It appears we have something of a problem. It’s not really a new problem, and shouldn’t be too surprising, but it did pop up again this week: bogus CVEs. Starting out in the security field? What’s the best way to jump-start a career? Getting a CVE find to your name certainly can’t hurt. And as a result, you get very junior security researchers looking for and reporting novel security vulnerabilities of sometimes dubious quality. Sometimes that process looks a lot like slinging reports against the wall to see what sticks. Things brings us to an odd bug report in the OBS Studio project.

A researcher put together a script to look for possible password exposure on Github projects, and it caught a configuration value named “password” in a .ini file, being distributed in the project source. Obvious credential leak in Git source, right? Except for the little detail that it was in the “locale” folder, and the files were named ca-es.ini, ja-jp.ini, and similar. You may be in on the joke by now, but if not, those are translation strings. It wasn’t leaked credentials, it was various translations of the word “password”. This sort of thing happens quite often, and from the viewpoint of a researcher looking at results from an automated tool, it can be challenging to spend enough time with each result to fully understand the code in question. It looks like this case includes a language barrier, making it even harder to clear up the confusion.

Things took a turn for the worse when a CVE was requested. The CVE Numbering Authority (CNA) that processed the request was MITRE, which issued CVE-2023-34585. It was a completely bogus CVE, and thankfully a more complete explanation from OBS was enough to convince the researcher of his error. That, however, brings us back to CVE-2023-36262, which was published this week. It’s yet another CVE, for the same non-issue, and even pointing at the same GitHub issue where the alleged bug is debunked. There’s multiple fails here, but the biggest disappointment is MITRE, for handing out CVEs twice for the same issue. Shout-out to [Netspooky] on Twitter for spotting this one.

Bogus PoC

Don’t run untrusted code. Don’t run untrusted code, even if it’s claimed to be a Proof of Concept (PoC) from a security researcher. The background is CVE-2023-35829, a use-after-free in the Rokchip video driver in Linux kernel versions prior to 6.3.2. There’s not a lot of details about this flaw, except that in certain instances it could be used to achieve escalation of privilege. What’s newsworthy is that there was a PoC published on Github, and shared fairly widely on Twitter, but turns out that PoC also included a nasty little surprise.

For anyone that has ran this PoC, consider your data stolen. This is what eventually runs on your host after a few stages. If you wanna analyse it, don't use a web browser or your IP will get blacklisted. #CVE_2023_35829 #backdoor https://t.co/gafdPfDc0r pic.twitter.com/fUIqclSARX

— Andrei Scutariu (@xnand_) July 4, 2023

The tweets and GitHub repositories have been yanked, but a bit of Google-fu can find the cached repos. (Warning, running that PoC is not a good idea.)

Bogus Breach Claim — Maybe

There’s a relatively new hacktivist group making itself a pain to the Western world recently, working under the name Anonymous Sudan. This group has made it’s name by doing Distributed Denial of Service attacks against Western targets like Microsoft. This week, the group made claims that they had hit Microsoft with a breach, and exfiltrated 30 million customers’ data. The only problem is that Microsoft can’t find any sign of a problem. The 100 samples of stolen data that were released with the announcement seem to be from an old incident, so we’re rating this one “probably bogus”.

WordPress Plugin: Ultimate Member

On the other hand, the attack against WordPress installs using the Ultimate Member plugin seems to be very real. The vulnerability involves setting a user’s wp_capabilities value to jump to administrator privileges. That was accomplished by side-stepping security code through the use of wp_capabiliti\\es, wp_caPabilitiEs, and a few other creative bypasses. With version 2.6.7 of the plugin, a whitelist of those allowed keys has been added, finally putting the issue to rest.

ServiceNow

Researcher [R3zk0n] has found a series of issues in the ServiceNow platform that could lead to Admin access. This cloud system provides IT software as a service, and is used widely worldwide. The issue allows any standard user account to become an administrator. The PoC is published, and a ServiceNow update is available. While it is a welcome relief that this attack requires a valid user account, it still ranks a CVSS of 9.9, and may prove to be quite a problem.

Bits and Bytes

We do have an interesting problem in the Linux Kernel, nicknamed StackRot. It’s a very broad privilege escalation, introduced in kernel 6.1 with the addition of the Maple Tree memory structure. This vulnerability actually ended up provoking Linus Torvalds to sling some C code himself to fix it. The fix is in versions 6.1.37, 6.3.11, 6.4.1, and the in-process 6.5 code.

PortSwigger is back with a guide to GraphQL. Turns out that there are some common ways to find GraphQL endpoints, and potentially quite a bit of information that can be gathered from looking at what’s available at that endpoint.

Similarly, HAKAI Offensive Security has a primer on finding Nginx traversal flaws. The most common one seems to be a location configuration that lacks the final slash on a path, opening up the server to path traversal and other fun tricks. Go forth and learn! And hack responsibly.