Sudo’s host (-h or --host) option is intended to be used in conjunction with the list option (-l or --list) to list a user’s sudo privileges on a host other than the current one. However, due to a bug it was not restricted to listing privileges and could be used when running a command via sudo or editing a file with sudoedit. Depending on the rules present in the sudoers file this could allow a local privilege escalation attack.| Sudo
We are proud to announce the release of IPFire 2.29 – Core Update 194, the latest update to our secure and high-performance Open Source firewall. This version comes with a number of important improvements and bug fixes, continuing our commitment to building a fast, reliable, and secure platform for networks of all sizes. As always, our focus is on delivering meaningful upgrades that enhance security and usability without unnecessary complexity.| www.ipfire.org
This update brings a wide range of package updates, new features, and security improvements across the board. We’re also shipping some significant bug fixes and enhancements to improve reliability and maintainability.| www.ipfire.org
[UPDATE] March 8, 2021 – Since original publication of this blog, Volexity has now observed that cyber espionage operations using the SSRF vulnerability CVE-2021-26855 started occurring on January 3, 2021, three […]| Volexity
Another Chrome attack is now underway.| Forbes
A medium-severity vulnerability was discovered in Versa Director (CVE-2024-39717), and a patch has been released. Impacted customers failed to implement system hardening and firewall guidelines, leaving a management port exposed on the internet.| The Versa Networks Blog - The Versa Networks Blog
I have recently discovered a serious vulnerability in the KeepKey hardware wallet. Through a stack buffer overflow, remote or local attackers can execute code on the device and perform actions such as stealing the wallet keys from within a malicious website. The vulnerability was introduced with firmware v7.0.3 and patched with v7.1.0 after my disclosure.| invd blog
Cyber Threat Hunting is a critical component necessary to ensuring comprehensive defense and response measures are in place by taking a proactive approach to detecting threats. While threat hunting itself is not a new concept, the actual execution of it is constantly evolving. The current inception of threat hunting is enabled by the fact that big data handling has become more feasible along with the advent of advanced statistical analysis and machine learning.| br0k3nlab.com
A sophisticated new toolset is being used to harvest credentials from multiple cloud service providers, including AWS SES and Microsoft Office 365.| SentinelOne
During a routine audit of various WordPress plugins, we identified some issues in Profile Builder and Profile Builder Pro (50k+ active installs). We discovered an Unauthenticated Privilege Escalati…| WPScan
Exploit, vulnerability discussion online can offer useful signals| www.theregister.com
Stealing another KakaoTalk user’s chat messages with a simple 1-click exploit.| stulle123
log4j: between a rock and a hard place| crawshaw.io
Today, Fortinet published a CVSS Critical PSIRT Advisory (FG-IR-23-097 / CVE-2023-27997) along with several other SSL-VPN related fixes. This blog adds context to that advisory, providing our custo…| Fortinet Blog
Please immediately update Composer to version 2.7.0 or 2.2.23 (composer.phar self-update). The new releases includes fixes for a code execution and possible privilege escalation via InstalledVersions.php or installed.php vulnerability (CVE-2024-24821) reported by Ed Cradock. The vulnerability does not impact packagist.org and Private| Private Packagist
Separate fixes to macOS and iOS patch respective flaws in the kernel and WebKit that can allow threat actors to take over devices and are under attack.| threatpost.com
Earlier this year I had an opportunity to spend some time looking at Squiz Matrix, a Content Management System (CMS) used across a number of sectors including higher eduction, media and publishing, goverment, finance, health, and utilities. With a huge number of features, a massive PHP codebase, and a numbr of high profile sectors as clients, I set out to see if I could find any interesting little bugs hidden away.| /dev/alias – Hack. Dev. Transcend.
I imagine we've all heard about the recent 'Sequoia' bug discovered by the Qualys Research team. It's a fascinating bug so I decided to do variant analysis using CodeQL!| pwning.systems
Use after free in my_login() function of DBD::mysql (Perl module)| blog.fuzzing-project.org
Clicker has a website that presents a game that is a silly version of Universal Paperclips. I’ll find an mass assignment vulnerability that allows me to change my role to admin after bypassing a filter two different ways (newline injection and SQLI). Then I’ll exploit a file write vulnerability to get a webshell and execution on the box. To escalate, I’ll find a SetUID binary for the next user and abuse it to read their SSH key. To get root, I’ll exploit a script the user can run with...| 0xdf hacks stuff
I worked on the Paper active(now retired) machine of HackTheBox, so I will write its writeup. Port Scan kali@kali:~$ nmap -T4 -A -v -Pn -p- 10.10.11.143 PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.0 (protocol 2.0) | ssh-hostkey: | 2048 10:05:ea:50:56:a6:00:cb:1c:9c:93:df:5f:83:e0:64 (RSA) | 256 58:8c:82:1c:c6:63:2a:83:87:5c:2f:2b:4f:4d:c3:79 (ECDSA) |_ 256 31:78:af:d1:3b:c4:2e:9d:60:4e:eb:5d:03:ec:a0:22 (ED25519) 80/tcp open http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid...| melonattacker.github.io
A threat actor can access the /files.md5 file on the client side of a Gurock TestRail application, disclosing a full list of application files and the corresponding file paths. The corresponding file paths can be tested, and in some cases, result in the disclosure hardcoded credentials, API keys, or other sensitive data.| johnjhacking.com
Analyse and detection of CVE-2021-43798| j0vsec
最近,我们在 Github 的 Code Review 中看到 Github 开始出现下面这个 Warning 信息—— “This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below.”也就是说我们的代码中有一些 bidirectional unicode 的文本,中文直译作 “双向文本”,意思是一些语言是从左到右的,而另一些则是是从右到左的(如:阿拉伯语),如果同一个文件里,即有从左向右的文...| 酷 壳 - CoolShell
Overview Recently, CNCERT and 360netlab worked together and discovered a rapidly spreading DDoS botnet on the Internet. The global infection looks fairly big as just in China there are more than 10,000 daily active bots (IPs) and alsomore than 100 DDoS victims beingtargeted on a daily basis. We named| 360 Netlab Blog - Network Security Research Lab at 360
本报告由国家互联网应急中心(CNCERT)与三六零数字安全科技集团有限公司共同发布。 概述 近期,CNCERT和三六零数字安全科技集团有限公司共同监测发现一个新的且在互联网上快速传播的DDoS僵尸网络,通过跟踪监测发现其每日上线境内肉鸡数(以IP数计算)已超过1万、且每日会针对超过100个攻击目标发起攻击,给网络空间带来较大威胁。由于该僵尸网络最初使用的C2域名fol...| 360 Netlab Blog - Network Security Research Lab at 360
Earlier this year our threat researcher found a DLL hijacking flaw affecting Philips SmartControl (CVE-2020-7360). Our latest blog post combines a write-up of this vulnerability with a general introduction to DLL hijacking for infosec students.| Vonahi Security's Blog
React Native security: What developers and team leads need to know. Handle risks and threats, prevent typical security mistakes, follow best engineering practices — learn from our experience.| Cossack Labs
About The Project Given the recent news of the Meow attacks, I was curious about obtaining malware data related to Elasticsearch attacks. I’m a huge fan of Elasticsearch and use it heavily in my side-projects. I’m aware of the dangers of exposing a fresh database install on the open internet. So I simply set up a netcat listener and redirected the output to a file. I was pleasantly surprised at how successful this was.| Arch Cloud Labs
Please immediately update Composer to version 2.3.5, 2.2.12, or 1.10.26 (composer.phar self-update). The new releases include fixes for a command injection security vulnerability (CVE-2022-24828) reported by Thomas Chauchefoin from SonarSource. Fixes for Packagist.org and Private Packagist were deployed within 24 hours of| Private Packagist
On March 9th, the Git project published new releases [https://lore.kernel.org/git/xmqqim6019yd.fsf@gitster.c.googlers.com/] for maintained branches to address security vulnerability CVE-2021-21300 [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21300]. We recommend you update your Git installation to a release containing the fix.| Private Packagist
A logic bug enables a trivial bypass of the basic authentication mechanism of the proxy.| cardaci.xyz
Improper sanitization causes malicious JavaScript code in received emails to be executed when the message is displayed.| cardaci.xyz
A vulnerability in the handling of CSV data import allows authenticated users to inject arbitrary PHP code thus achieving RCE on the server hosting the web application.| cardaci.xyz
Privilege escalation to root can be achieved by a regular user via the password reset form exploiting a directory traversal vulnerability.| cardaci.xyz
Privilege escalation to root can be achieved by a regular user via the file upload handler exploiting an insufficient shell escaping mechanism.| cardaci.xyz
The insufficient output sanitization and inappropriate content type of the responses of the file manager API allows to run arbitrary JavaScript code in the context of the web application.| cardaci.xyz
This is the second part of the article about embedded Linux security.| sergioprado.blog
Zero-day exploits TCC protection by allowing XCSSET malware to bypass user authorization through piggy-backing from previously approved applications.| www.jamf.com
A flaw in exists in sudo’s -e option (aka sudoedit) that allows a malicious user with sudoedit privileges to edit arbitrary files. Sudo versions affected: Sudo versions 1.8.0 through 1.9.12p1 inclusive are affected. Versions of sudo prior to 1.8.0 construct the argument vector differently and are not affected. CVE ID: This vulnerability has been assigned CVE-2023-22809 in the Common Vulnerabilities and Exposures database.| Sudo
A serious heap-based buffer overflow has been discovered in sudo that is exploitable by any local user. It has been given the name Baron Samedit by its discoverer. The bug can be leveraged to elevate privileges to root, even if the user is not listed in the sudoers file. User authentication is not required to exploit the bug. Sudo versions affected: Sudo versions 1.7.7 through 1.7.10p9, 1.8.2 through 1.8.31p2, and 1.9.0 through 1.9.5p1 are affected.| Sudo
On systems where SELinux is enabled, sudo’s RBAC support allows a command to be run with a user-specified role and/or type. In order to transition to the target SELinux security context, sudo runs the command through the sesh helper program. When sudo is invoked as sudoedit, sesh is used to first create the editor temporary files with the proper security context and then, once the editor has run, to copy the edited temporary files to their original locations.| Sudo
Sudo’s pwfeedback option can be used to provide visual feedback when the user is inputting their password. For each key press, an asterisk is printed. This option was added in response to user confusion over how the standard Password: prompt disables the echoing of key presses. While pwfeedback is not enabled by default in the upstream version of sudo, some systems, such as Linux Mint and Elementary OS, do enable it in their default sudoers files.| Sudo
When sudo is configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification, it is possible to run commands as root by specifying the user ID -1 or 4294967295. This can be used by a user with sufficient sudo privileges to run commands as root even if the Runas specification explicitly disallows root access as long as the ALL keyword is listed first in the Runas specification.| Sudo
On Linux systems, sudo parses the /proc/[pid]/stat file to determine the device number of the process’s tty (field 7). The fields in the file are space-delimited, but it is possible for the command name (field 2) to include white space (including newline), which sudo does not account for. A user with sudo privileges can cause sudo to use a device number of the user’s choosing by creating a symbolic link from the sudo binary to a name that contains white space followed by a number.| Sudo
A flaw exists in sudo’s noexec functionality that may allow a user with sudo privileges to run additional commands even when the NOEXEC tag has been applied to a command that uses either the system() or popen() functions. Sudo versions affected: 1.6.8 through 1.8.14p3 inclusive. CVE ID: This vulnerability has been assigned CVE-2016-7032 in the Common Vulnerabilities and Exposures database.| Sudo
A flaw exists in sudo’s noexec functionality that may allow a user with sudo privileges to run additional commands even when the NOEXEC tag has been applied to a command that uses the wordexp() function. Sudo versions affected: 1.6.8 through 1.8.18 inclusive. CVE ID: This vulnerability has been assigned CVE-2016-7076 in the Common Vulnerabilities and Exposures database.| Sudo
Prior to sudo 1.8.12, the TZ environment variable was passed through unchecked. Most libc tzset() implementations support passing an absolute pathname in the time zone to point to an arbitrary, user-controlled file. This may be used to exploit bugs in the C library’s TZ parser or open files the user would not otherwise have access to. Arbitrary file access via TZ could also be used in a denial of service attack by reading from a file or fifo that will block.| Sudo
This is just a post about something that grinds my gears a bit more than it reasonably should: I| without.boats
