[FD] APPLE-SA-2023-09-11-3 macOS Big Sur 11.7.10
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2023-09-11-3 macOS Big Sur 11.7.10

macOS Big Sur 11.7.10 addresses the following issues. Information about the security content is also available at https://support.apple.com/kb/HT213915.

Apple maintains a Security Updates page at https://support.apple.com/HT201222 which lists recent software updates with security advisories.

ImageIO
Available for: macOS Big Sur
Impact: Processing a maliciously crafted image may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
Description: A buffer overflow issue was addressed with improved memory handling.
CVE-2023-41064: The Citizen Lab at The University of Torontoʼs Munk School

macOS Big Sur 11.7.10 may be obtained from the Mac App Store or Apple's Software Downloads web site: https://support.apple.com/downloads/

All information is also posted on the Apple Security Updates web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmT/m3MACgkQX+5d1TXa
IvqNSg//bbzgVN2E8yAjEnjXK08rQlR7TmCxvDCa9s2GI3hPYb881pMDz2kG4ntu
C8MaKgYwQ8f6DKowxL2bJAXz9p48tzfHEcxVVCW3vwel0MrstLQRllrv4GrRrU2T
/kkOWs4WZPQYMuvf+j08+KlGOWwPdhxNBlkzoZKe1Sq0DKFOBhdwnBfUsQgREMK+
zFz7iVYHKCgAs8hQwOA7mmxa7W42PO5XuBh2d4bxsjiV+63Z4vIhy3uiXrqGDolT
pOLsOXpRaLxDeVTi7/AKBJcR+ScC/wTinCBaFuELqQsXeYVKJeLl901MYa54VZtf
6x+7c/QOKf8LUQR58VH9uB1cRGaC4rI0GfGBMZAR3C1xhM0TRzHuH6HOsBK2ZQva
OprPGZ8aNb1XhuuZeYYxNnXOtmto8V8ZynBzjoPv5P3BeaBgRbpOnlIsamSTQUeb
BSLnKQ6MbDbrGBQHcqKhdYyL65EzXGfoYgLbKG+FdzoaTdJ8EO+FXum6smPcHEvm
uzHkCQvYPZ6ZpeGQ3OPrD0mqTrqdI5JwdM1Qj3ks5srGHH8UYK1k1TQx5kK/5MX1
1ASkIhexyGtDS3DNVWOaDniRXA6bMNrJCNQC7PU5O1Py0kR1gITB9WAP+LOQ4PBF
Of9Y2FxFxHMYJ40gHwa5e/mo4Sf5fvnr9WUU9/34VC5f+tTI47M=
=bfbZ
-----END PGP SIGNATURE-----

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
[FD] [SYSS-2023-002] Razer Synapse - Local Privilege Escalation
Advisory ID: SYSS-2023-002
Product: Razer Synapse
Manufacturer: Razer Inc.
Affected Version(s): Versions before 3.8.0428.042117 (20230601)
Tested Version(s): 3.8.0228.022313 (20230315) under Windows 10 Pro (10.0.19044) and under Windows 11 Home (10.0.22621)
Vulnerability Type: Improper Privilege Management (CWE-269), Time-of-check Time-of-use Race Condition (CWE-367)
Risk Level: High
Solution Status: Fixed
Manufacturer Notification: 2023-03-23
Solution Date: 2023-04-28
Public Disclosure: 2023-08-31
CVE Reference: CVE-2022-47631
Author of Advisory: Dr. Oliver Schwarz, SySS GmbH

Overview:

Razer Synapse is additional driver software for Razer gaming devices. The manufacturer describes the product as a "unified cloud-based hardware configuration tool" (see [1]).

Due to an unsafe installation path, improper privilege management, and a time-of-check time-of-use race condition, the associated system service "Razer Synapse Service" is vulnerable to DLL hijacking. As a result, local Windows users can abuse the Razer driver installer to obtain administrative privileges on Windows.

In order to exploit the vulnerability, the attacker needs physical access to the machine and needs to prepare the attack before Razer Synapse is installed along with a Razer driver.

Vulnerability Details:

The attack scenario considers a Windows machine without any previous installation of any Razer device or software. The attacker has a local unprivileged Windows account, physical access to the machine, and a device which is either a Razer peripheral or able to pretend to be one (such as a Bash Bunny or a Raspberry Pi Zero). The attacker aims at executing code with full system privileges.

The attack exploits the Razer Synapse Service, which runs with elevated privileges. While the main binary of the service is stored in the protected location "C:\Program Files (x86)\Razer\Synapse3\Service", it dynamically loads libraries from "C:\ProgramData\Razer\Synapse3\Service\bin".

Before the installation, standard users can create and write to this path, since "C:\ProgramData" is world-writable on a standard installation of Windows. The Synapse installation procedure changes the access privileges so that standard users can no longer write to the path. However, if the path is created before the driver installation, its creator owns the files placed there and can set them to read-only and deny write access for the SYSTEM account. Upon start, the Synapse service checks the location for foreign DLLs, removes them, and aborts if it fails to delete them. Because of a time-of-check time-of-use race condition, however, an attacker can replace a benign DLL after it has been checked and before it is loaded.

Note that the described vulnerability is similar to CVE-2021-44226 (SYSS-2021-058) and CVE-2022-47632 (SYSS-2022-047), which Razer Inc. fixed in March and September of 2022, respectively. The new attack differs from the earlier ones in that the attacker now has to win a race condition.

Proof of Concept (PoC):

The attack consists of the following steps:

1. Before the installation of the driver/Synapse, the attacker creates "C:\ProgramData\Razer\Synapse3\Service\bin", copies a custom malicious version of userenv.dll into the directory, sets the DLL to read-only, and denies write access for SYSTEM.

2. Afterwards, the attacker triggers the installation of Synapse. This can be done without any elevated privileges by plugging in a Razer device and following the installation procedure for Synapse, provided device-specific co-installers are not disabled. Alternatively, a device such as a Bash Bunny or a Raspberry Pi Zero can be used to pretend to be a Razer device.

3. With the help of a script, the attacker monitors the installation progress. As soon as legitimate DLL files show up in the directory, the attacker temporarily overwrites the malicious DLL with a legitimate one, waits for the DLL to be assessed (i.e., read), and then quickly copies the malicious content back into the DLL before it is actually loaded and executed.

Solution:

Razer has published a patched version that will be deployed automatically upon driver installation on current Windows builds.

To prevent similar attacks through other co-installers, system administrators can disable them by setting the following key in the Windows registry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Installer\DisableCoInstallers = 1
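The following script is an added example and not part of the SySS advisory. It audits the two preconditions the advisory relies on (co-installers enabled, and the Synapse DLL search path creatable by standard users) and applies the registry mitigation the advisory names. The registry key and the DLL path are taken from the advisory; the function names, the -Apply switch and the list of "low-privileged" principals are our own assumptions. Run it from an elevated prompt in Windows PowerShell 5.1 or PowerShell 7.

```powershell
# Added example (not SySS or Razer code): audit and apply the co-installer
# mitigation from SYSS-2023-002, and show who may write to the Synapse DLL path.
# Run elevated. Without -Apply the script only reports.
param([switch]$Apply)

# Both values below are quoted from the advisory.
$CoInstallerKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Installer'
$SynapseBin     = 'C:\ProgramData\Razer\Synapse3\Service\bin'

function Get-CoInstallerState {
    # Returns the DisableCoInstallers DWORD, or $null when the value is absent
    # (absent means co-installers are enabled, which is the Windows default).
    $item = Get-ItemProperty -Path $CoInstallerKey -Name DisableCoInstallers -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.DisableCoInstallers
}

function Disable-CoInstallers {
    # Writes DisableCoInstallers = 1 as REG_DWORD, creating the key if necessary.
    if (-not (Test-Path -LiteralPath $CoInstallerKey)) {
        New-Item -Path $CoInstallerKey -Force | Out-Null
    }
    Set-ItemProperty -Path $CoInstallerKey -Name DisableCoInstallers -Value 1 -Type DWord
}

function Get-LowPrivilegedWriteAccess {
    param([string]$Path)
    # Lists Allow ACEs granting file/directory creation rights to non-administrative
    # principals on $Path or on its nearest existing ancestor: before Synapse is
    # installed the path does not exist, and the attacker creates it, so what
    # matters is who may create it. Modify and FullControl contain these bits too.
    $probe = $Path
    while (-not (Test-Path -LiteralPath $probe)) { $probe = Split-Path -Parent $probe }
    # Assumed list of principals that a standard user is a member of.
    $lowPriv   = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone', 'CREATOR OWNER')
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories'
    (Get-Acl -LiteralPath $probe).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $lowPriv -contains $_.IdentityReference.Value -and
            (([int]$_.FileSystemRights) -band $writeMask) -ne 0
        } |
        Select-Object @{ n = 'Path'; e = { $probe } }, IdentityReference, FileSystemRights, IsInherited
}

$state = Get-CoInstallerState
$shown = if ($null -eq $state) { 'not set (co-installers enabled)' } else { $state }
Write-Host "DisableCoInstallers: $shown"
if ($Apply -and $state -ne 1) {
    Disable-CoInstallers
    Write-Host "DisableCoInstallers: now $(Get-CoInstallerState)"
}

Write-Host "Creation rights for low-privileged principals on $SynapseBin (or its nearest existing parent):"
Get-LowPrivilegedWriteAccess -Path $SynapseBin | Format-Table -AutoSize
```

On a stock Windows image the ACL check reports BUILTIN\Users with CreateFiles/AppendData on C:\ProgramData, which is exactly the "world-writable" precondition the advisory describes and not a misconfiguration you can fix locally; the fix for the race itself is the vendor's patched service. Setting DisableCoInstallers removes the unprivileged trigger (the device-specific co-installer) for Synapse and for any other vendor's co-installer, so test it against the peripherals your fleet depends on before rolling it out.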
[FD] APPLE-SA-2023-09-11-2 macOS Monterey 12.6.9
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2023-09-11-2 macOS Monterey 12.6.9

macOS Monterey 12.6.9 addresses the following issues. Information about the security content is also available at https://support.apple.com/kb/HT213914.

Apple maintains a Security Updates page at https://support.apple.com/HT201222 which lists recent software updates with security advisories.

ImageIO
Available for: macOS Monterey
Impact: Processing a maliciously crafted image may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
Description: A buffer overflow issue was addressed with improved memory handling.
CVE-2023-41064: The Citizen Lab at The University of Torontoʼs Munk School

macOS Monterey 12.6.9 may be obtained from the Mac App Store or Apple's Software Downloads web site: https://support.apple.com/downloads/

All information is also posted on the Apple Security Updates web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmT/m3IACgkQX+5d1TXa
IvrzPg//a+Al1VjRmASSN1lWptcH3EN4AcviKdzPAcl3Wtlh/28UFzIuMkgyH7B/
e0VUEgqo+4RqyYVfmWTZJBQ9J0otX3M+wG9XRVt3VlgwStqQ9+sjK1nRIMKq3YO6
KMVM9TggVAqEQOOTvdPhsb439RoP2q8kAiQnxw0r/CqzWkPnLvDTdLGWW5WO4G2Q
tFv7z2nV4aPsmZWDwsfc4S8UyrAP+57iBLpegwD6kLaLiRFOm4ZS/bPmWYck0HDK
qojdx6gJ3fYVCoMexiJuBLpJWdCA582f8SfsgYj1/pIwmTC2Vu5HZz3FxF6ULAuY
rbmcZO2zA9w30XgjPDtWQ3l00mVi8Pnod4gDD0bN2aYuDtTXWQ7U/zmkT65kDLPO
uQCZmBAeRLaaUnBlmGRpHBe7zqLlUTU+AcjzRwcXs7WnEuZ59WVCkMlQIELmAx2m
/2jEcMMBe9GNnxEcSa7N0HBbuPHrakC5JA4u63SYeb2NHe9i5PPlwQvRHJJ+Atps
LpsqgdSNk0LmLgldzglIVdhoRBo6F3i1BuIeof0STBLgl3AM1jJJWeL0wPv5RV95
eIN+Uvs7ni1OUZUq0Io7vAg1alyZAv6TZEz8venYA0J+2WxFVu/jOaOxwGJUyzQf
7fblA7wBfxZ+TdZKzaU6OUCoJP/g/gDWzrBG+0EJGH9dcxJP8no=
=I1tR
-----END PGP SIGNATURE-----
[FD] SEC Consult SA-20230829-0 :: Reflected Cross-Site Scripting (XSS) in PTC - Codebeamer (ALM Solution)
SEC Consult Vulnerability Lab Security Advisory < 20230829-0 >
===
title: Reflected Cross-Site Scripting (XSS)
product: PTC - Codebeamer (ALM Solution)
vulnerable version: <=22.10-SP7, <=22.04-SP5, <=21.09-SP13
fixed version: >=22.10-SP8, >=22.04-SP6, >=21.09-SP14
CVE number: CVE-2023-4296
impact: high
homepage: https://www.ptc.com/en/products/codebeamer
found: 2023-04-14
by: Niklas Schilling (Office Munich)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Eviden business
Europe | Asia
https://www.sec-consult.com
===

Vendor description:
---
"Codebeamer offers unique digital workflows that help your teams improve development collaboration, product line development efficiency, and regulatory compliance. Codebeamer's open platform extends application lifecycle management functionalities with product line configuration capabilities, and provides unique configurability for complex processes. Connect all development tools to give your teams a single development platform. You can also easily adapt the solution to specific development needs and automate process control for regulatory compliance."

Source: https://www.ptc.com/en/products/codebeamer

Business recommendation:
---
SEC Consult recommends PTC customers to install the latest updates. Furthermore, an in-depth security analysis performed by security professionals is highly advised, as the software may be affected by other security issues.

Vulnerability overview/description:
---
1) Reflected Cross-Site Scripting (XSS) Vulnerability (CVE-2023-4296)
The dynamic Error Page in Codebeamer is vulnerable to a reflected XSS attack. It successfully sanitizes malicious HTML tags such as
[FD] APPLE-SA-2023-09-11-1 iOS 15.7.9 and iPadOS 15.7.9
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2023-09-11-1 iOS 15.7.9 and iPadOS 15.7.9

iOS 15.7.9 and iPadOS 15.7.9 address the following issues. Information about the security content is also available at https://support.apple.com/kb/HT213913.

Apple maintains a Security Updates page at https://support.apple.com/HT201222 which lists recent software updates with security advisories.

ImageIO
Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)
Impact: Processing a maliciously crafted image may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
Description: A buffer overflow issue was addressed with improved memory handling.
CVE-2023-41064: The Citizen Lab at The University of Torontoʼs Munk School

This update is available through iTunes and Software Update on your iOS device, and will not appear in your computer's Software Update application, or in the Apple Downloads site. Make sure you have an Internet connection and have installed the latest version of iTunes from https://www.apple.com/itunes/

iTunes and Software Update on the device will automatically check Apple's update server on its weekly schedule. When an update is detected, it is downloaded and the option to be installed is presented to the user when the iOS device is docked. We recommend applying the update immediately if possible. Selecting Don't Install will present the option the next time you connect your iOS device.

The automatic update process may take up to a week depending on the day that iTunes or the device checks for updates. You may manually obtain the update via the Check for Updates button within iTunes, or the Software Update on your device.

To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update will be "iOS 15.7.9 and iPadOS 15.7.9".

All information is also posted on the Apple Security Updates web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmT/m3IACgkQX+5d1TXa
Ivq6Ww//WB9pTBOCCs5nm4b199CRT+zde3vODQd70Jk6hux40O+XnoObqqpB3ZxD
eiklegUOLEbGhgKqHyLMWxDUXCx0FaQMx2EzzwfRkYGSRnreDnFLd1V50mC4kWuk
w711Y6ZEdwrV9DhK0/M/3lzbhOMt4lLrPYeb4i2LJ/zFsqVTW8lrLqITkA3Rapns
MtMH/zXzL5PYmNMP8Vbjudb+9T0LQ5+WEh4JvGheVnxe/X7Ijqv+v5MUUbp6U31j
xvTrhcKKsOqSgJrBTxoE+AICD7uEFNpcdxXo+yFOfFP7F//iXVWGYGpjb/xmmxiW
ZGFKhQkuM1wk9tCLZEhQYVRplKAtxTTEzoXfdCLWbHn6drxX2oFA+BThwnInUO2z
AGcy2MOoPK9F+JZPheMGdE9ZJa/B8s/Vtim1KL6nQukVXpqtC77RQHo2c5IeDQBS
nzhdxLxAL2qqENLt/rrY3tQvvPt5aithjJ4y4wwSUeeavcEqyHbum2XavwmK7YpH
iGRdb76wQFd7gISPlgEuDW9mK8bsrNOUk9UDu6EgXrIGgjpvT/YSd779UgxcTUus
BfWigHBgtvXF8ju5QrECxNSSRz/Byh+j7Pbf6iVMrvU9TyIJrhIhtHNWMx1fwQVp
+eIp5LLjSc1OM0swUL1qtsgXlxcVLkMc0HmFd1BVQRi1g5Pdyp0=
=+8rR
-----END PGP SIGNATURE-----
[FD] SEC Consult SA-20230918-0 :: Authenticated Remote Code Execution and Missing Authentication in Atos Unify OpenScape
SEC Consult Vulnerability Lab Security Advisory < 20230918-0 >
===
title: Authenticated Remote Code Execution and Missing Authentication
product: Atos Unify OpenScape Session Border Controller
         Atos Unify OpenScape Branch
         Atos Unify OpenScape BCF
vulnerable version: OpenScape SBC before V10 R3.3.0
                    OpenScape Branch V10 before V10 R3.3.0
                    OpenScape BCF V10 before V10 R10.10.0
fixed version: OpenScape SBC V10 >=R3.3.0
               OpenScape Branch V10 >=R3.3.0
               OpenScape BCF V10 >=R10.10.0
CVE number: CVE-2023-36618, CVE-2023-36619
impact: critical
homepage: https://unify.com
found: 2023-04-21
by: Armin Weihbold (Office Linz)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Eviden business
Europe | Asia
https://www.sec-consult.com
===

Vendor description:
---
"Unify is the Atos brand for communication and collaboration solutions. Unify is the newest member of the Atos family, combining Atos' knowledge and reputation in the IT services market with Unify's expertise in unified communications and collaboration to provide customers with seamless services solutions for their entire digital portfolio. Within Atos, Unify continues to deliver a unique integrated proposition for unified communications and real time capabilities."

Source: https://unify.com/en/expert/unify

Business recommendation:
---
SEC Consult recommends users of the affected products to install the latest update. Furthermore, an in-depth security analysis performed by security professionals is highly advised, as the software may be affected by other security issues.

Vulnerability overview/description:
---
1) Authenticated Remote Code Execution (CVE-2023-36618)
The API of the administrative web application insufficiently validates the input of authenticated users at the server. This leads to the possibility of executing arbitrary PHP functions (with some defined exceptions) and subsequently operating system level commands with root privileges. A low-privileged ReadOnly role is sufficient to exploit this security issue.

2) Missing Authentication (CVE-2023-36619)
A number of scripts that are used to administer the appliance can be accessed or executed unauthenticated via the web server.

Proof of concept:
---
1) Authenticated Remote Code Execution (CVE-2023-36618)
A large part of the application is built according to the scheme in the following listing. Some functions are defined and at the end the function `callMainFunction` is called, which takes care of processing POST data.

---
ls -al
[...]
-rw-r--r-- 1 root root 0 Apr 21 10:22 root_from_ro
---

2) Missing Authentication (CVE-2023-36619)
The following scripts, which are executable without authentication and do not expect command line arguments, could be identified. For this, heuristic methods based on the source code were used. In particular, scripts were searched for that do not use any of the normally used authentication methods and do not consist only of classes.

- https://hostname/core/configuringInBackground.php
- https://hostname/core/downloadProfiles.php
- https://hostname/core/hello_world.php
- https://hostname/core/scripts/applyZooServerData.php
- https://hostname/core/scripts/cfgGenUpdateSSPStatusTable.php
- https://hostname/core/scripts/checkcardsDbHw.php
- https://hostname/core/scripts/config1.php
- https://hostname/core/scripts/recover.php
- https://hostname/core/scripts/start.php
- https://hostname/core/scripts/startPre.php
- https://hostname/core/shutdown.php
- https://hostname/data/sipLbInfo.php
- https://hostname/data/turnInfo.php

The following demonstrates an execution. The following request is sent to the appliance:

---
GET /core/scripts/start.php HTTP/1.1
Host: hostname
Upgrade-Insecure-Requests: 1
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-Dest: document
Referer: https://hostname/acd.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
---

In the successful response, the time is highlighted to compare with the PHP log:

---
HTTP/1.1 200 OK
Date: Thu, 20 Apr 2023 11:4
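The script below is an added example, not part of the SEC Consult advisory, for re-checking CVE-2023-36619 after an update: it sends the same unauthenticated GET the PoC uses to each of the script paths listed in the advisory and reports the first HTTP status returned. The paths are the advisory's; the base URL "https://hostname" is the advisory's placeholder and must be replaced; PowerShell 7 is assumed (for -SkipCertificateCheck and -SkipHttpErrorCheck). Requesting any of these paths executes the script on the appliance exactly as the PoC does, so shutdown.php is left out of the default list and the check belongs on a lab or test system, not on a production SBC, Branch or BCF.

```powershell
# Added example (not SEC Consult or Atos code): probe the script paths named in
# SA-20230918-0 without a session and report what the web server answers.
# Assumes PowerShell 7+. shutdown.php is intentionally omitted (it would execute).
param(
    [string]$BaseUrl    = 'https://hostname',   # placeholder from the advisory; replace
    [int]   $TimeoutSec = 10
)

# Paths quoted from the advisory (minus /core/shutdown.php).
$UnauthenticatedScripts = @(
    '/core/configuringInBackground.php',
    '/core/downloadProfiles.php',
    '/core/hello_world.php',
    '/core/scripts/applyZooServerData.php',
    '/core/scripts/cfgGenUpdateSSPStatusTable.php',
    '/core/scripts/checkcardsDbHw.php',
    '/core/scripts/config1.php',
    '/core/scripts/recover.php',
    '/core/scripts/start.php',
    '/core/scripts/startPre.php',
    '/data/sipLbInfo.php',
    '/data/turnInfo.php'
)

function Test-UnauthenticatedScript {
    param([string]$Base, [string]$Path, [int]$Timeout)
    $url = $Base.TrimEnd('/') + $Path
    $location = $null
    try {
        # No cookies, no credentials, no redirect following: record the raw first answer.
        $resp = Invoke-WebRequest -Uri $url -Method Get -MaximumRedirection 0 `
            -SkipCertificateCheck -SkipHttpErrorCheck -TimeoutSec $Timeout -ErrorAction Stop
        $status = [int]$resp.StatusCode
        if ($resp.Headers.ContainsKey('Location')) { $location = $resp.Headers['Location'] }
    } catch {
        # Redirect-limit and transport errors land here; keep the status code if one exists.
        $status = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { 0 }
    }
    $verdict = switch ($status) {
        200     { 'REACHABLE without authentication' }
        401     { 'authentication required' }
        403     { 'forbidden' }
        0       { 'no HTTP response' }
        default {
            if ($status -ge 300 -and $status -lt 400) { 'redirected (check whether the target is a login page)' }
            else { 'other, inspect manually' }
        }
    }
    [pscustomobject]@{
        Path     = $Path
        Status   = $status
        Location = ($location -join ',')
        Verdict  = $verdict
    }
}

$UnauthenticatedScripts |
    ForEach-Object { Test-UnauthenticatedScript -Base $BaseUrl -Path $_ -Timeout $TimeoutSec } |
    Format-Table -AutoSize
```

A 200 reproduces the advisory's condition (the script ran without a session, as the start.php example above shows); a 401, 403 or a redirect to the login page is what you want to see after moving to the fixed releases. Any other status needs a manual look, since the advisory does not state what the patched appliance answers for these paths.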