
Commit 8caa2a1

Merge pull request #132 from 0xn3va/develop
Small updates
2 parents 461a53e + 144183e commit 8caa2a1


13 files changed

+838
-605
lines changed


Container/Escaping/cve-list.md

Lines changed: 12 additions & 1 deletion
@@ -19,9 +19,20 @@
1919

2020
| CVE | Title | Required capabilities | References |
2121
| --- | --- | --- | --- |
22+
| [CVE-2022-47939](https://nvd.nist.gov/vuln/detail/CVE-2022-47939) | A use-after-free vulnerability in fs/ksmbd/smb2pdu.c | `?` | <p>> [Linux Kernel ksmbd Use-After-Free Remote Code Execution Vulnerability](https://www.zerodayinitiative.com/advisories/ZDI-22-1690/)</p> |
23+
| [CVE-2022-34918](https://nvd.nist.gov/vuln/detail/CVE-2022-34918) | A type confusion bug in nft_set_elem_init that leads to a buffer overflow. | CAP_NET_ADMIN | <p>> [CVE-2022-34918 A crack in the Linux firewall](https://randorisec.fr/crack-linux-firewall/)</p><p>> [Github: randorisec/CVE-2022-34918-LPE-PoC](https://github.com/randorisec/CVE-2022-34918-LPE-PoC)</p> |
24+
| [CVE-2022-32250](https://nvd.nist.gov/vuln/detail/CVE-2022-32250) | A use-after-free vulnerability in the Netfilter subsystem | `?` | <p>> [Linux Kernel Exploit (CVE-2022-32250) with mqueue](https://blog.theori.io/research/CVE-2022-32250-linux-kernel-lpe-2022/)</p><p>> [SETTLERS OF NETLINK: Exploiting a limited UAF in nf_tables (CVE-2022-32250)](https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a-limited-uaf-in-nf_tables-cve-2022-32250/)</p> |
25+
| [CVE-2022-29582](https://nvd.nist.gov/vuln/detail/CVE-2022-29582) | A use-after-free vulnerability in fs/io_uring.c due to a race condition in io_uring timeouts | - | <p>> [CVE-2022-29582: An io_uring vulnerability](https://ruia-ruia.github.io/2022/08/05/CVE-2022-29582-io-uring/)</p><p>> [Github: Ruia-ruia/CVE-2022-29582-Exploit](https://github.com/Ruia-ruia/CVE-2022-29582-Exploit)</p> |
26+
| [CVE-2022-27666](https://nvd.nist.gov/vuln/detail/CVE-2022-27666) | A heap buffer overflow vulnerability in IPsec ESP transformation code in net/ipv4/esp4.c and net/ipv6/esp6.c that allows a local attacker with a normal user privilege to overwrite kernel heap objects. | `?` | <p>> [CVE-2022-27666: Exploit esp6 modules in Linux kernel](https://etenal.me/archives/1825)</p><p>> [Github: plummm/CVE-2022-27666](https://github.com/plummm/CVE-2022-27666)</p> |
27+
| [CVE-2022-2602](https://access.redhat.com/security/cve/cve-2022-2602) | A use-after-free vulnerability when an io_uring request is being processed. | | <p>> [DirtyCred Remastered: how to turn an UAF into Privilege Escalation](https://exploiter.dev/blog/2022/CVE-2022-2602.html)</p><p>> [Github: LukeGix/CVE-2022-2602](https://github.com/LukeGix/CVE-2022-2602)</p> |
28+
| [CVE-2022-2588](https://access.redhat.com/security/cve/cve-2022-2588) | A use-after-free vulnerability in route4_change in the net/sched/cls_route.c filter implementation in the Linux kernel. | CAP_NET_ADMIN | <p>> [DirtyCred: Opening Pandora’s Box to Current and Future Container Escapes](https://www.crowdstrike.com/blog/what-is-the-dirtycred-exploit-technique/)</p><p>> [Markakd/CVE-2022-2588](https://github.com/Markakd/CVE-2022-2588)</p> |
2229
| [CVE-2022-25636](https://nvd.nist.gov/vuln/detail/CVE-2022-25636) | An out-of-bounds memory access leads to privilege escalation | CAP_NET_ADMIN | [The Discovery and Exploitation of CVE-2022-25636](https://nickgregory.me/linux/security/2022/03/12/cve-2022-25636/) |
30+
| [CVE-2022-1786](https://nvd.nist.gov/vuln/detail/CVE-2022-1786) | A use-after-free flaw in io_uring subsystem in the way a user sets up a ring with IORING_SETUP_IOPOLL with more than one task completing submissions on this ring. | `?` | [CVE-2022-1786 A Journey To The Dawn](https://blog.kylebot.net/2022/10/16/CVE-2022-1786/) |
31+
| [CVE-2022-1015](https://nvd.nist.gov/vuln/detail/CVE-2022-1015) | A flaw in linux/net/netfilter/nf_tables_api.c of the netfilter subsystem that allows a local user to cause an out-of-bounds write issue | CAP_NET_ADMIN | <p>> [CVE-2022-1015: A validation flaw in Netfilter leading to Local Privilege Escalation](https://ysanatomic.github.io/cve-2022-1015/)</p><p>> [How The Tables Have Turned: An analysis of two new Linux vulnerabilities in nf_tables](https://blog.dbouman.nl/2022/04/02/How-The-Tables-Have-Turned-CVE-2022-1015-1016/)</p> |
32+
| [CVE-2022-0995](https://nvd.nist.gov/vuln/detail/CVE-2022-0995) | An out-of-bounds memory write flaw in watch_queue event notification subsystem that can overwrite parts of the kernel state. | `?` | [Github: Bonfee/CVE-2022-0995](https://github.com/Bonfee/CVE-2022-0995) |
33+
| [CVE-2022-0847](https://nvd.nist.gov/vuln/detail/cve-2022-0847) | A vulnerability which allows overwriting data in arbitrary read-only files and leads to privilege escalation via injecting code into root processes | CAP_DAC_READ_SEARCH | <p>> [The Dirty Pipe Vulnerability](https://dirtypipe.cm4all.com/)</p><p>> [DirtyPipe (CVE-2022-0847) – the new DirtyCoW?](https://jfrog.com/blog/dirtypipe-cve-2022-0847-the-new-dirtycow/)</p><p>> [Github: greenhandatsjtu/CVE-2022-0847-Container-Escape](https://github.com/greenhandatsjtu/CVE-2022-0847-Container-Escape)</p><p>> [Github: Al1ex/CVE-2022-0847](https://github.com/Al1ex/CVE-2022-0847)</p> |
2334
| [CVE-2022-0492](https://nvd.nist.gov/vuln/detail/CVE-2022-0492) | Missing verification allows setting the `release_agent` file for the process without administrative privileges | <p>CAP_SYS_ADMIN</p><p>Disabled AppArmor/SELinux</p><p>Disabled Seccomp</p> | [New Linux Vulnerability CVE-2022-0492 Affecting Cgroups: Can Containers Escape?](https://unit42.paloaltonetworks.com/cve-2022-0492-cgroups/) |
24-
| [CVE-2022-0185](https://access.redhat.com/security/cve/cve-2022-0185) | A heap-based buffer overflow flaw in the legacy_parse_param function in the Filesystem Context functionality of the Linux kernel | <p>CAP_SYS_ADMIN</p><p>or [unshare(CLONE_NEWNS&#124;CLONE_NEWUSER)](https://man7.org/linux/man-pages/man1/unshare.1.html)</p> | <p>> [CVE-2022-0185 - Winning a $31337 Bounty after Pwning Ubuntu and Escaping Google's KCTF Containers](https://www.willsroot.io/2022/01/cve-2022-0185.html)</p><p>> [CVE-2022-0185 in Linux Kernel Can Allow Container Escape in Kubernetes](https://blog.aquasec.com/cve-2022-0185-linux-kernel-container-escape-in-kubernetes)</p><p>> [Demo exploits for CVE-2022-0185](https://github.com/Crusaders-of-Rust/CVE-2022-0185)</p> |
35+
| [CVE-2022-0185](https://access.redhat.com/security/cve/cve-2022-0185) | A heap-based buffer overflow flaw in the legacy_parse_param function in the Filesystem Context functionality of the Linux kernel | <p>CAP_SYS_ADMIN</p><p>or [unshare(CLONE_NEWNS&#124;CLONE_NEWUSER)](https://man7.org/linux/man-pages/man1/unshare.1.html)</p> | <p>> [CVE-2022-0185 - Winning a $31337 Bounty after Pwning Ubuntu and Escaping Google's KCTF Containers](https://www.willsroot.io/2022/01/cve-2022-0185.html)</p><p>> [CVE-2022-0185 in Linux Kernel Can Allow Container Escape in Kubernetes](https://blog.aquasec.com/cve-2022-0185-linux-kernel-container-escape-in-kubernetes)</p><p>> [Github: Crusaders-of-Rust/CVE-2022-0185](https://github.com/Crusaders-of-Rust/CVE-2022-0185)</p> |
2536
| [CVE-2021-22555](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22555) | A heap out-of-bounds write in Linux Netfilter | CAP_NET_ADMIN | [CVE-2021-22555: Turning \x00\x00 into 10000$](https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html) |
2637
| [CVE-2021-31440](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31440) | The flaw in handling of eBPF programs leads to escalate privileges | CAP_SYS_MODULE | [CVE-2021-31440: AN INCORRECT BOUNDS CALCULATION IN THE LINUX KERNEL EBPF VERIFIER](https://www.zerodayinitiative.com/blog/2021/5/26/cve-2021-31440-an-incorrect-bounds-calculation-in-the-linux-kernel-ebpf-verifier) |
2738
| [CVE-2020-8835](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8835) | The bpf verifier (kernel/bpf/verifier.c) did not properly restrict the register bounds for 32-bit operations, leading to out-of-bounds reads and writes in kernel memory | CAP_SYS_ADMIN | [CVE-2020-8835: LINUX KERNEL PRIVILEGE ESCALATION VIA IMPROPER EBPF PROGRAM VERIFICATION](https://www.zerodayinitiative.com/blog/2020/4/8/cve-2020-8835-linux-kernel-privilege-escalation-via-improper-ebpf-program-verification) |
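Review bot: the Required capabilities column now mixes three markers for "not established": `?` (CVE-2022-47939, CVE-2022-32250, CVE-2022-27666, CVE-2022-1786, CVE-2022-0995), `-` (CVE-2022-29582) and an empty cell (CVE-2022-2602). Settle on one convention (for example `?` for not yet checked and `-` for nothing beyond an unprivileged process) and fill the empty CVE-2022-2602 cell, otherwise a reader cannot tell "no capability needed" from "nobody looked". The CVE-2022-47939 row also fits this table poorly: its own reference title describes a remote code execution in the ksmbd server, so what gates exploitation is a reachable ksmbd service rather than a capability held inside the container; saying that in the capabilities cell would be more useful than `?`. Minor: the rows are ordered as strings rather than numerically (CVE-2022-2602 and CVE-2022-2588 sit above CVE-2022-25636), which is fine as long as it is deliberate.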

Linux/bash-tips.md

Lines changed: 5 additions & 1 deletion
@@ -2,7 +2,7 @@
22

33
# Bash multiprocessing
44

5-
{% embed url="https://fr1nge.xyz/posts/supercharge-your-bash-scripts-with-multiprocessing/" %}
5+
{% embed url="https://web.archive.org/web/20210625034833/https://fr1nge.xyz/posts/supercharge-your-bash-scripts-with-multiprocessing/" %}
66

77
# Useful commands
88

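Review bot: replacing the embed with the web.archive.org snapshot drops the canonical fr1nge.xyz URL from the page; keep the original URL as a plain link beside the snapshot so the author keeps attribution and readers can check whether the live post is back, with the archive copy as the fallback.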
@@ -186,6 +186,10 @@ $ pv file.txt -L 2 # 2 bytes per second
186186
$ pv file.txt -L -l 2 # 2 lines per second
187187
```
188188

189+
## ssh
190+
191+
{% embed url="https://iximiuz.com/en/posts/ssh-tunnels/" %}
192+
189193
## tar
190194

191195
[tar](https://linux.die.net/man/1/tar) saves many files together into a single tape or disk archive, and can restore individual files from the archive.
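Review bot: the new `## ssh` section is an embed with no text, while the neighbouring `## tar` section opens with a one-line description before its content. Add a sentence stating what the linked post covers (the URL points at SSH tunnels, i.e. port forwarding) so the section still says something when the embed does not render, and so it matches the style of the other subsections under `# Useful commands`.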

SUMMARY.md

Lines changed: 2 additions & 0 deletions
@@ -144,4 +144,6 @@
144144
- [Race Condition](Web%20Application/Race%20Condition/README.md)
145145
- [Server Side Request Forgery](Web%20Application/Server%20Side%20Request%20Forgery/README.md)
146146
- [Post Exploitation](Web%20Application/Server%20Side%20Request%20Forgery/post-exploitation.md)
147+
- [SVG Abuse](Web%20Application/SVG%20Abuse/README.md)
148+
- [Weak Random Generation](Web%20Application/Weak%20Random%20Generation/README.md)
147149
- [Web Cache Poisoning](Web%20Application/Web%20Cache%20Poisoning/README.md)
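Review bot: the two new entries link `Web Application/SVG Abuse/README.md` and `Web Application/Weak Random Generation/README.md`, but neither file is among the diffs rendered on this page (6 of the 13 changed files are shown), so confirm both READMEs are part of this merge; a SUMMARY entry without its target is a broken navigation link in the GitBook build. Placement between Server Side Request Forgery and Web Cache Poisoning keeps the list alphabetical.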

Web Application/Abusing HTTP hop-by-hop Request Headers/README.md

Lines changed: 1 addition & 0 deletions
@@ -85,3 +85,4 @@ Remeber that `X-Forwarded-For` header is not the only header for transmitting a
8585

8686
- [Abusing HTTP hop-by-hop request headers](https://nathandavison.com/blog/abusing-http-hop-by-hop-request-headers)
8787
- [Python script to find hop-by-hop header abuse potential against the provided URL](https://gist.github.com/ndavison/298d11b3a77b97c908d63a345d3c624d)
88+
- [Writeup: Worldwide Server-side Cache Poisoning on All Akamai Edge Nodes ($50K+ Bounty Earned)](https://medium.com/@jacopotediosi/worldwide-server-side-cache-poisoning-on-all-akamai-edge-nodes-50k-bounty-earned-f97d80f3922b)
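Review bot: the unchanged context line shown in this hunk's header reads `Remeber that ...`; it should be `Remember`, and since the file is being touched it is worth fixing here. The added reference also carries a `Writeup:` prefix while the two existing entries in the same list have none; prefix all three or none so the list reads consistently.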

Web Application/Broken Authentication/README.md

Lines changed: 81 additions & 4 deletions
@@ -6,6 +6,81 @@ If the operations of adding a new email address or changing an existing one do n
66

77
{% embed url="https://0xn3va.gitbook.io/cheat-sheets/cloud/aws/amazon-cognito" %}
88

9+
# Email confirmation
10+
11+
## Binding an email using a confirmation link
12+
13+
Try to follow a confirmation link for account `A` within the session of account `B` within an email confirmation flow. If an application is vulnerable, it will link the verified email to account `B`. In this case, the attack flow may look like:
14+
15+
1. An attacker links `[email protected]` to their account.
16+
1. An attacker sends a confirmation link to a victim.
17+
1. A victim follows the link from an email while logged into an application.
18+
1. An application links `[email protected]` to a victim.
19+
20+
References:
21+
- [Writeup: Watch out the links : Account takeover!](https://akashhamal0x01.medium.com/watch-out-the-links-account-takeover-32b9315390a7)
22+
23+
## Confirmation of multiple emails
24+
25+
A method for adding new emails can accept several email address in a single request. However, the method can create a one-time token based on only one email, but send an email with a recovery link to all passed emails at once. For instance, if an application is vulnerable to such an attack, on the following request:
26+
27+
```http
28+
PUT /user/profile HTTP/1.1
29+
Host: vulnerable-website.com
30+
Content-Type: application/json
31+
Content-Length: 57
32+
33+
34+
```
35+
36+
an application sends the same confirmation link to two email addresses.
37+
38+
You can also try the following payloads:
39+
40+
```http
41+
42+
43+
44+
45+
46+
47+
...
48+
```
49+
50+
Another similar case is if there is a business logic vulnerability when confirmation link is sent to a wrong email. For example, if an application sends a confirmation link to an already added, main email, instead of an unconfirmed one.
51+
52+
References:
53+
- [Report: Email Confirmation Bypass in myshop.myshopify.com that Leads to Full Privilege Escalation to Any Shop Owner by Taking Advantage of the Shopify SSO](https://hackerone.com/reports/791775)
54+
55+
## Skipping the confirmation process
56+
57+
If an application allows you to create users without an email confirmation process, you can try to abuse that to get a new user with a pre-confirmed email. This is possible at least in the following cases:
58+
59+
- An application allows creation of bot users that have pre-defined confirmed emails.
60+
- SCIM provisioning functions.
61+
- OAuth authentication via a vulnerable service that allows using unconfirmed accounts for authentication.
62+
63+
References:
64+
- [Report: Bypass Email Verification -- Able to Access Internal Gitlab Services that use Login with Gitlab and Perform Check on email domain](https://gitlab.com/gitlab-org/gitlab/-/issues/11643)
65+
66+
## Using unconfirmed emails
67+
68+
If an application allows using unconfirmed emails, try to abuse this behavior in flows where an application or other applications/systems rely on an email address. For example:
69+
70+
- If there are applications/systems that blindly trust the data of a vulnerable application, you can try to abuse this trust. For example, if an application can be used as an OAuth authorization server, try using an account with an unconfirmed email to authenticate to a third-party application using OAuth, you can find more details at [OAuth 2.0 Vulnerabilities: Abusing accounts with unconfirmed email](/Web%20Application/OAuth%202.0%20Vulnerabilities/README.md#abusing-accounts-with-unconfirmed-email).
71+
- Try using unconfirmed emails to preoccupy emails that may be used by other users or used internally by an application. In this case, you can block some application functions for all or specific users.
72+
- If some functions must not be available for users who have not confirmed their email, check that these functions are really not available for them. Additionally, make sure the REST and GraphQL APIs also abide by the same policy.
73+
74+
## Using OTP for email confirmation
75+
76+
{% embed url="https://0xn3va.gitbook.io/cheat-sheets/web-application/broken-authentication#phone-and-otp-authentication" %}
77+
78+
## Weak confirmation token
79+
80+
Confirmation token may be generated using a vulnerable generation algorithm, which may lead to the possibility of predicting the generated values. If you manage to predict tokens you will be able to generate valid confirmation tokens for any emails.
81+
82+
{% embed url="https://0xn3va.gitbook.io/cheat-sheets/web-application/weak-random-generation" %}
83+
984
# Information disclosure
1085

1186
An application can return unknown data in response when performing an operation. These can be requested passwords, generated OTP, cookies with additional privileges, user data, detailed error messages, and etc. Check the response from the server for such data.
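Review bot: the two `http` blocks in "Confirmation of multiple emails" are hollow as rendered here: the first shows `Content-Length: 57` with no body, and the second contains only `...`. If the JSON bodies carrying the multiple email addresses were stripped by the page rendering, verify they are present in the committed file; if they were never written, the section does not show the payload it describes. In the same section, "several email address" should be "several email addresses", and "send an email with a recovery link" should say "confirmation link", since the flow under discussion is email confirmation, not password recovery. In "Binding an email using a confirmation link", "within the session of account `B` within an email confirmation flow" repeats "within"; rephrase as "during the email confirmation flow". The "Using OTP for email confirmation" subsection embeds a section of this same page; a relative anchor link to `#phone-and-otp-authentication` would be cheaper than an embed that renders a card for the page the reader is already on.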
@@ -134,10 +209,6 @@ Content-Length: 72
134209

135210
## Password recovery does not end previously created sessions
136211

137-
{% hint style="info" %}
138-
This is the best practice to follow
139-
{% endhint %}
140-
141212
Successful password recovery should end previously created sessions. If this does not happen, an victim will not have mechanisms for managing the security of their account. As a result, an attacker will be able to maintain an active session for an extended period of time.
142213

143214
## Token leakage via Referer header
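Review bot: the context line just below the deleted hint reads "an victim will not have mechanisms"; it should be "a victim", worth correcting in the same change. Dropping the "This is the best practice to follow" hint is consistent with the rest of the page, where each `##` entry is described as a finding without a hint block, so the removal itself is fine.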
@@ -153,6 +224,12 @@ References:
153224
- [Report: [Cross Domain Referrer Leakage] Password Reset Token Leaking to Third party Sites.](https://hackerone.com/reports/265740)
154225
- [Report: Referer Referer Header Leakage in language changer may lead to FB token theft](https://hackerone.com/reports/870062)
155226

227+
## Weak recovery token
228+
229+
Recovery token may be generated using a vulnerable generation algorithm, which may lead to the possibility of predicting the generated values. If you manage to predict tokens you will be able to generate valid recovery tokens for any accounts.
230+
231+
{% embed url="https://0xn3va.gitbook.io/cheat-sheets/web-application/weak-random-generation" %}
232+
156233
# Phone and OTP authentication
157234

158235
## OTP resend
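Review bot: the new "Weak recovery token" paragraph is the "Weak confirmation token" paragraph from the first hunk with one word swapped, which is acceptable for a cheat sheet, but both need an article ("A recovery token may be generated ...") and "which may lead to the possibility of predicting the generated values" can be tightened to "which may make the generated values predictable". The embed of the weak-random-generation page is the right pointer for both.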

Web Application/Command Injection/README.md

Lines changed: 11 additions & 1 deletion
@@ -70,8 +70,9 @@ The following `GIT_*` parameters can be used to abuse a git directory:
7070
- [GIT_PROXY_COMMAND](https://git-scm.com/docs/git-config#Documentation/git-config.txt-coregitProxy) is used for overridding `core.gitProxy`
7171
- [GIT_SSH_COMMAND](https://git-scm.com/docs/git-config#Documentation/git-config.txt-coresshCommand) is used for overridding `core.sshCommand`
7272
- [GIT_EXTERNAL_DIFF](https://git-scm.com/docs/git-config#Documentation/git-config.txt-diffexternal) is used for overridding `diff.external`
73+
- [GIT_CONFIG*](https://git-scm.com/docs/git-config#Documentation/git-config.txt-GITCONFIGCOUNT). Modern versions of Git support setting any config value via `GIT_CONFIG*` environment variables
7374

74-
{% embed url="https://0xn3va.gitbook.io/cheat-sheets/web-application/command-injection/parameters-injection@abusing-a-git-directory" %}
75+
{% embed url="https://0xn3va.gitbook.io/cheat-sheets/web-application/command-injection/parameters-injection#abusing-a-git-directory" %}
7576

7677
## LD_PRELOAD
7778

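Review bot: the new `GIT_CONFIG*` bullet is vaguer than the bullets above it; name the actual variables (`GIT_CONFIG_COUNT`, `GIT_CONFIG_KEY_<n>`, `GIT_CONFIG_VALUE_<n>`) and the version that introduced them (Git 2.31) so a reader knows what to set and whether the target honours them. In an injection context this is the most general entry in the list, since it can set any of the keys named above (`core.gitProxy`, `core.sshCommand`, `diff.external`), and the bullet could say so. The `@` to `#` fix in the embed anchor is correct. The three unchanged context bullets spell "overridding"; it should be "overriding".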
@@ -344,6 +345,15 @@ Open3.capture2e("os command here")
344345
Open3.pipeline("os command here")
345346
```
346347
348+
# Linux files
349+
350+
## /etc/environment
351+
352+
[/etc/environment](https://man7.org/linux/man-pages/man7/environ.7.html) contains environment variables specifying the basic environment variables for new shells. However, it can be used by other programs. Every executed job in the Linux task scheduler (cron) imports this file, and if there is a job that is executed by a user (e.g. root), you can abuse `/etc/environment` to execute arbitrary code on behalf of that user. For example, you can use [LD_PRELOAD](#ld_preload) to gain code execution.
353+
354+
References:
355+
- [FabricScape: Escaping Service Fabric and Taking Over the Cluster](https://unit42.paloaltonetworks.com/fabricscape-cve-2022-30137/)
356+
347357
# Tips
348358
349359
## Brace expansion
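Review bot: "Every executed job in the Linux task scheduler (cron) imports this file" overstates it. cron does not read `/etc/environment` itself; the file is loaded by PAM's `pam_env` module when the cron daemon's PAM configuration includes it (the case on Debian and Ubuntu), so the trick is distribution dependent and does not apply where cron is built without PAM or `pam_env` is not configured for it. Reword to say that, and link `pam_env(8)` rather than `environ(7)`, which documents process environments in general and not this file. State the precondition explicitly too: the attacker needs write access to `/etc/environment`, which is normally root-owned and not world-writable, so this is a post-compromise or misconfiguration vector rather than a primitive on its own. The `LD_PRELOAD` pointer is apt, since a root cron job is not a set-uid (secure-execution) context and the loader will honour the variable.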
