SAP Cloud Connector - version 2.0, allows an authenticated user with low privilege to perform Denial of service attack from adjacent UI by sending a malicious request which leads to low impact on the availability and no impact on confidentiality or Integrity  of the application.



CVE-2023-49578

The SAP HCM (SMART PAYE solution) - versions S4HCMCIE 100, SAP_HRCIE 600, SAP_HRCIE 604, SAP_HRCIE 608, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. After successful exploitation, an attacker can cause limited impact on confidentiality and integrity of the application.



CVE-2023-49577

In SAP Commerce Cloud - versions HY_COM 1905, HY_COM 2005, HY_COM2105, HY_COM 2011, HY_COM 2205, COM_CLOUD 2211, a locked B2B user can misuse the forgotten password functionality to un-block his user account again and re-gain access if SAP Commerce Cloud - Composable Storefront is used as storefront, due to weak access controls in place. This leads to a considerable impact on confidentiality and integrity.



CVE-2023-42481

SAP Master Data Governance File Upload application allows an attacker to exploit insufficient validation of path information provided by users, thus characters representing ‘traverse to parent directory’ are passed through to the file APIs. As a result, it has a low impact to the confidentiality.



CVE-2023-49058

SAP Business Objects Business Intelligence Platform is vulnerable to stored XSS allowing an attacker to upload agnostic documents in the system which when opened by any other user could lead to high impact on integrity of the application.



CVE-2023-42478

Competing bills moving through the House of Representatives both reauthorize Section 702 surveillance—but they pave very different paths forward for Americans’ privacy and civil liberties.

Two surveillance bills are barreling their way through the US House of Representatives this week. Both claim to achieve roughly the same goal: Enact sweeping reforms and save a dying surveillance program beleaguered by “persistent and widespread” abuse.

Under this program, Section 702, the US government collects hundreds of millions of phone calls, emails, and text messages each year. An inestimable chunk belongs to American citizens, permanent residents, and others in the United States neither suspected nor accused of any crime.

While both bills would extend the program’s life, only one of them can credibly lay claim to the title of reform. Legislation introduced last week by Representative Andy Biggs in the House Judiciary Committee would require the Federal Bureau of Investigation (FBI) to obtain warrants before accessing the communications of Americans collected under Section 702. The second bill, introduced by the House Intelligence Committee, contains no equivalent protection.

The House Judiciary Committee’s Protect Liberty and End Warrantless Surveillance Act (PLEWSA, unfortunately) secures a glaring loophole in US law that helps police and intelligence agencies buy their way around the Fourth Amendment by paying US companies for information that they’d otherwise demand a warrant to disclose. The House Intelligence Committee’s bill—the FISA Reform and Reauthorization Act, or FRRA—does nothing to address this privacy threat.

What the FRRA does appear to do, despite its name, is explode the number of companies the US government may compel to cooperate with wiretaps under Section 702. That was the assessment on Friday of Marc Zwillinger, amicus curiae to the Foreign Intelligence Surveillance Court of Review (FISCR). “These changes would vastly widen the scope of businesses, entities, and their affiliates who are eligible to be compelled to assist 702 surveillance,” Zwillinger wrote in an article with Steve Lane, a former Justice Department (DOJ) attorney.

Section 702 currently allows the government to compel a class of companies called “electronic communications providers” to collect communications. If the FRRA becomes law, according to Zwillinger, that category would be greatly expanded to include a slew of new businesses, including “data centers, colocation providers, business landlords, and shared workspaces,” as well as, he says, “hotels where guests connect to the internet.”

Congressional sources tell WIRED that officials at the DOJ, Department of Defense, and National Security Agency have been placing urgent calls directly to House lawmakers to oppose the PLEWSA and advance the FRRA—an effort, the sources say, being coordinated by White House advisers. Privately, some Democrats have been urged to help kill the “Jim Jordan bill,” an aide said, explaining the apparent jab is meant to frame an entirely bipartisan bill as an extreme Republican measure. (Jordan, the aide noted, is not the bill’s author and did not introduce it.) Regardless, a major chunk of the PLEWSA was cannibalized from privacy legislation with a record of broad bipartisan support, and particularly in the Senate, where top Democrat Chuck Schumer has previously lent his name to a bill banning police and intelligence agencies from buying people’s personal data.

The PLEWSA likewise exited the House Judiciary Committee last week with broad bipartisan support from both Jordan, the Republican chair, and Jerrold Nadler, its ranking Democrat.

Section 702 surveillance begins with monitoring the communications of foreigners believed to be located outside of the United States. Under these conditions, the US government can ignore most constitutional protections, wiretapping nearly any individual it deems likely to possess—or likely to possess in the future—information of intelligence value.

Correspondence between foreign targets and their lawyers, doctors, religious leaders, wives, husbands, and children are all open for collection, a fact that would not change if every one of them were a US citizen. Whatever calls, emails, or texts are intercepted as a result of targeting a foreigner under 702 are legally permissible, or “incidental,” in spy agency parlance.

Once that information is legally in the government’s possession, the use of it is subject to a different set of legal doctrines, many of which ignore the novel circumstances under which it was initially seized. A federal appeals court in 2021 described the “two-step” process by which communications may be seized under 702 and only years later dug up for an entirely different reason. The process on the whole is constitutional, it said, so long as each step “independently complies with the Fourth Amendment.” Under this logic, the FBI has been permitted to treat the private communications of Americans—secretly obtained during foreign surveillance—as roughly the equivalent of information it stumbles across in plain view.

How often Americans are targeted by Section 702 surveillance is a question that the government says it genuinely can’t answer. It does, however, disapprove of using the word “target” to describe Americans whose calls and texts are intercepted by US spies.

Congressional sources opposed to the FRRA, the House Intelligence Committee’s bill, say it reflects a deference toward executive power that has become customary among House and Senate intelligence staff. In arguing that constant experience has never shown secret agencies to be predisposed to self-restraint, a senior aide pointed to the case of an intelligence analyst caught abusing 702 data for “online dating” purposes last year. It had recently been confirmed, they said, that the analyst had not been fired.

“The Intelligence Committee’s ‘FISA Reform and Reauthorization Act’ may have the word ‘reform’ in its name, but the bill’s text proves otherwise,” says Representative Zoe Lofgren. “Congress must not green-light another major surveillance reauthorization without enacting surveillance reform measures that curb abuses and protect Americans’ civil liberties."

Talking points obtained by WIRED that were being circulated over the weekend by critics of the PLEWSA bill’s deeper reforms allude to the “grave damage” it poses to national security. Supporters of the FRRA bill have dubiously credited the 702 with halting “another 9/11.” But the PLEWSA bill strikes an appreciable balance between privacy and security for a surveillance authority aimed at foiling tier-one threats. It contains clear caveats to help the government advance investigations of cybercrime and exigencies for most immediate, violent threats.

Sources say both the PLEWSA and the FRRA could receive a floor vote as early as Tuesday under rarely prescribed Queen-of-the-Hill rules—meaning, in short, that the bill with the greatest number of supporters might ultimately carry the day.

Congress Clashes Over the Future of America’s Section 702 Spy Program

A flaw was found in PostgreSQL involving the pg_cancel_backend role that signals background workers, including the logical replication launcher, autovacuum workers, and the autovacuum launcher. Successful exploitation requires a non-core extension with a less-resilient background worker and would affect that specific background worker only. This issue may allow a remote high privileged user to launch a denial of service (DoS) attack.

CVE-2023-5870

Microsoft Defender API and PowerShell APIs suffer from an arbitrary code execution due to a flaw in powershell not handling user provided input that contains a semicolon.

    [+] Credits: John Page (aka hyp3rlinx)    [+] Website: hyp3rlinx.altervista.org[+] Source:  http://hyp3rlinx.altervista.org/advisories/MICROSOFT_DEFENDER_ANTI_MALWARE_POWERSHELL_API_UNINTENDED_CODE_EXECUTION.txt[+] twitter.com/hyp3rlinx[+] x.com/hyp3rlinx[+] ISR: ApparitionSec      [Vendor]www.microsoft.com[Product]Windows PowerShell[Vulnerability Type]Arbitrary Code Execution[CVE Reference]N/A[Security Issue]Microsoft Defender Anti Malware and or PS API's can result in executing arbitrary code.E.g. scan a directory, shortcut .lnk or even non-existent item, may execute unintended code.This vector builds upon my previous advisory and subsequent project PSTrojanFile.Requirements:1) On CL 'powershell' cmd is prefixed or passed in by calling PowerShell from another script2) Executable file of same name as the parameter that lives nearbyExamples:powershell Start-MpScan -Scanpath "C:\Users\gg\Downloads\;saps Helper;.1.zip"(Helper.exe lives on Desktop)Create directory  ";saps Test", Test.exe, Test.cmd etc is on same CL pathpowershell Add-MpPreference -ControlledFolderAccessAllowedApplications ";saps Test"Create directory with semicolon, drop PE file named doom.exe in same path.powershell Set-ProcessMitigation -PolicyFilePath  "test;saps doom"TODO: Update PSTrojanFile[References]http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-POWERSHELL-UNSANITIZED-FILENAME-COMMAND-EXECUTION.txthttps://github.com/hyp3rlinx/PSTrojanFilehttps://packetstormsecurity.com/files/153863/Microsoft-Windows-PowerShell-Command-Execution.htmlhttps://www.exploit-db.com/exploits/47248https://github.com/MicrosoftDocs/windows-powershell-docs/tree/main/docset/winserver2019-ps/defender[Video PoC URL]https://www.youtube.com/watch?v=0Go6yJiRWP8[Network Access]Remote [Severity]High[Disclosure Timeline]Vendor Notification:  circa (2019)December 7, 2023 : Public Disclosure[+] DisclaimerThe information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, andthat due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due creditis given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibilityfor any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related informationor exploits by the author or elsewhere. All content (c).hyp3rlinx

Microsoft Defender Anti-Malware PowerShell API Arbitrary Code Execution

Ransomware attacks have become a significant and pervasive threat in the ever-evolving realm of cybersecurity. Among the various iterations of ransomware, one trend that has gained prominence is Ransomware-as-a-Service (RaaS). This alarming development has transformed the cybercrime landscape, enabling individuals with limited technical expertise to carry out devastating attacks.

Ransomware attacks have become a significant and pervasive threat in the ever-evolving realm of cybersecurity. Among the various iterations of ransomware, one trend that has gained prominence is Ransomware-as-a-Service (RaaS). This alarming development has transformed the cybercrime landscape, enabling individuals with limited technical expertise to carry out devastating attacks.

**Traditional and double extortion ransomware attacks**

Traditionally, ransomware refers to a type of malware that encrypts the victim's files, effectively blocking access to data and applications until a ransom is paid to the attacker. However, more contemporary attackers often employ an additional strategy. The bad actors create copies of the compromised data and leverage the threat of publishing sensitive information online unless their demands for ransom are met. This dual approach adds an extra layer of complexity and potential harm to the victims.

**A new model for ransomware**

RaaS is the latest business model in the world of ransomware. Similar to other "as-a-service" offerings, inexperienced hackers can now take advantage of on-demand tools for malicious activities. Instead of creating and deploying their own ransomware, they are given the option to pay a fee, select a target, and launch an attack using specialized tools provided by a service provider.

This model significantly reduces the time and cost required to execute a ransomware attack, especially when identifying new targets. In fact, a recent survey revealed that the average timeframe between a ransomware attacker breaching a network and encrypting files has dropped below 24 hours for the first time.

The RaaS model also fosters economies of scale, as service providers are motivated to develop new strains that can bypass security defenses. Broja Rodriguez, Threat Hunting Team Lead at Outpost24, highlights that having multiple customers actually aids ransomware creators in marketing their tools.

"\[The customers\] propagate a specifically named ransomware across numerous machines, creating a sense of urgency for victims to pay. When victims research the ransomware and find multiple reports about it, they are more inclined to comply with the ransom demands. It's akin to a branding strategy in the criminal world."

The customer base also means the ransomware creators can get more detailed feedback about which techniques work best in different scenarios. They get real-time intelligence on how well cybersecurity tools are adapting to new strains, and where vulnerabilities remain unplugged.

**The business model of RaaS**

Despite its illicit nature, RaaS operates similarly to legitimate businesses. Customers, commonly referred to as "affiliates," have various payment options, including flat fees, subscriptions, or a percentage of the revenue. In some cases, providers even offer to manage the ransom collection process, typically utilizing untraceable cryptocurrencies, effectively serving as payment processors.

It's also a highly competitive market, with user feedback on "dark web" forums. As Broja Rodriguez explains, customers aren't loyal, and the competition drives up quality (which is bad news for victims). If a service disappoints:

"\[Customers\] won't hesitate to give a try to another RaaS group. Having multiple affiliations broadens their options and enhances their chances of profiting from their cybercriminal activities. Being that all the affiliates are searching for the best group, competitiveness between RaaS groups can increase. A small failure of your malware not executing on a victim can make you lose affiliates, and they will move to other groups with more name recognition or, at least, to those where their malware executes."

**Defending against RaaS**

There are numerous recommendations for defending against ransomware that emphasize the importance of business continuity. These include maintaining reliable backups and implementing effective disaster recovery plans to minimize the impact of a successful attack. While these measures are undoubtedly valuable, it is crucial to note that they do not directly address the risk of data exposure.

To effectively mitigate ransomware attacks, it is crucial to proactively identify and address security vulnerabilities. Leveraging penetration testing and red teaming methodologies can significantly enhance your defense. For a continuous and comprehensive approach, especially for dynamic attack surfaces like web applications, partnering with a pen testing as a service (PTaaS) provider is highly recommended. Outpost24's PTaaS offers real-time insights, continuous monitoring, and expert validation, ensuring the security of your web applications at scale.

Information is a critical asset in the fight against ransomware, and Cyber Threat Intelligence plays a pivotal role. Outpost24's Threat Compass offers a modular approach, enabling the detection and analysis of threats tailored to your organization's infrastructure. With access to up-to-date threat intelligence and actionable context, your security team can respond swiftly and effectively, bolstering your defenses against ransomware attacks.

**The bottom line**

Ransomware attacks have grown increasingly sophisticated, resulting in more powerful, targeted, and agile threats. To effectively defend against this evolving menace, it is crucial to utilize targeted tools fueled by the latest intelligence. Contact Outpost24 to assist you in taking the necessary steps to safeguard your organization's security.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Ransomware-as-a-Service: The Growing Threat You Can't Ignore

gpac 2.3-DEV-rev617-g671976fcc-master contains memory leaks in gf_mpd_resolve_url media_tools/mpd.c:4589.

1、Version  
./MP4Box -version  
MP4Box - GPAC version 2.3-DEV-rev617-g671976fcc-master  
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io/

Please cite our work in your research:  
GPAC Filters: https://doi.org/10.1145/3339825.3394929  
GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration:  
Features: GPAC\_CONFIG\_LINUX GPAC\_64\_BITS GPAC\_HAS\_IPV6 GPAC\_HAS\_SSL GPAC\_HAS\_SOCK\_UN GPAC\_MINIMAL\_ODF GPAC\_HAS\_QJS GPAC\_HAS\_JPEG GPAC\_HAS\_PNG GPAC\_HAS\_LINUX\_DVB GPAC\_DISABLE\_3D

2、ASAN Log  
\[DASH\] Updated manifest:  
P#1: start 0 - duration 0 - xlink none  
\[DASH\] Manifest after update:  
P#1: start 0 - duration 0 - xlink none  
\[DASH\] Setting up period start 0 duration 0 xlink none ID DID1  
\[DASH\] Cannot compute default segment duration  
\[DASH\] AS#1 changed quality to bitrate 10 kbps - Width 1280 Height 720 FPS 30/1 (playback speed 1)  
\[DASH\] AS#2 changed quality to bitrate 120 kbps - Width 384 Height 256 FPS 30/1 (playback speed 1)  
\[DASH\] AS#3 changed quality to bitrate 120 kbps - Width 384 Height 256 FPS 30/1 (playback speed 1)  
\[DASH\] AS#4 changed quality to bitrate 120 kbps - Width 448 Height 256 FPS 30/1 (playback speed 1)  
\[DASH\] AS#5 changed quality to bitrate 120 kbps - Width 448 Height 256 FPS 30/1 (playback speed 1)  
\[DASH\] AS#6 changed quality to bitrate 120 kbps - Width 384 Height 208 FPS 30/1 (playback speed 1)  
\[DASH\] AS#7 changed quality to bitrate 120 kbps - Width 448 Height 208 FPS 30/1 (playback speed 1)  
\[DASH\] AS#8 changed quality to bitrate 120 kbps - Width 448 Height 208 FPS 30/1 (playback speed 1)  
\[DASH\] No ROUTE entity on HTTP request  
\[DASH\] AST at init 1621274304781  
\[DASH\] At current time 78824071088 ms: Initializing Timeline: startNumber=1 segmentNumber=78824071 segmentDuration=1.000000 - 0.000 seconds in segment (start range 7.88241e+07)  
\[DASH\] No ROUTE entity on HTTP request  
\[DASH\] Segment duration unknown - cannot estimate current startNumber  
\[DASH\] No ROUTE entity on HTTP request  
\[DASH\] AST at init 1621274304781  
\[DASH\] At current time 78824071088 ms: Initializing Timeline: startNumber=1 segmentNumber=78824071 segmentDuration=1.000000 - 0.000 seconds in segment (start range 7.88241e+07)  
\[DASH\] No ROUTE entity on HTTP request  
\[DASH\] AST at init 1621274304781  
\[DASH\] At current time 78824071088 ms: Initializing Timeline: startNumber=1 segmentNumber=78824071 segmentDuration=1.000000 - 0.000 seconds in segment (start range 7.88241e+07)  
\[DASH\] No ROUTE entity on HTTP request  
\[DASH\] AST at init 1621274304781  
\[DASH\] At current time 78824071088 ms: Initializing Timeline: startNumber=1 segmentNumber=78824071 segmentDuration=1.000000 - 0.000 seconds in segment (start range 7.88241e+07)  
\[DASH\] No ROUTE entity on HTTP request  
\[DASH\] AST at init 1621274304781  
\[DASH\] At current time 78824071088 ms: Initializing Timeline: startNumber=1 segmentNumber=78824071 segmentDuration=1.000000 - 0.000 seconds in segment (start range 7.88241e+07)  
\[DASH\] No ROUTE entity on HTTP request  
\[DASH\] AST at init 1621274304781  
\[DASH\] At current time 78824071088 ms: Initializing Timeline: startNumber=1 segmentNumber=78824071 segmentDuration=1.000000 - 0.000 seconds in segment (start range 7.88241e+07)  
\[DASH\] No ROUTE entity on HTTP request  
\[DASH\] AST at init 1621274304781  
\[DASH\] At current time 78824071088 ms: Initializing Timeline: startNumber=1 segmentNumber=78824071 segmentDuration=1.000000 - 0.000 seconds in segment (start range 7.88241e+07)  
\[DASH\] Unable to resolve initialization URL: Bad Parameter  
Filter dashin failed to setup: Bad Parameter  
Filters not connected:  
fout (dst=crash24\_dash.mpd:gpac:segdur=10000/1000:profile=full:!sap:buf=1500:!check\_dur:pssh=v:subs\_sidx=0) (idx=1)  
Arg segdur set but not used  
Arg profile set but not used  
Arg !sap set but not used  
Arg buf set but not used  
Arg !check\_dur set but not used  
Arg pssh set but not used  
Arg subs\_sidx set but not used  
Error DASHing file: Bad Parameter

\=================================================================  
\==3766==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 50 byte(s) in 1 object(s) allocated from:  
#0 0x7f8f1245b9a7 in \_\_interceptor\_strdup ../../../../src/libsanitizer/asan/asan\_interceptors.cpp:454  
#1 0x7f8f112d489f in gf\_mpd\_resolve\_url media\_tools/mpd.c:4589  
#2 0x7f8f11303e24 in gf\_dash\_resolve\_url media\_tools/dash\_client.c:3447

SUMMARY: AddressSanitizer: 50 byte(s) leaked in 1 allocation(s).

3、Reproduction  
./MP4Box -dash 10000 $poc

4、poc  
crash24.zip

5、Impact  
This vulnerability is capable of causing crashes, or lead to dos.

6、 Env  
Linux dr0v-virtual-machine 6.2.0-36-generic #37 SMP PREEMPT\_DYNAMIC Mon Oct 9 15:34:04 UTC 2 x86\_64 x86\_64 x86\_64 GNU/Linux  
AFL++ 4.09a

7、Credit  
dr0v

Tag

#sap