xGHOSTSECx

GOVERNMENT OF UZBEKISTAN WORKING EXPLOITS

Nov 14th, 2021
NGINX EXPLOIT
nginx/1.20.1

GOVERNMENT OF UZBEKISTAN

https://gps.103.gov.uz/

HIGH SEVERITY
Use After Free
Vulnerable module: glibc/libc-bin
Introduced through: glibc/libc-bin@2.28-10 and glibc/libc6@2.28-10
Detailed paths
Introduced through: nginx@1.20.1 › glibc/libc-bin@2.28-10
Introduced through: nginx@1.20.1 › glibc/libc6@2.28-10
NVD Description
Note: Versions mentioned in the description apply to the upstream glibc package.

The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact.

Use After Free vulnerability report

HIGH SEVERITY
Integer Overflow or Wraparound
Vulnerable module: glibc/libc-bin
Introduced through: glibc/libc-bin@2.28-10 and glibc/libc6@2.28-10
Detailed paths
Introduced through: nginx@1.20.1 › glibc/libc-bin@2.28-10
Introduced through: nginx@1.20.1 › glibc/libc6@2.28-10
NVD Description
Note: Versions mentioned in the description apply to the upstream glibc package.

The wordexp function in the GNU C Library (aka glibc) through 2.33 may crash or read arbitrary memory in parse_param (in posix/wordexp.c) when called with an untrusted, crafted pattern, potentially resulting in a denial of service or disclosure of information. This occurs because atoi was used but strtoul should have been used to ensure correct calculations.

Integer Overflow or Wraparound vulnerability report

HIGH SEVERITY
Double Free
Vulnerable module: icu/libicu63
Introduced through: icu/libicu63@63.1-6+deb10u1
Detailed paths
Introduced through: nginx@1.20.1 › icu/libicu63@63.1-6+deb10u1
NVD Description
Note: Versions mentioned in the description apply to the upstream icu package.

Double free in ICU in Google Chrome prior to 91.0.4472.77 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

HIGH SEVERITY
Double Free
Vulnerable module: icu/libicu63
Introduced through: icu/libicu63@63.1-6+deb10u1
Detailed paths
Introduced through: nginx@1.20.1 › icu/libicu63@63.1-6+deb10u1
NVD Description
Note: Versions mentioned in the description apply to the upstream icu package.

Double free in ICU in Google Chrome prior to 91.0.4472.77 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Double Free vulnerability report

HIGH SEVERITY
Information Exposure
Vulnerable module: gcc-8/gcc-8-base
Introduced through: gcc-8/gcc-8-base@8.3.0-6, gcc-8/libgcc1@1:8.3.0-6 and others
Detailed paths
Introduced through: nginx@1.20.1 › gcc-8/gcc-8-base@8.3.0-6
Introduced through: nginx@1.20.1 › gcc-8/libgcc1@1:8.3.0-6
Introduced through: nginx@1.20.1 › gcc-8/libstdc++6@8.3.0-6
NVD Description
Note: Versions mentioned in the description apply to the upstream gcc-8 package.

stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances) generate instruction sequences when targeting ARM targets that spill the address of the stack protector guard, which allows an attacker to bypass the protection of -fstack-protector, -fstack-protector-all, -fstack-protector-strong, and -fstack-protector-explicit against stack overflow by controlling what the stack canary is compared against.

HIGH SEVERITY
Incorrect Privilege Assignment
Vulnerable module: systemd/libsystemd0
Introduced through: systemd/libsystemd0@241-7~deb10u8 and systemd/libudev1@241-7~deb10u8
Detailed paths
Introduced through: nginx@1.20.1 › systemd/libsystemd0@241-7~deb10u8
Introduced through: nginx@1.20.1 › systemd/libudev1@241-7~deb10u8
NVD Description
Note: Versions mentioned in the description apply to the upstream systemd package.

It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient service UID/GID even after the service is terminated. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the UID/GID will be recycled.

Incorrect Privilege Assignment vulnerability report

HIGH SEVERITY
Privilege Chaining
Vulnerable module: systemd/libsystemd0
Introduced through: systemd/libsystemd0@241-7~deb10u8 and systemd/libudev1@241-7~deb10u8
Detailed paths
Introduced through: nginx@1.20.1 › systemd/libsystemd0@241-7~deb10u8
Introduced through: nginx@1.20.1 › systemd/libudev1@241-7~deb10u8
NVD Description
Note: Versions mentioned in the description apply to the upstream systemd package.

It was discovered that a systemd service that uses DynamicUser property can get new privileges through the execution of SUID binaries, which would allow to create binaries owned by the service transient group with the setgid bit set. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the GID will be recycled.

Privilege Chaining vulnerability report

HIGH SEVERITY
Cleartext Transmission of Sensitive Information
Vulnerable module: curl
Introduced through: curl@7.64.0-4+deb10u2 and curl/libcurl4@7.64.0-4+deb10u2
Detailed paths
Introduced through: nginx@1.20.1 › curl@7.64.0-4+deb10u2
Introduced through: nginx@1.20.1 › curl/libcurl4@7.64.0-4+deb10u2
NVD Description
Note: Versions mentioned in the description apply to the upstream curl package.

A user can tell curl >= 7.20.0 and <= 7.78.0 to require a successful upgrade to TLS when speaking to an IMAP, POP3 or FTP server (--ssl-reqd on the command line or CURLOPT_USE_SSL set to CURLUSESSL_CONTROL or CURLUSESSL_ALL with libcurl). This requirement could be bypassed if the server would return a properly crafted but perfectly legitimate response. This flaw would then make curl silently continue its operations without TLS contrary to the instructions and expectations, exposing possibly sensitive data in clear text over the network.

HIGH SEVERITY
Insufficient Entropy
Vulnerable module: gcc-8/gcc-8-base
Introduced through: gcc-8/gcc-8-base@8.3.0-6, gcc-8/libgcc1@1:8.3.0-6 and others
Detailed paths
Introduced through: nginx@1.20.1 › gcc-8/gcc-8-base@8.3.0-6
Introduced through: nginx@1.20.1 › gcc-8/libgcc1@1:8.3.0-6
Introduced through: nginx@1.20.1 › gcc-8/libstdc++6@8.3.0-6
NVD Description
Note: Versions mentioned in the description apply to the upstream gcc-8 package.

The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.

Insufficient Entropy vulnerability report

HIGH SEVERITY
Reachable Assertion
Vulnerable module: glibc/libc-bin
Introduced through: glibc/libc-bin@2.28-10 and glibc/libc6@2.28-10
Detailed paths
Introduced through: nginx@1.20.1 › glibc/libc-bin@2.28-10
Introduced through: nginx@1.20.1 › glibc/libc6@2.28-10
NVD Description
Note: Versions mentioned in the description apply to the upstream glibc package.

The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier, when processing invalid input sequences in the ISO-2022-JP-3 encoding, fails an assertion in the code path and aborts the program, potentially resulting in a denial of service.

#GhostSec
#WhosYourDaddySec
