Jenkins Scriptler Plugin 342.v6a_89fd40f466 and earlier does not restrict a file name query parameter in an HTTP endpoint, allowing attackers with Scriptler/Configure permission to delete arbitrary files on the Jenkins controller file system.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Analysis Model API Plugin
*   Deployment Dashboard Plugin
*   Dingding JSON Pusher Plugin
*   HTMLResource Plugin
*   Nexus Platform Plugin
*   OpenId Connect Authentication Plugin
*   PaaSLane Estimate Plugin
*   Scriptler Plugin

**Descriptions****DoS vulnerability in Analysis Model API Plugin**

**SECURITY-3327 / CVE-2023-5072**  
**Severity (CVSS):** Medium  
**Affected plugin: analysis-model-api**  
**Description:**

Analysis Model API Plugin 11.11.0 and earlier bundles versions of JSON-Java vulnerable to CVE-2023-5072.

This may allow attackers able to control input to cause a Denial of Service (DoS) by parsing a crafted JSON document.

As of publication, Synopsys Rapid Scan Static is the only plugin the Jenkins security team is aware of whose report parser is potentially affected.

Analysis Model API Plugin 11.13.0 updates JSON-Java to version 20231013, which is unaffected by this issue.

**Arbitrary file deletion vulnerability in Scriptler Plugin**

**SECURITY-3205 / CVE-2023-50764**  
**Severity (CVSS):** High  
**Affected plugin: scriptler**  
**Description:**

Scriptler Plugin 342.v6a\_89fd40f466 and earlier does not restrict a file name query parameter in an HTTP endpoint.

This allows attackers with Scriptler/Configure permission to delete arbitrary files on the Jenkins controller file system.

Scriptler Plugin 344.v5a\_ddb\_5f9e685 ensures that the file being deleted is located in the expected directory.

**Missing permission check in Scriptler Plugin**

**SECURITY-3206 / CVE-2023-50765**  
**Severity (CVSS):** Medium  
**Affected plugin: scriptler**  
**Description:**

Scriptler Plugin 342.v6a\_89fd40f466 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to read the contents of a Groovy script by knowing its ID.

Scriptler Plugin 344.v5a\_ddb\_5f9e685 requires the appropriate permission to read the contents of a Groovy script.

**CSRF vulnerability and missing permission checks in Nexus Platform Plugin allow XXE**

**SECURITY-3204 / CVE-2023-50766 (CSRF), CVE-2023-50767 (missing permission check)**  
**Severity (CVSS):** High  
**Affected plugin: nexus-jenkins-plugin**  
**Description:**

Nexus Platform Plugin 3.18.0-03 and earlier does not perform permission checks in methods implementing form validation.

This allows attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML.

Additionally, the plugin does not configure its XML parser to prevent XML external entity (XXE) attacks, so attackers can have Jenkins parse a crafted XML response that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Additionally, these form validation methods do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Nexus Platform Plugin 3.18.1-01 configures its XML parser to prevent XML external entity (XXE) attacks.

Additionally, POST requests and Overall/Administer permission are required for the affected HTTP endpoints.

Nexus Platform Plugin is not currently distributed by the Jenkins Project due to licensing issues. The fixed version can be downloaded from the Sonatype website.

**CSRF vulnerability and missing permission checks in Nexus Platform Plugin allow capturing credentials**

**SECURITY-3203 / CVE-2023-50768 (CSRF), CVE-2023-50769 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: nexus-jenkins-plugin**  
**Description:**

Nexus Platform Plugin 3.18.0-03 and earlier does not perform permission checks in methods implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, these form validation methods do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Nexus Platform Plugin 3.18.1-01 requires POST requests and Overall/Administer permission for the affected form validation methods.

Nexus Platform Plugin is not currently distributed by the Jenkins Project due to licensing issues. The fixed version can be downloaded from the Sonatype website.

**Password stored in a recoverable format by OpenId Connect Authentication Plugin**

**SECURITY-3168 / CVE-2023-50770**  
**Severity (CVSS):** Medium  
**Affected plugin: oic-auth**  
**Description:**

OpenId Connect Authentication Plugin provides an anti-lockout feature, which allows administrators to define a local user account that can be used to recover access to Jenkins.

In OpenId Connect Authentication Plugin 2.6 and earlier the password to that account is stored in a recoverable format.

This allows attackers with access to the Jenkins controller file system to recover the plain text password of that account, likely gaining administrator access to Jenkins.

**Open redirect vulnerability in OpenId Connect Authentication Plugin**

**SECURITY-2979 / CVE-2023-50771**  
**Severity (CVSS):** Medium  
**Affected plugin: oic-auth**  
**Description:**

OpenId Connect Authentication Plugin 2.6 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins.

This allows attackers to perform phishing attacks by having users go to a Jenkins URL that will forward them to a different site after successful authentication.

**Tokens stored and displayed in plain text by Dingding JSON Pusher Plugin**

**SECURITY-3184 / CVE-2023-50772 (storage), CVE-2023-50773 (masking)**  
**Severity (CVSS):** Medium  
**Affected plugin: dingding-json-pusher**  
**Description:**

Dingding JSON Pusher Plugin 2.0 and earlier stores access tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration.

These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Additionally, the job configuration form does not mask these tokens, increasing the potential for attackers to observe and capture them.

**CSRF vulnerability in HTMLResource Plugin allows deleting arbitrary files**

**SECURITY-3183 / CVE-2023-50774**  
**Severity (CVSS):** High  
**Affected plugin: htmlresource**  
**Description:**

HTMLResource Plugin 1.02 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to delete arbitrary files on the Jenkins controller file system.

**CSRF vulnerability in Deployment Dashboard Plugin**

**SECURITY-3092 / CVE-2023-50775**  
**Severity (CVSS):** Medium  
**Affected plugin: ec2-deployment-dashboard**  
**Description:**

Deployment Dashboard Plugin 1.0.10 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to copy jobs.

**Tokens stored and displayed in plain text by PaaSLane Estimate Plugin**

**SECURITY-3182 / CVE-2023-50776 (storage), CVE-2023-50777 (masking)**  
**Severity (CVSS):** Medium  
**Affected plugin: paaslane-estimate**  
**Description:**

PaaSLane Estimate Plugin 1.0.4 and earlier stores PaaSLane authentication tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration.

These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Additionally, the job configuration form does not mask these tokens, increasing the potential for attackers to observe and capture them.

**CSRF vulnerability and missing permission checks in PaaSLane Estimate Plugin**

**SECURITY-3179 / CVE-2023-50778 (CSRF), CVE-2023-50779 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: paaslane-estimate**  
**Description:**

PaaSLane Estimate Plugin 1.0.4 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using an attacker-specified token.

Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

**Severity**

*   SECURITY-2979: Medium
*   SECURITY-3092: Medium
*   SECURITY-3168: Medium
*   SECURITY-3179: Medium
*   SECURITY-3182: Medium
*   SECURITY-3183: High
*   SECURITY-3184: Medium
*   SECURITY-3203: Medium
*   SECURITY-3204: High
*   SECURITY-3205: High
*   SECURITY-3206: Medium
*   SECURITY-3327: Medium

**Affected Versions**

*   **Analysis Model API Plugin** up to and including 11.11.0
*   **Deployment Dashboard Plugin** up to and including 1.0.10
*   **Dingding JSON Pusher Plugin** up to and including 2.0
*   **HTMLResource Plugin** up to and including 1.02
*   **Nexus Platform Plugin** up to and including 3.18.0-03
*   **OpenId Connect Authentication Plugin** up to and including 2.6
*   **PaaSLane Estimate Plugin** up to and including 1.0.4
*   **Scriptler Plugin** up to and including 342.v6a\_89fd40f466

**Fix**

*   **Analysis Model API Plugin** should be updated to version 11.13.0
*   **Nexus Platform Plugin** should be updated to version 3.18.1-01
*   **Scriptler Plugin** should be updated to version 344.v5a\_ddb\_5f9e685

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   Deployment Dashboard Plugin
*   Dingding JSON Pusher Plugin
*   HTMLResource Plugin
*   OpenId Connect Authentication Plugin
*   PaaSLane Estimate Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Andrea Chiera, CloudBees, Inc.** for SECURITY-3179, SECURITY-3182, SECURITY-3183, SECURITY-3184, SECURITY-3203, SECURITY-3204, SECURITY-3205, SECURITY-3206
*   **Kevin Guerroudj, CloudBees, Inc.** for SECURITY-2979, SECURITY-3092
*   **Steve Marlowe <smarlowe@cisco.com> of Cisco ASIG** for SECURITY-3168

CVE-2023-50764: Jenkins Security Advisory 2023-12-13

A cross-site request forgery (CSRF) vulnerability in Jenkins Deployment Dashboard Plugin 1.0.10 and earlier allows attackers to copy jobs.

CVE-2023-50775: Jenkins Security Advisory 2023-12-13

Missing permission checks in Jenkins Nexus Platform Plugin 3.18.0-03 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

CVE-2023-50769: Jenkins Security Advisory 2023-12-13

A cross-site request forgery (CSRF) vulnerability in Jenkins Nexus Platform Plugin 3.18.0-03 and earlier allows attackers to send an HTTP request to an attacker-specified URL and parse the response as XML.

CVE-2023-50766: Jenkins Security Advisory 2023-12-13

By Deeba Ahmed
Hidden Code, Hidden Profits - Tracked Before You Click - SDBN Takes Adobe to Court Over Alleged Illegal Tracking of Dutch Cizitens.
This is a post from HackRead.com Read the original post: Dutch Watchdog Sues Adobe Over Mass Collection of Citizen Data

Dutch privacy watchdog SDBN alleges that Adobe is spying on and collecting data from ‘virtually every Dutch internet user’ through the illegal placement of tracking cookies.

Dutch privacy watchdog Stichting Data Bescherming Nederland (**SDBN**) is suing Adobe for illegally tracking and sharing the personal data of millions of Dutch citizens.

For your information, SDBN is a Netherlands-based non-profit foundation striving to safeguard users’ privacy and data protection. Apart from Adobe, the organization is also actively pursuing lawsuits against Amazon and X (formerly Twitter).

Adobe, a United States-based design software company known for its creativity and multimedia software products, is accused of secretly collecting vast amounts of data from users visiting prominent websites and apps, including Dutch telecommunications company KPN, Stichting Pensioenfonds ABP (National Civil Pension Fund), and the Dutch Tax Authority.

According to SDBN, the collected data is then shared with multiple third parties without obtaining user consent. Moreover, the company allegedly used tactics like hidden tracking cookies and app SDKs to collect data.

In a press release that the organization shared with Hackread.com, users are kept in the dark about their digital footprints, and sometimes Adobe plants cookies before they can say no. These profiles are shared with other companies for targeted advertising.

This practice violates the General Data Protection Regulation (**GDPR**), putting users at risk of data exposure, identity fraud, and other privacy concerns. SDBN claims that Adobe is snooping on nearly every Dutch citizen, even those who have never used Adobe products.

> _“Via websites and apps, Adobe itself illegally collects an enormous amount of data on virtually every Dutch internet user, irrespective of whether they have ever used an Adobe product”._
> 
> SDBN

It warns that this data trade is not risk-free and could expose sensitive information and identity. They are taking Adobe to court, demanding an end to the covert tracking and compensation for millions of affected Dutch citizens.

Adobe profited financially from this unlawful data collection. Hence, SDBN filed a class action lawsuit demanding Adobe to cease illegal data collection, destroy all the illegally collected data, and disclose all parties with whom data has been shared. The lawsuit aims to stop tracking cookies on popular websites and hidden code in apps like Marktplaats and Buienradar. 

SDBN also demands justice for an estimated seven million Dutch citizens whose data was shared, demanding Adobe to remove every illegally collected data and give impacted users compensation for the privacy invasion. 

Dutch internet users can join the fight by signing up for a free mass claim on SDBN’s website. If a Dutch internet user has visited the aforementioned websites or used the listed apps, they may be eligible to join the lawsuit and claim compensation.

SDBN’s chairperson Anouk Ruhaak, stated that the design software vendor’s involvement in mass data collection and trading is surprising.

“While Adobe is primarily recognized as a design software supplier, what’s surprising is its simultaneous involvement in the digital personal data market – tracking your online activities. Have you made online Christmas purchases? Well, Adobe likely has a detailed record of what you browsed and where you bought your Christmas stockings or perfume.”

SDBN also shared a list of websites and apps which it claims are used by Adobe to track users. These included the following sites:

*   Abp.nl
*   Albelli.nl
*   Bruna.nl
*   Douglas.nl
*   Expedia.nl
*   Gamma.nl
*   Karwei.nl
*   ketnet.be
*   Kijk.nl
*   Kpn.com
*   Kwf.nl
*   Tui.nl
*   Unibet.nl
*   Unive.nl
*   Wsj.com
*   Footlocker.nl
*   Hallmark.com
*   Beterhoren.nl
*   Belastingdienst.nl

****Examples of mobile apps (iOS and Android) that allegedly contain Adobe tracking software include:****

*   Asos
*   RTL XL
*   MijnKPN
*   Ziggo GO
*   Buienradar
*   Marktplaats
*   PlayStation
*   TomTom Go Navigation
*   Essent Verbruiksmanager

****_RELATED ARTICLES_****

1.  **Canada Bans WeChat and Kaspersky Due to Spying Concerns**
2.  **Google Facing Lawsuit Over Tracking Users in Incognito Mode**
3.  **$4 billion lawsuit claims Google tracked iPhone users’ activities**
4.  **Amazon Files Lawsuits Against Fraudsters Peddling Fake Reviews**
5.  **Authors Sue OpenAI: ChatGPT’s Training Methods Challenged in Lawsuit**

Dutch Watchdog Sues Adobe Over Mass Collection of Citizen Data

Threat actors are increasingly placing malicious ads for Zoom within Google searches.

During the past month, we have observed an increase in the number of malicious ads on Google searches for “Zoom”, the popular piece of video conferencing software. Threat actors have been alternating between different keywords for software downloads such as “Advanced IP Scanner” or “WinSCP” normally geared towards IT administrators.

While Zoom is used by millions of people around the world, these campaigns are likely targeting victims who are into cryptocurrencies as well as corporate users, in order to gain access to company networks.

In this blog post, we chose to highlight two cases:

*   Case #1 is about a new loader which we have not seen mentioned publicly before called **_HiroshimaNukes_**. It drops an additional payload designed to steal user data.
*   Case #2 is a campaign dropping FakeBat loader where the threat actor tracked victims via a panel that was new to us, called **_Hunting panel 1.40_**. FakeBat is often used by threat actors as the initial entry point for hands on keyboard operations.

We have reported the malicious ads to Google.

**Advertiser profiles**

The threat actors are using a number of fake identities to create multiple advertiser accounts. We noticed that different ads had different advertiser IDs but the backend infrastructure was the same.

Fake advertiser profiles

They are also using what looks like existing advertising accounts (one of the accounts had over 30K ads) which may have been compromised:

Advertising account possibly hacked to insert malicious Zoom ad

While we don’t know how many people may have fallen for these Zoom malvertising campaigns, we can say that the number of ads and their positioning was prominent enough to generate a substantial amount of traffic.

**Cloaking via new services**

The threat actors are using tracking templates to cloak the redirection mechanism to either the legitimate Zoom website or a site or their choosing. They are abusing a service called AppsFlyer (onelink.me) and HYROS (l.hyros.com) for their redirects. We observed the following links for the Zoom campaigns:

*   aksdquwrqr\[.\]onelink\[.\]me
*   ntcrgfmmc3\[.\]onelink\[.\]me
*   169-zoona32\[.\]onelink\[.\]me
*   zoromonm\[.\]onelink\[.\]me
*   notetrest\[.\]onelink\[.\]me
*   putin-777\[.\]onelink\[.\]me
*   zoomus\[.\]onelink\[.\]me
*   mmozl\[.\]onelink\[.\]me
*   arnold\[.\]onelink\[.\]me
*   desktop-client\[.\]onelink\[.\]me
*   slovo-pacana\[.\]onelink\[.\]me
*   l\[.\]hyros\[.\]com/c8KqPHYKdt

Ad and redirection mechanism

**Case #1: HiroshimaNukes**

HiroshimaNukes is a name given by its author to a piece of malware that was new to us. It uses several techniques to bypass detection from DLL side-loading to very large payloads. Its goal is to drop additional malware, typically a stealer followed by data exfiltration.

HiroshimaNukes loader installation flow

**Distribution**

The threat actor is targeting users via Google ads related to a search for zoom:

Malicious ad for Zoom via Google search

Clicking on the ad redirects to a domain at _zoommaster\[.\]life_ that checks the IP address of the visitor and performs a redirect to _zoom.us_ (legitimate) site or _zoom-us\[.\]tech_ (malicious site) based on certain conditions. Intended targets will see a web page that looks similar to the real Zoom’s website:

Fake Zoom web page with malicious download

Users are tricked into downloading a file called _ZoomInstaller.zip_ which once extracted contains one main executable and several DLL files:

Content of the Zoom download archive

The _\_Zoom.exe_ file is a legitimate binary signed by Zoom Video Communications, Inc:

Main executable is legitimate

**DLL side-loading**

DLL side-loading is a technique used by threat actors to bypass detection. It consists of replacing a legitimate library file (DLL) used by a program (EXE) with a malicious one, using the same name and location.

When the main program is launched, it will automatically load the corresponding DLL without necessarily validating it. In this instance, _\_Zoom.exe_ side-loads _librcrypto-3-zm.dll_:

The malicious DLL that is loaded when the main executable runs

While DLL side-loading is commonly used by malware authors, it is also a unique TTP that we don’t see in all malvertising campaigns. We were able to search for previous similar attacks from the same threat actor. This time, the malicious DLL was side-loaded as if it was the FFmpeg library (_ffmpeg.dll_). As you can see from the screenshot below, the lure varied over time with for example brands such as TradingView, Notion or Obsidian.

Other examples of DLL side-loading

All the malicious DLLs we found were likely compiled by the same threat actor, who was either sloppy or wanted to leave the malware name in plain sight:

D:\\Projects\\General\\HiroshimaNukesDropper\\V2\\Dll\\x64\\Release\\Dll.pdb

This “HiroshimaNukes” dropper will spawn a new executable (_zoom\_crypted.exe_) that also attempts to evade detection due to its size:

Dropped file over 774 MB

The file has been inflated with junk code:

UnpacMe service’s analysis of the binary

Looking at its strings we can see that it is a stealer focusing on cryptocurrency wallets:

0x40284e: Cookies
0x40290a: Network\\Cookies
0x4029c2: DHistoryDDDDDDDsWeb Datassssssss
0x42c43b: TDiscord PTB\\Local Storage\\leveldbTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTC
0x42c51f: wDiscord Canary\\leveldbwwwwwwwwwwwwwwwwwwwwww-
0x42e1fd: Jkey3.dbJJJJJJJ
0x42e67c: Nformhistory.sqlite
0x42e798: Nformhistory.sqlite
0x433d69: WIMAP PasswordWWWWWWWWWWWWW
0x43515c:
0x44241d: oArmoryoooooo6
0x4426f4: 2bytecoin22222222
0x4427ba: ZJaxxClassicZZZZZZZZZZZ
0x4431f2: %Jaxx\\Local Storage\\leveldb%%%%%%%%%%%%%%%%%%%%%%%%%%
0x44347e: jEthereumjjjjjjjj2
0x443544: oEthereum\\keystoreooooooooooooooooo>
0x443621: #Electrum
0x443751: }Electrum\\wallets}}}}}}}}}}}}}}}}
0x443825: Electrum-LTC
0x4438ff: Electrum-LTC\\wallets
0x443a3c: Electrum-BCH
0x443b76: WElectrum-BCH\\walletsWWWWWWWWWWWWWWWWWWWW
0x443c5e: 2Atomic222222&
0x443d64: atomic\\Local Storage\\leveldb
0x443e5a: +Guarda
0x443f66: 9lGuarda\\Local Storage\\leveldb
0x4440ab: tWasabitttttt
0x444194: 7^WalletWasabi\\Client\\Wallets
0x444335: ,Daedalus,,,,,,,,f
0x444441: Daedalus Mainnet\\wallets
0x444523: Ledger Live
0x4445fc: )Ledger Live)))))))))))
0x444d50: /Litecoin////////

**Case #2: FakeBat and Hunting panel**

In this second case we look at a FakeBat loader payload which has an interesting addition to it. The threat actors are tracking victims from their campaigns using a control panel called Hunting panel 1.40 which was new to us.

FakeBat installation flow

**Distribution**

Unsuspecting users doing a Google search for “zoom” are deceived by a Sponsored result that looks authentic from the outside. While the ad display URL is **zoom.us** (which is the official website for Zoom), clicking on the menu beside the ad reveals an advertiser identified as “CHANDLER BONNY M”:

Malicious ad for Zoom via Google search

Web traffic following click on ad

On this landing page, users are tricked into downloading a malicious version of the Zoom installer:

Fake Zoom web page and malicious installer

The download process is initiated via a JavaScript event linking to the _ms-appinstaller_ URL where the MSIX file is hosted:

Source code processing the download of the MSIX installer

**Malware payload**

The malicious installer contains several files but the malicious components reside in the PowerShell scripts. This technique has been used by the threat actor for months already, probably because they get higher infection rates than with a traditional malware binary.

Contents of the MSIX file

The Base64-encoded PowerShell reveals the malware’s command and control server as well as a number of other commands such as reporting telemetry back about the machine and any security software installed, and more importantly a GPG encrypted payload decoded on the fly.

View of the malicious PowerShell script

**Panel and API**

Inspecting web traffic, we noticed that a new WebSocket was created to send data to a remote domain at api\[.\]huntingpanel\[.\]link. Some of this data includes a fileID, a project name and the domain that was used for the landing page.

Connection to WebSocket

This server is hosting a login page to “Hunting panel 1.40”, a control panel we had not heard of before. We surmise this is a way for the threat actor to track their malvertising and payload delivery campaigns. The panel’s background image is from the Firewatch video game.

Hunting panel 1.40 control panel

**Protection**

Malvertising continues to be a privileged malware delivery vector where threat actors are able to bypass ad verification checks, and often times security solutions as well.

We are actively tracking and reporting each new malvertising campaign we come across. As we can’t always control when third parties will take action on malicious ads, our top priority is to ensure our customers remain protected by blocking new malware domains and samples.

Both our consumer and enterprise users are protected agains these threats.

**Acknowledgements**

We would like to thank Sergei Frankoff, malware researcher and a co-founder of Open Analysis, for his help with the HiroshimaNukes dropper.

**Indicators of Compromise**

**Case #1 IOCs**

**_Description_**

**_Indicator_**

Fake Zoom site

zoom-us\[.\]tech

Download URL

zoom-us\[.\]tech/ZoomInstaller.zip

Fake Zoom archive (ZoomInstaller.zip)

fd524641d2be705d76feb0453374c5b2ad9582ced4f00bb3722b735401da2762

Malicious DLL (libcrypto-3-zm.dll)

30fda67726f77706955f6b52b202452e91d5ff132783854eec63e809061a4b5c

Stealer payload

5b917d04d416cafaf13ed51c40b58dc8b4413483ea3f5406b8348038125cad0b

Stealer C2

94.131.110\[.\]127

**Case #2 IOCs**

**_Description_**

**_Indicator_**

Fake Zoom site

z00nn.one-platform-to-connect\[.\]group

Fake Zoom site

info-zoomapp\[.\]com

Fake Zoom site

zoomnewsonly\[.\]site

Fake Zoom site

zoonn\[.\]virtual-meetings\[.\]cn\[.\]com

Fake Zoom site

promoapp-zoom\[.\]com

Download URL

youstorys\[.\]com/fonts/Zoom-x64.msix

Download URL

windows-rars\[.\]shop/bootstrap/Zoom-x64.msix

Download URL

scheta\[.\]site/apps.store/ZoomInstaller.msix

Installer (Zoom-x64.msix)

dcb80bd21bd6900fe87423d3fb0c49d8f140d5cf5d81b662cd74c22fca622893

Installer (Zoom-x64.msix)

44cac5bf0bab56b0840bd1c7b95f9c7f5078ff417705eeaaf5ea5a2167a81dd5

Installer (ZoomInstaller.msix)

462df2e4a633e57de0d5148060543576d7c1165bf90e6aec4183f430d8925a1c

Encrypted payload URL

winkos\[.\]net/ld/zm.tar.gpg

FakeBat C2

2311foreign\[.\]xyz

 Malvertisers zoom in on cryptocurrencies and initial access 

PDF24 Creator versions 11.15.1 and below suffer from a local privilege escalation vulnerability via the MSI installer.

SEC Consult Vulnerability Lab Security Advisory < 20231211-0 >  
=======================================================================  
               title: Local Privilege Escalation via MSI installer  
             product: PDF24 Creator (geek Software GmbH)  
  vulnerable version: <=11.15.1  
       fixed version: 11.15.2  
          CVE number: CVE-2023-49147  
              impact: High  
            homepage: https://tools.pdf24.org/en/creator/  
               found: 2023-10-16  
                  by: Lukas Donaubauer (Office Munich)  
                      Mario Keck (Office Munich)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Eviden business  
                      Europe | Asia

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"pdf24.org is a project of geek software GmbH, a German company based in Berlin,  
that was founded in 2006. PDF24 offers free and easy to use PDF solutions for  
many PDF problems, online and as software for download. Solutions include the  
well-known PDF24 Creator and PDF24 Online Tools."

Source: https://www.pdf24.org/en/about-us

Business recommendation:  
------------------------  
The vendor provides a patch which should be installed immediately.

SEC Consult highly recommends to perform a thorough security review of the product  
conducted by security professionals to identify and resolve potential further  
security issues.

Vulnerability overview/description:  
-----------------------------------  
1) Local Privilege Escalation via MSI installer (CVE-2023-49147)  
The configuration of the PDF24 Creator MSI installer file was found to  
produce a visible cmd.exe window running as the SYSTEM user when using  
the repair function of msiexec.exe. This allows a local attacker to use  
a chain of actions, to open a fully functional cmd.exe with the privileges  
of the SYSTEM user.

Note: This attack does not work using a recent version of the Edge Browser or  
Internet Explorer. A different browser, such as Chrome or Firefox, needs to be  
used. Also make sure, that Edge or IE have not been set to the default browser.

Proof of concept:  
-----------------  
1) Local Privilege Escalation via MSI installer (CVE-2023-49147)  
For the exploit to work, the PDF24 Creator has to be installed via the MSI file.  
Afterwards, any low-privileged user can run the following command to start the  
repair of PDF24 Creator and trigger the vulnerable actions without a UAC popup:

msiexec.exe /fa <PATH TO INSTALLERFILE>\pdf24-creator-11.14.0-x64.msi

At the very end of the repair process, the sub-process pdf24-PrinterInstall.exe gets  
called with SYSTEM privileges and performs a write action on the file  
"C:\Program Files\PDF24\faxPrnInst.log". This can be used by an attacker by simply  
setting an oplock on the file as soon as it gets read. To do that, one can use the  
'SetOpLock.exe' tool from "https://github.com/googleprojectzero/symboliclink-testing-tools"  
with the following parameters:

SetOpLock.exe "C:\Program Files\PDF24\faxPrnInst.log" r

If the oplock is set, the cmd window that gets opened when pdf24-PrinterInstall.exe  
is executed doesn't close. The attacker can then perform the following actions to  
spawn a SYSTEM shell:  
- right click on the top bar of the cmd window  
- click on properties  
- under options click on the "Legacyconsolemode" link  
- open the link with a browser other than internet explorer or edge (both don't open as SYSTEM when on Win11)  
- in the opened browser window press the key combination CTRL+o  
- type cmd.exe in the top bar and press Enter

Vulnerable / tested versions:  
-----------------------------  
The following version has been tested which was the latest version available  
at the time of the test:  
* 11.14.0 (pdf24-creator-11.14.0-x64.msi)  
* 11.15.1 (pdf24-creator-11.15.1-x64.msi)

A new version was released during our contact attempts (v11.15.1) which is  
also affected by the vulnerability.

The tests were conducted on an up to date Windows 10 system.

Vendor contact timeline:  
------------------------  
2023-10-20: Contacting vendor through team@pdf24.org; no response.  
2023-11-14: Contacting vendor again through team@pdf24.org and stefan@pdf24.org  
             No response.  
2023-11-17: Requesting CVE number  
2023-11-23: Received CVE number  
2023-11-27: Sending vendor CVE number and setting preliminary deadline for  
             advisory release (11th December)  
2023-11-27: Identified that latest version 11.15.1 is also vulnerable.  
2023-11-28: Vendor response, seems our emails ended up in spam.  
             Sending advisory unencrypted upon vendor request.  
2023-12-04: Asking for a status update. Further questions from vendor.  
             Providing more details, clarification regarding Windows 11, browser  
             usage and recommendation for fix.  
2023-12-08: Vendor releases fixed version 11.15.2.  
2023-12-11: Coordinated release of advisory.

Solution:  
---------  
The vendor provides a patched version 11.15.2 which can be downloaded from the  
vendor's website:

https://tools.pdf24.org/en/creator

Also check out the changelog from the vendor for further information:  
https://creator.pdf24.org/changelog/en.html

Workaround:  
-----------  
Use the available EXE installer.

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab  
An integrated part of SEC Consult, an Eviden business  
Europe | Asia

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Eviden business. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: https://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF L. Donaubauer, M. Keck / @2023

PDF24 Creator 11.15.1 Local Privilege Escalation

Atos Unify OpenScape Session Border Controller (SBC) versions before V10 R3.4.0, Branch versions before V10 R3.4.0, and BCF versions before V10 R10.12.00 and V10 R11.05.02 suffer from an argument injection vulnerability that can lead to unauthenticated remote code execution and authentication bypass.

SEC Consult Vulnerability Lab Security Advisory < 20231205-0 >  
=======================================================================  
               title: Argument injection leading to unauthenticated RCE and  
                      authentication bypass  
             product: Atos Unify OpenScape Session Border Controller (SBC)  
                      Atos Unify OpenScape Branch  
                      Atos Unify OpenScape BCF  
  vulnerable version: OpenScape SBC before V10 R3.4.0  
                      OpenScape Branch before V10 R3.4.0  
                      OpenScape BCF V10 before V10 R10.12.00 and V10 R11.05.02  
       fixed version: OpenScape SBC V10 R3.4.0 or higher  
                      OpenScape Branch V10 R3.4.0 or higher  
                      OpenScape BCF V10 R10.12.00 or higher, V10 R11.05.02  
          CVE number: CVE-2023-6269  
              impact: Critical  
            homepage: https://unify.com/  
               found: 2023-09-01  
                  by: Armin Weihbold (Office Linz)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Eviden business  
                      Europe | Asia

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"Unify is is the Atos brand for communication and collaboration solutions  
Unify is the newest member of the Atos family, combining Atos’ knowledge and  
reputation in the IT services market with Unify’s expertise in unified  
communications and collaboration to provide customers with seamless services  
solutions for their entire digital portfolio. Within Atos, Unify continues to  
deliver a unique integrated proposition for unified communications and real  
time capabilities."

Source: https://unify.com/en/expert/unify

Business recommendation:  
------------------------  
SEC Consult recommends users of this solution to immediately install the latest  
patch from the vendor.

Furthermore, an in-depth security analysis performed by security professionals  
is highly advised, as the software may be affected from other security issues.

Vulnerability overview/description:  
-----------------------------------  
1) Argument injection leading to unauthenticated RCE and authentication bypass (CVE-2023-6269)  
The administrative web interface insufficiently escapes supplied login  
credentials before passing them to a user management application, leading to  
an unauthenticated attacker being able to gain root access to the appliance  
via SSH.

Another possibility to exploit this vulnerability is to append a special  
argument during logon to completely bypass the authentication of the web interface.  
A previously unauthenticated attacker can logon as administrator without any  
known credentials.

Proof of concept:  
-----------------  
1) Argument injection leading to unauthenticated RCE and authentication bypass (CVE-2023-6269)  
Example 1) Gaining unauthenticated SSH root access

The file receiving data from the login page is `auth.php`, here the  
user-provided credentials are passed on to the function  
`PasswordMgr::authPassword` after some checks on the supplied username.

```php  
// /srv/www/htdocs/auth.php  
// [...]  
     $ret=false;  
     $real_user='';  
     $error = '';  
     $local_user=strip_tags($_POST['username']);  
// [...]  
     if( !sessionLimitReached() )  
     {  
         // Authenticate user/password...  
         $privilege = PasswordMgr::getUserPrivilege($local_user);  
         if (($local_user == 'assistant') || ($local_user == 'cdr') || (!PasswordMgr::isUserEnabled($local_user))){  
             $ret = false;  
         }  
         else {  
             switch ($privilege) {  
                 case 'admin':  
                     $ret = PasswordMgr::authPassword($_POST["username"], $_POST["password"], $error, $real_user, $local_user, FALSE);  
                     break;  
                 // [...]  
             }  
         }  
         // [...]  
     }  
// [...]

```

The function `PasswordMgr::authPassword` in `core/PasswordMgr.php` is just a  
wrapper around `call_osbpasswd` in the same file.

```php  
// /srv/www/htdocs/core/PasswordMgr.php

public static function authPassword($username, $password, &$error, &$real_user, &$local_user, $local = FALSE)  
{  
     $error='';  
     if ( PasswordMgr::call_osbpasswd("auth", $username, $password, $error, $real_user, $local_user, $local ) )  
     {  
         $error='Current Password does not match user';  
         return false;  
     }  
     return true;  
}  
```

The function `call_osbpasswd` is responsible for anything related to user  
management, it does this by constructing shell arguments and supplying them to  
the executable `/osb/bin/osbpasswd` which is executed with root privileges via  
`cfgUtilExecSudo`. This executable handles the actual authentication, creation  
of users, and other tasks.  
In the case of authentication the arguments are written to a temporary file  
and read from there.  
Before that the supplied password is escaped using `escapeshellcmd` instead of  
`escapeshellarg`. This means that space characters (hex 0x20) in the password  
are left intact allowing for argument injection.

```php  
// /srv/www/htdocs/core/PasswordMgr.php

public static function call_osbpasswd( $method, $username, $password, &$output, &$real_user, &$local_user, $local, $extraArg = '' )  
{  
     // [...]  
     $curruser = 'GUI';  
     // [...]

     $params = "$method";  
     if ($local)          $params .= ' --local';  
     if ($username != '') $params .= " --user $username";  
     if ($curruser != '') $params .= " --curruser $curruser";  
     if ($extraArg != '') $params .= "$extraArg";

     $file = '';  
     // [...]  
     else {  
         $params .= " --password ";  
         $fakePar = $params."xxxxxx";  
         $params .= escapeshellcmd($password);  
         $params .= "\n";  
         $file = tempnam('/osb/var/tmp','osbpasswd.'.md5($params).'.');  
         /*E.g.: /opt/openbranch/var/tmp/osbpasswd.f9e2a9fcf29c6275830257316d560e27.CG4IcQ */  
         cfgUtilEcho( $params, $file );  
         $command = "/osb/bin/osbpasswd ".$fakePar." --file ".$file;  
     }

     $outArray = array();  
     $ret = cfgUtilExecSudo($command, $outArray, FALSE, TRUE);  
     // [...]  
     return $ret;  
}  
```

The function that is responsible for parsing command line arguments  
in the called application `/osb/bin/osbpasswd` iterates over arguments and  
sets global variables based on them. This is done in a loop and no check is  
done if that argument was already set. This means an attacker can override all  
parameters by specifying them again.

```C  
int parse_arguments(int argc, char **argv, int n)  
{  
   // [...]  
   while ( n < argc && argv[n] ) {  
     // [...]  
     else if ( !strcmp("--user", argv[n]) ) {  
         if ( ++n < argc )  
            arg_user = argv[n];  
     }  
     else if ( !strcmp("--shell", argv[n]) ) {  
         if ( ++n < argc )  
             arg_shell = argv[n];  
     }  
     // [...]  
     else if ( !strcmp("auth", argv[n]) ) {  
         arg_command_name = argv[n];  
         arg_command_number = 1;  
     }  
     else if ( !strcmp("add", argv[n]) ) {  
         arg_command_name = argv[n];  
         arg_command_number = 6;  
     }  
     // [...]  
     ++n;  
   }  
   return 0LL;  
}  
```

The combination of faulty escaping of the supplied password and overly  
permissive parsing of arguments in the called binary leads to an attacker being  
able to request arbitrary operations from the `/osb/bin/osbpasswd` binary with  
arbitrary arguments. An attacker could for example create a new user with SSH  
access and change the password of the root user leading to a complete  
compromise of the system.

To demonstrate the vulnerability, it is sufficient to [...]

[ Proof of concept removed ]

- this creates a new user with SSH access, the second one [...]

[ Proof of concept removed ]

which changes the password of the root user. The attacker can then login [...]  
to gain root access.

Example 2) Bypassing the web interface logon as administrator  
As described in example 1, the same vulnerability can also be exploited to  
bypass the logon for the web interface and immediately gain access as  
administrator because the arguments for the command-line tool are passed and  
evaluated.

By supplying the [...] following [...] string [...], it is possible to logon  
without known credentials:

[ Proof of concept removed ]

[...]  
Afterwards the attacker is logged on as administrator (or any other supplied  
user account).

Vulnerable / tested versions:  
-----------------------------  
The following version has been tested which was the latest version available  
at the time of the test:

* Atos Unify OpenScape Session Border Controler (SBC) Firmware Version V10 R3.3.0

According to vendor, versions before V10 R3.3.0 are affected as well.

The vendor confirmed that the following products are vulnerable:  
* Atos Unify OpenScape SBC V10 before V10 R3.4.0  
* Atos Unify OpenScape Branch V10 before V10 R3.4.0  
* Atos Unify OpenScape BCF V10 before V10R10.12.00 and V10R11.05.02

Vendor contact timeline:  
------------------------  
2023-09-13: Contacting vendor through email obso@atos.net; sending  
             encrypted advisory (S/MIME)  
2023-09-25: Call with vendor, patch has already been developed, available  
             internally for testing & QA since 22nd.  
2023-09-26: Preliminary vendor security advisory available, giving feedback  
             regarding recommendations. Vendor informs customers in advance  
             (TLP:AMBER), patch planned for 2023-09-27.  
2023-10-04: Vendor security advisory public release (TLP:WHITE).  
2023-10-06: Asking regarding next steps for affected product Atos Unify  
             OpenScape BCF.  
2023-10-10: Vendor confirms that OpenScape BCF is affected as well and added  
             it to their advisory.  
2023-11-27: Reserving CVE-2023-6269 and sending it to vendor, defining  
             release date of 5th December.  
2023-12-05: Coordinated release of security advisory.

Solution:  
---------  
The vendor provides a patch for the affected products:  
* Atos Unify OpenScape Session Border Controller Firmware Version V10 >=R3.4.0  
* Atos Unify OpenScape Branch version V10 >=R3.4.0  
* Atos Unify OpenScape BCF version V10 >=V10R10.12.00 and V10R11.05.02

The patches can be obtained for registered customers through the vendor's  
download server:  
https://sws.unify.com/SWSIntranet/SWSIntra.aspx or via  
https://unify.com/en/partner/partnerportal  
https://unify.com/en/support/kunden-support-portal

Furthermore, the vendor has also released a security advisory which is  
available here:  
https://networks.unify.com/security/advisories/OBSO-2310-01.pdf

Workaround:  
-----------  
In addition to deploying the patch, limit access to the administrative  
web application and SSH ports to authorized personnel on the network level.

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab  
An integrated part of SEC Consult, an Eviden business  
Europe | Asia

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Eviden business. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: https://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF A. Weihbold / @2023

Atos Unify OpenScape Authentication Bypass / Remote Code Execution

The "userModify" feature of Silverpeas Core 6.3.1 is vulnerable to Cross Site Request Forgery (CSRF) leading to privilege escalation. If an administrator goes to a malicious URL while being authenticated to the Silverpeas application, the CSRF with execute making the attacker an administrator user in the application.

**Cross Site Request Forgery in Silverpeas**

Moderate severity GitHub Reviewed Published Dec 13, 2023 to the GitHub Advisory Database • Updated Dec 13, 2023

GHSA-g27c-w2v7-88xp: Cross Site Request Forgery in Silverpeas

Silverpeas Core 6.3.1 and prior are vulnerable to Cross Site Scripting (XSS) via the message/notification feature.

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2023-47324

**Cross-site Scripting in silverpeas**

Moderate severity GitHub Reviewed Published Dec 13, 2023 to the GitHub Advisory Database • Updated Dec 13, 2023

**Package**

maven org.silverpeas.core:silverpeas-core-api (Maven)

**Affected versions**

< 6.3.2

maven org.silverpeas.core:silverpeas-core-configuration (Maven)

maven org.silverpeas.core:silverpeas-core-war (Maven)

maven org.silverpeas.core:silverpeas-core-web (Maven)

**Description**

Published to the GitHub Advisory Database

Dec 13, 2023

Last updated

Dec 13, 2023

Tag

#git