Apache mod_session_crypto versions 2.3 through 2.5 suffer form a padding oracle vulnerability.
390f7fdc6969dd238103bdc9a74a406df47dd249a11cddc2a73743e36e51e549ASP.NET Core version 5.-RC1 suffers from an HTTP header injection vulnerability.
1d6c349a4c1cbeebdb441bb9d71d28155836dfc3262d25c0f5027232b302026bOpenSSH can forward TCP sockets and UNIX domain sockets. If privilege separation is disabled, then on the server side, the forwarding is handled by a child of sshd that has root privileges. For TCP server sockets, sshd explicitly checks whether an attempt is made to bind to a low port (below IPPORT_RESERVED) and, if so, requires the client to authenticate as root. However, for UNIX domain sockets, no such security measures are implemented. This means that, using "ssh -L", an attacker who is permitted to log in as a normal user over SSH can effectively connect to non-abstract unix domain sockets with root privileges. On systems that run systemd, this can for example be exploited by asking systemd to add an LD_PRELOAD environment variable for all following daemon launches and then asking it to restart cron or so. The attached exploit demonstrates this - if it is executed on a system with systemd where the user is allowed to ssh to his own account and where privsep is disabled, it yields a root shell.
e76185809315ccb4de20af9908f94cf1d0c88a604c2850502c670e5b10961415The OpenSSH agent permits its clients to load PKCS11 providers using the commands SSH_AGENTC_ADD_SMARTCARD_KEY and SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED if OpenSSH was compiled with the ENABLE_PKCS11 flag (normally enabled) and the agent isn't locked. For these commands, the client has to specify a provider name. Th e agent passes this provider name to a subprocess (via ssh-agent.c:process_add_smartcard_key -> ssh-pkcs11-client.c:pkcs11_add_provider -> ssh-pkcs11-client.c:s end_msg), and the subprocess receives it and passes it to dlopen() (via ssh-pkcs 11-helper.c:process -> ssh-pkcs11-helper.c:process_add -> ssh-pkcs11.c:pkcs11_ad d_provider -> dlopen). No checks are performed on the provider name, apart from testing whether that provider is already loaded. This means that, if a user connects to a malicious SSH server with agent forwarding enabled and the malicious server has the ability to place a file with attacker-controlled contents in the victim's filesystem, the SSH server can execute code on the user's machine.
10d0d2808ffc63e1409341e7f4cd4e55ad32bf60b055a0cd27d7b6b8a3fa45abNidesoft MP3 Converter version 2.6.18 suffers from a dll hijacking vulnerability.
d5fcb9355a6f626a251596d55177683140ebbb8704664b94025b396c5b0a98e9
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed