Xtle0O0

**Name of the Vulnerable Software and Affected Versions** emp3r0r versions prior to 3.21.2 **Description** The software accesses multiple shared maps without consistent synchronization across goroutines. Concurrent activity can trigger a `fatal error: concurrent map read and map write`, leading to a C2 process crash and resulting in availability loss. The issue stems from mixed access patterns (iteration and mutation) without a single lock policy in maps such as the operator session map, port-forwarding session map, and FTP stream map. An attacker can trigger high concurrency, such as through rapid operator session churn and simultaneous agent message traffic, to exploit this condition. This results in a denial of service as the C2 component exits due to the panic. **Recommendations** Versions prior to 3.21.2 should be updated to version 3.21.2 or later.

**Name of the Vulnerable Software and Affected Versions** emp3r0r versions prior to 3.21.1 **Description** emp3r0r is a command and control (C2) tool designed for Linux environments. Versions prior to 3.21.1 accept untrusted agent metadata, specifically `Transport` and `Hostname`, during the check-in process. This metadata is then used in tmux shell command strings executed via `/bin/sh -c`, leading to command injection and potential remote code execution on the operator host. **Recommendations** Update to version 3.21.1 or later.

**Nome do Software Vulnerável e Versões Afetadas** Versões do Sliver anteriores à 1.7.0 **Descrição** O listener de comando e controle (C2) DNS aceita mensagens de inicialização TOTP não autenticadas e aloca sessões DNS do lado do servidor sem validar os valores OTP, mesmo quando o EnforceOTP está ativado. As sessões são armazenadas indefinidamente nesse fluxo, permitindo que um ator remoto não autenticado crie sessões repetidamente e esgote a memória do servidor. O código vulnerável está localizado em `server/c2/dns.go` (linhas 84-90, 378-390, 490-521), `client/command/jobs/dns.go` (linhas 46-52), `implant/sliver/transports/dnsclient/dnsclient.go` (linhas 896-900) e `protobuf/dnspb/dns.proto` (linha 22). O vetor de ataque envolve o envio de consultas DNS repetidas com uma mensagem protobuf mínima do tipo `TOTP` para o listener DNS acessível na rede. O caminho de tratamento do tipo `DNSMessageType TOTP` é o gatilho. Isso pode levar a uma negação de serviço remota não autenticada por esgotamento de recursos. **Recomendações** Versões anteriores à 1.7.0 devem ser atualizadas para a versão 1.7.0 ou posterior.

**Name of the Vulnerable Software and Affected Versions** Sliver versions prior to 1.6.11 **Description** Sliver is a command and control framework that utilizes a custom Wireguard netstack. A path traversal issue exists in the website content subsystem, allowing an authenticated operator to read arbitrary files on the Sliver server host. This can expose sensitive data such as operator configurations, TLS keys, tokens, and logs. The issue stems from the server accepting and persisting arbitrary website paths from the operator without proper sanitization or containment, and subsequently reading from disk using these paths. The vulnerable components include the website content management (gRPC): `WebsiteAddContent`, `Website`, and `Websites`, as well as the server-side file read in `Website.ToProtobuf`. The issue requires an authenticated operator account with sufficient permissions. A proof of concept demonstrates the ability to read files like `/etc/hosts`. **Recommendations** Versions prior to 1.6.11 should be updated to version 1.6.11 or later. Validate and reject paths that are absolute or contain '..' in `WebsiteAddContent` (server side). Canonicalize paths and enforce they remain within the web content directory. Avoid reading content by `Path` in `Website.ToProtobuf`; read by content ID instead.