reconFTW is a tool designed to perform automated recon on a target domain by running the best set of tools to perform scanning and finding out vulnerabilities. A vulnerability has been identified in reconftw where inadequate validation of retrieved subdomains may lead to a Remote Code Execution (RCE) attack. An attacker can exploit this vulnerability by crafting a malicious CSP entry on it's own domain. Successful exploitation can lead to the execution of arbitrary code within the context of the application, potentially compromising the system. This issue has been addressed in version 2.7.1.1 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-46117: fix regex · six2dez/reconftw@e639de3

Cross-Site Request Forgery (CSRF) in GitHub repository modoboa/modoboa prior to 2.2.2.

**modoboa Cross-Site Request Forgery vulnerability**

Moderate severity GitHub Reviewed Published Oct 20, 2023 to the GitHub Advisory Database • Updated Oct 20, 2023

GHSA-57cr-rq3f-ppmx: modoboa Cross-Site Request Forgery vulnerability

Cross-site Scripting (XSS) - DOM in GitHub repository modoboa/modoboa prior to 2.2.2.

**modoboa Cross-site Scripting vulnerability**

Critical severity GitHub Reviewed Published Oct 20, 2023 to the GitHub Advisory Database • Updated Oct 20, 2023

GHSA-pqgm-9g82-wcm7: modoboa Cross-site Scripting vulnerability

**modoboa Cross-site Scripting vulnerability**

High severity GitHub Reviewed Published Oct 20, 2023 to the GitHub Advisory Database • Updated Oct 20, 2023

GHSA-9wj3-cfq8-wpvj: modoboa Cross-site Scripting vulnerability

Vietnamese cybercrime groups are using multiple different MaaS infostealers and RATs to target the digital marketing sector.

Cybersecurity researchers have uncovered a connection between the notorious DarkGate remote access trojan (RAT) and the Vietnam-based financial cybercrime operation behind the Ducktail infostealer.

WithSecure's researchers, who spotted Ducktail's activity in 2022, started their investigation into DarkGate after detecting multiple infection attempts against organizations in the UK, US, and India.

"It rapidly became apparent that the lure documents and targeting were very similar to recent Ducktail infostealer campaigns, and it was possible to pivot through open source data from the DarkGate campaign to multiple other infostealers which are very likely being used by the same actor/group," the report noted.

**DarkGate's Ties to Ducktail**

DarkGate is backdoor malware capable of a wide range of malicious activities, including information stealing, cryptojacking, and using Skype, Teams, and Messages to distribute malware.

The malware can steal a variety of data from infected devices, including usernames, passwords, credit card numbers, and other sensitive information and be used to mine cryptocurrency on infected devices without the user's knowledge or consent.

It can be used to deliver ransomware to infected devices, encrypting the user's files and demanding a ransom payment to decrypt them.

WithSecure senior threat intelligence analyst Stephen Robinson explains that at a high level, DarkGate malware functionality hasn’t changed since the initial reporting in 2018.

"It has always been a Swiss-army knife, multifunctional malware," he says. "That said, it has been repeatedly updated and modified by the author since then, which we can assume has been to improve the implementation of those malicious functions, and to keep up with the AV/Malware detection arms race."

He notes DarkGate campaigns (and the actors behind them) can be differentiated by who they are targeting, the lures and infection vectors they are using, and their actions on the target.

"The specific Vietnamese cluster that the report focuses on used the same targeting, file names, and even lure files for multiple campaigns using multiple strains of malware," Robinson says.

They created PDF lure files using an online service that adds its own metadata to each file created; that metadata gave further strong links between the different campaigns.

They also created multiple malicious LNK files on the same device and did not wipe the metadata, enabling further activity to be clustered.

The correlation between DarkGate and Ducktail was determined from nontechnical markers such as lure files, targeting patterns, and delivery methods, collated in a 15-page report.

"Nontechnical indicators like lure files and metadata are highly impactful forensic cues. Lure files, which act as bait to entice victims into executing the malware, offer invaluable insights into an attacker's modus operandi, their potential targets, and their evolving techniques," explains Callie Guenther, senior manager of cyber threat research at Critical Start.

Similarly, metadata — information like "LNK Drive ID" or details from services like Canva — can leave discernible traces or patterns that might persist across different attacks or specific actors.

"These consistent patterns, when analyzed, can bridge the gap between varied campaigns, enabling researchers to attribute them to a common perpetrator, even if the malware's technical footprint differs," she says.

Ngoc Bui, cybersecurity expert at Menlo Security, says understanding the relationships between different malware families linked to the same threat actors is essential.

"It helps in building a more comprehensive threat profile and identifying the tactics and motivations of these threat actors," Bui says.

For example, if researchers find connections between DarkGate, Ducktail, Lobshot, and Redline Stealer, they may be able to conclude that a single actor or group is involved in multiple campaigns, which suggests a high level of sophistication.

"It may also help analysts determine if more than one threat group is working together as we see with ransomware campaigns and efforts," Bui adds.

**MaaS Impacts Cyber-Threat Landscape**

Bui points out the availability of DarkGate as a service has significant implications for the cybersecurity landscape.

"It lowers the entry barrier for aspiring cybercriminals who may lack technical expertise," Bui explains. "As a result, more individuals or groups can access and deploy sophisticated malware like DarkGate, increasing the overall threat level."

Bui adds that malware-as-a-service (MaaS) offerings provide cybercriminals with a convenient and cost-effective means to conduct attacks.

For a cybersecurity analyst, this poses a challenge because they must continually adapt to new threats and consider the possibility of multiple threat actors using the same malware service.

It also can make tracking the threat actor using the malware a little more difficult as the malware itself may cluster back to the developer and not the threat actor using the malware.

**Paradigm Shift in Defense**

Guenther says that to better comprehend the modern, ever-evolving cyber-threat landscape, a paradigm shift in defense strategies is overdue.

"Embracing behavior-based detection sequences, as well as leveraging AI and ML, allows for the identification of anomalous network behaviors, surpassing the previous limitations of signature-based methods," she says.

Furthermore, pooling threat intelligence and fostering communication about emergent threats and tactics across industry verticals can catalyze early detection and mitigation.

"Regular audits, encompassing network configurations and penetration tests, can preemptively unearth vulnerabilities," Guenther adds. "Moreover, a well-informed workforce, trained in recognizing contemporary threats and phishing vectors, becomes an organization's first line of defense, reducing the risk quotient substantially."

Ducktail Infostealer, DarkGate RAT Linked to Same Threat Actors

Users could hold up to five SIM cards previously, but now they can only have two; it's a move that the government says is intended to cut down mobile spam levels.

Burkina Faso aims to increase mobile security in the African country with a new bill that says users can only hold two SIM cards (i.e., lines of service) from a mobile provider.

And the sale of SIM cards will only be made in approved agencies and points of sale.

The use of multiple SIM cards can allow for SIM farms to be built, which are typically connected to organizations where the SIM cards are connected to computer servers to send large amounts of SMS spam.

Aminata Zerbo-Sabané, Burkina Faso's Minister of Digital Transition, Posts, and Electronic Communications, said this measure is aimed at reducing the improper use of electronic communication services.

The bill will better regulate the identification of customers of electronic communications service providers, and reduce the illicit use of mobile services, she said.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

SIM Card Ownership Slashed in Burkina Faso

By Waqas
Another day, another malware threat against Windows devices and users!
This is a post from HackRead.com Read the original post: New Windows Infostealer ‘ExelaStealer’ Being Sold on Dark Web

Be cautious of the newly advertised ExelaStealer infostealer malware, now making the rounds on dark web forums and Telegram. Its primary aim is to target Windows-based devices.

****_KEY FINDINGS_****

**FortiGuard Labs has discovered a new infostealer in the cybercrime landscape called ExelaStealer mostly targeting Windows device**s.

**The infostealer is written in Python but uses resources in many different languages when required.**

**The malware deployment entails a decoy PDF file and executing obfuscated Python code.**

**It can steal sensitive user data, including session data and cookies, credit card details, passwords, and keystrokes.**

**It can collect extensive system data, including WLAN profiles and firewall status.**

**ExelaStealer is available in open-source and paid versions on the Dark web. The paid version comes with additional customization features.**

****ExelaStealer** uses code obfuscation techniques to block analysis and reverse engineering efforts.**

We have seen many infostealing malware emerging in cyberspace including Raccoon, RedLine, Vidar, and the relatively new entrant ThirdEye. However, the buzz in the cybersecurity world is that the yet-unknown ExelaStealer is far more dangerous than these.

The cybersecurity researchers at FortiGuard Labs discovered ExelaStealer in August 2023 and provided a detailed account of ExelaStealer’s workings in its new blog post. Per its research, the infostealer is offered as open-source and paid versions on the dark web, with the paid one featuring extended capabilities.

The malware is written in Python but often uses other language resources such as JavaScript. Windows-based systems are its key targets, whereas the malware looks for sensitive data such as passwords, session data, cookies, keystrokes, and credit card details.

Both versions of ExelaStealer are advertised on Dark Web forums with all the ads posted by a single contact using the handle “quicaxd.” For the paid version, the pricing structure varies. A monthly subscription is offered at $20, a three-month subscription is $45, and a lifetime subscription is $120.

It is worth noting that, according to FortiGuard Lab’s report, an active Telegram channel is used for facilitating purchases and getting access to the GitHub repository for the open-source version.

Given the infostealer’s open-source feature, it is possible for anyone with basic programming skills to create their own binaries using its source code. At the moment, ExelaStealer’s packaging and configuration are such that they can only affect Windows systems.

As per Fortiguard Labs, the binaries they analyzed have been released as part of a specific campaign, and the involvement of a decoy document further supports this assumption.

Researchers couldn’t identify the initial attack vector, but they suspect it could be achieved through malware deployment, watering holes, or phishing attacks. The binary is the attack’s first stage, which spawns an executable (sirket-ruhsat-pdf.exe) and launches a PDF viewer to display a decoy document titled ‘BNG 824 ruhsat.pdf’ to the user. Sirket-ruhsat-pdf.exe and BNG 824 ruhsat.pdf are planted into the C: drive’s root directory in which the former is a PyInstaller-generated file while the latter is a decoy file.

Regarding the attack stages, FortiGuard Labs researchers noted that the malware’s core functionality is embedded in a file titled Exela.py. The build process starts with a batch file that invokes Python and the ‘build.py’ file. The builder then uses a file titled ‘obf.py’ to hide the infostealer’s code and evade detection, reverse engineering, and analysis efforts.

Except for the library components, the obfuscated code is consolidated into a file titled ‘Obfuscated.py’ which is then deployed. The malware then starts gathering data along with executing a base64-encoded PowerShell command. The information is sent to the attacker’s Telegram channel, where the files are packaged into a ZIP archive and sent to a Discord webhook.

****Look out for Watering Hole and Phishing Attacks****

To protect yourself from ExelaStealer, users need to be on the lookout for watering holes and phishing attacks. A watering hole attack is a type of cyberattack in which the attacker identifies and compromises a website that is frequented by a particular group of individuals or organizations.

The goal of this attack is to infect the visitors’ computers with malware or exploit vulnerabilities in their systems. The term “watering hole” is derived from the concept of predators waiting near watering holes in the wild to ambush their prey when they come to drink.

To protect against watering hole attacks, individuals and organizations should regularly update their software, use strong security measures, and be cautious when visiting websites, especially those that might be of interest to potential attackers. Additionally, security solutions that can detect and block malicious activity are essential for identifying and mitigating such attacks.

****_**_KEY FINDINGS_**_****

1.  Formbook Takes the Throne as Most Prevalent Malware
2.  New version of Jupyter infostealer delivered through MSI installer
3.  Fake ChatGPT and AI pages on Facebook are spreading infostealers

New Windows Infostealer ‘ExelaStealer’ Being Sold on Dark Web

Heap-based Buffer Overflow in GitHub repository radareorg/radare2 prior to 5.9.0.

**Description**

heap-buffer-overflow in /radare2/shlr/java/code.c:211:21 in java\_print\_opcode

**Version**

    $ r2  -v
    radare2 5.8.9 31339 @ linux-x86-64
    birth: git.5.8.8-691-gb2de2288d8 2023-10-17__01:18:28
    commit: b2de2288d8299f89288c503fc2ce22381b61aba0
    

**Platform**

    $ uname -a
    Linux user-GE40-2PC-Dragon-Eyes 6.2.0-33-generic #33~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Sep  7 10:33:52 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
    

**Asan**

    [31mERROR:[0m Invalid tag '83' at offset 0x00000047
    [31mERROR:[0m Unable to parse class Attribute len (0x24020007) + offset (0x25b) exceeds length of buffer (0x5878)
    [31mERROR:[0m unable to parse remainder of classfile after Method Attribute: 0
    [31mERROR:[0m Unable to parse class Attribute len (0x47608fc2) + offset (0x255) exceeds length of buffer (0x5878)
    [33mINFO:[0m Analyze all flags starting with sym. and entry0 (aa)
    [33mINFO:[0m Analyze imports (af@@@i)
    [35mWARN:[0m set your favourite calling convention in `e anal.cc=?`
    [33mINFO:[0m Analyze symbols (af@@@s)
    [33mINFO:[0m Recovering variables
    [33mINFO:[0m Analyze all functions arguments/locals (afva@@@F)
    [2K
    [33mINFO:[0m Analyze function calls (aac)
    [33mINFO:[0m Analyze len bytes of instructions for references (aar)
    [33mINFO:[0m Finding and parsing C++ vtables (avrr)
    [33mINFO:[0m Analyzing methods
    [33mINFO:[0m Finding xrefs in noncode section (e anal.in=io.maps.x)
    [33mINFO:[0m Emulate functions to find computed references (aaef)
    =================================================================
    ==3433174==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000132dd2 at pc 0x7fe86fbfe09b bp 0x7fff8b14f4c0 sp 0x7fff8b14f4b8
    READ of size 1 at 0x602000132dd2 thread T0
        #0 0x7fe86fbfe09a in java_print_opcode /home/user/fuzzing_radare2/radare2/shlr/java/code.c:211:21
        #1 0x7fe86fbfe86c in r_java_disasm /home/user/fuzzing_radare2/radare2/shlr/java/code.c:309:10
        #2 0x7fe86f9fb8e6 in decode /home/user/fuzzing_radare2/radare2/libr/arch/p/java/plugin.c:215:15
        #3 0x7fe86f562c85 in r_arch_decode /home/user/fuzzing_radare2/radare2/libr/arch/arch.c:320:9
        #4 0x7fe86dc629cf in r_anal_op /home/user/fuzzing_radare2/radare2/libr/anal/op.c:186:8
        #5 0x7fe8719d718f in r_core_anal_esil /home/user/fuzzing_radare2/radare2/libr/core/canal.c:5715:8
        #6 0x7fe87182176a in cmd_anal_all /home/user/fuzzing_radare2/radare2/libr/core/./cmd_anal.inc.c:13183:6
        #7 0x7fe871737429 in cmd_anal /home/user/fuzzing_radare2/radare2/libr/core/./cmd_anal.inc.c:14267:8
        #8 0x7fe87182381f in r_core_cmd_call /home/user/fuzzing_radare2/radare2/libr/core/cmd.c:6303:9
        #9 0x7fe87182381f in cmd_anal_all /home/user/fuzzing_radare2/radare2/libr/core/./cmd_anal.inc.c:13042:7
        #10 0x7fe871737429 in cmd_anal /home/user/fuzzing_radare2/radare2/libr/core/./cmd_anal.inc.c:14267:8
        #11 0x7fe8725c3940 in perform_analysis /home/user/fuzzing_radare2/radare2/libr/main/radare2.c:499:2
        #12 0x7fe8725b931d in r_main_radare2 /home/user/fuzzing_radare2/radare2/libr/main/radare2.c:1720:4
        #13 0x555816ea152d in main /home/user/fuzzing_radare2/radare2/binr/radare2/radare2.c:114:9
        #14 0x7fe872229d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #15 0x7fe872229e3f in __libc_start_main csu/../csu/libc-start.c:392:3
        #16 0x555816de3444 in _start (/home/user/fuzzing_radare2/radare2/binr/radare2/radare2+0x1f444) (BuildId: 655cd64f4959101bcf192e77bc6bf062577e0708)
    
    0x602000132dd2 is located 0 bytes to the right of 2-byte region [0x602000132dd0,0x602000132dd2)
    allocated by thread T0 here:
        #0 0x555816e6628e in __interceptor_malloc (/home/user/fuzzing_radare2/radare2/binr/radare2/radare2+0xa228e) (BuildId: 655cd64f4959101bcf192e77bc6bf062577e0708)
        #1 0x7fe872764b88 in r_mem_dup /home/user/fuzzing_radare2/radare2/libr/util/mem.c:306:12
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/user/fuzzing_radare2/radare2/shlr/java/code.c:211:21 in java_print_opcode
    Shadow bytes around the buggy address:
      0x0c048001e560: fa fa fd fd fa fa fd fd fa fa 04 fa fa fa 04 fa
      0x0c048001e570: fa fa 04 fa fa fa 00 00 fa fa 00 00 fa fa 00 00
      0x0c048001e580: fa fa 00 00 fa fa 00 01 fa fa 00 00 fa fa 00 01
      0x0c048001e590: fa fa 00 00 fa fa 00 01 fa fa 00 00 fa fa 00 01
      0x0c048001e5a0: fa fa 00 00 fa fa 00 01 fa fa 00 00 fa fa 00 00
    =>0x0c048001e5b0: fa fa 00 01 fa fa 04 fa fa fa[02]fa fa fa fa fa
      0x0c048001e5c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c048001e5d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c048001e5e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c048001e5f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c048001e600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==3433174==ABORTING
    

**Reproduce**

    r2 -A -q poc
    

**POC File**

https://github.com/gandalf4a/crash\_report/blob/main/radare2/r2/r2\_hbo\_211

**Credit**

    Gandalf4a
    

**Impact**

This vulnerability allows a remote attacker to cause a denial of service or even arbitrary code execution on an affected radare2 r2. Exploiting this vulnerability requires user interaction, as the target must open a malicious file.

**Occurrences**

CVE-2023-5686: heap-buffer-overflow in /radare2/shlr/java/code.c:211:21 in java_print_opcode in radare2

Description

I noticed, your website is very secure.

But you overlooked a flaw DOM XSS.

Detail:

1 .Login with demo account.

2 .Go to the link: https://demo.modoboa.org/user/#profile/ and click Update

3 .Use burp to block proxy and inject payload in &language:

     <img+src=0+onerror=alert(document.cookie)>  
    

Proof of Concept

Video Poc

https://drive.google.com/file/d/1DpThlp36jJ7hcjGzehX4wlof3KsPux8O/view?usp=sharing

**Impact**

This security vulnerability has the potential to steal multiple users' cookies, gain unauthorized access to that user's account through stolen cookies, or redirect the user to other malicious websites...

CVE-2023-5688: DOM XSS in https://demo.modoboa.org/user/#profile/ in modoboa

Expand Up

@@ -30,7 +30,7 @@ TwocolsNav.prototype = {

listen: function() {

$("a.ajaxnav").click($.proxy(this.load\_section, this));

$(document).on("click", "#update", $.proxy(function(e) {

var $form \= $("form").first();

var $form \= $(e.target).closest("form");

simple\_ajax\_form\_post(e, {

formid: $form.attr("id"),

modal: false,

Expand Down

Tag

#git