The SyncThru Web Service on Samsung SCX-6x55X printers allows an attacker to gain access to a list of SMB users and cleartext passwords by reading the HTML source code.

![Windsor Moreira](https://miro.medium.com/fit/c/56/56/1*myZsCocYKZPJR8JbYjb2mQ.png)

Samsung Printer SCX-6x55X Series SyncThru Web Service is affected by an improper access control vulnerability. The vulnerability can permit an attacker to gain access to a list of SMB users and passwords.

The multifunctional printers, Samsung Printer SCX-6X55X in particular, allow you to perform scans and send the scanned files directly to the server via SMB, as long as, obviously, you have previously registered users. You only can register or modify users if you’re logged as administrator.

![](https://miro.medium.com/max/1332/1*rk51-EYOGdb-jIe6TiNDSg.png)

SMB server list with somes inputs.

Even if you are not authenticated, you can access the smb server list entry..

![](https://miro.medium.com/max/1400/1*6iV6V-qaHcAFURFWEhCj0g.png)

Setup of user Giddeon.

.. and still get the clear text password by inspecting the page’s source code.

![](https://miro.medium.com/max/1066/1*nuuXfyQWB2kiPIrtFi7N-g.png)

User giddeon password.

There will be scenarios that it will be impossible to manually enumerate input by input for each user. So you can download (export) the configuration of the smb server entries with the credentials in plain text.

I made this simple code in python, using the requests library to perform the proof of concept. You can access it by clicking **here**.

![](https://miro.medium.com/max/1400/1*VLXgLt8zc14uqhBETC-glw.png)

Code to exploit.

The export output of the smb entries will look like this.

![](https://miro.medium.com/max/1400/1*KT8JwZOLh7XF4OWwhQveLg.png)

SMB server list.

Proof of concept video.

CVE-2021-42913: Samsung Printer SCX-6X55X Improper Access Control (CVE-2021-42913)

A Stored Cross Site Scripting (XSS) issue exists in Convos-Chat before 6.32.

Greeting Everyone !

Today In This Blog we will Explore XSS attack vector, Which Is Possible through SVG file Upload Functionality Due To Improper Validation Of file it got Executed to the Backend Server .

**Description**

Chat component was found vulnerable to unrestricted file upload and any malicious JavaScript execution can be performed. Stored cross-site scripting arises when an application receives data from an untrusted source and includes that data within its later HTTP responses in an unsafe way.

**Impact**

This allow an attacker to steal user session ,account takeover ,redirect user to attacker controlled site Javascript execution leads to multiple possible attack scenarios.

**Proof Of Concept**

Step 1: Download the package/product from github repository https://github.com/convos-chat/convos and configure on localhost as per instruction.  
Step 2: Login into the application with valid credentials.  
Step 3: Navigate to chat and upload a svg file via upload functionality with below malicious JavaScript payload in it.  
Step 4: Once the file is uploaded click on generated link to access the file and observe the uploaded file and JavaScript payload execution.

**Which End Point Are Vulnerable**

1.Profile Picture Upload  
2.File Upload On Another Functionality  
3.File Upload through Comment Section

1.Ensure that the file’s content is validated properly and input sanitization is performed.  
2.Make sure a strict check against file extensions is implemented and a whitelisted is used to allow only required filetypes.  
3.Make sure that the file size limit is properly validated and large files are not processed by the application.  
4.Ensure that the injection points such as filename parameters are properly validated and sanitized in order to prevent client-side and server-side injection attacks.

**Reference Links**

Product url: https://github.com/convos-chat/convos  
Report: https://github.com/convos-chat/convos/issues/623  
Released Fix: https://github.com/convos-chat/convos/commit/14a3b1e98cd1a3211c0ef3d4f5ffdbc60baaca54

CVE-2021-42584: Cross Site Scripting - Stored through crafted SVG file in Convos-Chat before 6.32

Wechat-php-sdk v1.10.2 is affected by a Cross Site Scripting (XSS) vulnerability in Wechat.php.

CVE-2021-43678: GitHub - gaoming13/wechat-php-sdk: 微信公众平台php版开发包

GGLocker iOS application, contains an insecure data storage of the password hash value which results in an authentication bypass.

**Insecure Data Storage found in GGLocker password manager app resulting in authentication bypass of the app**

![](https://miro.medium.com/max/1400/1*E2cyeEC2z8E96vhahp2dHQ.png)

GGLocker for iOS

Password managers apps are an attractive target for hackers as they contain a users’ login credentials. This means that if you can break it, you gain access to a user’s credentials stored within. It is therefore important for the mobile app to be security conscious when handling the master password to access the vault of crown jewels.

When you first download the app, it will prompt you to enter a password which then create your own credentials database (the vault). After which, you will then proceed to enter the password you have entered to access the vault as shown below.

![](https://miro.medium.com/max/450/1*cP0qNywr-T_6d-31fv_0Dw.png)

Entering the wrong password will deny access to the password vault and entering the correct password will allow access to the password vault.

![](https://miro.medium.com/max/600/1*sMjc5jtn3-twEHcnyNS1Rw.png)

![](https://miro.medium.com/max/600/1*1Otmww6jxTNDSmGdIk1rxQ.png)

The main issue that I found is on the insecure storage of the password that is being used to access the vault.

**Details:** By inspecting the app’s source code found in the developer’s Github page, we know that the app does not store the password in plaintext. The text value is being hashed and the app stores the hash value.

We also identified that the LoginViewController has a function called perform that is responsible to validate the access to the vault. The perform function checks if the hash value the enter is identical to the hash value of the initial password set as shown below:

![](https://miro.medium.com/max/1400/1*dxYvdhP3Bw_6F-W4f71Duw.png)

source code of “perform” function

As a hacker, this means that if I tamper the hash value of the perform function to an attacker controlled value, it is possible to perform an authentication bypass to access the vault! **I believe that using a non jailbroken iPhone with Frida, Theos or Grapefruit would be able to perform the exploit.** For demonstration purpose, I will be using Theos to perform hooking of LoginViewController to inspect the value of the return hashed value.

First, we will perform a classdump extraction of the mobile app to identify the function and we will then hook on the function to inspect the return value. The result should look something like this when inspecting app logs from macOS Console:

![](https://miro.medium.com/max/1400/1*-KkVgNTYqxDcp4voVy366w.png)

We noticed that “disk\_md5\_pwd” equals to “5f4dcc3b5aa765d61d8327deb882cf99” which translates to “password”. This also means that if a hacker enter the word “password”, the individual would be able to access the vault.

A skilled hacker can also take this vulnerability to the next level by manipulating the return value to a particular value of the individual choice :/

**Recommendations:**

1.  We can consider to implement jailbreak detection function to prevent the app from running in a jailbroken phone. By doing so, it makes things harder for a hacker to perform exploitation on the app. **_However do note that the vulnerability can still be performed in a non jailbroken environment (just that it will be much harder)._**
2.  To consider to store the hash value in a keychain to prevent unauthorized tampering of the value.

> The purpose of the article is to educate and spread awareness on the importance of secure coding to better secure a mobile app. **In no way** I am promoting unethical hacking. Please hack responsibly and feel encouraged that you are taking baby steps in making the digital world more secure :)

CVE-2021-3179: Yet another password manager app, how to better secure it?

glFusion CMS 1.7.9 is affected by an access control vulnerability via /public_html/users.php.

Incidentally, it's worth mentioning that the lockout is based on failed attempts from an IP address, not by user name. So the valid user could still log into the site. Unless they're sharing a public IP with the attacker, of course.

…

On Thu, Dec 9, 2021 at 9:43 AM Lee Garner \*\*\*@\*\*\*.\*\*\*> wrote: Currently the full name (could be a nickname) is shown along with the username. I don't think it would hurt to show only the fullname, if available, otherwise the user name. Creating a "nickname" field is interesting, but I suspect most users will leave it blank if allowed, or use their login names for it as well. On Thu, Dec 9, 2021 at 2:12 AM Topsec\_bunney \*\*\*@\*\*\*.\*\*\*> wrote: > We can get username on this link: > > http://192.168.255.130/glfusion1.7.9/public\_html/users.php?mode=profile&uid=3 > \[image: firefox\_fIwf2EDlUU\] > <https://user-images.githubusercontent.com/73220685/145376552-976aae00-0893-44b7-ac14-0c1e7de9233f.png\> > > So, attacker can get all username . > > Then they can always log in to all users with the wrong password, which > will prevent all users from logging in to the website normally. > > \[image: firefox\_LrrbnCvHFd\] > <https://user-images.githubusercontent.com/73220685/145376725-bde27dbe-c667-4ba4-8cf4-4b5f99998885.png\> > > There are two solutions: > > 1. > > set the verification code on the login page > 2. > > The second is to display the user's nickname instead of the login name > > — > You are receiving this because you are subscribed to this thread. > Reply to this email directly, view it on GitHub > <#487\>, or unsubscribe > <https://github.com/notifications/unsubscribe-auth/ABYLFOJM34JDJPZKT6FGA4TUQB6JPANCNFSM5JWB3F2Q\> > . > Triage notifications on the go with GitHub Mobile for iOS > <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675\> > or Android > <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm\_campaign%3Dnotification-email%26utm\_medium%3Demail%26utm\_source%3Dgithub\>. > >

CVE-2021-44949: glFusion CMS 1.7.9 user Login denied vulnerability · Issue #487 · glFusion/glfusion

The olm_session_describe function in Matrix libolm before 3.2.7 is vulnerable to a buffer overflow. The Olm session object represents a cryptographic channel between two parties. Therefore, its state is partially controllable by the remote party of the channel. Attackers can construct a crafted sequence of messages to manipulate the state of the receiver's session in such a way that, for some buffer sizes, a buffer overflow happens on a call to olm_session_describe. Furthermore, safe buffer sizes were undocumented. The overflow content is partially controllable by the attacker and limited to ASCII spaces and digits. The known affected products are Element Web And SchildiChat Web.

Today we are releasing security updates to libolm, matrix-js-sdk, and several clients including Element Web / Desktop. Users are encouraged to upgrade as soon as possible. This resolves the pre-disclosure issued on December 3rd.

Fixed library versions are:

*   libolm: 3.2.8
*   matrix-js-sdk: 15.2.1

Client versions incorporating the fixes are:

*   Element Web / Desktop: 1.9.7
*   SchildiChat Web / Desktop: 1.9.7-sc.1
*   Cinny: 1.6.0

These releases mitigate a buffer overflow in `olm_session_describe`, a libolm debugging function used by matrix-js-sdk in its end-to-end encryption (E2EE) implementation. If you rely on matrix-js-sdk for E2EE, you are affected. This vulnerability has been assigned CVE-2021-44538.

Clients which do _not_ use matrix-js-sdk for E2EE, like FluffyChat or Element Android / iOS, are _not_ affected.

This issue has been present since the introduction of the `olm_session_describe` function in October 2019 (commits: libolm, matrix-js-sdk).

We do not believe it is practical to successfully exploit this issue. However, upgrading remains important as the overflow _can_ be triggered remotely.

Separately from the above vulnerability, we noticed during an internal audit that the libolm bindings in matrix-js-sdk were not zeroing out certain arrays containing entropy for cryptographic operations. This causes the entropy to remain resident in memory longer than necessary. As a defense-in-depth measure, this release of libolm now proactively overwrites those arrays when it is safe to do so.

Lastly, we are also taking this opportunity to update the version of Electron bundled with Element Desktop, pulling in the latest backported security fixes there.

The buffer overflow was found and reported by GitHub user @brevilo in the course of developing jOlm, a library of Java bindings to libolm; thank you. If you believe you've discovered a security vulnerability in Matrix or its implementations, please see our Security Disclosure Policy for how to get in touch.

CVE-2021-44538: Disclosure: buffer overflow in libolm and matrix-js-sdk | Matrix.org

glFusion CMS v1.7.9 is affected by an arbitrary user registration vulnerability in /public_html/users.php. An attacker can register with the mailbox of any user. When users want to register, they will find that the mailbox has been occupied.

That's true, but I'm not sure now much of a problem it is. If the malicious user uses a valid email address, the activation email will be sent to the real email account holder. If the submission queue is used, the email is sent upon approval. If the user submission is rejected, the record is deleted and available for re-registration. I suppose it wouldn't hurt to send an email to the new user even if queued, saying "your account is pending approval"

…

On Wed, Dec 8, 2021 at 10:18 PM Topsec\_bunney \*\*\*@\*\*\*.\*\*\*> wrote: \*\*There is a logical problem with the user registration page After clicking the register button, the user does not need to confirm the email. The system directly saves the submitted content in the database. This leads to a problem. An attacker can register with the mailbox of any user. When users want to register, they will find that the mailbox has been occupied.\*\* \[image: firefox\_0LibhucPYT\] <https://user-images.githubusercontent.com/73220685/145344346-91dbbce9-01c4-4fad-8a78-b070c9959766.png\> — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#485\>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABYLFOKDJWVDPQVG2YPTBB3UQBCZ5ANCNFSM5JVTDREQ\> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675\> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm\_campaign%3Dnotification-email%26utm\_medium%3Demail%26utm\_source%3Dgithub\>.

CVE-2021-44937: glFusion CMS 1.7.9 Arbitrary user registration vulnerability · Issue #485 · glFusion/glfusion

“When you find the things I find, they really matter. They affect everybody’s security.”
Currently streaming : The Expanse and Lost in Space on Netflix
Currently listening to : Amorphis, Architects, and Killswitch Engage
Currently running : 130 kilometers (or ~80 miles) a month
Currently playing : Floorball (a type of floor hockey with five players and a goalkeeper)

_“When you find the things I find, they really matter. They affect everybody’s security.”_

**Currently streaming** : The Expanse and Lost in Space on Netflix

**Currently listening to** : Amorphis, Architects, and Killswitch Engage

**Currently running** : 130 kilometers (or ~80 miles) a month

**Currently playing** : Floorball (a type of floor hockey with five players and a goalkeeper)

**Currently proud of** : The volume of Microsoft MVPs hailing from Finland

It’s negative 20 centigrade and dark outside in Tampere, Finland. Seemingly unphased by the frigid air, Dr. Nestori Syynimaa kicks off his daily routine with a morning run. Contrary to what you might think, he isn’t listening to security podcasts or technical audiobooks, but rather detaching from work to gear up for his day ahead. This time is just for him. His local radio station and heavy metal music get him home through his front door as his extremities begin to thaw. With a clear head, he sits down at his battle-ready workstation. Nestori begins to work uncovering new ways to understand the relationship between identity systems and the cloud, in aid of making the internet more robust and secure.

Before becoming a security researcher, Nestori started his career in IT. In early 2000, IT was where it was at. Desperate for computer technicians, he says companies hired anyone who knew what “I-T” was. He laughs now because in his opinion, the bar was very low. While others were spending their first paychecks on mopeds, Nestori invested in a boxed copy of Microsoft Visual C++. Without any training he taught himself how to program, quickly rising through the ranks in the IT space.

Nestori wouldn’t stop there. He went back to school to get the education he felt he should have had, prior to starting on the job. While in school, he was teaching at an IT training organization working his way up to CIO for a large telecom provider in Finland. A friend from the company told him the cloud was going to be the “next big thing” in tech and they would need a trainer. Nestori embraced the challenge and took the opportunity.

During his time as a trainer, course attendees would ask a lot about security. Forget on-premises firewalls, this was the untitled space we now know as “the cloud”. Security frameworks were nascent and so your best bet was to protect your credentials and identity systems. It was clear to Nestori identity security was what was drawing the attention of his customers and students. There was a need for expertise in this new field and so Nestori decided to step forward and of his own volition, fill the void for his clients and the industry. He did all this while maintaining his afterhours work which included building AADInternals, his Azure Active Directory toolkit, which he eventually published. And he completed his PhD!

Last December, Nestori was awarded Microsoft MVP status for his work in security. He paused and realized there was a chance for him to ditch the 16-hour workdays to become a full-time researcher. This was a pivotal moment for him. Nestori’s robust skillset is one that is highly sought after. He began reaching out to see what opportunities might exist for full-time security research and was very quickly snapped up by Secureworks who recognized the immense value he could bring to their company and customers. Now, his after-hours hobby has become his full-time job!

Nestori is not in it for the money. He truly enjoys fixing things and keeping the world safe. When he identifies a vulnerability or some business logic that could be exploited, he doesn’t jump out of his chair pumping his fists. Rather, his thoughts go immediately to the potential implications for customers, should a less ethically minded hacker stumble upon the same discovery. Despite this fact, the rush of the find keeps him searching for more, never stressing about the things he cannot control. Nestori’s constant curiosities have helped him to become one of the most prolific bug bounty hunters of the 2021 calendar year.

When he reflects on the work he does, Nestori believes to be a solid researcher you must be a person who likes uncovering things with an analytical mindset. When asked how he handles failure his response, with a wink and smile is: “I don’t know what that means.” His colleagues, recognizing his unique talents at reverse-engineering communication protocols and finding the flaws in token exchanges, refer to him as “a wizard”. And just like the wizard Gandalf, Nestori continues to maintain his curiosity and technical prowess to block the proverbial Balrog, warning, “You shall not pass.”

You don’t need to risk hypothermia to follow along with Nestori. You can follow his journey on Twitter (@DrAzureAD), AADInternals on GitHub, and his blog at https://o365blog.com.

Researcher Spotlight: Dr. Nestori Syynimaa’s Constant Mission Protecting Identities

A Hidden Functionality in Fortinet FortiOS 7.x before 7.0.1, FortiOS 6.4.x before 6.4.7 allows attacker to Execute unauthorized code or commands via specific hex read/write operations.

**![](https://fortiguard.com/static/images/icons/psirt.svg?v=4996) PSIRT Advisories**

**FortiOS - debug commands allow memory manipulation**

**Summary**

A debug functionality in FortiGate may allow a privileged user to execute unauthorized code or commands via specific  
chains of \`print str\` and \`cmd mem\` cli commands to, respectively, read and write hexadecimal values to any memory address.

**Affected Products**

Any FortiGate version 7.0.0 or below is impacted.  
Any FortiGate version 6.4.6 or below is impacted.  
Any FortiGate version 6.2.9 or below is impacted.  
Any FortiGate version 6.0.14 or below is impacted.  
Any FortiGate version 5.6.14 or below is impacted.  

**Solutions**

Upgrade FortiGate firmware with any version greater or equals to 7.0.1  
Upgrade FortiGate firmware with any version greater or equals to 6.4.7  
Upgrade FortiGate firmware with any version greater or equals to 6.2.10  

**Acknowledgement**

Fortinet is pleased to thank Orange CERT-CC team for reporting this vulnerability under responsible disclosure.

CVE-2021-36169: Fortiguard

Insufficient Input Validation in the search functionality of Wordpress plugin Use-Your-Drive prior to 1.18.3 allows unauthenticated user to craft a reflected Cross-Site Scripting attack.

Tag

#ios