Security
Creative Contact Form: Directory Traversal (CVE-2020-9364)
Identifier: AIT-SA-20200301-01
Target: Creative Contact Form (for Joomla)
Vendor: Creative Solutions
Version: 4.6.2 (before Dec 03 2019)
CVE: CVE-2020-9364
Accessibility: Remote
Severity: High
Author: Wolfgang Hotwagner (AIT Austrian Institute of Technology)
Summary
Creative Contact Form is a responsive jQuery contact form for the Joomla content management system.
OpenVPN: updating /etc/resolv.conf
OpenVPN comes with example scripts to update /etc/resolv.conf using "resolvconf" or systemd-resolvconf. I don't use either of them, so I modified the script so that it simply changes /etc/resolv.conf directly. I placed a variable "IMMUTEABLE" in this script. If IMMUTEABLE is set to 1, the script sets the immutable file attribute on /etc/resolv.conf. That way it is possible to prevent other programs such as DHCP clients from changing /etc/resolv.conf while OpenVPN is running.
BSides 2019: Code diving for pop chains
I gave a talk at the BSides 2019 Vienna about PHP Object Injection. Here is the abstract of this talk:
OkayCMS: Unauthenticated remote code execution
Identifier: AIT-SA-20191129-01
Target: OkayCMS
Vendor: OkayCMS
Version: all versions including 2.3.4
CVE: CVE-2019-16885
Accessibility: Local
Severity: Critical
Author: Wolfgang Hotwagner (AIT Austrian Institute of Technology)
Summary
OkayCMS is a simple and functional content management system for an online store.
FreeRadius: Privilege Escalation via Logrotate
Identifier: AIT-SA-20191112-01
Target: FreeRadius
Vendor: FreeRadius
Version: all versions including 3.0.19
Fixed in Version: 12.2.3, 12.1.8 and 12.0.8
CVE: CVE-2019-10143
Accessibility: Local
Severity: Low
Author: Wolfgang Hotwagner (AIT Austrian Institute of Technology)
Summary
CVE-2019-15741: Privilege Escalation via Logrotate in GitLab Omnibus
Overview
- Identifier: AIT-SA-20190930-01
- Target: GitLab Omnibus
- Vendor: GitLab
- Version: 7.4 through 12.2.1
- Fixed in Version: 12.2.3, 12.1.8 and 12.0.8
- CVE: CVE-2019-15741
- Accessibility: Local
- Severity: Low
- Author: Wolfgang Hotwagner (AIT Austrian Institute of Technology)
Vulnerability Description
GitLab Omnibus sets the ownership of the log directory to the system-user "git", which might let local users obtain root access because of unsafe interaction with logrotate.
Privilege escalation in groonga-httpd (CVE-2019-11675)
Overview
- System affected: Debian packages of groonga/-httpd 6.1.5-1
- Software-Version: 6.1.5-1
- User-Interaction: Not required
- Impact: Local root
- CVE: CVE-2019-11675
Detailed Description
The path of the log directory of groonga-httpd can be manipulated by the user groonga:
Anatomy of a Linux container rootkit
This year I gave a talk at the Easterhegg 2019 about a Linux kernel rootkit that can handle containers. I mainly presented my Bachelor work from 2017 with some improvements.