in RenderDoc: CVE-2023-33865, CVE-2023-33864, CVE-2023-33863

Posted by Qualys Security Advisory via Fulldisclosure on Jun 07

Qualys Security Advisory

LPE and RCE in RenderDoc: CVE-2023-33865, CVE-2023-33864, CVE-2023-33863

========================================================================
Contents
========================================================================

Summary
CVE-2023-33865, a symlink vulnerability in /tmp/RenderDoc
- Analysis
- Exploitation
CVE-2023-33864, an integer underflow to heap-based buffer overflow
- Analysis
- Exploitation...
  • June 7th 2023 at 21:15

[CVE-2023-29459] FC Red Bull Salzburg App "at.redbullsalzburg.android.AppMode.Default.Splash.SplashActivity" Arbitrary URL Loading

Posted by Julien Ahrens (RCE Security) on Jun 02

RCE Security Advisory
https://www.rcesecurity.com

1. ADVISORY INFORMATION
=======================
Product: FC Red Bull Salzburg App
Vendor URL: https://play.google.com/store/apps/details?id=laola.redbull
Type: Improper Authorization in Handler for Custom URL Scheme [CWE-939]
Date found: 2023-04-06
Date published: 2023-06-01
CVSSv3 Score: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
CVE: CVE-2023-29459...
  • June 2nd 2023 at 21:19

[RT-SA-2022-004] STARFACE: Authentication with Password Hash Possible

Posted by RedTeam Pentesting GmbH on Jun 01

Advisory: STARFACE: Authentication with Password Hash Possible

RedTeam Pentesting discovered that the web interface of STARFACE as well
as its REST API allows authentication using the SHA512 hash of the
password instead of the cleartext password. While storing password
hashes instead of cleartext passwords in an application's database
generally has become best practice to protect users' passwords in case
of a database compromise, this...
  • June 1st 2023 at 13:39

CVE-2022-48331 - Buffer Overflow in Widevine Trustlet (drm_save_keys @ 0x69b0)

Posted by Cyber Intel Security on May 30

1. INFORMATION
--------------
[+] CVE : CVE-2022-48331
[+] Title : Buffer Overflow in Widevine Trustlet
(drm_save_keys @ 0x69b0)
[+] Vendor : Google
[+] Device : Nexus 6
[+] Affected component : Widevine
[+] Publication date : March 2023
[+] Credits : CyberIntel Team

2. AFFECTED VERSIONS
--------------------

5.0.0 (LRX21O), 5.0.1 (LRX22C), 5.1.0 (LMY47D), 5.1.0 (LMY47E), 5.1.0...
  • May 30th 2023 at 14:40

CVE-2022-48334 - Buffer Overflow in Widevine Trustlet (drm_verify_keys @ 0x7370)

Posted by Cyber Intel Security on May 30

1. INFORMATION
--------------
[+] CVE : CVE-2022-48334
[+] Title : Buffer Overflow in Widevine Trustlet
(drm_verify_keys @ 0x7370)
[+] Vendor : Google
[+] Device : Nexus 6
[+] Affected component : Widevine
[+] Publication date : March 2023
[+] Credits : CyberIntel Team

2. AFFECTED VERSIONS
--------------------
5.0.0 (LRX21O), 5.0.1 (LRX22C), 5.1.0 (LMY47D), 5.1.0 (LMY47E), 5.1.0...
  • May 30th 2023 at 14:40
โŒ