About FreshRSS

There are new available articles, click to refresh the page.

Before yesterdayFull Disclosure

Full Disclosure
Re: cpio privilege escalation vulnerability via setuid files in cpio archive
January 15^th 2024 at 06:06

Re: cpio privilege escalation vulnerability via setuid files in cpio archive

Posted by Georgi Guninski on Jan 14

Hi, thanks for the feedback :)

Which version of tar is vulnerable to this attack? I am pretty sure
this was fixed in tar and zip `long long` ago.

tar and zip on fedora 38 are definitely not vulnerable, they clear
the setuid bit.

I continue to suspect this is vulnerability because:
1. There is directory traversal protection for untrusted archives
2. tar and zip and not vulnerable

bash script for setuid files in tar:

#!/bin/bash

mkdir -p...

January 15^th 2024 at 06:06

Full Disclosure
Re: cpio privilege escalation vulnerability via setuid files in cpio archive
January 15^th 2024 at 06:05

Re: cpio privilege escalation vulnerability via setuid files in cpio archive

Posted by fulldisclosure on Jan 14

Am 08.01.24 um 10:25 schrieb Georgi Guninski:

It's not a vulnerability, as

a) cpio archives must archive that flag as cpio is part of RPM packages
and those
must be able to contain setuid flags. Otherwise, you would need to add
chmod u+s cmds to any %POST
section. Breaking this, would invalidate so many existing packages =>
won't happen

note: initramfs makes use of cpio as well, but setuid is not needed
here, as it's...

January 15^th 2024 at 06:05

Full Disclosure
Re: [SBA-ADV-20220120-01] MOKOSmart MKGW1 Gateway Improper Session Management
January 15^th 2024 at 06:04

Re: [SBA-ADV-20220120-01] MOKOSmart MKGW1 Gateway Improper Session Management

Posted by SBA - Advisory via Fulldisclosure on Jan 14

MITRE assigned CVE-2023-51059 for this issue.

January 15^th 2024 at 06:04

Full Disclosure
cpio privilege escalation vulnerability via setuid files in cpio archive
January 8^th 2024 at 21:46

cpio privilege escalation vulnerability via setuid files in cpio archive

Posted by Georgi Guninski on Jan 08

cpio privilege escalation vulnerability via setuid files in cpio archive

Happy New Year, let in 2024 happiness be with you! :)

When extracting archives cpio (at least version 2.13) preserves
the setuid flag, which might lead to privilege escalation.

One example is r00t extracts to /tmp/ and scidiot runs /tmp/micq/backd00r
without further interaction from root.

We believe this is vulnerability, since directory traversal in cpio
is considered...

January 8^th 2024 at 21:46

Full Disclosure
OXAS-ADV-2023-0006: OX App Suite Security Advisory
January 8^th 2024 at 21:46

OXAS-ADV-2023-0006: OX App Suite Security Advisory

Posted by Martin Heiland via Fulldisclosure on Jan 08

Dear subscribers,

We're sharing our latest advisory with you and like to thank everyone who contributed in finding and solving those
vulnerabilities. Feel free to join our bug bounty programs for OX AppSuite, Dovecot and PowerDNS at YesWeHack.

This advisory has also been published at https://documentation.open-xchange.com/security/advisories/.

Yours sincerely,
Martin Heiland, Open-Xchange GmbH

Internal reference: MWB-2315
Type:...

January 8^th 2024 at 21:46

Full Disclosure
OXAS-ADV-2023-0005: OX App Suite Security Advisory
January 8^th 2024 at 21:45

OXAS-ADV-2023-0005: OX App Suite Security Advisory

Posted by Martin Heiland via Fulldisclosure on Jan 08

January 8^th 2024 at 21:45

Full Disclosure
SSH-Snake: Automated SSH-Based Network Traversal
January 8^th 2024 at 21:45

SSH-Snake: Automated SSH-Based Network Traversal

Posted by Joshua Rogers on Jan 08

SSH-Snake is a powerful tool designed to perform automatic network
traversal using SSH private keys discovered on systems, with the objective
of creating a comprehensive map of a network and its dependencies,
identifying to what extent a network can be compromised using SSH and SSH
private keys starting from a particular system.

SSH-Snake can automatically reveal the relationship between systems which
are connected via SSH, which would normally...

January 8^th 2024 at 21:45

Full Disclosure
Windows PowerShell Single Quote Code Execution / Event Log Bypass
January 4^th 2024 at 23:10

Windows PowerShell Single Quote Code Execution / Event Log Bypass

Posted by hyp3rlinx on Jan 04

[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/WINDOWS_POWERSHELL_SINGLE_QUOTE_CODE_EXEC_EVENT_LOG_BYPASS.txt
[+] twitter.com/hyp3rlinx
[+] twitter.com/malvuln
[+] ISR: ApparitionSec

[Vendor]
www.microsoft.com

[Product]
Microsoft Windows PowerShell

Built on the . NET Framework, Windows PowerShell helps IT professionals and
power users control and automate the...

January 4^th 2024 at 23:10

Full Disclosure
RansomLord v2 - Anti-Ransomware Exploitation Tool / New Release
January 4^th 2024 at 23:10

RansomLord v2 - Anti-Ransomware Exploitation Tool / New Release

Posted by hyp3rlinx on Jan 04

RansomLord v2 - Anti-Ransomware Exploitation Tool

[Description]
RansomLord is a proof-of-concept Anti-Ransomware exploitation tool that
generates PE files, used to exploit vulnerable Ransomware pre-encryption.

Lang: C

SHA256 : 8EA83752C4096C778709C14B60B9735CC68A5971DCDB0028A0BB167550554769

This version now intercepts and terminates malware tested from 43 different
threat groups.
Adding Wagner, Hakbit, Paradise, Jaff, DoubleZero, Blacksnake,...

January 4^th 2024 at 23:10

Full Disclosure
[ES2023-02] FreeSWITCH susceptible to Denial of Service via DTLS Hello packets during call initiation
December 26^th 2023 at 15:38

[ES2023-02] FreeSWITCH susceptible to Denial of Service via DTLS Hello packets during call initiation

Posted by Sandro Gauci on Dec 26

# FreeSWITCH susceptible to Denial of Service via DTLS Hello packets during call initiation

- Fixed versions: 1.10.11
- Enable Security Advisory:
https://github.com/EnableSecurity/advisories/tree/master/ES2023-02-freeswitch-dtls-hello-race
- Vendor Security Advisory: https://github.com/signalwire/freeswitch/security/advisories/GHSA-39gv-hq72-j6m6
- Other references: CVE-2023-51443
- Tested vulnerable versions: 1.10.10
- Timeline:
-...

December 26^th 2023 at 15:38

Full Disclosure
asterisk release 20.5.1
December 19^th 2023 at 22:18

asterisk release 20.5.1

Posted by Asterisk Development Team via Fulldisclosure on Dec 19

The Asterisk Development Team would like to announce security release
Asterisk 20.5.1.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/20.5.1
and
https://downloads.asterisk.org/pub/telephony/asterisk

The following security advisories were resolved in this release:
- [Path traversal via AMI GetConfig allows access to outside
files](...

December 19^th 2023 at 22:18

Full Disclosure
CORRECTED asterisk release 21.0.1
December 19^th 2023 at 22:17

CORRECTED asterisk release 21.0.1

Posted by Asterisk Development Team on Dec 19

The earlier announcement should not have had any User or Upgrade notes.

The Asterisk Development Team would like to announce security release
Asterisk 21.0.1.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/21.0.1
and
https://downloads.asterisk.org/pub/telephony/asterisk

The following security advisories were resolved in this release:
- [Path traversal via AMI GetConfig allows...

December 19^th 2023 at 22:17

Full Disclosure
asterisk release 18.20.1
December 19^th 2023 at 22:17

asterisk release 18.20.1

Posted by Asterisk Development Team via Fulldisclosure on Dec 19

The Asterisk Development Team would like to announce security release
Asterisk 18.20.1.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/18.20.1
and
https://downloads.asterisk.org/pub/telephony/asterisk

The following security advisories were resolved in this release:
- [Path traversal via AMI GetConfig allows access to outside
files](...

December 19^th 2023 at 22:17

Full Disclosure
CORRECTED asterisk release certified-18.9-cert6
December 19^th 2023 at 22:17

CORRECTED asterisk release certified-18.9-cert6

Posted by Asterisk Development Team on Dec 19

The earlier release announcement should NOT have had any User or Upgrade
notes.

The Asterisk Development Team would like to announce security release
Certified Asterisk 18.9-cert6.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/certified-18.9-cert6
and
https://downloads.asterisk.org/pub/telephony/certified-asterisk

The following security advisories were resolved in this release:...

December 19^th 2023 at 22:17

Full Disclosure
[ES2023-03] RTPEngine susceptible to Denial of Service via DTLS Hello packets during call initiation
December 19^th 2023 at 22:16

[ES2023-03] RTPEngine susceptible to Denial of Service via DTLS Hello packets during call initiation

Posted by Sandro Gauci on Dec 19

# RTPEngine susceptible to Denial of Service via DTLS Hello packets during call initiation

- Fixed versions: mr12.1.1.2, mr12.0.1.3, mr11.5.1.16, mr10.5.6.3, mr10.5.6.2
- Enable Security Advisory: https://github.com/EnableSecurity/advisories/tree/master/ES2023-03-rtpengine-dtls-hello-race
- Vendor Patch: https://github.com/sipwise/rtpengine/commit/e969a79428ac4a15cdf1c0a1c6f266dbdc7e60b6
- Tested vulnerable versions: mr11.5.1.6
- Timeline:...

December 19^th 2023 at 22:16

Full Disclosure
[ES2023-01] Asterisk susceptible to Denial of Service via DTLS Hello packets during call initiation
December 19^th 2023 at 22:16

[ES2023-01] Asterisk susceptible to Denial of Service via DTLS Hello packets during call initiation

Posted by Sandro Gauci on Dec 19

# Asterisk susceptible to Denial of Service via DTLS Hello packets during call initiation

- Fixed versions: 18.20.1, 20.5.1, 21.0.1,18.9-cert6
- Enable Security Advisory: https://github.com/EnableSecurity/advisories/tree/master/ES2023-01-asterisk-dtls-hello-race
- Vendor Security Advisory: https://github.com/asterisk/asterisk/security/advisories/GHSA-hxj9-xwr8-w8pq
- Other references: CVE-2023-49786
- Tested vulnerable versions: 20.1.0
-...

December 19^th 2023 at 22:16

Full Disclosure
[SBA-ADV-20220120-01] MOKOSmart MKGW1 Gateway Improper Session Management
December 19^th 2023 at 22:15

[SBA-ADV-20220120-01] MOKOSmart MKGW1 Gateway Improper Session Management

Posted by SBA - Advisory via Fulldisclosure on Dec 19

# MOKOSmart MKGW1 Gateway Improper Session Management #

Link:
https://github.com/sbaresearch/advisories/tree/public/2022/SBA-ADV-20220120-01_MOKOSmart_MKGW1_Gateway_Improper_Session_Management

## Vulnerability Overview ##

MOKOSmart MKGW1 Gateway devices with firmware version 1.1.1 or below do
not provide an adequate session management for the administrative web
interface. This allows adjacent attackers with access to the management
network to...

December 19^th 2023 at 22:15

Full Disclosure
APPLE-SA-12-19-2023-1 macOS Sonoma 14.2.1
December 19^th 2023 at 22:15

APPLE-SA-12-19-2023-1 macOS Sonoma 14.2.1

Posted by Apple Product Security via Fulldisclosure on Dec 19

APPLE-SA-12-19-2023-1 macOS Sonoma 14.2.1

macOS Sonoma 14.2.1 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/kb/HT214048.

Apple maintains a Security Updates page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.

WindowServer
Available for: macOS Sonoma
Impact: A user who shares their screen may unintentionally share the...

December 19^th 2023 at 22:15

Full Disclosure
[KIS-2023-14] PKP-WAL <= 3.4.0-3 (NativeImportExportPlugin) Remote Code Execution Vulnerability
December 19^th 2023 at 22:15

[KIS-2023-14] PKP-WAL <= 3.4.0-3 (NativeImportExportPlugin) Remote Code Execution Vulnerability

Posted by Egidio Romano on Dec 19

---------------------------------------------------------------------------------
PKP-WAL <= 3.4.0-3 (NativeImportExportPlugin) Remote Code Execution
Vulnerability
---------------------------------------------------------------------------------

[-] Software Links:

https://pkp.sfu.ca
https://github.com/pkp/pkp-lib

[-] Affected Versions:

PKP Web Application Library (aka PKP-WAL or pkp-lib) version 3.4.0-3
and prior versions, as used in Open...

December 19^th 2023 at 22:15

Full Disclosure
Disclosure of CVE-2023-50917: RCE Vulnerability in MajorDoM
December 19^th 2023 at 22:14

Disclosure of CVE-2023-50917: RCE Vulnerability in MajorDoM

Posted by Balgogan via Fulldisclosure on Dec 19

**Introduction**

MajorDoMo, a beacon in Russian home automation and particularly favored by Raspberry Pi aficionados, has been a trusted
name for over a decade. With over 380 stars on its official GitHub repository at the time of writing
(https://github.com/sergejey/majordomo), its popularity is evident. However, lurking within its `thumb.php` module is a
severe unauthenticated Remote Code Execution (RCE) vulnerability before 0662e5e.
NOTE:...

December 19^th 2023 at 22:14

Full Disclosure
SEC Consult SA-20231128 :: Missing Certificate Validation & User Enumeration in Anveo Mobile App and Server
December 12^th 2023 at 23:22

SEC Consult SA-20231128 :: Missing Certificate Validation & User Enumeration in Anveo Mobile App and Server

Posted by SEC Consult Vulnerability Lab, Research via Fulldisclosure on Dec 12

SEC Consult Vulnerability Lab Security Advisory < 20231128-0 >
=======================================================================
title: Missing Certificate Validation & User Enumeration
product: Anveo Mobile App and Server
vulnerable version: Mobile App: 10.0.0.359 / 2016-07-13; Server: 11.0.0.5
fixed version: -
CVE number: -
impact: Medium
homepage:...

December 12^th 2023 at 23:22

SEC Consult SA-20231205 :: Argument injection leading to unauthenticated RCE and authentication bypass in Atos Unify OpenScape Session Border Controller (SBC), Branch, BCF

Posted by SEC Consult Vulnerability Lab, Research via Fulldisclosure on Dec 12

SEC Consult Vulnerability Lab Security Advisory < 20231205-0 >
=======================================================================
title: Argument injection leading to unauthenticated RCE and
authentication bypass
product: Atos Unify OpenScape Session Border Controller (SBC)
Atos Unify OpenScape Branch
Atos Unify OpenScape BCF
vulnerable...

December 12^th 2023 at 23:22

Full Disclosure
SEC Consult SA-20231211-0 :: Local Privilege Escalation via MSI installer in PDF24 Creator
December 12^th 2023 at 23:22

SEC Consult SA-20231211-0 :: Local Privilege Escalation via MSI installer in PDF24 Creator

Posted by SEC Consult Vulnerability Lab, Research via Fulldisclosure on Dec 12

SEC Consult Vulnerability Lab Security Advisory < 20231211-0 >
=======================================================================
title: Local Privilege Escalation via MSI installer
product: PDF24 Creator (geek Software GmbH)
vulnerable version: <=11.15.1
fixed version: 11.15.2
CVE number: CVE-2023-49147
impact: High
homepage:...

December 12^th 2023 at 23:22

Full Disclosure
SEC Consult SA-20231206 :: Kiosk Escape Privilege Escalation in One Identity Password Manager Secure Password Extension
December 12^th 2023 at 23:22

SEC Consult SA-20231206 :: Kiosk Escape Privilege Escalation in One Identity Password Manager Secure Password Extension

Posted by SEC Consult Vulnerability Lab, Research via Fulldisclosure on Dec 12

SEC Consult Vulnerability Lab Security Advisory < 20231206-0 >
=======================================================================
title: Kiosk Escape Privilege Escalation
product: One Identity Password Manager Secure Password Extension
vulnerable version: <5.13.1
fixed version: 5.13.1
CVE number: CVE-2023-48654
impact: critical
homepage:...

December 12^th 2023 at 23:22

Full Disclosure
HNS-2023-04 - HN Security Advisory - Buffer overflow vulnerabilities with long path names in TinyDir
December 12^th 2023 at 23:21

HNS-2023-04 - HN Security Advisory - Buffer overflow vulnerabilities with long path names in TinyDir

Posted by Marco Ivaldi on Dec 12

Hi,

Please find attached a security advisory that describes some buffer
overflow vulnerabilities we discovered in TinyDir.

* Title: Buffer overflow vulnerabilities with long path names in TinyDir
* Product: TinyDir <= 1.2.5
* Author: Marco Ivaldi <marco.ivaldi () hnsecurity it>
* Date: 2023-12-04
* CVE ID: CVE-2023-49287
* Severity: High - 7.7 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
* Vendor URL: https://github.com/cxong/tinydir...

December 12^th 2023 at 23:21

Full Disclosure
APPLE-SA-12-11-2023-5 macOS Ventura 13.6.3
December 12^th 2023 at 23:21

APPLE-SA-12-11-2023-5 macOS Ventura 13.6.3